Further data protection information

I. General The protection of personal data is of particular importance to Craftview Software GmbH. Therefore, Craftview Software GmbH only processes personal data in accordance with the applicable legal provisions and ensures technical and organisational compliance with data protection regulations. The following information provides an overview of the handling of data and the rights of data subjects arising from the European General Data Protection Regulation (GDPR) as of 25.05.2018. Information pursuant to Art. 13 (data collection directly from the data subject) and Art. 14 (data collection from third parties) of the General Data Protection Regulation (GDPR). Personal data are collected in connection with the provision of our services and in the context of the employment relationships required for this purpose. Please note the following data protection information:

1. Contact details of the responsible body: Responsible for data collection is:

Craftview Software GmbH Mainzer Landstr.178-190, D-60327 Frankfurt a. Main Germany

02823 / 42560 info@craftview.de Internet address: www.craftview.de Managing Director: Klaus Enke

2. Contact details of the data protection officer:

External Data Protection Officer Creditreform Compliance Services GmbH Hammfelddamm 13 D - 41460 Neuss Tel.: 02131 / 1091072 E-mail: datenschutz-extern@craftview.de

3. Information on the supervisory authority

The responsible supervisory authority for data protection is:

State Commissioner for Data Protection and Freedom of Information of North Rhine-Westphalia, Kavalleriestr. 2-4, 40213 Düsseldorf, Germany Telephone: 0221 / 38424-0 Fax: 0211 / 38424-10 E-mail: poststelle@ldi.nrw.de

4. Purposes and legal bases of the processing Legal bases for the processing of data:

• Processing for the performance of contracts concluded with Craftview Software GmbH pursuant to Art. 6 para. 1 letter b GDPR. If personal data are collected and processed for the performance of pre-contractual measures or on the basis of a contract, these data are used for the conclusion of the contract, the performance of the contractual relationship and, if applicable, its termination. This also includes, for example, data processing within the scope of employment relationships pursuant to Section 26 BDSG.

• Processing for the protection of legitimate interests pursuant to Art. 6 para. 1 lit. f GDPR It may happen that data are processed in order to safeguard legitimate corporate interests of Craftview Software GmbH or, if applicable, those of third parties. This may be necessary, for example, to ensure IT security and IT operations, to update address data of customers and contractual partners, to prevent and clarify criminal offences/ administrative offences, to secure house rights, to be able to offer our customers a post-contractual service, or for the purposes of direct advertising to our own customers if further requirements are met.

• Processing based on consent, Art. 6 para. 1 lit. a GDPR Insofar as the data subject has given consent to Craftview Software GmbH to process data for specific purposes, such personal data may be lawfully used in accordance with the scope of the consent.

• Processing for the fulfilment of legal obligations, Art. 6 para. 1 lit. c GDPR The processing of data may ultimately be necessary for the fulfilment of legal obligations, in particular retention obligations under the German Commercial Code and the German Fiscal Code

• If we process special categories of personal data, the legal basis for this is Art. 9 para. 2 and para. 4 GDPR, if applicable in conjunction with § SECTION 22 BDSG.

5. Categories of data we collect from third parties We process the following categories of personal data that we receive from third parties: • Contact details of prospective customers (name, address, email, telephone). • Creditworthiness information

6. Sources (third parties) from which the personal data are obtained Craftview Software GmbH processes personal data insofar as this data has been provided or transmitted by the data subjects themselves (e.g. customers, employees) or, as the case may be, by third parties. Insofar as Craftview Software GmbH receives personal data from third parties, these are in particular the following bodies: • Credit agencies • Commercial agents (specialised trade partners) • Business partners in the context of the fulfilment of contractual services

7. Recipients or categories of recipients of the personal data At Craftview Software GmbH, personal data are accessed by those persons who require it for the respective legitimate fulfilment of tasks. Insofar as commissioned external service providers receive personal data for these purposes, we ensure that suitable technical and organisational measures are implemented and necessary agreements are concluded in such a way that the processing is carried out in accordance with the applicable data protection regulations and guarantees the protection of the rights of the data subject. We may share personal data with: • External service providers (IT service providers, payroll service providers). • Business partners for whom the transfer of data is necessary for the fulfilment of tasks and/or the provision of our services (such as payment service providers/banking institutions, postal/parcel services, event partners) • Collection agencies in order to collect debts • Authorities and companies in the context of updates or to fulfil legal notification obligations (e.g. social insurance institutions, financial authorities, police and public prosecutors, supervisory authorities, road traffic offices) • Other third parties for whom the data subjects have given consent to data transfer or for whom there is a legal authority to transfer data (e.g. legal profession, insolvency administrator)

For the area of employee data, this might be for example: • Employer's Liability Insurance Association • Responsible chambers (IHK) • Cooperation partners in training • Occupational health service • Further education/training institutions 8. Intention to transfer data to a third country or to an international organisation When using service providers and passing on data to third parties with your consent (= approval), personal data may be transferred to recipients in countries outside the European Union ("EU"), Iceland, Liechtenstein and Norway (= European Economic Area) and processed there. This concerns the USA in particular. From the EU's point of view, an adequate level of protection for the processing of personal data corresponding to EU standards exists in the following countries (so-called adequacy decision): Andorra, Argentina, Canada (limited), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, Uruguay. With recipients in other countries, we agree to use EU standard contractual clauses, binding corporate rules or other permissible mechanisms to provide an "adequate level of protection" in accordance with legal requirements. We will be happy to provide you with further information on this via the aforementioned contact options upon initial request 9. Duration of storage or criteria for determining the duration Personal data will only be stored for as long as permitted by the applicable legal basis. In particular, for as long as necessary to fulfil the contractual purposes for which the personal data were collected, for as long as their continued storage is necessary to comply with retention obligations or for overriding legitimate interest, or until the data subject revokes the consent on which the processing was based.

10. Rights of the data subjects You have the following rights when your personal data are collected: • Right of access, Art. 15 GDPR: Pursuant to Art. 15(1) GDPR, the data subject has the right to request confirmation as to whether personal data relating to him or her are being processed. If this is the case, he or she also has the right of access to this personal data and to the further information pursuant to Art. 15(1)(a) to (h) of the GDPR. • Right to rectification, Art. 16 GDPR: Should the personal data be inaccurate or incomplete, taking into account the purposes of the processing, there is a right under Art. 16 GDPR to request rectification or completion of the personal data. • Right to erasure, Art. 17 GDPR: According to Art. 17(1) GDPR, there is a right to request erasure of personal data if the processing of personal data is unlawful for one of the reasons mentioned in this provision. However, erasure cannot be requested if further processing is necessary in the cases of Art. 17 (3) GDPR, e.g. to comply with legal obligations. • Right to restriction of processing, Art. 18 GDPR: Under the conditions of Art. 18(1)(a) to (d) GDPR, the data subject has the possibility to request the restriction of processing (blocking). • Right to data portability according to Art. 20 GDPR: the data subjects have the right to receive their personal data, which they themselves have provided to Craftview Software GmbH and which are processed automatically by Craftview Software GmbH on the basis of consent or a contract, in a common machine-readable format. This right is subject to, among other things, technical feasibility. • Right to object, Article 21 of the GDPR: Data subjects have the right to object to the processing of their personal data processed on the basis of a balance of interests (Article 6(1)(f) of the GDPR), taking into account the requirements of Article 21 of the GDPR. If the objection is directed against direct advertising, data processing will no longer take place. In other cases, processing may only continue despite the objection if compelling legitimate grounds for the processing override the interests, rights and freedoms of the data subject or the processing serves to assert, exercise or defend legal claims.

11. Right of revocation for consent In addition, consent given can be amended or revoked entirely at any time and without giving reasons with effect for the future. The revocation does not affect the lawfulness of the processing of your data carried out on the basis of your consent up to any revocation. You can send the revocation to Craftview Software GmbH either by post at Emmericher Weg 12, 47574 Goch, by e-mail (info@craftview.de) or by fax (02823 / 4256-999). In doing so, you will not incur any further costs outside the basic rates.

12. Right of complaint to the supervisory authority You have the right to lodge a complaint with a supervisory authority for data protection. The contact details of the supervisory authority responsible for us can be found under point 3..

13. Obligation to provide personal data An obligation to provide certain personal data arises from the contracts concluded or to be concluded insofar as the performance of the contract cannot take place without the provision of the data. Furthermore, legal obligations may have to be observed, which would oblige us to collect / process certain data. In the case of data that is required as part of a contract, the contract cannot be concluded if the information is missing. If data must be provided due to legal obligations. The associated service cannot be provided without the provision of the data. In the context of your application, you must provide the personal data that is required for the application procedure and the suitability assessment. Without this data, we will not be able to carry out the application process and make a decision on whether to offer you employment.

14. Automated decision-making or profiling Automated decision-making in individual cases, including profiling in accordance with Art. 22 GDPR, does not take place at Craftview Software GmbH.