We process personal data of business partners and interested parties as well as their employees.

We process the following categories of personal data in particular:

• contact information, in particular salutation, first and last name, title if applicable, company if applicable, address, telephone number (landline and/or mobile), e-mail address,
• details of professional activity,
• bank account details.

Insofar as we do not receive personal data directly from data subjects (e.g. in the context of correspondence with contact persons at business partners), the data originates from our business partners.

We process personal data in accordance with Art. 6 para. 1 sentence 1 lit. b GDPR, which are necessary for the fulfillment of obligations in the context of a possible contract initiation and from the contractual relationships with our business partners.

The personal data collected will be stored until the expiry of the statutory retention obligation (e.g. ten years for tax-relevant documents or six years for other business letters in accordance with the German Commercial Code and Fiscal Code) and then deleted, unless you have consented to further storage in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR or the purpose of the data processing has not yet ceased to apply; in these cases, the personal data will be blocked until the purpose ceases to apply and then deleted.

Your personal data will only be passed on to third parties if this is necessary for the execution of the order (Art. 6 para. 1 sentence 1 lit. b GDPR).
For certain technical and organizational processes, BRP RENAUD uses the services of external service providers who are given access to personal data in order to provide these services. These service providers are bound by instructions and are obliged to comply with data protection regulations and may not use the data for any other purpose. In detail, these are the following service providers:

• We use TEAMS for virtual meetings and use the services of Microsoft in this respect. Microsoft Corporation, USA is certified in accordance with the EU-U.S. Data Privacy Framework (Art. 45 GDPR).
• We sometimes use the services of software companies for the administration, care and maintenance of our information technology systems.
• We use the services of waste disposal companies for the disposal and destruction of confidential documents.

We process personal data from our applicants.

We process the following categories of personal data:

• Personal data that you voluntarily provide to us as part of the application process - in particular your first and last name, address, e-mail address, date of birth, place of birth, profession, CV, references and special categories of personal data (e.g. information about your religious beliefs or health data).
• Additional data relevant to the application that is collected during the application process.

Your personal data will only be processed to carry out the application process. The legal basis for data processing is § 26 para. 1 sentence 1 German Federal Data Protection Act (BDSG) and Art. 6 para. 1 sentence 1 lit. b GDPR.
In the event of a successful application, the data will be transferred to your personnel file for the purpose of implementing the employment relationship, § 26 para. 1 sentence 1 BDSG.

If your application is not successful, your personal data will be deleted no later than six months after the end of the application process, unless the processing of your data is necessary for the assertion, exercise or defense of legal claims (see Art. 17 para. 3 lit. e GDPR).
Your data will only be processed beyond the specific application procedure if you have expressly consented to your data remaining stored in our database after the end of the specific application procedure so that you can be contacted by us at a later date if there are any vacancies. If you no longer want us to contact you, you can revoke your consent at any time with effect for the future in writing, by e-mail or by telephone. Otherwise we will delete your data after two years. If we contact you within this period regarding new vacancies, this period will start anew each time.

Your personal data will only be disclosed to those persons who are involved in processing your application.
For certain technical and organizational processes, BRP RENAUD uses the services of external service providers who are given access to personal data in order to provide these services. These service providers are bound by instructions and are obliged to comply with data protection regulations and may not use the data for any other purpose. In detail, these are the following service providers:

• We use TEAMS for virtual meetings and use the services of Microsoft in this respect. Microsoft Corporation, USA is certified in accordance with the EU-U.S. Data Privacy Framework (Art. 45 GDPR).
• We sometimes use the services of software companies for the administration, care and maintenance of our information technology systems.
• We use the services of waste disposal companies for the disposal and destruction of confidential documents.

1. Storage period

Personal data processed by us will be stored by us for as long as necessary for the respective purpose - in particular the processing of requests and orders. Thereafter, personal data will be deleted.

Storage beyond this is possible if you have consented to this in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR or § 25 para. 1 sentence 1 TDDDG or if we are legally obliged to retain data (e.g. ten years for tax-relevant documents or six years for other business letters in accordance with the German Commercial Code and Fiscal Code; (Art. 6 para. 1 sentence 1 lit. c GDPR).

2. Recipients or categories of recipients

The relevant recipients and categories of recipients are listed in the relevant supplementary information.

In addition to the recipients named in the supplementary information, personal data may be passed on to our website administrator, anders und sehr GmbH, Heßbrühlstraße 7, 70565 Stuttgart, Germany. The website is hosted exclusively on servers within the EU by the German service provider Host Europe GmbH, Hansestraße 111, 51149 Cologne. In both cases, the service providers are bound by instructions and are obliged to comply with data protection regulations and may not use the data for any other purpose.

3. Deactivating and deleting cookies

Some of the services described below on our website use cookies, which are stored on your end device. You can deactivate the storage of cookies on your device in your browser settings. You can also delete cookies that have been saved in your browser settings at any time. However, in this case you may not be able to use all the functions of our website to their full extent.

In some cases, the processing of data is absolutely essential in order to be able to provide our website without technical or functional restrictions and in accordance with legal requirements. In these cases, data is also processed if you have refused any additional data processing via the Consent Management ("CMT").

1. Access to our websites and server log files

Your browser automatically sends data requests to our servers in order to retrieve content from our website and display it correctly on your device. Each data request from your browser contains the following information, among other things: (dynamic) IP address, browser type and version, operating system and version, domain accessed, previously visited website and date and time of access. The data requests from your browser are automatically stored in so-called "server log files".

The data processing described is absolutely necessary to ensure that our website can be accessed and displayed correctly on your device. The legal basis for the processing of the data is Art. 6 para. 1 sentence 1 lit. b GDPR.

2. Consent management tool (CMT)

We have integrated a CMT to obtain and document your consent to data processing by various services.

When you open our website, you can use the CMT to submit declarations of consent for individual data processing operations that are stored by the CMT. For this purpose, the CMT assigns a so-called "Controller ID" and also stores information in the session storage and local storage of your browser:

Session storage:

• uc_user_country: Saves your country and region to display the output language of the Usercentrics interface in the appropriate language. Will be deleted at the end of the session. There is no access by third parties to the processed data.

Local-Storage:

• uc_tcf: Helps to query and transmit user consent. Will be deleted the next time you empty your browser cache. There is no access by third parties to the processed data.
• uc_settings: Contains your settings in Usercentrics for consenting to various data processing operations and the time of your consent/refusal. Will be deleted the next time you clear your browser cache. There is no access by third parties to the processed data.
• uc_user_interaction: Saves whether you have already selected a setting for your data processing preferences (i.e. whether you have already interacted with the CMT). Will be deleted the next time you clear your browser cache. There is no access by third parties to the processed data.

In this way, when you reopen the website, it is possible to see which data processing by which services you have consented to or not consented to. This means that you do not have to make your settings for consenting to individual data processing operations each time you visit the website. For this purpose, it is absolutely necessary to store the listed information on your end device (§ 25 para. 2 No. 2 TDDDG).
Of course, you can open the CMT at any time using the "fingerprint symbol". This allows you to easily revoke any consent you have given.

3. Cookies for the provision of the website

When you open our website, cookies, i.e. small text files, may be stored on your computer:

• PHPSESSID: Assignment of an ID for the current session - this is standard for PHP-based websites. The cookie and session ID are deleted when the website is closed. Third parties have no access to the processed data.
• wp-wpml_current_language: It stores which language the user has selected so that the correct language is displayed immediately on the next visit. The cookie and session ID are deleted when the website is closed. Third parties have no access to the processed data.

The data processing by these cookies is absolutely necessary for the provision of our website. The legal basis for data processing is § 25 para. 2 No. 2 TDDDG.

The Matomo service is integrated on our website. This is open source software that we have integrated ourselves. Data processing by the service only takes place after you have consented to this via the CMT. You can withdraw your consent at any time via the CMT (see also Section A. III. 1.).
The service collects this information about your end device and your visit to our website: The IP address of your end device (anonymized immediately after collection), date and time of the first, last and current access to our website, total number of visits to our website, location and language settings of your end device. The service also assigns a user ID to your device.
For this purpose, the service stores the following cookies, i.e. small text files, on your end device:
• _pk_id...: Stores the visitor's session ID associated with Matomo. Storage period: 13 months. There is no access by third parties to the processed data.
• _pk_ses...: Saves information about the current session. Storage duration: Is deleted after the session has ended. There is no access by third parties to the processed data.
• _pk_ref...: Saves the website that the user visited before our website (referrer). Storage period: 6 months. There is no access by third parties to the processed data.
• MATOMO_SESSID: Temporary cookie that is used for security reasons to execute the opt-out. Storage duration: Will be deleted after the session has ended. There is no access by third parties to the processed data.
The legal basis for access to stored information and the storage of information on your end device by the service is your consent (§ 25 para. 1 sentence 1 TDDDG).
The data collected is used to create and evaluate pseudonymous usage profiles. The pseudonymous usage profiles only refer to our website. Tracking across services and websites does not take place. Likewise, no personal identification of the individual visitor takes place. The legal basis for the generation of the pseudonymous usage profiles is your consent (Art. 6 para. 1 sentence 1 lit. a GDPR).
For more information on data processing by Matomo, see:
• matomo.org/gdpr-analytics
• matomo.org/faq/general/faq_18254

Read here which data is processed when you contact us or use functions of the website.

1. Contact

We collect personal data that you enter in a contact form or transmit to us in the course of contacting us. If certain input fields are marked as "mandatory", we collect the data required to carry out the requested action. Of course, you can provide us with further data if you wish.
This data is processed on the basis of Art. 6 para. 1 sentence 1 lit. b GDPR, insofar as this is necessary to carry out a measure requested by you. In all other cases, the processing is based on our legitimate interest in the effective processing of the inquiries addressed to us (Art. 6 para. 1 sentence 1 lit. f GDPR).

2. Advertising measures

We may process personal data for advertising our own services; this is a legitimate interest pursuant to Art. 6 para. 1 sentence 1 lit. f GDPR; you can object to this processing at any time (please also read section A.III.2.). If you exercise your right to object, we will store the address data mentioned in a "blacklist" to implement your objection. If you wish your data to be deleted completely, it may be processed again for advertising purposes if your data is collected again in the absence of knowledge of your objection. For the dispatch of newsletters by post, we partly use Winkhardt + Spinder GmbH & Co. KG, Ernsthaldenstraße 53, 70565 Stuttgart, Germany.

If you have consented to this (Art. 6 para. 1 sentence 1 lit. a GDPR), we will also use your data to send you an e-mail newsletter. We partly use the services of CleverReach GmbH & Co. KG, Mühlenstr. 43, 26180 Rastede ("CleverReach") for sending our e-mail newsletters.

You can unsubscribe from an e-mail newsletter at any time and thus withdraw your consent to the sending of the newsletter with effect for the future by contacting us either via the link provided in every e-mail newsletter or directly at newsletter-cancel@brp.de.

We operate a so-called "company page" on these social media platforms:

• "Facebook": Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland
• "LinkedIn": LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland
• "Xing": New Work SE, Am Strandkai 1, 20457 Hamburg, Germany

1. General information about company pages, legal basis

As the owner of an online presence on a social media platform, we process personal data if you write to us directly in a personal message or via the public comment function on the platform. Which data is collected depends on the information you provide and the contact details you provide or share. This data is processed on the basis of Art. 6 para. 1 sentence 1 lit. b GDPR, insofar as this is necessary to carry out a measure requested by you. In all other cases, the processing is based on our legitimate interest in the effective processing of the inquiries addressed to us (Art. 6 para. 1 sentence 1 lit. f GDPR).
When you visit a company page, the respective provider collects information that enables it to recognize users and comprehensively analyse user behaviour. The operator of the social media platform can also use the data collected in this way to create user profiles. If you are logged in to your corresponding social media account when you visit a company page, the respective provider can also assign this visit to your account.
The respective provider merely provides us with an anonymized statistical evaluation of the use of our company page based on the information obtained. This enables us to make our contributions even more targeted in future. In this respect, we have a legitimate interest in collecting and processing this information. In addition, we have a legitimate interest in being able to use as many communication options as possible and thus reach as many interested parties as possible personally. In this respect, the legal basis for the operation of a company page is Art. 6 para. 1 sentence 1 lit. f GDPR.
We ourselves do not pass on any personal data that we collect via our company pages to third parties. However, we can neither influence nor exclude the possibility that the providers mentioned may transfer the data collected to third parties - in particular to their partner companies, which may also be based in other EU countries. In particular, data transfers to the USA are permitted on the basis of an adequacy decision by the EU Commission if the company in the USA is certified under the EU-US Privacy Framework (e.g. Meta Platforms, Inc. and LinkedIn Corporation).
In principle, you can assert your data subject rights (please also read Section A.III.) with regard to data processing by our company pages both against us and against the respective provider. However, we would like to point out that these can be asserted most effectively with the respective provider. This is because only the respective provider has access to the user's data and can take appropriate measures and provide information directly.

Further information on data processing by the respective provider can be found at:
Facebook: de-de.facebook.com/about/privacy
LinkedIn: https://www.linkedin.com/legal/privacy-policy
Xing: https://privacy.xing.com/de/datenschutzerklaerung

2. Agreements in accordance with Art. 26 GDPR

We have concluded an agreement with Facebook and LinkedIn in accordance with Art. 26 GDPR, in which the data protection obligations arising from the operation of our company page are divided between us and the respective provider. The providers have assumed a large part of the data protection obligations, such as the fulfillment of the rights of data subjects pursuant to Art. 12 et seq. GDPR, the obligation to provide suitable technical and organizational measures to protect the security of personal data and the reporting and notification obligations in the event of a data breach. If you contact us regarding your rights as a data subject, we will immediately forward your request to the respective provider. We are obliged to do so under the agreement with the respective provider.

Further information on the agreement between us and the respective provider can be found at:
Facebook: https://www.facebook.com/legal/terms/page_controller_addendum
LinkedIn: https://www.linkedin.com/help/linkedin/answer/124838?lang=de