We are pleased that you would like to apply for a job with us. With this attachment, we inform you as a data subject about the processing of your personal data by Heidelberger Druckmaschinen AG (hereinafter "HEIDELBERG" on the basis of your application. In addition, we hereby inform you of the data protection claims and rights to which you are entitled.

To our data protection information for applicants

This document is to inform you as a data subject about the processing of your personal data by Heidelberger Druckmaschinen AG (hereinafter referred to as "HEIDELBERG") or one of its group companies in connection with your activity or service with us. In addition, we hereby inform you about the data protection claims and rights to which you are entitled.

Name and address of the person responsible within the meaning of the GDPR and address of the data protection officer

Controller for contractual partners of HDM AG: Heidelberger Druckmaschinen AG
Kurfürsten-Anlage 52-60
69115 Heidelberg
Germany

Tel.: +49 (0)6221 92 00
Fax: +49 (0)6221 92 69 99
E-mail: information@heidelberg.com

Controller for contractual partners of HCS GmbH: Heidelberg Catering Services GmbH
Gutenbergring 19
69168 Wiesloch
Germany

Phone: +49 (0)6222 82 00
Fax: +49 (0)6222 82 1999
E-mail: hcs-kontakt@heidelberg.com

Controller for contractual partners of HMD GmbH: Heidelberg Manufacturing Deutschland GmbH
Gutenbergring 19
69168 Wiesloch
Germany

Phone: +49 (0)6222 82 00
Fax: +49 (0)6222 82 1999
E-mail: information@heidelberg.com

Controller for contractual partners of HPD GmbH: Heidelberg Postpress Deutschland GmbH
Gutenbergring 19
69168 Wiesloch
Germany
Phone: +49 (0)6222 82 00
Fax: +49 (0)6222 82 1999
E-mail: information@heidelberg.com

Controller for contractual partners of PFI GmbH: Heidelberg Print Finance International GmbH
Gutenbergring 19
69168 Wiesloch
Germany
Phone: +49 (0)6222 82 00
Fax: +49 (0)6222 82 1999
E-mail: HEI.FS-PFI@heidelberg.com

The data protection officer of HDM AG, HCS GmbH, HMD GmbH, HPD GmbH and PFI GmbH can be reached by post at the above address with the addition of "Datenschutzbeauftragter" (please note in the first line of the address), via internal in-house post, recipient "Datenschutzbeauftragter" (in a sealed envelope) or by e-mail: Datenschutzbeauftragter@heidelberg.com. If you would like to contact our data protection officer personally and confidentially, please contact him via his personal e-mail address: Datenschutzbeauftragter@heidelberg.com and arrange an on-site appointment.

Controller for contractual partners of HDD GmbH: Heidelberger Druckmaschinen Vertrieb Deutschland GmbH
Gutenbergring 19
69168 Wiesloch
Germany

Tel.: +49 (0)6222 82 00
Fax: +49 (0)6222 82 1999
E-mail: information@heidelberg.com

You can reach the HDD GmbH data protection officer, Mr Gattwinkel, by post at the above address. Please note his name in the first address line. You can also reach him by internal mail, recipient Mr. Gattwinkel (in a sealed envelope) or by e-mail: Thomas.Gattwinkel@heidelberg.com. If you would like to contact the HDD GmbH data protection officer personally and confidentially, please contact him via his personal e-mail address: Thomas.Gattwinkel@heidelberg.com and arrange an on-site appointment.

PURPOSES, DATA CATEGORIES AND LEGAL BASIS OF DATA PROCESSING

Introduction
Within the scope of your activity or service with us, we process your personal data in accordance with the GDPR and the German Federal Data Protection Act (BDSG), insofar as this is necessary and legally permissible.

Purposes, categories of data and legal basis for data processing
We process personal data for the following purposes and on the basis of the following legal grounds:

(a) contract preparation and execution, invoice verification, complaint and repair processing including payment processing on the basis of the legitimate interest of both contracting parties in the execution of the contract pursuant to Art. 6 para. 1 lit. f GDPR. This is exclusively business contact and communication data which is used in accordance with this purpose;

b) Risk management based on our legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR in compliance with legal requirements, as well as proof thereof; in particular Section 91 para. 2 German Stock Corporation Act (AktG), Section 76 para. 1 AktG, as well as in the protection of the company;

c) Supplier development based on our legitimate interest according to Art. 6 para. 1 lit. f GDPR in the optimisation of contract processing and implementation; this is intended to bring economic benefits to both partners. Only business information is used in accordance with its intended purpose;

d) Internal accounting, tax processing and documentation for the fulfilment of legal obligations according to Art. 6 para. 1 lit. c GDPR, and as proof thereof, in particular according to the principles of proper accounting in connection with Section 331 German Commercial Code (HGB), Sections 370 et seq. German Tax Code (AO), further standards from AO, HGB, German Value Added Tax Act (UstG), German Income Tax Act (EStG), German Stock Corporation Act (AktG), German Limited Liability Companies Act (GmbHG);

e) Ensuring material and chemical compliance on the basis of our legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR in compliance with statutory requirements and proof thereof, in particular Regulation (EC) No. 1907/2006 (REACH Regulation), Regulation (EC) No. 1272/2008 (CLP), the German Electrical and Electronic Equipment Act (ElektroG) and German Electrical and Electronic Equipment Substances Ordinance;

f) Ensuring compliance on the basis of our legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR in preventing the commission of criminal offences and the proof of due diligence in connection with Sections 299 et seqq. UK Bribery Act, 15 U.S.C. Sections 78dd-1 et seq. (FCPA), 31 C.F.R. part 501ff. (SDN list), Council Regulation (EC) No. 2580/2001, Sections 1 et seq. German Act against Restraints of Competition (GWB), Sections 95 et seq. German Residence Act (AufenthG), Council Regulation (EC) No. 428/2009 of 5 May 2009;

g) Assertion and defence of legal claims, including insurance on the basis of our legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR in the enforcement of legal and contractual claims.

If you have also given us consent to process personal data for specific purposes, the lawfulness is based on your consent Art. 6 para. 1 lit. a GDPR. Processing of data in accordance with Art. 9 and 10 GDPR is not provided for in the normal course of business.

Consent given can be revoked at any time. Please note that the revocation is only effective for the future. Processing that took place before the revocation is not affected.

FURTHER INFORMATION

Recipients or categories of recipients of the personal data

Internally
Within HEIDELBERG, the departments involved in the execution of the contract, for example such as Purchasing, Invoice Verification, Incoming Goods, Quality Management, Service and Logistics, as well as their carefully selected service providers who are contractually obliged to comply with data protection requirements and contractually obligated to comply with data protection requirements, have access to the data required for the fulfilment of their tasks.

Other internal Group service providers such as IT, Compliance, Auditing, Tax, Shared Service Centres for the for the handling of purchasing processes, as well as their respective carefully selected and contractually and contractually obligated to comply with the requirements of data protection law required for the fulfilment of their tasks.

In particular, for the performance of compliance checks and to ensure compliance with the quality and health protection requirements, we regularly make use of a carefully selected service provider's platform (processor).

The additional processing of personal data that occurs in the course of this is described in the platform's privacy policy.

External
HEIDELBERG also discloses personal data to companies affiliated with HEIDELBERG, as well as to sales partners and service providers commissioned by HEIDELBERG with the performance of individual services, insofar as this is necessary for the proper operation of HEIDELBERG or its affiliated companies. HEIDELBERG shall ensure that in this case the affiliated companies, the partners and the service providers are subject to appropriate data protection obligations.

HEIDELBERG will only make personal data available to third parties (including authorities) if this is necessary. In particular, this is necessary if Heidelberg is required to do so in the event of a legal provision, court decision or official order, or if it wishes to assert its own rights.

In the course of checking creditworthiness, HEIDELBERG does not pass on any personal data to third parties, unless this from the information on a company (e.g. in the case of sole traders).

Transfer to third countries or to an international organisation
A transfer to third countries (outside the European Economic Area (EEA)) or to international organisations is not provided for in the normal course of business.

unless you actively request it or the business process in which you are involved takes place wholly or in part in a third country.

business process in which you are involved takes place wholly or partly in a third country.

If, in exceptional cases, we or our subcontractors (cf. data transfer point 6) make use of third countries or have to transfer data to third countries, we will ensure that the requirements of Art. 44 et seq. GDPR are complied with.

Storage period
We process personal data for as long as it is needed for the specific purpose of processing. This may vary in each individual case due to special circumstances or special

agreements between the contracting parties. In the following we give you an overview of the most common storage periods that are relevant when dealing with suppliers.

a) In the case of contract preparation and implementation, the storage period is as long as they are needed for the specific purpose in each case (Art. 6 lit. f GDPR: Legitimate interest of both parties in the execution of the contract).

b) In the case of risk management, the storage period is as long as they are needed for the respective concrete purpose (Art. 6 lit. f GDPR: Legitimate interest in keeping the evidence, in connection with the limitation of liability of the board of directors pursuant to Section 93 para. 6 of the German Stock Corporation Act (AktG)).

c) For internal accounting and tax processing and documentation, the storage period of invoices and receipts, business communication and evidence of the provision of services is generally at least 10 years from the end of the year in which the service was provided or the invoice was issued. The legal basis for this is the fulfilment of our retention obligations under tax and commercial law: Art. 6 lit. c GDPR in conjunction with, in particular, Section 147 para. 3 s. 1 German Tax Code (AO), Section 257 para. 4 first half-sentence in conjunction with. para. 1 no. 1 and 4 of the German Commercial Code (HGB), Section 14 of the German Value Added Tax Act (UStG), as well as our legitimate interest in keeping documents, communication and evidence until the expiry of the limitation period of mutual claims, Art. 6 lit. f of the GDPR, Sections 199 para. 4, 195 of the German Civil Code (BGB).

d) To ensure material and chemical compliance, data is retained for as long as it is needed for the specific purpose in each case (Art. 6 lit. f GDPR: Legitimate interest in keeping the evidence, in conjunction with the regulations mentioned as the legal basis and their limitation periods (including Section 93 para. 6 AktG).

e) To ensure compliance, data is retained for as long as it is needed for the specific purpose in each case (Art. 6 lit. f GDPR: Legitimate interest in keeping the evidence, in conjunction with the regulations mentioned as the legal basis and their limitation periods).

f) For the assertion and defence of legal claims, the storage period is as follows: Insofar as the information is not already subject to another retention period mentioned, but may become relevant for claims for damages or defects, it will be retained for the duration of the regular limitation period of a possible claim for damages or defects (Art. 6 lit. f GDPR: Legitimate interest in the assertion and defence of legal claims, in connection with the respective limitation period, for example according to Sections 195, 199 BGB).

Storage periods may be extended or shortened due to new legal requirements, internal process adjustments or agreements with a contractual partner.

We will inform you about significant changes as far as possible, in particular by updating this data protection declaration on our website. If you have any questions about the specific storage period in individual cases, please contact our data protection officer directly.

From which sources your personal data originate
We generally collect your personal data directly from you. However, we also receive personal data from you from third parties, both public and non-public, insofar as this is legally permissible. These may include executing persons of the market participant, published lists of authorities (e.g. sanctions and terror lists) or credit agencies.

Is there an obligation to provide the personal data?
The provision of your personal data is not required by law. However, it is necessary for the performance of the contract.

No credit reports and automated decisions, incl. profiling
In the normal course of business, we do not use automated decision-making pursuant to Art. 22 GDPR including profiling. Should we use these procedures in individual cases, we will inform you of this separately, provided this is required by law. This also applies to any profiling.

Right of access, rectification, erasure, restriction, data portability and objection
You as a data subject (as defined in Art. 4 No. 1 GDPR) are entitled to the rights listed below when your personal data is processed by us as a data controller (as defined in Art. 4 No. 7 GDPR).

Please address your requests to exercise your rights, your revocation or objection to the postal address listed under ""Name and address of the controller and address of the data protection officer"" or send your message via the e-mail address listed there.

a) Data subject rights (Art. 15-20 GDPR)
If the legal requirements are met, you have the right of access (pursuant to Art. 15 GDPR), the right to rectification (pursuant to Art. 16 GDPR), the right to erasure (pursuant to Art. 17 GDPR), the right to restriction of processing (pursuant to Art. 18 GDPR) and the right to data portability (pursuant to Art. 20 GDPR) of your personal data. Please note that there are legal restrictions on the right to information and the right to deletion (Sections 34, 35 BDSG).

b) Revocation of consent (Art. 7 para. 3 GDPR)
You may revoke your declarations of consent under data protection law at any time. The revocation of your consent does not affect the lawfulness of the processing carried out on the basis of your consent until the revocation.

c) Individual right of objection (Art. 21 para. 1 GDPR)
If data processing is based on a legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR, you may object to this processing for reasons arising from your particular situation. We will then only process the personal data if there are demonstrably compelling grounds for doing so that outweigh your interests, rights and freedoms or if the processing serves to assert, exercise or defend legal claims.
d) Right to lodge a complaint (Art. 77 para. 1 GDPR)
You also have the right to complain to a supervisory authority. The data protection supervisory authority responsible for us is: "Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit", Königstraße 10 a, 70173 Stuttgart, poststelle@lfdi.bwl.de.

APPENDICES

Further information on special processing situations
Please see the appendices for information on specific processing situations that may apply to you:

• Workday Learning Management System Privacy Notice for External Users
• Virtual Workplace Privacy Notice
• Data Protection Information for Image/Video Use

This document informs you as a data subject about the processing of your personal data by Heidelberger Druckmaschinen AG (hereinafter referred to as "HEIDELBERG") in connection with your visit to our company and factory premises. In addition, we hereby inform you of the data protection rights and entitlements to which you are entitled.

Name and address of the controller within the meaning of the GDPR and address of the data protection officer.

The controller is:

Heidelberger Druckmaschinen AG
Kurfürstenanlage 52-60
69115 Heidelberg

Phone: +49 (0)6221 92 00
Fax: +49 (0)6221 92 69 99
E-mail: information@heidelberg.com

You can reach the data protection officer of HEIDELBERG at:

Heidelberger Druckmaschinen AG
Datenschutzbeauftragter
Gutenbergring
69168 Wiesloch

datenschutzbeauftragter@heidelberg.com

PURPOSES, DATA CATEGORIES AND LEGAL BASIS FOR DATA PROCESSING

Introduction
Within the scope of visitor management on the premises, we process your personal data in accordance with the GDPR and the German Federal Data Protection Act (BDSG), insofar as this is necessary and legally permissible.

Registration
The purpose of the registration is the orderly and expeditious handling of visitor management, as well as to ensure that only authorised and expected persons enter the premises, where hazardous chemicals, heavy machinery, air and sea freight safety areas impose high legal safety requirements. Also from an occupational safety point of view, we would like to ensure through our visitor management that no unaccompanied persons are on the premises who are not informed about the safety requirements on the premises.

The legal basis is therefore Art. 6 para. 1 lit. c and f GDPR: Compliance with our legal obligations arising from occupational health and safety, hazardous goods regulations, as well as the Aviation Security Act, combined with our and your legitimate interest in the orderly and safe handling of your visit.

Registration data
If you enter the premises as a visitor, you must register with your surname, first name and company.

Confirmation of the rules of order by signature: Your signature serves to confirm that you have read the visitor information and will abide by the regulations, as well as the time and planned duration of the visit and the identity of the contact person at HEIDELBERG is required.

The registration can be done by the visitor personally, usually the pre-registration is done by the visited staff member.

Creation of the plant ID card
The purpose of creating the plant ID card and storing the data for this purpose is the technical implementation of the access regulations on the plant premises, as well as the possibility of tracing the areas of the plant where people are located in the event of a disaster.

The legal basis is therefore Art. 6 Para. 1 lit. c and f GDPR: Compliance with our legal obligations from occupational health and safety, hazardous goods regulations, as well as the Aviation Security Act, combined with our and your legitimate interest in the orderly and safe processing of your visit.

Plant badge information include surname, first name, company, badge number, security briefing, access authorisation, validity period, contact person at HEIDELBERG.

Disaster management
In the event of a disaster, we must be able to determine at any time whether all persons have left the site and gone to the assembly points. If it turns out that a person is missing, we can use the recorded arrival and departure times to find out where to look for them.

The legal basis is therefore Art. 6 para. 1 lit. c and f GDPR: Compliance with our legal obligations arising from occupational health and safety, combined with our and your legitimate interest in the orderly and safe processing of your visit.

Times and places of stay the time of entering and leaving the premises, as well as individual security areas, are recorded on the basis of the visitor badge issued.

Safety instruction
There are a lot of people, vehicles, heavy machinery, as well as hazardous chemicals on the premises. In order to prevent you from endangering yourself and others, we must provide you with information on safe behaviour on the premises. The legal basis is therefore Art. 6 para. 1 lit. c, f GDPR in conjunction with our obligations under the Occupational Health and Safety Act, the Workplace Act and the Industrial Safety Ordinance: compliance with our legal obligations and our and your legitimate interest in a safe stay on our premises.

Your successful participation in the safety instruction will be linked to your registration data, documented and stored.

Proof of identity
By means of the proof of identity, we ensure that only persons instructed in safety are actually on the premises. We control this in random samples.

The legal basis is therefore Art. 6 para. 1 lit. c, f GDPR in conjunction with our obligations under the Occupational Health and Safety Act and the Workplace Ordinance, as well as the Operational Safety Ordinance: compliance with our legal obligations and our and your legitimate interest in a safe stay on our premises.

Verification of driving authorisation
We require the driving licence number to ensure that only persons with a driving licence drive a vehicle onto the premises and check these in random samples. In addition, we require the driver's licence number to confirm your identity as the registered driver who has been instructed and authorised for safety. The transport documents and order number are used for the proper processing of the order.

The legal basis for the driver's licence number is therefore Art. 6 para. 1 lit. c, f GDPR in conjunction with our obligations under the Occupational Health and Safety Act and the Workplace Safety Act.

The compliance with our legal obligations and our and your legitimate interest in a safe stay on our premises, as well as in the proper handling of delivery and collection.

Driving licence number, vehicle registration number, order number, transport documents (consignment notes, waybills, accompanying documents)

We receive the driver's licence number and vehicle registration number directly from you.

The order number and transport documents can be submitted in full or in part in advance in the course of a pre-announcement by our employees or a freight forwarder.

Control of hazardous goods
When hazardous goods are transported, this entails extensive documentation and safety obligations, compliance with which we ensure on the basis of this information. We check this information within the legal framework.

The legal basis is therefore Art. 6 lit. c, f GDPR in conjunction with the regulations on the transport of dangerous goods. Regulations on the transport of dangerous goods: Our legitimate interest in ensuring compliance with the legal obligations for the handling of dangerous goods.

This information may already be provided to us in advance during the pre-registration process by our employees or by a freight forwarder. However, the information is only linked to the specific driver and vehicle through your on-site registration.

Control of foreign cargoes
When external loads are brought onto the premises, we want to ensure and document that they leave the premises unchanged.

The legal basis is therefore Art. 6 lit. f GDPR: Our legitimate interest in ensuring and proving that the third-party load leaves the premises unchanged.

This information can already be provided to us in advance during the pre-registration process by our employees or by a freight forwarder. However, the information is only linked to the specific driver and vehicle when you register on site.

Confirmation of the data protection information
In this way, we want to ensure that you receive the information to which you are legally entitled in any case.

The legal basis is therefore Art. 6 lit. f GDPR: our legitimate interest in ensuring and proving that we have provided you with this information.

As part of the security briefing, you will be made aware of this data protection information at the terminal and asked to confirm that you have understood the information on data processing.

All the information listed is also required in order to assert legal claims in the event of damage or to defend ourselves against such claims. In this respect, the legal basis is our legitimate interest in asserting or defending legal claims.

FURTHER INFORMATION

Recipients or categories of recipients of the personal data
At HEIDELBERG, personal data is initially processed by the employees and service providers entrusted with plant security in order to ensure security on the premises. In the context of processing deliveries, collections or services, the data required for this purpose is also processed by the contact person or client on the premises. Other internal departments, such as the internal IT department, will be involved in the processing of personal data as necessary.

In addition, the personal data will be disclosed to third parties, such as insurance companies, authorities or the employment/client of the person concerned, if and insofar as this is necessary to safeguard the legitimate interests of HEIDELBERG or third parties, for example to assert or defend legal claims.

Disclosure to helpers and authorities may take place in the event of a disaster. In this case, it is also possible to pass on the data to the employer/client of the person concerned.

Finally, HEIDELBERG will disclose personal data to third parties if and to the extent that this is required by mandatory law or by official or court order.

Transfer to third countries or to an international organisation
Your personal data will not be transferred to third countries.

Storage period
Employee badge data: Quarterly deletion of data of all employees no longer working in the company/location.

Plant ID card data for visitors: Deletion at the end of the visit period.

Company ID card data for all other ID card holders: Deletion upon return of your ID card, upon notification by your deposited principal (""company"") that you are no longer authorised, as well as upon expiry of the validity of the ID card.

All other information with the exception of the coming and going times for visitors with safety instruction: 15 months from the last visit.

All other information with the exception of the coming and going times for visitors without safety instruction: 6 months from the last visit.

Arrival and departure times: 6 months after collection of the information, it will be anonymised.

Documentation on dangerous goods transports include name, company, time of delivery and unloading, as well as the documents on the transported dangerous goods: 5 years from the date of documentation.

All relevant information in the case of visitors involved in accidents or thefts: Extension of the retention period to 15 months is provided for if necessary; longer retention is possible for specific occasions (cf. information below the table).

Personal data may be retained longer than provided for on specific grounds. This is the case, for example, if they are required in the course of a legal dispute or have to be retained on the basis of a court or official order. As far as possible and permissible, we will inform you about such an extension of retention.

From which sources your personal data originate
We generally collect your personal data directly from you. However, we also receive personal data from you from third party public and non-public bodies to the extent that this is legally permissible. These can be (examples): Pre-registration by forwarder

Is there an obligation to provide the personal data?
You are under no legal or contractual obligation to us to provide the information. A contractual obligation may exist in individual cases; should this special case you are aware of this on the basis of the contract; the other contents of this information sheet continue to apply.

No creditworthiness information and automated decisions, incl. profiling

We do not carry out any checks or assessments of your creditworthiness. We also do not pass on any such data to third parties (e.g. credit agencies). We also do not make any automated decisions in individual cases.

Right of access, rectification, erasure, restriction, data portability and objection
You as a data subject (as defined in Art. 4 No. 1 GDPR) are entitled to the rights listed below when your personal data is processed by us as a data controller (as defined in Art. 4 No. 7 GDPR).

Please address your requests to exercise your rights, your revocation or objection to the postal address listed under "Name and address of the controller and address of the data protection officer" or send your message via the e-mail address listed there.

a) Data subject rights (Art. 15-20 GDPR)
If the legal requirements are met, you have the right of access (pursuant to Art. 15 GDPR), the right to rectification (pursuant to Art. 16 GDPR), the right to erasure (pursuant to Art. 17 GDPR), the right to restriction of processing (pursuant to Art. 18 GDPR) and the right to data portability (pursuant to Art. 20 GDPR) of your personal data. Please note that there are legal restrictions on the right to information and the right to deletion (Sections 34, 35 BDSG).

b) Revocation of consent (Art. 7 para. 3 GDPR)
You may revoke your declarations of consent under data protection law at any time. The revocation of your consent does not affect the lawfulness of the processing carried out on the basis of your consent until the revocation.

c) Individual right of objection (Art. 21 para. 1 GDPR)
If data processing is based on a legitimate interest pursuant to Art. 6 lit. 1 f GDPR, you may object to this processing on grounds relating to your particular situation. We will then only process the personal data if there are demonstrably compelling grounds for doing so that outweigh your interests, rights and freedoms, or if the processing serves to assert, exercise or defend legal claims.

You also have the right to lodge a complaint with a supervisory authority. The data protection supervisory authority responsible for us is: "Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit", Königstraße 10 a, 70173 Stuttgart, poststelle@lfdi.bwl.de.

APPENDICES

Further information on special processing situations
In the appendices you will find information on special processing situations which may also apply to you:

Data protection information for image/video use

This document is to inform you as a data subject about the processing of your personal data by Heidelberger Druckmaschinen AG (hereinafter referred to as "HEIDELBERG" in connection with your customer relationship with us. In addition, we hereby inform you about the data protection claims and rights to which you are entitled.

Name and address of the controller within the meaning of the GDPR and address of the data protection officer.

The Controller is:

Heidelberger Druckmaschinen AG
Kurfürstenanlage 52-60
69115 Heidelberg

Phone: +49 (0)6221 92 00
Fax: +49 (0)6221 92 69 99
E-mail: information@heidelberg.com

You can reach Heidelberg's data protection officer at:

Heidelberger Druckmaschinen AG
Datenschutzbeauftragter
Gutenbergring
69168 Wiesloch
datenschutzbeauftragter@heidelberg.com

PURPOSES, CATEGORIES OF DATA AND LEGAL BASIS OF DATA PROCESSING

Introduction
We process personal data that we have received from you in the context of the performance of the contract, for the fulfilment of your contractual and pre-contractual obligations and for direct marketing purposes. This also includes the processing of personal data which we have received from you in the course of your use of the applications, services, services (technician assignments, remote service - hereinafter referred to as ""services"") and software of HEIDELBERG. In addition, we process - to the extent necessary for the provision of our services - personal data that we have received on the basis of your consent.

Relevant personal data are:

• Contract master data, including billing and payment data;
• Communication and contact data (e.g. business email address, business telephone number, business address);
• Personal master data (e.g. title, name, user ID);
• Usage data such as user administration change logs (e.g. administrator username in the log record of a change to a user or permission) or access logs (IP address or user ID in the automatic system records of logon operations, system accesses and error events);
• Planning and control data (e.g. log data, logs); customer history for customers of the client within Prinect Production Manager.

Purposes
The processing is carried out for the purpose of implementing the contract, fulfilling contractual and pre-contractual obligations and for direct advertising. It is also carried out for the purpose of informing the users of the HEIDELBERG applications, services and software about the operation, the applications and the use as well as ensuring the IT security and the IT operation of the HEIDELBERG applications, services and software. The processing also takes place for the purpose of advertising.

Legal basis: For the fulfilment of contractual obligations (Art. 6 para. 1 lit. b GDPR)
Personal data is processed for the purpose of fulfilling the contract, for the fulfilment of your contractual and pre-contractual obligations and for the provision of the services of the HEIDELBERG applications, services and software. Details on the purpose of data processing can be found in the respective contractual documents as well as in the terms of use or general terms and conditions of the HEIDELBERG applications and software.

Legal basis: Within the framework of the balancing of interests (Art. 6 para. 1 lit. f GDPR)
Where necessary, we process your data beyond the actual performance of the contract to protect legitimate interests of us or third parties.

Examples:

• Tailoring the performance of Heidelberg's applications, services and software by analysing usage behaviour;
• Ensuring IT security and IT operation of Heidelberg's applications, services and software;
• Assertion of legal claims and defence in legal disputes;
• Advertising, insofar as you have not objected to the use of your data;
• Measures for business management and further development of services and products.

Legal basis: Based on your consent (Art. 6 para. 1 lit. a GDPR)
Insofar as you have given us your consent to process personal data for certain purposes (advertising by e-mail or telephone), the lawfulness of this processing is based on your consent. Consent given can be revoked at any time. Please note, that the revocation is only effective for the future. Processing that took place before the revocation is not affected by this.

FURTHER INFORMATION

Recipients or categories of recipients of the personal data
HEIDELBERG shall also pass on personal data and usage data to companies affiliated with HEIDELBERG sales partners and service providers commissioned by HEIDELBERG to perform individual services, insofar as this is necessary to provide the applications, services and software of HEIDELBERG. HEIDELBERG shall ensure that in this case the respective companies affiliated with it, the partners and the service providers are subject to the same obligations under data protection law. Otherwise, HEIDELBERG shall only make personal customer data from the use of the services outside of the provision of services available to third parties (in particular authorities) on the basis of a contractual agreement with the customer or with the customer's consent, or insofar as HEIDELBERG is obliged to disclose such data in the event of a mandatory legal provision, court decision or official order.

Transfer to third countries or to an international organisation
A data transfer to third countries (countries outside the European Economic Area - EEA) is not intended.

Storage period

We process personal data on the basis of consent for as long as this is permissible according to the wording of the consent or until the consent of the person concerned has been revoked.
We keep tax-relevant personal data for 10 years, Section 147 para. 3 s. 1 of the German Tax Code (AO); Section 257 para. 4 in conjunction with para. 1 no. 1 and 4 of the German Commercial Code (HGB), as well as Sections 14 b, 10 para. 1 s. 1 and 2 of the German Value Added Tax Act (UstG). We keep business letters and other documents relevant for taxation for 6 years. We store data relevant for the proof of the proper fulfilment of the contract on the basis of our legitimate interest for the defence or assertion of legal claims until their limitation for 3 years from the end of the year in which the processing was carried out, Art. 6 para. 1 lit. f GDPR, Sections 280 para. 1, 195, 199 para. 1 German Civil Code (BGB).
In addition, we also store personal data if there is another legitimate interest according to Art. 6 para. 1 lit. f GDPR, or a legal obligation according to Art. 6 para. 1 lit. c GDPR, for example to prove the proper provision of services or as evidence in a legal dispute.
If personal data is subject to several retention periods, the longest period shall apply in each case.

From which sources your personal data originate
We generally collect your personal data directly from you. However, we also receive personal data from you from third parties, both public and non-public, insofar as this is legally permissible.

Is there an obligation to provide the personal data?
The provision of your personal data is not required by law. However, they are required for the execution of the contract and for the desired use of the services of the applications, services and software of HEIDELBERG.

No creditworthiness information and automated decisions, incl. profiling.
We do not carry out any checks or assessments of your creditworthiness. We also do not pass on any such data to third parties (e.g. credit agencies). We also do not make any automated decisions in individual cases.

Right of access, rectification, erasure, restriction, data portability and objection
You as a data subject (as defined in Art. 4 No. 1 GDPR) are entitled to the rights listed below when your personal data is processed by us as a data controller (as defined in Art. 4 No. 7 GDPR).

Please address your requests to exercise your rights, your revocation or objection to the postal address listed under ""Name and address of the controller and address of the data protection officer"" or send your message via the e-mail address listed there.

a) Data subject rights (Art. 15-20 GDPR)
If the legal requirements are met, you have the right of access (pursuant to Art. 15 GDPR), the right to rectification (pursuant to Art. 16 GDPR), the right to erasure (pursuant to Art. 17 GDPR), the right to restriction of processing (pursuant to Art. 18 GDPR) and the right to data portability (pursuant to Art. 20 GDPR) of your personal data. Please note that there are legal restrictions on the right to information and the right to deletion (Sections 34, 35 BDSG).

b) Revocation of consent (Art. 7 para. 3 GDPR)
You may revoke your declarations of consent under data protection law at any time. The revocation of your consent does not affect the lawfulness of the processing carried out on the basis of your consent until the revocation.

c) Individual right of objection (Art. 21 para. 1 GDPR)
If data processing is based on a legitimate interest pursuant to Art. 6 lit. 1 f GDPR, you may object to this processing on grounds relating to your particular situation. We will then only process the personal data if there are demonstrably compelling grounds for doing so that outweigh your interests, rights and freedoms, or if the processing serves to assert, exercise or defend legal claims.

You also have the right to lodge a complaint with a supervisory authority. The data protection supervisory authority responsible for us is: "Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit", Königstraße 10 a, 70173 Stuttgart, poststelle@lfdi.bwl.de.

APPENDICES

Further information on special processing situations

In the appendices you will find information on special processing situations which may also apply to you:

• HEIDELBERG Customer Portal and related apps
• Concept customer agreement
• General Communication Industry - Industrial Clients
• Data protection information for image/video use

The protection of personal data is an important concern for Heidelberger Druckmaschinen AG (hereinafter "HEIDELBERG", "we", "us"). We operate the Workday Learning Management System for External Users (hereinafter "LMS") in compliance with applicable laws on the protection of personal data.

HEIDELBERG uses services provided by Workday Limited, Ireland for registration, booking and confirmation of training and courses offered by HEIDELBERG.

Registration takes place via an external authentication service provided by Zaikio GmbH, whereby the application-specific authorisation check takes place via Heidelberg's own application.

The delivery and documentation of e-learning, as well as the documentation created around the course during classroom training, takes place in Workday's LMS.

The LMS is aimed at our customers, dealers, suppliers and the employees of our external partners (hereinafter all referred to as "external partners") for their professional training. The main purpose of the LMS is the transfer of knowledge of predominantly technical content for the HEIDELBERG product portfolio as well as a corresponding documentation of participation.

Below we inform you about the collection, processing and use of personal data in the context of the use of the LMS.

Continuous technological development, changes to our services or the legal situation as well as other reasons may require adjustments to our data protection information. We therefore reserve the right to change this data protection information at any time and therefore ask you to inform yourself regularly about the current status.

The controller pursuant to Art. 4 No. 7 GDPR and service provider pursuant to Section 13 of the German Telemedia Act (TMG) is Heidelberger Druckmaschinen AG. Further information on the company can be found in the imprint of our website at www.heidelberg.com.

You can reach our data protection officer under the following contact details:

Datenschutzbeauftragter
c/o Heidelberger Druckmaschinen AG
Gutenbergring
69168 Wiesloch

E-mail: Datenschutzbeauftragter@heidelberg.com

Joint responsibility
In relation to certain processing operations (provision of learning content (e-learning) and delivery of instructor-led face-to-face and online training), we share with other group companies the LMS in which your personal data is processed for the fulfilment of certain purposes (see section Purposes and legal basis of data processing below). When processing your data in connection with these purposes, we and the other group companies act as joint controllers (within the meaning of Art. 4 No. 7, Art. 26 EU General Data Protection Regulation, or GDPR for short).

Each joint controller shall in particular ensure that only data required for the respective purpose is processed via the LMS and that it is only made accessible to those persons in the group who require it for the tasks assigned to them.

What personal data do we process for what purpose, on what legal basis and for how long?

Data processing when using the LMS
In connection with and for the purpose of using the LMS, personal data of users are processed automatically, namely company, country, first name, last name,

e-mail address, user name, learning modules assigned to themselves or by an administrator and completed. These categories of data are necessary for the authentication of the learner, for the planning and the traceable learning progress by the respective responsible internal employee or the administrator.

After a period of 5 years after registration, both the technical account data and the contents of the account are deleted. If the user was active in the system during this time, the processing of this data is extended by a further 12 months.

This follows the legal basis of Art. 6 para. 1 lit. b GDPR or Section 17 of the German Aviation Security Act (LuftSiG) in conjunction with. Section 3 para. 2, Section 8 para. 3 of the German Aviation Security Training Ordinance (LuftSiSchulV).

Logging of system data and storage of IP addresses

When the website is used, the following data is recorded to ensure operational security the IP address of the calling client, date and time, the page called up, status codes and browser identification are stored in the web server log files. This is based on the legal basis of Art. 6 para. 1 lit. f GDPR. Our legitimate interest is to check web traffic and record and evaluate possible access and performance problems. This data is processed for 30 days by default.

Log data is collected and stored in order to optimise the service and for technical reasons, such as error analysis. These log user behaviour during operation. They may contain personal data, such as user IDs and other personal data (e.g. user data, organisational data, notifications) from requests or responses from/to other system components. They are used to maintain the service and to be able to recognise and rectify error conditions.

This follows the legal basis of the protection of legitimate interests of the responsible party or a third party according to Art. 6 para. 1 lit. f GDPR. Our legitimate interest is the optimisation and maintenance of operations.

This data is processed by default for 30 days after collection.

Setup, access and operation of the Zaikio account (authentication)
Registration with the LMS requires a Zaikio account with the external service provider Zaikio GmbH via www.zaikio.com. The use of the authentication service Zaikio is based on the terms of use and privacy policy of Zaikio with the user. When using the Zaikio account to access the LMS, the Zaikio user ID and a confirmation of a successful login are transmitted to Zaikio. Transmission of this data is based on Zaikio's terms of use and privacy policy.

E-mail notifications within the registration process
To complete the registration process it is necessary to confirm the registration. For this purpose, a confirmation e-mail is sent to the e-mail address provided during registration. This e-mail contains a link via which the registration can be confirmed and thus completed. The system used stores the date and time of registration and confirmation for this purpose.

The legal basis for these notifications is based on Art. 6 para. 1 lit. b GDPR, the performance of the contract.

This data is processed by default for 30 days after collection.

Other system messages
In addition, we would like to inform you by e-mail about relevant events, e.g. planned maintenance, changes and new or modified functions or conditions.

The legal basis for these notifications is based on Art. 6 para. 1 lit. b GDPR, contract performance.

This data is processed by default for 30 days after collection.

Support
If users request support from us or the locally responsible country and sales company or sales partner, the necessary data is processed on the legal basis of Art. 6 para. 1 lit. b GDPR. In the context of this contract fulfilment or contract-preparatory measures at the request of the person concerned within the meaning of Art. 6 para. 1 lit. b GDPR, data may be passed on to external service providers, e.g. hosting providers, software providers, IT specialists, in individual cases.

This data is processed by default for 30 days after collection.

Transport encryption
The transmission of data between the user's device and the LMS is encrypted via TLS/SSL according to the current state of the art.

This data is processed by default for 12 months after collection.

Provision of learning content
In the LMS, we - together with other Group companies - provide our external partners with various training materials (online modules, image, video and sound recordings, etc.) in connection with the performance of technical services for the purpose of training and further education on a global level. The main purpose is to impart knowledge of technical content with the aim of being able to perform technical services for our employees and customers in the best possible professional manner. These are mainly technical, legal and methodological topics (e.g. methods for knowledge transfer and training design) for Heidelberg's product and service portfolio.

For the provision of learning content in the LMS, the following personal data is processed: Name, e-mail address, course participation, test results (if required for successful participation).

The required data is processed on the legal basis of Art. 6 para. 1 lit. b GDPR.

This data is processed by default for 12 months after collection.

Conducting face-to-face training
Face-to-face trainings are trainer-led trainings that can be conducted either physically, i.e. on site, or online.

In the case of on-site training, personal data is processed in the LMS before and after the training in the context of registration. In addition to the data listed under ""Data processing when using the LMS"" (see above), the participant's attendance is also recorded ("attended"; "did not attend"; "partially attended").

Online trainings are conducted via "teams". The web server for the operation of the online trainings is technically operated by Microsoft. The name, e-mail address and attendance of the participant are processed ("participated"; "not participated"; "partially participated").

Further information on data processing within the framework of Teams can be found in the data protection declaration on our website under the heading "Data protection information Microsoft Teams".

After a period of 5 years after registration, both the technical account data and the contents of the account will be deleted. If the user was active in the system within this period, the processing of this data is extended by a further 12 months.

This follows the legal basis of Art. 6 para. 1 lit. b GDPR or Section 17 of the German Aviation Security Act (LuftSiG) in conjunction with. Section 3 para. 2, Section 8 para. 3 of the German Aviation Security Training Ordinance (LuftSiSchulV).

Provision of billing data
For the purpose of invoicing for the respective booked training, your participant data (name, e-mail address, company) will be processed by us and forwarded to the responsible internal departments of invoice verification and controlling or to the group companies for this purpose.

The required data is processed on the basis of the legal basis Art. 6 para. 1 lit. b GDPR.

This data is processed by default for 10 years after the end of the calendar year in which the invoice is issued and then deleted.

Reporting
For the purpose of continuous training planning for the entire HEIDELBERG Group as well as for planning regarding the design of the platform, user and licence management, we regularly carry out internal reporting. The following personal data is processed in this process: Name, email, company, training title.

This data is processed by default for 12 months after collection.

Feedback (request and evaluation)
For the purpose of planning and quality assurance, we and/or a Group company request your feedback. In the context of face-to-face training, participants can take part in a paper-based evaluation.

Data that you as a user submit as personal data in the course of communication and telecommunication are processed for the purpose of handling. The legal basis for this is Art. 6 para. 1 lit. b GDPR. In addition to the data transmitted directly by users, the messages or communication processes contain meta data, for example, the e-mail address and IP address used, the date and time of processing.

This data is processed by default for 30 days after the training.

Recipients or categories of recipients of personal data
Access to your data is granted to responsible employees of HEIDELBERG Druckmaschinen AG, the locally responsible national and sales companies or sales partners of HEIDELBERG Druckmaschinen AG, as well as commissioned service providers and their subcontractors.

If commissioned service providers have access to personal data and this constitutes commissioned processing, an agreement on commissioned processing has been concluded with the service providers, which also takes into account regulations for possible subcontractors.

Other processing within the scope of legitimate interest
For other processing in the context of legitimate interest, personal data may be transferred to the judiciary, authorities, legal representation, insurance companies and necessary companies, e.g. internet providers, cloud service providers or security service providers.

Intention to transfer data to third countries or international organisations
Relevant data collected within the framework of the LMS will be transferred to the relevant country or sales company.

Beyond the above-mentioned processing, no participant data will be forwarded by the responsible party to a third country or other international organisation, unless this is necessary for processing, the participant is based there or operates corresponding devices or services for communication there or corresponding routing takes place for technical reasons over which we have no influence.

Virtual Workspace represents a virtual workstation which enables the user to access the HEIDELBERG virtual work environment without PC hardware from HEIDELBERG

The entity responsible for data protection in connection with Virtual Workspace is Heidelberger Druckmaschinen AG, Kurfürsten-Anlage 52-60, 69115 Heidelberg.

Your user and log data will be processed to manage your user account and grant you access, to enable communication from HEIDELBERG to your device and for the purpose of usage and security analysis. For these purposes, your data will be retained for 30 days.

The legal basis for the processing of your personal data is our legitimate interest according to Art. 6 para. 1 lit. f GDPR. HEIDELBERG has a legitimate interest in providing secure and stable access for employees and external parties without providing HEIDELBERG hardware.

Your personal data may be transferred to the following categories of recipients:

Internally: Employees from the areas of Information Security, Internal Audit, Information Technology (Operation Team and Azure Global Administrators);

Externally: software and IT infrastructure service providers and endpoint security service providers. This may also involve the transfer of personal data to third countries (see "Transfer to third countries or to an international organisation").

With the following information, we would like to inform you about the processing of your personal data in the context of image or video use in the context of events.

On the basis of our legitimate interests according to Art. 6 para. 1 lit. f GDPR, we process the data listed below: Photos and videos with atmospheric images of the participants of the respective event. Only groups are shown in the pictures; if an individual or group of two is the focus, we will only photograph you with your consent. The data is processed for the purpose of advertising HEIDELBERG or the respective event.

Possible uses of the data include publication on the intranet, in the trade press, in daily or weekly newspapers, on heidelberg.com or on other local websites or social media channels.

You are not obliged to provide the data listed in the consent for the purposes mentioned. You may object to the use of your personal data at any time for reasons arising from your particular situation, in person at the respective event or via the contact details listed in "Name and address of the person responsible within the meaning of the GDPR and address of the data protection officer".

You can revoke consent at any time with effect for the future.

Insofar as the processing is based on a legitimate interest, you may object to the processing if your overriding interests are against the processing. You may object to processing for direct marketing purposes based on legitimate interests at any time and without giving reasons.

Transfer within the Heidelberg Group
Your personal data will be passed on within the Heidelberg Group (Heidelberger Druckmaschinen AG and its affiliated companies pursuant to Section 15 of the German Stock Corporation Act (AktG)) worldwide insofar as this is necessary to fulfil the purpose of the processing.

In particular, the data may be passed on to the following bodies:

• local sales companies
• the parent company in Germany
• marketing, sales, corporate communications, product management, human resources, investor relations employees worldwide, as well as to commissioned by them.

In the case of transfers outside the EEA, the required level of data protection pursuant to Art. 44 et seq. GDPR is ensured by appropriate guarantees.

Heidelberg's internal IT department and the selected service providers commissioned by it may access all personal data processed to the extent that this is necessary in the course of fulfilling their tasks.

Transfer to third parties in third countries outside the EU and the EEA
In the normal course of business, your data will not be transferred to third countries unless you arrange this yourself or the entire matter takes place in the third country. If a transfer to a third country takes place in deviation from this, then only on the basis of your consent.

Publication on the internet or social media services Information on the internet is accessible worldwide and can be found using search engines and linked to other information, from which personality profiles can be created under certain circumstances. Information posted on the internet, including photos, can be copied and redistributed without you or HEIDELBERG being able to influence it. There are specialised archiving services, the aim of which is to permanently preserve the state of certain websites at certain dates. This can mean that information published on the Internet can still be found on the original site even after it has been deleted.

Data published on social media services are also accessible worldwide in case of doubt, can be found with search engines and linked to other information. Deletion of the data is not or not reliably possible. Whether and how the data is further used by the social media services themselves is beyond your control and that of HEIDELBERG

Duration of the processing of your data
We store the personal data mentioned above, which we process on the basis of our legitimate interests mentioned above, for a maximum of 3 years or, in the case of regular events or regularly published printed works, for up to 6 months after the next similar event or publication. In these cases, however, processing without your express consent is intended for a maximum of 5 years.

Prior to publication / use of the data, the legality of storage and use will be reviewed again in each case.

If there is a given reason, for example to assert or defend legal claims, we can also store your data for longer.

Purposes of the processing(s) and their legal basis(s):
Please note all processing operations listed below that may take place in the course of using the HEIDELBERG Customer Portal (Heidelberg's cloud-based customer portal) and the associated apps. In this document, you will find the processing of information and data within the scope of the HEIDELBERG Customer Portal, and the individual apps mentioned by name, including user administration. Processing of personal data via other apps that can be used via the HEIDELBERG Customer Portal is described in this document at the appropriate place of the respective apps.

Correspondence and telecommunications
Data that users transmit as personal data in the context of communication and telecommunication are processed for the purpose of processing. The legal basis for this is Art. 6 para. 1 lit. b GDPR. In addition to the data transmitted directly by users, the messages or communications contain meta data, for example the phone number used, e-mail address and IP address, date and time of processing.

Support
If users request support from Heidelberger Druckmaschinen AG or the locally responsible country and sales company or sales partner, the necessary data is processed on the legal basis of Art. 6 para. 1 lit. b GDPR. In the context of this contract fulfillment or contract-preparatory measures at the request of the person concerned within the meaning of Art. 6 para. 1 lit. b GDPR, it may be necessary in individual cases to pass on data to external service providers, e.g. hosting providers, software providers, IT specialists but also, for example, the user's service providers.

Web server log files
When accessing the HEIDELBERG Customer Portal, the IP address of the calling client, date and time, the page called up, status codes and browser identification are stored in the web server log files. This is based on the legal basis Art. 6 para. 1 lit. f GDPR. Our legitimate interest is to check web traffic and record and evaluate possible access and performance problems. This data is processed for 7 days by default.

Log data of the HEIDELBERG Customer Portal
In order to optimize the HEIDELBERG Customer Portal, with the aim of offering users better and better services, as well as for technical reasons, such as error analysis, log data is collected and stored. These log the behavior and states of each individual component of our service during operation. They may contain personal data, such as user IDs and other personal data (e.g. user data, organizational data, notifications) from requests or responses from/to other system components. These data are used to monitor the performance of the HEIDELBERG Customer Portal. They are used to maintain the service, to detect error conditions and to be able to correct them. This follows the legal basis of safeguarding legitimate interests of the controller or a third party according to Art. 6 para. 1 lit. f GDPR. Our legitimate interest is the optimization and maintenance of the operation. This data is processed for 30 days by default.

Security monitoring and forensics
Certain log data, through which security-relevant events can be detected and traced, are stored separately. This serves to protect the HEIDELBERG Customer Portal, its users and their data. Possible cyber attacks can thus be detected at an early stage and, if necessary, averted or reconstructed retrospectively. Our legitimate interest is to secure the HEIDELBERG Customer Portal and to detect and ward off possible attacks, as well as to document corresponding processes. In addition, this data may be used within the scope of legitimate interest (Art. 6 para. 1 lit. f GDPR) for the assertion, exercise or defense of legal claims or damages. For this purpose, a transfer to third parties may also be necessary in individual cases; see also section "Recipients or categories of recipients of personal data".

Use of contact data for promotional purposes in legitimate interest
We also process the contact data of interested parties and users collected within the framework of the HEIDELBERG Customer Portal for advertising purposes on the basis of the legal basis Art. 6 para. 1 lit. f GDPR in conjunction with Art. 47 GDPR. It is our legitimate interest to inform interested parties and also users about our products and services for promotional purposes.

The collected relevant contact data, as well as interest in our products and services, will be transmitted to the relevant country or sales company or sales partner if necessary. The processing takes place in our CRM program, as well as e-mail and telecommunication systems.

Please note the right to object to processing for the purpose of direct advertising, which you will find in the section "Data subject rights".

Use of contact data for advertising purposes with consent
For the promotional use of certain contact channels, we require the voluntary consent of the data subjects in Germany. These consents are requested during registration or in the course of using the HEIDELBERG Customer Portal. The receipt of promotional e-mails must be confirmed by data subjects via double opt-in. The consent according to Art. 6 para. 1 lit. a GDPR is voluntary and can be revoked at any time. The use of the HEIDELBERG Customer Portal is also possible without consent or after revocation of consent.

Other processing in the context of legitimate interest.
Processing of personal data within the scope of legitimate interest (Art. 6 para. 1 lit. f GDPR) may take place for the assertion, exercise or defense of legal claims or regulation of damages or compliance with regulations. For this purpose, a transfer to necessary third parties may also be necessary in individual cases. Information on the right to object on a case-by-case basis is provided in the "Data Subject Rights" section. Information about possible recipients is listed in the section "Recipients or categories of recipients of the personal data".

Recipients or categories of recipients of the personal data:
Access to data from the HEIDELBERG Customer Portal, as well as the apps and related services, is granted to responsible employees of Heidelberger Druckmaschinen AG, the locally responsible country and sales companies or sales partners of Heidelberger Druckmaschinen AG, as well as commissioned service providers and their subcontractors.

If commissioned service providers have access to personal data and this constitutes commissioned data processing, an agreement on commissioned data processing has been concluded with the service providers, which also takes into account regulations for possible subcontractors.

Other processing within the scope of legitimate interest
For other processing in the context of legitimate interest, personal data may be transferred to the judiciary, authorities, legal representation, insurance companies and necessary companies, e.g. Internet providers, cloud service providers or security service providers.

Intention Data transfer to third country or international organization:
Relevant contact data collected in the course of registering and using the HEIDELBERG Customer Portal and the apps included in the HEIDELBERG Customer Portal, as well as interest in products and services or support requests (support), will be transferred to the respective responsible country or sales company or sales partner of Heidelberg.

There is no transfer of user data by the responsible party to a third country or other international organization in accordance with the GDPR beyond the above-mentioned processing, unless

• we do not have to do so for legal reasons
• this is not necessary for processing or
• is necessary in the context of legitimate interest,
• the data subject has consented to it
• the data subject is domiciled there,
• the data subject operates corresponding devices or services for communication there, or
• for technical reasons, a corresponding routing takes place, over which we have no influence.

Cloud services
Heidelberger Druckmaschinen AG uses services from Amazon Web Services of Amazon Web Services EMEA SARL, Luxembourg, for the provision and operation of the HEIDELBERG Customer Portal. Other cloud services, such as Google for Google Analytics, are documented for the respective processing in this document or in the data protection information of the respective app.

Unless otherwise noted in a processing operation, no transfer of user data by the controller to a third country or other international organization pursuant to the GDPR will take place unless

• we do not have to do so for legal reasons,
• this is not necessary for processing or
• is necessary in the context of legitimate interest,
• the data subject is domiciled there,
• the data subject operates corresponding devices or services for communication there, or
• for technical reasons, e.g. corresponding routing takes place, over which the data controller has no influence.

Duration or criteria for the duration of storage:
The user data is stored in the HEIDELBERG Customer Portal for the duration in which the user is authorized to access the HEIDELBERG Customer Portal, but for a maximum of 30 days after the authorization is withdrawn.

Unless otherwise described in individual processing operations, personal data is processed, e.g. in the context of telecommunications and correspondence or support, for as long as it is necessary for the respective purpose or, on the legal basis of Art. 6 para. 1 lit. c GDPR, for compliance with corresponding regulations.

A longer storage in the context of legitimate interest according to Art. 6 para. 1 lit. f GDPR can take place, provided that these data are necessary, for example, for the assertion, exercise or defense of legal claims, compliance with regulations or regulation damage.

User data will be processed for promotional purposes until the data subject objects or the purpose of the promotional use ceases to apply.

Transport encryption via TLS/SSL
The transmission of data between the user's device and the HEIDELBERG Customer Portal is encrypted via TLS/SSL according to the current state of the art.

Use of cookies

Consent management solution
When using the HEIDELBERG Customer Portal, cookies may be stored on the end device. Technically required cookies are based on the legal basis Art. 6 para. 1 lit. b GDPR. Technically unnecessary cookies, for which we require consent in certain regions, are based on the legal basis Art. 6 para. 1 lit. a GDPR. Consent is given via consent management solution (""Consent Banner""). Consents granted can be adjusted or revoked here at any time with effect for the future.

We use a consent management solution. The service allows users to decide which of the various services available on the HEIDELBERG Customer Portal (associated with personal data processing), which are only permitted on the basis of consent, they would like to use. Furthermore, the consent management solution allows us to document this consent to data processing and to provide the legally required proof thereof. In this context, your indication applies to all our websites and apps.

The following data is processed:

• Date and time of the visit
• Device information
• Browser information
• Anonymized IP address
• Opt-in and opt-out data

The legal basis for the processing is Art. 6 para. 1 lit. f GDPR in conjunction with Art. 7, 24 para. 1 GDPR.

For retention: All information is stored for three years from the end of processing. The legal reason for this is our obligation to document compliance with data protection requirements according to Art. 6 para. 1 lit. c GDPR in conjunction with. Art. 5 para. 2 and Art. 24 GDPR, combined with our legitimate interest in proving compliance, Art. 6 para. 1 lit. f GDPR in conjunction with Section 41 BDSG in conjunction with Section 41 para. 2 no. 1 German Act on Regulatory Offences (Gesetz über Ordnungswidrigkeiten – OwiG). The platform is operated by our order processor, Usercentrics GmbH, Sonnenstrasse 23, 80331 Munich.

You can find more information about the data protection of Usercentrics here: https://usercentrics.com/de/datenschutzerklaerung

Cookie:

Name: ssm_au_c
Provider: Usercentrics
Description: This cookie is used to manage cookie consent on our site and to store your preference.
Expiration: It will remain until you delete cookies from your browser or changes are made within the cookie consent tool.

Google Analytics
For the purpose of demand-oriented design and continuous optimization of our pages, we use Google Analytics, a web analytics service provided by Google Ireland Ltd ("Google"), on the basis of user consent pursuant to Art. 6 para. 1 lit. a GDPR. Google Analytics uses ""cookies"" that enable an analysis of your use of our websites. In this context, our order processor Google creates pseudonymized usage profiles and uses cookies.

Processed data:

• Browser type/version,
• Operating system used,
• Referrer URL (the previously visited page),
• host name of the accessing end device (IP address, advertising ID)
• Time of the server request

Google Analytics is only used by us in conjunction with activated IP anonymization (IP masking). This means: The IP address of a user is shortened by Google for users within the member states of the European Union and other contracting states of the Agreement on the European Economic Area. Only in exceptional cases (e.g. in the event of a technical defect in the European Union) is the IP address sent to a US server and shortened there.

The method of anonymizing IP addresses used by Google does not write any IP addresses to the hard disk, as the anonymization takes place directly after receiving the request in the RAM. We do not receive any personal data from Google, only anonymized statistics.

On behalf of the operator of this website, Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity and providing other services relating to website activity and internet usage to the website operator. The IP address transmitted by the user's device as part of Google Analytics is not merged with other data from Google. The storage of cookies can be prevented by users by means of a corresponding setting in the browser. If technically required cookies are not allowed to be set due to user settings, the corresponding functions cannot be used.

Transfer to third countries (outside the EU and EEA):
Google receives personal data in the course of analyzing user behavior based on your consent and processes this data if necessary for the provision of services worldwide:

Google Ireland Limited
Gordon House, Barrow Street
Dublin 4
Ireland

Tel: +353 1 543 1000
Fax: +353 1 686 5660
Email: support-deutschland@google.com

Google Privacy Policy
We store the data on pseudonomized profiles, which cannot be assigned to an individual person, for a period of 26 months in order to optimize our websites. At the end of the 26 months, this data is automatically deleted.

Cookies:

Name: _ga, _gat
Provider: Google Universal Analytics
Description: both analyze browsing behavior and allow the creation of flow statistics; _ga is used to distinguish individual users by determining a randomly generated number as a client identifier (depending on the browser and device), which allows the calculation of visits and sessions; _gat is used to distinguish between the different objects created in the session.
Expiration:
_ga | Two years from setting, updating, or until you delete cookies from your browser;
_gat | 20 minutes from setting or updating.

Name: Source
Provider: Google Universal Analytics
Description: Captures the origin from where a user came to our pages.
Expiration: 1 year from setting or update

Google Tag Manager
We use the Google Tag Manager. The provider of the Google Tag Manager component is Alphabet Inc. This service enables the management of website tags via an API. Google Tag Manager only implements tags. This means that cookies are not used and no personal data is collected. The Google Tag Manager triggers other tags with which data can be collected. However, the Google Tag Manager does not access this data. If disabled on a domain or cookie basis, the disabling applies to all tracking tags if implemented with Google Tag Manager.

Statutory or contractual requirement to provide data and possible consequences of failure to provide such data:

In order to use the HEIDELBERG Customer Portal and the apps provided therein, the following are required

• The use of a Zaikio account,
• a registration with the HEIDELBERG Customer Portal,
• the assignment of user rights,
• the assignment to one or more organizations,
• the provision of required information for desired functions, and
• the organizational and technical data necessary for the fulfillment of the contract and, if applicable, the communication data required. Without this information, use is not possible.

Optional voluntary information or consent to the use of technically unnecessary cookies, are voluntary and have no influence on the use of the HEIDELBERG Customer Portal.

Automated decision-making:
There is no automated decision in individual cases, including profiling in accordance with Art. 22 GDPR.

Adaptations of this data protection information
Both the modular content and functions and the content and functions of the basic HEIDELBERG Customer Portal are subject to ongoing development. Accordingly, this data protection information will be continuously adapted to the new content and functions.

HEIDELBERG Account and user administration
The HEIDELBERG Customer Portal enables authorized users with an HEIDELBERG Account to access information (e.g. product information), digital content (e.g. videos) and functions (apps, e.g. machine information) via the portal and to use them within the scope of the terms of use.

The structure of the HEIDELBERG Customer Portal, including the apps, is modular, i.e. not all content and functions are generally available to all users, but are dependent on authorizations, existing contracts or the operation of certain machine types. The scope of services of the HEIDELBERG Customer Portal and the apps can be found in the respective terms of use.

Access, operation and setup of the HEIDELBERG Account in connection with Zaikio
With an HEIDELBERG Account, users have the ability to access the HEIDELBERG Customer Portal. There, the user can create one or more organizations independently. Users who create an HEIDELBERG Customer Portal organization become the organization owner, hereafter called organization owner. The Organization Owner can be changed.

For the initial registration for the HEIDELBERG Account and subsequent logins, the user must have an HEIDELBERG Customer Portal ID.

Heidelberg uses the Zaikio authentication service to create the HEIDELBERG Customer Portal ID. A Zaikio account with the external service provider Zaikio GmbH via www.zaikio.com is required to register the HEIDELBERG Account. If no Zaikio account exists, it can be created as part of the registration process for the HEIDELBERG Account. The use of the Zaikio authentication service is based on the terms of use and privacy policy of Zaikio with the user. When using the Zaikio account to access the HEIDELBERG Customer Portal, including apps, the Zaikio user ID and a confirmation of a successful login are transmitted to Zaikio. A transmission of this data is based according to the terms of use and privacy policy of Zaikio.

Legal basis for the provision of the HEIDELBERG Customer Portal
The legal basis for the provision of the HEIDELBERG Customer Portal until registration is based on the legal basis Art. 6 para. 1 lit. f GDPR. The legitimate interest is the provision of a modern online portal solution for accessing information and digital content and functions. The technically necessary data is processed upon access, as described in the following sections under web server log files and security monitoring and forensics.

Legal basis as of registration and use of the HEIDELBERG Customer Portal.
The legal basis as of registration is Art. 6 para. 1 lit. b GDPR ""Contract performance or measures in preparation of a contract at the request of the data subject"". If a user wishes to access an organization of another organization owner, this is based on the legal basis Art. 6 para. 1 lit. b GDPR. In the context of the fulfillment of the contract in the sense of the GDPR according to Art. 6 para. 1 lit. b GDPR - a transmission of the data to the respective organization -owner takes place.

User administration and data exchange with the Zaikio account
The HEIDELBERG Customer Portal has a user administration by default. Via this, it is possible for authorized users of an organization to grant access to the organization to other users and to assign corresponding rights. In addition, it is possible for users to make access requests for one or more organizations. Correspondingly authorized users of an organization can then approve access via the user administration and grant corresponding rights or deny access.

Via the HEIDELBERG Customer Portal, new and changed user and organization data such as organization, country and language can be transmitted to the respective Zaikio account to Zaikio. This is based on the legal basis Art. 6 para. 1 lit. b GDPR for the respective user. If changes are made by other authorized organizational users, the legal basis is based on Art. 6 para. 1 lit. f GDPR ""legitimate interest"". Our legitimate interest is to transmit the desired changes to user accounts, e.g. language settings, to Zaikio in the context of simple and convenient user administration as part of portal operation. The Zaikio user can also change these changes in his Zaikio account, which synchronizes them with the HEIDELBERG Customer Portal.

Notifications by email as part of the registration process, invitations and notifications.
To complete the registration process, it is necessary to confirm the registration. For this purpose, a confirmation e-mail will be sent to the e-mail address provided during registration. This e-mail contains a link through which the registration can be confirmed and thus completed. The system used stores the date and time of registration and confirmation for this purpose.

If authorized organizational users add a Zaikio user to the HEIDELBERG Customer Portal, these added Zaikio users receive an e-mail with a link via which they can confirm their addition to the portal.

In addition, Heidelberger Druckmaschinen AG may inform HEIDELBERG Customer Portal users by e-mail about relevant events, e.g. planned maintenance, changes, and new or modified functions or conditions.

The legal basis for these notifications is based on Art. 6 para. 1 lit. b GDPR, the performance of a contract.

Analytics apps

• Analytics includes the apps
• Benchmarking
• PAT
• Totalizer Booth
• Insights

Purposes of the processing(s) and their legal basis(s)
Production data can be viewed and evaluated via the Analytics apps. In addition, users can be informed when certain events occur. Which data a user can view or which functions can be used depend on the user rights that the account owner or an authorized user in the user management of the HEIDELBERG Customer Portal can grant to the user.

Use and legal basis
To use the Analytics app, the user needs an HEIDELBERG Account with the corresponding portal permissions. Other stored user details, such as the name, email address, mobile device address and language, are required for functions such as notification of events. During use, the IP address, date and time of access, as well as status messages and browser recognition are also processed for technical delivery, log files, security monitoring and forensics.

The legal basis as of registration is Art. 6 para. 1 lit. b GDPR "Contract performance or contract-preparatory measures at the request of the data subject".

Both the modular content and functions and the content and functions of the basic HEIDELBERG Customer Portal solution are subject to ongoing development. Accordingly, this data protection information will be continuously adapted to the new content and functions.

Administration apps

• Contracts
• Equipment Status

Purposes of the processing(s) and their legal basis(s)
Contract data and a machine overview can be viewed and evaluated via the administration apps. In addition, users can be informed when certain events occur. Which data a user can view or which functions can be used depend on the user rights that the account owner or an authorized user can grant to the user in the user administration of the HEIDELBERG Customer Portal.

Use and legal basis
To use the admin apps, the user needs an HEIDELBERG Account with the corresponding portal permissions. Other stored user details, such as the name, e-mail address, mobile device address and language, are required for functions such as notification of events. During use, the IP address, date and time of access, as well as status messages and browser recognition are also processed for technical delivery, log files, security monitoring and forensics.

The legal basis as of registration is Art. 6 para. 1 lit. b GDPR "Contract performance or contract-preparatory measures at the request of the data subject".

Both the modular content and functions and the content and functions of the basic HEIDELBERG Customer Portal solution are subject to ongoing development. This data protection information will be adapted accordingly to the new content and functions on an ongoing basis.

Shopping apps

• eShop
• Invoices
• Return Shipments
• Shipments
• Used Equipment

Purposes of the processing(s) and their legal basis(s)
Via the Shopping Apps, data on purchases and sales of consumables and spare parts, invoice overviews, returns, delivery status, overview of deliveries as well as overviews of currently available used equipment can be viewed and evaluated. In addition, users can be informed when certain events occur. Which data a user can view or which functions can be used depends on the user rights that the account owner or an authorized user can grant the user in the HEIDELBERG Customer Portal user administration.

Use and legal basis
To use the Shopping apps, the user needs an HEIDELBERG Account with the corresponding portal authorizations. Other stored user details, such as the name, e-mail address, mobile device address, supplier and billing data, and language, are required for functions such as notification of events. During use, the IP address, date and time of access, as well as status messages and browser recognition are also processed for technical delivery, log files, security monitoring and forensics.

The legal basis as of registration is Art. 6 para. 1 lit. b GDPR "Contract performance or contract-preparatory measures at the request of the data subject".

Both the modular content and functions and the content and functions of the basic HEIDELBERG Customer Portal solution are subject to ongoing development. Accordingly, this data protection information will be continuously adapted to the new content and functions.

Support apps

• Equipment Status Report
• Knowledge Base
• Maintenance Manager
• Pedictive Monitoring
• Service Scheduler
• Service Tickets
• Training Service

Purpose(s) of the processing and its (their) legal basis(s)
Via the Support -Apps, data on machine status and functionality as well as customer data (name, address, contact person, contact details) can be viewed and evaluated. In addition, users can be informed when certain events occur. Which data a user can view or which functions can be used depend on the user rights that the account owner or an authorized user in the user administration of the HEIDELBERG Customer Portal can grant to the user.

Use and legal basis
To use the support apps, the user needs an HEIDELBERG Account with the corresponding portal authorizations. Other stored user details, such as the name, e-mail address, mobile device address and language, are required for functions such as notification of events. During use, the IP address, date and time of access, as well as status messages and browser recognition are also processed for technical delivery, log files, security monitoring and forensics.

The legal basis as of registration is Art. 6 para. 1 lit. b GDPR "Contract performance or contract-preparatory measures at the request of the data subject".

Both the modular content and functions and the content and functions of the basic HEIDELBERG Customer Portal solution are subject to ongoing development. Accordingly, this data protection information will be continuously adapted to the new content and functions.

Further links:

• Imprint
• HEIDELBERG Customer Portal - Terms of Use

What data do we process and for what purpose
By fulfilling the concept customer agreement, we process the following data: Last name, first name, company, company address, business telephone number and business e-mail address and, if necessary, your ""G status"" in accordance with the German Infection Protection Act (Infektionsschutzgesetz). Here we only document whether a ""2G+ status"" exists or not.

We also process this data to carry out internal compliance checks with regard to adherence to internal guidelines and legal requirements.

You are not obliged to provide the listed data for the purposes mentioned.

Legal basis for processing
We process your personal data for the purposes listed above based on the following regulations:

The legal basis for processing your personal data for the purpose of processing the concept customer agreement is the performance of the contract pursuant to Art. 6 para. 1 lit. b GDPR.

The legal basis for the processing of your personal data for the performance of internal compliance checks with regard to compliance with internal guidelines and legal requirements is Art. 6 para. 1 lit. c GDPR in conjunction with Sections 299, 300 in conjunction with 78 para. 3 no. 3, 4 in conjunction with Section 78a of the German Criminal Act (StGB), Section 130 German Regulatory Offences Act (OwiG), Section 309 in conjunction with 57 of the Austrian Criminal Act (ÖStGB), 7 Section 1, 11 UK Bribery Act, Art. 322 et seq. of the Swiss Criminal Act (ChStGB).

Disclosure of data and transfer of data to a third country

Internal disclosure:
There are no plans to share your data internally.

Disclosure to third parties:
An external transfer of your data is not planned.

For the assertion and defence of legal claims, your data may have to be passed on to third parties such as insurance companies, courts and authorities.

Duration of the processing of your data
All data relating to the performance of the contract will be processed for the duration of the concept customer agreement and for 10 years after the end of the event.

We will delete the date of the existence of a "2G+" status 6 weeks after the event.

If there is a given reason, for example to assert or defend legal claims, we may also keep your data for longer.

In the course of our business relations and general communication, we at HEIDELBERG process personal data of our business and communication partners. Here we describe the processing of personal data in the course of this general and business-related communication. Depending on the business relationship, further data processing may take place, about which we will inform you at the appropriate point.

Categories and sources of personal data processed
In the course of normal business operations and general communication, we process the following data from you in particular, which we receive from yourself or your employer: Name and contact details such as email address, telephone number, postal address Information about the position or role in which you contact us and your employer or business activity Communication content. We do not receive some information directly from you, but obtain it from publicly available sources, such as public telephone, address and trade directories, public notices, publicly accessible registers and the Internet, provided the data is freely accessible there.

Purpose and legal grounds for collecting, processing or using data
Insofar as we obtain your consent for the processing of personal data (e.g. for sending advertising), this serves as the legal basis in accordance with Art. 6 para. 1 lit. a GDPR. If our company is subject to a legal obligation by which the processing of personal data becomes necessary, such as for the fulfilment of tax obligations, the processing is based on Art. 6 para. 1 lit. c GDPR. In business contact, many of our data processing operations are based on our and your legitimate interests (Art. 6 para. 1 lit. f GDPR): General communication, as well as communication for contract preparation or execution: in your and our interest, we process your contact information and, if applicable, the assignment to your employer or to your business activity, as well as communication content, in order to enable general communication, contract preparation or execution between us. The legal basis is then Art. 6 para. 1 lit. f GDPR. Deviating from this, the legal basis is Art. 6 para. 1 lit. b GDPR if you (and not your company or your employer) are our contractual partner.

Maintaining contacts and sending interesting information (Art. 6 para. 1 lit. f GDPR) In the course of our general business operations, we come into contact with various persons such as employees of business partners, interested parties, public institutions. In order to promote a long-term pleasant and trustful cooperation, our employees may send you information about interesting internal changes, events or products, or personal messages such as a thank you for pleasant cooperation or Christmas greetings. If you do not wish this, you can object at any time directly to the sender, or by e-mail to [company-specific address, NOT data protection officer]. These and possibly other processing of your data for the maintenance of our business operations are based on our legitimate interests.We process personal data in this context, of course, only to the extent necessary.

Recipients or categories of recipients to whom we pass on your data
In the normal course of business, your personal data will be processed as necessary by various departments within HEIDELBERG and, depending on the content of your request, also by other HEIDELBERG companies or, in exceptional cases, by third parties. This depends on the type and content of the contact in the individual case, so that we can only provide general information below. If you have any questions about a specific individual case, please contact us.

Internal transfer of personal data:
The internal IT departments of the HEIDELBERG Group and the selected service providers commissioned by them may access your data insofar as this is necessary in the course of fulfilling their tasks.

Transfer to third parties:
Such transfer is not foreseen in the normal course of business.

Transfer to third countries or international organisations:
Such a transfer is not provided for in the normal course of business.When using processors in third countries, we ensure the adequacy of the level of data protection in accordance with the provisions of Art. 45 et seq. GDPR.

Duration of data storage
We process personal data which we process on the basis of consent for as long as this is permissible according to the wording of the consent or until the consent of the person concerned has been revoked.

We keep tax-relevant personal data for 10 years, Section 147 para. 3 s. 1 of the German Fiscal Code (AO); Section 257 para. 4 in conjunction with. para. 1 No. 1 and 4 of the German Commercial Code (HGB), as well as Sections 14 b, 10 para. 1 s. 1 and 2 of the German Value Added Tax Act (UstG). We keep business letters and other documents relevant to taxation for 6 years.

We store data relevant for the proof of the proper fulfilment of the contract on the basis of our legitimate interest for the defence or assertion of legal claims until their limitation for 3 years from the end of the year in which the processing was carried out, Art. 6 para. 1 lit. f GDPR, Sections 280 para. 1, 195, 199 para. 1 German Civil Code (BGB).

In addition, we also store personal data if there is another legitimate interest according to Art. 6 para. 1 lit. f GDPR, or a legal obligation according to Art. 6 para. 1 lit. c GDPR, for example to prove the proper provision of services or as evidence in a legal dispute. If personal data is subject to several retention periods, the longest period shall apply in each case.