Privacy policy for the whistleblower system

I. Introduction

Compliance with the principle of legality and responsible, fair and sustainable business practices have always been a top priority for our company and an integral part of our values. We are convinced that only such entrepreneurial action will lead to long-term success. Violations of applicable law or internal regulations jeopardize the long-term success of the company. Damage to reputation or other serious disadvantages, such as compensation or penalty payments as well as order suspensions, can cause lasting damage to the company. Reporting possible violations or risks helps to prevent such negative consequences. SCHROTH Safety Products GmbH (hereinafter referred to as "SCHROTH", "we", "us" or "our") is convinced that a whistleblower system helps to quickly identify weaknesses and grievances and thus contributes directly to the sustainable success of the company.

We would therefore like to encourage you as the reporting or whistleblowing person to contact our reporting office with suspicious circumstances, providing as much specific information as possible. All reports will be treated confidentially.

Please note that a deliberately false report may have criminal consequences.

For reasons of better readability, the simultaneous use of the language forms male, female and diverse (m/f/d) is dispensed with. All personal designations apply equally to all genders.

II. Information

1. Who can report violations?
Any employee, including trainees, students, interns or temporary workers, can report possible violations of applicable law or internal regulations. Third parties, such as customers, suppliers and business partners, can also report a violation.

2. Where can a tip be submitted?

a) Internal reporting office

Online registration form -
You can submit your reports by text message via an online registration form on our website.

By telephone
You can also submit your notification by telephone. To do this, please dial

+49 (0) 2932 9742-100.
You can reach us by phone from Mon. to Thurs., 08:00-17:00 and on Fri. from 8:00 - 13:00.

Postal
If you do not wish to submit your anonymous report digitally via the online form, you also have the option of sending it by post. If you choose this method of reporting, please send your report to the following address:

SCHROTH Safety Products GmbH
Compliance department
Im Ohl 14
59757 Arnsberg
Germany

b) External reporting offices

Reporting office of the Confederation

In addition to reporting information about a violation to the internal reporting office, you can also report it to an external reporting office. The federal government's external reporting office is located at the Federal Office of Justice (BfJ). The reporting channels and further information on the BfJ's external reporting office are published on the website https://www.bundesjustizamt.de/DE/MeldestelledesBundes/MeldestelledesBundes_node.html.

Reporting office of the Bundeskartellamt

You can also find an external reporting office at the Federal Cartel Office. On the website https://www.bundeskartellamt.de/DE/Aufgaben/Kartelle/HinweiseAufKartellverstoesse/hinweiseaufverstoesse_node.html you will find detailed information on the respective reporting options.

Section 7 para. 1 sentence 1 of the Whistleblower Protection Act (HinSchG) provides for a right to choose. However, according to Section 7 para. 1 sentence 2 HinSchG, whistleblowers should prefer to report to an internal reporting office in cases where effective internal action can be taken against the violation and they do not have to fear reprisals. We therefore ask you to first contact our confidential internal reporting office with any suspicious circumstances.

3. Can tips also be submitted anonymously?
An anonymous submission of information, i.e. without providing personal data, is generally possible via our reporting system.

However, we recommend that you give our reporting office an opportunity to contact you, as otherwise there will be no possibility for us to contact you if there is still a need for clarification and the matter may not be able to be clarified further without your cooperation.

4. Which violations can be reported?
The range of violations that you can and should report is wide. All violations or reasonable suspicions in the context of professional or entrepreneurial activities that are subject to criminal penalties or fines, as well as violations of legal provisions and internal company regulations, e.g. the Code of Conduct, can be reported. These include, for example, fraud, bribery and corruption, money laundering, theft, competition/antitrust violations, consumer protection, data protection, discrimination and harassment, occupational health and safety, environmental, health and safety issues, human rights violations, conflicts of interest and energy management.

The list is not exhaustive. A complete list of possible circumstances can be found in § 2 of the HinSchG.

Examples of violations:

• possible violations by employees of applicable law, such as laws or regulations or internal rules (e.g. Code of Conduct or internal guidelines).
• Possible violations of applicable law or internal guidelines by business partners.

5. What details should be reported?

• What is your relationship with SCHROTH?
• What type of misconduct (e.g. corruption, fraud, discrimination, etc.) is involved?
• When did the incident happen?
• Where did the incident happen?
• Who are the suspects/participants/witnesses?
• What additional information on misconduct is reported?

You can also upload supporting documents.

6. What happens after the notification is received
Receipt of the registration will be confirmed in writing or electronically within 7 days.

If, after the initial assessment, the Internal Reporting Office investigator concludes that there are no indications of relevant misconduct, he will discontinue the procedure and inform you in writing of his decision and the reasons for it as soon as possible.

If, after an initial assessment, the Internal Reporting Office investigator concludes that there is evidence of relevant misconduct, appropriate action will be taken, which may include the appointment of one or more persons (either within or outside SCHROTH) to investigate the disclosure. The investigator will provide you with feedback no later than 3 months from the date of acknowledgement of receipt of the report. The feedback will contain information on the progress of the investigation and its expected timeframe.

7. How are whistleblowers protected?
Any form of discrimination against whistleblowers is prohibited and will not be tolerated. This includes, for example, intimidation of whistleblowers or negative consequences under employment law as a result of reporting. In addition to the prohibition of discrimination, internal processes have been implemented to protect whistleblowers in the best possible way. This includes the option of anonymous reporting.

III. Data protection information on the whistleblower system

In connection with the reporting of violations, we take the protection of your personal data (hereinafter referred to as "data") very seriously. We treat your data - insofar as it is processed as part of your report - confidentially.

Below we inform you in accordance with Art. 13 and 14 of the EU General Data Protection Regulation (GDPR) about the processing of your data within the framework of our whistleblower system. We will only process your data in accordance with the applicable data protection regulations. These requirements result in particular from the GDPR and the German Federal Data Protection Act (BDSG). This data protection information supplements our general data protection information for employees and website visitors.

1. Who is responsible and data protection officer
We are responsible for

• the confirmation of receipt of the notification,
• the examination of whether an infringement falls within the material scope of application,
• Contact with the reporting party,
• Verification of the validity of the notification,
• Obtaining further information from the reporting party, if necessary, and
• Taking appropriate follow-up measures.

The responsible body is SCHROTH Safety Products GmbH, Im Ohl 14, 59757 Arnsberg.

You can contact our external data protection officer on all data protection issues as follows:

Dirk-Michael Mülot
Expert office Mülot GmbH
Grüner Weg 80
48268 Greven
Germany
E-mail: datenschutz@svb-muelot.de

2. What data is processed?
In principle, you can submit your reports anonymously, i.e. without providing any data. However, you can voluntarily disclose your data, including your first and last name, your address, your telephone number, your e-mail address and your suspicions. If you provide this or other data voluntarily, it will be processed by us.

We do not request or process special categories of personal data in accordance with Art. 9 GDPR, such as information on ethnic origin, religious and/or ideological beliefs, trade union membership or sexual orientation. However, you can voluntarily provide such special categories of personal data (e.g. in the free text or letter).

The notification you submit may also contain data from third parties to whom you refer in your notification. These data subjects have the opportunity to comment on the information. In this case, we will inform the persons concerned about the report or the information provided. Your confidentiality is also guaranteed in this case, as the person concerned will - as far as legally possible - not receive any information about your identity and your information will be used in such a way that your anonymity is not jeopardized.

Please note that it is often required by law that the persons who are the subject of a report or tip-off must be notified and heard. During the investigation, these persons have the opportunity to express their views on the report. The data subject may have a right to information under applicable laws that could compel us to disclose their identity. Government agencies may also have similar rights of access or seizure that result in the disclosure of your identity. This may be the case in particular if the person concerned claims that the information provided against them is intentionally or grossly negligently untrue and then decides to press charges.

3. For what purposes is your data processed?
We process your data within the framework of the applicable laws, in particular for the following specific compliance and information purposes:

• Checking the plausibility of information,
• Cooperation with the external service provider,
• Clarification of misconduct,
• Implementation of legal obligations,
• Prevention of future misconduct,
• Exercise of rights,
• Relief for employees,
• Implementation of duties to cooperate.

In addition, the purposes listed in the general data protection information for employees and website visitors may also be considered as possible purposes of data processing.

4. What is the legal basis for processing your data?
The collection, processing and disclosure of your data in the context of the notifications is carried out in accordance with the applicable data protection laws, including the GDPR and the BDSG.

Implementation of legal obligations: If the notification falls within the scope of the HinSchG, the legal basis for the processing of your data in connection with this notification is Section 10 HinSchG in conjunction with. Art. 6 para. 1 lit. c) GDPR.

Safeguarding legitimate interests: In all other cases, the processing of your data in relation to a (potential) infringement is based on our legitimate interest in investigating infringements, receiving reports of infringements and processing them in accordance with the standards and values we have established (Art. 6 para. 1 lit. f) GDPR). Our legitimate interests may include in individual cases:

• Right defense,
• Improvement of the compliance structure,
• Support for those affected,
• Implementation of foreign legislation.

Investigation of criminal offenses: The processing of data relating to criminal offenses is carried out in accordance with Art. 10 GDPR (and, if applicable, Section 9 (2) HinSchG). If reconnaissance measures serve to uncover possible criminal offenses in the context of employment relationships, these may be justified in accordance with Section 26 (1) sentence 2 BDSG. However, we will only base such data processing on Section 26 (1) sentence 2 BDSG in conjunction with Art. 6 (1) lit. Art. 6 para. 1 lit. b) GDPR if documented factual indications justify the suspicion of a criminal offense in the employment relationship and the interests of the data subject do not prevail.

Implementation of the employment relationship: Data processing in the context of reconnaissance measures may be necessary, among other things, for the implementation and termination of the employment relationship with employees (Section 26 para. 1 sentence 1 BDSG in conjunction with Art. 6 para. 1 lit. b) GDPR). This applies, for example, to reconnaissance measures to uncover breaches of duty under employment contracts that do not constitute a criminal offense. Reconnaissance measures may also be necessary for the processing of employment relationships. This may be the case, for example, if we impose sanctions under employment law against a person concerned on the basis of the findings obtained in the course of an investigative measure.

Consent: In addition, data may be processed on the basis of Art. 6 para. 1 lit. a) GDPR if the reporting person has given consent.

Processing of special categories of personal data: If, in exceptional cases, special categories of personal data are processed (sensitive data), the legal basis for the processing is Art. 9 GDPR, Section 10 HinSchG and Section 22 BDSG.

We do not intend to use your data for purposes other than those mentioned above.

5. Who are the recipients of your data?
Initially, only authorized persons gain knowledge of the data transmitted by the reporting person. Appropriate authorization systems and appropriate technical and organizational measures ensure that only the responsible persons have access to this data. The person from the Compliance department responsible for processing the violations internally as well as the representative is expressly obliged to maintain confidentiality.

Other recipients may be other companies in the SCHROTH Group. An exchange of data between the individual SCHROTH companies may therefore be necessary in order to process the infringements.

In order to fulfill the aforementioned purpose, it may also be necessary for us to transfer your data to third parties, such as law firms, authorities, such as criminal, regulatory or competition authorities within or outside the EU/EEA.

Your data will only be transferred to countries outside the EU or the EEA (so-called third countries) if this is necessary for the clarification of facts. In such a case, we ensure that the standard contractual clauses of the EU Commission are concluded with the recipient of the data and that all relevant additional guarantees are guaranteed. Otherwise, we do not transfer your data to countries outside the EU or the EEA or to international organizations.

6. How long will your data be stored?
Your data will be stored in accordance with the applicable data protection laws and deleted 3 years after the conclusion of the proceedings (Section 11 (5) HinSchG). In certain cases and for certain documents, a longer period may be appropriate, in particular if legal or administrative proceedings are pending in connection with the reported incident. Data may also be stored if this is required by European or national legislation to fulfill legal obligations, such as retention obligations. All data will then be deleted, blocked or anonymized.

7. What data protection rights do you have?
If we process your personal data, you have the right to the following to the extent permitted by law under the GDPR

• Information, in particular about stored data and processing purposes (Art. 15 GDPR),
• Correction of incorrect or completion of incomplete data (Art. 16 GDPR),
• Deletion of data that is no longer required (Art. 17 GDPR),
• Restriction of processing (Art. 18 GDPR),
• Objection to the processing (Art. 21 GDPR),
• data transfer, provided that processing is based on consent or is carried out for the performance of a contract or by automated means (Art. 20 GDPR), and
• Revocation of a consent given by you (Art. 7 para. 3 sentence 1 GDPR).
• Right to lodge a complaint with the supervisory authority (for SCHROTH: Landesbeauftragte für Datenschutz und Informationsfreiheit, Nordrhein-Westfalen, Postfach 20 04 44, 40102 Düsseldorf, Tel.: 0211/38424-0, E-Mail: poststelle@ldi.nrw.de).