III. PURPOSES OF THE PROCESSING
A. PROVISION OF THE WEBSITE AND GENERATION OF LOG FILES
Each time our website is accessed, our system automatically collects data and information
from the operating system of the accessing computer. The following data is collected:

• Referrer (previously visited website)
• Requested website or file
• Browser type and browser version
• Operating system used
• Type of device used
• Time of access
• IP address in anonymized form (only used to determine the access location)

The data is also stored in the log files of our system. This data is not stored together with other personal data of the user.

The data is stored in log files to ensure the operability of the website. We also use the data to further improve the website and to ensure the security of our IT systems. We do not analyse the data for marketing purposes in this context.

These purposes constitute our legitimate interest in data processing in accordance with art. 6 para. 1 lit. f GDPR.

The data is deleted as soon as it is no longer required to fulfil the purpose for which it was collected. If the data is collected to ensure the functioning of the website, it will be deleted when the respective session has ended. If the data is stored in log files, it will be deleted after
seven days at the latest. Further data retention is possible. However, in this case, the IP addresses of the users are deleted or anonymised so that it is no longer possible to identify the visiting user.

You must provide this data without any legal or contractual obligation to do so. Visiting our website without providing this information is not possible or possible with some limitations only.

B. USE OF COOKIES
This website uses cookies. Cookies are text files that are stored in the Internet browser or by the Internet browser on the user’s computer system. If a user accesses a website, a cookie may be stored on the user’s operating system. The cookie contains a characteristic sequence of characters that enables the browser to be uniquely identified when the website is revisited.

We use cookies to improve the usability of our website. Some elements of our website require the accessing browser to be identifiable even after a new page has been visited.

This website uses the local plugin Borlabs Cookie, which sets a technically necessary cookie
(borlabs-cookie) to store your cookie consent.

The following data is stored and transmitted using the cookies:

• operating system, browser, etc.
• language settings
• number of pages viewed
• time stamp
• privacy settings such as cookie preferences.

The legal basis for the processing of personal data using technically necessary cookies is art. 6 para. 1 lit. f GDPR. The user data collected by technically necessary cookies is not used to create user profiles. The legal basis for the processing of personal data using cookies for analytical purposes is art. 6 para. 1 lit. a GDPR provided that the user has granted the required
consent.

Cookies are stored on the user’s computer and transmitted by it to our website. As a user, you
therefore have full control over the use of cookies. You can disable or restrict the transmission of cookies by changing the settings in your Internet browser. Cookies that have already been saved can be deleted at any time. This can also be done by automated means.

There is no legal or contractual obligation to provide your data. However, visiting our website is not possible or possible with some restrictions if you do not provide this information. If cookies are deactivated on our website, it may no longer be possible to use all functions of the website to their full extent.

C. VIMEO ACCOUNT AND EMBEDDING OF VIDEOS ON THE WEBSITE
Our Vimeo account, provided by Vimeo.com, Inc, 330 West 34th Street, 10th Floor, New York, New York 10001, is used by us to host and manage our videos. Vimeo is the controller of the online video portal within the meaning of data protection law. When you access, subscribe to, comment on or react to our account or individual videos, Vimeo collects
information about you that you provide in the course of your interaction (e.g. user name, comments, subscriptions, likes, dislikes of our videos). Vimeo also collects data about the browser used, the end device and the IP address. Vimeo analyses your reaction and behaviour in relation to our channel and our videos and provides us with statistical information in anonymised form via Vimeo Analytics. This analysis data is provided by Vimeo as a processor within the meaning of art. 28 GDPR. This website also embeds videos from Vimeo to provide you with content. By embedding the URL, Vimeo sets a cookie in the user’s browser. The cookie records the user’s behaviour and passes this on to Vimeo. The following data is collected: technical data (IP address, referrer URL, date and time, browser type, operating system) and usage data such as interactions with the video. If you are logged in as a user, Vimeo records all actions you take on the page and can assign your activities to your individual profile.

The processing of the data collected when you visit our channel is based on our legitimate interest pursuant to art. 6 para. 1 lit. f GDPR regarding the provision of our videos.

The data of website visitors is only read and forwarded to Vimeo when videos are embedded if you have given your consent to data processing (two-click solution). The legal basis in this case is your consent in accordance with art. 6 para. 1 lit. a GDPR. The transfer of personal data to Vimeo is based on the adequacy decision (Vimeo.com Inc. is certified under the Data Privacy Framework).

The data collected by us as in connection with the Vimeo account will be stored for as long as
is necessary for the management of our videos. Vimeo stores the data in accordance with its privacy policy: https://vimeo.com/privacy

You have the right to object to data processing pursuant to art. 6 para. 1 lit. f GDPR. There is
no legal or contractual obligation to provide your data. However, visiting our websites is not possible or possible only with restrictions without the provision of this information.

D. DEPLOYMENT AND USE OF GOOGLE SERVICES (WITH ANONYMIZATION FUNCTION)

1. GOOGLE ANALYTICS
The controller uses the Google Analytics component (with anonymisation function) on its
website. Google Analytics is a web analytics service. Web analysis is the collection,
aggregation and evaluation of data about the behaviour of website visitors. Among other
things, a web analysis service collects data about the website from which a data subject
accessed a website (so-called referrer), which subpages of the website were accessed or how
often and for how long a subpage was viewed. Web analysis is mainly used to optimise a
website and to analyse the cost-benefits of internet advertising. The operating company of the
Google Analytics component is Google Inc, 1600 Amphitheatre Pkwy, Mountain View, CA 
94043-1351, USA.

The controller uses the extension “gat._anonymiseIp” for web analysis via Google Analytics. This extension is used by Google to shorten and anonymise the IP address of the data subject’s Internet connection if our website is accessed from a member state of the European Union or from another state party to the European Economic Area Agreement.

The purpose of the Google Analytics component is to analyse the flow of visitors to our website. Google uses the data and information obtained, among other things, to analyse the use of our website, to compile online reports for us that show the activities on our website, and to provide other services in connection with the use of our website.

Google Analytics sets a cookie on the IT-system of the data subject. By setting the cookie,
Google is enabled to analyse the use of our website. Each time one of the individual pages of
our website is accessed, which is operated by the data controller and on which a Google Analytics component has been integrated, the Internet browser on the IT system of the data subject is automatically requested by the respective Google Analytics component to transmit data to Google for the purpose of online analysis. During the course of this technical procedure, Google gains knowledge of personal information, such as the IP address of the
data subject, which serves Google, inter alia, to understand the origin of visitors and clicks,
and subsequently create commission calculations.

The cookie is used to store personal information, such as the access time, the location from
which access was made and the frequency of visits to our website by the data subject. Each
time our website is visited, this personal data, including the IP address of the internet
connection used by the data subject, is transmitted to Google in the USA. This personal data
is stored by Google in the USA. Google may pass on this personal data collected through the
technical process to third parties.

The use of this service is based on your consent in accordance with art. 6 para. 1 lit. a GDPR.
Consent can be withdrawn at any time.

Further information and the applicable data protection provisions of Google can be found
under https://www.google.de/intl/de/policies/privacy/ and
under http://www.google.com/analytics/terms/de.html . Google Analytics is explained in further detail under this link: https://www.google.com/intl/de_de/analytics/.

2. GOOGLE MAPS
This site uses the Google Maps map service via an API. The provider is Google Inc, 1600
Amphitheatre Parkway Mountain View, CA 94043, USA.

For privacy reasons, Google Maps is deactivated when you visit our website for the first time.
A direct connection to Google’s servers is only established when you activate Google Maps yourself (consent in accordance with art. 6 para. 1 lit. a GDPR). In this way, your data is prevented from being transmitted to Google the first time you enter the site.

When activated, Google Maps will record your IP address. It is then usually transmitted to a
Google server in the USA and stored there.

When Google Maps is activated, Google Fonts are also used. Your browser loads the required
web fonts into your browser cache in order to display texts and fonts correctly.

The transfer of personal data to Google takes place on the basis of the adequacy decision. The
provider of this site has no influence on this data transfer after the activation of Google Maps.

You can find more information on the processing of user data in Google’s privacy policy:
https://www.google.de/intl/de/policies/privacy/ .

3. YOUTUBE
Our YouTube channel is provided by Google Ireland Limited, Gordon House, Barrow Street,
Dublin 4, Ireland, a subsidiary of Google LLC, 1600 Amphitheatre Parkway Mountain View,
CA 94043, USA. The transfer of personal data to Google is based on the adequacy decision.

Google operates YouTube as the controller within the meaning of data protection law. When
you access, subscribe to, comment on or react to our channel or individual videos, Google
collects information about you that you provide during your visit (e.g. user name, comments,
subscriptions, likes, dislikes to our videos). Google analyses your reaction and behaviour in connection with our channel and our videos and provides us with statistical information in anonymised form via YouTube Analytics. This analysis data is provided by Google as a processor within the meaning of art. 28 GDPR.

F. SOCIAL MEDIA
The processing is carried out for the purpose of providing our fan pages in social networks
(company pages) and for marketing purposes on the basis of an overriding legitimate interest
pursuant to art. 6 para. 1 lit. f GDPR. Our legitimate interests are the promotion of our social
media platforms as well as the presentation of our business activities and the carrying out of
marketing activities.

We have placed a link to the pages of social networks. There is no further data exchange with
these sites on our website. If the social media element is active, a direct connection is
established between your end device and the provider. The provider then receives information
about your visit on this website. If consent has been granted, the above-mentioned service is
used on the basis of art. 6 para. 1 lit. a GDPR. Consent can be withdrawn at any time.

If you access our profile on the social network “LinkedIn” as a registered user, follow us or
interact with us (e.g. message, comment), LinkedIn Ireland Unlimited Company, Wilton
Place, Dublin 2, Ireland (“LinkedIn”) processes personal data in order to provide us with
aggregated information (“Page Insights”). No information is provided that enables us to track
the behaviour of an individual user.

We and LinkedIn are jointly responsible for the processing of personal data for the purpose of
providing Page Insights in accordance with art. 26 GDPR. For more information on the processing of your personal data as joint controllers, please visit the following link https://legal.linkedin.com/pages-joint-controller-addendum.

Moreover, if you as a registered user interact with our profile or posts shared by us (e.g. reading, following, commenting) or we access your profile, LinkedIn processes your information as a separate controller (operation of the social network) and shares with us all information required for the operation of the social network in accordance with LinkedIn’s terms of use.

In this case, we collect user data (e.g. name, location), qualification data (e.g. professional activity, position, education) and communication data (e.g. message content) directly from you or through the use of the LinkedIn social network.

Further information on the processing of personal data by LinkedIn can be found under the following external link: https://de.linkedin.com/legal/privacy-policy.

You are neither legally nor contractually obliged to provide the information. The use of social
networks is independent of the provision of your data, but it is not possible to contact us or visit our profile without the provider of the social network providing us with this data.

G. JOB APPLICATIONS BY E-MAIL OR VIA OUR RECRUITMENT PORTAL
Applicants have the opportunity to submit applications to us by providing personal data. The
data will be transmitted to us by e-mail to the address specified in the job description.

We use the Personio software from Personio GmbH, Rundfunkplatz 4, 80335 Munich to
provide our recruitment portal and to manage applications. We entered into a data processing agreement with Personio. Your application data is stored in encrypted form by Personio in Germany or the European Union and transmitted in encrypted form.

All personal data and attachments to your application will be collected and used by Brookfield CEE Holding GmbH and its affiliates solely for the purpose of evaluating, analysing and assigning data in connection with the application process. The data you submit can only be accessed by authorised employees from the HR department and the employer company who are involved in the application selection and recruitment process. In the event of an application for a specific advertised position, your data will be forwarded to the
responsible HR manager in the relevant specialist departments and branches of the employer
named in the job advertisement. Otherwise, your data will only be passed on to IT processors
subject to our instructions (see art. 28 GDPR) such as web hosts and external IT administrators and to Personio GmbH.

The legal basis for the processing of the data is the establishment of a contractual relationship
and the performance of pre-contractual measures in accordance with sec. 26 para. 1 (1) German Data Protecton Law – Bundesdatenschutzgesetz (BDSG). The server connection to your Personio account to integrate the job adverts into our website is based on consent in accordance with art. 6 para. 1 lit. a GDPR.

The information is required so that we can contact you and check your suitability for the position you have applied for. This enables us to establish a contractual relationship with you for employment with us.

Should you apply for a specific position, your data will be taken into account for the duration
of the selection process. In this case, your data will be passed on to the responsible HR managers in the respective departments and subsidiaries. After six months following a possible rejection we will anonymise your data. All attachments and all communication will be deleted.

If you wish your data to be considered for any other applications in the future, please send us
a separate open application or we will contact you. We will keep open applications for a period of 6 months. After this time, we will proceed with these applications as described above for anonymisation.
If we decide to offer you a position and you accept it, your documents will be transferred to our HR department as part of the standard processes. They will then continue to be processed in accordance with the applicable laws.

As an applicant, you have the option of rectifying or withdrawing your application and having
your data deleted at any time. Please send us an e-mail with an explanation of your request to
the following e-mail address: bewerbungen@cee-group.de

H. ENQUIRIES BY E-MAIL AND PHONE
When you contact us by e-mail or telephone, your details will be stored by us for the purpose
of processing your enquiry and in the event of follow-up questions. We will not forward this
data without your consent.

Where consent has been given, the legal basis for processing the data is art. 6 para. 1 lit. a GDPR. The legal basis for the processing of data submitted in the course of sending an email is art. 6 para. 1 lit. f GDPR. If your enquiry is aimed at the conclusion of a contract, the additional legal basis for the processing is art. 6 para. 1 lit. b GDPR. The processing of personal data serves us solely to process the request. If you contact us by email, we have the necessary legitimate interest in processing your enquiry.

The data will be deleted as soon as it is no longer required for the purpose for which it was
collected, until you request us to delete it or until you withdraw your consent for it to be
processed. For personal data sent by email, this is the case when the respective conversation
with the user has ended. The conversation is ended when it can be concluded from the
circumstances that the matter in question has been clarified completely. This does not affect
mandatory statutory provisions – in particular retention periods.

You may withdraw your consent to the processing of your personal data at any time. When you contact us by email, you can object to the storage of your personal data anytime. In such a case, the conversation can no longer be continued. All personal data stored in the course of contacting us will be deleted in this case.

I. EXERCISING YOUR RIGHTS AS A DATA SUBJECT
If you contact us to exercise your rights as a data subject, we will collect all the personal data
that you provide to us as part of the request. Alternatively, we may also receive the data from
third parties if you have authorized someone to assert your rights on your behalf (e.g. representative, lawyer, guardian) or have contacted other bodies in advance (e.g. data protection officer).

We process this data in order to verify your identity, check the enforceability of the respective
rights, enforce your rights and communicate with you.

Data processing is carried out for the purpose of ensuring the rights of data subjects on the
basis of the fulfillment of legal obligations pursuant to art. 6 para. 1 lit. c GDPR and to
exercise overriding legitimate interests pursuant to art. 6 para. 1 lit. f GDPR. Our legitimate
interest is the assertion, exercise and defense of legal claims.

You are under no legal or contractual obligation to provide your data. However, without the
provision of certain information that enables your person to be identified or your rights to be
implemented, it is not possible or only possible to a limited extent to process your request.

IV. RECIPIENTS OF THE PERSONAL DATA
At Brookfield CEE Holding GmbH, we only disclose personal data to those employees who
are responsible for processing it (e.g. admins, staff in charge).

Certain activities are not carried out by us, but by external service providers as processors in
accordance with art. 28 GDPR. We select these carefully, enter into contracts with them and
monitor them regularly. We transfer your data to Personio GmbH as part of employee
management / applicant management.

In some specific cases, we may transfer personal data to third parties (e.g. legal advisors,
auditors, data protection officers, authorities, courts, our affiliated companies) if this is necessary and legally permitted for the processing or if you have consented to the processing.

Transfers to recipients in third countries outside the EU/EEA or to international organisations
only take place insofar as this is necessary and legally allowed for the respective processing.
In such cases, the transfer takes place on the basis of an EU adequacy decision or, if this does not apply, on the basis of agreed standard contractual clauses or binding internal data protection rules. If the aforementioned guarantees do not exist, the transfer to third countries outside the EU/EEA is based on an exception pursuant to art. 49 para. 1 GDPR (express consent, fulfilment of contract, assertion, exercise or defence of legal claims).

V. OTHER STORAGE PERIODS
To ensure compliance with the principle of storage limitation in accordance with art. 5 para. 1
lit. e GDPR, we store personal data in a form that enables the identification of data subjects
only for as long as is necessary for the respective legitimate purposes.

We have defined the following storage periods:

• Server log files are stored for 1-30 days  depending on the IT system and then
  automatically deleted;
• technically necessary cookies are deleted at the end of a session (e.g. closing the browser) or after reaching the specified maximum age (max-age) or manually by the user in the browser;
• Non-essential cookies are deleted after the specified maximum age (max-age) or manually by the user in the browser.
• Application documents of rejected applicants will be deleted 6 months after rejection without consent for permanent storage.

Personal data that must be stored due to commercial or tax regulations in accordance with §147 German Fiscal Code Abgabenordnung (AO), § 257 German Commercial Code Handelsgesetzbuch (HGB) will not be deleted before 6 years or 10 years have passed. Further storage takes place for the assertion, exercise or defence of legal claims, e.g. in the case of
unresolved tax, audit or administrative proceedings.

Personal data that we process for the assertion, exercise or defence of legal claims will
generally be deleted after 3 years (standard limitation period pursuant to Section 195 German
Civil Code Bürgerliches Gesetzbuch (BGB)); in certain cases (e.g. claims for damages), the
limitation period is 10 years or 30 years from the date on which the claim arises pursuant to
Section 199 BGB, whereby the maximum storage period is 30 years from the date of the
damaging event.

VI. RIGHTS OF THE DATA SUBJECT
If your personal data is processed, you are a data subject within the meaning of the GDPR and
you have the following rights towards the controller:

1. RIGHT OF ACCESS
You can request confirmation from the controller as to whether personal data concerning you
is being processed by us. If such processing is taking place, you can request the following
information from the controller:

• the purposes for which the personal data are processed;
• the categories of personal data that are processed;
• the recipients or categories of recipients to whom the personal data concerning you
  have been or will be disclosed;
• the planned retention period of the personal data concerning you or, if specific
  information on this is not possible, criteria for determining the retention period;
• the existence of a right to rectification or erasure of personal data concerning you, a
  right to restriction of processing by the controller or a right to object to such
  processing
• the existence of a right to lodge a complaint with a supervisory authority;
• tll available information about the origin of the data if the personal data is not
  collected from the data subject
• the existence of automated decision-making, including profiling, referred to in art. 22
  para.1 and para. 4 GDPR and, at least in those cases, meaningful information about the
  logic involved, as well as the significance and the envisaged consequences of such
  processing for the data subject.

You have the right to request information as to whether the personal data concerning you is
transferred to a third country or to an international organisation. In this context, you may
request to be informed of the appropriate safeguards pursuant to art. 46 GDPR in connection
with the transfer.

2. RIGHT TO RECTIFICATION
You have a right to rectification and/or completion against the controller if the processed
personal data concerning you is incorrect or incomplete. The controller must make the
correction without delay.

3. RIGHT TO RESTRICTION OF PROCESSING
You may request the restriction of the processing of your personal data if the following
conditions are met:

• Where you contest the accuracy of the personal data concerning you for a period
  enabling the controller to verify the accuracy of the personal data;
• the processing is unlawful and you object to the erasure of the personal data and
  instead request the restriction of the use of the personal data
• the controller no longer needs the personal data for the purposes of the processing, but
  they are required by you for the establishment, exercise or defence of legal claims, or
• you have objected to processing pursuant to art.

21 para. 1 GDPR pending the
verification whether the legitimate grounds of the controller override your interests.
If the processing of personal data concerning you has been restricted, such data may only be
processed – apart from being stored – with your consent or for the establishment, exercise or
defense of legal claims or for the protection of the rights of another natural or legal person or
for reasons of important public interest of the Union or of a Member State.

If the restriction of processing has been restricted in accordance with the above conditions,
you will be informed by the controller before the restriction is revoked.

4. RIGHT TO ERASURE
A) ERASURE OBLIGATION
You have the right to request the controller to erase the personal data concerning you without
undue delay and the controller is obliged to erase this data without undue delay where one of
the following applies:

• The personal data concerning you are no longer necessary in relation to the purposes
  for which they were collected or otherwise processed.
• You withdraw your consent on which the processing was based according to art. 6
  para. 1 lit. a or art. 9 para. 2 lit. a GDPR, and where there is no other legal basis for the
  processing.
  You object to the processing pursuant to art. 21 para.1 GDPR and there are no
  overriding legitimate interests for the processing, or you object to the processing
  pursuant to art. 21 para.2 GDPR.
• The personal data concerning you has been processed unlawfully.
• The deletion of personal data concerning you is necessary to fulfil a legal obligation
  under Union law or the law of the Member States to which the controller is subject.
• The personal data concerning you have been collected in relation to the offer of
  information society services referred to in art. 8 para.1 GDPR.

B) INFORMATION TO THIRD PARTIES
In the event that the controller has made the personal data concerning you publicly available
and is obliged to erase it pursuant to art. 17 para.1 GDPR, the controller, having regard to the
available technology and the cost of implementation, shall take reasonable steps, including
technical measures, to inform controllers which are processing the personal data that you as
the data subject have requested the erasure by such controllers of any links to, or copy or
replication of, those personal data.

C) EXCEPTIONS
The right to erasure does not exist insofar as the processing is necessary for the following
cases:

• to exercise the right to freedom of expression and information;
• for compliance with a legal obligation which requires processing by Union or Member
  State law to which the controller is subject or for the performance of a task carried out
  in the public interest or in the exercise of official authority vested in the controller
• for reasons of public interest in the area of public health in accordance with art. 9 para.
  2 lit. h and i and art. 9 para. 3 GDPR
• for archiving purposes in the public interest, scientific or historical research purposes
  or statistical purposes in accordance with art. 89 para. 1 GDPR, insofar as the right
  referred to in section a) is likely to render impossible or seriously impair the
  achievement of the objectives of that processing, or
• for the establishment, exercise or defence of legal claims.

5. RIGHT TO NOTIFICATION
If you have asserted the right to rectification, erasure or restriction of processing against the controller, the controller is obliged to notify all recipients to whom the personal data concerning you have been disclosed of this rectification or erasure of the data or restriction of processing, unless this proves impossible or involves a disproportionate effort.

You have the right towards the controller to be informed about these recipients.

6. RIGHT TO DATA PORTABILITY
You have the right to obtain the personal data concerning you, which you have provided to
the controller, in a structured, commonly used and machine-readable format. You also have the right to have this data transferred to another controller without hindrance to the controller to whom the personal data was provided, provided that

• the processing is based on consent pursuant to art. 6 para. 1 lit. a GDPR or art. 9 para.
  2 lit. a GDPR or on a contract pursuant to art. 6 para. 1 lit. b GDPR and
• the processing is carried out by automated means.

In exercising this right, you also have the right to have the personal data concerning you transmitted directly from one controller to another, where technically possible. The freedoms and rights of other persons must not be negatively affected by this.

The right to data portability does not apply to the processing of personal data necessary for
the performance of a task carried out in the public interest or in the exercise of official
authority vested in the controller.

7. RIGHT TO OBJECT (TO ADVERTISING)
You have the right to object, on grounds relating to your particular situation, at any time to
processing of personal data concerning you which is based on art. 6 para.1lit. e or f GDPR,
including profiling under those provisions.

The controller will no longer process the personal data concerning you unless the controller
demonstrates compelling legitimate grounds for the processing which override your interests,
rights and freedoms or for the establishment, exercise or defence of legal claims.

If the personal data concerning you are processed for direct marketing purposes, you have the
right to object at any time to the processing of personal data concerning you for such
marketing, which includes profiling to the extent that it is related to such direct marketing.

If you object to processing for direct marketing purposes, the personal data concerning you
will no longer be processed for these purposes.

Notwithstanding Directive 2002/58/EC, you have the option of exercising your right to object
in connection with the use of information society services by means of automated procedures
using technical specifications.

8. RIGHT TO WITHDRAW THE CONSENT UNDER DATA PROTECTION LAW
You have the right to revoke your declaration of consent under data protection law at any
time. The withdrawal of consent does not affect the lawfulness of processing based on consent
before its withdrawal.

9. RIGHT TO LODGE A COMPLAINT WITH A SUPERVISORY AUTHORITY
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a
complaint with a supervisory authority, in particular in the Member State of your habitual
residence, place of work or place of the alleged infringement if you consider that the
processing of personal data relating to you infringes the GDPR.

The supervisory authority with which the complaint has been lodged shall inform the
complainant on the progress and the outcome of the complaint including the possibility of a
judicial remedy pursuant to art. 78 GDPR.