Data Privacy of the Company Website and Portals of genua

For technical reasons, genua processes a limited amount of data (so-called connection data) each time the website is accessed. This data is technically necessary to establish and carry out a connection between your terminal device and our servers. The processing is based on Art. 6 para. 1 p. 1 lit. f) GDPR. The following data or data categories may be collected in the process:

• Name of the website that is accessed

• Time and date of access

• Browser type and version

• The user operating system

• Referrer URL (the previously visited page)

• IP address

• possibly Username

This log data is only processed for statistical evaluations for the purpose of operation, security and optimization of the offer. However, we reserve the right to subsequently review the log data if there is a justified suspicion of unlawful use based on specific indications.

This data is deleted or anonymized after the end of the connection and is therefore not used to create user profiles.

Cookies are text files that allow device-specific information to be stored on the end device used.

Cookies that are necessary to carry out the electronic communication process (necessary cookies) are stored on the basis of Art. 6 para. 1 p. 1 lit. f) GDPR. genua has a legitimate interest in storing cookies for the technically error-free and optimized provision of its services. The legal basis for storing information in the end user's terminal equipment is Section 25 para. 2 (2) TDDDG (German Telecommunications and Telemedia Data Protection Act). The use of session cookies is absolutely necessary so that we, as the provider of the genua websites (telemedia service), can provide this expressly requested telemedia service. If consent to the storage of cookies has been requested, the storage of the cookies in question will be based exclusively on this consent (Art. 6 para. 1 p. 1lit. a) GDPR and Section 25 para. 1 TDDDG); consent can be revoked at any time.

genua provides you with the option to make general contact within the framework of the company website. If you wish to use these offers, you will be asked to enter personal data that is required to process your request. In this context, genua collects your last name and e-mail address (mandatory information) and, if applicable, your title, first name, telephone number, company, postal address (optional information). It is your free decision whether you use these offers and enter your data. genua collects this data in order to be able to use a personal approach when communicating with you. The legal basis for data processing is Art. 6 para 1 p. 1 lit. f) GDPR. This results from the economic, conceptual and technical interest in the provision and use of a contemporary information medium as well as to answer your inquiry.

a) Purpose and legal basis of data processing

Through our whistleblower tool, genua ensures greater protection for whistleblowers who want to report violations of EU or German law. Through this tool, genua has established a secure channel for whistleblowing. The purpose of processing personal data is to manage genua's whistleblower system, including the detection of serious violations or potential violations of German or EU law or other serious matters.

The processing of personal data is necessary for compliance with a legal obligation to which genua is subject, cf. Art. 6 para. 1 p. 1 lit. c) DSGVO. This is the German Law for Better Protection of Whistleblowers and for the Implementation of the Directive on the Protection of Persons Reporting Breaches of Union Law, which transposes the EU Directive "Directive on the Protection of Persons Reporting Breaches of Union Law" (2018/0106 COD) into national law.

In addition, the processing is necessary to protect genua's legitimate interest in detecting serious violations or potential violations of German or EU law or other serious matters that override the interests or fundamental rights and freedoms of the data subject, cf. Art. 6 para. 1 p. 1 it. ) GDPR.

As far as the processing of special categories of personal data is concerned, the processing is necessary for reasons of substantial public interest on the basis of the Law for Better Protection of Whistleblowers and for the Implementation of the Directive on the Protection of Persons Reporting Breaches of Union Law, cf. Art. 9 para. 2 lit. g)GDPR. In addition, the processing of special categories of personal data is necessary for the establishment, exercise or defense of legal claims, see Art. 9 para. 2 lit. f) GDPR in conjunction with Art. 6 para. 1 p. 1 lit. f) GDPR.

The processing is also necessary for the performance of a task carried out in the public interest, cf. Art. 6 para. 1 p 1 lit. e) GDPR.

The data subjects are primarily the persons to whom the reporting relates, including employees, partners or other persons professionally associated with genua, depending on who is mentioned in the notification. Moreover, genua processes personal data about the reporting person if the reporting person submits his or her contact information or other information from which the reporting person can be directly or indirectly identified. As the reporting person, you must therefore be aware that genua may process personal data about you in connection with the processing of the reported case.

Reporting can be done 100% anonymously. In this case, no personal data of the reporting person will be processed.

The categories of personal data that are processed depend on the information reported. If the reporting person reports personal data about another person, including the reported person or persons, genua also processes this personal data. Which personal data are processed in this case depends on which personal data are included in the report. The following categories of personal data may be processed:

• General personal data (name, address, e-mail address, telephone number, position, etc.)

• Personal data on criminal convictions or the suspicion of such activity

• Special categories of personal data (information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, data concerning health, and data concerning a person's sex life or sexual orientation)

genua advises the reporting person to report only information that is of specific relevance to the reported case and, in particular, not to report information about criminal offenses and special categories of personal data unless this is of central importance to the processing of the reported case.

b) Obligation to provide personal data

There is no obligation to provide the personal data listed under Section 3, as reports can also be made anonymously. However, it may not be possible for genua to process the report without providing the personal data.

c) Recipients of personal data

The reports are created in the Internal Audit department of Bundesdruckerei Gruppe GmbH as a ticket in the WhistleB system, made available as a system message to genua's management and evaluated by them. After the assessment, the system messages are passed on internally to genua's Compliance Officer, who processes them. The reason for this being forwarded is that only the respective management can decide on any follow-up measures, not the Internal Audit department of Bundesdruckerei Gruppe GmbH. In this context, personal data is only passed on for a specific purpose and in accordance with the principle of data minimization, i.e. only the personal data that is absolutely necessary to process the report is passed on.

genua discloses personal data about the reporting person to public authorities if this is necessary to deal with serious violations or serious matters or to ensure the right of defense of the data subjects. In other cases, genua discloses personal data about the reporting person only with the consent of the reporting person. genua will only disclose personal data about persons other than the reporting person as part of the follow-up of a reported case or to deal with serious violations or serious matters.

genua uses the tool from Bundesdruckerei Gruppe GmbH, which in turn cooperates with the Swedish software manufacturer WhistleB, Whistleblowing Centre AB. As this involves order processing within the meaning of Art. 28 GDPR by Bundesdruckerei Gruppe GmbH, we have concluded an order processing agreement in accordance with the statutory provisions. For more information on WhistleB, Whistleblowing Centre AB, please visit: report.whistleb.com/content/documents/whistleb_terms_of_use.pdf

d) Storage period

Personal data that proves to be irrelevant to genua's processing of a reported case, as well as reports that genua deems to be unfounded or that do not fall within the scope of the whistleblower regu

relevant" and any existing personal reference (unless it is already an anonymous report) is removed. In order to ensure the legally required documentation obligation or legal deletion period from Section 11 para. 1, para. 5 HinSchG (the German Whistleblower Protection Act), this report is then initially archived (without personal reference), but not yet deleted. Archived cases are used exclusively to fulfill documentation obligations and can therefore no longer be called up by the system for processing.

Reports and personal data that genua collects in the course of processing a report that forms the basis for further processing will be anonymized as soon as possible. However, should the need arise for follow-up measures within the meaning of Section 3 (8), 18 HinSchG, it is possible that the anonymization must be deviated from, for example, due to an official order or to secure legal claims. In this case, pseudonymization is generally aimed for and implemented, unless otherwise specified (e.g., by a court order). Once the processing of the information is complete, either anonymization or pseudonymization is performed and the reports are archived and deleted two years after the case is closed, i.e., on the date genua made a decision in the case, unless special circumstances or legal as well as regulatory requirements require a shorter or longer period.