BAUHAUS TRUST LINE
The online portal for improved compliance

Rules of Procedure for the BAUHAUS Group Whistleblower System

A.) What is the process for submitting a report? How do I set up a mailbox?

To submit an anonymous or personalised report, first click on the 'Submit Report' button at the top of our home page.

The reporting process consists of 4 steps:

1. First, you will be asked to read some information about protecting your anonymity and answer a security question (captcha).
2. On the next page, you will be asked to select the category of your report.
3. On the report page, you can explain your report in your own words. You will also be asked to answer questions about the case by simply selecting answers. You can enter up to 5000 characters in the free text box, which is the equivalent of a full A4 page. You can also submit a file of up to 5 MB to support your report. Please note that documents may contain information about the author. After submitting your report, you will receive a reference number to confirm that you have submitted your report.
4. Please then set up your own secure mailbox. This is where you will receive feedback from us, including answers to questions and information about the progress of your report. You will also be able to upload additional attachments.

If you already have a secure mailbox, you can access it directly from the 'Login' button. Again, you will be asked to answer a security question.

As long as you do not enter any data that can be used to identify you, the technology of the BKMS^® system protects your anonymity.

B.) Who is responsible for processing the reports?

An internal reporting centre, which operates for the entire BAUHAUS Group and is contractually independent in the performance of its duties, is responsible for processing incoming reports. The internal reporting centre consists of the officers and other employees of the Legal & Compliance, HR Compliance and Tax Compliance departments, who process incoming reports on a topic-specific basis.

C.) How long does it take po process the report?

Immediately after sending the report, the whistleblower will receive a reference number as confirmation that the report has been received. The whistleblower will be informed of the outcome of the investigation within a maximum of 3 months. If the complaint is rejected as inadmissible or unfounded, the whistleblower will receive a statement of reasons.

D.) How can I get feedback and still remain anonymous?

The overriding principle of the reporting system used is the protection of the whistleblower. The functionality of the anonymity protection is certified by an independent body.

When setting up your protected mailbox, you choose your own pseudonym or username and password. These access details are not visible to third parties. If you lose your login details, please submit a new report and set up a new mailbox. If possible, please include the reference number of your old message. As this is a new mailbox, the contents of your old message will not be available here.

Your message will be kept anonymous through encryption and other special security routines. If you submit your report anonymously, you do not need to provide any personal information. Do not enter any information that could be used to identify you. Please do not use a technical device such as a PC or smartphone provided by your employer to submit your report.

An agent will use the secure mailbox to give you feedback on what is happening with your report, or ask questions if details are still unclear - you will remain anonymous during this dialogue. We are interested in reports to prevent harm, not in you as a whistleblower.

E.) Privacy information

I. Controller and contact details of the Data Protection Officer

The company chosen by the whistleblower (see also www.bauhaus.eu/companies) will be the addressee of the notification and the data controller. You can contact the Data Protection Officer at datenschutzbeauftragter@bauhaus.info .

II. Data Subjects

• Whistleblower
• Persons involved in the case

III. What is processed?

• Session ID only during the session to display the whistleblowing system
• Anonymous reports are possible (please provide pseudonym; mailbox with ID)
• Voluntary information on the whistleblower
• Information about the case reported by the whistleblower (subjects/topics affected in the opinion of the whistleblower); if applicable, names of persons involved; country in which the alleged violation took place; description of the facts)

IV. Purpose of processing

• Fulfilling legal obligations: Offering the whistleblower system
• Improving compliance
• Protect employees
• Possibility to maintain a mailbox for confidential communications (also possible with a self-chosen pseudonym)

V. Provision of information to defendants

• In accordance with Art. 14 GDPR, accused persons will be informed after the conclusion of the procedure/process.

VI. Legal basis

• Art. 6 para. 1 sentence 1 lit. c GDPR in conjunction with Directive (EU) 2019/1937 and corresponding (future) national implementations
• Art. 6 para. 1 sentence 1 lit. c GDPR in conjunction with the German Whistleblower Protection Act (internal reporting office), the German Supply Chain Due Diligence Act and the German Money Laundering Act (complaints office)
• Art. 6 para. 1 sentence 1 lit. f GDPR and in the case of a German BAUHAUS company in conjunction with §§ 30, 130 OWiG: legitimate interest in the detection and prevention of misconduct and the associated material and immaterial damage and liability risks for the data controller.
• Art. 9 para. 2 lit. f GDPR: if the processing of special categories of personal data is necessary
• Germany: Section 26 para. 1 sentence 2 BDSG: Processing to prevent criminal offences or other legal infringements in connection with the employment relationship
• Art. 6 para. 1 sentence 1 lit. f GDPR: Exercise and defence of our interests, rights and claims

If, as a whistleblower, you are located outside the EU or the European Economic Area at the time you submit a whistleblowing report, data will inevitably be transferred as part of the submission of your whistleblowing report. In this case, such data transfers will take place on the basis of Art. 49 para. 1 lit. d GDPR.

VII. Recipient

• EQS Group GmbH, Karlstraße 47, 80333 Munich (technical processor; content is encrypted)

VIII. Third party sources

• Information provided by a whistleblower about another person or persons

IX. Storage period

• Until clarification and final assessment of a matter including storage (in Germany: 6 years, § 50 BRAO)

X. Data subjects' rights

As a data subject, you are entitled to the following data protection rights, provided that the applicable requirements are met: right of access (Art. 15 GDPR), right to rectification (Art. 16 GDPR), right to erasure (Art. 17 GDPR), right to restriction of processing (Art. 18 GDPR), right to data portability (Art. 20 GDPR), right to lodge a complaint with a supervisory authority (Art. 77 GDPR), right to object (Art. 21 GDPR), provided that we process data on the basis of Art. 6 para. 1 sentence 1 lit. f GDPR.

Why should I submit a report?

Legally compliant and ethically correct behavior are the basis of our success at BAUHAUS. This is the only way to justify the trust placed in BAUHAUS by customers, business partners and employees. By addressing suspicuous, conspicuous or obviously illegal actions we can all contribute to making BAUHAUS an even better company.

What kind of report is useful?

The business activities of BAUHAUS are subject to the applicable legal provisions and the BAUHAUS Code of Conduct, which contains internal guidelines for ethical behavior and the responsible treatment of the environment and fellow human beings.

Both violations of applicable legal provisions and violations of the BAUHAUS Code of Conduct can be reported. Please keep in mind that the information you provide may incriminate others and may be used in criminal or civil proceedings. We trust that the whistleblower system will be used in good faith and with the best conscience.

What is the process for submitting a report? How do I set up a postbox?

To submit an anonymous or personalised report, start by clicking the “Submit report” button at the top of our introduction page.

The reporting process consists of 4 steps:

1. First, you will be asked to read some information on the protection of your anonymity and answer a security query (captcha).
2. On the following page, you will be asked about the category of your report.
3. On the report page, you can elaborate on your report in your own words. You will also be asked to answer questions about the case by simply selecting responses. You can type up to 5000 characters into the free text field, which corresponds to a full A4 page. You may also submit a file of up to 5 MB to support your report. Please bear in mind that documents can contain information about the author. Following the submission of your report, you will receive a reference number to confirm that you have sent this report.
4. Please subsequently set up your own secured postbox. You will receive feedback from us via this postbox, including answers to questions and information about the progress of your report. You can also upload more attachments there.

If you already have a secured postbox, you can access it directly via the ‘Login’ button. Here, too, you will have to answer a security query first.

As long as you do not enter any data from which conclusions about your identity can be drawn, the technology of BKMS^® System will protect your anonymity.

Please rest assured that we are only interested in the case you are reporting. Malpractices must be revealed and financial losses prevented.

How do I receive feedback and remain anonymous at the same time?

The whistleblowing system places the utmost importance on protecting the whistleblower. The system’s anonymity protection function is certified by an independent body.

When you set up your secured postbox, you choose your pseudonym/ user name and password yourself. This access data is not visible to anyone except you. If you lose your login information, please submit a new report and set up a new postbox. If possible, please provide the reference number of your previous report. The new postbox will not contain any content associated with your previous report.

Your report is kept anonymous through encryption and other specialised security measures. You will never be asked for personal information if you submit a report anonymously. Do not submit any information that can be traced back to you. Please do not use any device, such as a PC or smartphone, that has been provided by your employer to submit your report.

Via the secured postbox, an examiner will give you feedback about the further processing of your report or ask you questions if some details are still unclear – you remain anonymous throughout the dialogue. We are interested in reports to avoid damage, not in you as a whistleblower.

Who is responsible for handling of the data?

The controller for the data processing is the BAUHAUS company in the country selected by the whistleblower when submitting a report (Information on data protection).