Privacy/data protection information

'Data protection declaration' and 'Information on the processing of personal data pursuant to Art. 13, 14 DSGVO'

Introduction

The following 'Data Protection Declaration' and the 'Information on the processing of personal data in accordance with Art. 13, 14 DSGVO' explain what data we collect about you, what we need this data for and to whom we pass this data on. In addition, they also include your rights in relation to your data and the contact persons you can contact for further information or inquiries.

While the 'Privacy Policy' is primarily intended to explain what data we process, store and protect about you when you use 'our website' (as defined below), the 'Information on the processing of personal data pursuant to Art. 13, 14 DSGVO' is primarily intended to explain the processing of your data within the scope of our services for you/our customers and within the scope of all other activities that are part of the performance of our business activities.

Last revision: May 2019

I. Privacy policy

To whom does this privacy policy apply and what is covered by it?

This privacy policy applies exclusively to the specific website of deloitte.ai, for which Deloitte Consulting GmbH, based in ('Deloitte', 'we', 'us' or 'our') is responsible.

We are committed to protecting your privacy and processing your data in an open and transparent manner.

This privacy policy explains how we process, store and protect information about you when you use our website. We also explain how we process your data when we provide services to you/our customers and in all other activities that are part of the performance of our business.

When this policy refers to 'our website' or 'this website', it refers to the specific website at deloitte.ai.

This Privacy Policy also contains information about when we share your personal information with other members of the Deloitte Network (nationally independent member firms or affiliates of Deloitte Touche Tohmatsu Limited ('DTTL') (together the 'Deloitte Network') ('About Deloitte') and other third parties (for example our service providers).

If you provide us with information via the Deloitte Website, you agree in accordance with Art. 6 paragraph 1 letter a, 7 of the DSGVO (German Data Protection Act) that we may process your personal data in accordance with the principles set out here. This also applies to any necessary transfer of personal data to foreign member companies of Deloitte Touche Tohmatsu Limited. Please note in this context that certain links (electronic references) on the German Deloitte website lead to the websites of third parties or other member companies of Deloitte Touche Tohmatsu Limited which, due to their national autonomy and independence as well as any differing laws there, are not subject to the content of this privacy statement. Deloitte Consulting GmbH assumes no liability for the content and/or the data protection treatment of data left on these other websites.

to other areas of deloitte.ai

Please note that in addition to the deloitte.ai website, other country-specific, regional and service-specific websites are offered on deloitte.ai. These are provided by other companies/entities within the Deloitte network, e.g. the deloitte.com site is provided by Deloitte GmbH Wirtschaftsprüfungsgesellschaft and not by us. The provisions of this Privacy Policy do not apply to these websites or any other websites to which this Website may be linked. We encourage visitors to our website to review the privacy statements of any of these other websites before disclosing personal information.

Which data will be collected?

Although the use of our Website is not conditional upon the transmission of your personal data and we do not store any personal data via the Deloitte Website without your consent, we may process personal data of you if you voluntarily provide us with such data for specific purposes in the designated areas of our Website.

Within the scope of providing services for you/our customers and carrying out necessary preliminary checks in connection with our services (e.g. conflict or 'know-your-client' checks required by regulations) or within the scope of discussing possible services to be provided by us, we process personal data about you to the extent necessary.

We may collect or receive this information because you provide it to us (for example, on a form on our website), because we have received it from other people (for example, your employer or consultant or from third parties we have engaged to assist us in carrying out our business, to the extent permitted by law) or because it is publicly available.

In order to improve the operation of our Websites for you and to ensure their effective functionality, we use cookies (small text files that are offered/stored in the user's browser) and web beacons (small image files that allow the Deloitte Website to determine the number of visitors for a specific area of the Deloitte Website and to request certain stored cookies). We use these instruments to collect user data such as IP address, domain, browser type, language, access times and the pages visited on our Website. This collected information is forwarded to our webmaster to ensure that our website remains a useful and effective source of information.

Neither our cookies nor our web beacons collect personal information such as names or e-mail addresses. To prevent your Internet browser from receiving cookies or web beacons in the first place, you should set your Internet browser to either not receive cookies or web beacons at all or to prompt you for your consent to receive each cookie or web beacon. Please read our Cookie Notice for more information on how to disable these tools. However, the Deloitte Digital Website may require the receipt of a cookie and/or web beacon and may otherwise deny visitors access to certain areas.

You can use opt-out to prevent your anonymous Internet activities on websites from being recorded by analysis cookies. We use the following service providers: Google Analytics & Adobe Analytics (as described below). For more information about their privacy policies, how you can use the opt-out and additional information about cookies, please click on the following links:

Adobe: opt-out

Deloitte Cookie Note

The personal data we collect or obtain about you may include the following: Name; age; date of birth; gender; e-mail address; country of birth; employment and education information (for example, which company you work for, your job title and information about your education); financial and tax information (for example, where you reside for income and tax purposes); your postings on blogs, forums, wikis and any other social media applications and services provided by us; your IP address; your browser type and language; your access times; complaint details; details of how you use our products and services; details of how you prefer to interact with us and other similar information.

The personal data processed by us may also include so-called 'sensitive' or 'special categories' of personal data, provided that you provide us with such data voluntarily. The types of personal data and special categories of personal data processed by us may vary depending on the type of services we provide to you/our customers or the way you use our website.

We underline the importance of the protection of the private and personal sphere of minors (explicitly children under the age of 13), especially with regard to the possible misuse of today's Internet communication. For this reason, we would like to emphasize that our website and services are not designed for children or intentionally targeted at minors. We do not knowingly collect or store information about minors.

How will your data be processed by us?

Processing of personal data collected via our website

In addition to the above-mentioned purposes in connection with our business activities, we may also process your personal data collected via our website:

If, as a registered visitor, you no longer wish to use the information offered or other areas, you can object to further processing of your personal data for the future at any time. To do so, please contact Deloitte Consulting GmbH as the person responsible within the meaning of the DSGVO, Schwannstraße 6, 40476 Düsseldorf or kontakt@deloitte.de. The objection shall not give rise to any costs other than the transmission costs according to the basic rates.

Processing of personal data for the provision of services to our customers

We process your personal data for the purpose of implementing individual contractual relationships, for the provision of services for you/our customers. In this context, we may process your personal data in the course of a correspondence regarding the services. Such correspondence may take place with you, our client, other members of the Deloitte network, our service providers or competent authorities. We may also process your personal data in order to conduct necessary preliminary checks in connection with our services (e.g. conflict or 'know-your-client' checks) or in the course of discussing possible services to be provided by us.

Because we offer our customers a wide range of services, the way in which we process personal data in relation to our services also varies. For example, we may use personal data:

Processing of personal data for other activities that are part of our business activities

We may also process your personal data in connection with the following purpose related to the original purpose (depending on necessity and professional admissibility in individual cases):

Legal basis for the processing of personal data

We process your personal data for the above-mentioned purposes on the basis of the following legal principles: (a) because of our legitimate interest in the effective provision of our services to you and our customers; (b) because of our legitimate interest in the effective and lawful exercise of our business activities, unless your interests outweigh this interest; (c) because of the legal obligations applicable to us; (d) because the data is necessary to provide our services to you/our customer.

To the extent that we process sensitive personal data relating to you for any of the above purposes, we do so either because: (i) you have given us your express consent to process such data; (ii) we are required by law to process such data to ensure that we comply with our 'know your client' and 'anti-money laundering' obligations (or other legal obligations applicable to us); (iii) the processing is necessary to comply with our obligations under employment, social security or social security law; (iv) the processing is necessary to establish, exercise or defend legal claims; or (v) you have made the data public.

Where we are required by law to obtain your express consent in order to offer you certain promotional materials, we will only offer you such materials if we have received such consent from you. If you no longer wish to receive further promotional materials from us, you can click on the unsubscribe function in the message or send an e-mail to kontakt@deloitte.de and object to the processing of your personal data for these purposes at any time without stating reasons. The objection will not incur any costs other than the transmission costs according to the basic tariffs.

Who do we pass on your data to?

In relation to one or more of the subjects mentioned in the section 'How we process your data?' we may disclose details about you to: other members of the Deloitte Network; third parties who provide services to us and/or the Deloitte Network; competent authorities (including courts and authorities supervising us or other members of the Deloitte Network); your employer and/or its advisors; your advisors; organisations that assist us in identifying fraud; and other third parties who legitimately request access to personal data relating to you for one or more of the purposes set out in the section 'How we process your data'. In any case, data will only be passed on if this is also permitted under consideration of relevant confidentiality obligations.

Our Site hosts various blogs, forums, wikis and other social media applications or services that allow you to share content with other users (collectively, 'Social Media Applications'). However, when using these social media applications, please always be aware that the information disseminated via this information channel can (also) be read, collected, stored and/or used by other users of the application. We have little or no control over these other users and therefore cannot guarantee that all information you contribute to the social media applications will be handled in accordance with this privacy policy. We therefore accept no responsibility for these persons or for how these persons handle your (personal) data.

Please note that some of the above recipients of your personal information may be located in countries outside the European Union, whose data protection laws may be less comprehensive. In these cases we will ensure that appropriate security measures have been taken, to protect your personal data in accordance with our legal obligations. If the recipient is not a member of the Deloitte Network, an appropriate security measure may be a data transfer agreement with the recipient based on standard contractual clauses for the transfer of personal data to third countries recognised by the European Commission.

Further details of the above-mentioned transmissions and the appropriate security measures implemented by Deloitte in relation to these transmissions are also available from us. Please contact us at datenschutz@deloitte.de.

We may also need to disclose your personal information if we are required to do so by law, regulatory authority or legal process.

We may share non-personal, anonymous, and aggregate information with third parties for a variety of purposes, including data analysis, research, proposal preparation, thought leadership, and promotional purposes.

Please note, if you transmit data to other member companies of Deloitte Touche Tohmatsu Limited, that the individual member companies are nationally autonomous and independent, are generally subject to a law that differs from the DSGVO and, where applicable, have made a declaration that differs from this with regard to the protection of privacy and personal data. We would therefore like to ask you to read the respective privacy statements before you request the transfer of your personal data to certain other member companies of Deloitte Touche Tohmatsu Limited. This also applies if you instruct us to pass on your personal data to them. Deloitte Consulting GmbH assumes no liability for the content and/or data protection treatment of data that you or we leave on other websites at your request.

Protection of your personal data

Deloitte Consulting GmbH uses technologically generally accepted security standards to protect visitor data entered on the German website from misuse, loss and falsification. In addition, only certain Deloitte employees are authorised to access visitor data that is personally identifiable. These employees ensure that the confidentiality of this sensitive data is maintained within the scope of the purpose for which the data is transferred. This policy also applies to the website of other participating companies (including certain member companies of Deloitte Touche Tohmatsu Limited) and their employees, agents and affiliates to whom visitor information is disclosed in accordance with the purpose for which the information is provided, in accordance with the confidentiality policies of those companies.

All visitors to our websites are also advised that links (electronic 'references') on the German website lead to other websites and information provided by third parties. Unless expressly warranted above, Deloitte Consulting GmbH does not assume any responsibility for the content of third-party websites, not even with regard to compliance with certain security standards or compliance with the basic data protection regulation.

Notwithstanding the foregoing with regard to visitor data on the German website, we use various physical, electronic and operational measures to ensure that your personal data is generally secure, accurate and up to date. These measures include, but are not limited to

Although we take reasonable security measures once we have received your personal information, the transmission of data over the Internet (including by e-mail) is never completely secure. While we strive and make every effort to protect personal information, we cannot guarantee the security of any information transmitted to or from us. Please note that we have an ISO 27001 certified information security management system, which aims to ensure the optimal protection of all information processed by us.

How long do we keep your data?

We store your personal data on our systems for the longest of the following periods: (i) for as long as necessary for the activity or services in question; (ii) for a period of retention required by law; (iii) until the end of any period in which a dispute or investigation relating to the services may arise.

Specifically, depending on the category of data, Deloitte will store your personal data in accordance with the applicable legal retention requirements.

Your rights

You have various rights in connection with your personal data. In particular, you have the right:

In order to exercise your rights or in case of any other questions about how your personal data are processed by us, please send an e-mail to datenschutz@deloitte.de or write to us at the following address:

Deloitte Consulting GmbH
Schwannstrasse 6
40476 Düsseldorf

Right of appeal

If you do not agree with the way in which your personal data is processed by us, or if you have a concern or inquiry about privacy that you have directed to us, please contact datenschutz@deloitte.de. You are also entitled to contact the data protection supervisory authority responsible for Deloitte. For an overview of the competent supervisory authorities, please refer to the corporate information of Deloitte and Deloitte.

Changes to this privacy policy

We may change or amend this privacy policy if necessary.

To let you know when we make changes to this privacy statement, we will adjust the revision date at the top of the page. The new modified or amended Privacy Policy will be effective as of that revision date. Therefore, we encourage you to periodically review this Statement to be informed about how we process and protect your information.

Please note that the Deloitte Digital Website, including this Privacy Notice, has been made available to provide general information and guidance on specific topics, but not to address specific topics in greater depth. The Deloitte Website is not designed to provide binding advice (including on accounting, tax, legal or investment matters), any other service or work, or to answer any question related thereto. Accordingly, you may not rely on content on the Deloitte Digital website and should therefore always consult a suitably qualified advisor for questions regarding your personal finances and business.

Questions regarding the protection of privacy and personal data

If you have any questions about this declaration on the protection of privacy and personal data or if you think you have certain concerns about it which should be given special consideration, you are welcome to send us your questions and suggestions directly via kontakt@deloitte.de.

Privacy policy for the use of Google Analytics & Adobe Analytics

Our websites use the web analysis service Google Analytics of Google Inc. ('Google') as well as Adobe Analytics by Adobe Systems, Inc. This involves the storage of small text files known as 'cookies' on your PC by a server on the Internet, which enable an analysis of your usage behaviour on this website. The information generated and collected by the cookie is usually transferred to a Google or Adobe Analytics server in the USA where it is evaluated and stored.

If IP anonymisation is activated on this website, the IP address of Google or Adobe will be shortened beforehand within the member states of the European Union and in the other contracting states of the Agreement on the European Economic Area. The complete transfer of the IP address to the server of Google or Adobe Analytics in the USA and a shortening of the IP address there is only carried out in exceptional cases.

Google and Adobe Analytics use the above-mentioned information on behalf of the website operator in order to evaluate visitor flows and interactions on this website and to compile reports on website activities. In addition, other services related to the website and internet use are provided to the website operator.

Demographic features at Google Analytics

Our website collects information on 'demographic characteristics' from Google Analytics. This provides us with information about the age, gender and interests of our site visitors. This information is collected in Analytics once retargeting and advertising reporting features are enabled in Analytics. These features can be disabled at any time through your Google Account. Click here for more information about opting out.

It is possible for you to prevent the storage of cookies on your computer by adjusting your browser software settings accordingly and thus prevent the use of Google Analytics and Adobe Analytics. However, this setting may mean that you will not be able to use all functions of this website to their full extent.

Furthermore, you have the possibility to prevent the transmission of your data about the use of this website to and the processing of this data by Google or Adobe Analytics by downloading and installing the browser plugins available under the following links: gaoptout

II. Information on the processing of personal data pursuant to Art. 13, 14 DSGVO

In addition to the information below, please ensure that you are familiar with Deloitte's privacy policy as described above. If you have any questions of understanding or other queries, please contact us at datenschutz@deloitte.de.

Consulting Digital GmbH provides consulting services to companies and institutions from all sectors of the economy; Deloitte Consulting GmbH is a company affiliated with Deloitte GmbH Wirtschaftsprüfungsgesellschaft, which provides auditing, risk advisory, tax advisory, financial advisory and consulting services to companies and institutions from all sectors of the economy; legal advice is provided in Germany by Deloitte Legal Rechtsanwaltsgesellschaft mbH ('Deloitte Legal') (hereinafter jointly referred to as 'Deloitte'/'we'). Deloitte processes personal data as part of the assignment to provide the aforementioned services, depending on the individual assignment. This information complements the above privacy policy and is subject to the following privacy policy and provides a more detailed description of how Deloitte processes your personal data in the course of providing the commissioned service.

Please note that this information relates exclusively to personal data within the meaning of Art. 4 No. 1 DSGVO, i.e. it does not include all data and information that Deloitte receives in connection with the underlying client relationship, but essentially only such information that relates to an identified or identifiable natural person. Notwithstanding the foregoing, the statutory and contractual confidentiality and secrecy obligations to which Deloitte and the employees of Deloitte are subject, where applicable, apply in full to all data and information which we receive from you in connection with the client relationship, regardless of whether such data and information is personal data within the meaning of the DSGVO.

Responsible in the sense of DSGVO

The person responsible in accordance with Art. 4 para. 7 EU Data Protection Regulation (DSGVO) for the processing of your personal data in connection with all services provided by Deloitte Consulting is

Deloitte Consulting GmbH
Schwannstrasse 6
40476 Düsseldorf

If the contractor of a contract for the performance of our services is another German Deloitte company, this company will act as the responsible body in this case. An overview of the German Deloitte companies can be found here.

Data protection officer & data protection supervision

All German Deloitte companies have appointed data protection officers. You can reach the respective data protection officer at datenschutz@deloitte.de. The respective supervisory authorities can be found here.

Purposes of processing and legal basis for processing

Deloitte processes your personal data for the purpose of fulfilling our (pre-)contractual obligations to our customers. In this context, we process in particular your contact data such as name, address, telephone number and e-mail address for the purpose of carrying out pre-contractual measures (such as internal pre-contractual compliance checks or as part of the customer/contract annex) as well as for the performance of our respective contractual service obligations, including the administrative execution and invoicing of the respective order on the basis of Art. 6 para. 1 lit. b) DSGVO. For the management and execution of order enquiries/contracts, Deloitte uses IT systems to manage and store your personal data, but no automated decision making and profiling takes place.

Depending on the category of documents, Deloitte stores personal data for record keeping / documentation and archiving purposes in accordance with the relevant legal requirements.

As a rule, Deloitte receives the necessary personal data from the customers. To this extent, Deloitte has a legitimate interest in processing this personal data pursuant to Art. 6 para. 1 lit. f) DSGVO, as Deloitte is obliged to perform the commissioned service under the underlying contract agreement. In this context, it is essential for Deloitte to process any personal data of the contact persons and contact persons of our customer (also already in the context of the preparation of the offer).

If you yourself have commissioned Deloitte to perform certain services, such further personal data in addition to your contact details will be processed by Deloitte in the course of order processing, to the extent that this data is necessary to provide the service agreed with you and you have provided it to us. In this respect, the processing of your personal data is necessary for the performance of the contract concluded between you and Deloitte and is justified in accordance with Art. 6, Paragraph 1, Letter b) of the German Data Protection Act.

Please note that Deloitte's General Terms and Conditions of Contract generally require the client to cooperate, to provide Deloitte with all the information required for the assignment, and to ensure that the client's requirements are met, and to provide Deloitte with all documents and information necessary for the execution of the contract. In this respect, the processing of the respective order and the associated performance of the contractually agreed service by Deloitte shall not be possible or only possible to a limited extent if and to the extent that the necessary information is not provided.

Since Deloitte is legally obliged to maintain proper records, to provide comprehensive documentation of its mandates and orders (also beyond the conclusion of an order) and to comply with further storage and documentation obligations, Deloitte also processes your personal data in the context of documents to be documented, work results or related customer-related correspondence for the purposes of record keeping, documentation and archiving, both in the form of paper files and in the context of IT systems used for this purpose, on the basis of Art. 6 para. 1 lit. c) DSGVO to fulfil our aforementioned legal obligations.

Irrespective of the above-mentioned purposes, Deloitte will process your contact data (in particular name, address, e-mail address) for marketing and advertising purposes, i.e. to send you information on our other offers or events. This is done on the basis of Deloitte's consent and/or a legitimate economic interest within the meaning of Art. 6 para. 1 lit. f) to inform its customers about further offers and events of its own and thus to be able to establish and maintain a long-term customer relationship.

Finally, Deloitte will also process your contact data for the purpose of maintaining our business contacts, if we have received them within the scope of a business event, within the scope of a business appointment (e.g. by exchanging business cards) or within the scope of an order, and transfer them to the CRM system (Customer Relationship Management System) used by us.

Since Deloitte has a legitimate economic interest in maintaining contacts made in the course of its business dealings beyond the initial contact, in using them to establish a business relationship, and in staying in contact with the persons concerned for this purpose, the aforementioned processing of your personal data is based on Art. 6 para. 1 lit. f) DSGVO.

Categories of recipients of data and transfers to third countries

In connection with the execution of our commissioned service, personal data, as specified below, may also be transferred to third parties. In this respect, data may be transferred both to European and non-European countries and your personal data may be stored outside the EU:

To other Deloitte member companies 1) for the purpose of cooperation within the scope of our service provision

To the extent necessary for the provision of the commissioned service, i.e. in the case of a foreign assignment or where the expertise of a foreign colleague is required, Deloitte cooperates with other companies from the global Deloitte network. Insofar as such a transfer is made to a network company outside the EU/European Economic Area, an appropriate level of data protection is ensured by the use of standard contractual clauses of the EU Commission in the sense of Art. 46 para. 2 lit. c) DSGVO. The EU standard contractual clauses can be found at eur-lex.europa.eu.

To authorities, courts or other bodies

In connection with the performance of our services, it may also be necessary to transmit information, work results and documents to authorities, courts or other public or private bodies (in the case of a foreign assignment also abroad). The same applies to cases in which Deloitte is obligated by law, official or court order to surrender/disclose personal data. This shall only occur if there are no legal obligations to secrecy.

To Deloitte internal service providers and external IT service providers

In the course of its activities, Deloitte makes use of other German or foreign Deloitte network companies as intra-network IT service providers that provide services for the operation, maintenance and servicing of the IT systems and applications used by the Deloitte network companies. These companies with access rights to personal data are only used if this has been agreed in the contract agreements with our clients or is legally permissible in individual cases without consent.

Insofar as access is provided by a network company outside the European Economic Area, an adequate level of data protection is ensured by the use of standard contractual clauses of the EU Commission in the sense of Art. 46 (2) lit. c) DSGVO.

Specialist IT service providers used for specific mandates, e.g. for processing mandates, specialist applications and cloud services are only used in consultation with our customers where legally required.

Your rights in connection with data processing

The DSGVO essentially grants those affected the following rights, which you can assert at any time by contacting the data protection officer named in this information at datenschutz@deloitte.de or kontakt@deloitte.de.

In principle, you may at any time request information from Deloitte as to whether and what personal data about you is being processed or stored by Deloitte and how. Please note that your right to information may be limited to the extent that such information would be in conflict with professional secrecy and that confidential information would therefore be disclosed.

In addition to your right to information, you can request the correction of your data at any time. You also have the right to have your data deleted if and to the extent that the data is no longer required for the purposes for which it was collected or, if the processing is based on your consent, but you have revoked your consent. The aforementioned right to delete your data is not applicable if your data may not be deleted due to a legal obligation or if it must be processed due to a legal obligation or if data processing is necessary for the assertion, exercise or defence of legal claims.

Furthermore, you have the right to request that Deloitte limit the processing of your personal data.

In addition, there is a right to data transferability, i.e. you can demand that Deloitte provide the data you have provided in a structured, common and machine-readable format and/or that this data be transferred to another responsible party. Please note that this does not apply if you have provided us with the data on the basis of your consent or on the basis of a contract concluded with you or if the processing is carried out using automated procedures.

If Deloitte processes your personal data on the basis of Art. 6 para. 1 lit. f) DSGVO (e.g. if your employer, as a client of Deloitte, has provided us with your personal data as a contact person in your company, or if we use your contact data to send you information about Deloitte offers and events), you may object to this processing at any time.

Right of appeal to a data protection supervisory authority

In addition to the above-mentioned rights of data subjects, you also have the right to complain to a data protection supervisory authority pursuant to Art. 77 DSGVO if you believe that the processing of your personal data violates data protection law. In each case, the supervisory authority of the federal state in which the responsible authority is located is responsible.

Duration of data storage

Please note that Deloitte will store and process your personal data for as long as it is necessary to fulfil the above-mentioned processing purposes. Insofar as personal data is subject to statutory retention obligations or is part of documents subject to statutory retention obligations, Deloitte will store such data for the duration of the statutory retention period.

Depending on the category of documents, Deloitte stores personal data on the basis of applicable legal retention requirements

The longest retention period is decisive, if the data concerned are subject to different retention periods, and the legally required retention period can be extended depending on the individual case, if, for example, the information is required for the assertion, exercise or defence of legal claims even after the retention period has expired.

1) Deloitte refers to Deloitte Touche Tohmatsu Limited ('DTTL'), a private company limited by guarantee, its network of member firms and its affiliates. DTTL and each of its member companies are legally distinct and independent. DTTL (also known as 'Deloitte Global') does not itself provide services to customers. A more detailed description of DTTL and its member firms can be found at www.deloitte.com/de/UeberUns.