Privacy notice

§ 1 Controller

§ 2 The data protection officer

§ 3 General information on data processing when visiting our website

§ 4 General information on the use of cookies

§ 5 Use of Google Analytics

§ 6 Hesse Chat

§ 7 Registration and order

§ 8 Contact form

§ 9 Newsletter

§ 10 Processing your customer and delivery details as part of commercial communication

§ 11 Your rights as a data subject

§ 12 Integration and use of various social networks

§ 13 Information on events

§ 14 Further information and amendments

As the site operator, Hesse GmbH & Co. KG (hereinafter: "we") is the data controller responsible for processing the personal data of the website's users. Our contact details can be found below under "controller".

We take the protection of your privacy and private data very seriously. We collect, store and use your personal data in compliance with the contents of this privacy statement and the applicable legal provisions on data protection, in particular the European General Data Protection Regulation (GDPR) and national provisions on data protection.

With this privacy statement, we would like to inform you about the scope and purpose of processing personal data in connection with using the website.

§ 1 Controller

Hesse GmbH & Co. KG
Warendorfer Straße 21
D-59075 Hamm
Telefon: +49 2381 963-00
Telefax: +49 2381 963-849
info(at)hesse-lignal.de

§ 2 The data protection officer

Michael Herzig, pco GmbH & Co. KG
Email: datenschutz(at)hesse-lignal.de
Tel.: +49 2381 963-00

§ 3 General information on data processing when visiting our website

Type and purpose of processing: When you access our website, general information is automatically recorded. This information (server logfiles) contains the type of web browser used, the operating system used, information about the browser type and the version used, the domain name of your internet service provider, the host name of the accessing computer, your IP address, the website through which you accessed our website, websites which are accessed through our website, the date and time of access, a report on whether access was successful and information on the amount of data transferred.

This information is particularly processed for the following reasons:

• To ensure a seamless connection to the website

• To ensure seamless use of our website

• To analyse system security and stability and

• for further administrative purposes

Our legitimate interest in data processing is based on these purposes. We do not use your data to trace your person. Any information of this type will only be used for statistical analyses, in order to optimise our website and the technology used in it.

Legal basis: Processing takes place on the basis of article 6 para. 1 lit. f) GDPR and on the basis of our legitimate interest in improving the stability and functionality of our website.

Recipients: The recipients of the data are technical service providers, who are employed to operate and maintain our website as data processors.

Storage duration: The data is deleted as soon as it is no longer required for the purpose of collection. This is generally the case for data used to provide the website upon termination of the session.

Provision mandatory or required: The provision of the aforementioned personal data is neither legally or contractually mandatory. Without the IP address, however, the service and functionality of our website cannot be guaranteed. Furthermore, individual services may be restricted or unavailable. Objection on this basis is excluded.

§ 4 General information on the use of cookies

Type and purpose of processing: Like many other websites, we use so-called "cookies". Cookies are small text files which are stored on your end device (laptop, tablet, smartphone etc.) when you visit our website. Through these, we obtain specific data, such as your IP address and the browser and operating system you use. Using the information contained in the cookies, we can simplify your navigation of our website and display it correctly. Under no circumstances will the data we collect be passed onto third parties or linked to other personal data without your consent. Of course, you can also theoretically view our website without cookies. Browsers are configured so as to automatically accept cookies. Generally, you can deactivate the use of cookies at any time in your browser settings. Please consult the help centre in your internet browser in order to learn how to change these settings. Please note that certain functions of our website may not work if you have deactivated the use of cookies.

Storage duration and cookies used: If you allow cookies through your browser settings or by consenting to their use, the cookies will be used on our website. Insofar as these cookies (also) concern personal data, we will inform you of such using our consent banner. You can delete individual cookies or the entire cookie cache in your browser settings. Moreover, you can receive information and instructions on how these cookies are deleted or how to block their storage in advance.

You can access the cookie settings and adjustment options via the "privacy settings" symbol at the bottom left or here.

§ 5 Use of Google Analytics

Type and purpose of processing: This website uses Google Analytics, a web analysis service provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043 USA (hereinafter: "Google"). Google Analytics uses so-called "cookies", text files stored on your computer that allow analysis of your use of the website. The information created by the cookie on how you use this website is generally sent to and stored on a Google server in the USA. However, where IP anonymisation is activated on this website, your IP address is shortened beforehand by Google within Member States of the European Union or in other states party to the Treaty on the European Economic Area. The full IP address is only sent to and stored on a Google server in the USA in exceptional circumstances. Google will use this information on behalf of the operator of this website to assess how it is used, to compile reports into the website activities and to provide the website operator with additional services associated with the use of the website and the internet. The IP address of your browser passed under Google Analytics is not included with other data from Google. The purposes for data processing are the analysis of use of the website and the compilation of reports on website activity. On the basis of your use of the website and the internet, additional, associated services will be provided.

Legal basis: The processing of data takes place on the basis of user consent (article 6 para. 1 lit. a GDPR).

Recipients: The recipient of the data is Google.

Storage duration: The data will be deleted as soon as it is no longer required for our recording purposes, generally after six months.

Provision mandatory or required: The provision of your personal data is voluntary and solely on the basis of your consent. Of course, you can also theoretically view our website without cookies. Browsers are configured so as to automatically accept cookies. Generally, you can deactivate the use of cookies at any time in your browser settings (see revoking consent). Please note that certain functions of our website may not work if you have deactivated the use of cookies.

Revoking consent: You can prevent cookies from being stored by setting you browser software accordingly. We must point out however that in this event not all functions of this website can be used to their full extent.

Using the options in our consent banner, you can also prevent the use of Google Analytics. You can access the cookie settings and adjustment options via the "privacy settings" symbol at the bottom left.

Profiling: Using the tracking tools, Google Analytics can analyse the visitor's behaviour and their interests. When doing so, we use an anonymised user profile.

You can access the cookie settings and adjustment options via the "privacy settings" symbol at the bottom left or here.

§ 6 Hesse Chat

Type and purposes of processing: On our website, we use the chat function provided by Onlim (Onlim GmbH, Michael-Gaismair-Straße 13, 6410 Telfs, Austria, hereinafter "Onlim"). Use of the chat function establishes a direct connection to Onlim's servers. By typing in the chat, data is sent to the Onlim server. An employee from our service department will process your query or resolve your issues in the chat. The conversations are assigned a randomly-generated pseudonym, so that the chat user cannot be identified, thus ensuring the anonymity of the user. The duration and time of communication will be stored anonymously for the purpose of statistical analysis, in particular the optimisation of the service. Further information on privacy with Onlim can be found at onlim.com/en/privacy-policy. The provision of further data is optional. Further personal data, where required, will only be used to answer your query.

Legal basis: Processing the data entered into the chat window takes place on the basis of a legitimate interest (article 6 para. 1 lit. f GDPR). By providing the chat, we would like to enable a simple way to get in touch with us. The details you enter will be stored in order to process the query and any subsequent questions.

Recipients: The recipient of the data is the processor (e.g. Onlim).

Storage duration: If personal data is required in order to fulfil your query, the details you input will be stored by us for 14 days. Moreover, we only store your data insofar as statutory provisions permit or insofar as we require your data to assert or defend legal claims. The chat record will be made available to the chat user for 12 hours.

Provision mandatory or required: The provision of your personal data is voluntary. It may be the case that we can only process your query if you provide us with your name or email address.

§ 7 Registration and order

Type and purpose of processing: You can register to use our online website (online order tracker, download of safety sheets, additional information/documents). In connection with the registration, you are required to provide us with certain data ( at least your such as your first and surname, address and email address). In addition to this, we collect the date and time of registration and your IP address.

Registration is voluntary. You are, however, not obliged to register and you can, for example, make an order as a guest. You have the benefit of not having to enter this data every time you use the website or make an order and you can benefit from the use of our abovementioned customer portal.

Legal basis: The legal basis for processing the registration data is our legitimate interest, according to article 6 para. 1 lit. f GDPR, as we would like to get in touch with you based on your interest in our products. Insofar as you register with us to fulfil or arrange a contract (e.g. when ordering via our webshop) an additional legal basis for processing the data is article 6 para. 1 lit. b) GDPR.

Storage duration: Your personal data is generally deleted or block once the purpose for storage no longer applies. Moreover, data will be stored to fulfil statutory commercial and fiscal retention periods (generally six or ten years) insofar as longer storage is not required to defend legal claims. You can request the erasure of your customer account at any time.

Recipients: We only use your personal information within our company and related companies, as well as companies who are tasked with processing the order. To process orders, we work together with various companies who are responsible for the processing of payment (see § 9 payment processing) and logistics. We thereby ensure that our partners also uphold the legal provisions on data protection. Therefore we provide your address data (name and address) to the relevant transportation company, so that they can deliver the product to you. The legal basis for this is article 6 para. 1 lit. b) GDPR.

Storage duration: The data will only be stored by us for as long as is required for the fulfilment of the contract. Moreover, we store this data for the legally required duration so as to fulfil post-contractual obligations and legal trade and fiscal retention periods. This retention period generally lasts 10 years from the end of the relevant calendar year.

§ 8 Contact form

Type and purpose of processing: The data you input will be stored for the purpose of individual communication. This will require the provision of a valid email address and your name. We also store your IP address, as well as the date and time of your query. We only process the data transmitted through the contact form in order to answer your query or address your issue.

Legal basis: Processing the data entered into the contact form takes place on the basis of a legitimate interest (article 6 para. 1 lit. f GDPR). By providing the contact form, we would like to enable a simple way to get in touch with us. The details you enter will be stored in order to process the query and any subsequent questions. If you get in touch with us to ask about an offer, the data input in the contact form will be used to establish pre-contractual measures (article 6 para. 1 lit. b GDPR).

Recipients: The recipient of the data is any relevant processor.

Storage duration: Data will be deleted no later than 6 months after processing the query. If a contractual relationship is then established, we are subject to the statutory retention periods as set out in the German Commercial Code (HGB) and we will delete your data upon expiry of these dates.

Provision mandatory or required: The provision of your personal data is voluntary. It may be the case that we can only process your query if you provide us with your name, email address and the reason for your query.

§ 9 Newsletter

Type and purpose of processing: When you subscribe to our newsletter, your email address will be used for advertising purposes until you unsubscribe. In connection with this, you will receive regular information on current issues by email, as well as emails on certain occasions, such as during special campaigns. The emails may be personalised and customised based on the information we hold about you. To receive the newsletter, the input of your email address will suffice. To subscribe to our newsletter and insofar as you have not provided us with your written consent, we will use the so-called double-opt-in procedure, whereby we will only send you a newsletter by email once you have explicitly confirmed in advance that you would like us to send it. We will then send you an email notification and ask that you click on a link contained in this email to confirm that you would like to receive our newsletter. If you do not confirm your registration within 24 hours, your information will be blocked and automatically deleted after one month.

The Hesse newsletter contains so-called tracking pixels. A tracking pixel is a miniature graphic, which is embedded in emails and sent in HTML format, in order to record logfiles and enable logfile analysis. It enables the statistical analysis of the success (or lack thereof) in online marketing campaigns. By using the embedded tracking pixels, Hesse can tell whether and when an email was opened by the person in question and which links in the email were invoked by the person in question. The personal data gathered by the tracking pixels in newsletters is stored for the purpose of processing. It is analysed in order to optimise the newsletter and to adjust the content of future newsletters to better match the interests of the person in question. This personal data is not passed onto third parties. You can object to this tracking at any time by clicking on the dedicated link provided in each email or by getting in touch with us through another means. This information is stored for as long as you subscribe to the newsletter. After deregistering, we store purely statistical and anonymous data.

Legal basis: On the basis of your explicit consent (article 6 para. 1 lit. a GDPR), we regularly send our newsletter or similar information by email using the address provided.

Recipients: The recipient of the data is any relevant processor.

Storage duration: The data is only processed for this purpose insofar as consent has been given. Thereafter it will be discarded. Analyses on newsletter statistics will be deleted after one month.

Provision mandatory or required: The provision of your personal data is voluntary and solely on the basis of your consent. Without your consent, we cannot send you the newsletter.

Objection and rectification option: The consent to store your personal data and use it to send the newsletter can be revoked at any time with future effect. You can find the corresponding link for this in each newsletter. You can also revoke your consent by getting in touch with us via the contact details in this privacy notice.

§ 10 Processing your customer and delivery details as part of commercial communication

Type and purposes of data processing: We gather and store your data in order to communicate with you for commercial purposes. This may take place in order to establish a commercial relationship, to fulfil contractual and legal obligations, to offer products and services or to strengthen customer relationships, whereby we simultaneously have a legitimate interest in data processing. The data may also be used to process any warranty or liability claims. Without providing your personal data, we often cannot achieve the aforementioned objectives.

Legal basis: Depending on the phase of contact, the following legal bases for processing your data may apply:

• For the conduct of pre-contractual measures or to fulfil a contract, the basis is article 6 para. 1 lit. b) GDPR

• For the fulfillment of legal obligations that we are subject to, it is article 6 para. 1 lit. c) GDPR

• To protect our legitimate interests, it is article 6 para. 1 lit. f) GDPR

• If you have provided us with your consent to process data, it is article 6 para. 1 lit. a) GDPR

Recipients or categories of recipients of the data: Within our company, we ensure that only the people required to fulfil the contractual and legal obligations shall obtain your personal data. We partly use other service providers and contractors to process transactions. It may be the case that our service providers are also located in a third country outside the EU, in which an adequacy decision by the Commission is not present. If required, we will conclude standard EU Commission contract clauses with these service providers. Insight into the relevant documents can be obtained via our data protection officer.

Duration of storing your personal data: Your personal data is generally deleted or block once the purpose for storage no longer applies. Continuing obligations require the storage of personal data during the contract period. Certain guarantee periods may need to be adhered to for this. Moreover, data will be stored to fulfil statutory commercial and fiscal retention periods (generally six or ten years) insofar as longer storage is not required to defend legal claims.

Provision mandatory or required: An obligation to provide your personal data may arise as part of the relevant contractual relationship.

§ 11 Your rights as a data subject

Using the contact details for our data protection officer, you can exercise the following rights at any time with regards to all of the data processes described above:

• Information about the data we store on you and its processing (article 15 GDPR)

• Rectification of incorrect personal data (article 16 GDPR)

• Erasure of the data we store on you (article 17 GDPR)

• Restriction of data processing, unless we are not allowed to delete your data due to legal obligations (article 18 GDPR)

• Object to the processing of your data (article 21 GDPR) and

• Data transferability, unless you have consented to data processing or if you have concluded a contract with us (article 20 GDPR)

If you have given us your consent, you can revoke it at any time with future effect. You can appeal to a supervisory authority at any time, e.g. the relevant supervisory authority in the state of your residence, or to the supervisory authority applicable to us. A list of supervisory authorities (for the non-public sector) with addresses can be found at:

https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html

§ 12 Integration and use of various social networks

General information on processing your data: Hesse maintains numerous company profiles on various social networks and similar platforms. This concerns Facebook, Instagram, LinkedIn, XING and YouTube. These pages aim to promote the company and establish a means of contact for potential customers and customers. We place some links to these websites on our own pages.

If you use our profile on social networks to contact us (e.g. by making your own posts, reacting to our posts or sending a private message to us), we will process the data shared with us solely for the purpose of getting in touch with you in order to resolve your issues.

We wish to point out, however, that the personal data you provide in the abovementioned networks is also gathered, used and stored by the operators of the respective social networks. This is even the case if you do not have a profile with the respective social networks. The individual data processing procedures and their extent vary depending on the operator of the social network and they are not necessarily transparent to us. It cannot therefore be excluded that your data may be processed by the provider of the respective platform for market research and advertising purposes. It is therefore possible, for example, for user behaviour and the resulting user interests to result in the creation of a user profile. Such user profiles may be used, for example, to display advertisements on and off the respective platforms, which roughly correspond to the user's interests. Furthermore, the user profiles may also store information on the devices used by the users, as well as location data and other so-called meta data. For these purposes, cookies and similar files are generally stored on the users' computers, which store the user behaviour and interests. Moreover, most platforms use so-called tracking pixels.

For detailed information on the respective processes and objection options (opt-outs), we refer you to the details linked below on the respective providers:

Facebook fan page: As the operator of a Facebook fan page, we can only see the information stored in your public Facebook profile (only if you have such a profile), and if you are logged into this when you access our fan page. Facebook also provides us with anonymous user statistics, which we use to improve our user experience when visiting our website. However, we do not have access to the individual user data, which Facebook gathers in order to generate these statistics. Nor do we make any decisions with regards to the processing of insight data and all other information resulting from article 13 GDPR, including legal bases, the identity of the responsible party or the storage duration for cookies on users' end devices. Facebook has undertaken to assume primary responsibility under the GDPR for the processing of this data, to fulfill all obligations under the GDPR with regard to this data and to make the fundament of this obligation available to the data subjects (see under

https://www.facebook.com/legal/terms/page_controller_addendum).

Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland)
Privacy policy: www.facebook.com/about/privacy/ Information on insight data:

https://www.facebook.com/legal/terms/information_about_page_insights_data

Instagram:
Instagram (Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA)
Privacy policy/ Opt-Out: instagram.com/about/legal/privacy/

LinkedIn:
LinkedIn (LinkedIn Ireland Unlimited Company Wilton Place, Dublin 2, Ireland)
Privacy policy: www.linkedin.com/legal/privacy-policy

XING:
XING AG, Dammtorstraße 29-32, 20354 Hamburg, Germany)
Privacy policy: https://privacy.xing.com/de/datenschutzerklaerung

Google / YouTube:
Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
Privacy policy: https://policies.google.com/privacy,
Opt-Out: adssettings.google.com/authenticated,

Legal basis Communication data: Depending on the phase of contact, the following legal bases for processing your data may apply:

• For the conduct of pre-contractual measures or to fulfil a contract, the basis is article 6 para. 1 lit. b) GDPR

• For the fulfillment of legal obligations that we are subject to, it is article 6 para. 1 lit. c) GDPR

• To protect our legitimate interests, it is article 6 para. 1 lit. f) GDPR

• If you have provided us with your consent to process data, it is article 6 para. 1 lit. a) GDPR Other processing: Other data processing used as part of the social networks serve our legitimate interest and those of the respective providers, to target the improvement of the user experience when visiting our company profiles. The legal basis for data processing is therefore article 6 para. 1 lit. f) GDPR. If the user is requested by the respective platform operator to provide consent to mandatory data processing, the legal basis for processing is article 6 para. 1 lit. a) GDPR.

Duration of storage: We delete the stored data as soon as storage is no longer required or as soon as you request its erasure. In the event of statutory retention periods (generally six or ten years), we restrict processing of the stored data, unless longer storage is required to defend legal claims.

Recipients: We do not pass on the data we obtain about you to third parties. We cannot, however, exclude (nor do we have influence over) the extent to which the network operators pass on your data to third parties (e.g. business partners, advertising agencies etc.).

Third country transfers: We wish to point out that user data in social networks may also be processed outside the European Union. This may result in risks for the user, for example it may become more difficult for the user to assert their rights.

Your rights as a data subject: Supplementary to the section "Your rights as a data subject", we wish to point out that your rights (in particular your right to information) is most effectively asserted directly to the provider. Only the providers have access to the user data and can take corresponding measures to provide information. If you still require help, you can contact us.

§ 13 Information on events

Type and purposes of data processing: As part of the planning and conduct of events, we process personal data from participants and any service providers. This includes the names, contact details, occasion and time of the event, as well as any billing details. This is required to identify participants, plan and organise the event or, where relevant, to provide proper invoices, amongst other things.

During our advertising events, it may be the case that we take photographs for presentation and advertising purposes. The production of photos should primarily document the character of the event, so that no individual photographs need to be taken (where possible). Any photos from events will be published across various media.

Recipients: We partly finance our events through manufacturers and partner companies. It may be the case that we pass on your participant data in order to pursue commercial activity with you.

Legal basis: The legal basis for processing in connection with participant registration is article 6 para. 1 lit. b GDPR. The production and publication of photos during events is subject to our legitimate interest, according to article 6 para. 1 lit. f GDPR and § 23 German Copyright Act (KuG).

Duration of storage: The data is deleted as soon as it is no longer required for the purpose of collection. During the registration process, this is in order to fulfill a contract or to carry out pre-contractual measures when the data is no longer required for the execution of the contract. Even upon concluding the contract, it may be necessary to store personal data in order to meet contractual or statutory obligations. Furthermore, warranty periods must be adhered to and data may be stored for fiscal purposes. The exact storage periods that must be adhered to cannot be specified in general terms, but must be determined for the respective concluded contracts and contracting parties in each individual case.

Provision mandatory or required: The provision of personal data is required in order to conduct the event. Without these details, we cannot permit you to access the event.

Objection and rectification option: As a user, you have the option to delete your registration at any time. The data stored on you can be modified by you at any time. The publication of photos in which you can be identified can be objected to at any time. The contact options can be found above under the name and address of the data controller and data protection officer. If the data is required to fulfil a contract or to conduct pre-contractual measures, premature erasure of the data is only possible if it is not subject to contractual or statutory obligations on deletion.

§ 14 Further information and amendments

Links to other websites

Our website may contain links to other websites. These links are generally marked as such. We have no influence over the extent to which the linked websites uphold the provisions on data protection. We therefore recommend that you also read the other websites' privacy statements.

Amendments to this privacy statement

The date of this privacy statement will be stated (below). We retain the right to amend this privacy statement at any time with future effect. In particular, amendments are made for technical adjustments to the website or changes to the legal provisions on data protection. The currently valid version of the privacy statement is always available on the website. We recommend that you read about amendments to this privacy statement on a regular basis.

Date of this privacy statement: December 2020

There will be no automatic decision-making on the basis of the personal data collected through use of the website. Parts of this privacy notice were generated with the aid of activeMind AG, the experts for external data protection officers (Version #2019-04-10).