Compliance and Responsibility

The effectiveness of the compliance management system is continually reviewed and refined. The system is based on the model of the IDW PS 980 auditing standard of the Institute of Public Auditors in Germany, and focuses on preventing compliance violations. The anti-corruption section pursues the aim of preventing, detecting, tracking, and penalizing corruption within the company. As part of its regular checks and short-notice audits, the Group Audit department checks adherence to the compliance requirements in KION GROUP AG and its consolidated subsidiaries.

As in previous years, the topics of anti-corruption, data protection and IT security, foreign trade and export controls, action against money laundering, fraud prevention—notably in relation to cybercrime—D&O liability, and management responsibility remained key focal areas in 2024. Anti-discrimination, whistleblower protection, and fostering a speak-up culture—or company culture in which questions and concerns can be openly expressed—were also focal points in the year under review.

The KION Group expressly supports the fight against all forms of corruption and bribery. To this end, it follows the approach of “prevent, detect, respond.” No confirmed cases of competition or antitrust violations were recorded in the reporting year. There were also no confirmed cases of active corruption by employees.

Multiple Reporting Channels

Actual or suspected violations can be reported in person, by phone, mail, email, or via an online form. All KION Group employees—as well as external stakeholders—also have access to an online form and hotline where they can report potential compliance breaches around the clock, including anonymously if they so wish. The whistleblowing system is in place worldwide, but is adapted as closely as possible to local conditions. The integrated case management system is designed to ensure that all incoming information is reviewed and that each individual case is processed systematically in line with the provisions in the EU Whistleblowing Directive. This system guarantees confidentiality and protection against retaliation.

The KION Group Compliance Committee is a cross-functional body made up of executives from the Corporate Compliance, Internal Audit, and Legal departments. This committee oversees the processing of reports of potential breaches and related investigations and confers on sanctions in the case of identified compliance violations.

The Compliance Committee at Linde MH in Germany provides employees with another independent point of contact that they can turn to when seeking advice or reporting potential violations. If anyone experiences or observes discrimination or harassment, they can get in touch with their responsible committee—and it goes without saying that this is in complete confidence. Similar bodies exist throughout the EMEA in accordance with national regulations. Compliance representatives are available to provide assistance at any time in all countries where Linde MH operates.

To encourage use of the whistleblowing system, employees are regularly updated about the various reporting channels via the intranet and mandatory compliance training.

All reported cases suspected non-compliance are systematically reviewed, and confirmed breaches are addressed through effective controls measures, such as regular or special audits. Any cases of misconduct are subject to disciplinary action. If necessary, the compliance management system is adjusted to prevent future violations.

As well as clear guidelines, there is also a wealth of information and a wide range of advisory services and training courses available. Linde MH’s compliance officers and representatives work hard to ensure that the company’s staff are kept fully up to date at all times about compliance matters and understand the importance of upholding the company’s values. All new employees of the KION Group are required to complete mandatory training on the KION Group Code of Compliance—either via e-learning or, for employees who do not have a work PC, via in-person training. Employees who are exposed to particular compliance risks due to their role—including sales and procurement staff—also attend regular in-person training sessions on specific topics.

The aim of this program is to provide all KION Group employees with regular training on the most important topics (anti-corruption, avoiding conflicts of interest, antitrust and competition law, anti-money laundering, whistleblower protection, data protection, IT security, and human rights). Changes to legislation or internal regulations are also communicated via training, as are any lessons learned from the compliance management system. In 2024, an in-person training program on anti-discrimination and the use of whistleblower channels was rolled out for employees without access to a computer. Employees with compliance-critical tasks (managers, sales, and procurement) were also given the chance to refresh their compliance knowledge through in-person training sessions.

Before the KION Group enters into a new business relationship, external business partners must be audited and relevant documentation secured. The auditing process establishes and verifies the financial background of the potential business partner and identifies any arguments against entering into a business relationship with them; for example, because the business appears on a sanction list or is the subject of negative reporting. In case of doubts, the Group may choose not to pursue its business dealings with a particular partner. External partner audits at the KION Group are, wherever possible, conducted on the basis of a risk assessment.

The basic inspection is carried out using the business partner tool, which is managed by Corporate Compliance. The process involves checking customers and suppliers for certain indicators based on compliance lists. Corporate Compliance is responsible for running these checks, assessing the results, and taking any necessary action. For external sales partners where the potential for corruption is higher—such as dealers, importers, distributors, agents, or integrators—the responsible compliance officer will conduct a multi-stage due diligence assessment prior to commencing a new business relationship. In addition to identifying potential risks in the relevant country based on subindices from reputable international organizations, this assessment obtains information from the sales partners via due diligence questionnaires, through audits conducted using the business partner tool, and/or via external due diligence providers. The results of the due diligence assessment are subsequently communicated to the responsible teams—e.g., the Management Board—along with any recommended actions, such as tighter contractual terms including a right to audit clause or additional monitoring of payment streams.

As part of a systematic analysis, the KION Group records and evaluates corruption and bribery risks on a regular basis throughout the Group. Money laundering, tax compliance, cybersecurity, and human rights risks are also assessed, as are the risks of non-compliance with competition laws. Non-financial risks that arise on an ongoing basis are also screened, evaluated, and managed. Adequate measures are subsequently derived to eliminate both process and control weaknesses. The characteristics of the corruption perception index for the respective country, the size and structure of the local procurement or sales organization, and contact with public officials play an important role in the risk assessment. This analysis has already been completed for all Linde MH subsidiaries. There continued to be no significant compliance risks.

Data protection and information security are both top priorities at Linde MH and the company complies with the relevant policies in place across the KION Group. This includes the Data Protection Policy, which sets out technical and organizational measures to protect personal data, and the KION Group’s Information Security Policy, which focuses on safeguarding the confidentiality, integrity, and availability of information, as well as protecting the KION Group against related attacks. A range of Group works agreements and mandatory standards on topics such as IT security in the workplace and the management of IT systems, email, and the Internet are also in place. Samples and templates for the day-to-day handling of personal data and sensitive business information are also available. The Operating Units are responsible for implementing the central requirements. Those responsible for data protection and its coordination in the individual subsidiaries report to their respective management. At Group level, the Group Data Protection Officer reports to the Chief Compliance Officer, and the KION Group Chief Information Security Officer reports to the Chief Information Officer who reports to the Executive Board of KION GROUP AG.

Protecting sensitive, personal data is also an important responsibility, so secure and effective processes and systems have therefore been put in place to protect this information and ensure compliance with the relevant legislation. All staff are given training and receive regular updates via the Group intranet to ensure that they understand and remain up to date with basic data protection principles, their reporting obligations, and the Group-wide compliance reporting system.

The number of attacks on companies’ global IT infrastructure has increased significantly due to organized crime and industrial espionage. Various technical and organizational measures have been implemented with the aim of protecting the KION Group’s data against unauthorized access, misuse, and loss. This includes continuously checking for vulnerabilities in the entire IT and operational technology infrastructure. Regular training on IT security issues, global anti-phishing campaigns, a monthly video series published on the Group intranet, and instructions for keeping IT infrastructure secure also play an important role in maintaining IT security standards.

Information Security Management System

The KION Group’s management system for information security (ISMS/Information Security Management System) is designed to ensure that sensitive information continues to be protected and that competitiveness in the industry is maintained. The KION Group ISMS is based on ISO 27001 requirements (establishment, implementation, maintenance, and continuous improvement of documented security management processes) for the entire Group. A documentation framework has been established that sets out the requirements for information security.

In this context, the KION Group regularly analyzes potential or existing risks to information security. Where the risk analysis identifies an IT security risk or where there is deviation from a KION Group security standard, the risk is described and appropriate action is set out. Once the residual risk has been assessed, the risk owner decides on whether to accept the residual risk. It must then be reassessed regularly and safeguarded by means of renewed risk acceptance.

The Group Audit department regularly carries out special IT audits, which also cover information security.

The KION Group divisions that develop and operate the cloud-based fleet management systems are certified in accordance with ISO 27001. The certified companies at Linde MH are Linde Material Handling GmbH in Aschaffenburg and Linde Material Handling Ibérica, S.A.U. in Spain. The KION Group headquarters in Frankfurt am Main, the Linde Material Handling headquarters in Aschaffenburg, and Willenbrock Fördertechnik GmbH in Bremen (also a Linde MH company) are certified in accordance with the TISAX¹ standard. In each case, these companies were found to have a high maturity level in the first assessment, and the TISAX label was granted without conditions. As part of this assessment, the auditor had to be provided with around 200 different pieces of evidence, including information security standards, standard operating procedures, security concepts, and KPIs.

In preparation for the NIS 2 Directive (Network and Information Security Directive 2), additional locations are currently being included in the scope of the ISMS. Furthermore, maintaining the established high level of information security and ensuring the smooth operation of the system’s components in day-to-day business are now key priorities. This will include regular internal audits and checks, managing information security risks, and planning and introducing improvements and other measures.

Footnotes:
[1] TISAX® is a cross-company assessment and exchange mechanism for information security in the automotive industry. It is designed to ensure the security, integrity, and availability of data required for manufacturing processes and vehicle operations