Information obligations according to Art. 13 GDPR
1. Who is responsible for data processing and who can you contact?
The company Data Protection Officer is
Project 29 GmbH & Co. KG
93047 Regensburg, Germany
Tel.: +49 941-2986930
2. What data is processed and what are the sources of this data?
We process the data that we have received from you as part of contract initiation or processing, on the basis of consent, or as part of your application to us or your employment with us.
Personal data includes the following:
Your master/contact data: for customers, this includes, e.g., first and last name, address, contact data (email address, telephone number, fax), bank details.
For applicants and employees, this includes, e.g., first and last name, address, contact data (email address, telephone number, fax), date of birth, details from curriculum vitae/resume and references, bank details, religious affiliation, photographs.
For business partners, this includes, e.g., the name of their legal representative, company, commercial registry number, VAT number, company number, address, contact person contact data (email address, telephone number, fax), bank details.
For visitors to our company, this includes name and signature.
For journalists, this includes first and last name, email address, fax number.
For social media campaigns, this includes first and last name, email address, telephone number, job description, company, and the URL of the profile.
For whitepaper downloads, this includes first and last name, email address, phone number, job description, company, and profile URL.
We also process the following additional personal data:
- Information about the type and content of contract data, order data, sales and receipt data, customer and supplier history, and consulting records
- Advertising and sales data
- Information from your electronic communications with us (e.g., IP address, login data)
- Other data that we have received from you as part of our business relationship (e.g., in customer meetings)
- Data that we generate ourselves from master/contact details and other data, e.g., by means of customer demand and customer potential analyses
- Documentation of your declaration of consent to receive, e.g., newsletters, whitepapers, photographs taken as part of events
3. For what purposes and on what legal basis is the data processed?
We process your data in accordance with the provisions of the General Data Protection Regulation (GDPR) and the German Federal Data Protection Act 2018, as amended:
- For the fulfillment of (pre-)contractual obligations (Art. 6 para. 1 lit. b GDPR): The processing of your data takes place for processing contracts online or in one of our branch offices, or for processing contracts of your employment in our company. In particular, the data is processed during the initiation of business and the performance of contracts with you.
- For the fulfillment of legal obligations (Art. 6 para. 1 lit. c GDPR): Processing of your data is necessary for the purpose of fulfilling various legal obligations, e.g., from the German Commercial Code or the German Fiscal Code.
- For the protection of legitimate interests (Art. 6 para. 1 lit. f GDPR): Based on a balancing of interests, data processing may take place beyond the actual fulfillment of the contract to protect our legitimate interests or those of third parties. Data processing for the protection of legitimate interests occurs, for example, in the following cases:
  - Advertising or marketing (see no. 4)
  - Measures for business management and further development of services and products
  - Maintaining a Group-wide customer database to improve customer service
  - As part of legal proceedings
  - Sending non-sales-related information and press releases
- Within the scope of your consent (Art. 6 para. 1 lit. a GDPR): If you have given us consent to process your data, e.g., to send you our newsletter, whitepapers, publish photos, sweepstakes, etc.
4. Processing of personal data for advertising purposes
You may object to the use of your personal data for advertising purposes at any time, either overall or for individual measures, without incurring any costs other than the transmission costs according to the basic rates.
We are entitled under the legal provisions of Section 7 para. 3 UWG (Act against Unfair Competition) to use the email address that you provided when concluding the contract for direct advertising for similar goods or services we offer. You will receive these product recommendations from us regardless of whether or not you have subscribed to a newsletter.
If you do not wish to receive such recommendations from us by email, you may object to the use of your address for this purpose at any time without incurring any costs other than the transmission costs according to the basic rates. A message in text form is sufficient for this. An unsubscribe link is, of course, always included in every email.
5. Who receives my data?
If we use a service provider as part of order processing, we still remain responsible for the protection of your data. All contractors are contractually obligated to treat your data confidentially and to process it only as part of providing the service. The contractors we commission receive your data to the extent that they need the data to fulfill their particular service. These are, for example, IT service providers that we require for the operation and security of our IT system as well as advertising and address publishers for our own advertising campaigns.
Your data is processed in our customer database. The customer database supports the enhancement of existing customer data quality (elimination of double entries, moved/deceased identifiers, address correction) and enables enrichment with data from public sources.
This data is made available to the Group companies to the extent necessary for contract processing. The storage of customer data is done separately on a company-by-company basis, with our parent company acting as a service provider for the individual participating companies.
In the event of a legal obligation and as part of legal prosecution, authorities and courts as well as external auditors may be recipients of your data.
In addition, insurance companies, banks, credit agencies, and service providers may be recipients of your data for the purpose of initiating and fulfilling contracts.
6. How long will my data be stored?
We process your data until termination of the business relationship or until expiry of the applicable statutory retention periods (such as from the Commercial Code, the Fiscal Code, or the Working Hours Act); furthermore, until the termination of any legal disputes in which the data is required as evidence. In the event of withdrawal or objection, your data will be erased provided that there are no statutory retention periods to the contrary. The data will also be erased after expiry of the purpose.
7. Is personal data transmitted to a third country?
We do not generally transmit any data to a third country. Transmission takes place in individual cases only on the basis of an adequacy decision by the European Commission, standard contractual clauses, appropriate guarantees, or your express consent.
8. What data protection rights do I have?
You have a right of access, a right to rectification, erasure, or restriction of the processing of your stored data, a right to object to the processing, as well as a right to data portability and to lodge a complaint in accordance with the requirements of data protection law at any time.
Right of access:
You can request information from us as to whether and to what extent we process your data.
Right to rectification:
If we process your data that is incomplete or incorrect, you can request that we rectify or complete it at any time.
Right to erasure (“right to be forgotten”):
You can request that we erase your data if it is being processed unlawfully or if processing disproportionately interferes with your legitimate interests of protection. Please note that there may be reasons that prevent immediate erasure, e.g., in the case of legally regulated retention requirements.
Regardless of whether you exercise your right to erasure, we will immediately and completely erase your data, provided there is no legal or statutory retention requirement to the contrary.
Right to restriction of processing:
You can request that we restrict the processing of your personal data if
- You dispute the accuracy of the data for a period of time that allows us to verify the accuracy of the data
- The processing of the data is unlawful, but you refuse erasure and instead request the restriction of the use of the data
- We no longer need the data for the intended purpose, but you still need this data to assert or defend legal claims
- You have lodged an objection to the processing of the data
Right to data portability:
You can request that we provide you with the data you have provided to us in a structured, commonly used, and machine-readable format so that you can transmit this data to another controller without hindrance from us, provided that
- we process this data on the basis of consent given by you, which may be withdrawn, or for the performance of a contract between us, and
- this processing is carried out by automated means.
If technically feasible, you may request that we transmit your data directly to another data controller.
Right to object:
If we process your data for a legitimate interest, you may object to this data processing at any time; this would also apply to profiling based on these provisions. We will then no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms or the processing serves to establish, exercise, or defend legal claims. You may object to the processing of your data for the purpose of direct marketing at any time without giving reasons.
Right to lodge a complaint:
If you are of the opinion that we are violating German or European data protection law in the processing of your data, please contact us so that we can clarify any questions. Of course, you also have the right to contact the supervisory authority responsible for you, the respective State Office for Data Protection Supervision.
If you wish to assert any of the aforementioned rights against us, please contact our Data Protection Officer. If in doubt, we may request additional information to confirm your identity.
9. Am I required to provide data?
The processing of your data is necessary for the conclusion or fulfillment of your contract entered into with us. If you do not provide us with this data, as a rule we will have to refuse to conclude the contract or will no longer be able to perform an existing contract and consequently will have to terminate it. However, you are not obliged to give your consent to data processing with regard to data that is not relevant for the fulfillment of the contract or that is not required by law.