Whistleblowing Policy

Objective

Compliance, i.e. fulfilment of statutory provisions and internal corporate guidelines, is a top-priority matter for the Südzucker group and a cornerstone of good and responsible company management. Complying with rules and regulations is the only way to protect the company, its employees and its business partners from infringements and inappropriate behaviour.

Employees of the Südzucker group have the opportunity at any time to inform their superiors, the work council or the compliance officer of any compliance-related violations. In addition, the Südzucker group offers its employees and third parties, e.g. customers or business partners access to the ‘Südzucker Compliance Line’ in order to facilitate reporting of compliance-related violations: https://www.bkms-system.com/suedzucker.

This Directive defines the functionality and the use of the ‘Südzucker Compliance Line’.

The ‘Südzucker Compliance Line’ is an electronic communication platform with certified data protec- tion credentials. It exists to receive and to process notifications of compliance violations in a secure and confidential manner. Use of the ‘Südzucker Compliance Line’ is on a voluntary basis.

Scope and validity

This Directive applies to the functionality and the use of the ‘Südzucker Compliance Line’ in the Südzucker Group (hereinafter simply ‘Südzucker’), in all Group functions, divisions and subsidiaries through which the parent company Südzucker AG can exercise control. The listed companies of AGRANA Beteiligungs-AG and CropEnergies AG are exempt from the scope of this Directive together with their affiliates due to their own sets of rules in this respect.

The Directive for the Südzucker Whisleblowing System (‘Südzucker Compliance Line’) in its version dated 19.03.2018 enters into force on 16.04.2018.

Basic principles governing the use of the ‘Südzucker Compliance Line’

Principal contents of information provided through the ‘Südzucker Compliance Line’

The ‘Südzucker Compliance Line’ was set up to receive information about compliance-related matters. Information can be provided about the following main issues:

Anti-competitive behaviour
Bribery and corruption
Discrimination and harassment / mobbing
Insider trading
Infringements of data protection provisions
Violation of environmental protection and work safety specifications
Fraud / breach of trust / embezzlement / theft
Faulty accounting or financial reporting
Infringements of the Code of Conduct of Südzucker AG

Submitting information through the ‘Südzucker Compliance Line’

Protection of the source/whistleblower is the founding principle of the ‘Südzucker Compliance Line’. The ‘Südzucker Compliance Line’ makes it possible to submit information either as a named source or in anonymous form. Annex A-2 contains instructions on how to submit information, also available directly on the electronic ‘Südzucker Compliance Line’.

Information should be submitted by named individuals because many investigations can be car- ried out faster and more effectively if the name of the source is known. Südzucker assures strict confidentiality of the identity of the whistleblower at all times (see Point 3.3).

Anonymous tip-offs should be the exception rather than the rule. It is entirely up to the whistle- blower to decide whether to be named or to remain anonymous. If information is provided anon- ymously, at no time in the process will personal details be asked for. No data should be submit- ted that provide clues as to the identity of a source who wishes to remain anonymous. Techni- cally, anonymity can be secured by encryption and security routines that are certified by an inde- pendent body (see Point 5.2).

The ‘Südzucker Compliance Line’ must be used in a responsible manner. It must not be misused to be defamatory about others, or to make false accusations. Accordingly, information must only be sub- mitted where its provider, the source, is personally convinced to the best of his/her knowledge and conscience of its accuracy. Whistleblowers who submit information in good faith – confidentially and/or anonymously – shall not suffer any adverse consequences.

Recipients of information over the ‘Südzucker Compliance Line’

Regardless of whether information is submitted by a named or an anonymous source, that source can set up a protected mailbox in the whistleblowing system. When this mailbox is set up, the ‘Pseudo- nym/username’ and ‘Password’ are chosen by the source.

This protected mailbox is used exclusively for communication with the Compliance Officer of Südzucker AG, who will also provide feedback on how the note is further processed, or further ques- tions can be asked in cases where details are still not clear. In cases where the source has decided in favour of anonymous communication, this shall be assured in all further communication with the Compliance Officer of Südzucker AG.

The Compliance Officer at Südzucker AG is obliged to maintain absolute confidentiality and is the only person to handle incoming information. The authorisation concept of the ‘Südzucker Compliance Line’ is set up accordingly. Only one other member of the Compliance Committee of Südzucker AG has ac- cess to the system to safeguard the peer review principle (see Point 5.2). This member of the Compli- ance Committee is obliged to maintain absolute confidentiality as well. When required, the Compli- ance Officer of Südzucker AG immediately anonymises the personal details in the information text in the whistleblowing system using a specific data protection function provided by that system.

To safeguard communication and to provide support with investigations, the mailbox must be opened and checked on a regular basis by the source to establish if there are any questions or information from the Compliance Officer at Südzucker AG.

Basic principles of the inspection and investigation of information provided

All incoming information over the ‘Südzucker Compliance Line’ is checked immediately, also to fulfil legal deadlines, and in order to provide feedback promptly to the source – to the extent that this is possible. If there is sufficient initial suspicion, one based on firm circumstances, the Compliance Of- ficer of Südzucker AG conducts a more in-depth, case-specific clarification of the facts of the matter. With anonymous messages, this can be an elaborate and extensive process to eliminate as far as pos- sible the higher risk of misuse of the ‘Südzucker Compliance Line’.

The decision about whether or not to involve the Central Auditing Department (ZAREV), which is re- sponsible for investigating compliance violations, in conducting an internal investigation depends on the quality of the notification, and this becomes apparent in the course of communication between source and recipient of the message. If the matter in hand prompts sufficient suspicion of an infringe- ment that meets the definitions of Point 3.1, ZAREV will endeavour to conduct an unscheduled inves- tigation, appointed by the Board of Management (known as a Special Examination).

As few people are involved as necessary when conducting such a Special Examination. All investiga- tions are carried out under conditions of the greatest possible confidentiality and in full compliance with data protection provisions. Employees involved in this kind of examination are required to re- spect the need for confidentiality.

Basic principles of data protection and data security / rights of the affected person

Data protection

In the entire information-providing process and during ensuing internal measures, the provisions of the applicable General Data Protection Regulations shall be respected.

Personal details in such information may relate to the person from whom the information originates and/or to persons known to the that individual, i.e. the source. The personal details processed during an investigation usually include name, job title and contact details (e.g. e-mail address or telephone number).

The Compliance Officer of the Südzucker AG only processes personal data which are objectively essen- tial in order to examine, confirm or eliminate grounds for suspicion. No sensitive personal details such as ethnic origin, political views, religious persuasion, membership in a trade union or details about the health or sexuality of the person are ever processed.

All recordings, documentation and system-side logging that are made as part of the entire whistle- blowing process are treated confidentially and in harmony with applicable legislation and specifications relating to data protection. Personal data in connection with notices will be stored as long as necessary for clarification and final assessment as well as the legal deadlines. These details are deleted from file once information from a source has been processed in full. Personal details deemed in the entire pro- cess to serve no purpose are deleted immediately, in accordance with legislative stipulations.

The information from a source, after removal of all personal details, can also be archived at the end of a case. Specific attention is drawn to the need for finalised cases only to be archived once the names of the accused, where applicable the name of the source and of possible witnesses are rendered un- traceable, for which the specialist data protection function in the whistleblowing system can be em- ployed.

In cases where the source has disclosed his/her identity, his/her identity is then only made known in the following cases:

where the source has expressly consented to this in writing;
where disclosure is legally required (e.g. essential when the authorities become involved) or
disclosure is essential to prevent or to reduce threats to life and limb or to the safety of a per- son.

Employees to whom one of these messages refers shall always be notified of the accusations (duty of information), regardless of whether or not an investigation is or is not conducted. In this process, the identity of the source is safeguarded and protected. If there is a substantial risk that notification of the employee who is the subject of such a message could jeopardise the effective investigation of the ac- cusation or the collection of the required evidence, notification can be postponed throughout the time that such a risk continues to exist.

The latest version of the privacy statement of the whistleblowing system is attached to this guideline in Annex A-1 and can be found by accessing the ‘Südzucker Compliance Line’.

Data security

The ‘Südzucker Compliance Line’ is operated by an external provider, Business Keeper AG, in what is

Personal details and information entered in the whistleblowing system are stored in a database oper- ated by Business Keeper AG in a certified high-security computer centre in Germany (Security Class Tier 3+). Communication between the computer of the source and the whistleblowing system is ef- fected via an encrypted connection (SSL). The IP address of the computer of the source is not saved during use of the whistleblowing portal. To maintain the connection between the computer and the BKMS® system, a cookie is saved on the computer that only contains the session ID (known as a zero cookie). This cookie only remains valid until the end of the session and becomes invalid when the browser is closed. On this system, data are saved exclusively in the whistleblowing system, and are also stored separately; this is not e-mail communication.

Data can only be viewed by Südzucker after a series of technical and organisational measures have been applied. At no time do Business Keeper AG and other third parties have access to the content and/or to the data or personal details associated with the message from the source. Access security is achieved using a certified process which involves encryption of messages with a special form of en- cryption methodology applied by the external provider. A person not authorised to use the system by the authorisation process, documentary records of which are kept, is not able to interpret and/or view any message, nor any other data in the system.

Südzucker has defined a stringent authorisation concept for gaining access to process this infor- mation. Access to the system is restricted to a very tight circle of just two expressly authorised indi- viduals who are committed to maintaining absolute confidentiality. The only person allowed to pro- cess this information is the Compliance Officer at Südzucker AG. To assure the peer review principle, a member of the Compliance Committee responsible for capital market compliance is also provided with access to the data. All data is saved in encrypted form, backed up by several layers of password protection.

Annexes

Annex A-1: Privacy statement of the whistleblowing system

Annex A-2: Instructions on how to submit information over the ‘Südzucker Compliance Line’

Annex A-1:

Privacy statement of the whistleblowing system

We take the issue of data protection and confidentiality very seriously and follow the applicable data protection regulations. Please read this privacy policy carefully before submitting a report.

Purpose of the whistleblowing system

The whistleblowing system (BKMS® System) serves to receive and process information on compliance violations in a secure and confidential manner.

Controller and data security

The responsible for data protection in the whistleblowing system is Südzucker AG, Maximilianstraße 10,68165 Mannheim. The whistleblowing system is operated by a specialist company, Business Keeper AG, Bayreuther Str. 35,10789 Berlin in Germany, on behalf of Südzucker AG (hereinafter also referred to as “Südzucker”).

Personal data and information entered into the whistleblowing system are stored in a database oper- ated by Business Keeper AG in a high-security computer centre. The data can only be seen by Südzucker. Business Keeper AG and other third parties have no access to the data. This is guaranteed in the certified process by comprehensive technical and organizational measures.

All data is encrypted and stored in a multi-level password-protected way, so that access is restricted to a very small circle of two expressly authorized persons (Compliance Officer of Südzucker AG and a member of the Compliance Committee).

Type of personal data collected

The use of the whistleblowing system is voluntary. When you submit a report via the whistleblowing system, we collect the following personal data and information:

Your name, if you disclose your identity,
whether you are employed by Südzucker and
if applicable, the names of persons and other personal data of the persons mentioned in your report.

Confidential handling of notices

Information will be received by Südzucker’s Compliance Officer and will always be treated confiden- tially. The Compliance Officer reviews the facts of the matter and, if necessary, conducts a more de- tailed case-related clarification of the facts.

As part of the processing of a report or during a special investigation, it may be necessary to pass on information to other employees of Südzucker or employees of other Südzucker Group companies, e.g. if the information refer to transactions in subsidiaries. The latter may also have their registered of- fice in countries outside the European Union or the European Economic Area, which may have diver- gent rules on the protection of personal data. We always ensure that the relevant data protection reg- ulations are observed when passing on information.

Any person who gains access to information is obliged to maintain confidentiality. Retention period of personal data

Personal data will be retained as long as it is necessary for clarification and final assessment. After completion of the information processing, this data will be deleted in accordance with the legal re- quirements.

Use of the whistleblowing system

Communication between your computer and the whistleblowing system takes place via an encrypted connection (SSL). The IP address of your computer is not stored while using the whistleblowing sys- tem. In order to maintain the connection between your computer and the BKMS® system, a cookie is stored on your computer that only contains the session ID (a so-called zero cookie). The cookie is only valid until the end of your session and becomes invalid when you close the browser.

You have the possibility to set up a protected mailbox in the whistleblowing system with your own chosen pseudonym / user name and password. In this way, you can send reports to Südzucker’s Compliance Officer by name or anonymously and securely. With this system, the data is stored exclu- sively in the whistleblowing system and is therefore particularly secure; it is not an e-mail communi- cation.

Annex A-2:

Instructions on how to submit information over the ‘Südzucker Compliance Line’

If you would like to send a note, click on the “Submit message” button at the top left of our introduc- tion page.

The reporting process consists of 4 simple steps:

First of all, you will be asked to read an information text to protect your anonymity and to an- swer a security
On the following page you will be asked in which content area you want to leave a
On the registration page, you phrase your information or question in your own After sending your note, you will receive a reference number as proof that you have sent this note.
Afterwards, please set up your own protected mailbox. This is the only way to receive feed- back from the Compliance Officer and, if necessary, information on the progress of your The mailbox is set up on a voluntary basis.

If you already have a protected mailbox, click on the “Login” button to go directly to this mailbox. Here too, you will be asked to answer a security question.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Legal