Privacy Notice for the whistleblower system

In the following, we provide information pursuant to Art. 13 of the General Data Protection Regulation (GDPR) on how the Scheer Group company named below processes personal data as part of the reporting system and on the associated data protection regulations, claims and rights.

The Scheer Group uses web-based software, a cloud solution hosted in Germany, to help detect operational irregularities. By introducing such a system, criminal, illegal, morally reprehensible or unfair activities can be detected and prevented at an early stage and incalculable material and immaterial damage as well as loss of reputation can be averted.

Who is responsible for the processing ?

Controller within the meaning of Art. 4 No. 7 GDPR is generally the company to which you submit a report. You make this selection yourself, e.g. by specifying in the system to which company you are sending your report. Information on the respective Controller can be found below:

Data Protection Officer

If you have any questions about data protection, please contact the Privacy Team at the above address of IDS Scheer Holding GmbH with the addition "Attn: Data Protection" or electronically at: datenschutz@scheer-group.com.

For what purposes do we process the data?

The respective Scheer Group Controller processes the personal data of the reporting person, unless the report was submitted anonymously, as well as the personal data of the accused person(s), such as name and other communication and content data, for the purpose of investigating the reports in order to prevent violations of applicable law or company policies, detect and/or take follow-up action (such as measures to verify the validity of the allegations made in the report and, where appropriate, to address the reported violation, including through internal investigations, inquiries, prosecutions, measures to (re)recover funds or close the case).

On what legal basis do we process the data?

The collection of the reporting person's personal data in the case of a non-anonymous report is based on consent to the processing through the transmission of the data (implied consent) (Art. 6 para. 1 sentence 1 lit. a GDPR).

The collection, processing and disclosure of personal data of the persons named in the notification serves to safeguard the legitimate interests of the above-mentioned Controller (Art. 6 para. 1 sentence 1 lit. f GDPR). It is a legitimate interest of the company to detect, process, remedy and sanction violations of the law and serious breaches of duty by employees effectively and with a high degree of confidentiality and to avert associated damage and liability risks for companies (Sections 30, 130 Federal Act on Regulatory Offences). Directive (EU) 2019/1937 ("EU Whistleblower Directive") and the Whistleblower Protection Act in Germany also require the establishment of a reporting system in order to give employees and third parties the opportunity to report legal violations in the company in a protected manner.

The disclosure of personal data in the case of non-anonymous reporting to other recipients (Art. 4 No. 7 GDPR) may be necessary due to a legal obligation (Art. 6 para. 1 sentence 1 lit. c GDPR).

The processing of personal data of employees (for Controllers within the scope of the Federal Data Protection Act - BDSG) is carried out on the basis of Section 26 (1) sentence 2 BDSG. According to this, personal data of employees within the meaning of Section 26 (8) BDSG may be processed to uncover criminal offenses if there are factual indications to be documented that justify the suspicion that the person concerned has committed a criminal offense in the employment relationship, the processing is necessary for detection and the employee's legitimate interest in the exclusion of processing does not outweigh this, in particular the type and extent are not disproportionate with regard to the reason.

What categories of data are processed?

Basically, we process personal data that we receive directly as part of a report. This may include:

1. Information about the reporting person (unless he/she wishes to remain anonymous) and the accused person(s), such as

• First and last name
• Contact details
• Other personal data relating to the employment relationship, if applicable

2. Personal information, such as data subjects identified in a report as a person alleged to have engaged in misconduct and identified in the investigation, including details of the allegations made and supporting evidence.

3. Date and time of the calls (when the message is received by telephone)

4. Any other information identified in the investigation results and in any further proceedings, e.g. information on criminal conduct or     data on unlawful or improper conduct, insofar as this has been reported.

5. Information about violations that may also allow conclusions to be drawn about a natural person.

Who has access to the personal data?

Personal data collected via the web-based software is only made accessible to those persons who have a legitimate need to process this data due to their function. If the report is received via the telephone hotline, the report will be recorded in the reporting system while preserving the anonymity of the reporting person.

We have commissioned a neutral Compliance Ombudsperson to receive and qualify a report: THS Treuhand Saar Compliance GmbH, Feldmannstraße 103, 66119 Saarbrücken, Germany.

The latter operates our internal reporting office on our behalf with the aid of a web-based application from lawcode GmbH, Universitätsstraße 3, 56070 Koblenz, Germany.

Depending on the focus of responsibility of the report and for the effective initiation of follow-up measures, the personal data required as part of the report may be passed on to the responsible internal specialist departments.

In some cases, the Controller is obliged to disclose the data to authorities (such as those with legal or regulatory jurisdiction over the employer, law enforcement authorities and legal bodies) or external advisors (such as auditors, accountants, lawyers).

If the reporting person has provided their own name or other personal data (non-anonymous reporting), their identity will not be disclosed - as far as legally possible - and it will also be ensured that no conclusions can be drawn about the identity of the reporting person.

If personal data is processed by external service providers, this is always done based on order processing contracts in accordance with Art. 28 GDPR. In these cases, we ensure that the processing of personal data is carried out in accordance with the provisions of the GDPR and that all persons authorized to process personal data have undertaken to maintain confidentiality or are subject to an appropriate statutory duty of confidentiality.

Your rights as a data subject

Within the framework of the respective regulations (in particular Art. 15-21 GDPR), you have various rights with regard to the processing of your personal data:

• Right to information,
• Right to rectification,
• Right to erasure,
• Right to restriction of processing
• Right to data portability.
• You also have the right not to be subject to an exclusively automated individual decision.
• Right to lodge a complaint with a competent data protection supervisory authority.

The right to information and the right to erasure are subject to legal restrictions. If we process your data to protect legitimate interests, you can object to this processing if your particular situation gives rise to reasons that speak against data processing.

In accordance with Art. 7 GDPR, you have the right to withdraw your consent to data processing at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

Further information on the right to object can be found below.

Is there an exclusive automated decision-making process?

No.

Does profiling take place?

No.

Duration of data storage

The personal data will be stored in the respective procedure for as long as required for the clarification and final assessment, a legitimate interest of the company or a legal requirement exists. This data is then deleted in accordance with legal requirements. The duration of storage depends in particular on the severity of the suspicion and any reported breaches of duty.

Personal data in connection with reports will be deleted immediately by the Compliance Ombudsperson if they are deemed to be manifestly unfounded.

Right to object pursuant to Art. 21 GDPR

Pursuant to Art. 21 GDPR, you have the right to object to the processing of your personal data on grounds relating to your particular situation. Your personal data will then no longer be processed unless the Controller demonstrates compelling legitimate reasons for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims.

The objection can be made informally and should, if possible, be addressed to the above-mentioned Controller or its internal reporting office.

Information pursuant to Art. 13 para. 2 lit. e GDPR

The provision of data via a notification is neither contractually required nor necessary for the conclusion of a contract. Depending on the individual case, there may be legal obligations to provide us with a report. However, it is necessary to process the data in order to process and investigate the report appropriately.

Other notes

We reserve the right to update this data protection notice if necessary.

Status: December 2023