
Page 50 of 61

D Computing and IT Directive

D. 1. Introduction

D.1.1. Use of electronic data processing system

D.1.1.1. Objective
The aim of using modern information technology is to enhance quality at the workplace and shorten the time spent on routine tasks. The use of electronic data processing systems and information technologies is only ever to be for the benefit of the companies of the GCE.

D.1.1.2. Data processing and quality assurance
Quality assurance embodies principles for the correct application of data processing, with particular emphasis on the requirements of data backup and data protection to which the use of computing and information technology is subject.

D.1.2. Subject Matter
The present Computing and IT Directive governs the use of electronic data processing and information technologies in the companies of the GCE subject to the statutory regulations, the operational requirements for the highest possible efficiency and security and employee health. Throughout the Group, norms that are as standardized as possible are to be set up and complied with. Security is of utmost priority in using computing and information technology. The wide use of electronic data processing and information technologies calls for organisational measures to meet the requirements of data backup and protection and to meet the commitments derived from software licensing agreements.

D.1.3. Scope of Application
The Computing and IT Directive governing the electronic processing of data applies to all employees of the GCE. Where the respective works contracts make reference to the present Computing and IT Directive, freelancers and subcontractors are also governed by it. All external consultants engaged, such as external service providers, will also be bound by the Computing and IT Directive when they come into contact with the computing and information technology facilities of the GCE.

D. 2. Terms/ Definitions

D.2.1. Computing and Information Technology
The infrastructure of the electronic data processing system and information technology (IT in short) largely determines the smooth running of business processes. For this reason, considerable priority is given to the smooth running of this infrastructure. The said infrastructure includes servers, workplace PCs and programs as well as, in the broadest sense, the storage systems, networks and telecommunications systems on which it is based.


D.2.2. Hardware
Hardware is the collective term denoting the mechanical equipment of a computer system, a term covering all modular groups and peripheral devices of a computer. The hardware includes the PC (printer, screen, beamer, loudspeaker, ...), input devices (keyboard, mouse, ...), storage media (hard disk, flash saver, CD-ROM drive, DVD drive, ...), expansion cards (graphic card, sound card, network card, ISDN card, ...), importing devices (various types of scanners), data media (CD, DVD, disk, ...) and the basic components of computer architecture itself, such as circuit board, processor and storage (random access memory). The hardware of a computer is steered and managed by an operating system (Windows etc.).

D.2.3. Software
Software is the term used to denote all non-physical elements of a computer. Above all, it relates to computer programs and the use of specific data in conjunction with computer programs. In terms of the office user, software may be differentiated by a variety of criteria:

- System software, required for the computer to work properly (particularly the operating system and extra programs, such as virus protection software).
- User software that supports the user in handling his specific assignments, thus of direct benefit to the user.
- Software as fixed installation in a device, for steering and control purposes (so-called company software).

Software typically used in the GCE is (as examples):

D.2.3.1. Text processing, e.g. Word
With the help of text processing, the entire correspondence is dealt with:

- External correspondence, reports, protocols, etc.

Texts that relate to persons must be saved securely under a password.

D.2.3.2. Table calculation, e.g. Excel
As with most table calculations, Excel makes it possible to carry out copious calculations with formulas and functions. The results may be evaluated by sorting and filter functions and presented in diagram form.

D.2.3.3. Outlook
Outlook is software that manages personal data such as contacts, assignments, appointments, all kinds of memos and e-mails. User management is important in the GCE since each user is responsible for the administration of his own data and not all users may view or handle all data.

D.2.3.4. Internet browser
Internet browsers are computer programs for the viewing of web pages on the Internet. Besides the HTML pages, they also show other forms of documents. The GCE uses the Internet Explorer.


D.2.3.5. CAD programs
Computer Aided Design (CAD) is a type of electronic drawing board. With CAD programs, it is not only possible to produce technical drawings, but the more complex programs are also able to draw up three-dimensional models. This makes it possible to produce two or three-dimensional drawings and even derive animated visualization of the objects at issue. CAD software is used in all corporate divisions where constructions are developed for use in architecture and building projects within the GCE.

D.2.3.6. Navision
Navision is a program for accounting, for credit and debit management, liquidity planning, cost accounting and asset accounting.

D.2.3.7. Virus protection programs
So-called anti-virus programs (also known as virus scanners) are programs that trace, block and, where necessary, eliminate known computer viruses, computer worms and Trojans. To identify viruses, each virus scanner has a list of samples of all known viruses and compares the software under scrutiny against it. If a file or part of a file matches up with a sample from the list, steps are taken to neutralize the infected file. Since new viruses are always in circulation, the lists in question are continuously updated.

D.2.3.8. Other software
Special applications are also used for personnel management and payroll tasks, database programs and programs specified by customers.

D.2.4. Intranet
The Intranet of the GCE is a network of computers based on the same techniques as the Internet (see below), yet only accessible to a specified group of employees of the company. The GCE has Intranet in the form of a VPN.

D.2.5. VPN
A Virtual Private Network is a protected computer network that makes use of the Internet to transport company data. Parties to the virtual private network can work cross-location to exchange data as if in an internal, location-specific Intranet. Each connection over the public Internet is secured and encrypted.

D.2.6. Internet
The Internet (English abbreviation for Interconnected Networks) is a worldwide network of independent networks. It serves the purposes of communication and exchange of information. In principle, each computer of a network is able to communicate with any other computer. The communication of each separate PC runs over defined protocols for the transmission of data. Communication in the public Internet harbours dangers, such as those derived from computer viruses or destructive programs. Over the virtual private network of the GCE, access to the Internet can be protected. When using mobile computers (laptops etc.), it must be ensured that access is especially protected over external network connections (WLAN, UMTS, GPRS, DSL, etc.).


D.2.7. User Account
A user account denotes the access to an IT system. Normally, authentication is required prior to access in the form of a user name and password. The user name and the password each have special functions.

D.2.7.1. User name
The user name serves to control access to the systems and makes it possible to access the programs and data as defined by the System Administrator. The user name is not secret.

D.2.7.2. The password
By contrast, the password must be kept secret, since it practically embodies the authorization of the user. The password protects the employee's own field of responsibility for working in the computing system. The user himself chooses his own personal password. Compliance with the Password Directive is imperative (see below).

D.2.8. E-Mail

D.2.8.1. Definition
E-Mail (from the English electronic mail, also abbreviated to mail) denotes letter-like communications transmitted electronically in computer networks. The e-mail service is a major part of the Internet. Over one half of the worldwide volume of mails in the Internet can be attributed to so-called spam mails (undesirable advertisements).

D.2.8.2. Access data
Employees of the GCE usually receive a business e-mail account (comparable to a post box). Each e-mail account has personal user data and a password that makes it possible to receive or send official e-mail letters at the workplace. Furthermore, employees sometimes have the possibility of having the System Administrator set up their e-mail access on another computer (e.g. on their notebooks) using their e-mail access data.

D.2.8.3. Employees of branches in other countries
Employees of branches in other countries continue to use their local Internet provider, yet with the help of their access data are able to send and receive e-mail communications.

D.2.9. Computing Officer
The Computing Officer is responsible for correct data processing in the respective companies of the GCE. He is nominated by Management.

D.2.10. Administrator
A System Administrator manages computer systems. He installs, configures and maintains the IT infrastructure of the GCE. The System Administrator is responsible and subordinate to the Computing Officer.


D. 3. Terms and Conditions of Use

D.3.1. General Principles of Conduct

D.3.1.1. Treatment of computing equipment
Each employee treats computer equipment with care and propriety. Above all this means cleanliness at the workplace (particularly the keyboard, mouse, screen etc.). In the event of damage or a malfunction, the Computing Officer is to be informed immediately.

D.3.1.2. Handling passwords
Each employee undertakes to maintain secrecy relating to his password. Upon the loss of a password or any suspicion of abuse, the responsible superior and the Computing Officer must be informed immediately.

D.3.1.3. Access data
Access data solely serve business use. Access data may not be transferred or rendered accessible to others.

D.3.1.4. Software licences
It is prohibited to use non-licensed software.

D.3.1.5. Installation
Installation is subject to agreement with the responsible System Administrator.

Employees are prohibited from intervening in the operating system or in programs or from making extensions to them.

D.3.1.6. On-forwarding of programs and data
It is only permitted to pass on programs and data to third parties if this has been specifically approved.

D.3.1.7. Protection from viruses
Employees ensure that their computer is not exposed to the danger of viruses or such like and, for this reason, will check that the virus scanner is permanently active and updated.

D.3.1.8. Loss of a machine
In the event a computer is lost, the Computing Officer is to be informed immediately.

D.3.1.9. Publication of information in the Internet
The following rules apply to any form of information published by an employee in the Internet: The employee bears responsibility himself for the contents. The employee vouches for and guarantees that the content he is publishing in the Internet

- does not, to the best of his knowledge, constitute any violation of third-party rights in terms of copyright, patent, trademark, operational secret or other industrial property right or public or private rights;
- does not constitute a breach of any laws, statutory regulations, ordinances or regulations (including export restrictions);
- is not of a defamatory, slanderous or threatening nature;
- is neither pornographic nor obscene;
- does not constitute any violation of legislation governing unfair trading practices, incitement to hatred or prohibited advertising;
- does not embody any virus, Trojan, worm, timebomb or other damaging or destructive program routines.

D.3.1.10. Making use of the infrastructure
In using the computing and information technologies, the employee is not permitted to undertake any measure that places an unreasonable or excessive load on the infrastructure of the companies of the GCE.

D.3.1.11. Blocking employee access
The companies of the GCE are entitled to block an employee's access to the computing and IT infrastructure at any time.

D.3.1.12. Exclusion of liability
Under no circumstances are the companies of the GCE liable for any damages generated from the negligent or wilfully intentional conduct of an employee in the Internet.

D.3.2. Objectives

D.3.2.1. User objectives

a) Data Protection and Data Security
The use and application of the computing and IT system is subject to the statutory regulations governing data protection and the operational requirements for security.

b) Briefing
Before using the computing and IT systems for the first time, every user will be briefed on issues of security in handling the systems, particularly in respect of data backup and the protection of people-related data.

c) Admissibility of Software and Hardware Use
Only hardware and software components may be used for business assignments that have been licensed and installed by the System Administrator. Without the consent of the Computing Officer, it is not permitted to use private machines and software procured by the employee. It is also not permitted to pass on programs and data to parties outside the GCE. Only the business-related assignments operationally necessitated may be handled over the system. Programs developed by an employee in the respective department for purposes of a project may only be used by the developer at his own responsibility. For damages incurred from the defective development or use of a program, the developer of the program bears liability pursuant to the statutory regulations. Such programs may only be handed over to other employees subject to permission from the Computing Officer. Otherwise programs or parts of programs that have been privately developed or procured may not be used.

d) Notification Duties
Each user undertakes to inform the responsible System Administrator of any virus warning, unexpected system behaviour, unusual events or notifications with the PC or any loss of data of unknown cause. The System Administrator will immediately inform the Computing Officer of such unusual circumstances.

e) Intervention, Re-fitting and Troubleshooting
Users are not permitted to tamper seriously with the hardware. In particular they are not permitted to install and remove computer drives. Any refitting and elimination of problems will only ever be carried out and documented by the System Administrator.

f) Removal of Electronic Data Processing Material and Software
Computers, accessories, peripheral equipment (printer, etc.), programs, program parts and data may only be removed from the premises for business-related reasons, subject to the prior consent of the Branch/ Plant Manager. If location-specific equipment is removed, the procedure will be documented. In such instances, the System Administrator undertakes to confirm the return of the equipment. It is otherwise forbidden to remove computing material and software for private reasons.

g) Handling Data Media
Written data media and other documents of sensitive content that require protection are to be stored with care, unless they are in use for current working assignments. Upon termination of working hours, data media are to be removed from the PC drives.

h) Use of Internet
Given the open structure of the Internet, Internet pages may embody repulsive, damaging, illegal or inaccurate material, even in the form of falsely identified news items or in otherwise fraudulent manner. Employees undertake to use the Internet with care and healthy common sense and to comply with the applicable legislation governing access to Internet services.

D.3.2.2. Objectives for System Administrators

a) Assignments of System Administrators
The System Administrator appointed by the Computing Officer is responsible for advising and aiding the user. His assignments are the following:

- Installation and initiation of the operation of computing systems and components as well as the monitoring thereof (ensuring compliance with the respective standards of the GCE);
- All intervention in hardware, such as its reorganisation, upgrading or the connection of components;
- Maintenance and care of the installed hardware and software, the installation of patches and security updates;
- Provision of the basic structures for archiving data files;
- Award of rights, the installation and monitoring thereof in cooperation with the Branch/ Plant Manager;
- Guarantee of data security of the computing and information technology systems of the GCE (through the use of passwords, for example);
- Containment and, as far as possible, elimination of malfunctions and the guarantee of renewed operational functionality following system crashes;
- Provision of regular data backup measures on external data media;
- Protection of the computing and information technology systems of the GCE against viruses;
- Maintenance and update of the computing equipment register and the software register;
- Notification of the Computing Officer in respect of errors with the use of hardware and software and submission of requirements for improvement; the Computing Officer will then liaise with the suppliers of hardware and software;
- Submission of proposals for improvement and further development of the general application concept;
- Preparation of local rules for the operation and maintenance of resources in line with general regulations;
- Agreement with Management on the use of external service providers.

b) Procurement of Hardware and Software
The procurement of hardware and software is carried out with the agreement of respective Management in line with the approved investment plan.

c) Access to Server Premises
Only the Computing Officer and Administrators have access to the premises in which the servers are installed. Outsiders (including maintenance personnel from suppliers) may only access these premises in the company of a System Administrator.

d) Software and Hardware Requirement
Where the use of new programs seems appropriate, the responsible superior is to be duly notified and the requirement incorporated into investment planning.

D.3.3. Control of Performance/ Conduct
Each employee is responsible for the accuracy of his computer-aided working results and the orderliness of working sequences. The companies of the GCE retain the right to record and save Internet meetings of the employee.

D.3.4. Data Backup
Employees are required to ensure the regular production of data backup copies, depending on the scope of amendment to data files, irrespective of the data backup procedures carried out within the corporate infrastructure.

Employees are also required to back up their work during the working process, thus averting any significant loss of working hours in the event of any system malfunctioning.

D. 4. Data Safety, Archiving, Structure

D.4.1. General Security
After completion of work, all print-outs are to be removed from the printers/copying machines. Printers are to be so installed as to enable their control by the authorized user. Unauthorized parties must not be able to view the screens. Each employee undertakes to guarantee for his own particular field of assignment that computing equipment and systems are protected from unauthorized, improper and abusive use subject to the present Terms and Conditions of Use and that documents and programs cannot be accessed by unauthorized parties. When leaving the workplace, the computer is to be blocked against unauthorized access.

D.4.2. Password Directive
The user undertakes to amend his personal password at irregular intervals, at least every three months. The password is to be made up of at least six digits. It may not give any indication of its holder. The password must not be easy to guess, so that it should comprise at least one figure as well as capital and small letters and symbols; trivial combinations, such as 123456 or xxx are to be avoided. The password will be amended immediately if an unauthorized viewing of the password whilst being entered into the system cannot be ruled out. It is only permitted to pass on passwords in exceptional circumstances and subject to the explicit approval of the responsible Managing Director.

D.4.3. Data Archiving
For their respective working assignments, users are expected to set up a sensible and ergonomic structure for their archives in the Intranet. When in doubt, the user will consult the Computing Officer. The Windows file Eigene Dateien [Own files] is not to be used for saving data. Business data are to be archived in the network, otherwise they cannot be secured. The same applies to the administration of e-mails and e-mail attachments. Large e-mail attachments may not be saved permanently in Outlook but in the Intranet of the GCE. The users undertake to watch the volume of their Outlook post-boxes and to regularly back up assignments that have been dealt with.

D.4.4. Data Backup
The System Administrator ensures the backup of the Intranet daily. After projects have been completed, the person responsible for the project is required to separately back up the data that is no longer required in compliance with the archiving requirement prescribed by law. After completion of a project or part of a project, the results will be transmitted to data media and, in line with the legal archiving requirement, kept at a safe location for the required statutory period of time.


D.4.5. Handling Data Media
Confidential working results, in particular personally specific data, may only be delivered on machine-readable data media or on paper. Print-outs that are not required must be destroyed. Hard disks may never be handed over to anyone. Should they be passed on to non-authorized persons (e.g. computing companies for maintenance or repair work), the data must first be physically deleted.

D.4.6. Control of Access and User for processing Personally Specific Data
Those persons, who are entitled to process personally specific data in automated procedures, will be nominated in detail by Management. In processing personally specific data, unauthorized persons must be prevented from viewing the ongoing procedure of data processing. Data media with personally specific data may only be kept on the premises or in containers specifically designated for the purpose and may only be moved and used by authorized parties. It is only permitted to pass on access rights (password, key, magnetic cards, etc.) with the consent of the Managing Director. A written receipt must confirm receipt of keys, magnetic cards etc. Evidence thereof is kept by the responsible Computing Officer.

D. 5. Private Use

D.5.1. Subject and Scope of Application
This section of the Computing and IT Directive governs the principles for the private use of the Internet and e-mail services in the GCE and applies to all employees whose workplaces have a business Internet and e-mail access.

D.5.2. Objective
The aim of this Section of the Computing and IT Directive is to render the measures for recording and control transparent, to safeguard the personality rights of those employed and to guarantee protection of their personal particulars.

D.5.3. Private Use of Internet and E-Mail Facility
The GCE only permits the occasional in-house use of the business Internet and e-mail connection and the e-mail address for clearly insignificant private use as opposed to business-related use. Such minor use will neither be subject to disciplinary penalty nor punished, providing no legislation is violated or corporate directives breached or overstepped and the availability of the IT system for business-related purposes is not impaired. Senders and recipients of e-mails bear sole responsibility for their further use; they decide on the saving, deletion and on-forwarding thereof subject to statutory and corporate regulations.


D.5.4. Rules of Consent and Representation
No technical differentiation is made between business-related and private use. Recording and control subject to Section 5 of the present Directive also relate to the scope of the private use of the Internet access. By making private use of the Internet access, the employee declares his consent to such recording and control pursuant to Section 5 of the present Directive for the area of private use. In this respect, the user also agrees to a restriction of secrecy in telecommunications. In specifying a ruling for substitution purposes, the employee must expect that his private e-mails will also be able to be read by his deputy.

D.5.5. Control of Performance and Conduct/ Data Protection for Use of E-Mail Facility and Internet/ Sanctions
Where personally specific or personally associated data are recorded, they may solely be used for the specified purpose of the present Directive. Data relating to user conduct may only ever be used to guarantee system security, to optimise and control the system, for the analysis and rectification of errors and for the allocation of the costs of the system to cost units. Access to these functions remains restricted to the persons entrusted with the technical administration of the systems; these persons are bound by Section 5 Federal Data Protection Act [BDSG] and Section 85 Telecommunications Act [TKG]. Any use of the above data for any further control of performance or conduct is not permitted. The rulings laid down in Sections 5.3 to 5.6 remain unaffected hereby. Where there are adequately substantiated grounds for suspicion and the Works Council is in agreement, an Internet and/or e-mail account may be inspected. The corporate Data Protection Officer must be present at such inspection. Measures to prevent or to help prove any abuse of the Internet and/or e-mail facility may be implemented directly in instances of impending danger (substantiated suspicion). In such instances, the Data Protection Officer and, where available, the Works Council are to be informed immediately afterwards. Any violation may result in prosecution parallel to consequences under labour legislation. The GCE retains the right to forbid the private use of the Internet/e-mail access in individual circumstances where this ruling has been breached.

D.5.6. Principles of Conduct
Compliance with statutory regulations is to be assured when private use is made of the Internet and/or e-mail facility. Furthermore in terms of the restrictions of Section 3 such use is only permitted providing it does not disrupt or compete with business operations of the GCE, does not hinder or disturb the work of other employees, does not generate additional costs for the GCE, does not comprise business-related advertising, does not provide third parties with information or lists of employees and does not incorporate business or private mailing lists. It is generally not permitted to call up Internet pages that are subject to payment or to access or distribute material that could be conceived by others as tasteless, repulsive or lacking respect. Examples of this are:

- Material comprising obviously sex-related images and descriptions;
- Material that advocates illegal actions;
- Material that advocates intolerance towards others.

It is also generally not permitted to use the GCE user name in public chat rooms or on other occasions, which might result in the despatch of advertisements or so-called spam mails. In the event of excessive private use, the GCE retains the right to take steps under labour legislation.
