Information duties according to Art. 13 GDPR – Whistleblowing System

Compliance with laws and internal regulations is our top priority. The company takes the protection of personal data very seriously. This privacy policy explains what personal data we collect from you when you use the internal reporting system, which we provide in accordance with the Whistleblower Protection Act. We ensure compliance with applicable data protection regulations through technical and organizational measures.

Privacy Information Overview

2. Name and contact details of the controller

Responsible for the processing of your personal data in the context of this contact is:

UNITAX-Pharmalogistik GmbH
Compliance Unit
An den Gehren 1
12529 Berlin-Schönefeld
Germany
+49 (030) 338438100
datenschutz@unitax-group.de
https://unitax-group.com/

3. Contact details of the Data Protection Officer

The appointed Data Protection Officer is:

DataCo GmbH
Sandstrasse 33
80335 Munich
privacy@dataguard.com
www.dataguard.de

4. Type and category of personal data

In principle, the reporting system can be used without providing personal data. However, you may voluntarily disclose personal data as part of the whistleblower process, in particular information regarding:

  • Date of the incident
  • Description of the incident
  • First and last name of the reporting person
  • First and last name of other affected persons
  • Phone number
  • Email address
  • Preferred method of communication

Generally, we do not request or process special categories of personal data, e.g., information about race and/or ethnic origin, religious and/or philosophical beliefs, trade union membership, or sexual orientation.

However, you are free to provide this information in the free text fields of the reporting form insofar as it is relevant to the reported incident.

The report you submit may contain personal data of third parties. The affected persons may be informed and given the opportunity to comment on the information. Should this be the case, your identity will remain confidential.

5. Purposes of processing

The reporting system allows you to contact us and report violations of regulations or laws. We process personal data (if provided) to investigate incidents reported via the reporting system and to clarify suspected violations of regulations and laws.

Should we need to contact you, we will only communicate with you via the reporting system. The confidentiality of the information provided is our top priority.

There is also the possibility of a personal meeting regarding the incident if you wish. In this case, the meeting will take place without the involvement of the HR department or management.

6. Legal basis for processing

The processing of your personal data takes place on the basis of the consent you provided when reporting via the reporting system (Art. 6 (1) (a) GDPR).

Furthermore, we process your personal data insofar as this is necessary to fulfill legal obligations. This includes, in particular, reports relating to criminal, competition, and labor law (Art. 6 (1) (c) GDPR).

Finally, your personal data will be processed if this is necessary to safeguard the legitimate interests of the company or a third party (Art. 6 (1) (f) GDPR). We have a legitimate interest in processing personal data for the prevention and detection of violations within the company, for checking the legality of internal processes, and for maintaining the integrity of the company.

If you provide us with special categories of personal data, we process these based on your consent (Art. 9 (2) (a) GDPR).

In addition, we use your personal data in anonymized form for statistical purposes. We do not intend to use your personal data for purposes other than those mentioned above; should that change, we will obtain your prior consent.

7. Technical implementation and security of your data

The reporting system includes an option for anonymous communication via an encrypted connection. When you use the reporting system, your IP address and your current location are never stored.

After sending a message, you will receive access data for the reporting system inbox so that you can continue to communicate with us securely.

We maintain appropriate technical measures to ensure data protection and confidentiality. The data you provide to us is stored in a secure database. All data stored in the database is encrypted using state-of-the-art technology.

8. Recipients or categories of recipients

To fulfill the above-mentioned purpose, personal data will be viewed by authorized persons within the company.

It may also be necessary for us to transmit personal data to external bodies such as law firms or criminal or competition authorities.

For the technical implementation of the reporting system, we transmit personal data, to the extent described above, to the hosting provider Microsoft Ireland Operations Limited. For this purpose, we have concluded a data processing agreement to ensure data protection.

If we pass on your personal data internally within the group or externally, a uniform level of data protection is ensured through internal data protection regulations and/or corresponding contractual agreements.

9. Transfer of personal data to a third country

Your personal data will generally not be transferred to third countries outside the European Union or the European Economic Area, nor is this planned.

10. Duration of storage of personal data

We only store personal data for as long as is necessary to process your report or as long as we have a legitimate interest in storing the personal data.

Furthermore, your personal data may be stored if this is necessary under European or national law to fulfill legal obligations, such as retention requirements. Subsequently, all personal data will be deleted, blocked, or anonymized.

11. Rights of the data subject

According to the General Data Protection Regulation, you have the following rights:

  • If your personal data is processed, you have the right to obtain information from the controller about the data stored about you (Art. 15 GDPR).
  • If incorrect personal data is processed, you have a right to rectification (Art. 16 GDPR).
  • If the legal requirements are met, you can request erasure or restriction of processing (Art. 17 and 18 GDPR).
  • If you have consented to data processing or a contract for data processing exists and data processing is carried out using automated procedures, you may have a right to data portability (Art. 20 GDPR).
  • If you object to processing for direct marketing purposes, the personal data concerning you will no longer be processed for these purposes.
  • Furthermore, there is a right to lodge a complaint with a supervisory authority (Art. 77 GDPR).