Vonovia : LkSG Report

Vonovia SESupply Chain Due Diligence Act Report

Supply Chain Due Diligence Act (LkSG) Report

Reporting period from January 1, 2023, to December 31, 2023 Name of the organization: Vonovia

Address: Universitätsstrasse 133, 44803 Bochum, Germany

Contents

3 A. Strategy & Embedding

1. A1. Monitoring of risk management & management responsibility

1. A2. Policy statement on human rights strategy
2. A3. Embedding the human rights strategy within the organization

7 B. Risk Analysis and Preventive Measures

7 B1. Risk analysis implementation, procedure and results

1. B2. Preventive measures in the company's own area of business
2. B3. Preventive measures at the level of direct suppliers

1. B5. Communication of results

1. B6. Changes in risk exposure

14 C. Identification of Violations and Remedial Action

14 C1. Identification of violations and remedial action in the company's own area of business

1. C2. Identification of violations and remedial action at the level of the company's direct suppliers

1. C3. Identification of violations and remedial action at the level of the company's indirect suppliers

15 D. Complaints Procedure

1. D1. Establishment of, or participation in, a complaints procedure
2. D2. Requirements for the complaints procedure
3. D3. Implementation of the complaints procedure

18 E. Review of Risk Management

Vonovia SESupply Chain Due Diligence Act Report

A. Strategy & Embedding

A1. Monitoring of risk management & management responsibility

Which responsibilities were defined for monitoring risk management in the reporting period?

Chief Compliance Officer Ralf Zieren was appointed as Human Rights Officer as of January 1, 2023, and is responsible for monitoring risk management in accordance with the German Supply Chain Due Diligence Act (LkSG). The ­Vonovia Management Board has overall responsibility and decides on the organizational structures and workflows of risk management and the allocation of resources. The Vonovia Management Board also has overall responsibility for ensuring an appropriate risk management system. The Internal Audit department reviews the implementation of Group guidelines in the relevant departments at regular intervals (the policy statement on the human rights strategy has also been adopted by the Management Board as a Group guideline).

Has the management established a reporting process that ensures that it is provided with information on a regular basis - at least once a year - on the work of the person responsible for monitoring risk management?

The company confirms that the management has established a reporting process that ensures that it is provided with information on a regular basis - at least once a year - on the work of the person responsible for monitoring risk management within the meaning of Section 4 (3) LkSG.

• Confirmed

Describe the process that ensures reporting on risk management matters to management at least once a year/on a regular basis.

The Human Rights Officer reports to the CEO on a regular basis, at least once a month. The Management Board and the Supervisory Board are provided with information on current compliance issues on a quarterly/half-yearly basis. This also includes topics that fall within the scope of the Supply Chain Due Diligence Act. The management is informed immediately of any ad hoc risks.

A2. Policy statement on human rights strategy

Has a policy statement been prepared/updated on the basis of the risk analysis carried out during the reporting period?

The policy statement has been uploaded https://www.vonovia.com/en/content/download/61163/6246335?version=7

Has the policy statement been communicated for the reporting period?

The company confirms that the policy statement has been communicated to employees, the works council where applicable, the public and the company's direct suppliers in respect of which a risk was identified in the risk analysis.

• Confirmed

Please describe how the policy statement was communicated to the relevant target groups.

Vonovia has adopted its policy statement on its human rights strategy in the form of a Group guideline in order to take account of the particular importance of this topic and to clarify its binding nature within the Group. The policy statement was adopted by the Management Board and was then sent out by the Human Rights Officer to all managers at the first and second level below the Management Board. The policy statement has been published on the intranet and on the public company website in both German and English. A reference to the policy statement can also be found on the Vonovia website in the section for business partners and in the Non-financial Declaration in the Annual Report. Vonovia has also proactively informed its suppliers of the policy statement by email.

Vonovia SESupply Chain Due Diligence Act Report

A. Strategy & Embedding

A2. Policy statement on human rights strategy

What are the components of the policy statement?

• Establishment of risk management
• Annual risk analysis
• Establishment of preventive measures in the company's own area of business, at the level of direct suppliers and, where applicable, indirect suppliers, as well as a review of the effectiveness of these measures
• Remedial action in the company's own area of business, at the level of direct suppliers and, where applicable, indirect suppliers, as well as a review of the effectiveness of these measures
• Establishment of a complaints procedure in the company's own area of business, at the level of suppliers, as well as a review of its effectiveness
• Documentation and reporting obligation
• Description of the prioritized risks identified
• Description of human rights-related and environmental expectations towards the company's own employees and suppliers

Description of possible updates during the reporting period and reasons.

Vonovia had already published and adopted a policy statement on human rights back in 2020. It was signed by the Management Board. An updated version of the policy statement was published as a Group guideline in German and English on January 1, 2023, in order to include more detailed information on the processes implemented at Vonovia in the context of the LkSG.

It was updated again in the first quarter of 2024, and an updated policy statement was published in German and English on March 6, 2024. In addition to editorial revisions, we updated the risk areas identified based on the risk analyses carried out for our own area of business and for direct business partners, added a reference to the published rules of procedure for the complaints procedure, and updated the frequency of meetings of the Due Diligence Committee.

A3. Embedding the human rights strategy within the organization

In which relevant departments/business processes was the embedding of the human rights strategy ensured during the reporting period?

• HR
• Location Development/Management
• Environmental Management
• Occupational Safety & Occupational Health Management
• Communications/Corporate Affairs
• Research & Development
• Procurement
• CSR/Sustainability
• Legal/Compliance
• Quality Management
• Mergers & Acquisitions
• Business Development
• IT/Digital Infrastructure
• Community/Stakeholder Engagement
• Internal Audit

Vonovia SESupply Chain Due Diligence Act Report

A. Strategy & Embedding

A3. Embedding the human rights strategy within the organization

Describe how responsibility for implementing the strategy has been distributed within the various departments/ business processes.

The Vonovia Management Board has overall responsibility for compliance with human rights and environmental due diligence obligations. The Human Rights Officer is responsible for monitoring risk management and reports directly to the Management Board in this function.

The policy statement on the human rights strategy has been adopted as a Group guideline, applies to all Vonovia Group employees and has been widely communicated. Individual managers are responsible for compliance with the Group guidelines within their departments. The Human Rights Officer is supported by a committee that brings together due diligence coordinators from relevant departments (Compliance and Data Protection, Procurement, Sustainability/Strategy, Human Resources). The committee convened once per quarter in the reporting year, and discusses the ongoing fulfillment of the human rights and environmental due diligence obligations.

The clear stance with regard to respect for human rights is also firmly anchored in the Vonovia Code of Conduct, which is also binding for all employees. We also set out our clear expectations with regard to respecting human rights in the supply chain in our Business Partner Code, which all business partners have to sign.

Describe how the strategy has been integrated into operational processes and workflows.

Vonovia has implemented instruments to firmly establish respect for human rights in processes and measures, for example in supplier management:

As part of the regular evaluation of our key suppliers and service providers via our partner portal, we also ensure compliance with the criteria set out in the Business Partner Code. In the event of incidents and breaches, a structured management of measures is activated, which - once all other means have been exhausted - may result in blocks on orders or even in a supplier being blocked entirely. We also use long-term cooperation in the spirit of partnership to build a close relationship of trust with our contractual partners. This is largely the responsibility of the procurement department and allows any misconduct and other risks to be addressed. We have revised our Group-wide Procurement Guidelines and expanded them to include the LkSG requirements.

Our Business Partner Code is based on internationally recognized guidelines, such as the principles of the UN Global Compact, the ILO core labor standards and the UN Guiding Principles on Business and Human Rights. All direct suppliers must comply with the requirements described and agree to contractual control mechanisms. Vonovia also reserves the right to verify compliance with this Code after the contract has been concluded. Our business partners have to guarantee active support in these reviews. In addition, each and every business partner is required to implement these obligations in their supply chain and to pass them on to their own business partners.

Employees receive regular training on the Code of Conduct, which they also have to sign, together with their employment contract, before their first day of work. The individual departments are responsible for integrating human rights due diligence into operational processes, including analyzing and assessing relevant risks and implementing appropriate measures.

Vonovia has established various complaints procedures that can be used to report potential or actual misconduct (anonymously). The Compliance and Data Protection department and an external ombudsperson are also available to all employees who have questions or require information.

Vonovia SESupply Chain Due Diligence Act Report

A. Strategy & Embedding

A3. Embedding the human rights strategy within the organization

Describe which resources & expertise are provided for implementation.

We collaborate on an interdisciplinary basis to ensure that Vonovia meets its human rights and environmental due diligence obligations on an ongoing basis:

The Procurement department is responsible for risk analysis in relation to the supply chain and provides expertise in working with and reviewing suppliers. The Compliance and Data Protection department is responsible for conducting the risk analysis for the company's own area of business, for establishing complaints procedures, as well as reviewing the reports received, for monitoring overall risk management in accordance with the LkSG and for updating the policy statement on the human rights strategy. Both the Procurement department and the Compliance and Data Protection department are responsible for developing and implementing appropriate preventive and remedial measures, as well as reviewing their effectiveness. The HR department contributes expertise in relation to relevant issues within the company's own workforce and in the implementation of requirements under the German General Act on Equal Treatment (AGG) as well as in the development and implementation of training formats. The Sustainability/Strategy department provides support with internal and external reporting as well as documentation. The Financial Controlling department offers support with the approach for risk analysis and assessment.

An overarching Due Diligence Committee brings together the due diligence coordinators from Compliance and Data Protection, Procurement, Sustainability/Strategy and HR, and meets at regular intervals. The Committee provides procedural support to the Human Rights Officer and also deals with the risk management organization. In the reporting year, external experts also provided support and advice on the preparation and implementation of the risk analysis for the supply chain, the supplier survey, training sessions and the update of the policy statement on the human rights strategy.

Vonovia SESupply Chain Due Diligence Act Report

B. Risk Analysis and Preventive Measures

B1. Risk analysis implementation, procedure and results

Has a regular (annual) risk analysis been conducted during the reporting period to identify, and assign weightings and priority levels to, human rights and environmental risks?

• Yes, for the company's own area of business
• Yes, for direct suppliers

Describe the period in which the annual risk analysis was carried out.

January 1, 2023-December 31, 2023

Describe the risk analysis approach.

Vonovia had already integrated sustainability risks into its Group-wide risk management system, and had these risks identified and evaluated on a regular basis, before the German Supply Chain Due Diligence Act (LkSG) came into force. Accordingly, the risk catalog already included risks related to occupational safety and environmental protec- tion. All risks referred to in the LkSG were taken into account in the risk analysis for the supply chain (direct sup­ pliers) as well as for the company's own area of business. As part of the overall risk analysis, care was taken to ensure consistency with the methodology used as part of the existing Group-wide risk management system. Where relevant, we have also applied the chosen approach to the identification and assessment of sustainability-related impacts, opportunities and risks as required by the Corporate Sustainability Reporting Directive (CSRD). We have described this approach for the 2023 reporting year below. Vonovia plans to roll out the established processes and measures resulting from the LkSG at its foreign subsidiaries in the course of 2024.

Risk analysis for the company's own area of business:

The risk analysis for the company's own area of business was integrated into the existing regular compliance risk analysis. The survey was conducted online and aimed at the first two management levels below the Management Board. When selecting the survey participants, all relevant individuals responsible for areas in which services are provided for the company's own area of business were included. Participants were asked to assess the relevant human rights and environmental risks (in accordance with the legal positions stated in the LkSG); they were also given the opportunity to provide information on other human rights or environmental risks. This also included asking about indications of risks that had arisen in the past and future (expected) risks. In accordance with the requirements of the LkSG, the risks were assessed according to the relevant criteria of nature and scope of business activity, likelihood of occurrence and severity (degree, number of people impacted, irreversibility) (the company's contribution and ability to exert influence are given, as the risks relate to the company's own area of business). Measures that are already implemented were taken into account in the specific risk assessment (net assessment) and documented.

Risk analysis for the supply chain (direct suppliers):

For the purposes of the supply chain risk analysis, the annual revenue per business partner was calculated and the relevant trade, country and contractual relationship were broken down. Next, clusters of trades and materials were created, and each cluster was analysed in two different risk dimensions. The first risk dimension related to risk factors pointing to susceptibility of business activities to risk. This involved assessing the following factors: the complexity and transparency of the supply chain, the risk potential associated with the work to be carried out and the raw materials involved, and the degree of vulnerability of the individuals involved/potentially affected. The second dimension involved assessing the abstract risks we had identified for each cluster in accordance with the appropriateness criteria (severity of a potential violation, likelihood of occurrence, the nature of the contribution of Vonovia and the ability of Vonovia to exert influence). The resulting assessments (conducted in collaboration with purchas- ers) were evaluated and weighted based on both risk dimensions. The clusters were categorized as low, medium and high-risk based on their risk profile. We consider a considerable lack of transparency to be tantamount to an increased risk, as not enough information is available to assess the risk as low. Each business partner was assigned a risk profile based on this approach. Priority levels were set based on revenue per cluster and business partner. Based on the priority levels and using a systematic decision tree, appropriate measures for in-depth risk analysis were developed and implemented. In particular, these included sending out topic-specific questionnaires to business partners that had been prioritized based on the risk associated with them.

Vonovia SESupply Chain Due Diligence Act Report

B. Risk Analysis and Preventive Measures

B1. Risk analysis implementation, procedure and results

Were ad hoc risk analyses also carried out during the reporting period?

• No

Please provide reasons for your answer.

No cause has been identified, meaning that no ad hoc risk analysis was carried out for the company's own area of business or for the supply chain, in addition to the regular risk analysis carried out in the reporting period.

Results of the risk assessment

What risks were identified as part of the risk analysis/analyses in the company's own area of business?

• Failure to account for occupational health and safety and work-related health hazards
• Prohibition of unequal treatment in employment
• Other prohibitions: Discrimination against tenants or customers

Results of the risk assessment

What risks were identified as part of the risk analysis/analyses conducted in relation to the company's direct suppliers?­

• Failure to account for occupational health and safety and work-related health hazards
• Prohibition of forced labor and all forms of slavery
• Prohibition of child labor
• Prohibited production and/or use of substances that fall within the scope of the Stockholm Convention (POPs) as well as the non-environmentally sound handling of waste containing POPs

Were the risks identified in the reporting period weighted and, where applicable, prioritized and, if so, on the basis of which appropriateness criteria?

• Yes, based on the expected severity of the violation in terms of its degree, the number of people impacted and its irreversibility
• Yes, based on the company's own ability to exert influence
• Yes, based on the likelihood of occurrence
• Yes, based on the nature and scope of the company's own business activities
• Yes, based on the nature of the company's contribution
• Yes, based on other factors:
  In addition to the aforementioned criteria, we used factors for susceptibility to human rights or environmental risks specific to countries, sectors and product groups (in accordance with the BAFA appropriateness guidance) to identify and prioritize risks as part of the risk analysis for the supply chain.

Describe in greater detail how the weightings and, where applicable, priority levels were assigned, and what factors were taken into account in the process.

Risk analysis for the company's own area of business:

The abstract risks identified were subjected to a net assessment. This resulted in two risks that are prioritized and assigned a higher weighting (discrimination in relation to the company's own employees and tenants/customers; failure to comply with occupational health and safety standards in the company's own workforce). The risks identified were assessed upstream according to the nature and scope of business activity, and then 50% each according to likelihood of occurrence and severity (degree, number of people impacted, irreversibility) (the company's­ contribution and ability to exert influence are given as the risks relate to the company's own area of business).

Risk analysis for the supply chain (direct suppliers):

Both risk aspects (risk of general business activity and risk of violations of human rights and environmental regula- tions) were assigned a 50% weighting. The risk of a negative impact on human rights or the environment was assessed based on the criteria of severity of the violation (50% weighting), likelihood of occurrence (30% weighting), nature of the company's contribution (10% weighting) and ability to exert influence (10% weighting). The risks in each cluster are categorized as low, medium and high-risk/lack of transparency. Further priority levels were set based on the level of revenue per cluster and business partner.

Vonovia SESupply Chain Due Diligence Act Report

B. Risk Analysis and Preventive Measures

B2. Preventive measures in the company's own area of business

Which risks were prioritized in your own area of business during the reporting period?

• Failure to account for occupational health and safety and work-related health hazards
• Prohibition of unequal treatment in employment
• Other prohibitions: Discrimination against tenants or customers

Failure to account for occupational health and safety and work-related health hazards

What specific risk does this relate to?

In the course of modernization work, repairs and similar construction work, there is a possibility that employees - or tenants - may come into contact with materials containing asbestos or other hazardous substances. These could have adverse health effects if handled improperly.

Where does the risk arise?

• Germany
• Austria
• Sweden

Prohibition of unequal treatment in employment

What specific risk does this relate to?

The risk of discrimination on the grounds specified in Section 2 (2) no. 7 LkSG could materialize within the company's own workforce, for example when recruiting or selecting applicants, promoting employees, etc.

Where does the risk arise?

• Germany
• Austria
• Sweden

Other prohibitions

What specific risk does this relate to?

The risk of discrimination on the grounds specified in Section 2 (2) no. 7 LkSG could also affect tenants or customers, e.g. when apartments are allocated.

Where does the risk arise?

• Germany
• Austria
• Sweden

What preventive measures were implemented for the reporting period to prevent and minimize the prioritized risks in your own area of business?

• Holding training sessions in relevant business areas
• Implementing risk-based control measures

Holding training sessions in relevant business areas

Describe the measures implemented and, in particular, specify their scope (e.g. number, coverage, scope of application)

Regular Group-wide training sessions are the cornerstone for preventing misconduct before it happens. A comprehensive catalog of regular and mandatory training events is already firmly established and has been adapted for the various internal target groups. These training courses cover topics such as anti-discrimination and the content of the AGG. One training session is dedicated to the Vonovia Code of Conduct, which defines respectful and tolerant cooperation as a core value of the corporate culture and which all employees have to sign.

Vonovia SESupply Chain Due Diligence Act Report

B. Risk Analysis and Preventive Measures

B2. Preventive measures in the company's own area of business

Vonovia has established a toxic materials management system to ensure the safe handling of toxic materials. Among other measures, safety fact sheets and operating instructions are kept for affected products and the company's own employees are trained on how to handle these products correctly from an occupational safety perspective. There are established processes for handling hazardous substances.

Describe the extent to which the training measures to prevent and minimize the prioritized risks are appropriate and effective.

The training courses implemented to raise awareness and prevent risks are appropriate and effective, as they are made accessible to all employees with low thresholds involved, and use examples from everyday life within the company to ensure practical relevance. The training courses also enable our employees to handle asbestos and other hazardous substances (where relevant) properly. Breaches of the processes that have been put in place are the absolute exception and are dealt with promptly.

In the course of the next reporting year (2024), a concept for reviewing the appropriateness and effectiveness of the preventive measures is to be developed.

Implementing risk-based control measures

Describe the measures implemented and, in particular, specify their scope (e.g. number, coverage, scope of application)

The update of the process for handling materials containing asbestos is planned for 2024. Checks on the implementation of the revised process for handling materials containing asbestos performed by the Compliance and Data Protection department and an audit review of the departments affected by the process are planned for 2024.

Describe the extent to which the measures to prevent and minimize the prioritized risks are appropriate and effective.

The improvement of the process and the subsequent review of its implementation help to minimize the identified risk. If the review identifies a need for further adjustments, these will be implemented.

B3. Preventive measures at the level of direct suppliers

Which risks were prioritized at the level of direct suppliers during the reporting period?

• Failure to account for occupational health and safety and work-related health hazards
• Prohibition of forced labor and all forms of slavery
• Prohibition of child labor
• Prohibited production and/or use of substances that fall within the scope of the Stockholm Convention (POPs) as well as the non-environmentally sound handling of waste containing POPs

Failure to account for occupational health and safety and work-related health hazards

What specific risk does this relate to?

The following identified risks could arise primarily on construction sites and in the production facilities of our sub­ contractors. Around 99% of our direct suppliers are based in Germany.

Disregard or breaches of occupational health and safety standards by our direct suppliers, particularly on construction sites, can lead to injuries being sustained by our suppliers' employees. Work in the craft and construction sectors sometimes calls for heavy physical labor. In some cases, this industry also employs low-skilled employees who belong to vulnerable groups (e.g. due to language barriers).

Where does the risk arise?

• Germany