Privacy Policy Whistleblower System

With the following information, we would like to inform you about the processing of personal data within the framework of the whistleblower system in the Salzgitter group.

This information applies to the following reporting channels within the Salzgitter group: You can submit information via the electronic reporting portal of Salzgitter AG (Complaint Management (osapiens.cloud)) by e-mail, telephone, letter or personal appearance at the reporting office of the relevant group company, Salzgitter AG or the ombudswoman.

I. Who is responsible for the processing of your personal data and who can you contact?

Responsible in the meaning of data protection law is

Salzgitter AG
Compliance Management / Corporate Legal Department of Salzgitter AG
Eisenhüttenstraße 99
38239 Salzgitter
Phone: +49 5341 / 21-9229
compliance.hotline@salzgitter-ag.de
Data Protection Officer: datenschutz.holding@salzgitter-ag.de

together with the respective group company to which the notice relates and which will follow up on the information.

A list of the group companies of Salzgitter AG can be found here: Our Business Units | Salzgitter AG (salzgitter-ag.com) and here Anteilsbesitzliste | Salzgitter AG (salzgitter-ag.com).

II. For what purposes is data processing carried out?

The purpose of the whistleblower system is to enable employees, business partners and all other parties affected by the activities of the Salzgitter group to provide information on possible violations of the law or other violations that are being investigated by the responsible departments in the group. At the same time, it enables all persons to draw attention to human rights and environmental risks as well as violations of human rights and environmental obligations by group companies or their suppliers.

III. What data is processed when using the electronic reporting portal?

1. Scope of data processing

Each time the electronic reporting portal is accessed, the system automatically collects the following data and information from the computer system of the calling computer:

(1) Partially anonymized IP address
(2) Device
(3) Operating system
(4) Web browser
(5) Referral and exit pages
(6) Date/time stamps

The data is stored in the log files of the system on servers in the EU in order to ensure the functionality of the electronic reporting portal and the security of the information technology systems. An evaluation of the data or a storage of this data together with other personal data of the users does not take place in this context.

The data will be deleted as soon as they are no longer required to achieve the purpose for which they were collected. If the data is stored in log files, this is the case after 14 days at the latest.

2. Legal basis and purpose of data processing

The legal basis for the collection of data and its temporary storage in log files is Article 6 (1) (f) GDPR. Access to the above-mentioned information by the system is necessary to enable the use of the electronic reporting portal by means of the users' end devices. These purposes also constitute our legitimate interest in data processing in accordance with Art. 6 (1) (f) GDPR.

3. Possibility of objection and removal

The collection of data for the provision of the electronic reporting portal and the storage of the data in log files is absolutely necessary for the operation of the electronic reporting portal. Consequently, there is no possibility of objection on the part of the users.

4. Use of cookies

The electronic reporting portal only uses technically necessary cookies that are necessary to ensure the functionality of the electronic reporting portal. These purposes also constitute our legitimate interest in the processing of personal data on the basis of Article 6 (1) (f) GDPR.

The user data collected by technically necessary cookies will not be used to create user profiles.

The following cookies are used:

Name | Provider | Purpose | Expiration | Type
SESSIOMA | Osapiens | Functionality of the website | After 5 days | Technically necessary

IV. What data is processed if you use a complainant account within the electronic reporting portal?

1. Scope and purpose of data processing

Within the electronic reporting portal, you have the option of voluntarily creating a complainant account. This is not a prerequisite for filing a complaint.

If no account is created, when filing a complaint, only the personal data specified in Section III.1. is collected under the conditions set out therein.

In the course of creating this account, at least a password to be assigned by the user himself and a pseudonym to be chosen are required. Optionally, and on a voluntary basis, users can provide their first and last name and also provide an e-mail address if they wish to receive news in connection with the handling of their complaint.

2. Legal basis, duration of storage, possibility of removal

The legal basis for the processing of the personal data processed in the course of account creation is the consent of the users pursuant to Art. 6 (1) (a) GDPR, which is transparently requested when the account is created. This consent can be revoked at any time without giving reasons and without causing any disadvantages to the users. On this basis, no more personal data will be processed. The lawfulness of the processing until the revocation is not affected by this.

The personal data of the users, which were collected in the course of creating the complainant account, will be stored until the users decide to delete the existing account within the electronic reporting portal (this is possible via "Edit profile"/"Delete account"), which also constitutes the revocation of consent. In the course of this, the data related to the account will be deleted immediately. However, this has no effect on the storage of data that may have already been sent to us in the course of complaints.

V. How will your data be processed if you use another reporting channel (e-mail, letter, telephone call, personal appearance)?

We use the electronic reporting portal to record and process all information/complaints received by Salzgitter AG. If you submit information by e-mail, letter, telephone call or by appearing in person at Salzgitter AG, all information you provide about the report or yourself will be entered into the electronic reporting portal. The original report is digitally stored in the electronic reporting portal, and the original is generally destroyed, unless storage is necessary for evidence purposes in individual cases.

If you submit the report via the ombudswoman and wish the report to be treated anonymously, no information about you will be passed on to us, and none will be stored in the electronic reporting portal.

Information on the processing of your data in the electronic reporting portal can be found in the next section VI below.

VI. How is your data processed in the electronic reporting portal?

1. Scope and purpose of the processing of personal data

As part of the entry and processing of reports in the electronic reporting portal, we process all data that is made available. In particular, the following data may be affected:

  • Information on the personal identification of the whistleblower (e.g. name, address, contact details, gender),
  • Employee status or other relationship which the whistleblower has with a company of the Salzgitter group,
  • information on natural persons who are referred to in a report as a person who has committed the infringement or with whom the designated person is associated (e.g. name, address, contact details, gender, other information that enables identification),
  • Information about violations that may allow conclusions to be drawn about a natural person.

We process this data for the purpose of investigating reports, in order to prevent and/or detect violations of applicable law or company policies and/or carry out follow-up measures (such as measures to verify the validity of the allegations made in the report and, where appropriate, to address the reported violation, including through internal investigations, external investigations, law enforcement actions, measures to (re)recover funds or close the proceedings).

2. Legal basis

The processing of personal data is carried out on the basis of the following legal bases:

  • We only process information on the identity of the whistleblower if the whistleblower has given us his or her consent to do so in accordance with Art. 6 (1) (a) GDPR by providing us with this data of his or her own accord.
  • We process information on employee status, information on data subjects and other information that allows conclusions to be drawn about natural persons on the basis of Art. 6 (1) (f) GDPR. Depending on the specific individual case to be examined, our legitimate interest is to process reports in order to be able to carry out follow-up measures, such as measures to verify the validity of the allegations made in the report and, if necessary, to take action against the reported infringement, including through internal investigations, external investigations, law enforcement measures, measures for the (re)recovery of funds or closure of the proceedings. Whether the interests or fundamental rights and freedoms of the data subject conflict with such data processing will be examined on a case-by-case basis, including with regard to the violation.
  • If a report received relates to an employee of Salzgitter AG or a Salzgitter group company, the processing also serves to prevent or prosecute criminal offences or other legal violations in connection with the employment relationship. In this case, the legal basis for the processing is § 26 para. 1 sentence 2 of the German Federal Data Protection Act (necessity of data processing for the detection of criminal offences).

3. How long will your data be stored?

As a rule, data is stored until the follow-up measures that may result from the report have been completed. In general, the documentation of a report is deleted three years after the procedure has been completed, unless applicable laws contain retention obligations that go beyond this (e.g. under the Supply Chain Due Diligence Act (7 years from creation)) or the initiation of further legal action requires further retention (e.g. the initiation of criminal proceedings or disciplinary proceedings). If reports contain personal data which, after examination, we consider to be obviously factually unfounded, we will delete them immediately – as far as this is possible and reasonable. However, this does not apply to the documentation of the report as such.

VII. Who receives your data?

1. Intra-group positions

All information will be treated confidentially and will only be accessible to employees who must necessarily access this data in order to process the case.

The group companies and/or the responsible compliance department of Salzgitter AG or Salzgitter Flachstahl GmbH, in the trading division Salzgitter Mannesmann Handel GmbH or KHS GmbH for their subsidiaries and associated companies check the validity of every indication. The underlying facts are clarified either by the Corporate Audit department of Salzgitter AG or by the management of the group company concerned, if necessary with the support of the responsible compliance department or the responsible legal department; the data is always treated confidentially. Depending on the focus of the report and for the effective initiation of follow-up measures, the personal data may be passed on to our responsible specialist departments.

In the context of processing a report or an investigation, it may be necessary to pass on personal data to employees in other group companies, e.g. if the information relates to events in other group companies of Salzgitter AG or if employees in other group companies have special expertise that is required for an investigation. If necessary for clarification, data may be transferred to subsidiaries of the Salzgitter group in a country outside the European Union or the European Economic Area, but always on the basis of suitable or appropriate data protection guarantees for the protection of data subjects. For data transfers to third countries in which there is no adequate level of data protection, it is ensured before the transfer that the recipient country either has an adequate level of data protection (e.g. on the basis of an adequacy decision of the European Commission or by agreement on so-called EU standard contractual clauses of the European Union with the recipient) or that the express consent of the data subjects has been obtained.

The board of directors and the group executive committee of Salzgitter AG are informed about reports and their processing status – without naming the whistleblowers.

We always make sure that the relevant data protection regulations are observed when passing on information.

2. External entities

As a matter of principle, personal data will only be transferred to third parties if there is a legal basis for doing so. This is particularly the case if the transmission serves to fulfil legal requirements according to which we are obliged to provide information, to report or to pass on data, if you have given us your consent to do so or if a balancing of interests justifies this.

Such a balancing of interests becomes necessary, for example, if a person named in a notice requests information pursuant to Art. 15 GDPR about his or her personal data stored by us. This request for information may also extend to information about the source from which we collected this data. In such a case, the interest of the data subject in the provision of this information and the interest of a reporting person in anonymity must be weighed against each other. As a rule, the interest of the data subject prevails if the whistleblower intentionally or grossly negligently reports incorrect information about violations.

Under certain circumstances, we may also pass on personal data to government security and/or law enforcement authorities, other competent authorities and/or persons bound to secrecy, such as auditors/lawyers.

3. Processors

For the provision of the electronic reporting portal, we work together with osapiens Services GmbH ("osapiens"), Julius-Hatry-Straße 1, 68163 Mannheim, Germany. They have developed the electronic reporting portal and host the system for us. Therefore, osapiens may take note of the personal data described in this privacy policy. osapiens acts as a processor for us. A data processing agreement required by Art. 28 (3) GDPR has been concluded. In it, osapiens was obliged to maintain confidentiality and to process personal data that falls under our responsibility under data protection law only in accordance with our instructions.

4. Ombudswoman

If you send information to the ombudswoman (Ms. Nina Weigel-Grabenhorst, SQR Rechtsanwälte LLP, Wolfenbütteler Straße 45, 38124 Braunschweig, salzgitter-ombudsfrau@sqr-law.com), our ombudswoman as a processor is obliged to forward the information contained in your report to Salzgitter AG (cf. I. 1.). If requested by the whistleblower, this will be done anonymously. A data processing agreement required by Art. 28 (3) GDPR has been concluded, which obliges the ombudswoman to maintain confidentiality.

VIII. No obligation to provide

There is no legal or contractual obligation for users to provide us with personal data, as a complaint or reporting of an incident is voluntary.

IX. What data protection rights do you have?

If your personal data is processed and the legal requirements are met, you have the following rights vis-à-vis us as the controller:

(1) Right to information according to Art. 15 GDPR
(2) Right to rectification according to Art. 16 GDPR
(3) Right to erasure according to Art. 17 GDPR
(4) Right to restriction of processing according to Art. 18 GDPR
(5) Right to data portability according to Art. 20 GDPR
(6) Right to revoke the declaration of consent under data protection law (Art. 7 (3) GDPR). Please note that in the event of a revocation, data may have already been passed on to an external body in accordance with VII.

You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out on the basis of Article 6 (1) (e) GDPR (data processing in the public interest) and Article 6 (1) (f) GDPR (data processing on the basis of a balancing of interests). The objection can be made informally and, if possible, should be sent to the contact details listed in this data protection notice under I.

Your personal data will then no longer be processed unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing is for the purpose of asserting, exercising or defending legal claims.

Without prejudice to any other administrative or judicial remedy, data subjects have the right to lodge a complaint with a supervisory authority pursuant to Art. 77 GDPR if they consider that the processing of personal data concerning them violates the GDPR.