DR. HENGSTER
LOESCH
&
KOLLEGEN

Investment Agents for Long Term Return

DATA PROTECTION INFORMATION

Our handling of your data and your rights
- Information pursuant to Articles 13, 14 and 21 of the Basic Data Protection Regulation (GDPR) -

Dear customer,

In the following we inform you about the processing of your personal data by us and the claims and rights to which you are entitled according to the data protection regulations.

Which data is processed in detail and how it is used depends largely on the services requested or agreed.

1. Who is responsible for data processing and who can I contact?

The responsible body is:

DR. HENGSTER, LOESCH & KOLLEGEN GMBH
Rathenauplatz 1A
60313 Frankfurt am Main, Germany
T +49 69 9288497-0
F +49 69 9288497-28
Email: info@hengsterloesch.de

You can reach our appointed company data protection officer at:

Thomas Gutte Datenschutzberatung
Hochstraße 2
65195 Wiesbaden, Germany
Phone: +49 611 - 71186990
Email: thomas.gutte@gutte-datenschutz.de

2. What sources and data do we use?

We process personal data that we receive from you within the framework of our business relationship. In addition, we process - insofar as necessary for the provision of our services - personal data that we have received from other companies (e.g. SCHUFA) permissibly (e.g. for the execution of orders, for the fulfilment of contracts or on the basis of your consent). On the other hand, we process personal data which we have obtained and are permitted to process from publicly accessible sources (e.g. BaFin register, annual reports of company websites).

Relevant personal data are personal data (name, address and other contact data, date and place of birth and nationality), identification data (e.g. ID card data) and authentication data (e.g. signature specimen). Furthermore, this may also include order data (e.g. payment order, securities order), data from the performance of our contractual obligations (e.g. turnover data in payment transactions, credit lines, product data (e.g. deposit, credit and custody business), information about your financial situation (e.g. creditworthiness data, scoring/rating data, origin of assets), advertising and sales data (including advertising scores), documentation data (e.g. consultation protocol), register data, data on your use of our offered telemedia (e.g. time of access to our websites, apps or newsletters, pages clicked on by us or entries) and other data comparable with the categories mentioned.

3. Why do we process your data (purpose of processing) and on what legal basis?

We process personal data in accordance with the provisions of the European Data Protection Basic Regulation (GDPR) and the Federal Data Protection Act (BDSG):

3.1 For the fulfilment of contractual obligations (Article 6, 1b GDPR)

The processing of personal data (Article 4, 2 GDPR) is carried out for the provision and mediation of our services, in particular for the execution of our contracts or pre-contractual measures with you and the execution of your orders, as well as all activities necessary for the operation and administration of a company.

The purposes of data processing depend primarily on the specific product (e.g. placement) and may include needs analyses, advice, asset management and support as well as the execution of transactions.

Further details for the purpose of data processing can be found in the respective contract documents and terms and conditions.

3.2 In the context of balancing interests (Article 6, 1f GDPR)

If necessary, we process your data beyond the actual performance of the contract to protect the legitimate interests of us or third parties such as in the following cases:

- Guarantee of IT security and IT operation;
- Examination and optimization of procedures for needs analysis and direct customer contact;
- Advertising or market and opinion research, insofar as they have not objected to the use of your data;
- Assertion of legal claims and defence in legal disputes;
- Measures for building and plant security (e.g. access controls);
- Measures to ensure the right of domicile;
- Measures for business management and further development of services and products;
- Consultation and data exchange with credit agencies (e.g. SCHUFA) to determine creditworthiness and default risks;
- Prevention and investigation of criminal offences.

3.3 Based on your consent (Article 6, 1a GDPR)

If you have given us permission to process personal data for specific purposes (e.g. passing on data, evaluation of user data for marketing purposes), the lawfulness of this processing is given on the basis of your consent. Your consent can be revoked at any time. This also applies to the revocation of declarations of consent which - such as the SCHUFA clause - were issued to us before the GDPR came into force, i.e. before 25 May 2018.

Please note that the revocation will only take effect in the future. Processing that took place before the revocation is not affected by this.

3.4 Based on legal requirements (Article 6, 1c GDPR) or in the public interest (Article 6, 1e GDPR)

As a bank, we are also subject to various legal obligations, i.e. legal requirements (e.g. German Banking Act, Money Laundering Act, Securities Trading Act, Tax Acts) as well as banking supervisory requirements (e.g. European Central Bank, European Banking Supervision, Deutsche Bundesbank and Federal Financial Supervisory Authority). The purposes of processing include, among others, creditworthiness checks, identity and age checks, fraud and money laundering prevention, compliance with control and reporting obligations under tax law, and the assessment and management of risks.

4. Who gets my data?

Within our company, those departments that need your data to fulfil our contractual and legal obligations will have access to it. Contract processors used by us (Article 28 GDPR) may also receive data on these two areas. These are companies in the category "liability umbrella".

With regard to the transfer of data to recipients outside our company, it should be noted that we only pass on information about you if this is required by law, if you have consented or if we are authorised to provide information.

Under these conditions, recipients of personal data may be, for example:

- Public bodies and institutions (e.g. Deutsche Bundesbank, Bundesanstalt für Finanzdienstleistungsaufsicht, European Banking Supervisory Authority, European Central Bank, tax authorities) where there is a legal or official obligation.

- Other credit and financial service institutions or comparable institutions to which we transmit personal data for the purpose of conducting the business relationship with you (depending on the contract: e.g. correspondent banks, custodian banks, stock exchanges, credit agencies).

Other data recipients may be those entities for which you have given us your consent to the transfer of data or for which you have released us from banking secrecy in accordance with the agreement or consent.

5. How long will my data be stored?

If necessary, we process and store your personal data for the duration of our business relationship, which includes, for example, the initiation and execution of a contract.

In addition, we are subject to various storage and documentation obligations, including those arising from the German Commercial Code (HGB) and the Fiscal Code (AO). The time limits for storage and documentation specified there are between two and ten years.

Finally, the storage period is also assessed according to the statutory limitation periods, which, for example, according to §§ 195 et seq. of the German Civil Code (BGB) can generally be three years, but in certain cases also up to thirty years.

6. Are data transferred to a third country or to an international organisation?

Data will only be transferred to third countries (countries outside the European Economic Area - EEA) if this is necessary, legally required or if you have given us your consent. We will inform you separately about details if legally required.

7. What data protection rights do I have?

Every data subject has the right to information pursuant to Article 15 GDPR, the right to rectification pursuant to Article 16 GDPR, the right to deletion pursuant to Article 17 GDPR, the right to limitation of processing pursuant to Article 18 GDPR and the right to data transfer pursuant to Article 20 GDPR. The restrictions under §§ 34 and 35 BDSG apply to the right of access and the right of cancellation. In addition, there is a right of appeal to a data protection supervisory authority (Article 77 GDPR in conjunction with § 19 BDSG).

8. Is there an obligation to provide data?

As part of our business relationship, you must only provide personal data that is required for the establishment, performance and termination of a business relationship or which we are legally obliged to collect. Without this data we will normally have to refuse the conclusion of the contract or the execution of the order or will no longer be able to execute an existing contract and may have to terminate it.

In particular, we are obliged under the provisions of money laundering law to identify you by means of your identity card, for example, before establishing a business relationship and to collect your name, place of birth, date of birth, nationality and residential address. To enable us to comply with this legal obligation, you must provide us with the necessary information and documents in accordance with the Money Laundering Act and notify us immediately of any changes arising in the course of the business relationship. If you do not provide us with the necessary information and documents, the business relationship you have requested will not be accepted.

9. To what extent is there automated decision-making in individual cases?

As a matter of principle, we do not use fully automated decision-making pursuant to Article 22 GDPR for the establishment and implementation of the business relationship. Should we use these procedures in individual cases, we will inform you separately if this is legally required.

10. To what extent is my data used for scoring?

We do not use profiles according to article 22 GDPR. Should we use this procedure in individual cases, we will inform you of this separately if this is required by law.

Data protection information for applicants

Our handling of your data and your rights
- Information pursuant to Articles 13, 14 and 21 of the General Data Protection Regulation (GDPR) -

Dear applicant,

In the following we inform you about the processing of your personal data by us and the claims and rights to which you are entitled according to the data protection regulations.

1. Who is responsible for data processing and who can I contact?

The responsible body is:

DR. HENGSTER, LOESCH & KOLLEGEN GMBH
Rathenauplatz 1A
60313 Frankfurt am Main, Germany
T +49 69 9288497-0
F +49 69 9288497-28
Email: info@hengsterloesch.de

You can reach our company data protection officer at:

Thomas Gutte Datenschutzberatung
Hochstraße 2
65195 Wiesbaden, Germany
Phone: +49 611 - 71186990
Email: info@gutte-datenschutz.de

2. What sources and categories of data do we use?

We process personal data that we receive from you as part of your application. This is the data that you make available to us by transmitting the application documents and your details in job interviews.

We also visit profiles of applicants on professionally oriented social networks, if such are available. We do not visit profiles in private social networks.

It is also possible for us to receive data from recruiters to whom you have provided your application documents and who you propose to us as candidates for a position. If references from previous employers are to be requested, this will be discussed separately with the applicant.

Relevant personal data are e.g. name, address and other contact data, birthday, academic and professional background, references, certificates, etc.

3. Why do we process your data (purpose of processing) and on what legal basis?

We process personal data in accordance with the provisions of the European Data Protection General Regulation (GDPR) and the Federal Data Protection Act (BDSG), processing takes place exclusively if it is permitted by law or if we have received your consent to data processing.

3.1 Processing your data for the purposes of filling vacancies (Article 6 Paragraph 1b DSG-VO)

Data processing is carried out for the purpose of selecting personnel to fill vacant positions. These are pre-contractual measures that serve to initiate employment contracts.

3.2 Processing of your data on the basis of legitimate interests within the scope of weighing up interests (Article 6, 1f GDPR)

If necessary, we process your data beyond the actual initiation or performance of the contract to protect the legitimate interests of us or third parties - provided that your interests would not outweigh - such as in the following cases:

Background research of applicants for positions with special compliance relevance: We have a legitimate interest in researching whether an applicant for certain fields of activity may be shortlisted on the basis of his details.
Improving our application process and applicant satisfaction surveys: We use findings from surveys or individual interviews on applicant satisfaction to identify improvement potential and make the application process more effective. Where possible, we process your data in pseudonymised form, i.e. in such a way that you cannot be identified directly.

Defence against and assertion of legal claims: Furthermore, we store data of applicants in order to be able to defend ourselves against asserted claims, e.g. from the AGG, if necessary. We disclose personal data to public authorities and courts if this is necessary to defend ourselves in legal disputes or to assert legal claims.

3.3 Processing of your data on the basis of your consent (Article 6, 1a GDPR)

We also process your personal data if and to the extent that you have consented to data processing for specific purposes in accordance with Art. 6, 1a GDPR. The purposes for which data processing is carried out within the scope of this are determined by the respective consent.
A given consent can be revoked at any time. This also applies to the revocation of declarations of consent given to us before the GDPR came into force, i.e. before 25 May 2018.

Please note that the revocation will only take effect in the future. Processing that took place before the revocation is not affected by this.

3.4 Processing of your data based on legal requirements (Article 6, 1c GDPR)

We process your personal data even if we are obliged to do so by law. This includes, for example, feedback to the Employment Agency as well as information to public offices, authorities and courts if we are obliged to do so.

4. Who gets my data?

We treat the fact that you apply to us as well as your personal data confidentially. Within our company, only those departments and employees who need your data to fulfil the above-mentioned requirements will have access to it. As a rule, these are employees of the personnel department as well as the specialist department within which the position is to be filled, e.g. the manager in whose team the position is located.

With regard to the transfer of data to recipients outside our company, please note that we only disclose information about you if required to do so by law, if you have consented to this or if we are authorized to provide information.
Under these circumstances, recipients of personal data may be, for example, public bodies and institutions (e.g. authorities) if there is a legal or statutory obligation.

In addition, we cooperate with service providers who support us. We only transmit your personal data to our service providers and cooperation partners if there is a legal basis for doing so. These are service providers in the following areas:

Personnel consultants and recruiters
headhunters
Service provider for checking the applicant qualification

Other data recipients may be those entities for which you have given us your consent to the transfer of data or to which we are authorised to transfer personal data on the basis of a weighing of interests.

5. How long will my data be stored?

If necessary, we process and store your personal data as long as it is necessary for the realisation of the processing purposes and/or for the fulfilment of legal storage obligations.

If you have not been selected for the position for which you have applied, we will delete your data for six months from the date of rejection.

If an employment contract is concluded between you and us, your application documents will be included in the personnel file and stored at least for the duration of the employment relationship and any subsequent storage obligations.

If and to the extent that you have given us your consent to data processing for specific purposes, such as for example to continue to store your data and to contact you in order to offer you further vacancies, the processing time results from the purpose of the consent given.

Finally, the storage period is also judged according to the statutory limitation periods, which, for example, according to §§ 195 ff. of the German Civil Code (BGB) can generally be three years, but in certain cases also up to thirty years.

6. Are data transferred to a third country or to an international organisation?

Data will only be transferred to third countries (countries outside the European Economic Area - EEA) if this is necessary, legally required or if you have given us your consent. In such cases, data will only be accessed if either a Commission adequacy decision exists for the respective country, if we have agreed with the service providers the standard contractual clauses provided by the EU Commission for these cases or if the respective company has drawn up its own internal binding data protection regulations which have been recognised by the data protection supervisory authorities. We will inform you separately about the details if required by law.

7. Which data protection rights do I have?

Each data subject has
The right of access under Article 15 GDPR,
the right to rectification under Article 16 GDPR,
the right to cancellation under Article 17 GDPR,
the right to limit the processing pursuant to Article 18 GDPR
and the right to data transfer under Article 20 GDPR.

The restrictions in §§ 34 and 35 BDSG apply to the right to information and the right to cancellation.

In addition, there is a right of appeal to a data protection supervisory authority (Article 77 GDPR in conjunction with § 19 BDSG).

You can revoke your consent to the processing of personal data at any time. This also applies to the revocation of declarations of consent given to us prior to the application of the General Data Protection Regulation, i.e. before 25 May 2018. Please note that the revocation only takes effect for the future. Processing that took place before the revocation is not affected by this.

8. Is there an obligation to provide data?

An application to our company is voluntary. However, it is necessary to provide your personal data regarding your previous professional and/or educational background, your qualifications, your abilities and personal details as well as your contact details so that we can find out whether you as an applicant are suitable for the vacant position and so that we can make an appropriate personnel selection. Without the provision of this data by you as an applicant, no personnel selection can take place in the application process. As a result, failure to provide personal information will mean that you will not be considered as a candidate for the position.

9. To what extent is there automated decision-making in individual cases?

We do not use fully automated decision-making pursuant to Article 22 GDPR. If we are to use these procedures in individual cases, we will inform you of this and of your rights in this regard separately, insofar as this is prescribed by law.

10. To what extent will my data be used for scoring?

As a matter of principle, we do not use profiles in accordance with Article 22 GDPR. Should we use this procedure in individual cases, we will inform you of this separately if this is required by law.

Information about your right of objection
pursuant to Article 21 of the Basic Data Protection Regulation (GDPR)

1. You have the right, for reasons arising from your particular situation, to object at any time to the processing of personal data concerning you carried out on the basis of Article 6, 1e GDPR (data processing in the public interest) and Article 6, 1f GDPR (data processing on the basis of a weighing of interests); this also applies to profiling based on this provision within the meaning of Article 4, 4 GDPR, which we use for bonus assessment or for advertising purposes.

If you file an objection, we will no longer process your personal data unless we can prove compelling reasons for processing worthy of protection, which outweigh your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.

The objection can be made without form and should be addressed to:

DR. HENGSTER, LOESCH & KOLLEGEN GMBH
Rathenauplatz 1A
60313 Frankfurt am Main, Germany
Email: info@hengsterloesch.de