Privacy policy by ZF Micro Mobility GmbH for the websites

https://www.dsp.zfmicromobility.com

Contents

2. Contact data of the data protection officer 1

4. General information on data processing; legal basis, purposes of processing, duration of storage, objection, and possibility of erasure. 1

5. Collection of general data and information. 1

6. Contact form and ticket system.. 1

7. Registration on our dealer service portal

8. Newsletter 1

9. Cookies. 1

10. Note on data processing on our Facebook fan page. 1

11. Privacy policy on the use and application of external scripts jQuery and Cloudflare CDN 1

12. Your rights. 1

13. Customer and supplier information, at the same time information on data processing according to Art. 12 ff. GDPR. 1

1. Name and address of the controller

The controller within the meaning of the General Data Protection Regulation (GDPR), other data protection laws applicable in the Member States of the European Union and other provisions of a data-protection nature is:

ZF MICRO MOBILITY GmbH

Escher-Wyss-Strasse 25

88212 Ravensburg

Germany
Website: www.zfmicromobility.com
E-Mail: info@zfmicromobility.com

Phone: +49(0) 6188 916 9065

2. Contact data of the data protection officer

For questions or ideas regarding data protection you may contact the ZF Data Protection Officer:

ZF Friedrichshafen

Data Protection Officer

Löwentaler Str. 20

88046 FRIEDRICHSHAFEN

GERMANY

Or via e-Mail: privacy@zf.com

3. Definitions

The data protection notice of ZF Micro Mobility GmbH is based on the defined terms of the General Data Protection Regulation (GDPR). Our data protection notice should be easy to read and understand. In order to ensure this, we would like to clarify in advance the definitions used.

3.1 Personal data

Personal data is any information relating to an identified or identifiable natural person (hereinafter "data subject"). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

3.2 Data subject
Data subject is any identified or identifiable natural person whose personal data are processed by the controller for the processing.

3.3 Processing
Processing means any operation or set of operations which is performed upon personal data, whether or not by automated means, such as collection, recording, organization, filing, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

3.4 Restriction of processing

Restricting of the processing is the marking of personal data as stored with the objective of restricting its processing in the future.

3.5 Profiling
Profiling is each type of automated processing of personal data that consists of using such personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects relating to that natural person's job performance, economic situation, health, personal preferences, interests, reliability, behavior, location or change of location.

3.6 Pseudonymization

Pseudonymization is the processing of personal data in such a way that the personal data can no longer be assigned to a specific data subject without the use of additional information, in so far as this additional information is kept in a special way and subjected to technical and organizational measures which ensure that the personal data cannot be assigned to an identified or identifiable natural person.

3.7 Controller or party responsible for the processing
Controller or party responsible for the processing (hereafter controller) is the natural person or legal entity, authority, institution or other post, which alone or together with others decides on the purposes and means of the processing of personal data. If the purposes and means of the processing are laid down in European Union legislation or the legislation of the member states, then the controller or the particular criteria of the appointment of this controller in accordance with European Union legislation or the legislation of the member states can be provided.

3.8 Processor
Processor is a natural person or legal entity, authority, institution or other post, which processes the personal data on the instructions of the controller.

3.9 Recipient
Recipient is a natural person or legal entity, authority, institution or other post to which personal data are disclosed regardless of whether this is a third party or not. However, authorities, which receive within the framework of a particular investigation order in accordance with European Union legislation or the legislation of the member states data which possibly may be/contain personal data, do not hold good as recipients.

3.10 Third party
Third party is a natural person or legal entity, authority, institution or other post with the exception of the data subject, the controller, the order processor and those persons which are authorized under the direct responsibility of the controller or of the order processor to process the personal data.

3.11 Consent
Consent is each declaration of will given voluntarily by the data subject for the definite case in an informed and unambiguous manner in the form of a declaration or other unambiguous confirmatory action, with which the data subject makes clear that he/she agrees to the processing of personal data relating to himself/herself.

4. General information on data processing; legal basis, purposes of processing, duration of storage, objection, and possibility of erasure

4.1 General information on the legal basis

Where we obtain the consent of the data subject for the processing of personal data, Article 6(1)(a) of the EU General Data Protection Regulation (GDPR) serves as the legal basis for the processing of personal data.

Art. 6 para. 1 lit. b GDPR serves as the legal basis for the processing of personal data required for the performance of a contract to which the data subject is a party. This also applies to processing operations that are necessary for the implementation of pre-contractual measures.

Insofar as the processing of personal data is necessary to fulfil a legal obligation to which our company is subject, Art. 6 para. 1 lit. c GDPR serves as the legal basis.

Art. 6 para. 1 lit. d GDPR serves as a legal basis in the event that vital interests of the data subject or another natural person necessitate the processing of personal data.

If the processing is necessary to safeguard a legitimate interest of our company or a third party and if the interests, fundamental rights, and fundamental freedoms of the data subject do not outweigh the first-mentioned interest, Art. 6 para. 1 lit. f GDPR serves as the legal basis for the processing.

4.2 General information on data erasure and storage duration

The personal data of the data subject will be deleted or blocked as soon as the purpose of storage no longer applies. In addition, the data may be stored if the European or national legislator has provided for this in EU regulations, laws or other provisions to which the person responsible is subject. The data shall also be blocked or deleted if a storage period prescribed by the aforementioned standards expires, unless it is necessary for further storage of the data for the conclusion or performance of a contract.

4.3 General information on processing on our website

Data protection, data security and secrecy protection have high priority for ZF Micro Mobility GmbH. The permanent protection of your personal data, your company data and your trade secrets is particularly important to us.

In principle, you can visit our website without providing any personal information. However, if you make use of the services of our company via our website, this requires the disclosure of your personal data. In general, we use the data communicated by you and collected by the website and the data stored during use exclusively for our own purposes, namely for the implementation and provision of our website and for the initiation, implementation and processing of the services offered via the website (contract performance) and do not pass these on to outside third parties, unless there is an officially ordered obligation to do so. In all other cases, we will obtain your separate consent.

Your personal data will be processed in accordance with the requirements of the General Data Protection Regulation and in accordance with the country-specific data protection regulations applicable to us. By means of this data protection note, we would like to inform you about the type, scope and purpose of the personal data processed by us. In addition, we will inform you of your rights by means of this data protection notice.

The ZF Micro Mobility GmbH has implemented technical and organizational measures to ensure adequate protection of personal data processed via this website. Nevertheless, Internet-based data transmissions can in principle have security gaps, so that absolute protection cannot be guaranteed.

5. Collection of general data and information

The website of ZF Micro Mobility GmbH collects a range of general data and information each time the website is called by a data subject or an automated system. This general data and information is stored in the log files of the server. Able to be collected are: (1) the browser types and versions used, (2) the operating system used by the accessing system, (3) the website, from which an accessing system reaches our website (so-called referrer), (4) the sub-websites, which are steered to on our website via an accessing system, (5) the date and time of an access to the website, (6) an Internet-protocol-address (IP-address), (7) the Internet service provider of the accessing system and (8) other similar data and information, which serve the warding off of hazards in the case of attacks to our IT systems.

In using this general data and information ZF Micro Mobility GmbH draws no conclusions about the data subject. Much more is this information needed (1) to be able to deliver out the content of our website correctly, (2) to permit the optimization of the content of our website and of the advertising for this, (3) to ensure the durable functionality of our IT systems and of the technology of our website and (4) to be able to make available to the law enforcement authorities the information necessary for criminal prosecution in the case of a cyber-attack. This anonymously collected data and information is evaluated ZF Micro Mobility GmbH on the one hand statistically and on the other hand with the objective of increasing the data protection and the data security in our company in order finally to ensure an optimal level of protection for the personal data processed by ourselves. The anonymous data of the server-logfiles are stored separately from all the personal data stated by a data subject.

Legal basis	Article 6 Para. 1 lit. f GDPR (legitimate interest)
Storage purpose	The temporary storing of the IP-address by the system is necessary to permit the delivery of the website to the computer of the user. For this the IP-address of the user must remain stored for the duration of the session.
Storage duration	The data is deleted as soon as it is no longer necessary for achieving the purpose of their collection. This is the case when the particular session has ended in situations where the data is collected for making the website available. This is the case at the latest seven days after the time when the data was stored in log files. More extensive storing is possible. In this case the IP-addresses of the users are deleted or distorted so that an assignment of the client calling in is no longer possible.
Objection / opportunity for elimination	None, because the data is essential for operating of the website

6. Contact form and ticket system

6.1 General contact

Our website contains a contact form that can be used for electronic contact. If a user takes advantage of this option, the data entered in the input mask is transmitted to us and stored. These data are:

· Name

· Email address*

· Subject

· Description*

· Uploaded files

* Mandatory data

The following data is also stored at the time the message is sent:

· The IP address of the user

· The date and time of sending

Contact information is also provided on our website. It is possible to contact us via the provided e-mail address, fax or telephone number. If you contact us via one of these options, your personal data transmitted to us will be stored automatically (e-mail, fax) or recorded by us and stored manually.

In this context, the data will not be passed on to third parties. The data will be used exclusively for the processing of the conversation or the processing of your request.

6.2 Ticket system (Freshdesk)

We also have a contact us feature on our website, as well as a Frequently Asked Questions (FAQ) overview. The provider of this service is Freshworks Inc, 1250 Bayhill Drive, Suite 315, San Bruno, CA 94066 (hereinafter "Freshdesk").

When you open a support ticket via Freshdesk, the data you enter is transmitted to Freshdesk.

The transfer of your data to Freshdesk is based on Art. 6 para. 1 lit. b GDPR (contract performance). Your personal data will be processed exclusively for the purpose of processing your request or the ticket and will be deleted in accordance with the information in the "Storage period" column in the table below.

For more information about Freshdesk's use of data, please see Freshdesk's privacy policy: https://www.freshworks.com/gdpr/.

Legal basis	The legal basis for the processing of data in the case of inquiries via the contact form and/or e-mail and telephone is usually Art. 6 para. 1 lit. b. GDPR (performance of contract; pre-contractual measures); Art. 6 para. 1 lit. c. GDPR (fulfillment of a legal obligation, e.g., answering questions about data protection); and otherwise Art. 6 para. 1 lit. f GDPR (legitimate interest).
Storage purpose	The processing of personal data from the input mask or e-mail and telephone serves us solely to process the contact. This is also the necessary legitimate interest in the processing of the data. The other personal data processed during the sending process serve to prevent misuse of the contact form and to ensure the security of our information technology systems.
Storage duration	The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. For the personal data from the input mask of the contact form and those sent by e-mail or communicated by telephone, this is the case when the respective conversation with the user has ended. The conversation shall be deemed to have ended when the circumstances indicate that the matter in question has been conclusively clarified. The above does not apply if the correspondence is subject to a retention obligation under commercial law. The additional personal data collected during the sending process will be deleted after a period of seven days at the latest.
Objection / opportunity for elimination	The user has the option to object to the storage of his personal data at any time. In such a case, the conversation cannot be continued.

7. Registration on our dealer service portal

If an order is placed from a user account, we use the data from your customer account on the basis of Art. 6 (1) lit. b to fulfill the purchase contract with you. For this we need your address data, payment information and your name.

After completion of the contract, we store such data according to Art. 6 para. 1 lit. c, which we are legally obliged to store.

You can initiate the deletion of their personal data at any time by deleting their customer account. However, please note that we may have to store the data of their orders for a longer period of time until the legal storage period expires.

We may forward your personal data if this is necessary for the processing of the purchase contract. This may be, for example, our payment processor or our supplier. We use the payment data you provide exclusively for processing the payment in the store.

Legal basis	Art. 6 para. 1 lit. a GDPR Art. 6 para. 1 lit. b GDPR Art. 6 para. 1 lit. c GDPR
Storage purpose	The purpose of the storage is the quick and easy fulfillment of a contract with the user.
Storage duration	The data will be deleted as soon as the buyer closes his account or selects this option within the account. Some data might be subject to longer legal retention periods and thus remain stored.
Objection / opportunity for elimination	By deleting your customer account, you can revoke your consent. Data may remain stored longer due to legal retention periods.

7.1 Learning Platform Docebo

If you, as a customer of ZF Micro Mobility GmbH, use the learning offer via Docebo, your personal data will be processed for the provision of the learning platform and the associated functions.

We process your personal data on the learning platform exclusively in accordance with the information provided here and in any case in compliance with the legal provisions. The Learning Platform is operated with the assistance of the service provider Docebo (Docebo NA Inc., 600 N. Thomas Street, Suite A - Athens). Thomas Street, Suite A - Athens GA 30601 - USA +1.800.681.4601), with whom we have concluded a contract for the processing of your personal data.

Docebo is a US company and therefore a transfer of your personal data to an insecure third country (USA) cannot be excluded. In order to ensure the security of your personal data in this third country transfer, the standard data protection clauses approved by the Commission pursuant to Art. 46 (2) lit. c GDPR have been concluded for this transfer and processing.

In order for you to be able to access the learning portal, you will be provided with an account upon your request, which will enable you to access the learning platform. For this purpose, we process the following personal data about you:

- Name

- Company or employer

- Access data (user name & password)

- Assigned learning content

- Learning progress

- Date of training or learning success

This processing serves the purpose of limiting access to the learning portal to our customers who are to be provided with corresponding access and to enable them to participate in the training courses offered by us via Docebo and to obtain proof of successful completion. In this respect, the legal basis is the fulfilment of the contract in accordance with Art. 6 Para. 1 lit. b GDPR.

You can object to the described data processing at any time. In this case, we will delete your account on our learning platform as well as the associated personal data. In this case, you will no longer be able to use the learning platform.

The personal data collected about you will be deleted as soon as it is no longer required to achieve the purpose for which it was collected. In the case of the processing of your personal data for the provision of the learning platform, this is the case at the latest 5 years after your last access to the learning platform. Furthermore, your personal data will be deleted immediately in the event of an objection.

Data processing for technical provision

The learning platform collects a series of general data and information with each call by a data subject or an automated system. This general data and information is stored in the log files of the server.

The following can be recorded

(1) browser types and versions used,

(2) the operating system used by the accessing system,

(3) the website from which an accessing system arrives at our website (so-called referrer),

(4) the sub-websites which are accessed via an accessing system on our website,

(5) the date and time of an access to the website,

(6) an Internet protocol address (IP address),

(7) the Internet service provider of the accessing system and

(8) other similar data and information that serve to avert danger in the event of attacks on our information technology systems.

When using this general data and information, we do not draw any conclusions about your person. Rather, this information is required in order to

(1) deliver the contents of our website correctly,

(2) optimise the contents of our website as well as the advertising for the same,

(3) ensure the long-term functionality of our information technology systems and the technology of our website; and

(4) to provide law enforcement authorities with the information necessary for prosecution in the event of a cyber attack.

Therefore, the data and information collected anonymously is, on the one hand, evaluated statistically and is further evaluated with the aim of increasing the data protection and data security of our enterprise, and ultimately ensuring an optimal level of protection for the personal data we process. The anonymous data of the server log files are stored separately from any personal data provided by a data subject. The legal basis for this processing is our legitimate interest under Article 6(1)(f) GDPR to deliver our learning platform to interested parties and customers and to defend against potential cyber-attacks.

The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. In the case of collection for the provision of the learning platform, this is the case when the respective session has ended. In the case of storage of data in log files, this is the case after seven days at the latest.

8. Newsletter

You have the option to voluntarily subscribe to our newsletter, with which we keep you constantly informed about current information and offers within our product range. For this we only need your e-mail address.

You can revoke your consent to receive our newsletter at any time by clicking on the opt-out link in the newsletter email. Alternatively, you can unsubscribe from the newsletter at any time within your profile under "My account", "Overview" and "Newsletter subscription" via checkbox.

Legal basis	Art. 6 para. 1 lit. a GDPR
Storage purpose	The purpose of the storage is to send the newsletter to the e-mail address you have provided.
Storage duration	The data will be deleted as soon as you unsubscribe from the newsletter.
Objection / opportunity for elimination	You have the right to unsubscribe from the newsletter at any time as described above

9. Cookies

Our website uses cookies. Cookies are text files which are stored in the Internet browser or, as the case may be, in the Internet browser on the computer system of the user. If a user calls a website, then a cookie may be stored on the operating system of the user. Such a cookie contains a characteristic string which permits unambiguous identification of the browser if the website is called again.

On our website, we only use cookies that are technically necessary for the uninterrupted operability of the website.

In the cookies the following date is stored and transmitted:

Session cookie: Used to enable user login and to ensure that the login remains active when using the site.
CSRF protection: This cookie protects our site from so-called CSRF attacks. A cross-site request forgery (CSRF) is an attack on a computer system in which the attacker carries out a transaction in a web application. This is not done directly, but the attacker uses a victim who must already be logged into a web application. An HTTP request is foisted on the victim's web browser without their knowledge. The attacker selects the request so that when it is called, the web application performs the action desired by the attacker.
Time zone: This cookie is required so that the date and time can be displayed to the user of the page in the user's correct time zone.

When our website is called, the users are informed by means of an information banner about the use of cookies for analytical purposes and are referred to this data protection information. Following in this connection is a reference to how that storing of cookies can be prevented in the browser settings.

Under the following links you can find out how to disable cookies on the main browsers:

Mozilla Firefox: https://support.mozilla.org/en-US/kb/block-websites-storing-cookies-site-data-firefox

Chrome Browser: https://support.google.com/accounts/answer/61416?hl=en

Legal basis	Article 6 Para. 1 lit. f GDPR (legitimate interests) for strictly technically essential cookies
Storage purpose	The purpose behind the use of strictly technically essential cookies is that of making use of the website easier for the user. Certain functions of our website cannot be offered without the use of cookies. For these functions it is necessary that the browser is recognized even after a page change. Analysis cookies are used for the purpose of improving the quality of our website and its content. Through the analysis cookies we learn how the website is used and in this way, we can continually optimize our offer. These purposes also include our legitimate interest in the processing of the personal data in accordance with Article 6 Para. 1 lit. f GDPR.
Storage duration	Cookies are stored on the user's computer and are transmitted from this to our website. Accordingly, you as user have full control over the use of cookies.
Objection / opportunity for elimination	Cookies are stored on the user's computer and are transmitted from this to our website. Accordingly, you as user have full control over the use of cookies.

You can also find more information in our Cookie Policy, at:

https://zfmicromobility.com/cookie-policy-eu/

10. Note on data processing on our Facebook fan page

· Fundamental

We, ZF Micro Mobility GmbH, operate our own Facebook fan page at https://www.facebook.com/ZFMicroMobility/. As the operator of this Facebook page, we are the responsible party together with the provider of the Facebook social network (Meta Platforms Ireland Ltd.) within the meaning of Art. 4 No. 7 of the General Data Protection Regulation (GDPR). When visiting our Facebook page, personal data of the page visitors are processed by both controllers.

We have concluded a data protection joint responsibility agreement (Page Controller Addendum) with Meta Platforms Inc. (also referred to as Facebook). With this agreement, Facebook recognizes the joint responsibility with regard to so-called insights data and assumes essential data protection obligations for informing data subjects, for data security or for reporting data protection breaches. The agreement also stipulates that Facebook is the primary contact for the exercise of data subjects' rights (Art. 15 - 22 GDPR). As the provider of the social network, Facebook alone has direct access to the necessary information and can also take any necessary measures and provide information immediately. However, if our support is required, we can be contacted at any time.

· Use of Insights and Cookies

In connection with the operation of this Facebook fan page, we use the Insights function from Facebook to obtain anonymized statistical data on the users of our Facebook fan page. Information about Insights and Facebook Fanpages is provided by Facebook, for example, via its privacy notice.

In connection with visiting our and other Facebook pages, Facebook also uses cookies and other comparable storage technologies. You can find more information about Facebook's use of cookies in their cookie policy.

· Comments and messages; participation in competitions

On our Facebook fan page, you also have the opportunity to comment on our posts, rate them and get in touch with us via private messages or participate in competitions.

Legal basis	We operate this Facebook page in order to present, interact and communicate with the users of Facebook as well as other interested persons and our customers who visit our Facebook page. The processing of the users' personal data is based on our legitimate interests, in an optimized company and product presentation (Art. 6 para. 1 lit. f GDPR) as well as when participating in competitions or answering product application questions based on a (pre-)contractual relationship according to Art. 6 para. 1 lit. b) GDPR.
Storage purpose	The processing of the information generated by Insights is intended to enable us, as the operator of the Facebook fan page, to obtain statistics that Facebook compiles based on visits to our Facebook fan page. The purpose of this is to control the marketing of our activity. For example, it allows us to gain knowledge of the profiles of visitors who like our Facebook page or use applications of the page in order to provide them with more relevant content and develop features that may be of greater interest to them. In addition, to help us better understand how our Facebook Page can better achieve our business goals, demographic and geographic analyses are also created and provided to us based on the information we collect. We can use this information to target interest-based ads without directly knowing the identity of the visitor. If visitors use Facebook on multiple devices, the collection and analysis can also take place across devices if they are registered visitors who are logged into their own profiles. The visitor statistics created are transmitted to us exclusively in anonymized form. We have no access to the underlying data. Furthermore, we use our Facebook page to communicate with our customers, interested parties and Facebook users and to inform them about us and our products. In this context, we may receive further information, e.g. due to user comments, private messages or because you follow us or share our content. The processing takes place exclusively for the purpose of communication and interaction with you.
Storage duration	Your data will be deleted when the purpose ceases to exist, provided there is no obligation to retain it
Objection / opportunity for elimination	Facebook users can influence the extent to which their user behavior may be recorded when visiting our Facebook page under the settings for advertising preferences. Further options are offered by the Facebook settings or the form for the right to object.

· Transfer of data

Since Meta Platforms Inc. is a US company, a transfer of personal data to the USA cannot be conclusively ruled out in the given context. Against this background, we would like to inform you about the circumstances of a data transfer to the USA. As part of its more recent case law, the ECJ declared the previous basis of data transfers to the USA (Privacy Shield) to be invalid in its "Schrems II" ruling. The reason for this was far-reaching and comprehensive access and information authorizations of U.S. authorities with regard to personal data stored on servers of U.S. companies. In principle, the U.S. Patriot Act of 2001 authorizes access to personal data stored on servers of U.S. companies located in the United States. This authority was also extended under the Cloud Act 2018 to include data stored on servers of U.S. companies abroad, including within the European Union. Subsequently, the ECJ requires the integration of so-called EU "standard contractual clauses" in the context of a transfer of personal data in the context of a commissioned processing pursuant to Art. 28 GDPR in order to comply with the requirements of Art. 46 GDPR. We have concluded a joint responsibility agreement with Facebook incorporating the EU standard contractual clauses in order to be able to ensure the integrity and security of your personal data in the context of any transfer of those to the USA. We do not ourselves share any personal data that we receive through our Facebook page.

· Information on contact options and further rights as a data subject

For further information on our contact details, including those of our data protection officer, the rights of data subjects vis-à-vis us and how we process personal data in other respects, please refer to the relevant sections of this data protection notice.

11. Privacy policy on the use and application of external scripts jQuery and Cloudflare CDN

We use external JavaScript code. The libraries of the various providers are integrated externally via a CDN (Content Delivery Network) in order to always have access to the latest and most secure version. In addition, we thus reduce loading times of our pages, since the probability is very high that you have already used the CDN on another page. In that case, your browser can access the cached copy and does not have to download it again. If your browser does not have a cached copy, data such as your IP address is transferred from your browser to the corresponding CDN. The data may also be processed in the USA for this purpose.

ZF Micro Mobility GmbH is aware of the transfer of its personal data to a third country and has implemented appropriate safeguards in accordance with Art. 46 GDPR to ensure lawful and secure processing of its personal data.

We use external code of the JavaScript framework jQuery, provided by the third-party provider jQuery Foundation (https://jquery.org). We use external code of the JavaScript framework provided by Cloudflare https://www.cloudflare.com.

Legal basis	Art. 6 para. 1 lit. f GDPR. (legitimate interest)
Storage purpose	The purpose of the storage is the improvement of our website and in visual and functional level.
Storage duration	The data will be deleted as soon as our legitimate interest no longer exists or we are obliged to delete the data due to statutory or legal orders.
Objection / opportunity for elimination	As a user, you have the option to object to the processing of your data at any time.

12. Your rights

If your personal data is processed, then you are the data subject in the sense of the GDPR and you are entitled to the following rights against the controller:

12.1 Right of access by the data subject

You can demand from the controller confirmation as to whether personal data that relates to you has been processed by us

If such processing has taken place, you can demand information on the following from the controller:

(1) The purposes for which the personal data is processed;

(2) The categories of personal data which are processed;

(3) The recipients or, as the case may be, the categories of recipients to which the personal data relating to you has been disclosed or will be disclosed;

(4) The planned duration of the storage of the personal data relating to you or - if concrete statements on this are not possible - the criteria for the laying down of duration of storage;

(5) The existence of a right to correction or deletion of the personal data relating to yourself, of a right to a restriction of the processing by the controller or of a right of objection to this processing;

(6) The existence of a right of appeal at a supervisory authority;

(7) All the available information on the origin of the data if the personal data was not collected at the data subject;

(8) The existence of an automated decision-finding process including profiling in accordance with Article 22 Para. 1 and 4 GDPR and – at least in these cases - meaningful information on the logic involved and its scope and the effects strived for of such a processing for the data subject in question.

You are entitled to the right to demand information on whether the personal data relating to yourself is transmitted to a third country or an international organization. In this connection you can demand to be instructed on the suitable guarantees in accordance with Article 46 GDPR in connection with the transmission.

12.2 Right to rectification

You have a right to correction and/or complementing vis à vis the controller in so far as the personal data as processed and which relates to yourself is incorrect or incomplete. The controller has to carry out the correction without delay.

12.3 Right to restriction of the processing

Subject to the meeting of the following preconditions you can demand restriction of the processing of the personal data relating to you:

(1) if you dispute the correctness of the personal data relating to yourself for a period which makes it possible for the controller to check the correctness of the personal data;

(2) the processing is unlawful and you reject deletion of the personal data and instead demand restriction of the use of the personal data;

(3) the controller no longer needs the personal data for purposes of the processing but you need the data for the advancing, exercising or defending of legal claims, or

(4) if you have advanced objection to the processing in accordance with Article 21 Para. 1 GDPR but it has not yet been established whether the justified reasons of the controller outweigh your reasons.

If the processing of the personal data relating to yourself has been restricted, then this data - apart from the storing of this - may only be processed with your consent or for the assertion, exercising or defending of legal claims or for the protection of the rights of another natural person or legal entity or for reasons relating to an important public interest of the European Union or of a member state.

If the restriction of the processing has been restricted in accordance with the afore-mentioned preconditions, then you will be informed by the controller before the restriction is removed.

12.4 Right to erasure

· Delation obligation

You can demand from controller that the personal data relating to yourself is deleted without delay and the controller is then obliged to delete this data without delay in so far as one of the following reasons applies:

(1) The personal data relating to yourself is no longer required for the purposes for which it was collected or for which it was processed.

(2) You revoke your consent, on which processing in accordance with Article 6 Para. 1 lit. a or Article 9 Para.2 lit. a GDPR was based, and there is no other legal foundation for the processing.

(3) You submit an objection to the processing in accordance with Article 21 Para. 1 GDPR and there are no justified reasons for the processing with a higher priority, or you submit an objection to the processing in accordance with Article 21 Para. 2 GDPR.

(4) The personal data relating to you was processed in an unlawful manner.

(5) The deletion of the personal data relating to you is required to fulfil a legal obligation in accordance with European Union law or the law of the member states, which laws the controller is subject to.

(6) The personal data relating to you was collected in relation to services offered by the information company in accordance with Article 8 Para. 1 GDPR.

· Information to third parties

If the controller has made the personal data relating to you public and if he/she is obliged to delete this data in accordance with Article 17 Para. 1 GDPR, then he/she shall take reasonable measures including ones of a technical nature - whereby account shall be taken of the available technology and the implementation costs - to inform the responsible parties for the data processing which process the personal data that you as data subject have demanded from them the deletion of all links to this personal data or of copies or replicates of these.

· Exceptions

The right to deletion does not exist in so far as the processing is necessary for

(1) the exercising of the right of free expression of opinion and to information;

(2) for the fulfilment of a legal obligation, which requires the processing in accordance with the law of the European Union or the law of the member states, which laws the controller is subject to, or for the carrying out of a task, which lies in the public interest or which is carried out in the exercising of public authority, which authority was transferred to the controller;

(3) for reasons of public interest in the field of public health in accordance with Article 9 Para. 2 lit. h and i as well as Article 9 Para. 3 GDPR;

(4) for archiving purposes, scientific or historical research purposes lying in the public interest or for statistical purposes in accordance with Article 89 Para. 1 GDPR, in so far as the right named in section a) probably makes the reaching of the objectives of the processing impossible or impairs it seriously, or

(5) for the advancing, exercising or defending of legal claims.

Moreover, the right to deletion does not exist in so far as the personal data has to be stored by the controller in order to fulfill legal duties to preserve records and legal retention periods. In such a case instead of deletion blockage of the personal data applies.

12.5 Right to information

If you have advanced the right to the correcting, deleting or restricting of the processing vis à vis the controller, then the latter is obliged to inform all recipients, to which the personal data relating to you was disclosed, of this correction or deletion of the data or of the restricting of the processing, unless this proves itself to be impossible or linked with unreasonable expenditure.

You have the right against the controller to be informed about these recipients.

12.6 Right to data portability

You have the right to receive the personal data relating to you, which you made available to the controller, in a structured, conventional and machine-readable format. In addition, you have the right to transmit this data to another controller without hindrance by the controller to whom the personal data was made available, in so far as

(1) the processing is based on a consent in accordance with Article 6 Para. 1 lit. a GDPR or Article 9 Para. 2 lit. a GDPR or on a contract in accordance with Article 6 Para. 1 lit. b GDPR and

(2) the processing is carried out with the aid of automated processes.

In exercising this right, you have in addition the right to bring about the situation that the personal data relating to you is transferred directly from one controller to another controller in so far as this is technically possible. The freedoms and rights of other persons may not be impaired thereby.

The right to data portability does not hold good for the processing of personal data, which is necessary for the carrying out of a task, which lies in the public interest or in the exercising of public authority and which task was transferred to the controller.

12.7 Right to object

For reasons which result from your particular situation you have the right to advance at any time objection to the processing of the personal data relating to you, which processing is carried out on the basis of Article 6 Para. 1 lit. e or f GDPR; this right also holds good for profiling based on these provisions.

The controller shall then no longer process the personal data relating to you, unless he/she can demonstrate compelling reasons worthy of protection, which reasons overweigh your interests, rights and freedoms or where the processing serves the advancing, exercising or defending of legal claims.

If the personal data relating to you is processed for the carrying out of direct advertising, then you have the right to advance at any time objection to the processing of the personal data relating to you for purposes of such advertising; this holds good too for profiling in so far as this is carried out in connection with such direct advertising.

If you object to the processing for purposes of direct advertising, then the personal data relating to you will no longer be processed for these purposes.

You have the opportunity - in connection with the use of services of the information company and regardless of directive 2002/58/EC – to exercise your right of objection with the aid of automated processes in which technical specifications are used.

12.8 Right to withdraw from the declaration of consent under data protection law

You have the right to withdraw your consent at any time and without giving reasons. In the event of withdrawal, we immediately will delete your personal data and no longer process it. The legality of the processing carried out on the basis of your given consent and carried out prior to your withdrawal is not affected by your withdrawal.

12.9 Automated decision-making in individual cases including profiling

You have the right to not subject yourself to a decision based solely on an automated processing process - including profiling - which unfolds a legal effect vis à vis yourself or which impairs you significantly in a similar way. This does not hold good if the decision

(1) is necessary for the concluding or fulfilment of a contract between you and the controller,

(2) is permissible on the basis of legal regulations of the European Union or of its member states, which the controller is subject to, and these regulations contain reasonable measures for the maintenance of your rights and freedoms as well as for your legitimate interests or

(3) is carried out with your explicit consent.

However, these decisions may not be based on particular categories of personal data in accordance with Article 9 Para. 1 GDPR, in so far as Article 9 Para. 2 lit. a or g does not hold good and reasonable measures have been taken for the protection of the rights and freedoms as well as of your legitimate interests.

In respect of the cases named in (1) and (3) above the controller shall take reasonable measures to ensure the rights and freedoms as well as your legitimate interests, whereby belonging thereto is at the least the right to the affecting of the intervention of a person on the side of the controller for the representation of the controller’s standpoint and to the challenging of the decision.

12.10 Right to complain at a supervisory authority

Regardless of another regulatory or judicial remedy, you are entitled to the right to lodge a complaint at a supervisory authority and here in particular at a supervisory authority in the member state of your place of residence, of your place of work or of the place where the suspected infringement took place when you are of the opinion that the processing of the personal data relating to you infringes the GDPR.

In this situation the supervisory authority, at which the complaint was lodged, shall inform the complainant on the status and the results of the complaint including the possibility of a judicial remedy in accordance with Article 78 GDPR.

13. Customer and supplier information, at the same time information on data processing according to Art. 12 ff. GDPR

13.1 Purpose of the data processing

Your personal data is processed for the purpose of establishing, implementing and terminating a contractual relationship with you.

13.2 Data categories

In the context of this, we process the following personal data or categories of personal data from you in particular:

· Company

· Surname

· First name

· Date of birth

· Address data

· Mail addresses

· Bank details

· Information about orders placed

13.3 Legal basis for processing

The legal basis for the processing of your personal data follows from:

· Contract according to Art. 6 para. 1 lit. b) GDPR (e.g.: purchase, delivery and service contracts)

· Consent according to Art. 6 para. 1 lit a), 7 GDPR (e.g. newsletter, transfer to branches in third countries),

· Fulfillment of a legal obligation and in individual cases pursuant to Art. 6 para. 1 lit c) GDPR (e.g. notifications to the tax office; responses to legal and data protection inquiries).

· Weighing of interests pursuant to Art. 6 (1) f) GDPR (e.g., advertising to existing customers, exercise of domiciliary rights; assertion of legal claims and defense in legal disputes; ensuring IT security and IT operations of the controller; prevention and investigation of criminal acts; video surveillance serves to collect evidence in the event of criminal acts. They thus serve to protect customers and employees as well as to exercise domiciliary rights; measures for building and facility security (e.g., access controls).

13.4 Recipient or category of recipients

In order to fulfill our contractual and legal obligations, your data will be forwarded to the following recipients or categories of recipients:

· Clerk

· Department manager

· Banking institutions

· External service providers (please specify)

· IT service provider

· Translation service provider

· Hosting service provider

· Tax office

· Document destruction

· Data Protection Officer

13.5 Transfer to a third country

Your personal data may be transferred to the above-mentioned recipients located in an insecure third country (e.g. USA). With an appropriate guarantee, we ensure that the transfer of your personal data is secure. The legal basis for the transfer is:

· Binding internal data protection rules (Art. 46 (2) (b) in conjunction with Art. 47 GDPR)

· Standard data protection clauses of the EU Commission (Art. 46 para. 2 lit. c GDPR)

· Approved rules of conduct (Art. 46 (2) (e) in conjunction with Art. 40 GDPR)

· Approved certification mechanism (Art. 46 (2) (f) in conjunction with Art. 40 GDPR)

· Existence of an exception (Art. 49 GDPR)

13.6 Duration of storage, deletion of personal data

In order to fulfill our contractual and legal obligations, we store the data for the following periods, unless there is a legitimate interest within the meaning of Art. 6 (1) f) GDPR that would justify longer storage:

To the extent necessary, we process and store your personal data for the duration of our business relationship, which includes, for example, the initiation and execution of a contract. In addition, we are subject to various retention and documentation obligations, which result, among other things, from the German Commercial Code (HGB), the German Fiscal Code (AO), the German Banking Act (KWG) and the German Money Laundering Act (GwG). The retention and documentation periods specified there range from two to ten years. Finally, the storage period is also assessed according to the statutory limitation periods, which, for example, according to §§ 195 et seq. of the German Civil Code (BGB), are generally three years, but in certain cases can be up to thirty years.

In detail:

· Business correspondence: 10 years, § 147 I No. 4,5 in conjunction with III AO; § 257 I No. 1, 4 in conjunction with § 238 I HGB

· Contracts: 10 years, § 147 I No. 4,5 in conjunction with III AO; § 257 I No. 1, 4 in conjunction with § 238 I HGB

· Receipts for invoices: 10 years, § 147 I No. 4,5 in conjunction with III AO; § 257 I No. 1, 4 in conjunction with § 238 I HGB

· Applications: 6 months (if no employment relationship is established

· Judgments, decisions and titles: 30 years

13.7 Existence of a right to information, rectification, etc.

You have the following rights with respect to us regarding personal data concerning you:

· Right to information

· Right of rectification or erasure

· Right to restriction of processing

· Right to data portability

· The right to complain to a data protection supervisory authority about the processing of your personal data by us if you do not agree with the handling of your data as well as

· Right of revocation: You have the right to revoke your declaration of consent under data protection law at any time. The revocation of consent does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation;

Right to object: You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data relating to you which is carried out on the basis of Article 6(1)(e) or (f) of the GDPR; this also applies to profiling based on these provisions
The controller shall no longer process the personal data concerning you unless it can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the establishment, exercise or defense of legal claims.
If the personal data concerning you is processed for the purpose of direct marketing, you have the right to object at any time to the processing of personal data concerning you for the purpose of such marketing; this also applies to profiling, insofar as it is related to such direct marketing.
If you object to processing for direct marketing purposes, the personal data concerning you will no longer be processed for these purposes.
You have the possibility, in connection with the use of information society services - notwithstanding Directive 2002/58/EC - to exercise your right to object by means of automated procedures using technical specifications.

Version: January 2023

Controller: ZF Micro Mobility GmbH