DATA PROTECTION INFORMATION

In general, you can visit the VREP website without us needing any personal data. We do not know the name of your internet service provider, the website from which you visit us, or which websites you visit on our site. Each individual visitor remains anonymous to us. Solely for the purpose of analysis and better adaptation of the website are information about the accessed pages and the accessing browser type stored. IP addresses are anonymized during the storage, and access domain names are not stored.

Personal data is only collected and processed for this purpose if you enter it, e.g., to subscribe to our newsletter.

2.1 Use of Cookies

In some areas of the website, VREP uses so-called cookies to provide you with more individualized services. Cookies are identifiers that a web server sends to your computer to identify it for the duration of your visit. You can configure your browser to notify you about the placement of cookies or to prevent them. Generally, VREP uses cookies exclusively for the purpose of technical session control in areas associated with personal logins. Each cookie only stores the identity (ID) of the user session to enable assignment to the user. These cookies are not persistent but are stored only for the duration of the session or browser use. Exceptions are cookies used for integrated analytics services. For data protection reasons, cookies used to disable the collection of analytics data must be stored permanently. The legal basis for the use of cookies and access to the required device information of your end device is your consent in accordance with § 25 Telecommunications Digital Services Data Protection Act (TTDPA).

Open Cookiepreference

2.2 Analytics Services

We use Matomo as an analytics tool for our website. Matomo is an open-source software that uses cookies stored in your browser to analyze the use of our website. These are plain text files. The data is stored by Matomo on a server in Germany. The information generated by the cookie, including your anonymized, shortened IP address, is transmitted to our server. Unlike other analytics tools, the information for usage analysis is stored solely on our server and not shared with third parties. The anonymization of your IP address is automatic and immediate, so that you remain anonymous to us as a user. We do not create usage profiles of any kind at any time.

2.3 Possibility to object

You can prevent the use of cookies by selecting suitable settings in your browser software. However, in this case you may not be able to fully use all functions of this website.

If you do not agree with the storage and evaluation of data from your visit, you can object to the storage and use at any time by making an individual selection in the cookie banner. Even in the case of objection, we use a cookie to inform our system that you do not consent to any form of evaluation of your visit. With the placement of the cookie in your browser, no further session data will be collected.

Please note: If you delete all cookies in your browser, the cookie that prevents the evaluation of session data will also be deleted. In this case, it must be reactivated via our data protection page.

2.4 Google Maps

This website uses Google Maps from Google Inc. of the provider Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. By using this website, you agree to the collection, processing, and use of automatically collected data by Google Inc., its representatives, and third parties. Further information on the terms of use and data processing by Google can be found here:
Terms of Use: https://policies.google.com/terms
Privacy Policy: https://policies.google.com/privacy

2.5 Use of the Contact Forms

The data you have entered in the contact forms on our website (e-mail address, request, first name, last name, and company name) is encrypted and sent to VREP. Third parties cannot access your data.

VREP uses this data exclusively to respond to your inquiry or to fulfill your information request and to send you the requested materials. Your data will then be deleted and not shared with third parties, unless subject to legal retention obligations. If you enter and submit your data via the contact form, we will only use this data to process your request. There is no transfer of your data to third parties. The legal basis for processing your personal data is Art. 6(1)(b) GDPR if your request is necessary for the performance of pre-contractual measures, otherwise our legitimate interest pursuant to Art. 6(1)(f) GDPR to process user inquiries.

We store the personal data transmitted to us through the use of the contact form only for the purpose of processing your request or if this is required by statutory retention periods. This does not affect your rights below, including the right to erasure.

2.6 Use of the VREP Login Area

VREP operates an exclusive, password-protected area within its website for business partners and portfolio companies. Information on events and materials for workshops for our portfolio companies are available for free download in the login area. The purpose of data processing here is to provide information and materials on events and workshops from various areas. The legal basis for the processing of your personal data is your consent in accordance with Art. 6 (1a) GDPR. You can withdraw your consent at any time.

The following categories of data are processed:

• Data for correct addressing, e.g., salutation and title
• First and last name
• Company name
• Position
• Contact details, e.g., telephone number, email address
• Username
• Password

Personal data collected within the VREP login area will be stored for an indefinite period subject to withdrawal of the consent by the data subject. This does not apply after the end of the business relationship (e.g., after the termination of an engagement with one of our portfolio companies). In this case, the personal data will be deleted in accordance with the respective retention periods for business partners (see information for business partners, service providers, customers, and journalists).

We maintain publicly accessible profiles on social networks.

Links to our social media presences can be found on our website. Once you click on one of these buttons, the respective link to the social network is called up, and the respective social network is informed that you have visited our website with your IP address.

Social networks can generally comprehensively analyze your user behavior when you visit their website or a website with integrated social media content. By visiting our social media presences, numerous data protection-relevant processing operations are triggered. We point out that, as the provider of VREP´s company profile, we have no knowledge of the content of the transmitted data or its use by the network operators. Please refer to the terms of use and privacy policies of the respective social media portals for details.

3.1 Legal Basis

Our social media appearances aim to ensure the broadest possible presence on the internet. This constitutes a legitimate interest within the meaning of Art. 6 (1f) GDPR. The analysis processes initiated by the social networks may be based on different legal bases, which must be specified by the operators of the social networks (e.g. consent within the meaning of Art. 6 (1a) GDPR).

3.2 Data controller and Assertion of Rights

When you visit one of our social media profiles (e.g. LinkedIn), we are jointly responsible with the operator of the social media platform for the data processing operations triggered during this visit. You can assert your rights (right of access, right of correction, right of deletion, restriction of processing, right of data portability and complaint) both against us and against the operator of the respective social media portal.

Please note that despite our joint responsibility with the social media platform operators, we have only very limited influence on the data processing operations of the social media platforms.

3.3 Storage period

The data collected directly by us via the social media presence will be deleted from our systems as soon as the purpose for its storage no longer applies, you ask us to delete it, or you revoke your consent to its storage. Stored cookies remain on your end device until you delete them. Mandatory statutory provisions – in particular retention periods – remain unaffected.
We have no control over the storage period of your data, which is stored by the operators of social networks for their own purposes. For details, please contact the operators of the social networks directly.

3.4 Linking to LinkedIn

Links to the social network LinkedIn are integrated on our website. The provider is LinkedIn Corporation, 2029 Stierlin Court, Mountain View, CA 94043, USA. You can recognize the link by the LinkedIn logo.

We would like to point out that as the provider of our LinkedIn company page, we have no knowledge of the content of the transmitted data or its use by LinkedIn. If you do not want LinkedIn to establish an association, you must log out of your LinkedIn account.

Further information on this can be found in LinkedIn’s privacy policy at: https://www.linkedin.com/legal/privacy-policy.

If you are or want to be a business partner, service provider, or customer of VREP, or if you are a journalist, we need to collect and use certain information about you and/or individuals within your organization in order to fulfill our contractual obligations or to communicate with you. Without this data, we will generally have to decline to enter into a contract or may no longer be able to maintain an existing contract and may have to terminate it.

We process personal data that we receive from you in the course of our business relationship. In addition, we process – to the extent necessary for the provision of our services – personal data that we have lawfully obtained from other companies within the Volksbanken Raiffeisenbanken Cooperative Financial Network or from other third parties (e.g. for the execution of orders, for the fulfillment of contracts or on the basis of your consent). Furthermore, we process personal data that we have lawfully obtained and are permitted to process from publicly accessible sources (e.g. land registers, commercial and association registers, press, media).
We process the contact details of the contacts of our customers, business partners and persons who contact us (e.g. contacts of potential customers) as well as of journalists who are in contact with us. We process this contact information in order to be able to conduct business communication with the relevant contact person in a targeted manner, to be able to conduct specific business, respond to specific inquiries, or to be able to fulfil any legal obligations in this context.
The processing of contact details also serves to ensure that data contained in the communication does not reach unauthorized persons. If we have not received your contact details directly from you, your employer, possibly represented by your superior or predecessor, has provided them to us.

Relevant personal data includes personal details (name, address and other contact details, date and place of birth), identification data (e.g. ID card details) and authentication data (e.g., signature sample). Nationality is only collected when legally or regulatorily required.

In addition, this may also include data related to a possible equity investment (direct investment or mezzanine) or its evaluation; as well as data related to fulfilling our contractual obligations in our function as a financial investor. Register data, data on your use of our telemedia (e.g., time of accessing our websites, apps or newsletters, pages clicked on or entries made), and other data comparable to the categories mentioned may also be relevant.

Furthermore, we also process information about which transactions or topics the contact persons of our customers, interested parties and business partners are responsible for and – if communicated to us- what tasks and decision-making authorities the contact persons have. This may also include information on the power of attorney or procuration (type and scope of the power of representation). If it is necessary to fulfill compliance obligations, e.g., to prevent money laundering or to identify the acting persons for a beneficial owner, further information on the contact person may be processed.

4.1 Purpose and Legal Basis

We process personal data in accordance with the provisions of the European General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG):

a) To fulfill contractual obligations (Art. 6(1)(b) GDPR)

The processing of personal data (Art. 4 No. 2 GDPR) takes place in the context of our investment activities or during the initiation and examination of an investment as a financial investor in companies, in particular for the execution of our contracts or pre-contractual measures with you.

The purposes of data processing primarily depend on the specific project (e.g. direct investment, mezzanine investment, exit process, etc.).

b) Within the scope of legitimate interests (Art. 6(1)(f) GDPR)

If necessary, we process your data beyond the actual fulfillment of the contract to protect our legitimate interests or those of third parties, such as in the following cases:

• Advertising, provided you have not objected to the use of your data;
• Assertion of legal claims and defense in legal disputes;
• Ensuring the IT security and IT operations of the company;
• Prevention and investigation of criminal offenses;
• Measures for business management and further development of services and
• products.

C) Based on your consent (Art. 6(1)(a) GDPR)

If you have given us your consent to process personal data for certain purposes (e.g., transfer of data within an association/group), the legality of this processing is based on your consent. You can withdraw your consent at any time.

d) Due to legal requirements (Art. 6(1)(c) GDPR) or in the public interest (Art. 6(1)(e) GDPR)

In addition, as a corporation with multiple corporate investments and as a subsidiary of a bank, we are subject to various legal obligations, i.e., legal requirements (e.g., Banking Act, Anti-Money Laundering Act, Securities Trading Act, Tax laws) as well as banking supervisory requirements (e.g., from the European Central Bank, European Banking Authority, German Federal Bank and Federal Financial Supervisory Authority). The Purposes of processing include, among others, identity verification, fraud and money laundering prevention, compliance with tax reporting obligations, as well as risk assessment and management.

4.2 Data Recipients

Within our company, only those departments that require your data to fulfil our contractual and legal obligations will have access to it. Our processors (Art. 28 GDPR) may also receive data for the purposes mentioned above. These include companies in the categories such as credit services, IT services, printing services, telecommunications, consulting as well as sales and marketing.

Regarding the transfer of data to recipients outside our company, it should first be noted that we are bound by confidentiality agreements regarding all customer-related facts and assessments. We may only disclose information about you if this is required by law or regulations, allowed by contractual agreements between you and us or if you have given your consent. Under these conditions, recipients of personal data may include

• Public authorities and institutions (e.g., German Federal Bank, Federal Financial Supervisory Authority, European Banking Authority, European Central Bank, tax authorities) in case of legal or regulatory obligations.
• Other credit and financial service institutions or similar entities to which we transmit personal data to carry out business relationships with you (depending on the contract: e.g., companies of the Cooperative Financial Group Volksbanken Raiffeisenbanken, correspondent banks, depository banks, stock exchanges, credit agencies). Additional recipients of data can be those to whom you have consented to the data transfer.

4.3 Storage Period

If required, we process and store your personal data for the duration of our business relationship, including the initiation and execution of a contract (including post-contractual obligations).

Furthermore, we are subject to various retention and documentation obligations, arising from the Commercial Code (HGB), the Fiscal Code (AO), the Banking Act (KWG), the Anti-Money Laundering Act (GwG), and the Securities Trading Act (WpHG). The retention periods specified there range from two to ten years.

Finally, the storage period is also influenced by the statutory limitation periods, which under Sections §§ 195 ff. of the German Civil Code (BGB) generally range from three years to up to thirty years in certain cases.

4.4 Data Transfer to a Third Country or an International Organization

Data will only be transferred to third countries (countries outside the European Economic Area – EEA) if this is necessary within the scope of the business relationship with you, is legally required, or if you have given us your consent. We will inform you separately about the details in each case.

4.5 Rights of Data Subject (see also “General Data Protection Information”)

Every data subject has the right to access under Art. 15 GDPR, the right to rectification under Art. 16 GDPR, the right to erasure under Art. 17 GDPR, the right to restriction of processing under Art. 18 GDPR, and the right to data portability under Art. 20 GDPR. Limitations apply to the right to information and the right to erasure under §§ 34 and 35 BDSG. In addition, there is a right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR in conjunction with § 19 BDSG).

4.6 Obligation to Provide Data

As part of our business relationship, you only have to provide the personal data that is required for the establishment, execution and termination of a business relationship or that we are legally obliged to collect. Without this data, we will generally have to refuse to conclude a contract or will no longer be able to fulfil an existing contract and may have to terminate it.

In particular, we are obliged under anti-money laundering regulations to identify you before establishing the business relationship, for example by means of your identity card, and to collect your name, place of birth, date of birth, nationality and address. To comply with this legal obligation, you are required under the Money Laundering Act to provide us with the necessary information and documents and to notify us immediately of any changes that occur during the course of the business relationship. If you do not provide us with the necessary information and documents, we may not be able to establish the desired business relationship.

4.7 Automated Decision-Making in Individual Cases

In general, we do not use fully automated decision-making as defined by Art. 22 GDPR to establish and conduct the business relationship. Should we use such procedures in individual cases, we will inform you of this separately if this is required by law.

4.8 Email Communication

Please note that while we use encryption for email communication, secure e-mail transmission is only possible if both parties support this. It is therefore not sufficient for us to offer this service; the provider of your e-mail environment must also support it. If this information is not available to you, please contact your email provider.

One of the technical disadvantages of unencrypted e-mail communication is that unencrypted e-mails sent over the open Internet computer network can be accessed by unauthorized persons (lack of confidentiality) or even altered (lack of integrity). Additionally, the sender of an e-mail can also be falsified (lack of authenticity). Please note that email communication does not have the confidentiality and security of postal communication. Therefore, carefully consider what information you send us via email and use postal mail for confidential communications to ensure your security.

Due to the possibility of falsifying the sender of an e-mail message and altering the content of e-mail messages, we reserve the right to request a confirmation before accepting the content of an e-mail as binding. Please do not send us any unsolicited advertisements or orders by e-mail.

Below, we inform you about the processing of your personal data by VREP in the course of the application process and a possible employment relationship and about the rights to which you are entitled under data protection laws.

We would like to point out in advance that VREP uses the software of Abacus Umantis GmbH (processor pursuant to Art. 28 GDPR) as a shared system for managing and processing applicant data.

By registering in our applicant portal, you provide your personal data for a specific application with VREP for job search purposes. Your data will be stored and processed on the systems of our service provider, Abacus Umantis GmbH. VREP and Abacus Umantis GmbH have taken the necessary organizational and technical measures to ensure the confidentiality of your application.

All employees in the Human Resources department and our software partner are bound by confidentiality agreements regarding personal data as part of their employment contract. With automatic activated 128-bit encryption, your data is securely transmitted. Data processing follows current standards of data security.

If you have provided us with electronic data via our applicant portal, you can access your data via the portal at any time in order to modify or delete it yourself.

5.1 Purpose and Legal Basis

We process your personal data in compliance with the provisions of the EU General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG) and all other relevant laws (e.g. BetrVG, AGG, etc.).

We offer you the opportunity to apply to us (e.g. by e-mail, post or online application form). We assure you that your data will be collected, processed and used in accordance with applicable data protection laws and all other statutory provisions and that your data will be treated with the utmost confidentiality.

Primarily, the data processing serves to carry out and handle the application procedure and to assess the extent to which you are suitable for the position in question. In the event of recruitment, data processing also serves to implement and process the employment relationship. As a result, processing of your applicant data is necessary in order to be able to decide on the establishment of an employment relationship. The legal basis for this is Art. 6 (1) b GDPR (processing for the performance of a contract/implementation of pre-contractual measures) and Art. 6 (1) f GDPR (processing to safeguard a legitimate interest) and – if you have given your consent – Art. 6 (1) a GDPR. Consent can be revoked at any time. Data may be processed for statistical purposes (e.g., reporting), with no conclusions being drawn about individual persons.

5.2 Data Categories

As part of your application, you must provide personal data necessary for conducting the application process and assessment. Without this data, we will not be able to conduct the application process or make a decision regarding the establishment of an employment relationship.

This data will be processed solely in the context of your application (stored, evaluated, processed, or internally forwarded). It is accessible only to employees in the Human Resources department and those responsible for the selection process (see “Data Recipients”).

During the application process, the following categories/types of personal data are processed:

• Applicant basic data (salutation, name, first name, date of birth, address, academic degrees/titles, nationality, contact details)
• Application data (cover letter, questionnaires, qualifications, CV, certificates, assessments)
• Communication data (telephone number, email address)

During the employment relationship, the following categories/types of personal data are processed:

• Basic data (salutation, name, first name, date of birth, address, academic degrees/titles, nationality, contact details, gender, place of birth, social security number, tax ID, children (name & date of birth), bank details, health insurance)
• Application data (cover letter, questionnaires, qualifications, CV, certificates, assessments)
• Communication data (telephone number, email address)

Processing special categories of personal data (such as health data, religious affiliation, degree of disability) is based on your consent according to Art. 9(2)(a) GDPR in conjunction with § 26(2) BDSG. We treat this sensitive data with special care.

Your personal data is generally collected directly from you as part of the hiring process. In addition, we may have received data (e.g., name and contact details) from third parties (e.g., employment agencies).

If your activity requires the involvement of other service providers, your data will be forwarded to them to an extent necessary. These service providers may be, for example:

• Payroll service providers
• etc.

5.3 Data Recipients

Within our company, only those employees and departments (e.g., specialist departments) will receive your personal data who need it for the recruitment decision and to fulfil our contractual and legal obligations.

In addition, we may transmit your personal data to other recipients outside the company if this is necessary to establish and/or implement the employment relationship or if we are obliged to do so by law, e.g., in the context of criminal prosecution measures according to Art. 6 (1) c GDPR e.g.:

• Public authorities and institutions (e.g. Deutsche Bundesbank, Federal Financial Supervisory Authority, European Banking Authority, European Central Bank, tax authorities) in the event of a legal or official obligation.
• Other credit and financial services institutions or comparable institutions to which we transfer personal data in order to carry out the business relationship with you (depending on the contract: e.g., companies of the Volksbanken Raiffeisenbanken cooperative financial group, correspondent banks, deposit banks, stock exchanges, credit agencies).

Other data recipients may be those entities for which you have given us your consent to transfer data.

5.4 Storage period

We will delete your personal data six months after completion of the application process. This does not apply if statutory provisions prevent deletion or if further storage is necessary for the purpose of providing evidence or if you have consented to longer storage. You will not be notified of the deletion of your data.
As part of the employment relationship, your data will be processed and stored for the duration of your employment. After the termination of the employment relationship, the data will be deleted in accordance with the statutory retention periods.

5.5 Talent Pool

If we do not provide you with a job offer, you may have the opportunity to be included in our applicant pool. If you are accepted, all documents and information from the application will be transferred to the applicant pool in order to contact you in the event of suitable vacancies. Inclusion in the applicant pool is based exclusively on your express consent (Art. 6 (1) a GDPR). Providing your consent is voluntary and not related to the current application process. Consent can be withdrawn at any time. In this case, the data will be irrevocably deleted from the applicant pool, provided there are no legal grounds for retention. The data from the applicant pool will be irrevocably deleted no later than two years after consent has been granted. Other data recipients may be those entities for which you have given us your consent to transfer data.

The data collected by us during your registration for the mailing list for news, newsletters and event invitations is sent to VREP in encrypted form and is only used for sending our news, newsletters and invitations. The data is stored exclusively at VREP and at the service provider commissioned to send the news, newsletters and invitations and is not shared beyond this.

6.1 Purpose of Data Processing, Legal Basis, and Content of Consent

We only send our information based on the consent of the recipients in accordance with Art. 6 (1) a in conjunction with Art. 7 GDPR. When you register to receive information, you specifically define your areas of interest and consent to receiving information on the selected areas of interest.

6.2 Double Opt-In Procedure

When registering to receive information via the registration form, we use the so-called double opt-in procedure. After registration, the interested party receives an e-mail with a confirmation link to the e-mail address provided, which they must click on to confirm their registration. We log the registrations in order to be able to prove the registration process in accordance with the legal requirements. In this context, we store the time of registration and confirmation as well as the IP address. If you do not give your consent via the confirmation link, your data will be automatically deleted after 24 hours.

6.3 For sending information, the following categories of personal data are processed:

• Salutation, last name, first name
• Position
• Employing company (including company address)
• Email address
• IP address of the requesting computer

You can revoke your registration and your consent at any time with effect for the future. To do so, please send us an e-mail to datenschutz@vrep.de or use the unsubscribe link that you will find in every information e-mail sent. Your data stored with us for the mailing will then be deleted immediately.

Data protection information regarding the production and use of photo and/or video recordings in accordance with Art. 13 GDPR.

7.1 Purpose of the processing

Photos and/or videos are used exclusively for press and public relations work, i.e., for advertising and information purposes.

7.2 Legal basis of the processing

The processing of photos and/or videos (collection, storage, and forwarding to third parties (see under 5.) is carried out based on the explicit consent of the data subject(s) in accordance with Art. 6 (1a) GDPR. The publication of selected image files in (print) publications of VREP and on its homepage/LinkedIn or XING account is necessary for the public relations work of VREP and thus serves to safeguard the legitimate interests of the parties involved, Art. 6 (1f) GDPR.

7.3 Data categories

Photos and/or videos are forwarded to:

• the company that is the subject of the report or photo/video.
• third parties: Web hosts, agencies commissioned with the creation and publication of print and/or online publications, as well as operators of online communication platforms.

Uploading data to the Internet also constitutes a transfer to third parties.

7.4 Storage period

Photos and/or videos created for the purposes of VREP’s press and public relations purposes will be stored for an indefinite period of time, subject to revocation of the consent of the data subject(s).

7.5 Information on the publication of personal data on the web

There are risks associated with the publication of photos and videos on the internet, which we would like to inform you about below. Please note that this list is not exhaustive. The risks include the following:

• The possibility of worldwide access to data posted on the internet from the public and non-public domain.
• Risk to the data subject’s right to informational self-determination if their data is published worldwide, namely also in countries in which there is no or no adequate data protection standard, meaning that an appropriate level of data protection is not guaranteed. The posted data can be read unnoticed and stored, changed, falsified, combined or manipulated in a variety of ways.
• Once stored, the recipient can continue to use the data even if the providing body has already modified or deleted its website.

Below, we would like to inform you about the collection, processing, and use of personal data within the scope of our whistleblower system when you submit a report to our internal reporting office (ombudsman).

8.1 Purpose of Processing

The purpose of this process is to handle reports of actual or potential violations of legal regulations with the aim of uncovering misconduct by individuals or entire companies and mitigating or correcting the negative consequences of such misconduct.

8.2 Legal Basis

The collection of personal data of the reporting person in cases of non-anonymous reporting is based on consent to processing through the transmission of data (implicit consent) pursuant to Art. 6(1) sentence 1(a) GDPR.

Anonymous reports via the whistleblower contact form of our external ombudsman, lawyer Dr. Rainer Buchert, do not fall within the material scope of the GDPR according to Art. 1(1) in conjunction with Art. 4 No. 1 GDPR, as they involve anonymized data where no personal reference exists anymore.

The collection, processing, and disclosure of personal data of individuals mentioned in the report serves the legitimate interests of VREP under Art. 6(1) sentence 1(f) GDPR. It is a legitimate interest of VREP to effectively uncover, process, rectify, and sanction violations of laws and serious breaches of duty by employees with a high degree of confidentiality, thereby mitigating damages and liability risks for the companies (§§ 30, 130 OWiG). The Whistleblower Protection Act (HinSchG) also requires the establishment of a reporting system to allow employees and third parties to safely report violations of laws within the company.

8.3 Categories of Processed Personal Data

When you submit a report via the whistleblower system that is not through the anonymous contact form, we collect the following personal data and information:

• Your name, if you disclose your identity,
• Your contact details, if you provide them,
• The fact that you have submitted a report via the whistleblower system,
• The company where you are employed (if indicated),
• Names of individuals and other personal data of persons you mention in your report,
• Your description of the facts.

8.4 Storage Period

Personal data is stored for as long as necessary for investigation and final assessment, or as long as there is a legitimate interest of the company, or as required by law. Afterward, data will be deleted according to legal requirements. The duration of storage depends particularly on the seriousness of the suspicion and the reported potential breach of duty.

If required, we provide our guests with free Wi-Fi access on our business premises for their (business). In order to be granted access, users must register with the responsible internal department by providing their (work) e-mail address, name and company affiliation.

9.1 Purpose of processing

We collect this personal data from users of our guest WLAN in order to provide WLAN to users, to ensure the security of this service and, in the event of misuse or the commission of criminal offenses, to identify the perpetrators and take appropriate legal action.

9.2 Legal basis

The legal basis for the processing of your personal data is Art. 6 (1) b GDPR, insofar as initiating legal action is necessary. Otherwise, our legitimate interest under Art. 6 (1) f GDPR applies. The declaration of consent can be revoked by the user at any time with effect for the future.

9.3 Categories of personal data processed

The following categories of data are processed when using the WLAN access:

• (Professional) e-mail address
• Device name
• Company affiliation
• IP address

MAC addresses of end devices may also be temporarily stored. Furthermore, we may store log data (“log files”) on the type and scope of service for up to 7 days. This data cannot be directly assigned to the user.

9.4 Storage period

Processed data is only stored for a period of 7 days. At the end of a session, personal data is deleted. In the event of a malfunction or error, the relevant data will be stored for the duration required to rectify the error or resolve the malfunction.

We may update these data protection notices from time to time. Updates will be published on our website and will become effective upon publication. Therefore, we recommend visiting our website regularly to stay informed about any changes.