Data Protection Statement

1. Name and address of responsible party

The responsible party in the sense of the General Data Protection Regulation and other national data protection laws as well as other statutory data protection provisions is: Saubermacher Outsourcing GmbH Hans-Roth-Straße 1 8073 Feldkirchen bei Graz Tel.: +43 59 800 7000 Email: outsourcing@saubermacher.at Website: www.saubermacher-outsourcing.com

2. Contact information for the data protection officer

The responsible party’s data protection officer can be reached using the following contact information: Tel.: +43 59 800 Email: datenschutz@saubermacher.at

3. General information about data processing

1. Scope of processing for personal data We collect and use personal data for our users only to the extent that this is necessary in order to provide a functional website as well as our content and services. As a rule, the collection and use of our users’ personal data only takes place with prior consent from the user. An exception applies in cases where it is not possible to obtain consent in advance for practical reasons, and where data processing is permitted by the statutory provisions. 2. Legal basis for processing personal data If and to the extent that we obtain consent from the relevant persons to process their personal data, Art. 6 Sec. 1 lt. a EU General Data Protection Regulation (GDPR) serves as the legal basis for processing personal data. When processing personal data that is necessary in order to fulfill a contract with the relevant person, Art. 6 Sec. 1 lt. b GDPR serves as the legal basis. This also applies to processing steps that are necessary in order to perform pre-contractual measures. If and to the extent that personal data must be processed in order to fulfill a legal obligation for our company, Art. 6 Sec. 1 lt. c GDPR serves as the legal basis. In the event that vital interests of the relevant persons or of another natural person necessitate the processing of personal data, Art. 6 Sec. 1 lt. d GDPR serves as the legal basis. If data processing is necessary in order to protect a justified interest of our company or of a third party, and if the interests, basic rights and basic liberties of the relevant party do not outweigh the former interest, Art. 6 Sec. 1 lt. f GDPR serves as the legal basis for such processing. 3. Deletion of data and storage period Personal data for the relevant persons will be deleted or blocked as soon as the reason for storing it no longer applies. Longer storage periods may apply as required by European or national legislation in Union ordinances, laws, or other regulations to which the responsible party is subject. Data will also be deleted or blocked once a storage period established by the abovementioned standards comes to an end, unless the data must continue to be stored for the purpose of concluding or executing a contract.

4. Availability of the website and creating log files

1. Description and scope of data processing Each time our website is called up, our system automatically records data and information from the visitor’s computer system. The following data is collected: (1) Information about the browser type and version used (2) The user’s operating system (3) The user’s internet service provider (4) Date and time of access (5) Websites from which the user’s system accesses our website (6) Websites accessed by the user’s system via our website This data is also stored in our system’s log files. It does not include the user’s IP addresses or other data that would allow the collected data to be assigned to a specific user. The data is not stored in conjunction with the user’s other personal data. 2. Legal basis for data processing The legal basis for temporary storage of the data is Art. 6 Sec. 1 lt. f GDPR. 3. Purpose of data processing We use the data to optimize the website and to ensure the security of our information technology systems. This also constitutes our justified interest in data processing as per Art. 6 Sec. 1 lt. f GDPR. 4. Storage period The data is deleted as soon as it is no longer needed to achieve the purpose for which it was collected. In the event that data is collected in order to make the website available, this is the case once each session has ended. 5. Right to objection and removal Collecting the data in order to make the website available, and saving this data in log files, is necessary in order to operate the website. Therefore the user does not have a right to object to this.

5. Use of cookies

1. Description and scope of data processing Our website uses cookies. Cookies are text files that are saved in the user’s internet browser and/or by the internet browser on the user’s computer system. When a user calls up a website, a cookie can be stored in the user’s operating system. This cookie contains a unique string of characters that allow the browser to be clearly identified the next time it calls up the website. Cookies that are already on the computer can be deleted at any time. You can find instructions for this in your browser settings (under “Help” in the browser menu). We use cookies to make our website more user-friendly. Some elements on our website also require the visiting browser to be identified after going to a new page. The cookies save and transmit the following data: (1) Language settings (2) Auto-fill function for entry forms In addition, our website uses cookies that allow us to analyze the user’s surfing behavior. This allows the following data to be transmitted: (1) Search terms entered (2) Frequency of visits (3) Use of website features User data that is collected in this way is rendered pseudonymous by technical means. Therefore it is no longer possible to assign the data to the visiting user. This data is not saved together with any other personal data for the user. When users visit our website, an info banner informs them about the use of cookies for analytical purposes and refers them to this Data Protection Statement. In this context, there is also information about how to prevent cookies from being stored by adjusting the browser settings. 2. Legal basis for data processing The legal basis for processing personal data using cookies is Art. 6 Sec. 1 lt. f GDPR. 3. Purpose of data processing The purpose of implementing technically necessary cookies is to make it easier for users to use the websites. Some of the features on our website cannot be offered without the use of cookies. It must be possible to recognize the browser even after the user goes to a new page on the site. We use cookies for the following applications: (1) Adjusting language settings (2) Remembering search terms User data collected via technically necessary cookies will not be utilized to create user profiles. Analysis cookies are used to improve the quality of our website and its content. The analysis cookies tell us how the website is being used, which allows us to continuously improve our offerings. We use analysis cookies for the following purposes: (1) Adjusting language settings (2) Remembering search terms These purposes also constitute our justified interest in processing personal data as per Art. 6 Sec. 1 lt. f GDPR. 4. Storage period, right to objection and removal Cookies are saved on the user’s computer and transmitted by the computer to our site. Therefore you as a user also have complete control over the use of cookies. You can adjust your web browser’s settings in order to disable or limit the transmission of cookies. Previously saved cookies can be deleted at any time. This can also be done automatically. If cookies are disabled for our website, you may not be able to use all of the website’s features to their fullest extent.

6. Use of Google Analytics and Google AdWords

1. Description and scope of data processing In order to improve the efficiency of our website, we use the services of Google Analytics, a web analysis service from Google Inc. (“Google”). Google Analytics uses “cookies.” These are text files stored on your computer that enable analysis of your website usage. Information generated by the cookie about your use of this website (including your IP address) is transmitted to a Google server in the United States and saved there. In order to protect users’ interests in protecting their personal data, this is done through anonymization of the data. Thus your IP address is not recognizable when it is transmitted to Google. You can prevent storage of Google cookies by adjusting your browser settings appropriately; in this case, however, please note that you might not be able to fully use all functions offered by this website. In addition, you can prevent data generated by the cookie and relating to your use of the website (including your IP address) from being collected and processed by Google, by downloading and installing a browser plug-in from the following link: tools.google.com/dlpage/gaoptout This website also uses cookies to contact visitors with online advertisements at a later time via remarketing campaigns in the Google advertising network. In order to place remarketing ads, third-party providers like Google use cookies based on your visit to our website. You as the user have the option to disable Google cookies by calling up the following page to disable Google at www.google.com/ads/preferences. The following data is collected during the registration process: (1) The user’s encrypted IP address (2) Date and time of access (3) Frequency of page visits (4) Use of website features (5) The user’s operating system (6) The user’s internet service provider (7) Date and time of access (8) Websites from which the user’s system accesses our website (9) Websites accessed by the user’s system via our website (10) Operating systems used by end devices (11) Age, gender, languages, interests, country of origin 2. Legal basis for data processing The legal basis for processing data is our justified interest in improving efficiency and in financing the website in the sense of Art. 6 Sec. 1 lt. f GDPR. 3. Purpose of data processing Transmitting the anonymized IP address to Google helps us improve the efficiency of our website and create corresponding anonymized analyses of user behavior as well as financing this website. 4. Storage period The data is deleted as soon as it is no longer needed to achieve the stated purpose.

7. Rights of the relevant person

If your personal data is processed, you are the relevant person, and you have the following rights with regard to the responsible party: 1. Right to information You can request confirmation from the responsible party about whether your personal data is being processed by us. If such processing is taking place, you can request the following information from the responsible party: (1) the purposes for which the personal data is being processed; (2) the categories of personal data being processed; (3) the recipients and/or categories of recipients to whom your personal data has been or will be disclosed; (4) the planned storage period for your personal data or, if no concrete information can be provided in this regard, criteria for determining the storage period; (5) whether you have a right to have your personal data corrected or deleted, a right to limit processing by the responsible party, or a right to object to such processing; (6) whether you have a right to lodge a complaint with a supervisory authority; (7) all available information regarding the origin of the data if the personal data is not collected from the relevant person; (8) whether there is an automated decision-making process, including profiling as per Art. 22 Sec. 1 and 4 GDPR, and – at least in these cases – meaningful information about the involved logic and reach as well as the intended effects of such processing for the relevant person. You have the right to request information about whether your personal data is transmitted to a non-EU country or an international organization. In this context, you can ask to be informed about the appropriate guarantees as per Art. 46 GDPR in conjunction with this transmission. 2. Right to correction You have a right to ask the responsible party to correct and/or complete your personal data if your processed data is incorrect or incomplete. The responsible party must perform such corrections immediately. 3. Right to limit processing Under the following conditions, you can request that processing of your personal data be limited if: (1) you dispute the accuracy of your personal data for a period of time that allows the responsible party to check the accuracy of the personal data; (2) the processing is illegal and you waive the right to delete the personal data, instead asking to limit use of the personal data; (3) the responsible party no longer needs the personal data for the stated processing purposes, but you need it in order to assert, exercise or defend legal claims, or (4) you have raised an objection to the processing as per Art. 21 Sec. 1 GDPR and it is not yet clear whether the responsible party’s justified reasons outweigh your reasons. If processing of your personal data has been limited, this data – aside from its storage – may only be processed with your consent or in order to assert, exercise or defend legal claims or to protect the rights of another natural or legal person, or for the sake of an important public interest of the Union or a member state. If processing has been limited according to the abovementioned requirements, you will be informed by the responsible party before the limitation is lifted. 4. Right to deletion a) Deletion obligation You can ask the responsible party to delete your personal data immediately, and the responsible party is obligated to delete this data immediately, if one of the following reasons applies: (1) Your personal data is no longer needed for the purposes for which it was collected or otherwise processed. (2) You revoke your consent, which was the basis for processing as per Art. 6 Sec. 1 lt. a or Art. 9 Sec. 2 lt. a GDPR, and there is no other legal basis for the processing. (3) You object to the processing as per Art. 21 Sec. 1 GDPR and there are no prior-ranking justified reasons for processing, or you object to the processing as per Art. 21 Sec. 2 GDPR. (4) Your personal data was processed illegally. (5) It is necessary to delete your personal data in order to fulfill a legal obligation under Union law or the law of the member states to which the responsible party is subject. (6) Your personal data was collected with regard to information society services as per Art. 8 Sec. 1 GDPR. a) Information for third parties If the responsible party has published your personal data and is obligated to delete it as per Art. 17 Sec. 1 GDPR, it will take appropriate (technical) measures – with consideration for the available technology and the implementation costs – to inform the parties responsible for processing your personal data that you as a relevant person have asked them to delete all links to this personal data and any copies or replications of this personal data. b) Exceptions The right to deletion does not apply if processing is required: (1) to exercise the right to freedom of expression and information; (2) to fulfill a legal obligation that requires processing according to the law of the Union or the member states to which the responsible party is subject, or to perform a task that is in the public interest or was assigned to the responsible party in the exercise of public authority; (3) for the sake of public interest in the sphere of public health as per Art. 9 Sec. 2 lt. h and i as well as Art. 9 Sec. 3 GDPR; (4) for archival purposes, scholarly or historical research purposes that are in the public interest, or for statistical purposes as per Art. 89 Sec. 1 GDPR, to the extent that the right named in Section a) will likely make it impossible to realize the objectives of this processing or will significantly impair it, or (5) in order to assert, exercise or defend legal claims. 5. Right to information If you have asserted your right to have the data corrected or deleted or its processing limited by the responsible party, this party must inform all recipients to whom your personal data was disclosed about this correction or deletion of data or limitation on processing, unless this is impossible or is associated with an unreasonable effort or cost. You have the right to be informed about these recipients by the responsible party. 6. Right to data portability You have the right to obtain your personal data that you provided to the responsible party in a structured, common and machine-readable format wherever technically possible. In addition, you have the right to provide this data to another responsible party without hindrance from the responsible party that was originally provided with the personal data as long as (1) the processing is based on a declaration of consent as per Art. 6 Sec. 1 lt. a GDPR or Art. 9 Sec. 2 lt. a GDPR or on a contract as per Art. 6 Sec. 1 lt. b GDPR and (2) the processing takes place using automated procedures. In exercising this right, you are also entitled to have the relevant personal data transmitted directly from one responsible party to another responsible party wherever technically possible. In doing so, other people’s freedoms or rights may not be impaired. The right to data portability does not apply to the processing of personal data that is necessary in order to perform a task that is in the public interest or was assigned to the responsible party in the exercise of public authority. 7. Right to object For reasons relating to your particular situation, you have the right to object at any time to the processing of your personal data that takes place on the basis of Art. 6 Sec. 1 lt. e or f GDPR. The responsible party will no longer process your personal data in this case unless it can demonstrate urgent, legitimate grounds for such processing that outweigh your interests, rights and freedoms, or unless such processing is being used to assert, exercise or defend legal claims. If your personal data is being processed for the purpose of direct advertising, you have the right to object at any time to the processing of your personal data for the purpose of such advertising; this also applies to profiling where this is connected to such direct advertising. If you raise an objection to processing for the sake of direct advertising, your personal data will no longer be processed for this purpose. You have the option to exercise your right to object in conjunction with the use of information society services – regardless of Directive 2002/58/EC – by way of automated processes in which technical specifications are used. 8. Right to revoke the declaration of consent under data protection law You have the right to revoke your declaration of consent under data protection law at any time. Revoking your consent will not affect the legality of any processing that took place before the revocation. 9. Right to submit a complaint to a supervisory authority Regardless of any other administrative or judicial action, you have the right to submit a complaint to a supervisory authority, particularly in the member state where you are located, at your workplace, or in the city of the alleged violation, if you believe that the processing of your personal data violates the GDPR. The supervisory authority to which the complaint is submitted will then inform the complainant about the status and results of the complaint, including the possibility of taking legal action as per Art. 78 GDPR.