Data protection information for external service providers

1. Name and contact details of the person responsible

2. Contact details of the data protection officer

3. Purposes for which the personal data are to be processed and the legal basis for the processing

3.1 Data processing for the fulfillment of the contract concluded between you and us (Art. 6 para. 1 lit. b GDPR)

3.2. Data processing for the performance of a contract with legal entities (Art. 6 para. 1 lit. f GDPR)

3.3. Data processing for the management of IT systems (Art. 6 para. 1 lit. f GDPR)

4. Obligation to provide data

5. Recipients of data and data sources

5.1 Categories of recipients of data

5.2. Data sources

6. Data transfer to a third country

7. Automated decision making including profiling

8. Storage period and criteria for determining the duration

9. Information on your data subject rights

10. Right of appeal to a supervisory authority

goetzpartners Holding AG
Prinzregentenstr. 56
80538 Munich
Germany

(hereinafter "goetzpartners", "we", "us").

Holzhofer Consulting GmbH
Martin Holzhofer
Lochhamer Str. 31
82152 Planegg
Germany

Tel.: (+ 49) (0 89) 1 25 01 56 00

E-mail: datenschutzbeauftragter@holzhofer-consulting.de

As a matter of principle, we process your personal data for the purpose of establishing and implementing a contract for services or work with you. The legal basis for this is Art. 6 para. 1 lit. b GDPR, provided that the contracting party is the data subject.

In order to be able to fulfill the service or work contract, we process, as well as, if applicable, third parties or processors assigned by us, the following data from you, insofar as you have provided us with these in the course of the contractual negotiations or the data accrue in the course of the contractual relationship. These are:

• personal data (first name, last name, address, telephone, e-mail address, mobile phone number)
• bank data (esp. account number/IBAN) for transfer of remuneration
• if applicable, information on possible previous employment
• if applicable, other data in: curriculum vitae, employment references, certificates for the assessment of qualification

Health data may be requested as far as required by law, e.g. under the German Infection Protection Act (Infektionsschutzgesetz; IfSG). The provision of further health data is voluntary on the basis of your consent.

All consent is voluntary and can be withdrawn from goetzpartners at any time.

In order to be able to carry out and maintain the business relationship, in particular to carry out the preparation and fulfillment of the contract, we process, as well as, if necessary, third parties or processors assigned by us, the following data:

• Contact information of the contact person and, if applicable, further employees of the service provider

• First name, last name
• business address
• Business phone number
• business mobile phone number
• business email address

• Further information whose processing is required in the course of a business relationship with goetzpartners or which is provided voluntarily by our contact persons:

• if applicable, information on qualifications and expertise
• Information collected from publicly available sources, information databases, or credit agencies

The legal basis for the processing of your data is our legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR. A balancing of interests was carried out and came to the conclusion that the interests of the data subjects do not outweigh our interests in the implementation of pre-contractual measures and the implementation and fulfillment of contracts with service providers. We have a legitimate interest in the initiation, implementation and processing of the business relationship with our service providers, for which the processing of the above data is necessary.

If, exceptionally, access to our IT systems becomes necessary for reasons of ensuring IT security needs, further of your data (e.g. e-mail address, user ID, IP-address) will be processed for the administration and security of the IT system. This includes created and archived text documents (e.g. correspondence). This also includes data collected in the course of internet use and use of the internal WI-Fi.

Without this data processing, secure operation of the system and thus cooperation with our company is not possible.

The legal basis for this is our legitimate interest pursuant to Art. 6 para. 1 lit. f GPDR. A balancing of interests was carried out and came to the conclusion that the

interests of the external service providers concerned, among other things due to the technical and organizational measures we have taken, do not outweigh our interests in the proper and trouble-free functioning of the IT system.

The provision of personal data is necessary for the conclusion of a contract with a natural person at goetzpartners. Failure to provide would result in the contract not being concluded.

To the extent permitted by law, we share personal data with the following external recipients:

• banks involved in the disbursement
• external service providers for financial accounting
• authorities in the event of reviews/audits
• IT service provider to maintain our IT infrastructure
• lawyers in case of legal advice
• company auditor
• courts
• other third parties in the course of the transfer of functions

For the processing of personal data for the purposes mentioned here (exceptional access to IT systems), we use the following categories of recipients as processors pursuant to Art. 28 GDPR:

• software service provider for hosting and operation of online video conferencing systems
• service provider for hosting servers for the provision of web-based services
• service provider for the operation of the e-mail servers
• other software service providers

We process personal data that we have received from you in the course of concluding a contract (service or work contract) or that you have provided to us in the course of the contractual relationship.

A data transfer to countries outside the EU or the European Economic Area ("Third Countries") or to countries without an adequacy decision results within the scope of administration, development and operation of IT systems.

The transfer is made only on the basis:

• of an adequacy decision of the European Commission pursuant to Art. 45 GDPR.
• of an approved certification mechanism pursuant to Art. 42 GDPR together with legally binding and enforceable obligations of the controller or processor in the Third Country.
• of standard data protection clauses adopted by the Commission in accordance with the examination procedure pursuant to Art. 93 para. 2 GDPR.

Currently, in connection with the establishment and execution of a service/ or work contract with external service providers, data transfer to countries outside the EU and the European Economic Area ("Third Countries") takes place in the following cases:

• in case of exceptional access to our IT systems: transmission of data to Microsoft Corporation, 1 Microsoft Way, Redmond, Washington 98052-8300, USA amongst others in connection with the use of our video conferencing system.

For the USA, the European Commission has issued an adequacy decision according to Art. 46 Sec. 3 GDPR, which applies to the EU-US Data Privacy Framework (DPF). For data exports to recipients in the USA that are certified according to the DPF, the level of data protection is thus considered adequate. Microsoft is certified under the DPF and thus committing to comply with European data protection principles.

Your personal data will not be processed by goetzpartners to make automated individual decisions, including profiling, pursuant to Art. 22 para. 1 and 4 GDPR.

Personal data will generally only be kept for as long as is necessary to fulfill the purposes stated here or as required by the retention periods stipulated by law.

In the event that a service or work contract is concluded with external service providers, personal data is generally stored for the duration of the contractual relationship. Personal data may also be stored for the performance of a task that is in the public interest or in the exercise of official authority.

In addition, personal data may also be stored for the duration of the exercise or defense of legal claims. For these cases, the data will be stored after termination of the contractual relationship, in principle until the expiry of the statutory limitation period (three years from the origin/knowledge of the claim).

Individual documents may furthermore be retained for a period of up to six years (in accordance with the German Income Tax Act (Einkommensteuergesetz) and the German Tax Code (Abgabenordnung) or for up to ten years respectively (in accordance with the German Commercial Code (Handelsgesetzbuch).

Should exceptionally our Wi-fi be used: When using the internal Wi-fi, log data ("log files") about the type and extent of use of the services will be stored for 24 hours. These include for example the IP address/MAC-address of the user, personal authorization identifiers, location data, as well as the start and end of the respective connection according to date and time, as well as other traffic data necessary for the establishment and maintenance of telecommunications.

The company responsible for processing your data is goetzpartners Holding AG, Prinzregentenstr. 56, 80538 Munich, Germany, unless otherwise indicated.

You can request information from us at any time (Art. 15 GDPR) about the data stored about you and request their rectification (Art. 16 GDPR) in the event of errors. Furthermore, you may request the restriction of processing (Art. 18 GDPR), the portability (Art. 20 GDPR) of the data provided to us by you in a machine-readable format or request the erasure of your data (Art. 17 GDPR) - insofar as they are no longer required. In addition, you have the right to object at any time to the use of your data based on public or legitimate interests (Art. 21 GDPR).

Insofar as we process your data on the basis of consent given by you, you may revoke this consent at any time with effect for the future (Art. 7 para. 3 GDPR). As of the receipt of your revocation, we will no longer process your data for the purposes specified in the consent.

If you wish to exercise your data protection rights, please send your request to:

goetzpartners Holding AG
Prinzregentenstr. 56
80538 Munich
Germany

E-mail address: info@goetzpartners.com

E-mail address: datenschutzbeauftragter@holzhofer-consulting.de

In addition, you can file a complaint with a supervisory authority at any time. The Bayerische Landesamt für Datenschutzaufsicht (Bavarian State Office for Data Protection Supervision), PO box 1349, 91504 Ansbach, Germany, is generally responsible for us. Alternatively, you can approach your local supervisory authority.

Status: October 2023