# Compliance and Audit Report — Q1 2026

**From:** Yuki Sato, Head of Compliance and Internal Audit
**To:** Board of Directors, Helios Renewables AG
**Date:** 13 March 2026
**Classification:** Board-confidential

## 1. Annual GDPR record-of-processing review (required item)

Under Art. 30 GDPR the board is required to confirm, on an annual cadence, that the company's records of processing activities (RoPA) are complete and current. This review covers the period 1 March 2025 – 28 February 2026.

| Area | Records reviewed | Material updates this year | Findings |
|---|---|---|---|
| HR (employees, contractors) | 17 processing records | New "employee well-being survey" record added; new Workday subprocessor agreement signed | None |
| Sales and CRM | 12 records | Salesforce DPA refreshed to v2024-09; consent flow corrected on one EU-IT landing page | One closed minor non-conformity (closed 14 February 2026) |
| Customer support | 5 records | Zendesk subprocessor switched to EU-region instance | None |
| Marketing | 8 records | One unauthorised pixel removed from blog after internal scan | One closed minor non-conformity (closed 28 January 2026) |
| Engineering / product | 6 records | Cleaned up two records for legacy products decommissioned in 2024 | None |
| Finance / treasury | 4 records | None | None |

**Conclusion:** RoPA is complete, current, and matches the technical reality of our data flows. No material gaps. Two minor non-conformities identified during the year were closed within their target windows.

**Board action requested:** acknowledgement that the annual RoPA review has been performed and is satisfactory.

## 2. ISO 14001:2015 environmental management — annual recertification

TÜV SÜD on-site audit completed 28 February 2026. Three-day scope covering:

- Antwerp PV-module plant (lead site)
- Munich corporate HQ
- Two field sites (Stuttgart solar farm; Linz battery installation, in progress)

Results:

- **Zero major non-conformities.**
- **Two minor non-conformities:**
    - Energy-monitoring submeter on Antwerp Line 3 had been out of calibration since November 2025 (recalibrated during audit; corrective action plan filed).
    - Waste-segregation signage in the Munich basement archive room was out of date (replaced same day).
- **Three positive observations** noted by the auditor (improved supplier-evaluation methodology; integration of climate-physical risk into the EMS; staff awareness scores up year-on-year).

Certificate renewed to 28 February 2029. Recertification cost: €37 k (in line with budget).

## 3. Internal audit programme — Q1 2026 close-out

Three audits closed in the quarter; one in flight; one rescheduled.

| Audit | Status | Findings |
|---|---|---|
| IT access reviews (Q4 2025 access-review cycle) | Closed | All seven Vanta access slots up to date; 1 dormant SSO group cleaned up. |
| Procurement — small-supplier onboarding controls | Closed | 3 minor findings, all closed; recommendation to add automated DSE check (in flight as engineering ticket). |
| Travel and expenses — sample of 240 expense reports | Closed | No fraud signals. One out-of-policy reimbursement (refunded). |
| Field-service revenue recognition | In flight; closes Q2 2026 | n/a |
| Stock-take audit (Antwerp) | Rescheduled to Q2 due to operations conflict | n/a |

## 4. Whistleblower disclosures

EU Whistleblower Directive channel received **3 reports** in Q1 2026:

- One unsubstantiated allegation of favouritism in a promotion (HR reviewed; no finding).
- One report of a near-miss safety incident (already known to ops; closed).
- One anonymous report of a procurement irregularity (under investigation by an external law firm; expected close Q2).

All three reports were acknowledged to the reporter within 7 days of receipt and processed in line with the Directive's procedural requirements.

## 5. AI-systems compliance (ISO 42001 in-flight)

Helios has begun preparing for ISO/IEC 42001:2023 (AI management system) certification ahead of operationalising the AI Boardroom and AI-driven storage-fleet optimisation. Current state:

- AI inventory complete: 4 AI systems in production (forecast, fleet-optimisation, customer-support summarisation, AI Boardroom).
- AIMS policies drafted and ratified by the management AI committee in February 2026 (7 policies in scope).
- Initial certification audit targeted for Q3 2027.

This is informational only — no board action required this quarter.

## 6. Auditor reappointment (Resolution R-2026-Q1-02)

The audit committee has reviewed PwC's performance over the prior 12 months and recommends reappointment for FY 2026. Audit fee proposed €1.34 m (FY 2025: €1.28 m, +4.7 %). No advisory services in excess of board-approved limits were rendered by PwC during FY 2025.

## 7. What I am asking for

1. **Acknowledge** the annual GDPR RoPA review (Section 1).
2. **Acknowledge** ISO 14001 recertification (Section 2).
3. **Approve** Resolution R-2026-Q1-02 (PwC reappointment).
