Scheidt & Bachmann GmbH

PART 1: INFORMATION ON DATA PROTECTION FOR THE USE OF PERSONAL DATA IN CONNECTION WITH (PROSPECTIVE) BUSINESS AND CONTRACTUAL RELATIONSHIPS OR OTHER COMMUNICATION RELATIONSHIPS

1. Scope
2. Data controller
3. Contact details of the data protection officer
4. Scope of the processing
5. Purpose and legal basis of the processing
6. Storage period
7. E-mail
8. General information on data transmission
9. Special information for the use of Microsoft Teams
   1. What data is processed?
   2. Purposes and legal bases of data processing
   3. Recipients of the collected contact data
   4. Data transfer to a third country
   5. Storage period
10. Your data subject rights
11. Your right to object according to Art. 21 GDPR
12. Final remarks

PART 2: SUPPLEMENTARY PRIVACY STATEMENT FOR VISITORS TO THE COMPANY PREMISES AND FOR VIDEO SURVEILLANCE OF THE COMPANY PREMISES

1. Visitor management
2. Video surveillance
3. License plate recognition

PART 3: SUPPLEMENTARY DATA PROTECTION DECLARATION FOR PHOTOGRAPHY AND FILMING AT EVENTS

1. Scope of the processing
2. Purpose and legal basis of the processing
3. Storage period
4. Supplementary information on data transmission

PART 4: SUPPLEMENTARY PRIVACY POLICY FOR INTERNAL REPORTING UNIT

1. Scope of the processing
2. Location of the data processing
3. Confidentiality and disclosure of data
4. No data transfer to third countries
5. Storage of the data
6. Obligation to provide data

PART 1: INFORMATION ON DATA PROTECTION FOR THE USE OF PER-SONAL DATA IN CONNECTION WITH (PROSPECTIVE) BUSINESS AND CONTRACTUAL RELATIONSHIPS OR OTHER COMMUNICATION RELA-TIONSHIPS 

pursuant to Art. 13, 14 and 21 of the General Data Protection Regulation (GDPR)

We, the Scheidt & Bachmann GmbH (hereinafter "we", "us" or "Scheidt & Bachmann"), take the protection of your personal data very seriously and would like to inform you here about data protection at Scheidt & Bachmann.

Our data protection information is regularly updated in accordance with legal and technical requirements. Please note the current version of our data protection information.

This data protection information applies to the collection, processing and use of your personal data when we have contact with you as a contact person of interested companies, customers, suppliers, service providers, clients, contractors and cooperation partners (hereinafter "business partners").

Data controller in the sense of Art. 4 No. 7 GDPR is:

Scheidt & Bachmann GmbH, Breite Straße 132, 41238 Mönchengladbach, Germany
Phone: 02166/266-0; e-mail: impressum@scheidt-bachmann.de

You can reach our data protection officer at the following contact details:

Scheidt & Bachmann GmbH
Data Protection Officer
Breite Straße 132, 41238 Mönchengladbach, Germany
Phone: +49 2166 266-839, e-mail: datenschutzbeauftragter@scheidt-bachmann.de

General data from the business relationship

We collect, process and use the following personal data in particular within the scope of the (developing) business relationship:

• Master data, in particular name and, if requested, function in the company;
• Contact details, in particular current business address, telephone numbers and email addresses and, if requested, post office box;
• If applicable, other data of your employer related to the fulfilment of the respective business relationship, such as dealer number, address data, contract data and/or payment and booking data

We collect, process and use personal data that is

• you have voluntarily surrendered to us,
• you or your employer have provided to us as part of the business relationship,
• arise from correspondence (postal and electronic) between you and your employer and us,
• arising from other postal, electronic or telephone communication.

Data from other sources

Furthermore, we also process - insofar as it is necessary for the fulfilment of the contract or pre-contractual measures with your employer or you or your employer have consented - such personal data that we have permissibly received from Scheidt & Bachmann group companies and other third parties.

We only process personal data from publicly accessible sources (e.g. authorities, internet) if this is legally permissible, for example because it is necessary for the provision of our services or you or your client/employer have consented.

We process your personal data insofar as this is necessary to protect the legitimate interests of Scheidt & Bachmann (Art. 6 para. 1 lit. f GDPR), in particular:

• to enter into or perform orders, contracts and other business relationships (including to process purchase orders, deliveries or payments) or to prepare or respond to requests for proposals and to determine the terms of the contractual relationship, with our business partners for whom you may be acting as an agent or employee;
• subsequent direct advertising (by e-mail or post pursuant to § 7 para. 3 Act against Unfair Competion (UWG), with offers of similar products, services or events in connection with the existing business relationship, unless you object or have objected to this use;
• for internal administrative purposes (e.g. for accounting);
• to conduct anti-terrorism and sanctions list screenings, if applicable;
• to conduct court and official proceedings and/or for the purpose of asserting/exercising as well as defending against legal claim(s) at home and abroad;
• in order to send you our customer information to the extent relevant to your business activities, such as newsletters with information on products and references to current topics and events of the Scheidt & Bachmann Group;
• to make documents, such as contract documents or product information, available to you for download as an authorised person in our data room;
• for other communication purposes;
• to ensure the IT security and IT operations of our company;
• Advertising, market and opinion research, insofar as you have not objected to the use of your personal data;
• Review and optimisation of needs assessment procedures;
• Statistical evaluations or market analysis;
• Benchmarking;
• Further development of services and products as well as existing systems and processes;
• Obtaining information such as data exchange with credit agencies;
• on the use of service providers (e.g. external IT service providers) that support our business processes;
• to plan and host events to which you are invited, including coverage of these events on our website or intranet, which may include the publication of images and video footage on the internet or intranet in which you are pictured.

Furthermore, the processing of your personal data might be necessary in the context of the performance of a contract or a pre-contractual measure (Art. 6 para. 1 lit. b GDPR) with you as an individual (natural person).

Furthermore, the processing of your personal data may be required to comply with legal requirements (Art. 6 para. 1 lit. c GDPR), e. g. according to the provisions of the Money Laundering Act (GwG), or in the public interest (Art. 6 para. 1 lit. e GDPR). Likewise, you may also have given us your consent in accordance with Art. 6 para. 1 lit. a GDPR.

We process your personal data only for as long as is necessary to fulfil the respective processing purpose and to comply with regulatory requirements, usually for the duration of the respective business relationship, or for the duration of any statutory retention period.

In addition, we are subject to various storage and documentation obligations, which result from the German Commercial Code (HGB) or the German Fiscal Code (AO), among other things. These can be up to 10 years.

Finally, the storage period is also assessed according to the statutory limitation periods, which can be up to thirty years, for example, according to §§ 195 et seq. German Civil Code (BGB), with the regular limitation period being three years.

Should you wish to contact us by e-mail, we would like to point out that the content of unencrypted e-mails can be viewed by third parties. We therefore recommend sending confidential information by post. Please note that personal data transmitted by e-mail will be stored and processed for the purpose of following up your enquiry.

We only transfer your personal data to third parties if

• you have given us consent to transfer the information to third parties,
• this is necessary in accordance with Art. 6 para. 1 p. 1 lit. b GDPR for the processing of contractual relationships with you,
• we are obliged to disclose, report and pass on data due to legal requirements,
• external service providers process the data on our behalf as order processors in accordance with Art. 28 GDPR or function transferees (e. g. external data centres, IT service providers, archiving, data destruction, legal advice, auditing, credit institutions, logistics companies, courier services).

In addition, we pass on your personal data to Scheidt & Bachmann group companies, which also process personal data partly under their own responsibility (so-called data controller, cf. Art. 4 No. 7 GDPR), to the extent necessary.

Within Scheidt & Bachmann, only those organisational units receive your data that require it to fulfil our contractual and legal obligations or in the context of processing and implementing our legitimate interest.

Beyond that, we do not pass on your personal data to third parties.

We do not intend to transfer your personal data to countries outside the European Union (EU) or the European Economic Area (EEA), but this may be done by external service providers if necessary. If external service providers come into contact with your personal data, we take legal, technical and organisational measures to ensure that they comply with the provisions of data protection laws and - if they act as processors - only process your data on our behalf and in accordance with our instructions.

If you access the Microsoft Teams website, the Microsoft Teams provider is responsible for data processing. However, accessing the website is only necessary for using Microsoft Teams in order to download the software for using Microsoft Teams. If you do not want to or cannot use the Microsoft Teams app, you can also use Microsoft Teams via your browser. The service will then also be provided via the Microsoft Teams website.

For more information on data protection at Microsoft, click here:

https://privacy.microsoft.com/de-de/privacystatement

https://www.microsoft.com/de-de/trust-center

1. What data is processed?

When using Microsoft Teams, various types of data are processed. The scope of the data also depends on the data provided before or during participation in a Teams meeting.

The following personal data are subject to processing:

• User details: e.g. display name, e-mail address if applicable, profile picture (optional), preferred language.
• Meeting metadata: e.g. date, time, meeting ID, phone numbers, location
• Text, audio and video data: It is possible to use the chat function in a Teams meeting. In this respect, the text entries made by the respective user are processed in order to display them in the Teams meeting. In order to enable the display of video and the playback of audio, the data from the microphone of your terminal device as well as from any video camera of the terminal device are processed accordingly for the duration of the meeting. The user can turn off or mute the camera or microphone at any time via the Microsoft Teams applications.

2. Purposes and legal bases of data processing

We use Microsoft Teams to conduct online meetings. If online meetings are to be recorded, this will be transparently communicated in advance and consent requested where necessary. The chat content is logged when using Microsoft Teams. Automated decision-making within the meaning of Art. 22 GDPR does not take place.

Insofar as personal data of our employees (or applicants) is processed, § 26 para. 1 Federal Data Protection Act (BDSG) is the legal basis for the data processing. If, in connection with the use of Microsoft Teams, personal data is not required for the establishment, implementation or termination of the employment relationship, but is nevertheless an elementary component in the use of Microsoft Teams, Art. 6 para. 1 lit. f GDPR is the legal basis for data processing. In these cases, our interest lies in the effective implementation of online meetings.

The legal basis for data processing when conducting online meetings is Art. 6 para. 1 lit. f GDPR. Here, too, our interest is in the effective implementation of online meetings.

3. Recipients of the collected contact data

Personal data processed in connection with participation in online meetings will not be disclosed to third parties unless it is intended for disclosure. Please note that the content of online meetings, as well as face-to-face meetings, may be used to communicate information to third parties and are therefore intended for disclosure.

Other recipients: The Microsoft Teams provider necessarily receives knowledge of the above-mentioned data insofar as this is provided for in the context of the order processing agreement with Microsoft.

4. Data transfer to a third country

Data processing in a third country outside the European Union (EU) does not take place in principle, as we have restricted the storage location to data centres in the European Union. However, we cannot exclude the possibility that data is routed via internet servers located outside the EU. This may be the case in particular if participants in online meetings are located in a third country. However, the data is encrypted during transport via the internet and thus protected against unauthorised access by third parties.

5. Storage period

Personal data is generally deleted if there is no need for further storage. A requirement may exist if the data is still needed, for example, to fulfil contractual services. In the case of statutory retention obligations, deletion is only considered after the expiry of the respective retention obligation.

Every data subject has the right to information under Art. 15 GDPR, the right to rectification under Art. 16 GDPR, the right to erasure under Art. 17 GDPR, the right to restriction of processing under Art. 18 GDPR and the right to data portability under Art. 20 GDPR. In order to exercise the aforementioned rights, you can contact the offices mentioned under clauses II and III.

If you have given us your consent to data processing, you can revoke this consent at any time without formalities. If possible, the revocation should be addressed to the offices mentioned under clauses II and III.

Furthermore, there is a right of appeal to a data protection supervisory authority (Art. 77 GDPR). The competent supervisory authority for Scheidt & Bachmann is:

North Rhine-Westphalia State Commissioner for Data Protection and Freedom of Information (LDI NRW)

However, we recommend that you first contact our data protection officer with a complaint.

You have the right to file an objection at any time, on grounds relating to your particular situation, against the processing of personal data relating to you which is carried out on the basis of Art. 6 para. 1 lit. f GDPR (processing of data on the basis of a weighing-up of interests) or Art. 6 para 1 lit. e GDPR; this also applies to any profiling based on this provision within the meaning of Art. 4 para. 4 GDPR.

If you file an objection, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.

In individual cases, we process your personal data for the purpose of direct advertising. You have the right to object at any time to the processing of personal data concerning you for the purpose of such advertising; this also applies to profiling insofar as it is associated with such direct advertising.

If you file an objection to processing for direct marketing purposes, we will no longer process your personal data for these purposes.

The objection can be made form-free and should, if possible, be addressed to the offices mentioned in the data protection statement under clauses and III.

Security: We use technical and organisational security measures in order to adequately protect your personal data processed by us against accidental or intentional manipulation, loss, destruction or against access by unauthorised persons.

Validity and actuality of the privacy policy: This privacy policy is dated January 2023 and is valid as long as no updated version replaces it.
Due to the implementation of new technologies, it may become necessary to change this privacy policy. We reserve the right to change the privacy policy at any time with effect for the future. We recommend that you re-read the current data protection declaration from time to time.
 

PART 2: SUPPLEMENTARY PRIVACY STATEMENT FOR VISITORS TO THE COMPANY PREMISES AND FOR VIDEO SURVEILLANCE OF THE COMPA-NY PREMISES

Scope and purpose of processing: When you visit our premises, e. g. as a supplier, service provider or customer, the following personal data may be collected:

• Identification data such as surname, first name, company, vehicle registration number, special authorisations (for truck drivers) or QR codes for the use of reserved visitor parking spaces in order to be able to identify you as an authorised visitor, for documentation, e.g. of meetings, events and agreements, for complaint management and dispute resolution, assertion or defence of legal claims or for the performance of internal and external audits and external inspections by licensing and supervisory authorities.
• Addresses and contact details such as postal address, e-mail address, telephone number and, if applicable, organisational data such as company, department, function, in order to be able to contact you if, for example, questions need to be clarified, information needs to be exchanged, appointments need to be made or access to the internet needs to be set up for you.
• Time recording, e. g. on company premises or for the provision of services, in order to be able to invoice services.
• IP address and voucher code if you, as a visitor, have been granted temporary access to the Internet via LAN (local aera network) or WLAN (wireless local aera network) via a captive portal, for authorisation and identity management for e-services, including technical support and troubleshooting.
• Name and address, as export control law requires that visitors to the S&B Group companies located at the Mönchengladbach site (natural persons and legal entities) be subjected to a sanctions list screening at the latest before entering the company premises. The basis for this is the legal obligation on the part of the data controller and its subsidiaries to ensure compliance with the requirements of foreign trade laws and regulations, including Art. 2 para. 1 lit. B of Regulation (EC) No. 2580/2001, Art. 2 para. 2 of Regulation (EC) No. 881/2002 and Art. 3 para. 2 of Regulation (EU) No. 753/2011. Within the scope of this screening, the person and/or the company (firm) are checked against the current sanctions lists of the Federal Republic of Germany, the European Union and the USA. In the event of a verified hit, the person and/or the company is to be prohibited from entering the company premises. The results of the check are stored in the system for 365 days. Furthermore, a sanctions list check is carried out before each new visit.

We collect, process and use personal data that is

• you have voluntarily surrendered to us,
• you or your employer/client have provided to us as part of the business relationship,
• arise from correspondence (postal and electronic) between you and your employer/client and us,
• arising from other postal, electronic or telephone communication.

The legal basis for this processing of your personal data is Article 6 para. 1 lit. f GDPR. We have a legitimate interest in exercising our domiciliary rights, to ensure security at the site, to comply with legal requirements and to contact you quickly and easily. In addition, the processing of your personal data could be necessary in the context of the fulfilment of a contract or a pre-contractual measure (Art. 6 para. 1 lit. b GDPR), for the fulfilment of legal requirements (Art. 6 para. 1 lit. c GDPR) or in the public interest (Art. 6 para. 1 lit. e GDPR). Likewise, you may also have given us your consent in accordance with Article 6 (1) a GDPR.

Storage period: We only process your personal data for as long as is necessary to fulfil the respective processing purpose and to meet regulatory requirements, usually for the duration of the respective business relationship, or for the duration of any statutory retention period.

In addition, we are subject to various storage and documentation obligations, which result from the German Commercial Code (HGB) or the German Fiscal Code (AO), among other things. These can be up to 10 years.

Finally, the storage period is also assessed according to the statutory limitation periods, which can be up to thirty years, for example, according to §§ 195 et seq. German Civil Code (BGB), with the regular limitation period being three years.

Scope and purpose of the processing: A video surveillance system is operated to monitor the company premises. The purpose of the video surveillance of the employee / company car parks, the entrances and exits to the company premises, the forecourt of the shipping department, the entrances for persons, the plant roads as well as the construction sites located on the company premises is to safeguard the domiciliary right, to protect the company premises and its facilities, the people and the things located thereon, but also to document the changes on the company premises for the company history. This right is basically covered by the domiciliary right. Furthermore, the purpose of video surveillance is to increase the sense of security of the people who are in these places, to deter people who are willing to commit vandalism, to prevent crime and to preserve evidence for the effective prosecution and enforcement of criminal and civil claims of the data controller, the employees and third parties.

The legal basis for video surveillance is our legitimate interest or that of a third party within the meaning of Art. 6 para. 1 lit. f GDPR as well as §§ 4, 26 para. 4 Federal Data Protection Act (BDSG). Exercise of domiciliary rights; protection of property, people, things and facilities located on the company premises; protection against criminal offences; assertion of claims for damages under civil law by the data controller and its employees; documentation of changes on the company premises for company history; on the basis of a collective agreement in the case of processing personal data of employees.

However, it can be assumed that the interest of the controller or a third party in video surveillance does not unduly interfere with the rights and freedoms of natural persons, especially since they are made aware of the video surveillance. Video surveillance is necessary and suitable to fulfil the intended purpose and is also the mildest means in this respect. Video surveillance is certainly suitable for deterring possible troublemakers/offenders. The video surveillance is easily recognisable for everyone; in addition, signs point to the video surveillance. Video surveillance provides usable images that support the implementation of house rights or criminal prosecution. No equally suitable, milder means can be identified. If this function were to be carried out by security guards, this would require staff around the clock. Even the use of dummy cameras is only likely to provide a comparable deterrent in the short term, as it cannot be ruled out that this will become known. The observation boundary ends at the boundary of the property.

Storage period: The data is deleted 5 working days after it has been created if it has not been used.

Scope and purpose of the processing: The entrances and exits to the company premises are equipped with barriers and TCP/IP-connected cameras for license number plate recognition. The image capture is triggered by driving over an induction loop embedded in the roadway, whereby the vehicle registration number is captured in an image file and read out together with the entry and exit time.

License plate recognition could constitute video surveillance within the meaning of § 4 Federal Data Protection Act (BDSG) due to the permanent observation of a detection area and the recurring short-term image capture.

The legal basis for video surveillance is our legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR as well as §§ 4, 26 para. 4 Federal Data Protection Act (BDSG) for the following purpose: exercising domiciliary rights; protection of property, people, things and facilities located on the company premises; protection against criminal offences; assertion of claims for damages under civil law by the data controller and its employees; on the basis of a collective agreement in the case of processing personal data of employees.

Video surveillance is a suitable means of safeguarding the data controllers's domiciliary rights by giving the data controller the possibility to decide who may enter the company premises and/or use the parking space located thereon. In addition, license plate recognition can be used for preventive purposes, such as deterring violations of the law within the traffic area, or for repressive purposes, such as preserving evidence for the enforcement of civil claims by the data controller. A milder means of achieving the objective is not recognisable.

The data will be deleted 5 working days after collection if it has not been used.

PART 3: SUPPLEMENTARY DATA PROTECTION DECLARATION FOR PHO-TOGRAPHY AND FILMING AT EVENTS

In the context of events, we may take photographs and/or film recordings and collect and process the following in this context:

• Photo and film data and sound recordings of you
• If applicable, your name and, if requested, function in the company
• Contact details, if applicable.

If you do not wish to be photographed/filmed, please mention this directly to the photographer/cameraman so that your wish can be considered.

The legal basis for the data processing is Art. 6 para. 1 lit. f DSGVO. The photos/films will be taken for the purpose of documenting the event and will be used/saved/copied/distributed/exhibited/published on the internet via the company homepage of the data controller and/or on the intranet, in social media channels as well as in print media, in particular in the newsletter, for the purpose of documenting the event, for public relations and the presentation of the activities of the data controller in order to increase the level of awareness of the data controller as well as, if applicable, also for the long-term documentation of the company history of the data controller.

It can be assumed that the interest of the responsible person in the production and use of the photos/films does not unduly interfere with the rights and freedoms of the natural persons, especially since they are informed about the production and use of the photos/films in advance and/or at the event, and care is taken both in the production of photos/films and in the publication of the same that no legitimate interests of persons depicted are violated. If the rights and freedoms of a person depicted are violated for reasons particularly worthy of consideration, we will take appropriate measures to refrain from further processing. A deletion in print media that have already been issued cannot take place. Deletion on the website, in social media channels or on the intranet will be carried out within the scope of technical possibilities.

Data not used following the event will be deleted immediately. Otherwise, the data will be stored and deleted at the end of the 4th calendar year after production if it has not been used.

Departments of the data controller that necessarily need to receive the data in the course of carrying out the activity (e. g. marketing, IT, other administrative units), Scheidt & Bachmann group companies, contractors and processors involved in the processing (preparation as well as publication).

If applicable, tax advisors, authorities (tax office, other authorities) as well as legal representatives (in the enforcement of rights or defence against claims or in the context of official proceedings).

The data is made available on the internet to the worldwide public, on the intranet worldwide to the employees of the Scheidt & Bachmann group companies, and published in social media channels. The data will be published in print media: Employee newsletters distributed to employees of Scheidt & Bachmann group companies in a limited edition of 4,000 copies. Trade press/newsletters are distributed to the worldwide public.

The data will not be passed on to recipients who pursue their own purposes with this data. In the case of social media channels, however, it may be that the respective social media service receives the right to exploit the published data.

No other transfer to recipients in a third country (outside the EU) or to an international organisation is envisaged.

Through the use on the website, there is the possibility of worldwide access to the images/films or the retrieval of the posted data and images also from countries in which no or no sufficient data protection standard exists. The data controller can therefore neither influence the access to these data via the internet nor the use of these data and in this respect also cannot assume any guarantee for the observance of data protection.

Using suitable search engines, personal data can be found on the internet and the persons depicted in images can also be identified under certain circumstances. This also makes it possible to create personality profiles by combining this data and information with other data available on the internet and to open up additional possibilities of use, e. g. for advertising purposes. Due to the possibilities of worldwide retrieval and storage of data by other bodies or persons, further use by other bodies or persons or retrieval via archive functions of search engines cannot be ruled out in the event of revocation of consent and despite removal of your data and images from our website. Unidentification in print media that have already been issued cannot take place.

PART 4: SUPPLEMENTARY PRIVACY POLICY FOR INTERNAL REPORTING UNIT

In the context of events, we may take photographs and/or film recordings and collect and process the following in this context:

• Photo and film data and sound recordings of you
• If applicable, your name and, if requested, function in the company
• Contact details, if applicable.

If you do not wish to be photographed/filmed, please mention this directly to the photographer/cameraman so that your wish can be considered.

General information

You can send your report to the internal reporting unit

• by telephone
  from Germany on +49 800 3800 999 and
  from other countries on +49 69 99998839,
• by e-mail to whistleblower@scheidt-bachmann.de,
• by post to Scheidt & Bachmann GmbH, Corporate Compliance, Whistleblower Protection Reporting Unit, Breite Straße 1321, 41238 Mönchengladbach, Germany,
• by internal mail to Corporate Compliance, Reporting Unit Whistleblower Protection, or
• by using the web-based whistleblower system "Legal Tegrity".

Whistleblowing system “Legal Tegrity"

You can access the "Legal Tegrity" whistleblower system via a hyperlink on the website www.scheidt-bachmann.de and submit your report there. When you submit your report, you can set up a non-personalised mailbox so that you can communicate with us during the processing of your report. Setting up the mailbox is voluntary and not required for submitting a notification. Access to this mailbox is password-protected in the form of a PIN number, which will be sent to you after you have submitted your report.

The "Legal Tegrity" whistleblowing system does not collect any data that could lead to identification in any way.

Scheidt & Bachmann handles all incoming reports responsibly and carefully. This applies in particu-lar to the personal data that you submit about yourself, but also to the personal data of the person affected by your report. All reports or complaints are processed by selected and specially trained employees of the Corporate Compliance department and, if necessary, by employees of the Scheidt & Bachmann company concerned.

All persons involved in the process are subject to confidentiality, are impartial and independent in the fulfilment of their duties and are not bound by instructions.

Legal Tegrity GmbH, which operates the whistleblowing system, is appointed with the processing of any personal data as a processor.

Scheidt & Bachmann relies on law firms or auditing companies to process your report, to take the necessary clarification measures and to assert, exercise and defend legal claims. In exceptional cas-es, personal data of the whistleblower and the person concerned must be transmitted to authori-ties, courts or third parties if the disclosure of information is mandatory for Scheidt & Bachmann. In addition, under certain circumstances, Scheidt & Bachmann must also disclose the reported infor-mation to the person affected by the report.

If the whistleblower has disclosed his/her identity and/or contact details, the internal reporting unit will inform the whistleblower if the reported information must be disclosed and the reasons for this. Notification will only be omitted if this would jeopardise the official investigation.

The data transmitted to the internal reporting unit will be processed by us and the processor ex-clusively in the Federal Republic of Germany. Data will not be transferred to countries outside the European Union (EU) or the European Economic Area (EEA) unless your report concerns a Scheidt & Bachmann company in a third country.

Scheidt & Bachmann companies are located in the following third countries: United Kingdom of Great Britain and Northern Ireland, Russia, Switzerland, Tunisia, Israel, Ukraine, USA and Canada. If there is no adequacy decision by the EU Commission for the country in question in accordance with Art. 45 GDPR, we ensure that your rights and freedoms are adequately protected and guaran-teed in accordance with the requirements of the GDPR by means of appropriate contracts.

The data transmitted by you will be deleted at the latest 3 years after completion of the procedure. The storage period may be extended in order to fulfil the requirements of the HinSchG or other legal provisions, if and insofar as this is necessary and proportionate.

In addition, special statutory provisions may require a longer retention period, such as the preservation of evidence within the framework of statutory limitation periods. According to Sections 195 et seq. of the German Civil Code (BGB), the standard limitation period is three years, but limitation periods of up to 30 years may also be applicable.

If the data is no longer required for the fulfilment of contractual or legal obligations and rights, it is regularly deleted, unless its - temporary - further processing is necessary for the fulfilment of the above-mentioned purposes due to an overriding legitimate interest.

The use of Scheidt & Bachmann's internal reporting unit is voluntary on the part of the person providing the information. There is no obligation to provide data.