Privacy Policy (06.02.2025)

As a data subject, you have the following rights:

2.1 Right of access (Art. 15 GDPR): You have the right to be informed at any time of the categories of personal data processed, the purposes of processing, any recipients or categories of recipients of your personal data and the planned storage period.

2.2 Right of rectification (Art. 16 GDPR): You have the right to request the rectification or completion of personal data concerning you that is incorrect or incomplete.

2.3 Right to erasure („right to be forgotten“) (Art. 17 GDPR): You have the right to request the immediate erasure of your personal data. In particular, we are obliged as the controller to delete your data in the following cases:

• Your personal data is no longer needed for the purposes for which it was collected.
• A processing of your personal data took place solely on the basis of your consent, which you have now withdrawn, and there is no other legal basis that legitimises a processing of your personal data.
• You have objected to a processing which is based on the legitimate or public interest and we cannot prove that there are legitimate grounds for processing.
• Your personal data has been processed unlawfully.
• The erasure of your personal data is necessary in order to comply with a legal obligation to which we are subject.
• Your personal data has been collected in connection with information society services offered in accordance with Art. 8 I GDPR.

Please be aware that the right to erasure is subject to a limitation in the following cases, so that a deletion is excluded:

• Your personal data is used to exercise the right to freedom of expression and information.
• Your personal data serves to fulfil a legal obligation to which we are subject.
• Your personal data is used to carry out a task that is in the public interest or in the exercise of official authority that has been assigned to us.
• Your personal data serves the public interest in the field of public health.
• Your personal data are necessary for archiving purposes in the public interest, for scientific or historical research or for statistical purposes.
• Your personal data serve for us to establish, exercise or defend legal claims.

2.4 Right of restriction of processing (Art. 18 GDPR): You also have the right to request that the processing of your personal data be restricted; in such a case, your personal data will be excluded from any processing. This right applies if:

• You contest the accuracy of your personal data and we have to verify the accuracy of your personal data.
• The processing of your personal data is unlawful and instead of erasing your personal data, you request a restriction of processing.
• We no longer need your personal data for the fulfilment of the specific purposes, but you still need this personal data to establish, exercise or defend legal claims.
• You object to the processing of your personal data and it has not yet been determined whether your or our legitimate reasons override this.

2.5 Right of data portability (Art. 20 GDPR): You have the right to receive the personal data concerning you that you have provided to us as a controller in a structured, common and machine-readable format and to transfer it to another controller. Furthermore, you also have the right to request that your personal data be transferred from us to another controller, insofar as this is technically feasible.

The requirements for the applicability of data portability are:

• Your personal data is automatically processed based on your consent or a contract.
• Your personal data does not serve to fulfil a legal obligation to which we are subject.
• Your personal data will not be used to perform a task that is in the public interest.
• Your personal data do not serve for the performance of a task which is performed in the exercise of an official authority delegated to us.
• The exercise of your right shall not interfere with the rights and freedoms of others.

2.6 Right to object (Art. 21 GDPR): You have the right at any time to object to the processing of your personal data on grounds arising from your particular situation. This also applies to profiling. The requirement for this is that the processing is based on a legitimate interest on our part (Art. 6 I lit. f GDPR) or the public interest (Art. 6 I lit. e GDPR).

Furthermore, you may also at any time object to the processing of your personal data for the purposes of direct marketing or profiling linked to such direct marketing.

Should you object to the processing of your personal data based on a legitimate interest, we will check in each individual case whether we can show grounds worthy of protection that override your interests and rights and freedoms. In the event that there are no reasons worthy of protection on our part or your interests as well as rights and freedoms override our own, your personal data will no longer be processed. An exception is made if your personal data is still used for the establishment, exercise or defence of legal claims.

If you object to the processing of your personal data for the purposes of direct marketing or profiling, insofar as this is linked to such direct marketing, your personal data will no longer be processed for these purposes.

2.7 Right to lodge a complaint with the supervisory authority (Art. 77 GDPR): You also have the right to lodge a complaint with a supervisory authority at any time, in particular with a supervisory authority in the Member State of your residence, place of work or place of suspected infringement, if you consider that the processing of personal data concerning you is in breach of the data protection regulations.

The address of the supervisory authority responsible for our company is:

Der Landesbeauftragte für den Datenschutz Niedersachsen

Prinzenstraße 5

30159 Hannover

Telefon 0511-120 4500

Fax 0511-120 4599

U2FsdGVkX19de5x+XlZgGXUrtjKA/s8YvjKWnbQYhvojQnWMd3CbsQ3JrqWzB/A6

2.8 Right of withdrawal (Art. 7 GDPR): If you have given us consent to process your personal data, you can withdraw this consent at any time without giving reasons and in an informal manner. Withdrawal of consent does not affect the lawfulness of the processing that has taken place on the basis of the consent up to the point of withdrawal.

As a matter of principle, the processing of your personal data by us is always linked to a specified, explicit and legitimate purpose, which has already been defined before the processing activity is commenced, in accordance with the principle of purpose limitation under Art. 5 I lit. b GDPR. In the further course of this privacy policy, when a processing activity is cited, a description of the specific purpose is also included.

We process your personal data in accordance with the GDPR. Accordingly, the processing of your personal data is always founded on a legal basis. Article 6 of the GDPR defines legal bases for the processing of personal data.

4.1 Legal bases for the processing of personal data

Consent

If we obtain your consent for the processing of your personal data, the processing will be carried out on the legal basis of Art. 6 I lit. a GDPR. The following example serves to clarify this legal basis: You receive advertising from us by electronic mail and/or telephone and have given your prior consent.

Contract or pre-contractual measure

If the processing of your personal data is necessary for the fulfilment of a contract with you or for the implementation of pre-contractual measures taken in response to your request, the legal basis on which the processing of your personal data is based is Art. 6 I lit. b GDPR.

Legal obligation

In cases where the processing of your personal data is necessary to comply with a legal obligation to which we are subject, this processing is based on Art. 6 I lit. c GDPR.

Vital interest

Should the processing of your personal data be necessary to protect your vital interests or those of another person, this processing is carried out in accordance with Art. 6 I lit. d GDPR.

Public interest

In cases where we process your personal data in order to perform a task which is in the public interest or in the exercise of official authority delegated to us, Art. 6 I lit. e GDPR constitutes the legal basis.

Legitimate interest

If the processing of personal data is necessary to safeguard a legitimate interest of our company or a third party and at the same time the interests, basic rights and fundamental freedoms of the data subject, which require the protection of personal data, do not override our legitimate interest, Art. 6 I lit. f GDPR serves as the legal basis for the processing.

4.2 Legal bases for the processing of special categories of personal data

If, in extraordinary cases, we need to process special categories of personal data, such as

• data on racial or ethnic origin (e.g. skin color or special languages),
• data on political opinions (e.g. party memberships),
• data on religious or philosophical beliefs (e.g. membership of a sect),
• data on trade union membership,
• genetic data,
• biometric data (e.g. fingerprints or photographs),
• health data (e.g. identification numbers for disabilities),
• or data concerning the sex life or sexual orientation

by you, this processing is based on one of the following legal bases, which are de-fined in Article 9 GDPR:

Explicit consent

If you have given us your explicit consent for the processing of the above categories of personal data, this constitutes the legal basis for the processing in accordance with Art. 9 II lit. a GDPR.

Performing duties under social security/protection and employment law

If the processing of special categories of personal data relating to you is necessary in order to comply with a legal obligation arising from social security/protection or employment law, the legal basis for this processing is Art. 9 II lit. b GDPR.

Protection of vital interests

If the processing of special categories of personal data relating to you should be necessary to protect your vital interests or those of another person, such processing is carried out pursuant to Art. 9 II lit. c GDPR.

Manifestly public data

Insofar as special categories of personal data of yours are processed, which have previously been made public by yourself, the processing of these data is based on Art. 9 II lit. e GDPR.

Establishment / Exercise / Defence of legal claims

Insofar as the processing of the special categories of personal data relating to you serves us to establish, exercise or defend legal claims, Art. 9 II lit. f GDPR constitutes the legal basis for the processing.

Substantial public interest

In the case of the processing of special categories of personal data concerning you in order to safeguard a substantial public interest arising from EU or national law, the processing is based on Art. 9 II lit. g GDPR.

Assessment of the person's work capacity or other medical purposes such as health care

If the processing of special categories of personal data relating to you arises from a law of the EU or a Member State or a contract concluded with a member of a health profession and is carried out for the purposes of preventive health care, occupational medicine, assessment of an employee's work capacity, medical diagnosis, care or treatment in the health or social field or the management of systems and services in the health or social field, this processing is based on Art. 9 II lit. h GDPR.

Public interest in the area of public health

If the processing of special categories of personal data of yours should be necessary for public health reasons, including protection against cross-border health threats such as pandemics, this processing is carried out on the legal basis of Art. 9 II lit. i GDPR.

Archival purposes, scientific / historical research purposes, statistical purposes

Should the processing of special categories of personal data relating to you arise from a right of the EU or a member state, which stipulates processing for archiving, scientific or historical research or statistical purposes in the public interest, this processing is based on Art. 9 II lit. j GDPR.

Unless otherwise stated, we delete personal data in accordance with Art. 17 GDPR or restrict its processing in accordance with Art. 18 GDPR. Apart from the retention periods stated in this privacy policy, we process and store your personal data only as long as the data are necessary for the fulfilment of our contractual and legal obligations. Personal data that are no longer required after the purpose has been fulfilled will be regularly deleted. We delete transaction-related information (e.g. relating to a specific order transaction or order relationship) after completion of the respective transaction with a period of three years after the end of the respective calendar year, unless further processing is required for a limited period of time, which may result from other legally permissible purposes. In order to fulfil documentation obligations as well as to comply with statutory obligations to preserve records in Germany, the necessary documents are stored for five years in accordance with § 8 Money Laundering Act (GwG), six years in accordance with § 257 I Commercial Code (HGB) and for ten years in accordance with § 147 I of the Fiscal Code of Germany (AO).

Recipient of your data

We do not sell or rent user data in principle. A transfer to third parties beyond the scope described in this privacy policy will only take place if this is necessary for the processing of the respective requested service. For this purpose, we work together with service providers in the areas of marketing, sales, IT, logistics and human resources, among others. We select these service providers extremely carefully. In other cases we transfer data to requesting governmental authorities. However, this only takes place if there is a legal obligation to do so, for example if a court order exists.

Locations of the processing of your personal data

In principle, we process your data in Germany and in other European countries (EU/EEA). If your data is processed in countries outside the European Union or the European Economic Area (i.e. in so-called third countries), this will only take place if you have expressly consented to it, if it is stipulated by law or if it is necessary for our service provision to you. If, in these exceptional cases, we process data in third countries, this will be done by ensuring that certain measures are taken (i.e. on the basis of an adequacy decision by the EU Commission or by presenting suitable guarantees in accordance with Art. 44ff. GDPR). The EU Commission has determined that an adequate level of data protection also exists for U.S. companies under the EU-U.S. Data Privacy Framework (DPF). Companies based in the U.S. have the opportunity to confirm compliance with the DPF through self-certification. If the DPF applies to data transfers, we provide you with additional information.

8.1 Processing activity – Google Tag Manager

On our website, we use the Google Tag Manager, of Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (hereinafter: Google). With the help of the Tag Manager, we can centrally integrate and manage various software solutions such as Google Analytics via corresponding code sections - also known as tags - on our website. These code sections are also used to collect data regarding your browser, your website visits or to set cookies.

The Google Tag Manager itself is integrated via Java Script. The corresponding files for the integration of the Google Tag Manager are downloaded from Google's servers. After consent has been given, your end device establishes a connection with Google's servers in order to start a request to receive the required files. In the process, personal data from you, such as your IP address, will be transmitted to Google and processed by Google in order to transfer the files in response to the request.

Due to Googles headquarter localisation, the transfer of your personal data to Google may constitute a so-called third country transfer to the USA. Google LLC is certified under the DPF so that an adequate level of data protection is ensured.

The legal basis for the processing of your personal data in the context of the use of Google Tag Manager is your consent pursuant to Art. 6 I lit. a GDPR. Information on your right of withdrawal can be found under point 2.8 "Right of withdrawal (Art. 7 GDPR)" in this privacy policy.

Further information on the processing of your personal data within the scope of the individual solutions used can be found below in the separate texts for the individual solutions.

8.2 Processing activity – Visiting of our website

Insofar as you use our website solely for informational purposes, i.e. if you do not register or otherwise transmit information to us, we only collect the personal data that your personal browser transmits to our server. This data is technically necessary so that the website can be displayed to you. Furthermore, this data is technically necessary to ensure the stability and security of our website. The legal basis for the processing of your personal data in this case is Art. 6 I lit. f GDPR; the legitimate interest in this case is the provision and optimal presentation of this website as well as the protection of this against external attacks and their traceability. We delete this personal data after the end of the usage process, unless we need it for purposes of abuse detection and abuse traceability; in such a case, we retain this data for up to a maximum of 3 days.

When visiting our website, the following personal data may thus be processed, which is automatically transmitted by your browser to our servers and stored there in the form of so-called "log files":

• IP address of the terminal device used to access the website
• Date, time and duration of the request
• Country of origin of the requestContent of the request (specific page / file)
• Access status/http status code (e.g. "200 OK")
• Internet address of the website from which the request to access our website was made
• Browser and installed add-ons (e.g. Flash Player)
• Operating system and interface
• Language and version of the browser software
• Amount of data transferred in each case
• Time zone difference to Greenwich Mean Time (GMT)

We can only provide some of the services offered on our website if we are able to contact you. In this respect, the possibility of using these services depends on you providing us with certain personal (contact) data. We collect, use and process this personal data only to the extent necessary to provide you with the respective service. If you contact us by e-mail or via a contact form, the personal data you provide in each case (your e-mail address and other information you provide voluntarily, such as your name/telephone number) will be stored by us in order to process your request and, if necessary, answer your questions.

Here, the legal basis for the processing of your personal data is Art. 6 I lit. f GDPR; the legitimate interest is to answer your request. After a final response to your request, we delete your request and the information on the processing with a period of three years after the end of the respective calendar year.

8.3 Processing activity – Website management

Our website is managed by Active Elements GmbH, Heinrich-Nordhoff-Ring 5, 30826 Garbsen, Germany and hosted by Vercel Inc., 440 N Barranca Ave #4133, Covina, CA 91723, USA, on servers of Amazon Web Services (AWS).

Thus, your personal data collected on our website is stored on the servers of these service providers. The data may be, for example, your IP address, meta and communication data or data from a contact form.

The AWS servers on which our website is hosted are located in Europe, but due to Vercel’s and Amazon's localisation, the processing of your personal data may constitute a third country transfer. Vercel and Amazon is certified under the DPF so that an adequate level of data protection is ensured.

The legal basis for the use of Active Elements, Vercel and Amazon for the hosting and management of our website is our legitimate interest according to Art. 6 I lit. f GDPR, to ensure the operation and security of our website and to provide an optimised experience for our customers and interested parties on our websites.

8.4 Processing activity – Content Management System / Contentstack

For our website we use the Content-Management-System (short: CMS) by Contentstack Inc., 315 Montgomery St., Suite 909, San Francisco, CA 94104, USA. The CMS is used to present and manage websites, online stores, intranets or other corporate websites. We use the Software as a Service solution of Contentstack for creation and maintenance of our corporate websites. It enables us to create website content and distribute it to the websites of our subsidiaries and partner companies via defined workflows.

Due to Contentstack’s localisation the USA, the processing of your personal data may constitute a third country transfer. Contentstack is certified under the DPF so that an adequate level of data protection is ensured.

The legal basis for the processing of your personal data in the context of the use of Contentstack is our legitimate interest pursuant to Art. 6 I lit. f GDPR. Our legitimate interest here is to ensure the operation and security of our website.

Further information on data protection at Contentstack can be found under the following address:
Privacy Policy - Legal | Contentstack

8.5 Processing activity – Cloudfront

This website uses the content delivery network (CDN) Cloudfront. This is a service of Amazon Web Services Inc., 410 Terry Avenue North, Seattle, WA 98109-5210 (hereinafter: Amazon Web Services). The CDN is integrated in the form of Java script code on our website and reloaded during a visit. Cloudfront allows us to provide increased loading performance, improved availability and data loss prevention by providing duplicate data (e.g. graphics or scripts) from this website on different servers around the world. However, when you visit this website, photo/video files may be automatically requested from Cloudfront, and this automated request for photo/video files may result in personal data, such as your IP address, being transmitted to servers of Amazon Web Services.

Due to Amazon's localisation, the transfer of your personal data to Amazon may involve the transfer of personal data to a third country that is neither in the European Union nor in the European Economic Area, in this case in particular to the USA. Amazon Web Services, Inc. is certified under the DPF so that an adequate level of data protection is ensured.

The legal basis for the processing of your personal data in the context of the use of Cloudfront is our legitimate interest, which in this case is to ensure the security and availability of this website, according to Art. 6 I lit. f GDPR.

You can obtain further information on the subject of data protection at Amazon Web Services at the following address(es):
https://aws.amazon.com/de/data-protection/ or
https://aws.amazon.com/de/privacy

8.6 Processing activity – Consent Management Platform / Usercentrics

On our website we use the Usercentrics Consent Management Platform. This is a consent management tool based on JavaScript. With the help of this tool, we can give the visitor of our website both an overview of the essential software solutions used and the possibility to decide on the use of any other software solutions that require prior consent. Furthermore, the platform offers the visitor the possibility to withdraw any given consent at any time without giving reasons and thus to prevent the future processing of personal data by the respective software solution. Furthermore, with the help of the platform, we can meet the requirement resulting from the GDPR for consent management, which provides, among other things, the possibility to prove that consents have been given or not.

In the context of the use of the Usercentrics Consent Management Platform, the following data may be processed, among other things:

• Consent data
• Consent –ID
• Consent status (Opt-in, Opt-out)
• Consent timestamp
• Language of the consent banner
• Version of the banner template
• Device data (http Agent, http Referrer)

The use of the Usercentrics Consent Management Platform and the associated processing of personal data serves to fulfill legal obligations within the meaning of Art. 6 I lit. c GDPR. Thus, the use of the platform is necessary both to comply with the obligation to provide documentary evidence within the meaning of Art. 5 II GDPR and the legal obligation resulting from the judgment "ECLI:EU:C:2019:801" of the European Court of Justice and the related judgment "I ZR 7/16" of the German Federal Court of Justice, according to which § 15 III 1 of the German Telemedia Act (TMG) is to be interpreted with regard to Art. 5 III 1 of Directive 2020/58/EC in such a way that the service provider may only use cookies to create usage profiles for the purposes of advertising or market research with the consent of the user.

Deletion of your personal data in connection with the use of the Usercentrics Consent Management Platform will take place as soon as it is no longer required to fulfill the purpose. In case of withdrawal of consent, we retain the information regarding the withdrawal for three years. The retention results on the one hand from the accountability according to Art. 5 II GDPR and on the other hand from the regular statute of limitations according to § 195 German Civil Code (BGB). The period of this limitation begins according to § 199 BGB with the end of the year in which the claim arose. Thus, the statute of limitations begins at the end of December 31 of the year in which the withdrawal occurred and ends three years later on December 31 at 00:00.

8.7 Processing activity – Google Fonts

On our website, we use fonts from Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. These fonts are grouped together by Google under the name Google Fonts.

So-called cascading style sheets and font files are required for the integration of Google Fonts. Style sheets are files that are used to change the design of a website, such as the font or font size. A font file contains any information about how the font is displayed. The corresponding files (cascading style sheets, font files) for the integration of Google Fonts are stored on our web server. This means that no connection to Google's servers needs to be established in order to obtain these files and therefore no data transfer to Google takes place within the scope of Google Fonts.

8.8 Processing activity – Algolia Search

To offer our visitor an on-site search on our website, we use the solution from Algolia, Inc. (301 Howard St., Ste. 300, San Francisco, California 94105, USA).

The customer has the possibility to search for products and pages from our portfolio. If the search function is used and thus a request is sent to our website, only the IP address is used to display the result. Through a proxy solution on our server, no data transfer occurs, and no data is stored.

The processing of the IP address is based on our legitimate interests in the fast processing of search requests and thus also the higher customer friendliness on our website in accordance with Art. 6 I 1 lit. f GDPR.

8.9 Processing activity – Web Analytics

8.9.1 Google Analytics 4

On our website, we use the Google Analytics 4 service (in short: GA4). This is a web analytics service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (hereinafter: Google). We use GA4 to collect website visitor data, which is used by GA4 to compile reports on the use of this website. These reports help us to better understand how visitors use our website and to improve it regularly.

The collection of your visitor data is based on events and parameters. The parameters covered differ according to the event being monitored. However, the following parameters are recorded for each event:

• Language
• Page position
• Referrer URL
• Page title
• Screen resolution

Other possible parameters that can be captured by optimised analyses for events are:

• Clicks
• File downloads
• First visit of the website
• Interaction with forms
• Page visits
• Scrolling on the website
• Start of a session
• Video interaction
• Performed search on the website

Independently of the parameters described above, your IP address is also processed. This is used for geo-localisation and is then automatically anonymised according to Google.

In addition, detailed location and device data can be collected. This is the following data:

• City
• Latitude (city)
• Longitude (city)
• Version of the browser
• User agent string of the browser
• Device brand
• Device model
• Device name
• Version of the operating system
• Screen resolution

Your visitor data may be collected in particular through cookies that are set by GA4 on your end device and enable an analysis of the visit / use of our website. Further information on the subject of cookies can be found under "7. Cookies" in this privacy policy.

GA4 can use various methods to aggregate your visitor data across devices. On the one hand, GA4 can assign you a unique user ID that enables cross-device mappings. However, we do not use this feature. In the event that you have a Google account, are logged in to it and have activated personalised advertising, Google may associate the information collected with your Google account using Google signals. On the basis of this data, personalised ads may then be displayed. With the help of the device ID, which corresponds to the client ID for a website and the ID of the app instance for an app, GA4 can also assign data across devices.

If GA4 is not allowed to use cookies and user IDs because you have not given your consent for this, GA4 can fill this data gap with the help of so-called behaviour modelling, which is based on the concepts of machine learning. GA4 will try to fill the missing information with so-called "observed" data of similar users who have consented to the processing.

The data collected by the GA4 service, such as the screen resolution of your terminal device, may be aggregated with other Google services that we use in order to trigger further processing. This includes, for example, Google Ads. The data collected from GA4 can be used to create target groups in Google Ads and used for remarketing purposes. Deletion of the user-level data processed in GA4 takes place automatically after 14 months.

Due to the localisation of Google, the transfer of your personal data to Google may constitute a third country transfer. A third country transfer is a transfer of personal data to a destination in a country that is neither in the European Union nor in the European Economic Area. Google LLC is certified under the DPF so that an adequate level of data protection is ensured.

The legal basis for the processing of your personal data in the context of the use of Google Analytics 4 is your consent pursuant to Art. 6 I lit. a GDPR. Information on your right of withdrawal can be found under point 2.8 "Right of withdrawal (Art. 7 GDPR)" in this privacy policy.

8.9.2 Microsoft Clarity

This website uses features of the web analytics service Microsoft Clarity. The provider is Microsoft Ireland Operations Ltd., One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland (hereinafter: Microsoft).

Microsoft Clarity provides website usage statistics, session recordings, and heatmaps, created mainly through the tracking of mouse movements. Microsoft Clarity will use the processed information for evaluating the use of our website, compiling reports on website activity, and providing other services related to the use of the website. Hence, we use Microsoft Clarity to analyze and regularly improve the user behavior on our website and with the help of the statistics we obtain, we can make our offer more interesting and user-friendly for you as a user.

The collection of your user data is done via cookies, which are set on your end device and enable an analysis of the visit of our website. For more information on cookies, please see "7. Cookies" in this privacy policy.

We will process the following data with Microsoft Clarity:

• Unique user ID
• Date and time of visit
• IP Address
• Location data
• Session ID
• User behavior
• Interaction data
• Mouse movements
• Clicks
• Scrolling activity

The deletion of the data processed on a user level in Microsoft Clarity takes place automatically after 13 months. Text fields, such as contact forms, surveys or search fields are masked out in the screen recordings so that the entries you make are not recorded. Personal data entered in our online forms is therefore not processed by Microsoft Clarity.

In exceptional circumstances, due to Microsoft's headquarters, your personal data may be transferred to the USA and thus be transferred to a so-called third country. A transfer to a third country is a transfer of personal data to a destination in a country that is neither in the European Union nor in the European Economic Area. Microsoft Corporation is certified under the DPF so that an adequate level of data protection is ensured.

The legal basis for the processing of your personal data in the context of the use of Microsoft Clarity is your consent pursuant to Art. 6 I lit. a GDPR. Information on your right of withdrawal can be found under point "2.8 Right of withdrawal (Art. 7 GDPR)" in this privacy policy.

8.10 Processing activity – Targeting and advertisement

8.10.1 Google Ads

On our website we use the service Google Adwords from Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (hereinafter: Google). This service enables us to draw attention to our appealing offers on external websites by means of advertising material (so-called Google Ads). These advertising materials are delivered by Google via so-called "Ad Servers". Ad server cookies are used for this purpose. For further information on the topic of cookies, please go to "7. cookies". Ad server cookies enable the evaluation of performance parameters (e.g. ad impressions, clicks or conversions). In this way we can determine how successful the individual advertising measures are. If you come to our website via an ad from Google, Google Adwords stores a cookie on your end device. This cookie stores analysis values (unique cookie ID, number of ad impressions per placement (frequency), last impression, opt-out information (marking that the user no longer wants to be addressed)). The cookies set by Google Adwords lose their validity after 30 days. These cookies are not intended to identify you personally. Rather, they enable Google Adwords to recognize your internet browser. If you visit certain pages on the website of an Adwords client, Google and the client will recognize that you have been redirected to the client's page via a clicked advertisement. Google provides us as an Adwords customer with a statistical analysis. This analysis enables us to measure the effectiveness of our advertising measures. We do not receive any further data beyond this.

Due to the localisation of Googles headquarters, the transfer of your personal data to Google may constitute a third country transfer to the USA. Google LLC is certified under the DPF so that an adequate level of data protection is ensured.

The legal basis for the processing of your personal data in the context of the use of Google Adwords is your consent pursuant to Art. 6 I lit. a GDPR. Information on your right of withdrawal can be found under point 2.8 "Right of withdrawal (Art. 7 GDPR)" in this privacy policy.

Further information on data protection at Google can be found here:

• 
  www.google.com/intl/de/policies/privacy/
• services.google.com/sitestats/en.html

8.10.2 LinkedIn Insight Tag

On our website we have included the conversion tool "LinkedIn Insight Tag" from the LinkedIn Ireland Unlimited Company (hereinafter: LinkedIn).

The LinkedIn Insight Tag is a small JavaScript code snippet that we have implemented on our website. With the help of the LinkedIn Insight tag, data about the visit of our website is collected and transmitted to LinkedIn. This data includes the referrer URL, IP address, device information, browser information, and a timestamp for the visit of our website. LinkedIn does not provide us with access to the personal data collected in detail. LinkedIn uses this information to provide us with reports on website audiences and ad performance, based on aggregate data, so that we can optimize our website based on the information we receive. In addition, LinkedIn provides us with the ability to track conversions and retarget our website visitors through the LinkedIn Insight tag. This allows us to display targeted advertising outside of our website without identifying the website visitor.

Due to the localisation of LinkedIn, the transfer of your personal data to LinkedIn may constitute a third country transfer to the USA. LinkedIn Corporation is certified under the DPF so that an adequate level of data protection is ensured.

The legal basis for the processing of your personal data in the context of the use of the LinkedIn Insight Tag is your consent pursuant to Art. 6 I lit. a GDPR. Information on your right of withdrawal can be found under point 2.8 "Right of withdrawal (Art. 7 GDPR)" in this privacy policy.

The data processed in the LinkedIn Insight tag is encrypted and anonymized within seven days. After 90 days at the latest, the anonymized data is automatically deleted if it is no longer required for the fulfillment of the defined purpose.

For more information about LinkedIn's privacy policy, please visit the following address:
https://www.linkedin.com/legal/privacy-policy

8.10.3 Marketo

We use the marketing automation software Marketo from Adobe Systems Software Ireland Ltd. (4–6 Riverwalk, City West Business Campus, Dublin 24, Ireland) to register for the newsletter and to send you information. With the help of Marketo, we also collect statistical data on the use of our website, communication measures and webinars in order to optimise our offer accordingly and to conduct e-mail marketing and sales activities. In doing so, the processing is partly automated with the aim of evaluating certain personal aspects (profiling). Marketo collects your IP address and uses cookies to track and analyse the use of the website in order to provide information specifically tailored to the user's interests. For more information about cookies, please see "7. Cookies".

On our behalf, Marketo uses this information to evaluate the use of the website by registered persons and to compile reports on website activity. You can prevent the storage of cookies by setting your browser accordingly. However, browser settings made by you may mean that you are unable to use all the functions of our online offer.

Marketo is hosted on Equinix servers in London. Due to the location of the headquarters of Adobe and Equinix in the USA, the transfer of your personal data to Adobe may constitute a third country transfer. A third country transfer is a transfer of personal data to a destination in a country that is neither in the European Union nor in the European Economic Area. Adobe Inc. is certified under the DPF so that an adequate level of data protection is ensured.

The legal basis for the processing of your personal data in the context of the use of Marketo is your consent pursuant to Art. 6 I lit. a GDPR. Information on your right of withdrawal can be found under point 2.8 "Right of withdrawal (Art. 7 GDPR)" in this privacy policy.

Further information about Adobe and Marketo can be found at:
Adobe Privacy Center

8.10.4 Customer Mailings

Konica Minolta offers mailings to customers and interested parties on a consent-based approach. The only mandatory data for receiving the mailings is your e-mail address. The provision of further, separately marked data is voluntary and will be used to address you personally. Registration for the newsletter takes place by means of the so-called double opt-in procedure. This means that after your registration, we will send you an e-mail to the e-mail address you provided, in which we ask you to confirm that you wish to receive the information. If you do not confirm your registration by clicking on the link provided in the e-mail, the link sent to you will be deactivated and your data will be deleted. If you agree to receive information, you will have access to the following information:

• News and information about Konica Minolta's product portfolio
• Exclusive invitations to events, trade fairs and webinars
• Sending of testimonials and success stories
• Market trends in the form of studies, market research and white papers
• Possibility of taking part in customer satisfaction surveys

As part of the double opt-in process carried out during registration, we store the IP addresses you use for a period of 30 days as well as the times of registration and confirmation. Based on your consent, we will evaluate your user behavior on our websites as well as within the newsletters which we send out and assign them to your e-mail address / user profile within our database. In addition, we store information about the browser you use and the settings made in your operating system as well as information about your Internet connection with which you have accessed our website. Via the newsletter sent to you, we receive, among other things, receipt and read confirmations as well as information about the links you have clicked on in our newsletter. We also store which areas you have visited on our website and in our apps. By creating a personal user profile, we want to tailor our advertising approach to your interests and optimize our offers on our website for you.

Our newsletter contains information and news from Konica Minolta Business Solutions Europe GmbH and other affiliated group companies (Konica Minolta Business Solutions Deutschland GmbH, Konica Minolta Business Solutions Austria GmbH, Konica Minolta Business Solutions (Belgium) N.V., Konica Minolta Business Solutions Nederland B.V., Konica Minolta Business Solutions Spain S.A., Konica Minolta Business Solutions Italia S.p.A., Konica Minolta Business Solutions Portugal, Unipessoal Lda., NEA RENT - ALUGUER E COMÉRCIO DE EQUIPAMENTOS S.A., Konica Minolta Business Solutions Sweden AB, Konica Minolta Business Solutions Denmark A/S, Next Agenda ApS, Konica Minolta Business Solutions Finland Oy, Konica Minolta Business Solutions Norway AS, Konica Minolta Business Solutions Czech spol. s r.o., Konica Minolta Business Solutions Bulgaria EOOD, WEBCOM Poland Sp. z o.o., Konica Minolta Hungary Business Solutions Ltd., Konica Minolta Business Solutions SE Ltd, Konica Minolta Croatia - business solutions, Ltd, Konica Minolta Poslovna Rjesenja BH d.o.o., Konica Minolta Business Solutions Polska Sp.z o.o., Konica Minolta Slovakia spol. s r.o., Konica Minolta Business Solutions Romania s.r.l., Konica Minolta Business Solutions Slovenija, poslovne resitve, d.o.o., Konica Minolta Baltia, UAB, Konica Minolta Business Solutions Greece S.A., Konica Minolta Marketing Services Limited, Konica Minolta Marketing Services Ireland Limited, Konica Minolta Marketing Services B.V., Charterhouse Print Management AG, Charterhouse AB, Indicia Group Limited, Hamsard 3099 Limited, Evolving Media Limited, Indicia Limited, Indicia Edinburgh Limited, Konica Minolta Business Solutions France S.A.S., Conibi S.A.S, Dactyl Buro du Centre S.A.S., OMR Impressions S.A.S., Konica Minolta Business Solutions (UK) Ltd., Konica Minolta Business Solutions East Ltd., KONICA MINOLTA Business Solutions (Northern Scotland) Ltd, Capture Imaging Ltd, ProcessFlows Holdings Ltd, ProcessFlows (UK) Ltd, Software Paradise Ltd, Digital Document Solutions Ltd, Konica Minolta Business Solutions (Ideal) Ltd., Konica Minolta Printing Solutions (UK) Ltd., Konica Minolta Business Solutions (Wales) Ltd., Konica Minolta Sensing Europe B.V., Mobotix AG).

The legal basis for the processing of your personal data for the above-mentioned purposes is your consent pursuant to Art. 6 I lit. a GDPR. Your consent can be withdrawn at any time without giving reasons. You can revoke your consent
here or you can send an email to the contact details given in the imprint. The withdrawal of your consent does not affect the lawfulness of the processing carried out on the basis of the consent until the withdrawal. For more information about your right of withdrawal, please see point 2.8 "Right of withdrawal (Art. 7 GDPR)" in this privacy policy.

8.10.5 Webinars

Konica Minolta uses Marketo Interactive Webinars to offer webinars and other online events to our customers and other interested parties.

The following data is required for registration:

• First Name
• Last Name
• Email Address
• Country

This data is necessary to be able to provide you with the webinar you have registered for. In addition, the duration of participation in our webinars is stored and analysed. If surveys are conducted as part of our webinars, these responses are also stored and processed. The number of downloads of files and web links clicked on during the webinar is also processed. We use this data to evaluate our webinars and to optimise our services.

The legal basis for the processing of your personal data for the above-mentioned purposes is your consent pursuant to Art. 6 I lit. a GDPR. Your consent can be withdrawn at any time without giving reasons. The withdrawal of your consent does not affect the lawfulness of the processing carried out on the basis of the consent until the withdrawal. For more information about your right of withdrawal, please see point 2.8 "Right of withdrawal (Art. 7 GDPR)" in this privacy policy. For further information on Marketo, please see section “8.10.3 Marketo”.

8.10.6 Processing activity – Spam avoidance / Google reCAPTCHA

We integrate the Google reCAPTCHA service on our website. This service is operated by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (hereinafter: Google). Google reCAPTCHA is used to differentiate between manual input by a natural person and abusive and automated input by programs / bots in form fields in order to avoid spam or similar. As part of providing the functionality of the service and in particular the verification process of Google reCAPTCHA, your IP address and possibly other hardware and software information required by Google, such as the version of the browser used, are transmitted to Google.

Due to the localisation of Googles headquarters, the transfer of your personal data to Google may constitute a third country transfer to the USA. Google LLC is certified under the DPF so that an adequate level of data protection is ensured.

The legal basis for the processing of your personal data in the context of the use of Google reCAPTCHA represents our legitimate interest in accordance with Art. 6 I lit. f GDPR. Our legitimate interest is to ensure the security and therefore the functionality of our website, especially by preventing spam and abuse.

Your personal data will not be stored by us as the controller.

Further information regarding the processing by Google can be found in the privacy policy of Google:
https://policies.google.com/privacy?hl=en

8.11 Processing activity – Application at Konica Minolta

8.11.1 Review of your application

We process the personal data provided in your application for the purpose of reviewing your application and determining your suitability for the advertised position. We may use specialized service providers to review your application. Suitable applications for a position will be passed on by the human resources department to the respective specialist department or national company for further examination. In order to comprehensively assess your application, we always need your CV as well as certificates or corresponding evidence. When entering your data, the following fields are mandatory: Name, first name, e-mail address, address, salary expectations and period of notice. It is also necessary that you include at least one attachment. Further details, such as a video or a photo, are voluntary.

In addition, our applicant portal offers you the following options:

• Application: Here you will find an overview of your applications to Konica Minolta. By clicking on the individual application, you can view the details. If you are asked by us via e-mail to submit missing documents, you can upload them here. You also have the possibility to withdraw your application.
• Appointments: As soon as we have sent you an appointment proposal by e-mail, you can view it in the "Appointments" section and confirm or reject it. If you are unable to keep an appointment, you will receive a new suggestion from us.
• Profile: You can edit and update your data at any time. You can also delete your data at any time by logging in and clicking on "Delete user" or by contacting us. Any changes will be automatically forwarded to us.

We delete your application details six months after the end of the application process in accordance with § 61b I of the German Labour Courts Act (ArbGG) in conjunction with § 15 of the German General Act on Equal Treatment (AGG). The application process ends after a final status has been set for the individual application (Rejection | Hiring) and you are no longer active in the applicant portal. If you request us to delete your data before this, please note that we reserve the right to retain your data for three months until the end of the deadline for a possible legal action against the selection decision for the purpose of providing evidence of our selection decision regarding your application.

This processing of personal data takes place on the basis of Art. 6 I lit. b GDPR, § 26 of the new Federal Data Protection Act (BDSG-neu).

If you are under 18 years of age, we require the consent of your legal guardians in order to conclude a contract with you.

8.11.2 Shared applicant portal

For the above-mentioned period, we store your application data in our applicant portal. The companies Konica Minolta Business Solutions Deutschland GmbH and Konica Minolta Business Solutions Europe GmbH have access to this portal.

This enables us to compare your qualification profile with other positions and to draw your attention to other suitable positions. Access can be particularly useful if you have applied for a position that is available in the same or similar form in the above-mentioned companies or if you live in a border region. If you have applied for a transnational position, the respective countries may be involved in the selection process.

The processing of your application documents is basically based on § 26 BDSG and in case you have applied for a transnational position, the processing of your application documents is carried out by the respective countries on the legal basis of your consent according to Art. 6 I lit. a GDPR. Information on your right of withdrawal can be found under point 2.8 "Right of withdrawal (Art. 7 GDPR)" in this privacy policy. Please note that if your consent is withdrawn, we can no longer consider your application for transnational positions.

Your rights are protected by internal contractual regulations that guarantee a high standard of data protection.

8.11.3 Applications from apprentices, students and school interns

We gladly accept applications from you as apprentices, students and school interns. We also treat these applications according to the above-mentioned principles.

8.12 Processing activity – Social networks on our website

On our website, we offer you the possibility to share or recommend individual content with your contacts or your network on social platforms or simply to access our page in the corresponding social network (Instagram, Xing, LinkedIn and YouTube). For the above-mentioned purposes, the common buttons of the respective social networks are available. By simply visiting our website, no personal data is initially transmitted to the providers of the social networks. Only when you yourself become active and click on one of the corresponding buttons of the social networks to share or recommend content, data such as your IP address, the date and time of the click and the address of the website on which you are currently located will be transmitted, if applicable. If you are simultaneously logged in to the corresponding social network at the time you click on a social network button on our website, the social network will automatically assign your page view to your profile. Even if you use the button of the social network in order to recommend content from this website, the social network can still associate this information with your profile. If you do not want the social network to associate your visit to our website with your profile, please log out of the social network before clicking on the button of the respective social network.

Furthermore, please note that your data will also be transferred to the respective social network provider if you do not have an account on the social network or are simply not logged in and still click on one of the corresponding buttons of the social networks on our website. In this case, your data can be used by the social networks to create usage profiles and subsequently for the purposes of advertising, market research or the demand-oriented design of the own website. You can object to this type of processing in accordance with Art. 21 GDPR. To exercise this right, however, you need to contact the respective provider of the social network.

You will find information on the individual objection possibilities of the individual providers of the social networks under section “Possibilities of objection in social networks" in this privacy policy.

You should also take into account that due to the localization of Instagram, LinkedIn, Xing and YouTube when your personal data is transferred to the provider of the respective social network, a transfer to a third country, i.e. a transfer of personal data to a destination that is neither in the European Union nor in the European Economic Area, such as the USA, may occur.

Furthermore, we would like to point out that we ourselves do not collect any personal data that is transferred to the respective social network by clicking on one of the corresponding buttons.

By clicking on the respective button of a social network on our website, you give your consent in accordance with Art. 6 I lit. a GDPR for your browser to establish a connection to the servers of the corresponding social network and for the aforementioned data to be transmitted. Information on your right of withdrawal can be found under point 2.8 "Right of withdrawal (Art. 7 GDPR)" in this privacy policy.

8.13 Processing activity – Online presence in social networks

Within social networks, we, as the provider of the website, use the offers of online platforms to inform active users about information offers and services from Konica Minolta and, if interested, to communicate directly via the platforms. The social media channels thus complement our own website presence and offer interested parties who prefer this type of information an alternative means of communication. We are currently represented in the following networks with our own online profiles:

• Instagram:
  https://www.instagram.com/konicaminoltaeu
• Xing:
  Konica Minolta Business Solutions Europe GmbH: Informationen und Neuigkeiten | XING
• LinkedIn:
  https://de.linkedin.com/company/konica-minolta-business-solutions-europe-gmbh
• Youtube:
  Konica Minolta Business Solutions Europe GmbH - YouTube

As soon as you access the respective Konica Minolta profiles on the corresponding social network in your network, the terms and conditions and data processing guidelines of the respective providers apply.

We have no influence on the data collection and its further use by the social networks. Thus, we only know that your data will be processed for market research and advertising purposes and that usage profiles will be created from your usage behavior and the resulting interests. Furthermore, advertising can also be placed to this effect on the basis of supposed interests. For this purpose, cookies are usually stored on your end device.

We therefore expressly draw your attention to the fact that the personal data of users (e.g. the IP address) is stored by the providers of the networks in accordance with their data usage guidelines and used for business purposes. We would also like to point out that your data may be processed outside the European Union or the European Economic Area.

We process the data of users in Konica Minolta's presences on the corresponding social networks only insofar as they contact and communicate with us via comments or direct messages. You can assert your rights as a data subject both against us (see also point 2 "What are my rights as a data subject?") and against the provider of the social network. You can find information on the processing of your personal data by the individual social network providers as well as the options for objecting to this under section "Possibilities of objection in social networks" of this Privacy Policy.

The processing of users' personal data is based on our legitimate interests in effective information of users and communication with users in accordance with Art. 6 I lit. f GDPR. If you are asked by the respective providers to give your consent to data processing (i.e. declare your consent, e.g. by ticking a check box or confirming a button), the legal basis for processing is Art. 6 I lit. a GDPR, i.e. your consent.

Possibilities of objection in social networks

For a detailed presentation of the respective processing and the possibilities of objection (opt-out), we refer to the following linked information of the providers.

Information on the individual providers of the social networks:

LinkedIn (LinkedIn Ireland Unlimited Company Wilton Place, Dublin 2, Irland)

• Privacy Policy:
  https://www.linkedin.com/legal/privacy-policy
• Opt-Out:
  https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out

Xing (XING AG, Dammtorstraße 29-32, 20354 Hamburg, Deutschland)

• Privacy Policy / Opt-Out:
  https://privacy.xing.com/de/datenschutzerklaerung

In addition, European marketing providers offer a new possibility of objection under the following link:
http://www.youronlinechoices.com/. This is an initiative to educate about online advertising. In the preference management section
http://www.youronlinechoices.com/de/praferenzmanagement/ you will find an overview of providers whose online advertising can be deactivated or activated there. Also, in the case of access requests and the assertion of further rights of data subjects, we would like to point out that these can most effectively be asserted with the providers. Only the providers have access to the personal data of the users and can directly take appropriate measures and provide information. Should you nevertheless require assistance, you can contact us.

8.14 Processing activity – Youtube

On our websites we have integrated YouTube videos. These are stored at www.youtube.com but can be played directly from our website. YouTube is a platform of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (hereinafter: Google). We have activated the enhanced privacy mode when embedding the videos on our website. This means that no information about you will be sent to YouTube if you do not play the videos. However, when you play videos, data is transferred to YouTube. First, YouTube is notified that you have visited the appropriate subpage of our website where the video is embedded. In addition, other data may be transferred to YouTube that we are not aware of. We also have no influence on the data transfer. If you are registered on YouTube, the transferred data is directly associated with your account. YouTube stores your data as usage profiles and uses them for the purpose of advertising, market research and/or the needs-based design of the website. Such an evaluation can be carried out in particular (even for users who are not logged in) for the purpose of providing need-based advertising. You have the right to object to the creation of usage profiles by YouTube in accordance with Art. 21 GDPR, which you must assert directly with YouTube.

Due to the localisation of Google, the transfer of your personal data to Google may constitute a third country transfer. Due to the localisation of Googles headquarters, the transfer of your personal data to Google may constitute a third country transfer to the USA. Google LLC is certified under the DPF so that an adequate level of data protection is ensured.

The legal basis for the processing of your personal data in the context of the use of YouTube is your consent pursuant to Art. 6 I lit. a GDPR. Information on your right of withdrawal can be found under point 2.8 "Right of withdrawal (Art. 7 GDPR)" in this privacy policy.

Further information on data protection at Google can be found at the following address:
www.google.com/intl/en/policies/privacy/

8.15 Processing activity – Localisation of business partners / Google Maps

We integrate the Google Maps service on our website. This service is operated by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (hereinafter: Google). Google Maps is a digital map service that enables us to integrate interactive maps on our website in order to give you an overview of our locations and to offer you the possibility of planning your route.

When you visit a sub-page on which Google Maps is integrated, your personal data, such as your IP address, is transferred to Google. Further information on the subject of cookies can be found under "7. Cookies". If you have a user account at Google to which you are logged in at the time of visiting the corresponding sub-page, the data transmitted to Google will be directly assigned to your user account. If you do not wish to be assigned in this way, you must log out of your Google user account before visiting the relevant sub-page. However, your personal data will also be processed by Google if you are not logged in to a Google user account, and Google will use the transmitted data to create usage profiles for the purposes of tailored advertising and market research. You can object to this type of processing by Google at any time by asserting your right of objection to Google in accordance with Art. 21 GDPR.

Due to the localisation of Google, the transfer of your personal data to Google may constitute a third country transfer. A third country transfer is a transfer of personal data to a destination in a country that is neither in the European Union nor in the European Economic Area. Google LLC is certified under the DPF so that an adequate level of data protection is ensured.

The legal basis for the processing of your personal data in the context of the use of Google Maps is your consent pursuant to Art. 6 I lit. a GDPR. Information on your right of withdrawal can be found under point 2.8 "Right of withdrawal (Art. 7 GDPR)" in this privacy policy.

Your personal data will not be stored by us as the controller.

Further information on data protection at Google can be found at the following address:
https://policies.google.com/privacy?hl=en