Privacy Policy:

1. COMPETENT AUTHORITY
The competent authority for the processing of your personal data within the meaning of the
German Federal Data Protection Act is OSB AG, Theresienhöhe 30, 80339 Munich (hereinafter
referred to as OSB). The external data protection officer is Mr. Jörg Hermann, jmh
datenschutzberatung, Werk 1, Atelierstraße 29, 81671 Munich, info@jmh-datenschutz.de.

If you wish to object to the processing of your data by OSB in accordance with these data privacy
provisions – either as a whole or with regard to individual measures, or if you wish to exercise
your other rights (see also Section 6), or if you have questions relating to data privacy, you can
send your objection, request or questions by email, fax or letter using the following contact
details: OSB AG, Theresienhöhe 30, 80339 Munich, Fax: +49 89 23 88 57 400, email:
datenschutz@osb-ag.de

2. WHICH DATA IS PROCESSED AND HOW?

2.1 PERSONAL DATA

Personal data refers to information that can be attributed to an identified or directly/indirectly

identifiable natural person.

Personal data includes, but is not limited to, general personal master data (e.g. name, address,
date of birth, telephone number, email address, etc.), resumes, bank data (account number, etc.),
and data issued by authorities (e.g. driver's license number, ID card number, passport number),
value judgements (e.g. school and job references, etc.), online data (IP address, date, time and
duration of use, location data, etc.), customer data, and supplier data, etc.

2.1 PROCESSING YOUR PERSONAL DATA

Data privacy is very important to us. Therefore, when processing your personal data, we strictly
adhere to the legal provisions of the European General Data Protection Regulation (GDPR), the
German Federal Data Protection Act (new), the German Telemedia Act and – where applicable –
the other data protection laws in the European Economic Area (EEA) and in Switzerland.

OSB is an engineering service provider operating Germany-wide. Data processing at OSB is carried
out in order to provide consulting and development services to OSB customers and affiliated
companies as well as to all related ancillary operations.

Your personal data will only be used for advertising/market research purposes if you have given us
your express consent to do so.

2.2.1 DESCRIPTION OF THE DATA SUBJECTS

Essentially, the personal data of the following data subjects is collected, processed and used:

* Customer data: Personal identification and communication data is processed for the purpose of
communicating with the customer, conducting our relevant business with the customer and,
furthermore, for initiating business contacts and informing customers.
* Supplier data: Personal identification, communication and performance data, as well as economic
and financial information, payment and bank details are processed for the purpose of
communicating with suppliers and for conducting our relevant business with the suppliers.

* Employee data: Personal identification and performance data (certificates, etc.), contract master
data, insurance data, absence period data, payment and bank details, tax and social security data,
login data, communication data, travel booking data, and vehicle booking data are processed for
the purpose of implementing and handling the relevant employment relationship, fulfilling legal
obligations, and in our legitimate corporate interest of managing, organizing and conducting our
business activities.

* Applicant data: Personal identification data, performance data (certificates, etc.), payment and
bank details, as well as travel booking data (when booking through OSB) are processed for the
purpose of initiating employment relationships, fulfilling legal obligations, and in our legitimate
corporate interest of managing, organizing and conducting our business activities, as well as for
the further development of our internal systems.

* Website visitors: Usage data is processed for providing our services, for statistical purposes and
for improving the information on our website (pseudonymized profiles in accordance with § 15 (3)
TMG – German Telemedia Act).

* Interested parties: Personal identification data, communication data and, where applicable,
economic and financial information of parties interested in OSB are processed for the purpose of
fulfilling the business objective.

* Other personal data: The personal data of other business partners (e.g. system partners,
chambers, associations, banks and authorities) is processed within the context of the respective
collaboration and thus for fulfilling our business objective.

2.2.2 DATA RECIPIENTS OR CATEGORIES OF DATA RECIPIENTS

Only the data necessary to fulfil the purpose of the company as well as the contractual agreements
will be passed on. The following are the main recipients:

* Service providers who are commissioned to ensure proper business operations (e.g. service
providers for delivering website and marketing content, suppliers for supporting administrative
processes, including travel service providers for handling employee business trips, landlords for
employee apartments, the Employer’s Liability Insurance Association for the administrative sector
(VBG) and the company physician within the context of occupational healthcare and occupational
safety, insurance companies for damages within the context of the employment relationship). The
legal basis for this is either Art. 28 GDPR in the case of contracted processing services or, if
applicable, § 26 BDSG – German Federal Data Protection Act (in conjunction with Art. 88 GDPR)
for the purposes of initiating or implementing an employment relationship with you

* External bodies for fulfilling the purposes mentioned under Section 2 (e.g. customers or affiliated
companies of OSB within the meaning of §§ 15 ff. AktG – German Stock Corporation Act, where
the employee is employed, or where the employee or applicant is to be employed within the scope
of the employment relationship, customers and suppliers for handling projects, credit institutions
for salary payments, tax consultants and auditors). The legal basis is generally § 26 BDSG –
German Federal Data Protection Act (in conjunction with Art. 88 GDPR) for establishing or
implementing an employment relationship with the employees, or Art. 6 (1) (f) GDPR with regard
to general operational obligations such as tax returns, audits, etc. Furthermore, this personal data
is processed for the purpose of compliance with statutory provisions and regulations, such as labor
law, tax and social law, the Money Laundering Act and international sanctions regulations (e.g. EU
Directive on combating terrorism). The legal basis is Art. 6 (1) (c) GDPR in conjunction with the
relevant provision of national law.

* Public bodies in the case of overriding legal provisions (e.g. social insurance institutions, financial
authorities). The legal basis for this is Art. 6 (1) (c) GDPR in conjunction with the relevant legal
provisions, in particular labor and social law.

* When processing data for the purposes named in Section 2.5, we partly draw on the services of
companies acting on our behalf (contracted processing services according to Art. 28 GDPR), which
have headquarters within or beyond the EU, for providing IT services, outsourcing data processing,
etc. The data is forwarded on the basis of appropriate safeguards by way of the standard
contractual clauses approved by the EU Commission (according to Art. 46 (2) (c) GDPR). However,
in this case, too, the data is processed according to our high data privacy standards, and is stored
and processed only on servers in Germany.

2.3 PROCESSING OF DATA WHEN VISITING OUR WEBSITE

When you access our website, we automatically process information (server log files) such as the
type of web browser, the operating system used, the domain name of your Internet service
provider, among other things. This data is limited to information that does not allow any direct
conclusions to be drawn about your person. This information is necessary from a technical
standpoint in order to correctly deliver the content of the web pages requested by you and is
mandatory when using the Internet. Anonymous information is statistically analyzed by us in order
to optimize our website and the technology behind it. The legal basis is the provision of a service
requested by the user according to Art. 6 (1) (b) GDPR or our legitimate interest in providing the
services of our website in accordance with Art. 6 (1) (f) GDPR.

2.4 CONTACT FORM

If you contact us by email or our contact form, the information you provide will be processed for
the purpose of handling the inquiry and for possible follow-up questions. The legal basis is our
legitimate interest in providing the services of our website in accordance with Art. 6 (1) (f) GDPR,
or the fulfilment of an inquiry you have made within the meaning of Art. 6 (1) (b) GDPR.

2.5 DATA PRIVACY INFORMATION FOR APPLICANTS

If you apply to OSB in order to enter into an employment relationship with OSB, OSB will process
your personal data that you provide to us as part of your application for the purpose of initiating a
contract – and, if applicable, for executing a contract. The legal basis for this is, in each case, § 26
BDSG – German Federal Data Protection Act (in conjunction with Art. 88 GDPR) for the
establishment and implementation of an employment relationship.
The data involved is that which must necessarily be provided by you, such as your title, name,
address and email address, telephone number as well as information on your education and
training, professional experience, knowledge in the sense of additional qualifications, as well as
preferences with regard to the type of employment at OSB – with information on the professional
field, preferred place of work and working hours, etc.

The following categories of data are collected:

• Personal identification and contract master data (e.g. name, postal address, email,
telephone number)
• (Work) preferences (e.g. occupational field, type of employment)
• Education, professional experience, skills
• Application documents (e.g. certificates, references, resume, photo)
• Usage or inventory data (e.g. IP address, name of the retrieved file, date and time of
retrieval, data volume transferred, notification of successful retrieval, web browser,
originating domain)

Furthermore, we use your email address to contact you in case we conduct internal company
surveys to the improve the quality of OSB. Participation in the surveys is voluntary and the results
are used purely anonymously.

Details:

2.5.1 ONLINE APPLICATION FORM

If you apply via our online form, you will be asked for the personal data outlined above. The data
you provide will be processed only within the scope of the application process and in our applicant
database set up for this purpose. Other statements not strictly required but made voluntarily by
you will only be processed if you expressly and voluntarily provide them to us.

2.5.2 APPLICATION OR CONTACT AT TRADE FAIRS

If you approach us personally with your application at trade fairs and provide us with your
personal data in your application documents for this purpose, we will process the data you provide
only within the scope of the application process and only then in our applicant database.

2.5.3 APPLICATION BY OTHER MEANS (e.g. BY EMAIL):

If you use any other means (e.g. email) to contact us with your application and provide us with
personal data in your application documents for this purpose, we will process the data you supply
only within the scope of the application process.

2.6 DATA PRIVACY INFORMATION FOR CUSTOMERS & SUPPLIERS

Personal data will be processed within the scope of the business relationship with customers &
suppliers or future customers/suppliers. If you are in a business relationship with OSB or in
negotiations about a potential business relationship with OSB, OSB will process your personal data
for the purpose of initiating and, if applicable, executing contracts and the agreed business
activities.
The data categories that are processed are listed in the following. These may relate to you or the
company which your work for:

• Personal identification and contract master data (e.g. name, postal address, email,
telephone number) of business partners and their contact persons
• Order and billing data
• Payment and bank details
• Communication
• Information for and about advertising and direct marketing

Furthermore, the processing of data serves the purposes of invoicing, financial reporting, project
management, and maintaining the ongoing business relationship. This includes advertising and
direct marketing. The legal basis for this is, in each case, Art. 6 (1) (b) GDPR with regard to the
conclusion, execution and processing of contracts, insofar as you yourself are a contractual
partner, and otherwise also Art. 6 (1) (f) GDPR with regard to the processing of contracts as well
as to our other legitimate interests, such as accounting or direct marketing.

3. 2.1 DISCLOSURE OF YOUR PERSONAL DATA TO THIRD PARTIES

OSB processes the data itself. Your data will not be sold nor made available to other non-
authorized third parties. OSB ensures that the data is only disclosed within companies affiliated
with OSB within the meaning of §§ 15 ff. AktG – German Stock Corporation Act, as well as to
customers, service providers and legal recipients. In each case, this data is only disclosed to the
extent necessary for achieving the purpose:

3.1 FOR CONTRACT INITIATION

Your personal data will be transferred to customers and affiliated companies of OSB within the
meaning of §§ 15 ff. AktG – German Stock Corporation Act, insofar as this is necessary – in
particular to the hirers within the framework of employee leasing for the acquisition of activities.
Applications in the areas of back office and business management are not affected by this.

3.2 FOR EXECUTION OF THE CONTRACT

Insofar as it is essential for the purpose of implementing your employment relationship with OSB,
your personal data will be transferred to the third parties necessarily involved in the execution of
the contract (customers, suppliers, affiliated companies of OSB within the meaning of §§ 15 ff.
AktG – German Stock Corporation Act).

3.3 WITHIN THE CONTEXT OF OUR BUSINESS OBJECTIVES OR IF PERMITTED OR REQUIRED BY

LAW
We may disclose information about you to third parties for business purposes, or when disclosure
is permitted or required by law. Similarly, information will be disclosed to government institutions
and authorities entitled to receive such data only as required by law or if OSB is obliged to provide
such information by a court order.
4. SSL ENCRYPTION
In order to protect the security of your data during transmission, we use state-of-the-art
encryption procedures (e.g. SSL) via HTTPS for the provision of our web pages and for the services
made available by them.

5. DELETING OR BLOCKING YOUR DATA

We adhere to the principles of data avoidance and data economy. We therefore only store your
personal data for as long as is necessary to achieve the purposes stated here or as stipulated by
the various storage periods provided for by law. After the respective purpose has ceased to exist
or these periods have expired, the corresponding data will be routinely blocked or deleted in
accordance with the statutory provisions.

6. WHICH RIGHTS DO YOU HAVE?

You have the right to receive information at any time about your personal data stored by us (Art.
15 GDPR). Likewise, you have the right to have your personal data corrected, blocked or – aside
from mandatory data storage for business transactions or for the fulfillment of legal or contractual
obligations – deleted (Art. 16, 17, 18 GDPR). Furthermore, you have the right to have the data
transferred in a structured, common and machine-readable format, insofar as you have provided
us with the data on the basis of consent or on the basis of a contract between OSB and yourself
(Art. 22 GDPR). You have the right to object to processing on the basis of a legitimate interest, in
which case we can state our compelling reasons (Art. 21 (1) GDPR), as well as to object to the use
of your personal data for the purposes of direct advertising (Art. 21 (2) GDPR).

To ensure that data blocking can be taken into account at any time, this data must be kept in a
blocking file for monitoring purposes. You can make changes or revoke consent with effect for the
future by notifying us accordingly.

Purely automated decision-making within the meaning of Art. 22 GDPR does not take place.

Please contact us using the contact details listed in Section 1 if you wish to exercise these rights. If
you would like to request detailed information on all the personal data that OSB has stored about
you, you must provide proof of identity that includes a photo.

7. 2.1 HOW DO WE PROTECT YOUR PERSONAL DATA?

We carry out physical, technical and administrative security measures in order to ensure that your
personal data is suitably protected against loss, misuse, unauthorized access, disclosure and
alteration. These security measures include firewalls, data encryption, physical access restrictions
to our data centers, and authorization controls for access to data.

8. HOW DO WE USE COOKIES?

8.1 WHAT ARE COOKIES?

Like many other websites, we also use what are referred to as “cookies”. Cookies are small text
files that are transferred from a website server to your hard drive. Through this, we automatically
obtain certain data via your computer and your connection to the Internet, such as the IP address,
the browser used and the operating system.
Cookies cannot be used to run programs or transmit viruses to a computer. Based on the
information contained in cookies, we can simplify the navigation of our website and enable the
correct display of our web pages.

Under no circumstances will the data we collect be passed on to third parties or linked to personal
data without your consent.

Of course, you can also view our website without cookies. Internet browsers are regularly set to
accept cookies. You can disable the use of cookies at any time via your browser settings. Please
use the help function of your Internet browser to find out how you can change these settings.
Please note that individual functions of our website may not work if you have disabled the use of
cookies.

8.2 WHICH COOKIES DO WE USE?

On this website we use various categories of cookies: technically necessary cookies, without which
the functionality of our website would be limited, as well as optional analysis, functional and
marketing cookies that come from third-party providers:

8.3 TECHNICALLY NECESSARY COOKIES

These cookies are essential to enable you to navigate our web pages, use their features and view
designs. They also store, for example, whether you agree to the use of cookies as well as your
selected cookie settings. These cookies do not collect any information about you for marketing
purposes nor do they store where you have been on the Internet. These cookies are usually
session-specific and expire after your visit to the website (session), unless the relevant functions
require storage beyond this (e.g. saving the cookie setting). The legal basis for the use of
technically necessary cookies and the processing of your data via these cookies is our legitimate
interest in displaying the functions of our website and making them available for use, Art. 6 (1) (f)
GDPR.

In this context we use, for example:

8.3.1 GOOGLE WEBFONTS

To present our content across different browsers correctly and in a visually attractive way, we use
script libraries and font libraries, such as Google Web Fonts, on this website
(https://www.google.com/webfonts/). Google Web Fonts are transferred into your browser cache
to avoid multiple loading. If the browser does not support Google Web Fonts or prevents access,
the contents will be shown in a standard font. When script libraries or font libraries are called up, a
connection is automatically triggered to the operator of the library. To do this, the browser used by
you must take up contact to the servers of Google. In this way, Google is informed that our
website has been called up by your IP address. We use Google Web Fonts to ensure that our online
presence has a consistent and attractive appearance. This represents a legitimate interest within
the meaning of Art. 6 (1) (f) GDPR.
If your browser does not support Web Fonts, a standard font will be used by your computer.
Further information on Google Web Fonts may be found at developers.google.com/fonts/faq and in
the privacy policy of Google: https://www.google.com/policies/privacy/.

8.4 ANALYSIS COOKIES

Analysis cookies collect information on how visitors use a website overall, for instance which pages
they visit most often and if they receive error messages from our web pages. All the information
collected using these cookies is used solely to understand and improve the functionality and
service of the website.

The legal basis for the use of analysis cookies and the processing of your data by the provider of
these cookies is your prior consent (Art. 6 (1) (a) GDPR).

We use the analysis cookies described in the following:

8.4.1 GOOGLE ANALYTICS

This website uses Google Analytics, a web analysis service of Google Ireland Limited, Gordon
House, Barrow Street, Dublin 4, Ireland (hereinafter: Google). The information about your use of
this website generated by Google Analytics is usually transmitted to a Google server in the US and
saved there. However, due to the activation of IP anonymization on these web pages, your IP
address will first be shortened by Google within member states of the European Union or in other
states which are party to the agreement on the European Economic Area. Only in exceptional
cases will the complete IP address be transmitted to a Google server in the US and shortened
there. On behalf of the operator of these web pages, Google will use this information to evaluate
your use of the website in order to compile reports on website activities and to render additional
services to the website operator regarding website and Internet use. The IP address transmitted
from your browser within the context of Google Analytics will not be collated with other data from
Google.

8.5 FUNCTIONAL COOKIES

We use functional cookies to improve and simplify the use and performance of our website.

The legal basis for the use of functional cookies and the processing of your data by the provider of
these cookies is your prior consent (Art. 6 (1) (a) GDPR).

We use the functional cookies and tools described in the following:

8.6 MARKETING COOKIES

Marketing cookies are used to better target advertising to you and your interests. They are also
used to limit how often you see the same advertisement, to gauge the effectiveness of an
advertising campaign, and to understand people’s behavior after viewing an advertisement. These
cookies are typically placed by advertising networks on the pages of the website operator with the
consent of the website operator (i.e. in this case, us). They recognize that a user has visited a
website and pass this information on to others, e.g. advertising companies, or adapt
advertisements themselves accordingly. Often they are linked to a website functionality provided
by that company. We thus use these cookies to link to social networks, which can then further use
the information about your visit to target advertising to you on other websites, and to provide
information about your visit to the advertising networks we use, so that you can later be presented
with exactly the advertising that you are potentially really interested in, based on your browsing
behavior. Again, we do not merge the data collected via these cookies with other information
about our visitors.

The legal basis for the use of marketing cookies and the processing of your data by the provider of
these cookies is your prior consent (Art. 6 (1) (a) GDPR).

We use the marketing cookies described in the following:

8.6.1 YOUTUBE

We use the YouTube.com platform to post our own videos and make them publicly available.
YouTube is offered by a third party not affiliated with us, namely YouTube LLC.

We also directly integrate videos stored on YouTube on some of our Internet pages. This
integration allows content from the YouTube website to be displayed in parts of a browser window.
However, the YouTube videos are only called up by clicking on them separately. This technology is
also referred to as “framing”.

When calling up YouTube videos, the IP address as well as other data relating to your browser are
transmitted, thereby providing certain information – in particular about which of our web pages
you have visited. For more information on data processing carried out via YouTube, please refer to
the data privacy policy of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland,
at: https://policies.google.com/privacy.

8.7 HOW CAN I DECLARE OR REVOKE MY CONSENT TO COOKIES?

If you visit our website for the first time, you will be shown the data privacy notice on the start
page, with the consent text for optional cookies. By clicking on the individual categories and then
confirming this selection by clicking on “Accept all”, you agree to these cookie settings. You can
adjust and change these cookie settings at any time by clicking on the blue cookie logo at the
bottom right of the website pages.

9. USE OF SOCIAL PLUGINS

On our website we use the “social media plugins” of the social networks Facebook, Xing, LinkedIn
and Twitter. The social media plugins are recognizable by the logo of the relevant social network.

Facebook Inc. (1601 S. California Ave – Palo Alto – CA 94304 – USA)

XING AG (Gänsemarkt 43 – 20354 Hamburg – Germany)

LinkedIn Corp. (2029 Stierlin Court – Mountain View – CA 94043 – USA)

Twitter (One Cumberland Place – Fenian Street – Dublin 2 – D02 AX07 – Ireland)

The social media plugins on our website are disabled by default. To use the social media plugins,
you must activate them by clicking on the corresponding button. As long as the social media plugin
is not activated, no data will be transmitted to the social network. After activation, the social
media plugin generates a connection to the servers of the social network and remains active until
you deactivate it again or delete your corresponding cookies. Activation establishes a direct
connection with the server of the relevant social network. The content of the social media plugin is
transmitted by the social network directly to your browser, which embeds it in the website visited.
We therefore have no influence on the scope of the data collected by the social media plugin.

Please refer to the data privacy policies of the social networks for more information on the purpose
and scope of data collection, as well as on the further processing and use of the data by the
respective social networks, your rights in this regard, and the setting options for protecting your
privacy.

Facebook: https://www.facebook.com/policy.php

XING: https://www.xing.com/privacy

LinkedIn: https://www.linkedin.com/legal/privacy-policy?trk=uno-reg-join-privacy-policy

twitter: https://twitter.com/de/privacy