Privacy Policy PricewaterhouseCoopers GmbH Wirtschaftsprüfungsgesellschaft

This data protection information is directed to our clients and customers, our contact persons and contact persons for clients and customers, our service providers and contact persons for our service providers as well as PwC's other business contacts.

You have a business contact with PwC because either you or your employer is a customer or prospective customer of PricewaterhouseCoopers GmbH Wirtschaftsprüfungsgesellschaft ("PwC") or because you had contact with PwC or employees of PwC for example during an event, pitch or in some other capacity and gave us your contact details at that time.

This document provides information on how PwC processes your personal data in the context of providing tax/legal/corporate advisory or auditing services or performing other engagements. It also explains how PwC processes the personal contact data of customers, contact persons and other business contacts to build, manage and maintain business contacts.

In this document, the term "personal data" means personal data as defined in Article 4 (1) GDPR. It means any information relating to a (natural) person by means of which that person can be directly or indirectly identified.

The following data protection information aims to provide you with an understandable, transparent and concise explanation of how we intend to process your data. However, should you require further explanations relating to data protection at PwC, please do not hesitate to contact our data protection officer, Dr. Tobias Gräber, at DE_Datenschutz@pwc.com or via the alternative channels specified below.

Controller

The controller within the meaning of Article 4 (7) EU General Data Protection Regulation (GDPR) which is responsible for the processing of your personal data is:

PricewaterhouseCoopers GmbH Wirtschaftsprüfungsgesellschaft
Friedrich-Ebert-Anlage 35-37
60327 Frankfurt am Main
E-mail: DE_Kontakt@pwc.com
Switchboard: +49 69 9585-0
Fax: +49 69 9585-1000

Data protection officer

PwC has appointed a data protection officer pursuant to Article 37 GDPR. You can contact PwC's data protection officer, Dr. Tobias Gräber, via the following channels:

E-mail: DE_Datenschutz@pwc.com

Tel: +49 69 9585-0

Postal address:

PricewaterhouseCoopers GmbH WPG
Dr. Tobias Gräber, Datenschutzbeauftragter
Friedrich-Ebert-Anlage 35-37
60327 Frankfurt am Main

Purposes and legal basis for processing

PwC processes your personal data for the following purposes:

  • Data processing for the purpose of initiating and performing contracts

PwC processes your personal data for the implementation of pre-contractual measures (such as preparing quotes, performing internal pre-contractual compliance checks or creating contracts) as well as to provide the contractually agreed services, including the project administration and billing. The legal basis for processing is Article 6 (1) (b) GDPR, and for certain engagements (particularly audits of the annual financial statements) also Article 6 (1) (c) GDPR. In this context, your contact data, i.e., name, address, telephone number and e-mail address, in particular, will be processed.

PwC uses IT systems to process inquiries and engagements in which your personal data is stored and managed.

No automated decision-making or profiling is carried out.

The duration of storage will be determined by the below-described processing for purposes of filing, documentation and archiving.

If you yourself have not personally mandated PwC, we most likely received your contact data from your employer, our customer, who has named you as the contact person within the organization. In this case, the processing of your personal data is carried out on the basis of Article 6 (1) (f) GDPR, as a legitimate interest in the processing exists. PwC has been mandated by contract with its customer and as such has an obligation to provide the commissioned services. In order to provide those services, the information of the customer's contact persons must be processed. This gives PwC a legitimate interest in the processing of that data. The same applies in the case of preparing quotes.

In the context of certain engagements (particularly audits of the annual financial statements), processing is also carried out on the basis of Article 6 (1) (c) GDPR because in such cases PwC must process some of the data based on statutory requirements for the auditing of annual financial statements.

If you yourself are a customer of PwC, additional personal data of yours which may be necessary in order to provide the agreed services will be processed in the course of the engagement. This may include, in particular, banking data, payment data, and where applicable information on your personal, professional and financial situation to the extent that these are relevant to the performance of the engagement by PwC and you provide this information to us in accordance with the engagement with PwC.

In this case, the legal basis for the processing of your data by PwC is Article 6 (1) (b) GDPR because the processing is necessary for the performance of the contract to which you and PwC are party.

Please be advised that under PwC's General Engagement Terms you as a customer are subject to a duty of cooperation, which means that you are required to provide all documents and information necessary for the performance of the engagement. If and to the extent that the necessary information is not provided, PwC will not be able to process your engagement and perform the agreed services at all, or may only be able to do so to a limited extent.

  • Data processing for the purpose of procurement and use of services

If you yourself are or your employer is a service provider of PwC, we process your personal data (particularly your contact data, i.e., name, address, telephone number and e-mail address) in order to initiate or execute the contract or perform services which PwC purchases from you or your employer. The processing of your contact data is carried out on the basis of Article 6 (1) (b) GDPR for the performance of a contract to which you are party insofar as you are a service provider of PwC or based on a legitimate interest within the meaning of Article 6 (1) (f) GDPR insofar as your employer renders services for us.

  • Data processing for purposes of filing, documentation and archiving

PwC is required by law to keep proper files and records and comprehensive documentation of its engagements. These files and documentation must also be kept and stored after completion of an engagement for the stipulated statutory retention periods. PwC is also subject to other statutory documentation and retention obligations in connection with tax law, accounting, commercial or corporate law requirements for companies.

The documentation, work products and associated client correspondence to be documented also contain personal data and as such are also part of file management and archiving.

Filing, documentation and archiving of client documents is carried out electronically in PwC's IT systems and in part in the form of paper files.

The processing is carried out on the basis of Article 6 (1) (c) GDPR; PwC's filing, documentation and archiving activities fulfill its statutory obligations under the laws of the profession, tax law, commercial and corporate law, among other things.

  • Data processing for marketing and advertising purposes

PwC also uses your contact data (particularly name, address, e-mail address) to obtain customer feedback or to send you information about other PwC offers or events.

Such processing is carried out based on a legitimate interest of PwC within the meaning of Article 6 (1) (f) GDPR. PwC has a legitimate economic interest in informing customers and clients about additional offers and events in order to cultivate and maintain long-term customer relationships.

  • Data processing for the purpose of managing business contacts

If PwC obtains your contact data during a business event sponsored by PwC or others, or a business meeting (e.g., when business cards are exchanged) or in the context of an engagement, we use that contact data (particularly name, address, e-mail address) to also manage our business contacts, and to do this we transfer your contact data into our CRM (Customer Relationship Management) system.

Such processing is carried out based on a legitimate interest of PwC within the meaning of Article 6 (1) (f) GDPR. PwC has a legitimate economic interest in cultivating business contacts beyond the initial contact and using them to build a customer relationship and to stay in touch with the data subjects.

Categories of recipients of data and transfers to third countries

In the context of providing the services you have commissioned, data is transferred to third parties; this may also include the transfer of personal data to European and non-European countries and the storage of data outside the EU.

Specifically, data is transmitted to the following categories of recipients:

  • Data transfer to public authorities, courts or other bodies

Depending on the nature of the specific engagement, the provision of services by PwC may also make it necessary for PwC to transfer information, work products and documents to public authorities, courts or other public or private bodies in order to process the engagement. If the commissioned service involves a foreign jurisdiction, these may also include bodies located outside Germany.

PwC will also transfer personal data to public authorities, courts or other bodies in those cases where it is required by law or by administrative or court order to turn personal data over to public authorities, courts or other bodies.

  • Engagement-related cooperation with other member firms of the PwC network

PricewaterhouseCoopers GmbH WPG is part of the global PwC network of member firms, each of which is a separate and independent legal entity.

If the provision of the commissioned services so requires, it works together with other member firms of the global PwC network. This may be the case if the engagement involves a foreign jurisdiction or if for some other reason the expertise of a colleague from another (foreign) member firm of the PwC network is required.

Insofar as the transfer is made to a member firm of the PwC network established outside the European Economic Area, an adequate level of data protection is ensured by using standard contractual clauses laid down by the EU Commission within the meaning of Article 46 (2) (c) GDPR. The member firms of the PwC network have entered into an internal data protection agreement which provides for compliance with the EU standard contractual clauses laid down by the EU Commission when transferring personal data from EU/EEA member states to other member firms.

The EU standard contractual clauses may be accessed at https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2010:039:0005:0018:EN:PDF.

  • Data transfer to PwC network-internal service providers

In the context of its work, PwC also uses other German or foreign-established member firms of the PwC network as network-internal IT service providers to provide services for the operation, service and maintenance of the IT systems and applications used by the member firms of the PwC network.

For the most part, this involves PwC IT Services Ltd. established in the UK.

PwC also uses network-internal Service Delivery Centers (SDCs), which provide support services to the other member firms of the PwC network in the area of organization and settlement of customer orders and engagements. These support services include, for example, billing, layout and design, proofreading, translation and other services related to the engagement. SDCs are located in Germany, Poland and Argentina, among other places.

Insofar as the transfer is made to a member firm of the PwC network established outside the European Economic Area, an adequate level of data protection is ensured by using standard contractual clauses laid down by the EU Commission within the meaning of Article 46 (2) (c) GDPR. The member firms of the PwC network have entered into an internal data protection agreement which provides for compliance with the EU standard contractual clauses laid down by the EU Commission when transferring personal data from EU/EEA member states to other member firms.

  • Data transfer to external IT service providers

PwC also uses external IT service providers.

- General IT service providers: PwC uses external IT service providers who provide general IT services or IT systems utilized by the whole business and for each engagement. This includes, for example, operating systems for internal and external (e-mail) communication.

- Subject-specific and engagement-specific IT service providers: In addition, PwC in some cases uses external service providers who offer special applications for tax advisors, auditors and/or lawyers.

If the IT service providers are foreign cloud service providers, the data is stored in the service provider's data centers within and outside the EU. An adequate level of data protection as required by EU data protection law is ensured by contractual agreement of the EU standard contractual clauses (EU model clauses). For more information on the cloud service providers PwC uses, see www.pwc.de/externe-dienstleister.

If it is not possible to ensure an adequate level of data protection comparable to that within the EU under the GDPR in a given case, we would only be able to transfer data subject to your prior express consent.

Rights of data subjects/your rights under data protection law

Under the applicable data protection law you have the following rights with respect to your personal data.

Right of access: You may request information from PwC at any time as to whether PwC has stored your personal data and which personal data it has stored. PwC is required to provide this information to you free of charge.

The right of access does not exist or is subject to limitations if and to the extent that confidential information, such as information that is subject to professional secrecy, would be disclosed.

Right to rectification: If your personal data which is stored by PwC is inaccurate or incomplete, you have the right to demand at any time that PwC rectify this.

Right to erasure: You have the right to demand that PwC erase your personal data if and to the extent that the data is no longer needed for the purposes for which it was collected or if the data is processed on the basis of your consent and you have opted to revoke your consent. In such cases, PwC must cease processing your personal data and remove that data from its IT systems and databases.

The right to erasure does not apply if

  • the data may not be deleted due to a statutory obligation or must be processed due to a statutory obligation;
  • the processing of data is necessary for the establishment, exercise or defense of legal claims.

Right to restriction of processing: You have the right to demand that PwC restrict the processing of your personal data.

Right to data portability: You have the right to receive from PwC the data provided by you in a structured, commonly used, machine-readable format as well as the right to have these data transmitted to a different controller. This right exists only if

  • you have made this data available to us on the basis of consent or an agreement entered into with you;
  • the processing is carried out by automated means.

Right to object to processing: If your data is processed by PwC on the basis of Article 6 (1) (f) GDPR, you have the right to object at any time to processing by PwC.

Processing on the basis of Article 6 (1) (f) GDPR applies, for example, if your employer is a client of PwC and has provided us with your data as a contact person in your organization, or if PwC uses your contact data to send you information about PwC offers and events.

You may assert any and all of the rights of data subjects described above against PwC by addressing your specific requests via the following channels:

By e-mail: DE_Datenschutz@pwc.com

By post:

PricewaterhouseCoopers GmbH WPG
Dr. Tobias Gräber, Datenschutzbeauftragter
Friedrich-Ebert-Anlage 35-37
60327 Frankfurt am Main

Right to lodge a complaint with a data protection supervisory authority

Pursuant to Article 77 GDPR, you have the right to lodge a complaint with a data protection supervisory authority if you believe that the processing of your personal data infringes data protection law.

Duration of data storage

PwC will store and process your personal data for as long as is necessary to fulfill the purposes of processing described herein. If your personal data is subject to statutory retention requirements or is contained in documents which are subject to statutory retention requirements, PwC will store such data for the duration of the stipulated statutory retention period.

The retention periods to which PwC is subject vary and for the most part range between 6 and 10 years. Below are the main statutory retention periods to which PwC is subject:

Type of document: retention period

  • Client files of auditors: 10 years from the end of the calendar year in which the engagement ends
  • Client files of attorneys: 6 years from the end of the calendar year in which the engagement ends
  • Booking vouchers: 10 years
  • Commercial or business letters received and copies of commercial or business letters sent: 6 years
  • Other documents relevant for taxation: 6 years

Insofar as the relevant data is subject to different retention periods, the longest retention period shall apply in each case. In individual cases, the prescribed statutory retention period may also be extended if, for example, the information is necessary for the establishment, exercise or defense of legal claims, even after the retention period has expired.

Information concerning rules of the profession

This document provides information solely on the processing of personal data. It has no bearing on duties of confidentiality and non-disclosure under rules of the profession to which PwC and its employees may be subject as tax advisors, auditors and lawyers. These professional obligations apply in full to all data and information that we receive from you in the course of the contractual relationship with you, regardless of whether this information is personal or not.

Additional data protection information regarding the processing of special categories of personal data

If you yourself have mandated PwC to provide services, PwC processes not only your personal contact data in the context of performing the engagement, but also other personal data that you provide to us in that context having to do with your personal, economic and/or professional situation.

Depending on the nature of the specific engagement, special categories of personal data within the meaning of Article 9 GDPR may be involved in addition to the above-mentioned personal data. These categories of personal data are afforded special protection under data protection law and may only be processed under certain conditions.

The following provides additional information relating to the processing of special categories of personal data by PwC.

Special categories of personal data

Special categories of personal data are personal data revealing information about the following attributes:

  • racial or ethnic origin;
  • political opinions (such as receipts from donations to political parties or foundations or receipts for membership dues to such institutions);
  • religious or philosophical beliefs (such as information about a religious affiliation in the form of church tax attribute or grants to religious or philosophical associations);
  • trade union membership (such as receipts for membership dues or donations to trade unions);
  • genetic data;
  • biometric data for the purpose of uniquely identifying a natural person (such as fingerprints or biometric photos);
  • data concerning health (such as information about payments from disability or health insurance policies; information about status as a severely disabled person; or medical bills/private health insurance statements);
  • data concerning a natural person's sex life or sexual orientation (this could for example even be information about marital status, such as information about a same-sex registered life partnership or same-sex marriage/partnership).

Purposes and legal basis for processing

PwC uses such special types of personal data solely to perform the engagement with you and only to the extent that you have provided such data to us in that context and the processing of such data is necessary for the performance of the engagement.

This involves particularly sensitive information that merits higher protection than other personal data. In order to process personal data of this type, we require your consent.

Processing is therefore carried out on the basis of your consent within the meaning of Article 6 (1) (a) in conjunction with Article 7 GDPR.

By signing the engagement and transmitting such sensitive personal data to PwC, you express your approval to the data processing by PwC for the purpose of executing the specific engagement and thus grant your consent under data protection law.

Withdrawal of consent to data processing

Consent to data processing is voluntary and may be withdrawn by you at any time with effect for the future.

If you wish to withdraw your consent to the processing of special categories of personal data by PwC, simply send your withdrawal of consent by e-mail or by post to:

E-mail: DE_Datenschutz@pwc.com

By post:

PricewaterhouseCoopers GmbH WPG
Dr. Tobias Gräber, Datenschutzbeauftragter
Friedrich-Ebert-Anlage 35-37
60327 Frankfurt am Main

Please be advised that if you withdraw your consent, PwC will not be able to process your engagement and perform the agreed services at all, or may only be able to do so to a limited extent.
