1.1 Objective of this policy

We are committed to promoting and supporting a culture that encourages employees to speak up when they encounter behaviour in the workplace that is unethical, illegal or contrary to the values of our Code of Conduct.
Whistleblowers are an important source of information to uncover unlawful or unethical behaviour that needs to be corrected and the company is committed to protecting whistleblowers from retaliation and discrimination.
This policy is intended to provide clarity on how the Company supports whistleblowers so that you:

• Are encouraged to raise your concerns;
• know how to raise your concerns;
• know what will happen if you raise your concerns; and
• feel safe and protected when raising your concerns

The latest version of this policy is available on the intranet and website.

1.2 Who can report?

Reports can be made by current or former employees, directors, board members, officers, suppliers and service providers, interns and other business partners. This also applies to relatives, family members or spouses of these persons.

1.3 What can be reported?

To make a report, the reporting person must reasonably believe that the disclosure reveals past, present or likely future misconduct that properly falls into one or more of the following categories:

• Theft, embezzlement and misappropriation, fraud
• Bribery and corruption
• Competition and antitrust offences
• Discrimination and harassment
• Conflicts of interest
• Product safety
• Environmental, health and safety violations
• Violation of human rights
• Insider trading
• Data protection and information security
• Sanction violations
• Violations of the company name Code of Conduct

The whistleblower system is not designed to resolve general complaints.  In the event of personal work-related problems, employees can contact the HR department. Customers can contact Customer Service with complaints.

2.1 Internal reporting channels

The company has set up a whistleblower portal. Reports can be submitted via this portal.
Whistleblowers can also discuss their concerns internally directly with their line manager or a contact person.

2.1.1 Person of trust

The confidential counsellor serves as an independent authority and recipient of incoming reports between the whistleblower and the company in our portal.
Reports can be submitted there at any time, 24 hours a day, in various languages via a secure system. The reporting process is encrypted and password-protected. You receive a unique reference and assign your own PIN, which you can use to view the status of processing. Communication with the whistleblower takes place on this secure platform.
Reports can also be sent by post or, by arrangement, in a personal meeting.  

2.1.2 Anonymity

If you make a report, you can do so anonymously. You will remain anonymous during and after the investigation.
If you submit an anonymous report via the whistleblower portal, you will receive a unique reference. You can then log in to the whistleblower portal to provide further information or request an update. 

2.1.3 Reporting requirements

In order to make a report, the reporting person must reasonably believe that the disclosure reveals past, present or likely future misconduct.
A whistleblower acts in good faith if he or she believes that the information is comprehensive and accurate. This applies even if the suspicion of a violation is not confirmed and information is disproved in the course of the investigation.
All reports should be as objective and complete as possible. Although consultation with the whistleblower will take place during case handling, mere suspicions should be avoided. Whistleblowers can use the following questions as a guide for the reporting process:

• What happened?
• When did it happen?
• Who was or is involved?
• Are the circumstances ongoing?
• How high is the risk and how time-critical is the offence to be reported?
• Who has knowledge of the offence?
• Documents that help to clarify the report should be made available when reporting violations.

2.2 External reporting channels

Whistleblowers are free to report a violation of the law to state authorities. However, we would like to encourage whistleblowers to submit reports via internal channels first. In this way, we can ensure that any misconduct is rectified as quickly as possible and further damage can be averted.

3.1 Confirmation of receipt

Whistleblowers will receive confirmation of receipt of their report within seven days. If you have submitted a report anonymously, you will find the confirmation as well as all questions and feedback on your report in the whistleblower portal.

3.2 Review

The confidential counsellor first checks all reports to see whether they fall within the scope of this directive. If it is a whistleblowing report in accordance with this policy, the company will appoint an investigating officer.  The investigator may be an employee or an external service provider. The nature and scope of the investigation methods will vary depending on the nature of the reported offence and may require the involvement of experts.
An investigator is determined based on whether he or she is qualified to conduct the investigation in a timely, professional, objective, fair and independent manner. Reports will be processed in accordance with applicable laws. 

3.3 Completion of the investigation

The type of corrective measures to prevent future violations is developed with the relevant departments on a case-by-case basis. The results of the investigation are communicated directly to the Management Board and, if necessary, to the Supervisory Board.
In accordance with the EU Directive, the whistleblower is informed of the results of the investigation and the follow-up measures taken within 3 months (in exceptional cases within 6 months) via the whistleblower portal.

The company ensures protection and measures that enable whistleblowers to report violations confidentially and without fear of intimidation, discrimination or reprisals. Discrimination in this sense includes direct and indirect acts or omissions that may be attributable to the reporting of a violation.
Any person who retaliates against a whistleblower for reporting a violation or participating in an investigation will be subject to consequences under labour law and disciplinary action, up to and including termination of employment.

4.1 Confidentiality

As the most important measure to protect the identity of the whistleblower, access to the whistleblower portal and the processing of reports is restricted to a strictly limited group of persons, so that only persons entrusted with the report are aware of the identity of the whistleblower and the content of the report, provided the whistleblower discloses his or her identity.
The identity of the whistleblower remains confidential at all stages of the processing of reports and may only be disclosed with the express consent of the whistleblower, unless disclosure is required by law. In this case, the whistleblower will be informed in advance.

4.2 Protection of data subjects

The rights of persons to whom reports are made under the whistleblower system are governed by the relevant data protection laws. The persons affected by a report are informed as quickly as possible about the report received and made aware of their duty to provide information and their right to rectification. However, if there is a significant risk that the notification could jeopardise an internal investigation, the notification may be postponed until the investigation has been completed or the corresponding risk no longer exists. Data subjects have the right to request access to data concerning themselves and may request changes.

4.3 Data protection

Information in the context of incoming information and subsequent processing is processed in accordance with the requirements of the European General Data Protection Regulation (GDPR). All necessary precautions are taken to ensure the security of the data during collection, communication or storage. You have the right to access, amend and rectify your personal data.

4.4 Exclusion

Deliberate misreporting constitutes a breach of the Code of Conduct and will result in disciplinary action. If a person knowingly makes a false report, there may also be legal consequences.

For those parts of the Group that are subject to laws or regulatory requirements that conflict with this Policy, the stricter standard shall apply. This policy is not part of an employment contract.

National law remains unaffected by this Directive. Where national law conflicts with this Directive, national law shall prevail.

Data protection information on the collection of personal data in accordance with Articles 13, 14 and 21 of the General Data Protection Regulation (GDPR) for whistleblowers

With this information we inform you about the processing of your personal data and the rights to which you are entitled under data protection law if you submit a report (anonymously or not anonymously) in our whistleblower protection system or if you make a report by telephone. 

1. who is responsible for data processing and who can I contact?

Responsible body: Nivus GmbH, Im Täle 2, 75031 Eppingen

Data Protection Officer: EmEtz GmbH, Mail: datenschutz@nivus.de

2. what data we process, what we process your data for (purposes of processing) and on what legal basis we do so:

The data processing is carried out exclusively for the examination and processing of your information in which you report the violation of behaviour (e.g. fraud, corruption, insider trading) as well as the violation of human rights, environmental concerns, other legal provisions and similar cases, as well as the associated clarification of the facts. The legal basis for processing is Art. 6 (1c) (GDPR) in conjunction with the Whistleblower Protection Act (HinSchG)..

We may process personal data of employees on the basis of Section 26 (1) sentence 2 BDSG. According to this, personal data of employees within the meaning of Section 26 (8) BDSG may be processed to uncover criminal offences if there are factual indications to be documented that justify the suspicion that the person concerned has committed a criminal offence in the employment relationship, the processing is necessary for detection and the employee's legitimate interest in the exclusion of processing does not outweigh this, in particular the type and extent are not disproportionate with regard to the reason.

If necessary, we also process your data as part of the balancing of interests in accordance with Art. 6 (1f) GDPR. We process information on employee status, information on data subjects and other information that allows conclusions to be drawn about natural persons on the basis of Art. 6 para. 1 f) GDPR. Accordingly, processing is lawful if processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data in order to safeguard our legitimate interests or those of a third party. This may be the case for:

Depending on the specific individual case to be examined, our legitimate interest lies in the processing of reports in order to prevent, detect or prosecute violations of applicable law or company guidelines. This may also include checking the validity of the allegations made in the report and, if necessary, internal enquiries, investigations and the initiation of criminal prosecution measures. Whether the interests or fundamental rights and freedoms of the data subject conflict with such data processing will be examined on a case-by-case basis, including with regard to the offence.

We require your consent to disclose your identity to third parties unless the information must be provided on request in criminal proceedings. We also require your consent if you make a report to us by telephone and an audio recording is made. The legal basis for processing is Art. 6 (1a) GDPR.
Once consent has been given, it can be withdrawn at any time. Please note that the revocation is effective for the future. Processing that was carried out before this revocation is not affected by this.

3. to whom is the data forwarded (categories of recipients)?

We have set up an internal reporting centre. This means that only those persons and departments within our company who need the reports to fulfil our legal obligations receive them. 

We have carefully selected a service provider, Sicoda compliance GmbH, Rochusstr. 198, 53123 Bonn, Germany, to provide the portal. The portal is provided as a software as a service solution. We have concluded an order processing contract with the service provider in accordance with Art. 28 GDPR. 

If you submit a report via the portal, no IP addresses will be stored. Unless you voluntarily provide contact details, your report is anonymous and cannot be traced from the server data. The text you have entered may, of course, make it possible to identify you.

Our employees and the service providers commissioned by us are obliged to maintain confidentiality and comply with the provisions of the applicable data protection regulations.
Data may be passed on to external bodies in the following cases:

• to law enforcement authorities upon request in criminal proceedings
• on the basis of an order in administrative proceedings following a report, including administrative fine proceedings
• to courts on the basis of a court decision
• to external lawyers for case processing

If the success of the investigation is not jeopardised by informing the accused person of the data and if no legitimate interests of the whistleblower prevail, we will usually inform the accused person after four weeks, but possibly also later.

Duration of data storage:
The personal data will be deleted after the investigation has been completed. If the report proves to be unfounded, we will delete your data once the matter has been concluded. The usual retention period is therefore between 3 and 10 years.

Data transfer to third countries:
A transfer to a third country is not intended (or does not take place).

Rights of data subjects:
You can request information about the personal data stored about you using the contact details provided above. (Art. 15 GDPR). In addition, under certain conditions, you can request the rectification or erasure of your data (Art. 16 and 17 GDPR). You have the right to request the restriction of the processing of your personal data (Art. 18 GDPR). In addition, you have the right to receive the data you have provided to us in a structured, commonly used and machine-readable format (Art. 20 GDPR).

Right to lodge a complaint:
You have the right to lodge a complaint with the data protection officer named above or with a data protection supervisory authority.

Right to object:
If we process your data to protect legitimate interests, you can object to this processing if there are reasons arising from your particular situation that speak against data processing.