Data Privacy Statement

Version dated: 25 May 2018 (older versions)

The protection and security of your data is an important issue for us, the ALBA Group, and one that we pay attention to in all our business processes. In this data privacy statement, we would therefore like to provide you with an overview of the data protection-related aspects of our online offer. In the following we will explain:

• Which data we collect when you use the online offer of the ALBA Group
• The purposes for which these data are processed by the companies of the ALBA Group and third-party companies
• Which rights and options you have with respect to the processing of your data
• How you can contact us in data protection matters

This data privacy statement applies to the online offers of the ALBA Group in the domains albagroup.de and alba.info including possible subdomains (such as berlin.alba.info or nisa.alba.info for example) (hereafter referred to as "websites"), the social media presentations of the ALBA Group on Facebook, Google+, Instagram, Xing, LinkedIn, YouTube and Twitter (hereafter referred to as "social media profiles") as well as the customer portal ALBAclick.

All other online offers of ALBA Group companies but the ones detailed above are subject to their respective own data privacy statements, which you can view in the corresponding offer.

The controller of the data processing within the meaning of the European General Data Protection Regulation (GDPR) is the

ALBA Group plc & Co. KG
Knesebeckstr. 56-58
10719 Berlin

ALBA Group plc & Co. KG is the administration company and service provider for ALBA Group companies. In this function it also creates and takes responsibility for the online presentations of the ALBA Group companies introduced in the aforementioned websites (e.g. for ALBA Berlin GmbH in the subdomain berlin.alba.info).

Any mention of "we", "us" or the "ALBA Group" in this data privacy statement exclusively refers to ALBA Group plc & Co. KG.

You can reach the company data protection officer of the ALBA Group at datenschutz (at) albagroup.de or by way of the postal service, "c/o the data protection officer".

You can visit our websites without providing any personal information. Only the access data sent to us by your browser automatically will be collected in this case. This for example includes your online identifiers (e.g. IP address, session IDs, device IDs), information on the web browser and operating system used, possibly the website from where you opened our websites (i.e. if you have come to our website by way of a link), the names of the requested files (i.e. of the texts, videos, pictures etc. you viewed on our websites), the language settings of your browser, possible error reports, and the times of the individual access events.

The access data need to be processed to enable your visit and comfortable use of our websites and ensure their continuous functionality and security.

The access data are temporarily stored in internal log files to provide statistical information about the use of our website. This enables our continuous optimization and further development of our websites with respect to the usage routines and technical equipment of our users, and helps to eliminate faults and security risks. The information stored in the log files is not directly relatable to you personally – especially as we will only store the IP addresses in a truncated, anonymized form. The log files are stored for 30 days and then archived after anonymization.

The legal basis of this data processing is GDPR section 6.1.f (balancing of interests based on our legitimate interests detailed above).

We use own cookies on our websites and cookies from third-party providers. A cookie is a standardized text file that is stored by your browser for a defined period. Cookies enable the local storage of information such as the language settings and temporary identification features that the server which installed the cookie can access when the website is visited again. You can view and delete the cookies used in the security settings of your browser. And you can configure your browser settings as you wish, for example to reject the acceptance of third-party cookies or all cookies. We need to point out that you might not be able to use all the functions of our website in this case.

Our own cookies serve to make your visit of our websites more user-friendly and secure. The legal basis for the attendant data processing is GDPR section 6.1.f.

We use third-party cookies for web analysis and promotional purposes. Please see sections 2.6 and 4 of this data privacy statement for more information on this.

We collect all information and data you communicate to us by way of our websites. In various places of our websites, you are for example provided with the option of sending us messages and partly also data (e.g. PDF documents) by way of "Contact form" or "Contact" functions. The mandatory information required for these functions, if any, is highlighted as a rule.

We will only use the information you provide for processing your request.

We will delete the data accrued in the process as soon as their storage is no longer required, or restrict their processing where statutory retention periods apply.

Your message will only be forwarded to another ALBA Group company or external third party insofar as required for processing your request (we will for example forward your message to another ALBA Group company if it is responsible for processing your request). If you do not want your message to be potentially forwarded to another company, you can directly inform us of this in your message – naturally also as a precautionary measure. We will in this case only forward your message to the other company without the data that could identify you whereby you could be identified (e.g. your name, customer number or contact data).

The legal basis for the data processing detailed above is GDPR section 6.1.b. If you have consented to the forwarding and other processing of the data communicated by you, the legal basis is GDPR section 6.1.c.

Some of our websites include functions provided by the social network Facebook (so-called plug-ins). These plug-ins are operated by Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA ("Facebook"). Facebook is therefore solely responsible for operating the plug-ins in keeping with data protection requirements.

The plug-ins are integrated by way of a so-called two-click solution, meaning that to use a plug-in, you need to activate it first (= first click) to be able to operate it in the manner intended by Facebook (= second click). This is to prevent Facebook from collecting data about you without your consent.

If you visit a website containing a plug-in that you have previously activated, your browser will establish a direct connection with Facebook servers which sends the content of the plug-in (e.g. "like" or share buttons) to your browser and then integrates it in our website. This lets Facebook know that you have visited our website. If you are logged into Facebook with your personal user account when visiting our website, Facebook will be able to link the website visit with this account. When plug-ins are interacted with, e.g. by clicking the "like" button or leaving a comment, the respective information will be directly collected by Facebook and stored there. If you would like to prevent this, you need to log out of your Facebook account before activating plug-ins.

Further information on the purpose and scope of the data collection by Facebook, the further processing and use of your data there, your rights in this regard and setting options for protecting your privacy is available from Facebook's data privacy information at (http://de-de.facebook.com/privacy/explanation.php). 

The legal basis for the data processing detailed above, insofar as our responsibility, is GDPR section 6.1.f (balancing of interests based on our legitimate interest in making our contents available to a larger number of users).

We have embedded YouTube videos in parts of our websites. YouTube is a video platform operated by the Google company YouTube LLC, 901 Cherry Ave., San Bruno, CA 94066, USA ("YouTube"). The embedded YouTube videos can be watched on our websites directly. They are integrated in an "expanded data protection mode", meaning that no data about you as the user will be sent to YouTube if you do not watch the video. Data will only be sent to YouTube once you watch the videos. This data transmission is outside our sphere of influence. For the event of personal data being transmitted to the USA, Google and YouTube have subjected themselves to the EU-US Privacy Shield.

Visiting a website with embedded YouTube videos will provide YouTube and Google with the access data accrued in the process, and the information that you have visited the respective sub-page of our website. This happens regardless of whether you are logged into YouTube or Google or not. If you are logged into Google, your data will be directly linked with your Google account. If you do not wish them to be linked with your YouTube profile, you need to log out before watching a video. YouTube and Google may use your access data for the creation of usage profiles for promotional purposes, market research, and the needs-oriented design of their own websites. You have a right to object to the creation of these usage profiles, with objections needing to be directly addressed to YouTube or Google, respectively. For more information, please see the Google data privacy statement applicable to YouTube.

The legal basis for the data processing detailed above, insofar as our responsibility, is GDPR section 6.1.f (balancing of interests based on our legitimate interest in embedding video contents).

Our websites use the web analysis service Google Analytics, which is provided by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ("Google"). Google Analytics uses cookies for collecting your access data when our websites are visited. Google compiles the access data into pseudonymous usage profiles at our behest and sends them to a Google server in the USA. Your IP address is anonymized beforehand. We are therefore unable to determine which usage profiles belong to a specific user. We are thus neither able to identify you from the data collected by Google, nor can we determine how you use our websites. For the event of personal data being sent to the USA by way of exception, Google has furthermore subjected itself to the EU-US Privacy Shield. The data processing by Google Analytics therewith comes under an adequacy decision by the EU Commission, meaning that the data protection level is recognized as adequate even if the processing takes place in the USA by way of exception./p>

Google will use the information obtained through the cookies at our behest to analyse the use of our website, compile reports about website activities and provide us with other services in connection with website use and Internet use. Further information on this is also available from the data privacy statement of Google Analytics.

You can object to the creation and analysis of pseudonymous user profiles by Google as described above at any time. You have several options for this:

(1) You can set your browser so that Google Analytics cookies are blocked

(2) You can change the Google advertising settings at Google.

(3) You can install a deactivation cookie by clicking here: deactivate Google Analytics

(4) You can install the deactivation plug-in provided by Google at http://www.google.com/settings/ads/plugin in your browsers Firefox, Internet Explorer or Chrome (this option will not work in mobile devices).

The legal basis for this data processing is GDPR section 6.1.f (balancing of interests based on our legitimate interest in analysing the general usage behaviour).

Social media profiles of the ALBA Group are available to you in the following social networks:

• Facebook
• Google+
• Instagram
• Xing
• LinkedIn
• YouTube
• Twitter

Through these we inform you about the latest news and activities of the ALBA Group and like to use the options provided by social networks to communicate with their members directly.

But please note that we have no say over the data processing by social networks. You should thus please carefully examine the personal information and news you communicate to us in social networks, and use other contact options we offer in case of doubt. We are consequently unable to accept any liability for the behaviour of the operators of social networks and their other members.

When you communicate with us by way of our social media profiles, we will process the information provided to us in this regard by the respective social network (e.g. your name, profile page and contents of the messages you send us) in keeping with the purpose of your message (e.g. service requests, suggestions and criticism).

We will delete the data accrued in the process as soon as their storage is no longer required, or restrict their processing where statutory retention periods apply. With public posts in our social media profiles, we will decide if and when to delete them on a case-by-case basis in consideration of your and our interests.

The legal basis for the data processing described above depends on the purpose of your message. If the purpose resides in availing yourself of our customer service or enquiring about the services of the ALBA Group, the legal basis is GDPR section 6.1.b.

The legal basis in all other respects is GDPR section 6.1.f (balancing of interests based on our legitimate interest in processing your message). If you have consented to the processing of the aforementioned data, the legal basis is GDPR section 6.1.a.

We use the access data obtained from visits of our website for advertising in other providers' online offers (retargeting). We would like to present you with personalized advertising this way, i.e. adverts that cater to your interests and are hence more relevant for you. We also take part in the Google advertising network for this reason. This enables us to place personalized adverts in the online offers of other providers who are also included in the Google advertising network. Further information on Google's online advertising network and data privacy statement is available at http://www.google.com/privacy/ads/.

The legal basis for the data processing described below is GDPR section 6.1.f (balancing of interests based on the ALBA group companies' legitimate interest in providing personalized online advertising).

DoubleClick is a service provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ("Google"). DoubleClick uses cookies and pseudonymized identification features to collect your access data when visiting our and other websites included in the Google advertising network and to derive your interests from them. These pseudonymized usage profiles enable Google to present you with personalized advertising in the advertising spaces included in the Google advertising network. Every website included in the Google advertising network is allocated a different cookie by Google, meaning that these cookies cannot be tracked by other websites.

Google may also send the access data collected by way of DoubleClick to a server in the USA for analysis. Google has subjected itself to the EU-US Privacy Shieldfor this eventuality. The data processing by Google Analytics therewith comes under an adequacy decision by the EU Commission, meaning that the data protection level is recognized as adequate even if the processing takes place in the USA.

Furthermore, we also use the Audience function of Google Analytics in our websites. This function enables Google to provide you with personalized advertising at our behest when you visit the websites of other providers that are also included in the Google advertising network. To do this, Google uses cookies and the pseudonymous usage profiles created by Google Analytics (see section 2.6) when our website is visited to draw conclusions about your interests.

Based on these pseudonymous usage profiles, Google can provide you with personalized adverts in the advertising spaces included in the Google advertising network (Google can thus for example show you advertising for an offer of the ALBA Group that you have previously informed yourself about on one of our websites).

You can deactivate the processing of your data for personalized advertising in the Google advertising network at any time. There are several options for this:

1. You can set your browser so that it blocks cookies from the domain www.googleadservices.com.
2. You can adjust your advertising settings for Google at https://www.google.de/settings/ads.
3. SYou can install Google's free deactivation plug-in in your browsers Firefox, Internet Explorer or Google Chrome from the link http://www.google.com/settings/ads/plugin (will not work with browsers for mobile devices)
4. In addition to this, you can also centrally deactivate personalized advertising from Google and many other providers taking part in the self-regulation campaign "Your Online Choices" on the website http://www.youronlinechoices.eu.

Please note that Google will only show you general advertising that has not been selected on the basis of the access data collected about you if you deactivate personalized advertising.

We will principally only disclose your data if:

• you have explicitly consented to this as per GDPR section 6.1.a
• this is required as per GDPR section 6.1.f to assert, exercise or defend legal claims of an ALBA Group company and there is no reason to assume that you have an overriding legitimate interest in the data not being disclosed
• we are legally required to disclose them as per GDPR section 6.1.c
• their disclosure is permitted by law and required as per GDPR section 6.1 for the performance of a contract with you or for measures preceding the conclusion of such a contract at your request.

Parts of the data processing described in this data protection statement can be performed by external service providers at our behest. Besides the ones mentioned in this data protection statement, these service providers can in particular also include computer centres that store our websites and data bases, IT service providers that service our systems, and consultancy firms.

Insofar as we disclose data to our service providers, they are only permitted to use this information to fulfil their tasks. We selected and commissioned these service providers with great care. They are contractually bound to our instructions, have suitable technical and organizational measures in place for protecting the rights of data subjects, and are regularly monitored by us.

In the event of our disclosure of your data over and beyond this data protection statement to a service provider based in a country outside the European Economic Area (EEA), we will separately inform you of this fact and the specific guarantees underlying the data transfer, as the case may be. If you require copies of guarantees to substantiate an adequate level of data protection, please contact our data protection officer (see section 1).

Unless stated otherwise in this data protection statement, we will only store and use your data for as long as required to fulfil our contractual or statutory obligations or the purposes the data were collected for. We will, however, restrict their processing after the expiry of the statutory limitation purposes, meaning that your data will only be used to comply with statutory obligations from then on.

We will delete the data immediately thereafter, unless we still need them until the expiry of statutory limitation periods as proof for civil claims, or owing to statutory retention obligations. Even after this, we may still be required to store your data for accounting purposes. We are required to do so by statutory documentation obligations possibly arising from the Commercial Code, Tax Code, Banking Act, Money-Laundering Act and Securities Trading Act. The document storage periods required there range from two to ten years.

The legal basis of this data processing for fulfilling statutory documentation and retention obligations is GDPR section 6.1.c.

If you wish to assert the statutory data privacy rights detailed below, you can contact our data protection officer (see section 1) at any time:

• You are entitled to request information about our processing of your personal data at any time. In this information, we will explain the data processing and provide you with an overview of the personal data stored about you.
• If the data we store should be incorrect or no longer up-to-date, you have a right to have them rectified.
• You can also demand the deletion of your data. Should their deletion be prevented by other statutory requirements in exceptional cases, the data will be blocked to make them available only for that statutory purpose.
• You can also have the processing of your data restricted, e.g. if you are of the opinion that the data we store are incorrect.
• You have a right to data mobility, meaning that we will provide you with a digital copy of the personal data provided by you upon request.

You also have a right to lodge a complaint with a supervisory authority for data protection. The relevant supervisory authority for the ALBA Group is the Berlin Commissioner for Data Protection and Freedom of Information (Berliner Beauftragte für Datenschutz und Informationsfreiheit), Friedrichstr. 219, 10969 Berlin.

If you would like to assert your revocation or objection rights detailed below, an informal message to the contact data stated in section 1 above will suffice.

GDPR section 7.2 entitles you to withdraw a previously given consent from us at any time, with the consequence that we will refrain from the data processing that is based on this consent in the future. The withdrawal of your consent will not affect the lawfulness of the processing based on this consent before its withdrawal.

Insofar as we are processing your data based on legitimate interests as per GDPR section 6.1.f, GDPR section 21 gives you the right to object to this processing of your data on grounds relating to your particular situation, or if the objection concerns direct marketing. In the latter case, you have a general objection right which we will also implement without you citing reasons.

We maintain adequate technical measures for our online offers to ensure data security and especially protect your data from risks in data transmission and from unauthorized third-party access. These measures are constantly adapted to the state of the art. To protect the personal data disclosed by you on our website, we rely on Transport Layer Security (TLS), which encrypts the information you enter.

We update this data privacy statement from time to time, e.g. when we adjust our website or if the statutory or official requirements change.