DRÄXLMAIER takes the protection of personal data very seriously. This privacy policy explains what personal data we collect from you as the referring person and how we use it. We ensure compliance with the applicable data protection regulations through appropriate technical and organizational measures.

Responsibilities

Different DRÄXLMAIER companies may be responsible for processing your information. This depends on where you submit your information and which company processes your information.

Person responsible for receiving and checking your information

The controller within the meaning of Art. 4 No. 7 GDPR (“European General Data Protection Regulation”) is generally the DRÄXLMAIER company to which you address your notice.

This is when you submit information via the following complaint channels:

• By e-mail or telephone directly to the Compliance Department:
  • E-Mail: compliance-office@draexlmaier.com
  • Phone: +49 8741 47 6561;
• In person in an appointment with the Compliance Department; or
• About the electronic whistleblower system INTEGRITY LINE                                                 

the

DRÄXLMAIER Group SE & Co. KG,
Landshuter Straße 100,
84137 Vilsbiburg,
Germany.

If you submit a report via the INTEGRITY LINE whistleblower system, you will find further information on data processing in INTEGRITY LINE.

If you submit information via the other complaint channels listed below (hereinafter "other complaint channels"):

• your direct superior;
• the HR organization at your location;
• the local employee representative at your location;
• the local Compliance Officer at your location;
• the ombudsman (where available),
• a complaints mailbox,

the company is responsible,

• where your direct superior is employed,
• to which the HR organization, the local employee representative body or the local compliance officer belongs,
• for which the ombudsman is active, or
• where the complaints mailbox is operated.

Person responsible for the further processing of your information

In accordance with our internal rules of procedure for whistleblowing, your report may be passed on to another compliance office at DRÄXLMAIER for further processing. A transfer will only take place with your prior consent. In this case, we will inform you in advance to which other compliance office we would like to hand over your report and at which DRÄXLMAIER company this compliance office has been set up. The company to which the report is submitted for further processing will then be responsible for further processing.

Data Protection Officer

You can contact the data protection officer of DRÄXLMAIER Group SE & Co. KG as follows:

DRÄXLMAIER Group SE & Co KG
Data Protection Officer
Landshuter Straße 100,
84137 Vilsbiburg,
Germany.

You can contact the Data Protection Officer of DRÄXLMAIER Group SE & Co KG by e-mail at privacy@draexlmaier.com.

You can also contact the Data Protection Officer of DRÄXLMAIER Group SE GmbH & Co. KG,

• if a company other than DRÄXLMAIER Group SE & Co KG is responsible for the other complaint channel you are using, or
• your information is further processed by another DRÄXLMAIER company with your consent.

Personal data

In principle, the use of DRÄXLMAIER's complaint channels is - as far as legally permissible - possible without providing personal data. However, you can voluntarily disclose personal data as part of the whistleblowing process, in particular information about your identity, first and last name, country of residence, telephone number or e-mail address.

In principle, we do not request or process any special categories of personal data, e.g. information on racial and/or ethnic origin, religious and/or ideological beliefs, trade union membership or sexual orientation. However, due to the free text fields in the registration form, you can voluntarily disclose such special categories of personal data.

The information you provide may also contain personal data of third parties to which you refer in your information. Data subjects are given the opportunity to comment on the information. In this case, we will inform the persons concerned about the notification. Your confidentiality is also protected in this case, as no information about your identity will be provided to the person concerned - as far as legally possible - and your report will be used in such a way that your anonymity is not jeopardized.

Purpose and legal basis of the processing

The use of a complaints channel enables you to contact us and report information on compliance and legal violations. We process your personal data in order to review the report you have made and to investigate the suspected compliance and legal violations. In doing so, we may have further questions for you. For this purpose, we only communicate via the complaint channel you have selected or the contact option you have provided. The confidentiality of the information you provide is our top priority.

The corresponding processing of your personal data is based on your consent given at the time of registration (Art. 6 para. 1 lit. a GDPR).

Furthermore, we process your personal data insofar as this is necessary to fulfill legal obligations. This includes, in particular, reports of matters relevant under criminal, competition and labor law (Art. 6 para. 1 lit. c GDPR).

Finally, your personal data will be processed if this is necessary to safeguard the legitimate interests of the company or a third party (Art. 6 para. 1 lit. f GDPR). We have a legitimate interest in the processing of personal data for the prevention and detection of violations within the company, to check the legality of internal processes and to safeguard the integrity of the company. If it is no longer objectively necessary to process personal data for the prevention and detection of violations, we will inform the accused person to the extent necessary. This also applies to other persons named in the report.

If you provide us with special categories of personal data concerning you, we process these on the basis of your consent (Art. 9 para. 2 lit. a GDPR). We process special categories of personal data of third parties if and insofar as this is legally permissible. In Germany, the processing of special categories of personal data of third parties is also permitted without consent in accordance with Section 10 of the Whistleblower Protection Act (HinSchG).

We also use your personal data in anonymized form for statistical purposes.

We do not intend to use your personal data for purposes other than those listed above. Otherwise, we will obtain your consent in advance.

There is no automated decision-making.

Technical implementation and security of your data

DRÄXLMAIER secures all data submitted via the whistleblower channels provided by DRÄXLMAIER in accordance with the state of the art. In particular, access is restricted to a very narrow circle of expressly authorized employees of the Compliance division of DRÄXLMAIER.

Disclosure of personal data

DRÄXLMAIER operates internationally and has locations in various countries within and outside the European Union. The stored data can only be viewed by specially authorized persons within the company. Insofar as this is necessary to fulfill the purpose stated for this purpose, specially authorized persons of our subsidiaries may also be entitled to inspect the data. This is particularly the case if the investigation of your report is carried out in the country concerned. All persons authorized to inspect the data are expressly obliged to maintain confidentiality.

In order to fulfill the stated purpose, it may also be necessary for us to transfer your personal data to external bodies such as law firms, criminal or competition authorities, within or outside the European Union (EU).

If we pass on your personal data within the Group or externally, a uniform, adequate level of data protection is ensured by means of internal data protection regulations and/or corresponding contractual agreements. If data is transferred to recipients outside the EU or the European Economic Area (EEA) and no adequacy decision pursuant to Art. 45 para. 3 GDPR exists for the respective countries or territories, we ensure an adequate level of data protection by concluding standard contractual clauses pursuant to Art. 46 para. 2 lit. c GDPR. These can be viewed on the website of the EU Commission at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj. In all cases, the responsibility for data processing remains with the company.

Duration of storage

We only store personal data for as long as is necessary to process your message or for as long as we have a legitimate interest in storing your personal data. Data may be stored for longer if this has been provided for by European or national legislation to fulfill legal obligations, such as retention obligations. All personal data will then be deleted, blocked or anonymized.

Your rights

If you have provided personal data, you have the right to information, correction and deletion of the personal data. You can also restrict the processing or request its transfer to another controller.

Furthermore, you have the right to object to the processing of your personal data at any time on grounds relating to your particular situation.

You have the right to withdraw your declaration of consent at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

You can assert these rights by sending an informal notification to the controller or our data protection officer named above. If you have asserted the right to rectification, erasure or restriction of processing against us, we are obliged to notify all recipients to whom we have disclosed the personal data concerning you of this rectification or erasure of the data or restriction of processing, unless this proves impossible or involves a disproportionate effort. We will inform you about these recipients on request.

Finally, without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR.

Status 05/25