Whistleblowing guideline in accordance with EU standards

1. Aim of the guideline

This Whistleblowing Policy has been developed to provide a secure and confidential way for addressees to report violations of laws, policies or ethics within the company. The purpose of the Whistleblowing Policy is to ensure the integrity, transparency and compliance of our company and to ensure that reported violations are handled appropriately.

2. Scope:

This policy applies to all employees, contractors, suppliers and other stakeholders associated with our company.

3. Reporting Violations:

a) Recipients are free to report possible violations of law, policy or ethics of which they become aware. A non-exhaustive list of offenses that are specifically covered in this regard can be found under 3.b.. This is provided that the individual raises his or her concerns in good faith and in accordance with this policy.
b) This includes in particular, but is not limited to, the following offenses:
• Corruption: bribery, acceptance of bribes, improper benefits or kickbacks.
• Financial fraud: Falsification of accounting records, financial statements or other financial records.
• Insider trading: improper use of confidential information for personal gain in trading stocks or other securities.
• Theft or misappropriation of company assets.
• Violation of competition law: Unfair competition, abuse of a dominant market position or cartelization.
• Money laundering: concealment of the origin of illegally acquired funds.
• Violation of labor law: discrimination, bullying, harassment or violation of employee rights.
• Violation of environmental regulations: Illegal disposal, pollution, or violations of environmental laws.
• Violation of consumer protection: misleading advertising, product tampering, or sale of unsafe products.
• Violation of privacy policies: Misuse, theft or improper handling of personal data.
• Violation of supply chain standards: Exploitation of workers, child labor, forced labor, or violations of social and environmental standards along the supply chain.
• Violation of human rights: Aiding or condoning human rights abuses in connection with the company's business activities.
• Violation of occupational safety and health regulations: neglect of workplace safety or non-compliance with health standards.
• Violation of tax laws: tax evasion, misrepresentation on tax returns or other tax violations.
• Violation of ethics policies: Violations of corporate ethics, integrity or codes of conductc)
c) Explicitly not covered are exclusively personal, work-related complaints. This is understood to mean a complaint about a matter relating to an addressee's current or former employment that has a personal impact on the person concerned but does not have a wider impact on the company. In particular, this includes interpersonal conflicts between the addressees of the Policy, decisions by the Company regarding the hiring, transfer, compensation or promotion of an addressee, as well as decisions regarding the terms and conditions of employment or regarding the suspension or termination of an employment relationship, provided and to the extent that these are not at the same time violations subject to criminal penalties or fines or violations of federal and state laws. In such cases, notification to the immediate supervisor is requested.
d) Violations may be reported in writing through the following reporting channel: Whistleblowing
Online: Reporting by dialing into the whistleblowing link located on the website. Whistleblowers have the option of submitting reports anonymously and in encrypted form via a secure online connection. Access to this link is protected by appropriate security measures. In particular, there is the option of anonymous reporting via an encrypted portal.
e) The confidentiality of the whistleblower is protected. The identity of the whistleblower will not be disclosed unless the whistleblower expressly consents or this is required by law.
f) If requested by the whistleblower, a face-to-face meeting will be facilitated. A reasonable place and time will be arranged to receive the report confidentially, at which time the identity of the whistleblower will be disclosed to the Responsible Officer in the Legal Department.

4. Data protection:

a) GDPR-compliant processing: All personal data, both that of the whistleblower and any accused persons, will be processed in accordance with the provisions of the General Data Protection Regulation (GDPR), insofar as personal data is involved.
b) Data economy: Only those personal data are collected that are necessary for processing the report and investigating the reported incident.
c) Access restriction: access to personal data will be limited to authorized persons responsible for processing the reports and investigating the allegations. These persons are subject to strict confidentiality obligations.
d) Storage period: Personal data will be stored only for as long as necessary to process the report and to comply with legal retention periods

5. Responsibility within the company:

Within the company, the "most appropriate" person is determined to receive and follow up on the notifications. This is primarily the legal department as the point of contact for compliance issues. In times of absence of the employees of the legal department, the mentioned group of persons is represented by employees of the human resources department.

6. Duty of the company:

a) Notification of receipt and outcome: Within seven days, the Company will acknowledge to the whistleblower that the report has been received. Within three months, whistleblowers must be informed of actions taken, the status of the internal investigation and its outcome. If the report was received anonymously via the online reporting channel, the notification can be made there despite the anonymity.
b) The company will investigate all reported violations objectively, impartially and in a timely manner and take appropriate measures to take appropriate corrective action based on the results of the investigation to remedy the violation and prevent further violations. The whistleblower shall be informed of this process on a regular basis. If the report is received anonymously, the investigation of the facts shall be based on the information provided.
c) Duty to provide information: The company shall provide employees with easily understandable and easily accessible information describing and informing them about the possibilities of the reporting process. This will be done in particular by providing instructions for employees. This includes not only the company's employees per se, but also suppliers, service providers and business partners.
d) Data retention: All documents related to whistleblowing reports and investigations are retained in accordance with the company's applicable data protection regulations and retention policies.
e) Duty to maintain the identity of the whistleblower: By reporting through the online system, it is possible to protect the identity of the whistleblower to the best extent possible. In the case of an anonymous report, communication is possible without the processor being able to identify the reporter. However, this only applies as far as the report does not contain any conclusions about the identity.

7. Protection against retaliation:

The Company expressly disclaims any retaliation against whistleblowers who report violations under this Policy. Any form of retaliation will be considered a violation of the Policy and may result in sanctions.

8. Consequences of False Reporting:

Protection for a whistleblower exists only if, at the time of the report, the whistleblower had reasonable grounds to believe that the facts reported were true and that the information provided concerned violations that fall within the scope of this Policy and the Whistleblower Protection Act. In the event of intentional false reports or intentional reporting of facts that do not belong to the designated scope of application, the Company reserves the right to take disciplinary action against the reporting person.

9. Final Clause:

Only the German version of the guideline shall be authoritative; the english version is for information purposes only.