Privacy Statement

Information on data processing within the scope of netinform

The protection of personal data is very important to us. Transparency of data processing is one of the key principles of the GDPR. The information below provides an overview of the processing of your personal data and your rights under the GDPR.

1. Who is responsible for data processing, and who can I contact in this respect?

The responsible legal entity (controller) is: TÜV SÜD Industrie Service GmbH Westendstr. 199, 80686 München 089 / 5791 - 0 Please send any written communication by regular mail to our Data Protection Officer at the above address, adding "For the attention of the Data Protection Officer” or email to email address:

2. What kind of data do we use?

The data categories processed by us were • collected by us directly from you (e.g. within the scope of contracts or by post, telephone, or email communication) and may be processed by us for the agreed purposes. This concerns in particular (but not exclusively) the following categories of personal data: • Personal details and contact details (e.g. last name, first name(s), address, phone number, email address) • Company name and address • Registration data • IP address

3. For which purposes do we process your personal data, and on what legal basis?

We process your personal data in compliance with the GDPR and local data protection requirements (e.g. BDSG-Neu) as well as all other relevant legal regulations. a. For the performance of a contract (Art. 6 (1) lit. b GDPR) We process data to provide services within performance of our contracts concluded with our clients, or to perform requested pre-contractual measures. The purposes of data processing primarily depend on the specific service. For further details on the purposes of data processes, see the relevant contract documentation and our General Terms and Conditions of Business.

4. Who will have access to my data?

Your data will be transferred and/or made available to the employees and organizational units that require these data to fulfill our contractual, pre-contractual, and legal obligations or which absolutely need these data for our legitimate interests. We will only transfer your data to external third parties for specific purposes, in particular • In the context of performance of contractually agreed measures and activities; • On the basis of our legitimate interests or the legitimate interests of third parties; • In compliance with legal requirements which place us under the obligation to disclose data; • To external service providers which act as processors on our behalf (e.g. IT service providers, application providers, hotlines, data destruction and disposal specialists, courier services, procurement, marketing, accounting, financial auditors, credit institutions)

5. Are data transferred to third countries?

Data processing generally only takes place in Member States of the European Union or the European Economic Area. Data transfer to “third countries” will only take place if you expressly request same within the scope of a contract or a pre-contractual measure, or if such transfer is necessary (e.g. if a contractual partner is headquartered in a third country), if required by law (e.g. reporting duty under tax law), or if you have given us your consent. Should transfer to a third country be necessary, we require data protection measures suitable for the contract, so that you receive a comparable level of protection of your personal data in the third country.

6. For how long will my data be stored?

We will process and store your personal data for as long as is necessary to fulfil our contractual and legal obligations. Important in this context is that storage periods vary depending on the purpose of data processing. • Compliance with retention duties under commercial and tax law: Examples in this context include the German Commercial Code (Handelsgesetzbuch, HGB) and the Tax Code (Abgabenordnung, AO). They define document retention and/or documentation periods of up to ten years. • Retention of evidence in line with the legal statutes of limitation. According to Sections 195 et seq. of the German Civil Code (Bürgerliches Gesetzbuch, BGB), limitation periods can be up to 30 years. However, the regular period of limitation is three years. All data that are no longer needed for compliance with contractual or legal obligations will be deleted or anonymized at regular intervals.

7. What are my rights regarding the protection of my personal data?

All data subjects have the right of access and information under Art. 15 GDPR, the right to rectification under Art. 16 GDPR, the right to deletion under Art. 17 GDPR, the right to restriction of processing under Art. 18 GDPR, the right to object under Art 21 GDPR, and the right to data portability under Art 20 GDPR. In addition to the above, you have the right to file a complaint with the competent supervisory authority. You also have the right to contact the competent Data Protection Officer (DPO) at any time. You have the right at any time to withdraw your consent to the processing of your personal data provided to us. Please note that such withdrawal will only affect processing in the future. It does not affect data processing that took place before the withdrawal of your consent.

8. Do I have to provide personal data?

Within the scope of our business relationship, you need to provide the personal data which are required to start and carry out a business relationship and to fulfill our associated contractual obligations, or which we are legally required to collect. Without these data, we will generally not be able to conclude or execute our contract with you.