COMPLIANCE

A compliance management system has been introduced to ensure compliance with laws and guidelines within the company. The compliance management system (CMS) forms part of ESG’s “integrated management system” and is therefore integrated into ESG guidelines.

A CMS refers to the organisational structure as well as all measures and methods established within the company in connection with compliance. The aim of the CMS is to recognise, assess and manage compliance risks and prevent violations of the law, and therefore sanctions imposed by the authorities or customers as well as the related damage this causes to both the company’s financial position and reputation, so as to ensure the company’s success in the long term. Group companies are integrated into this compliance system taking into account the company-specific and legal requirements of the respective country.

ESG’s compliance activities focus on preventive measures such as training, information and communication regarding all compliance-related topics within the company. The CMS also provides an opportunity to address questions or information on violations of the law in a suitable manner.

Regular risk assessments are carried out to determine all compliance risks relevant to ESG. Organisational instructions (compliance rules) have been prepared for all material compliance risks included in the CMS and guidelines specified in the “Code of Conduct”. The organisational instructions constitute an important component of the CMS as they transform legal requirements into company rules for employees.

The compliance rules form an integral part of the regulations and are binding for all employees. Depending on their severity but regardless of their legal consequences, violations will incur disciplinary measures up to the termination of employment. The internal audit department primarily investigates and controls compliance matters. ESG employees can find out about the CMS in the company-wide WIKI (company information). They must also attend compulsory events in accordance with the existing training concept, which is based on the Code of Conduct. Business partners have to undergo regular integrity checks. In a structured process, questionnaires and references, database checks and comparisons with embargo lists are used to collect all information available to create a comprehensive profile of the business partner.

The whistleblower system is operated by EQS (EQS Group AG, Hardturmstrasse 11, 8005 Zurich, Switzerland – hereinafter referred to as "EQS") on behalf of ESG ELEKTRONIKSYSTEM- UND LOGISTIK-GMBH, Munich ("ESG"). As the operator, EQS does not have access to the information recorded.

The use of the whistleblower system is voluntary.

Whistleblowers can record the following information using Integrity Line:

• Name (voluntary)
• Information about the incident and the companies, organizations or persons affected

The whistleblower system is not intended to replace standard methods of communication. Instead, it is to be used solely for reporting serious suspicion of legal violations or for those cases in which strict confidentiality of information must be ensured. Reports can therefore also be submitted anonymously.

Please note that for legal reasons, reports cannot be processed unless sufficiently specific indications are provided. Note that deliberate misreporting and slander can have legal consequences. This does not apply to reports that have been submitted in good faith and that are subsequently determined to be false.

The whistleblower system is protected by a variety of technical security features. All confidential information is encrypted to ensure that all reports are protected. The system can be accessed exclusively via secured connections; data transmission is protected by a SSL certificate. Within the system, access is controlled via an authorization concept. No IP addresses are stored in order to ensure the anonymity of the whistleblower.

Questions and information entered in the whistleblower system are viewed, evaluated and provisionally processed (preliminary review) by the compliance officer of ESG and/or his or her representative. In case of notifications regarding data protection the data protection officer is automatically involved. The compliance officer or his or her representative reports directly to the management board, and in exceptional cases, to the advisory board to ensure the highest possible level of confidentiality at all times.

However, depending on the assessment or evaluation of the report, further persons, for example from the audit and legal departments, as well as external persons, may be involved or requested to investigate the report. In such cases, these persons are also granted access to the incident. Depending on the content of the incident, processing can also be passed on to the local organization, as long as it is not affected by the contents of the report.

Note that, at a certain point, ESG may be required to pass on the information to government agencies responsible for the prosecution of criminal offenses.

Under the law, ESG is obligated to notify the accused party that allegations have been made against that person, as long as the notification no longer jeopardizes the further investigation of the allegations. To ensure that the person accused in the report can exercise his or her own rights, the person will be informed of the allegations as soon as the investigation permits, while preserving the anonymity of the reporting person. He or she then has the right to comment on the allegations.

Once the incident is closed, personal information will not be retained any longer than legally permitted.

To protect your anonymity in the whistleblower system, we deliberately refrain from linking. Please copy the link and paste it manually into the address bar of your browser.

https://esg.integrityplatform.org/

In order that the opening of the whistleblowing hotline via this website cannot be traced, please copy the URL into the address line of your browser.