1. Controller for Data Processing

We have not appointed a Data Protection Officer and are not obliged to appoint one.

2. Information on Processing Operations

We indicate the respective legal basis for individual processing operations. If we intend to transfer data to third countries outside the European Union (EU) or the European Economic Area (EEA), this will also be indicated.

3. Data Subject Rights

As a data subject, you have the following rights:

• pursuant to Art. 15 GDPR, you may request information about your personal data processed by us; furthermore, you may request information regarding the purposes of processing, the categories of personal data processed, the recipients or categories of recipients to whom your data have been or will be disclosed, the planned retention period or the criteria for determining the retention period, the origin of your data if they were not collected from you, the existence of automated decision-making including profiling and, where applicable, meaningful information about the details thereof such as logic, significance and envisaged consequences, the existence of a right to rectification or erasure of the data concerning you, the right to restriction of processing or to object to such processing, the existence of a right to lodge a complaint with the supervisory authority; finally, you have the right to be informed whether personal data have been transferred to a third country or to an international organisation and — if so — about the appropriate safeguards in connection with the transfer;
• pursuant to Art. 16 GDPR, you may request the immediate rectification of inaccurate or the completion of your personal data stored by us;
• pursuant to Art. 17 GDPR, you may request the erasure of your personal data stored by us, to the extent that the processing is not necessary for exercising the right of freedom of expression and information, for compliance with a legal obligation, for reasons of public interest or for the establishment, exercise or defence of legal claims;
• pursuant to Art. 18 GDPR, you may request the restriction of the processing of your personal data, to the extent that the accuracy of the data is contested by you, the processing is unlawful but you object to its erasure and we no longer require the data, you require the data which we no longer need for the establishment, exercise or defence of legal claims or you have lodged an objection to processing pursuant to Art. 21 GDPR but it has not yet been established whether our legitimate grounds for processing override your interests;
• pursuant to Art. 20 GDPR, you may request the transfer of your personal data that you have provided to us in a structured, commonly used and machine-readable format or the transmission to another controller;
• pursuant to Art. 21 GDPR, you may object to the processing of your personal data, to the extent that there are grounds for this arising from your particular situation or the objection is directed against direct marketing and the legal basis for the processing of the personal data is legitimate interests pursuant to Art. 6 para. 1 sentence 1 lit. f GDPR;
• pursuant to Art. 7 para. 3 GDPR, you may withdraw any consent you have given to us at any time. This has the consequence that we may no longer continue the data processing that was based on this consent for the future;
• pursuant to Art. 77 GDPR, you may lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, your place of work or the place of the alleged infringement.

If you wish to exercise the aforementioned data subject rights, you may contact us at any time using the contact details provided above.

4. Erasure and Restriction of Personal Data

Unless otherwise provided for individual cases in this Privacy Policy, personal data will be erased if they are no longer necessary for the purposes for which they were collected or otherwise processed and if there are no longer any statutory retention obligations.

We erase the personal data we process at the request of the data subject under the conditions of Art. 17 GDPR. Personal data that are required for other lawfully permissible purposes will not be erased. This applies, for example, to personal data that are required for the pursuit of any claims to which we may be entitled or that we must retain for commercial or tax law reasons. Documents are thus retained for 6 years pursuant to § 257 para. 1 nos. 2 and 3 HGB and § 147 para. 1 nos. 2, 3, 5 AO, and for 10 years pursuant to § 257 para. 1 nos. 1 and 4 HGB and § 147 para. 1 nos. 1, 4, 4a AO.

The processing of such data will be restricted pursuant to Art. 18 GDPR and the data will not be processed for other purposes.

5. Cookies

We use cookies as part of our services. Cookies are small text files that your browser automatically creates and stores on your end device (laptop, tablet, smartphone, PC, or similar) when you visit our site. Cookies do not cause any damage to your end device and do not contain any viruses or other malicious software. A cookie stores information relating to the specific end device used. This does not, however, mean that we thereby obtain immediate knowledge of your identity. Cookies serve primarily to make the internet offering more user-friendly, effective and secure.

Our internet offering creates a cookie banner and an overview of the cookies we use for our service. You can view this overview at [please insert link]. If you consent or decline via the form displayed in the cookie banner, you are deciding whether additional cookies may be set on your end device by our internet offering beyond the technically necessary cookies. For the additional cookies, the name of each cookie, the purpose it is intended to serve, any third-party access to the cookie and the functional duration are stated, as well as after what period a cookie will be deleted. Session cookies are deleted after the end of your respective use of our service or after the browser session ends.

We store the date, time and scope of the declarations of consent you have given for one year in a separate cookie on your end device. From this cookie stored in your browser or end device, our website can read on subsequent visits which cookies we are permitted to set or use. You may amend or withdraw the declarations of consent you have given at any time at [please insert link]. Alternatively, you can also delete the cookies set by our internet offering in your end device or browser. In that case, however, you will be asked again to give your consent when you next visit our internet offering.

This technology enables us to allow you to lawfully consent to or decline the use of cookies for our internet offering. It is not possible to use our internet offering with full functionality without making this declaration. The legal basis for the processing of your personal data is our legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR in providing an efficient and attractive internet offering, as well as our legal obligation pursuant to Art. 6 para. 1 lit. c GDPR to inform you as a user of our internet offering about the use of cookies and to obtain your consent if we use cookies that are not necessary for our internet offering.

6. Consent to the Transfer of Personal Data to the USA and Other Third Countries

If we ask for your consent pursuant to Art. 49 para. 1 lit. a GDPR as the legal basis for data transfers to the USA and/or other third countries, the following conditions apply to such consent:

Your personal data may be transferred to a country or an international organisation outside the European Union (EU) or the European Economic Area (EEA). Personal data are transferred, subject to statutory or contractual permissions, in accordance with the requirements of Article 44 et seq. GDPR. This means that an adequacy decision of the EU Commission pursuant to Art. 45 GDPR exists for the country in question, appropriate safeguards for data protection pursuant to Art. 46 GDPR or binding corporate rules pursuant to Art. 47 GDPR are in place in order to ensure an adequate level of data protection. Further information is contained in the explanations of the individual processing operations in this Privacy Policy.

The adequacy decision of the EU Commission for the USA requires, for an adequate level of data protection, that the recipients are certified under the EU-US Data Privacy Framework when personal data are transferred to the USA. Nevertheless, there is a risk in the USA that authorities may access your data without you being informed and without you being able to take legal action against this.

For some countries, no adequacy decision of the EU Commission pursuant to Art. 45 GDPR exists, and it may also not be possible to establish an adequate level of data protection corresponding to that in the European Union through either appropriate safeguards pursuant to Art. 46 GDPR or binding corporate rules pursuant to Art. 47 GDPR. There is a risk that these third countries may not offer an adequate level of protection. There may be no supervisory authority and/or no data processing principles in these third countries and/or you as the data subject may not have data protection rights in the third country. You may therefore not have adequate legal remedies available to you in the event of violations of your rights in these countries.

1. Hosting

We use the services of a hosting provider, such as web servers, storage, database services, security services and maintenance services, to provide our offering. In this context, we, or our hosting provider on our behalf, process personal data of users on the basis of our legitimate interests pursuant to Art. 6 para. 1 lit. f GDPR in order to provide our offering efficiently and securely. Our legitimate interest arises from the purposes of data collection described below.

Our hosting provider is

We have concluded a data processing agreement with Hetzner Online GmbH.

In addition to the information you may have provided yourself, when you access our internet offering or individual pages, information is automatically sent to the server of our internet offering by the browser on your end device. The following information is stored in log files:

• IP address of the requesting computer
• Date and time of access
• Name and URL of the retrieved file
• Website from which access is made (referrer URL)
• Browser used and, where applicable, the operating system of your computer
• Status codes and volume of data transferred
• Type of end device used
• Name of your access provider

These data are processed for the following purposes:

• Provision of the internet offering including all functions and content
• Ensuring a smooth connection to the website
• Ensuring comfortable use of our website
• Ensuring system security and stability
• Anonymised statistical analysis of access
• Optimisation of the website
• Transfer to law enforcement authorities in the event of an unlawful intrusion/attack on our systems
• Other administrative purposes

These data are deleted after six months, unless they are no longer required for other purposes (for example, the defence or assertion of claims).

We use a specialised service provider to send emails and SMS from the BKF App. For this purpose, we transmit your data on the basis of our legitimate interests pursuant to Art. 6 para. 1 sentence 1 lit. f GDPR in the secure and efficient management of our company and the processing of our customers' orders to an external provider who provides these services on our behalf.

2. Registration / User Account

In order for us to create a user account for you for our service, the following data must be provided:

• Last name, first name
• Company address
• Mobile phone number
• Email address

If you are creating the user account for your personal use of our training courses, the following applies:

Registration is voluntary and is carried out pursuant to Art. 6 para. 1 sentence 1 lit. b GDPR on the basis of your consent so that we can provide our services. Your data will be used for the purposes of our offering and for contact regarding offer- and registration-relevant information. Via a personal user access, you can view and change your data. Your data will be stored until you delete the user account or instruct us to delete your data. If we are required to store your personal data due to statutory obligations, in particular tax and commercial law obligations, the processing of your personal data will be restricted accordingly until the retention periods expire. Your data will then be deleted.

If you are creating a user account with us in order to (i) use our training courses as an employee of a company or organisation that has booked them for you, or (ii) if a company or organisation has provided us with your email address in order to invite you to use our training courses, or (iii) to manage the use of our training courses by your company or organisation as an employee, the following applies:

Registration is carried out on behalf of the company or organisation for which you work. We provide our corporate clients with access to our training courses for employees and the management of such access as a service provider, and we require our corporate clients to comply with data protection regulations. The respective company or organisation is responsible for the transfer of employee data to us. If you have questions about the transfer of your data by a company or organisation to us, please contact the company or organisation by which you are employed.

Your data will be used for the purposes of our offering and for contact regarding offer- and registration-relevant information. Via a personal user access, you can view and change your data. Your data will be stored until the company or organisation by which you are employed deletes the user account or instructs us to delete your data. If we are required to store your personal data due to statutory obligations, in particular tax and commercial law obligations, the processing of your personal data will be restricted accordingly until the retention periods expire. Your data will then be deleted.

When you register for our offering or use the user account, we store the IP address and the time of the respective usage action. Storage is carried out on the basis of our and your legitimate interests pursuant to Art. 6 para. 1 sentence 1 lit. f GDPR in the provision of our offering and protection against misuse and other unauthorised use. The user account and the data stored in this context also serve in particular to facilitate the booking of our courses and the use of the BKF App and to access your usage history. In principle, these data will not be passed on to third parties, unless this is necessary for the fulfilment of contractual obligations pursuant to Art. 6 para. 1 lit. b GDPR or for the pursuit of any claims to which we may be entitled, or there is a statutory obligation to do so pursuant to Art. 6 para. 1 lit. c GDPR. IP addresses are anonymised or deleted no later than after 7 days.

3. Data Processing for Continuing Education under the Professional Drivers Qualification Act

In order to participate as a driver in our training courses that qualify as instruction for continuing education within the meaning of § 5 BKrFQG, you must provide the following data in addition to the data mentioned in clause 2:

• Birth name and family name, first names
• Home address
• Date and place of birth
• Academic title
• Gender
• Serial number of the currently valid driver qualification card, if one has already been issued

The collection of these data is necessary for compliance with our statutory obligations. If you do not provide these data, you cannot participate in training courses that qualify as instruction for continuing education within the meaning of § 5 BKrFQG.

When you have completed a training course with us that qualifies as instruction for continuing education within the meaning of § 5 BKrFQG, the data you have provided will be transmitted together with the following information to the Federal Motor Transport Authority (Kraftfahrt-Bundesamt) for storage in the professional driver qualification register:

• Name and address of our company as a training institution as well as information on the approval and supervisory authority responsible for us and the reference number of our approval notice
• Period and type of instruction as well as the duration of actual participation in the instruction, broken down by type of instruction
• Information on the sub-knowledge areas covered pursuant to Annex 1 of the Professional Drivers Qualification Ordinance as well as on other completed special measures within the meaning of § 12 no. 4 BKrFQG, namely the subject area of the measure (transport of dangerous goods or transport of animals), the period of validity of the qualification acquired through the measure and the body that notified the completion of the measure

The legal basis for data processing for the transmission of your data to the Federal Motor Transport Authority is the fulfilment of our statutory obligations in conducting the training courses as a recognised training institution pursuant to §§ 19 in conjunction with 14 no. 4 BKrFQG in conjunction with Art. 6 para. 1 sentence 1 lit. c GDPR.

If you book our training courses in your own name, the legal basis for the processing of data in the conduct of our training courses is furthermore the performance of our contract with you pursuant to Art. 6 para. 1 sentence 1 lit. b GDPR. Data will be passed on to third parties insofar as this is necessary for the performance of pre-contractual measures and contractual obligations pursuant to Art. 6 para. 1 lit. b GDPR, e.g. to banks, payment service providers, credit card companies for the processing of payment and to postal service providers for the dispatch of documents.

If our training courses are booked for you by a company or organisation for which you work, our training courses are conducted on behalf of your company or organisation. If you have questions about the transfer of your data by a company or organisation to us for the conduct of our training courses, please contact your company or organisation.

4. Contract Data in the Conduct of Our Training Courses

In connection with and for the purpose of the performance of pre-contractual measures and contractual obligations for our internet offering that are carried out at your request, we process, in the conduct of our training courses, in addition to the data mentioned in clause 3, your data that we collected when creating your user account and that were entered by you, for the purpose of contract performance.

In addition to the data collected during registration and the creation of the user account, we also process and store the following further data from you when you use your user account and our training courses with us:

• Training courses used by you
• Time of the training course
• Result of identity verification
• After participation in the training course, your certificate

When you use a training course in the BKF App, we record when you began using that training course. While you use the training course, we send you numeric codes by SMS to the mobile phone number stored in your user account. You must enter these codes during the training course when prompted so that we can verify your participation. In doing so, we record during the training course whether you entered the correct codes quickly enough. On this basis, upon confirmed successful participation, we can issue you with your Certificate, which you can use to prove your participation in the training course.

Our Certificates are issued electronically and are available for download as a PDF file in your user account. In order to be able to prove to third parties that the Certificate is genuine, the Certificates contain a QR code. When this QR code is scanned with a common app, the data from the user account of the person who participated in the training course are displayed via our internet offering. If you do not agree with this, you may delete your Certificate at any time in your user account. However, you may then no longer be able to prove that you participated in the respective training course.

The data in your user account will remain stored with us for as long as you maintain a user account with us.

If you book our training courses in your own name, the legal basis for data processing in the conduct of our training courses is the performance of our contract with you pursuant to Art. 6 para. 1 sentence 1 lit. b GDPR. Data will be passed on to third parties insofar as this is necessary for the performance of pre-contractual measures and contractual obligations pursuant to Art. 6 para. 1 lit. b GDPR, e.g. to banks, payment service providers, credit card companies for the processing of payment and to postal service providers for the dispatch of documents.

If our training courses are booked for you by a company or organisation for which you work, our training courses are conducted on behalf of your company or organisation in order to perform the corresponding contract. If you have questions about the transfer of your data by a company or organisation to us for the conduct of our training courses, please contact your company or organisation.

We use a specialised service provider to send emails and SMS from the BKF App. For this purpose, we transmit your data on the basis of our legitimate interests pursuant to Art. 6 para. 1 sentence 1 lit. f GDPR in the secure and efficient management of our company and the processing of our customers' orders to an external provider who provides these services on our behalf.

5. Two-Factor Authentication

You can activate two-factor authentication in your user account for enhanced security. When you have activated two-factor authentication, you are shown a QR code which you can scan with a common smartphone authentication app. In doing so, our company name and the email address used for the user account are transmitted to the app. Please note that we have no influence whatsoever over how the providers of such apps process your personal data. With the key read from the QR code, the app you use can generate secure random numeric codes that you must additionally enter when logging in.

If you use two-factor authentication, we store this in your user account. Your data are processed pursuant to Art. 6 para. 1 sentence 1 lit. a GDPR on the basis of the consent you have given.

In any event, please store the backup code shown to you when activating two-factor authentication in a safe place. You will need this code to regain access to your user account if the device you use for two-factor authentication is not available.

1. Contact Form / Other Contact

When you contact us, we require your name and contact details by which we can reach you (for example, email address, postal address, telephone number or fax number). If you do not provide these data, we cannot process your enquiry. You may additionally provide further data on a voluntary basis.

If you use the contact form within the BKF App, we process your email address stored with us and/or further contact details and your enquiry in order to contact you personally and process your enquiry.

Your data are processed pursuant to Art. 6 para. 1 sentence 1 lit. a GDPR on the basis of the consent you have given. The purpose of the data processing is to enable you to contact us and to respond to your enquiry. Without this consent, we cannot contact you.

All personal data collected in connection with the contact will be deleted once your enquiry has been dealt with, unless it is necessary for other reasons to continue storing the data (e.g. subsequent conclusion of a contract or defence against claims asserted against us).

2. Chat (Crisp)

If you use the chat function in our offering to contact us, you must provide the subject of your enquiry and, where applicable, your name and email address and/or further contact details so that we can communicate with you and process your enquiry. We use your data to handle your matter on the basis of Art. 6 para. 1 sentence 1 lit. b GDPR, insofar as your enquiry is related to the performance of a contract concluded with you or is necessary for the implementation of pre-contractual measures. In all other cases, the processing is based on your consent pursuant to Art. 6 para. 1 sentence 1 lit. a GDPR and/or our legitimate interest in the effective processing of enquiries directed to us pursuant to Art. 6 para. 1 sentence 1 lit. f GDPR.

The chat function ("Crisp") is provided by Crisp IM SAS, Boulevard de Launay, 44100 Nantes, France. We have concluded a data processing agreement with Crisp IM SAS. We use Crisp to offer you a simple way to contact us directly.

Crisp IM SAS processes the following data on our behalf:

• Your email address
• IP address, date and time of contact
• The chat history
• Where applicable, further data that you have entered in the chat

All personal data collected via our chat function will be deleted after your enquiry has been dealt with, unless the data are required for other processes (e.g. subsequent conclusion of a contract or defence against claims asserted against us) or must continue to be stored for other reasons (e.g. due to mandatory statutory retention periods).

3. Postal Advertising

If you book and use our training courses for yourself or if you use a company account for the management of employees and we have received your data in connection with the use of our offering, we may use your data (first and last name, address, company where applicable) for postal direct marketing of goods or services offered by us or by third parties. In addition to these data, we may store further data for the stated advertising purposes that we have lawfully collected about you or the company and/or organisation for which you work. This may include, for example, your usage history or the type of training courses you have used with us or booked for employees.

The purpose of this data processing is to address you as precisely as possible with advertising that corresponds to your interests and to avoid advertising that does not interest you. The legal basis for the processing is our legitimate interest in direct marketing pursuant to Art. 6 para. 1 lit. f GDPR.

Postal advertising requires a certain lead time prior to dispatch in order to print and prepare the mailings for dispatch. If you object to postal advertising, it may exceptionally happen that you still receive advertising by post from us. This occurs when the production process for the relevant mailing was already underway when you objected. This does not mean that we are not taking your objection into account.

4. Email Direct Marketing to Customers

If you book and use our training courses for yourself or if you use a company account for the management of employees and book training courses for employees and we have received your email address in connection with the use of our offering, we may use your email address for direct marketing of our own similar goods or services. This only applies provided that you have not objected and that we clearly and explicitly draw your attention to the option of objecting both when collecting the email address and with each use. For email direct marketing, we process the following data:

• Your email address
• Your name and salutation
• Your company affiliation
• The type of services you have obtained from us
• Open and click rates captured via pixel tracking and URL tracking, IP address, date and time of access
• Date/time of email dispatch
• Recipient/subject/content of the email

The legal basis for processing is our legitimate interest in direct marketing pursuant to Art. 6 para. 1 lit. f GDPR in conjunction with § 7 para. 3 UWG.

Our email direct marketing is sent via brevo. The provider is Sendinblue GmbH, Köpenicker Str. 126, 10179 Berlin. brevo is used for the dispatch and evaluation of the reach of our emails. For this purpose, your email address and, where applicable, further data required by brevo for the provision of the service are processed on our behalf.

In this context, we process the following data:

• Your email address
• IP address, date and time of access, open and click rates captured via pixel tracking and URL tracking
• Date/time of email dispatch
• Recipient/subject/content of the email

The personal data collected may also be stored and processed on servers in the USA. These servers are operated by companies that are certified under the EU-US Data Privacy Framework, have committed to compliance with European data protection standards and thereby fulfil the EU requirements for legitimising the transfer of personal data to the USA. Brevo has also concluded standard contractual clauses with the operators in order to fulfil the EU requirements for legitimising the transfer of personal data to third countries outside the EU or the EEA.

Information on Brevo's use of standard contractual clauses can be found at https://www.brevo.com/de/legal/data-processing-addendum/ .

Further information on how Brevo handles your personal data can be found in the relevant Privacy Policy: https://www.brevo.com/de/legal/data-processing-addendum/ .

5. Collection of Customer Satisfaction with Userback

Our internet offering uses Userback to conduct surveys on the satisfaction of users of our service. The provider is Userback Pty. Ltd, 9 Aspire Street Rochedale, Queensland 4123, Australia. The controller responsible for data subjects in the European Union is Prighter EU Rep GmbH, Kriegerstraße 44, 30161 Hannover, Germany (hereinafter "Userback"). Userback collects data on the visits of users of our internet offering and analyses their behaviour. These data serve the purpose of ensuring a needs-based design and the ongoing optimisation of our internet offering, measuring the success of marketing measures and producing statistical analyses.

Userback collects, among other things:

• IP address of the requesting computer
• Date and time of access
• Cookies
• Name and URL of the retrieved file
• Website from which access is made (referrer URL)
• Browser used and, where applicable, the operating system of your computer
• Status codes and volume of data transferred
• Type of end device used
• Geographic location
• Further data that you enter in the surveys (for example, name, first name, company address, your department, professional position, contact details, etc.)

Using these data, usage profiles may be created under a pseudonym. Cookies may be used for this purpose. You can prevent the storage of cookies by adjusting your browser software settings accordingly; however, we would like to point out that in this case you may not be able to use all functions of this internet offering to their full extent.

The information and personal data collected by Userback are transferred to countries outside the European Union, namely to Userback in Australia and to Userback servers in the USA, and stored there. The servers used by Userback in the USA are operated by companies that are certified under the EU-US Data Privacy Framework, have committed to compliance with European data protection standards and thereby fulfil the EU requirements for legitimising the transfer of data.

Australia is a third country outside the European Union for which no adequacy decision of the EU Commission exists. Userback relies on standard contractual clauses pursuant to Article 46 para. 2 lit. c GDPR as an appropriate safeguard for data transfers. Information on Userback's use of standard contractual clauses can be found at https://userback.io/dpa/#fr-toc-content__heading-17 .

The legal basis for the use of Userback is your voluntarily given consent pursuant to Art. 6 para. 1 sentence 1 lit. a GDPR. The legal basis for the transfer of data to third countries, including the USA, is your likewise voluntarily given consent pursuant to Art. 49 para. 1 lit. a GDPR. The conditions set out under clause II. 6 apply to your consent to the transfer of your data to third countries outside the EU or the EEA.

1. Meta Pixel

We use the so-called "Meta Pixel" as part of our internet offering. For the processing of personal data of persons in the EU, Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland is responsible. The personal data collected may be stored on servers in third countries outside the EU or the EEA.

Meta has concluded standard contractual clauses in order to fulfil the EU requirements for legitimising the transfer of personal data to third countries outside the EU or the EEA. Information on Meta's use of standard contractual clauses can be found at https://www.facebook.com/help/566994660333381 .

Information on the self-commitment of Meta's affiliated group companies in the USA can be found at https://www.facebook.com/privacy/policies/data_privacy_framework .

The use of this technology enables Meta to assign visitors to our internet offering to specific groups (e.g. visitors to our internet offering or according to the areas of interest submitted by us to Meta, so-called "Custom Audiences") for the display of specific advertisements and thus to recognise them. This ensures that these users are shown exclusively interest-relevant advertisements, thereby avoiding the nuisance of inappropriate advertising. The use of the Meta Pixel also enables us to track and assess the effectiveness of our Meta advertisements for statistical purposes and to determine whether and how a user used our offering after clicking on the advertisement.

Further information about the Meta Pixel and its functionality can be found at https://www.facebook.com/business/help/742478679120153 .

Details of the processing of data obtained by Meta and general information about Meta advertisements can be found in Meta's Privacy Policy: https://www.facebook.com/privacy/policy .

In your Facebook account under "Settings", you also have the option of objecting to the collection of your data via the Meta Pixel and its use for the display of specific advertisements. Information on these settings can be found at https://www.facebook.com/settings?tab=ads (login required).

The legal basis for the use of the Meta Pixel is your voluntarily given consent pursuant to Art. 6 para. 1 sentence 1 lit. a GDPR. The legal basis for the transfer of data to third countries, including the USA, is your likewise voluntarily given consent pursuant to Art. 49 para. 1 lit. a GDPR. The conditions set out under clause II. 6 apply to your consent to the transfer of your data to third countries outside the EU or the EEA.

2. Hotjar

Our internet offering uses the Hotjar analytics service. The provider is Hotjar Ltd, Dragonara Business Centre 5th Floor, Dragonara Road, Paceville St Julian's STJ 3141, Malta (hereinafter "Hotjar"). Hotjar collects data on the visits of users of our internet offering and analyses their behaviour. These data serve the purpose of ensuring a needs-based design and the ongoing optimisation of our internet offering, measuring the success of marketing measures and producing statistical analyses.

Hotjar collects, among other things:

• IP address of the requesting computer
• Date and time of access
• Name and URL of the retrieved file
• Website from which access is made (referrer URL)
• Browser used and, where applicable, the operating system of your computer
• Status codes and volume of data transferred
• Type of end device used

Using these data, usage profiles may be created under a pseudonym. Cookies may be used for this purpose. You can prevent the storage of cookies by adjusting your browser software settings accordingly; however, we would like to point out that in this case you may not be able to use all functions of this internet offering to their full extent.

The information and personal data collected by Hotjar in connection with the provision of the respective service may be transferred to Hotjar servers or other recipients in countries outside the European Union, including the USA, and stored there. Hotjar and Hotjar-affiliated group companies in the USA adhere to the EU-US Data Privacy Framework and only transfer personal data to recipients in the USA if those recipients are certified under the EU-US Data Privacy Framework, have committed to compliance with European data protection standards and thereby fulfil the EU requirements for legitimising the transfer of personal data to the USA.

Information on Hotjar's use of standard contractual clauses can be found at https://contentsquare.com/privacy-center/data-processing-agreement/ .

The legal basis for the use of Hotjar is your voluntarily given consent pursuant to Art. 6 para. 1 sentence 1 lit. a GDPR. The legal basis for the transfer of data to third countries, including the USA, is your likewise voluntarily given consent pursuant to Art. 49 para. 1 lit. a GDPR. The conditions set out under clause II. 6 apply to your consent to the transfer of your data to third countries outside the EU or the EEA.

1. Google Analytics

This internet offering uses Google Analytics by Google without cookies. Google collects anonymised data on visits by users of our website and analyses their behaviour. These data serve the purpose of ensuring a needs-based design and the ongoing optimisation of our internet offering, measuring the success of marketing measures and producing statistical analyses. In this context, pseudonymised usage profiles are created. For this purpose, Google Analytics collects information including browser type/version, operating system used, referrer URL (the page previously visited), hostname of the accessing computer (IP address), time of the server request, among other things. None of this information is read from the memory of your end device or stored on your end device. The data collected about your end device in this way are encrypted by calculating a hash value using a randomly selected character string (so-called "salt"), so that the attribution to individual users is practically impossible.

You can prevent the storage of cookies by adjusting your browser or end device settings accordingly. Under certain circumstances, you may then not be able to use all functions of our offering to their full extent.

You can also prevent the collection of the data generated by the cookie and related to your use of the website by Google, and the processing of such data by Google, by downloading and installing the browser plugin available at the following link: https://tools.google.com/dlpage/gaoptout .

You can prevent data collection by Google Analytics by clicking on the following link to set an opt-out cookie: Disable Google Analytics.

This cookie has the effect that no visitor data from your browser or end device will in future be collected and stored by Google Analytics when you visit our offering. Please note: If you delete your cookies, this also results in the opt-out cookie being deleted and it may need to be set again by you.

2. Demographic Features in Google Analytics

Our offering uses the Google Analytics "demographic features" function. This allows reports to be created that contain statements about the age, gender and interests of our users. These data originate from interest-based advertising by Google and from visitor data from third-party providers. These data cannot be attributed to any specific individual.

You can disable this function at any time via the advertising settings in your Google account or object to the collection of your data by Google Analytics as described above.

3. Google Fonts

This internet offering uses external fonts from Google, so-called web fonts, for the display of typefaces. For this purpose, when the website is accessed, your browser loads the required web font into the browser cache. If your browser does not support this function, a standard font from your computer will be used to display the website. Google collects your IP address, which of our internet pages you have visited and, where applicable, further data required by Google for the provision of the web fonts. The information generated about your use of this website is stored on a server in the USA. This information may also be transferred to third parties where required by law or where third parties process these data on our or Google's behalf. The legal basis for the use of this service is our legitimate interests pursuant to Art. 6 para. 1 lit. f GDPR in optimising and marketing our internet offering effectively.

4. Google Tag Manager

This internet offering uses the Google Tag Manager for tag labelling. This service enables website tags to be managed via an interface. The Google Tag Manager only implements tags. This means: no cookies are used and no personal data are collected. The Google Tag Manager triggers other tags, which may in turn collect data. However, the Google Tag Manager does not access these data. If a deactivation has been made at the domain or cookie level, it remains in place for all tracking tags, insofar as these are implemented with the Google Tag Manager.

5. Google Ads

This website uses Google Ads by Google and, within the framework of Google Ads, conversion tracking. Google Conversion Tracking is used to track and evaluate clicks on advertisements, purchases, registrations, telephone calls, app downloads and other actions by you on our internet offering. Cookies are used for analysis and evaluation. This service collects your IP address, which of our internet pages you have visited, online identifiers (including cookie identifiers) and device identifiers, as well as, where applicable, further data required by Google for the provision of conversion tracking. This information may be transferred to third parties where required by law or where third parties process these data on our or Google's behalf. You can prevent the storage of cookies by adjusting your browser software settings accordingly.