Merlin Properties SOCIMI S A : Report on the activities of the Audit and Control Committee in 2023

Audit and Control Committee

December 2023

Report on the activity of the Audit and Control Committee of MERLIN Properties, SOCIMI, S.A. for the year ended December 31, 2023

Audit and Control Committee Activity Report for the financial year 2023

AUDIT AND CONTROL COMMITTEE

1.- PRESENTATION	3
2.- COMPOSITION, FUNCTIONING AND POWERS	4
2.1.	Composition	4
2.2.	Operation	5
2.3.	Competences	6
3.- MAIN ACTIONS IN THE 2023 FINANCIAL YEAR	9
3.1.	Meetings	9
3.2. General actions	10
3.3. Specific actions	11
3.3.1. Financial Information	11
3.3.2. Non-financialinformation	13
3.3.3. External auditors	14
3.3.4. Asset valuation	19
3.3.5. Risk management	20
3.3.6. Tax policy and legal risks	21
3.3.7. Internal Audit	21
3.3.8. Regulatory Compliance	22
3.3.8.1. Prevention of criminal risks (Criminal Compliance)	22
3.3.8.2. Prevention of money laundering and terrorist financing	23
3.3.8.3. Protection of personal data	23
3.3.8.4. Internal Information System - Ethics Channel	24
3.3.8.5. Corporate operations	24
3.3.8.6. Related-partytransactions	24
3.3.8.7. Treasury Stock	25
3.3.8.8. Improvement of policies and procedures	25
4. CONCLUSIONS	25
5. WORK PLAN FOR 2024	27

2

Audit and Control Committee Activity Report for the financial year 2023

AUDIT AND CONTROL COMMITTEE

1.- PRESENTATION

In order for the Board of Directors to carry out the annual evaluation of the Audit and Control Committee (hereinafter, the Committee) of MERLIN PROPERTIES SOCIMI, S.A. (hereinafter, MERLIN) in accordance with the provisions of article 529h of the Consolidated Text of the Capital Companies Act, this Committee prepares an annual report on its operation, highlighting the main activities carried out in relation to its functions. which is made public in the terms provided by the applicable regulations in force.

In accordance with the aforementioned standard, as well as with Recommendation 6 of the Code of Good Governance of listed companies, Section 79 of Technical Guide 3/2017 of the National Securities Market Commission and the provisions of Article 25.2 of the Regulations of the Audit and Control Committee itself, this Annual Report for the financial year 2023 is prepared, which will be available to investors, shareholders and any other

interested party, through the corporate website (https://ir.merlinproperties.com/gobierno-corporativo/informes-anuales/) from the call of the Ordinary General Shareholders' Meeting.

The regulations of the Committee, in addition to those established by current legislation, are set out in the Articles of Association, in the Regulations of the Board of Directors of the Company and, more specifically, in the Regulations of the Audit and Control Committee, approved by the Board of Directors on January 30, 2018. revised on 16 December 2020, 4 May 2022 and, finally, on 14 February 2023, following a proposal from the Audit and Control Committee itself.

This Regulation of the Commission incorporates all the aspects included in the recommendations of the Technical Guide 3/2017 of the National Securities Market Commission (CNMV) on Audit Committees of Public Interest Entities, as well as the updates to the recommendations included in the New Code of Good Governance approved by the CNMV in June 2020.

All of MERLIN's internal regulations (Articles of Association, Regulations of the Board of Directors and Regulations of the Audit and Control Committee) are available to anyone interested on the corporate website: (https://ir.merlinproperties.com/gobierno-corporativo/normativa-de-gobierno-corporativo/).

During the year, the activity of the Committee, in its ten sessions, has complied with the Annual Work Plan for the year 2023, included in the "Work Calendar for the financial year 2023", approved by the Committee in December 2022 and which reflected the planned content of its meetings and reports to be submitted to the Board of Directors, the appearances of the external auditor, as well as a training plan for the Commission.

In this regard, and as reflected in this Annual Report, during the 2023 financial year the Committee has undertaken the analysis and examination of all issues and aspects of its competence, reporting in a timely manner to the Company's Board of Directors, including the review of financial and non-financial information, the supervision of the relationships and independence of the External Auditor, the supervision of Internal Audit, the supervision of risk

3

Audit and Control Committee Activity Report for the financial year 2023

AUDIT AND CONTROL COMMITTEE

management and control systems, including tax and technological risks, the supervision of related-party transactions, the supervision of the regulatory compliance system and associated control structures, as well as recommendations for the continuous improvement of the Company's Internal Control and Corporate Governance Systems.

2.- COMPOSITION, FUNCTIONING AND POWERS

The composition and powers of the Audit and Control Committee of MERLIN are regulated in Chapters II and III of the Regulations of the Audit and Control Committee in accordance with the provisions of Article 529 quarter of the Capital Companies Law. These provisions establish, in summary, the following main aspects in relation to the Commission:

2.1.- Composition

With regard to its composition, and in accordance with the provisions of Articles 12 and 13 of the Regulations of the Audit and Control Committee, the Committee shall be composed of a minimum of three (3) and a maximum of six (6) members, who shall be all non-executive directors and most of whom shall be independent; these members shall be appointed by the Board of Directors, on the proposal of the Appointments and Remuneration Committee. In the nomination and appointment of its members, diversity in its composition will be sought, in particular with regard to gender, professional experience, skills and sectoral knowledge.

The members of the Commission, as members of the Board of Directors, must have the experience and knowledge in management, economic, financial and business areas necessary for any good director. In addition, the Commission as a whole must have the relevant technical knowledge in relation to the sector of activity to which the Company belongs; and at least one of the members of the Commission shall be appointed, taking into account equally his or her knowledge and experience in accounting, auditing and/or accounting.

In addition to the above, in the proposal and appointment of members and positions, the Committee itself, the Appointments and Remuneration Committee and the Board of Directors shall ensure that the Chairman of the Committee has the knowledge, skills and experience appropriate to the functions he or she is called upon to perform in the field of accounting. auditing or risk management; the members of the Commission as a whole have financial and internal control skills; and that at least one of the members of the Commission has experience in information technology (IT), inter alia, in order to facilitate efficient supervision of internal risk management and control systems, which generally use complex IT applications, and to be able to adequately assess new emerging risks, such as cybersecurity.

The Chairman of the Audit and Control Committee, a position that in any case shall be held by an Independent Director, shall be appointed from among its members and shall be replaced every four (4) years, and may be re-elected once a period of one (1) year has elapsed since his or her resignation, without

4

Audit and Control Committee Activity Report for the financial year 2023

AUDIT AND CONTROL COMMITTEE

prejudice to his or her continuity or re-election as a member of the Committee.

The number of members, powers and rules of operation of the Commission are intended to promote the independence of its functioning.

During the 2023 financial year, Ms. Ana Forner Beltrán has ceased to be a member of the Commission, leaving the composition of the Committee at 5 members, so as of the date of this report, it is as follows:

					CATEGORY		EXPERIENCE IN
	CHARGE		MEMBER		AS A		ACCOUNTING/FINANCIAL/TECHNOLOGY
					DIRECTOR		MANAGEMENT
President		Mr. Donald		Independent		✓
	Johnston
			Mr. Juan
	Vowel		María		Independent		✓
		Aguirre
			Gonzalo
			Mrs. Ana
	Vowel		María		Independent		✓
			García Fau
			Mrs. María
	Vowel		Luisa Jordá		Independent		✓
			Castro
			Ms.
			Francisca
	Vowel		Ortega		Sunday		✓
			Hernández-
			Agero

The profiles of each member of the Commission, including information about their education, work and management experience, dates of appointment and subsequent re-election, can be consulted on the corporate website.

(https://ir.merlinproperties.com/gobierno-corporativo/consejo-de-administracion/)

By virtue of the provisions of Article 13 of the Commission's Rules of Procedure, the Secretary, who is not a member of the Commission, is Mr. Ildefonso Polo del Mármol, who is also Deputy Secretary of the Board of Directors.

2.2.- How it works

The Audit and Control Committee, in accordance with the provisions of Article 17 of its Regulations, before the beginning of each financial year, approves an annual work plan that includes the specific objectives in relation to each of the functions entrusted to it, the organisation of information and the agenda of meetings or other means of periodic communication with the Company's executives. with the head of the Internal Audit Department and with the external auditor and the training deemed appropriate for the proper

5

Audit and Control Committee Activity Report for the financial year 2023

AUDIT AND CONTROL COMMITTEE

performance of the Committee's functions.

In this regard, the Commission has carried out its functions during the year in accordance with the "Work calendar for the financial year 2023", approved by the Commission on 13 December 2022 and has approved the "Work calendar for the financial year 2023" at its meeting of 11 December 2023.

In any case, the Committee shall be convened and shall meet, at least quarterly, in order to review the periodic financial information that, in accordance with the Company's internal procedures and, where applicable, the regulations in force, the Board of Directors must submit to the stock exchange authorities, and other periodic obligations (AML/CFT, Compliance, risks, etc.), as well as the information that the Board of Directors must approve and include in its annual public documentation.

Such meetings shall be attended by the Director of Internal Audit and, when issuing a review report, by the external auditor. At least part of these meetings will take place without the presence of the Company's management, so that specific issues arising from the reviews can be discussed exclusively with them.

Likewise, the Commission may collaborate and contract external services and advice and collect any type of information or documentation available to the Company regarding matters that fall within the competence of the Commission and that it considers necessary for the performance of its functions.

2.3.- Competencies

The tasks of the Committee are detailed in Articles 5 to 10 of the Specific Regulations of the Audit and Control Committee. Its main competencies are summarized below:

1. Approve the Policy that determines the procedure for the selection and hiring of the external auditor and the relations with the external auditor, as well as the circumstances that could affect their independence and the instruments to provide such relationships with due transparency.
2. Submit to the Board of Directors, for submission to the General Shareholders' Meeting, the proposal for the selection, appointment, re-election and replacement of the external auditor, as well as its contracting conditions and, where appropriate, its revocation or non-renewal.
3. Receive annually from the external auditor the declaration of its independence, as well as information on the additional services of any kind provided and the corresponding fees received by him or by the persons or entities linked to him, in accordance with the provisions of the legislation on auditing of accounts.

6

Audit and Control Committee Activity Report for the financial year 2023

AUDIT AND CONTROL COMMITTEE

1. Issue annually, prior to the issuance of the audit report, a report expressing an opinion on whether the independence of the external auditor is compromised.
2. Review with the external auditor the main incidents detected during the audit, contrast them with the opinion of the management, verifying that they have been solved and, if not, understand why not, and follow up on the recommendations of the external auditor.
3. Analyze with the external auditor the significant weaknesses of the internal control system detected in the development of the audit and present recommendations or proposals to the Board of Directors and the corresponding deadline for their follow-up.
4. To authorise in advance the services other than the audit of accounts that the external auditor (or the auditing firm to which he belongs) or the persons or entities related to them (in accordance with the provisions of the legislation on auditing of accounts) are going to provide to the companies of the group, under the terms provided for by law.
5. Supervise the correct application of generally accepted accounting principles and applicable international financial reporting standards and supervise the process of preparing and presenting the Company's annual accounts and the periodic financial information that, in accordance with the regulations in force, the Company must provide to the markets and its supervisory bodies, as well as its preparation and publication process, informing the Board of Directors in this regard prior to its approval and presenting recommendations or proposals aimed at safeguarding its integrity.
6. Review the clarity and completeness of all financial and non- financial information that the entity makes public, such as the financial statements, management report, statement of non- financial information and annual corporate governance report, ensuring that the half-yearly financial reports and quarterly management statements are prepared with the same accounting criteria as the annual financial reports and, to this end, consider the appropriateness of a limited review of the half-yearly Financial Reports by the auditor.
7. Supervise the content of the audit reports, the limited review reports of interim accounts, the review reports of the statement of non- financial information and other mandatory reports of the external auditor, before they are issued, in order to avoid qualifications.
8. Ensure, with the collaboration of the internal authorship department, that the financial and non-financial information published on the Company's website is permanently updated and coincides with that which has been formulated by the Company's

7

Audit and Control Committee Activity Report for the financial year 2023

AUDIT AND CONTROL COMMITTEE

directors and published, where appropriate, when required to do so on the CNMV website.

1. Approve the guidance and work plans of the internal audit department and receive regular information on its activities. In supervising the work plan, the Commission shall verify that the main financial and non-financial risk areas of the business have been considered in the work plan, and that their responsibilities are clearly identified and delineated for the purposes of appropriate coordination with other assurance functions that may exist, such as risk management and control units. management control, regulatory compliance and external auditing.
2. Supervise all matters relating to the different types of risk faced by the Company, including financial and non-financial risks, contingent liabilities, other off-balance sheet, operational, environmental, technological, legal, social, political and reputational risks.
3. Evaluate, at least annually, the list of the most significant financial and non-financial risks and the tolerance level established for each based on the information provided by management, the head of the internal audit department and, where appropriate, the risk management and control unit, bearing in mind that setting the levels of risk that the Company considers acceptable is an executive function of the Board of Directors.
4. Review the Company's internal control and risk management systems and, in particular, the correct design of the internal control and management system for financial information (ICFR) and non- financial information (ICNFR), so that the main risks are identified, managed and adequately disclosed.
5. Approve the internal audit plan for the evaluation of the ICFR and ICNFR, and its amendments, and receive periodic information on the outcome of its work, as well as the action plan to correct the deficiencies observed.
6. Hold, at least annually, a meeting with the heads of the business units in which they explain the trends of the business and the associated risks, and reinforce the idea that it is the heads of the business units who are directly responsible for effectively managing the risks and that there should be an assigned manager for each identified risk.
7. To report to the General Shareholders' Meeting on the issues that arise in relation to those matters that fall within the competence of the Committee, and, in particular, on the result of the audit, explaining how it has contributed to the integrity of the financial information and the role that the Committee has played in this

8

Audit and Control Committee Activity Report for the financial year 2023

AUDIT AND CONTROL COMMITTEE

process.

1. To report to the General Shareholders' Meeting on the issues that arise in relation to those matters that are within its competence.
2. Supervise the hiring process of external real estate asset appraisers, proposed by the Management, ensuring the application of the rotation policy and the identification of possible conflicts of interest and threats to independence that may question their suitability.
3. Review that the methodology applied and the assumptions used by external real estate asset valuers are in accordance with International Accounting Standards (IFRS).
4. Supervise the outcome of the work carried out by the external auditor in relation to the valuation of the company's assets.
5. To report to the Board of Directors on the creation or acquisition of shareholdings in special purpose entities or entities domiciled in countries or territories that are considered tax havens, on the economic conditions and accounting impact and, where applicable, on the exchange ratio of the structural and corporate modification operations that the Company plans to carry out and the transactions with related parties.
6. Review the annual plan of activities of the Criminal Enforcement Body, as well as the half-yearly report of its activities for subsequent submission to the Board of Directors. Receive information from the Criminal Enforcement Body in relation to any relevant issue relating to regulatory compliance and the prevention and correction of illegal or fraudulent conduct.
7. Review, through the Internal Control Body, the Company's internal policies and procedures to verify their effectiveness in the prevention of money laundering and terrorist financing and identify any policies or procedures that are more effective in promoting the highest ethical standards, for submission to the Board of Directors.

3.- MAIN ACTIONS IN THE 2023 FINANCIAL YEAR

3.1.- Meetings

The Committee carries out its functions with complete independence and operational autonomy, being directed by its Chairman, who is responsible for convening meetings, proposing the order of matters to be dealt with and requiring the attendance of any director, officer or employee of the Company or of the external auditor or any other external auditor necessary for the performance of its functions.

9

Audit and Control Committee Activity Report for the financial year 2023

AUDIT AND CONTROL COMMITTEE

During the 2023 financial year, the Committee met on ten (10) occasions (in particular, on 19 January, 15 February, 23 February, 14 April, 10 May, 24 July, 25 July, 13 September, 14 November and 11 December). The meetings held during the year were all held in person at the Company's headquarters.

In addition to its members, the meetings of the Audit and Control Committee have been attended by employees and executives of the Company, such as the Executive Director and Corporate General Manager, the Director of Legal Counsel, the Head of the Tax Department, the Director of Internal Audit, the Coordinator of Asset Valuations and the Head of Systems. among others, to deal with the items on the agenda to which they had been summoned.

Likewise, the External Auditor has attended 5 meetings of the Committee to report on the review of the valuation of assets at the end of 2022, the Audit carried out during the 2022 financial year, the half-yearly review of asset valuations for 2023 and the Limited Review for the first half of 2023, and the preliminary conclusions of the review for the end of the 2023 financial year.

3.2.- General actions

By way of general information, at its meetings during the financial year 2023 and in the exercise of the functions attributed to it, the Commission has:

1. Submitted to the Board of Directors the reports relating to the presentation of the individual and consolidated financial statements, as well as their review by the external auditor, for the year ended December 31, 2022, as well as on the quarterly and half-yearly financial information and management reports required of the Company (during the 2023 financial year), as a listed company, by the applicable regulations;
2. Presented to the Board of Directors all the work entrusted to the external auditor during the current year and its prior analysis of the contract in terms of independence and compatibility in accordance with the Audit Law.
3. Supervised the annual hiring process of external real estate asset appraisers, proposed by the Management, ensuring the application of the rotation policy and the identification of possible conflicts of interest and threats to independence that may question their suitability.
4. Reviewed the methodology applied by the external valuators of real estate assets and the significant assumptions used, being in accordance with International Accounting Standards (IFRS).
5. Supervised the outcome of the work carried out by the external auditor in relation to the valuations of the Company's assets.
6. Decision has been taken on related-party transactions, informing the Board of Directors for approval, if necessary.

10