Data Protection and Privacy Statement

Status: 24 May 2018

We, TER HELL & CO. GMBH, Börsenbrücke 2, 20457 Hamburg, Germany, are glad you've chosen to visit our website. Protecting your privacy is a high priority for us. We take the protection of your personal data very seriously, and comply strictly with the rules of data protection laws. On this website, personal data is only collected to the extent it is technologically required. Below, we will inform you about the type, scope, and purpose for collecting, processing, and using your personal data in connection with your use of our website.

Information about the collection and processing of your personal data
Care and transparency are the foundation of trustful collaboration with our customers and suppliers. This is why we will inform you about how we process your data and how you can exercise the rights that are due to you pursuant to the EU General Data Protection Regulation (GDPR). What personal data we process and for what purpose depends on the respective contractual relationship.

1. Who is responsible for data processing?
The controller is:
Company: TER HELL & CO. GMBH
Address: Börsenbrücke 2, 20457 Hamburg, Germany

represented by the CEOs: Christian Westphal, Thomas Sprock and Andreas Früh

2. How can you contact the Data Protection Officer?
You can contact our Data Protection Officer under:
Dr. Klaus zu Hoene, Data Protection Officer, intersoft consulting services AG, Beim Strohhause 17, 20097 Hamburg, Data.Protection@tergroup.com

3. What part of your personal data do we use?
We process personal data that we receive from our customers, suppliers, or other affected parties in the course of our business relationships. We also process – inasmuch as it is necessary for our business relationships – personal data that we receive from publicly available sources in a permissible manner or that is legitimately disclosed to us by other companies of the TER Group or by other third parties. We also process your personal data for reasons including the fulfillment of legal obligations, to protect a legitimate interest, or on the basis of consent that you have given.

According to the legal basis, this concerns the following categories of personal data:

- First name, last name
- Address
- Communication data (telephone number, email address)
- Date of birth
- Citizenship
- Master data of the contract, in particular the contract number, term, notice period for termination, type of contract
- Invoice information/sales information
- Information about creditworthiness
- Payment information/contact information
- Account information, in particular the registration and log-ins
- Videos or images
- Applications, resume, certificates and evidence of formal qualifications

In the course of contract initiation, we also use data that has been provided to us by third parties. According to the type of contract, this concerns the following categories of personal data:

- Information about creditworthiness (via credit agencies/credit insurers)

4. What is the source of the data?
We process personal data that we receive from our customers, suppliers, or applicants in the course of our business relationships.
We also receive personal data from the following sources:
- Credit agencies
- Internet and media
- Publicly available sources: commercial registers or registers of associations, records of debtors, land registers
- Other Group companies
- Job portals
Our websites may contain links to other websites or services that do not belong to us and are not controlled by us. This Data Protection and Privacy Statement only applies to information that is collected from our website.

5. For what purpose are we processing your data, and what is the legal basis?
We process your personal data particularly under observation of the EU General Data Protection Regulation (GDPR), as well as of all other relevant laws.

5.1 On the basis of consent that you have given (Art. 6 para. 1 a GDPR)
If you have given us your free consent to collect, process, or transfer certain personal data, this consent remains the legal basis for the processing of this data.
In the following cases, we process your personal data on the basis of your consent:
- Contact forms: Personal data is recorded by us if you voluntarily share it with us, such as if you contact us. When we ask for entries that are not necessary to contact you on our contact form, we have marked them as optional. This information helps us to add detail to your inquiry and improves our ability to carry out your request. A communication of this information explicitly occurs on a voluntary basis and with your consent. If this concerns information about communication channels (such as email address, telephone number), you also consent to having us contact you using these communication channels to answer your request.
- Sending an email newsletter
- Personalized newsletter tracking
- Market research (e.g. customer satisfaction surveys)
- Marketing and advertisement development using customer profiles
- Publication of a customer reference (name and image)
- Storage of your application data beyond 6 months
- Use of cookies to measure reach (Google Analytics)

5.2 To perform a contract (Art. 6 para. 1 b GDPR)
We use your personal data to process customer and supplier orders. Within the contractual relationship, we particularly process your data to perform the following activities:
- Contract related contact
- Order management
- Purchasing
- Delivery and billing
- Ongoing customer service and supplier relations
- Fulfillment of warranty claims
- Claims management
You can find more detailed information about the purposes for data processing in the respective contractual documents and General Terms and Conditions.

5.3 To comply with legal obligations (Art. 6 para. 1 c GDPR) or in the public interest (Art. 6 para. 1 e GDPR)
As a company, we are subject to various legal obligations. To fulfill these obligations, it may be necessary to process personal data:
- Monitoring and reporting obligations
- Creditworthiness, age, and identity checks
- Prevention of/defense against criminal actions

5.4 On the basis of a legitimate interest (Art. 6 para. 1 f GDPR)
In certain cases, we process your data to protect a legitimate interest of ourselves or of a third party.
- Central customer data administration within the Group of companies
- Measures for building and facility security
- Video monitoring to protect the right to grant or deny building access
- Consultation of and data exchange with credit agencies
- To determine creditworthiness or default risks
- To ensure IT security and IT operations
- Sending an email newsletter to existing customers
- The use of cookies that are necessary to provide our services on our homepage.

5.5 To decide whether to establish an employment relationship (Sec. 26 para. 1 p. 1 German Federal Data Protection Act)
The legal basis for processing your application data is Sec. 26 para. 1 clause 1 German Federal Data Protection Act (BDSG). Accordingly, personal data may be processed for purposes of the employment relationship, if this is necessary for the decision about whether to establish an employment relationship.

6. To whom will we disclose your data?
If necessary to fulfill our contractual and legal obligations, your personal data will be disclosed to the following public or internal bodies or external service providers.
Companies within the Group of companies:
TER HELL & CO. GMBH contains a central customer/supplier data administration that employees of the major Group companies may access. The companies of the TER HELL & CO. GMBH Group can access it at our website, www.tergroup.com.
External service providers:
- IT service providers (e.g. maintenance providers, hosting providers)
- Service providers for file and data destruction
- Printing service providers
- Telecommunication
- Payment service providers
- Consulting
- Service providers for marketing or sales
- Credit agencies
- Distributors
- Web hosting service providers
- Certified accountants
Public bodies:
We may also be obligated to disclose your personal data to other recipients, such as to the authorities, to fulfill statutory reporting obligations.
- Fiscal authorities
- Customs authorities
- Social insurance agencies

7. Will your data be transmitted to companies outside of the European Union (third party countries)?
Countries outside of the European Union (and the European Economic Area "EEA") handle the protection of personal data differently than countries in the European Union. To process your data, we also use service providers that are located in third party countries outside of the European Union. At the present time, the EU Commission has not issued a resolution that these third party countries generally offer an appropriate level of protection.
For this reason, we have taken special measures to ensure that your data is processed exactly as securely in these third party countries as it is within the European Union. With service providers in third party countries, we conclude the standard data protection clauses provided by the Commission of the European Union. These clauses stipulate appropriate guarantees for the protection of your data with service providers in third party countries.
Our service providers in the USA are also certified in accordance with the EU-US Privacy Shield agreement.
If you would like to view the present guarantees, please contact us at Data.Protection@tergroup.com.

8. How long will your data be stored?
We store your data for as long as is necessary for the fulfillment of our statutory and contractual obligations.
If it is no longer necessary to store the data for the fulfillment of contractual or legal obligations, your data will be deleted unless its continued processing is necessary for the following purposes:
- Fulfillment of corporate and tax law retention obligations. This includes retention periods pursuant to the German Commercial Code (HGB) or the German Tax Code (AO). The retention periods extend for up to 10 years.
- Retention of evidence in the context of legal statutes of limitations. According to the statutes of limitations of the German Civil Code (BGB), these periods of limitation may be up to 30 years in some cases, while the standard period of limitation is three years.
- Your application data will be deleted 6 months after the application procedure is concluded. If it is necessary to store it for a longer period, we will ask you for written consent.
- Anonymized user data that is collected by Google Analytics is deleted after 14 months.

9. What rights do you have in connection with the processing of your data?
Every affected person has the right of access pursuant to Art. 15 GDPR, the right to rectification pursuant to Art. 16 GDPR, the right to erasure pursuant to Art. 17 GDPR, the right to restriction of processing pursuant to Art. 18 GDPR, the right to object pursuant to Art. 21 GDPR, and the right to data portability pursuant to Art. 20 GDPR.

9.1 Right to Object
You can object to the use of your data for advertising purposes at any time, and no costs may arise beyond the communication costs according to base rates. In particular, you can unsubscribe from the email newsletter by clicking the provided link at the end of the newsletter.
• What rights do you have in cases when data is processed on the basis of a legitimate or public interest?
Pursuant to Art. 21 para. 1 GDPR, you have the right, for reasons resulting from your specific situation, to make an objection to the processing of your personal data that occurs on the basis of Art. 6 para. 1 e GDPR (Data processing in the public interest) or on the basis of Art. 6 para. 1 f GDPR (Data processing to protect a legitimate interest), which also applies to profiling based on one of these regulations. In the event that you object, we will no longer process your personal data unless we can prove necessary legitimate reasons for processing that outweigh your interests, rights, and freedoms, or if processing serves the assertion, exercise, or defense of legal claims.
• What rights do you have in cases of data processing to operate direct marketing?
Inasmuch as we process your personal data to operate direct marketing, you have the right pursuant to Art. 21 para. 2 GDPR to make an objection to the processing of your personal data for purposes of direct mail advertising at any time; this also applies to profiling in connection with such direct marketing. In the event that you object to processing for purposes of direct marketing, we will no longer process your data for these purposes.

9.2 Withdrawing Consent
You may withdraw your consent to the processing of your personal data at any time. Please note that this withdrawal only affects the future. In particular, you can unsubscribe from the email newsletter by clicking the provided link at the end of the newsletter. You can prevent the collection of data that relates to the use of the website (incl. your IP address) by Google Analytics and the processing of this data by Google by downloading and installing the browser plugin available under the following link: tools.google.com/dlpage/gaoptout

9.3 Right to Access
You can request confirmation as to whether we have stored personal data about you. If you request it, we will tell you for what data this is the case, for what purposes the data was processed, to whom the data was disclosed, for how long the data will be saved, and what rights you have in connection with this data.

9.4 Other Rights
You also have the right to rectification of incorrect data or deletion of your data if one of the prerequisites pursuant to Art. 17 para. 1 GDPR is present. If there is no reason for data to continue to be stored, we will delete your data; otherwise, we will restrict processing. You can also request that we provide all personal data that you have provided to us to yourself or to a person or company of your choice in a structured, common, and machine readable format.
You also have a right to complain to the responsible data protection authorities (Art. 77 GDPR).

9.5 Asserting Your Rights
To assert your rights, you can contact the controller or the Data Protection Officer under the indicated contact information, particularly at: Data.Protection@tergroup.com. We will process your inquiries immediately and in accordance with the statutory provisions and will tell you what measures we have taken.

10. Is there an obligation to provide your personal data?
To enter into a business relationship, you must give us some of your personal data that is necessary for the performance of the contractual relationship or that we must collect due to legal regulations. If you do not provide this data to us, it is not possible for us to perform and process the contractual relationship.

11. Data collection and processing on our websites
When you visit our websites, we temporarily store some general technical information, such as the software and hardware you use, the IP address of the requesting computer, the Internet site from which you are visiting us, the pages you visit, and the date, time and duration of your visit. We collect this data exclusively to ensure the functionality of our websites.

On our websites, we use cookies to facilitate the use of certain functions. Cookies are files that are stored on the hard drive of your computer and make navigation easier. They prevent all necessary data from having to be entered again for each new use. Cookies help us to adapt our websites to your needs, such as to your national language.

Inasmuch as the use of cookies is necessary to provide our services, this use is based on a legitimate interest pursuant to Art. 6 para. 1 clause f) GDPR.

If you have given your consent, Google Analytics, a web analysis service provided by Google Inc. ("Google") will be used on these websites. Google Analytics uses "cookies," which are text files that are saved on your computer and facilitate analysis of your use of the website. The information about your use of the website that is recorded by the cookie will generally be transferred to a Google server in the USA and stored there. In the event that IP anonymization is activated on this website, your IP address will first be shortened by Google within member states of the European Union or other contracting states of the treaty concerning the European Economic Area. Only in exceptional cases will the full IP address be sent to a Google server in the USA and shortened there. On behalf of the operator of this website, Google will use this information to evaluate your use of the website, to create reports about website activities, and to perform other services connected with website usage and internal usage for the website operator. The IP address transmitted from your browser in the context of Google Analytics will not be collated with other data from Google. You can prevent cookies from being stored by using the setting in your browser software; however, we must inform you that it may not be possible to fully use all functions of this website in this case. You can also prevent data that is created by cookies and relates to your usage of the website (incl. your IP address) from being sent to Google and this data from being processed by Google by downloading and installing the browser plugin available under the following link: tools.google.com/dlpage/gaoptout

You can find more detailed information about usage conditions and data protection under Google Analytics Conditions and under the Google Analytics Overview. We would like to inform you that on this website, Google Analytics has been expanded using the code "ga('set', 'anonymizeIp', true)" to ensure that IP addresses are recorded in an anonymized form (IP masking).

12. Changes to this information
If the purpose or type and manner of processing your personal data changes significantly, we will promptly update this information and inform you of the changes.