Data protection information according to Art. 13,14 GDPR

Against the background of constant technical change and the ongoing development and improvement of our processes, this information is regularly adapted. We therefore recommend that you read our information and notes on data processing again at regular intervals. You can access the current privacy policy at any time on the website at www.dje.de and www.solidvest.de. You can find the latest data protection information on our website at: https://www.dje.de/datenschutzhinweise/

Responsible party (for data processing)

DJE Kapital AG

Pullacher Straße 24
82049 Pullach
Phone: +49 89 790453-0
Email: info@dje.de

Represented by the Management Board: Dr. Jens Ehrhardt (Chairman), Dr. Jan Ehrhardt (Deputy Chairman), Dr. Ulrich Kaffarnik, Peter Schmitz, Thorsten Schrieber

This data protection information clarifies the nature, scope and purpose of the processing of personal data by the controller, which is represented by the management.

The legal basis of data protection in relation to the territorial scope of application in Germany can be found in particular in the EU General Data Protection Regulation (GDPR), the Federal Data Protection Act (BDSG-new) and the Telecommunications and Telemedia Data Protection Act (TT-DSG).

Personal data is information that relates to an identified or identifiable natural person (data subject).

The processing of such data is only lawful if at least one of the following conditions is met:

• the data subject has consented to the processing of personal data relating to them for one or more purposes (e.g. declaration of consent for advertising communication),

• the processing is necessary for the performance of a contract or in order to take steps prior to entering into a contract (e.g. concluded contract, performance of services, provision of products)

• processing is necessary for compliance with a legal obligation to which the controller is subject (e.g. disclosure of data to public authorities)

• processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party and such interests are not overridden by the interests of the data subject (e.g. disclosure of data to debt collection agencies and lawyers, video surveillance).

If we have not received the data directly from you, we will receive your personal data (first name, surname, telephone number, mobile number, e-mail address and your message) from intermediaries, tipsters or other financial institutions for the purpose of establishing contact and initiating a contract in accordance with Art. 6 para. 1 lit. b GDPR.

As a rule, personal data is not transferred to a third country. Should this nevertheless be the case, the data transfer is regulated on the basis of an adequacy decision (e.g. Canada), consent, binding corporate rules or standard EU data protection clauses with suitable technical and organizational measures (so-called "supplementary measures").

The deletion of personal data takes place after expiry of the statutory and contractual retention periods in accordance with Section 257 of the German Commercial Code and Section 147 of the German Fiscal Code. We are obliged to carry out this type of data processing in accordance with Art. 6 para. 1 lit. c GDPR.

If personal data is not subject to any retention periods, it will be deleted as soon as the stated purposes no longer apply. If you assert a justified request for deletion or revoke your consent to data processing, your data will be deleted unless we have other legally permissible reasons for storing your personal data (e.g. retention periods under tax or commercial law); in the latter case, the deletion will take place after these reasons no longer apply.

We have appointed a data protection officer who works for the company in accordance with Art. 37 et seq. GDPR is active:

Carolin Bauer
aigner business solutions GmbH
Goldener Steig 42
94116 Hutthurm
Phone: +49 8505 91927-0
Email: carolin.bauer@aigner-business-solutions.com
Website: www.aigner-business-solutions.com

You have the right to request information from the controller as to whether and which of your personal data is being processed.

For this purpose, the controller shall provide an overview of the processing purposes, the categories of personal data processed and the respective recipients or categories of recipients in accordance with Art. 15 GDPR.

In accordance with Art. 16 GDPR, you have the right to obtain without undue delay the rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, you also have the right to request the completion of incomplete personal data.

In accordance with Art. 17 GDPR, you have the right to obtain from the controller the erasure of personal data concerning you without undue delay, unless there is another legal requirement to the contrary.

In accordance with Art. 18 GDPR, you have the right to request the restriction of processing if

• the accuracy of the personal data is contested

• the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead

• the controller no longer needs the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defense of legal claims

• you object to the processing pursuant to Art. 21 GDPR.

You have the right to withdraw your consent at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

In accordance with Art. 21 GDPR, you have the right to object at any time to the processing of personal data concerning you. The controller will then no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject.

Where personal data are processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing. This also applies to profiling insofar as it is associated with direct advertising. If you object, your personal data will subsequently no longer be processed for direct marketing purposes (Art. 21 (2) GDPR).

You have the right to have data which the controller processes automatically on the basis of your consent or in fulfillment of a contract handed over to you or to a third party in a commonly used, machine-readable format. If you request the direct transfer of the data to another controller, this will only take place if it is technically feasible.

You have the right to lodge a complaint with a supervisory authority if you consider that the processing of personal data relating to you infringes this Regulation.

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.

• Identity information (e.g. first and last name, identity card or passport number, nationality, place and date of birth, gender, photograph, IP address)

• Contact information (address, e-mail address and telephone number)

• Tax information (tax identification number, tax status)

• Bank, financial and transaction data (e.g. bank details (IBAN))

• Money transfers from and to your account/deposit

• assets

• notified investor profile, investment behavior

• Financial situation (income and expenditure)

• Client contact information in the context of the business initiation phase and during the business relationship, in particular through personal, telephone or written contacts initiated by you or by DJE Kapital AG, further personal data, e.g. information on contact channel, date, occasion and result, (electronic) copies of correspondence and information on participation in direct marketing measures as well as information on your wishes that you have expressed to us.

• Audiovisual data (information from the video legitimation procedure, recordings of calls)

• Information on knowledge and / or experience with securities (MiFID status)

• Investment behavior/strategy (period, scope, frequency of the customer's transactions with financial instruments, customer's risk appetite)

• Information on education and occupation (e.g. level of education, occupation, name of employer)

• Income (e.g. earnings)

• financial situation

  • Assets, liabilities, income, e.g. from employment/self-employment/business; expenses

  • Foreseeable changes in financial circumstances (e.g. retirement age)

  • Specific goals / major concerns for the future (e.g. planned purchases, repayment of liabilities)

  • Marital status, matrimonial property regime and maintenance obligations

  • Tax information (e.g. information on church tax liability), documentation data (e.g. declarations of suitability)

• Information on knowledge and / or experience with interest rate / currency products / investments

• MiFID client classification

• Investment behavior/strategy (period, scope, frequency of the customer's transactions with financial instruments, customer's risk appetite)

• Education, professional qualifications, profession practiced, position in the company, industry affiliation

• financial situation

  • (assets, liabilities, income, e.g. from employment/self-employment/business; expenses)

  • Foreseeable changes in financial circumstances (e.g. retirement age)

  • specific goals / significant concerns in the future (e.g. planned purchases, repayment of liabilities)

  • Tax information (e.g. information on church tax liability), documentation data (e.g. consultation minutes)

Where requested by customers, we also collect personal data from children. In doing so, we ensure that the holders of parental responsibility consent to the processing of personal data or, in certain cases, agree to the child's consent.

Personal data concerning racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, health data or data concerning sex life or sexual orientation will only be processed by us if we are legally entitled to do so.

Contract initiation and performance pursuant to Art. 6 para. 1 lit. b GDPR

If you make use of our products and services, we provide you with our financial services or you make specific inquiries in this regard, we process your data in the context of contract initiation or contract performance. The purposes of data processing depend primarily on the specific product and may include needs analyses, advice, asset management and support as well as the execution of transactions. The processing of your data is necessary if, for example, it is used for invoicing in the context of contract processing or to be able to send you an offer that you have requested.

Consent pursuant to Art. 6 para. 1 lit. a GDPR and Art. 9 para. 2 lit. a GDPR

If you have given us your consent to process personal data for specific purposes (e.g. transfer of data within the association / group or to use your data for specific advertising purposes), this processing is lawful on the basis of your consent. Data processing for the purpose of contacting us is based on your voluntarily given consent, for example if you use the contact form or newsletter registration on our websites www.dje.de and www.solidvest.de or send us a business card. You can withdraw your consent at any time. This also applies to the revocation of declarations of consent given to us before the EU General Data Protection Regulation came into force, i.e. before May 25, 2018. Please note that the revocation only takes effect for the future. Processing that took place before the revocation is not affected. If we wish to use your personal data for purposes other than those mentioned above, we will inform you accordingly and, if necessary, obtain your consent.

Legal obligations pursuant to Art. 6 para. 1 lit. c GDPR

As a financial services institution, we are subject to various legal obligations, i.e. legal requirements (e.g. EU Financial Markets Directive and Regulation, Securities Institutions Act, Money Laundering Act, Securities Trading Act, tax laws; distance selling law, general civil law obligations) and banking supervisory requirements (e.g. European supervision, Deutsche Bundesbank and the Federal Financial Supervisory Authority (BaFin)). The purposes of processing include, among other things, the obligations under the German Securities Trading Act (WpHG) to record the knowledge and experience of the respective client with investment services and financial instruments, the financial circumstances and investment objectives of the client, identity and age verification, fraud and money laundering prevention, compliance with sanction and embargo regulations, to respond to official inquiries from a competent government agency or judicial authority, the fulfillment of tax control and reporting obligations and the assessment and management of risks of DJE Kapital AG.

Legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR

We may also process your personal data in our legitimate interest. This consists, for example, in being able to process your inquiries to us. In contrast, your rights and freedoms are not to be regarded as predominant, as the request was made by you. We also pursue our legitimate interests when we transfer your data to a lawyer or debt collection agency in order to recover outstanding debts or enforce our rights. By contrast, your rights and freedoms are not to be regarded as overriding, as it is the reasonable expectation of a data subject that lawyers or debt collection agencies will also be used in the event of legal or debt collection disputes.

In addition, we process your data, where necessary, beyond the actual fulfillment of the contract to protect our legitimate interests or those of third parties, e.g. in the following cases

• Examination and optimization of procedures for needs analysis and direct customer approach; incl. customer segmentation and calculation of probabilities of conclusion

• Advertising or market and opinion research, provided you consent to the use of your data

• Assertion of legal claims and defense in legal disputes

• Ensuring the IT security and IT operations of DJE Kapital AG

• Prevention of criminal offenses, in particular fraud prevention

• Measures for building and system security (e.g. access controls)

• Other measures to safeguard domiciliary rights

• Measures for business management and further development of services and products

In principle, we collect data from you personally. In some cases, we also receive your data from third parties. For example, if you are supported by an intermediary or tipster, your personal data will be transmitted to us by your advisor as part of the application process. We may also receive your data from banks, financial portals, Deutsche Post AG (POSTIDENT) and service providers for risk assessments in accordance with the GwG. Furthermore, in some cases we obtain information from various public registers.

Within DJE Kapital AG, those departments that need your data to fulfill our contractual and legal obligations will have access to it. Service providers and vicarious agents employed by us may also receive data for these purposes if they maintain banking secrecy and comply with our written instructions under data protection law. We may only pass on information about you if this is required by law, if you have given your consent or if processors commissioned by us guarantee compliance with the requirements of the GDPR or the BDSG in the same way. Under these conditions, recipients of personal data may be, for example

• Public bodies and institutions (e.g. Deutsche Bundesbank, Federal Financial Supervisory Authority (BaFin), European Supervisory Authority, tax authorities, Federal Central Tax Office) in the event of a legal or official obligation.

• Other credit and financial services institutions, comparable institutions and processors to whom we transfer personal data in order to conduct the business relationship with you. These companies are also legally or contractually obliged to handle personal data with the necessary care. In particular, we work with IT service providers, financial service providers and custodian banks.

• Intermediaries, tipsters and service providers who support us in the following activities:

  • Support / maintenance of EDP/IT applications

  • archiving

  • Document processing

  • Call center services

  • Compliance services

  • controlling

  • Data screening for anti-money laundering purposes

  • Data destruction

  • Purchasing / Procurement

  • Space management

  • Real estate appraisals

  • Credit processing service

  • Collateral management

  • Collection

  • Customer administration and support

  • Lettershops

  • marketing

  • Dispatch of customer gifts

  • Media technology

  • Reporting

  • research

  • Risk controlling

  • Expense accounting

  • Telephony

  • Video legitimation

  • Website management

  • Securities services

  • Share register

  • Fund administration

  • Auditing services

  • Payment transactions

  • Members of certain regulated professions such as lawyers, notaries or auditors

  • Other data recipients may be those bodies for which you have given your consent to the transfer of data or for which you have released us in accordance with an agreement or consent.

We process your personal data in digital form (digital application process) as part of the preparatory activities and when opening a custody account and the associated data exchange with the custodian bank.

As a rule, we collect the information directly from you or receive it from your tipster.

This includes the following information:

• Personal master data: First name, surname, date of birth, place of birth, nationality

• Address data: Address

• Contact details: Telephone number, cell phone number, e-mail address

• Asset data: Deposit balance, asset overviews

• Contract data: Transaction data, information on the asset management contract

We do not process special categories of personal data in accordance with Art. 9 GDPR.

We use a service provider with whom we have concluded an agreement on order processing in accordance with Art. 28 GDPR for the processing of a digital application process and the associated faster opening of a securities account.

A contractual relationship is also possible without the use of the digital application route. However, even with analog processing, data transmission of your personal data is necessary for the fulfillment of the contract.

Data is only transferred to countries outside the EU or the EEA (so-called third countries) if this is necessary for the execution of your orders (e.g. payment and securities orders) or is required by law (e.g. reporting obligations under tax law), if you have given us your consent or as part of order processing. If service providers are used in a third country, they are obliged to comply with the level of data protection in Europe in addition to written instructions by agreeing the EU standard contractual clauses. If you require a printout of these provisions or information on their availability, you can contact us in writing using the contact details provided.

As part of our business relationship, you must provide the personal data that is necessary for the establishment and execution of a business relationship and the fulfillment of the associated contractual obligations or that we are legally obliged to collect. Without this data, we will generally have to refuse to conclude the contract or execute the order or will no longer be able to perform an existing contract and may have to terminate it. In particular, we are obliged under money laundering regulations to identify you before establishing the business relationship, for example by means of your identity card, and to collect and record your name, place of birth, date of birth, nationality, residential address and identification data. To enable us to comply with this legal obligation, you must provide us with the necessary information and documents in accordance with Section 11 (6) of the German Money Laundering Act and notify us immediately of any changes arising in the course of the business relationship. If you do not provide us with the necessary information and documents, we may not enter into or continue the business relationship requested by you.

We process and store your personal data for as long as is necessary to fulfill our contractual and legal obligations. It should be noted that our business relationship is a continuing obligation that is intended to last for several years. If the data is no longer required for the fulfillment of contractual or legal obligations, it is regularly deleted, unless its - temporary - further processing is required for the following purposes:

• Compliance with retention periods under commercial and tax law for the fulfillment of legal obligations (Art. 6 para. 1 lit. c GDPR): These include the German Commercial Code, the German Fiscal Code, the German Banking Act, the German Money Laundering Act and the German Securities Trading Act. The retention and documentation periods specified there are two to ten years.

• Preservation of evidence within the framework of the statute of limitations in the overriding legitimate interest (Art. 6 para. 1 lit. f GDPR). According to Sections 195 et seq. of the German Civil Code (BGB), these limitation periods can be up to 30 years, whereby the regular limitation period is three years. A retention period of six months applies to applicants without subsequent conclusion of a contract. In contrast, your rights and freedoms are not to be regarded as predominant, as it is the reasonable expectation of a data subject that their data will be retained for a certain period of time to preserve evidence in the event of any disputes. Data processing is strictly earmarked.

• Defense and prosecution of rights and claims in the overriding legitimate interest (Art. 6 para. 1 lit. f GDPR): In order to pursue and defend our rights and claims, it may be necessary to continue to store your personal data in the event of a dispute. In contrast, your rights and freedoms are not to be regarded as predominant, as it is the reasonable expectation of a data subject that their data will be retained for a certain period of time to preserve evidence in the event of a dispute. Data processing is strictly earmarked.

• Preservation of backups: In our overriding legitimate interest (Art. 6 para. 1 lit. f GDPR) in protecting our business processes and ensuring data protection and information security, we create backup copies at regular intervals. In contrast, your rights and freedoms are not to be regarded as predominant, as it is the reasonable expectation of a data subject that backup copies will be made. Data processing is strictly earmarked.

As soon as none of the above-mentioned purposes for further processing of your data apply, we will delete your data.

In cases where you are referred to us for our services / products by your advisor, our tipster, we may exchange personal data with your advisor. This concerns the following data of yours:

• Name

• your address

• contact details

• securities account balance

• Asset overviews

• Transaction data

• Information on the asset management agreement

We receive your data from the tipster by way of contract initiation in accordance with Art. 6 para. 1 lit. b GDPR when we receive your application to conclude a contract.

If you have given us your consent in accordance with Art. 6 para. 1 lit. a GDPR, we will also transmit your data to the tipster so that he can provide you with high-quality support and we can settle accounts with the tipster via his commission. Consent is voluntary and can be revoked at any time with effect for the future. You will not suffer any disadvantages if you do not give your consent or revoke your consent at a later date. However, if you do not give your consent or withdraw your consent, the support provided by your advisor may be impaired because we will then no longer be able to send him any further information.

Among other things, we use online conferencing tools to communicate and conduct informative webinars with our customers. The individual tools we use are listed below. If you communicate with us by video or audio conference via the Internet or take advantage of one of our webinar offers online, your personal data will be collected and processed by us and the provider of the respective conference tool.

The conference tools collect all data that you provide/enter to use the tools (e-mail address and/or your telephone number). The conference tools also process the duration of the conference, the start and end (time) of participation in the conference, the number of participants and other "context information" in connection with the communication process (metadata).

Furthermore, the provider of the tool processes all technical data that is required to process the online communication. This includes, in particular, IP addresses, MAC addresses, device IDs, device type, operating system type and version, client version, camera type, microphone or loudspeaker and the type of connection.

If content is exchanged, uploaded or provided in any other way within the tool, this is also stored on the tool provider's servers. Such content includes, in particular, cloud recordings, chat/instant messages, voicemails, uploaded photos and videos, files, whiteboards and other information shared while using the service.

Please note that we do not have full control over the data processing operations of the tools used. Our options are largely determined by the company policy of the respective provider. Further information on data processing by the conference tools can be found in the privacy policies of the tools used, which we have listed below this text.

The conference tools are used to communicate with prospective or existing contractual partners or to offer certain services to our customers (Art. 6 para. 1 lit. b GDPR). Furthermore, the use of the tools serves to generally simplify and accelerate communication with us or our company and to conduct webinars and information events (legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR). Insofar as consent has been requested, the tools in question are used on the basis of this consent (Art. 6 para. 1 lit. a GDPR); consent can be revoked at any time with effect for the future.

The data collected directly by us via the video and conference tools will be deleted from our systems as soon as you ask us to delete it, revoke your consent to storage or the purpose for data storage no longer applies. Stored cookies remain on your end device until you delete them. Mandatory statutory retention periods remain unaffected by this.

We have no influence on the storage period of your data that is stored by the operators of the conference tools for their own purposes. For details, please contact the operators of the conference tools directly.

We use the following conference tools:

Zoom

We use Zoom. The provider of this service is Zoom Communications Inc, San Jose, 55 Almaden Boulevard, 6th Floor, San Jose, CA 95113, USA. Details on data processing can be found in Zoom's privacy policy: https://zoom.us/de-de/privacy.html.

Data transfer to the USA is based on the standard contractual clauses of the EU Commission. You can find details here: https://zoom.us/de-de/privacy.html.

GoToWebinar

We use GoToWebinar. The provider is LogMeIn, Inc, 320 Summer Street Boston, MA 02210, USA. Details on data processing can be found in GoToMeeting's privacy policy: https://www.goto.com/de/company/legal/privacy.

Data transfer to the USA is based on the standard contractual clauses of the EU Commission. You can find details here: https://logmeincdn.azureedge.net/legal/lmi-customer-dpa-2020v1-de.pdf

The legal basis for this is either your consent within the meaning of Art. 6 para. 1 lit. a GDPR, Section 7 UWG or our legitimate interest in direct advertising pursuant to Art. 6 para. 1 lit. f GDPR in conjunction with Section 7 UWG.

Data processing for these purposes includes the processing of your lawfully stored data in connection with the respective information on your financial circumstances, your risk appetite and custody account data for individualized advertising and market research, statistics and analyses. It also includes the use of this data to uniquely identify you in order to offer you the best possible services and customer experience and to avoid any inconsistencies in connection with the above-mentioned purposes of advertising communication.

For this purpose, automated processes are used to match and merge data in order to identify potential matches in two or more data sets from different sources and systems with the aim of generating a unique, correct and always up-to-date customer master data set.

If you give us your consent, we base the above-mentioned data processing on your consent in accordance with Art. 6 para. 1 lit. a GDPR/§ 7 UWG. The following provisions apply to data processing in the context of the submission of this declaration of consent:

Contact channels

In order to comply with your personal rights to the greatest possible extent, we offer you the choice between different communication channels (telephone, e-mail, post, mobile phone/SMS) wherever possible. We will therefore only use those channels to which you have consented.

Processing of data for verification purposes

We will store your declaration of consent and the personal data it contains in our company for verification purposes and to comply with our accountability obligations under Art. 5 GDPR until the purpose of storage no longer applies. Accordingly, your declaration of consent will be deleted 5 years after revocation of your advertising consent in accordance with data protection regulations.

Consequences of non-submission and revocation

Your consent is always voluntary. You are free at any time to revoke a declaration of consent once given with effect for the future or not to submit a declaration of consent offered. This procedure has no negative consequences for you. Please note, however, that if you withdraw your consent or do not provide it, we will no longer be able to provide you with information and offers from our company.

If you have provided us with personal data as part of a competition or event, we will only process it for the purpose of advertising communication if you have given us your express and voluntary consent within the meaning of Art. 6 para. 1 lit. a GDPR.

In some cases, we also process your personal data for the above-mentioned purposes on the basis of our legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR. Our legitimate interest lies in non-harassing direct advertising and your rights and freedoms are not to be regarded as predominant in comparison.

If we send you advertising via electronic mail (e-mail), we only use e-mail addresses that we have collected as part of a sale of goods or services, only send direct advertising for our own similar goods or services and only use your e-mail address as long as you have not objected to the sending of direct advertising.

If we send you direct advertising by post on the basis of our legitimate interest, we will use your data for this purpose until you have objected to this form of direct advertising.

In the case of this form of direct marketing, you have the right to object at any time in accordance with Art. 21 para. 2 GDPR, which can be exercised without giving reasons.

If this is necessary to pursue our legitimate interests, we will process the declaration of consent or the data stored therein or in this context, insofar as we are authorized to do so. This may also include the disclosure of this information to legal advisors or state authorities in accordance with Art. 6 para. 1 lit. f GDPR.

If the contact data is not personally identifiable and the addressee of the direct advertising is not a consumer in accordance with Section 13 of the German Civil Code (BGB), we also use this data for direct advertising by telephone, provided we can assume that the addressee has given their presumed consent. Furthermore, we also collect contact data from third parties for the purposes of advertising communication, insofar as this is permitted by law.

Contact details of persons who are not registered in a customer account with us and who have exercised their right to object to direct marketing within the meaning of Art. 21 (2) GDPR or Section 7 UWG are stored by us in a blacklist/robin list. The purpose of this data processing is our legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR in the administration and proper consideration of objections to direct advertising. In contrast, the interests or fundamental rights and freedoms of the data subjects are not to be regarded as overriding, as the data processing is necessary to safeguard the rights and freedoms of the data subjects, since without this list the objections to advertising could not be taken into account when sending advertising.

DJE will process personal data as the organizer of a competition insofar as this is necessary to establish the legal relationship with the participant and for the subsequent implementation and processing of the competition (Art. 6 para. 1 lit. b GDPR). This also includes checking the conditions of participation and determining the winner. The data of the winners will be stored within the statutory retention periods (in particular according to HGB; AO and WpHG) in accordance with Art. 6 para. 1 lit. c GDPR.

DJE will also send all participants the e-mail newsletter with information about DJE offers and services on the basis of their consent in accordance with Art. 6 para. 1 lit. a GDPR. Participation in the competition is not possible without granting this consent. Consent can be revoked at any time with effect for the future.

Should legal disputes arise in the course of the implementation of the competition or beyond, we will retain the data of the participants concerned for as long as we need them to defend our rights in accordance with Art. 6 para. 1 lit. f GDPR.

The data of the competition participants is collected. This is usually the title, name, company to which the participant belongs, e-mail address, telephone number and postal address.

Winners' data will be stored in accordance with the statutory retention obligations under Section 257 of the German Commercial Code and Section 147 of the German Fiscal Code. The data of all participants will be processed after completion of the competition until their declaration of consent is revoked and for a further five years to prove that the declaration of consent was given.

Data will not be passed on to third parties without your prior consent. DJE uses the services of processors to send the newsletter. In accordance with Art. 28 GDPR, these processors are obliged to process the data only on the instructions of DJE and to treat it confidentially.

You are not obliged to provide DJE with your data. However, if you do not provide your data and do not give your consent to receive the newsletter, you will not be able to take part in the competition.

When we process personal data of our business partners, this is primarily data of our business partners' employees or contact persons. We process the data that is necessary to fulfill the purpose. These are in particular

• Identity information (e.g. first and last name, gender, company affiliation, job title/professional title)

• Contact information (address, e-mail address and telephone number)

• Communication data (content and time of communication, details of recipient and sender of communication)

• Contract information (contract details, contract content, contract status)

On the one hand, this is done in the context of contract initiation and contract fulfillment in accordance with Art. 6 para. 1 lit. b GDPR, in order to process existing contracts or to negotiate the conclusion of contracts.

Furthermore, we process your personal data in our legitimate interest to safeguard and pursue our legal claims in accordance with Art. 6 para. 1 lit. f GDPR.

If we are legally obliged to process your personal data, we process your data in accordance with Art. 6 para. 1 lit. c GDPR.

Data is only transferred to countries outside the EU or the EEA (so-called third countries) if this is necessary for the execution of your orders (e.g. payment and securities orders) or is required by law (e.g. reporting obligations under tax law), if you have given us your consent or as part of order processing. If service providers are used in a third country, they are obliged to comply with the level of data protection in Europe in addition to written instructions by agreeing the EU standard contractual clauses. If you require a printout of these provisions or information, you can contact us in writing using the contact details provided.

As part of our business relationship, you must provide the personal data that is necessary for the establishment and execution of a business relationship and the fulfillment of the associated contractual obligations or that we are legally obliged to collect. Without this data, we will generally have to refuse to conclude the contract or execute the order or will no longer be able to perform an existing contract and may have to terminate it.

In particular, we are obliged under money laundering regulations to identify you before establishing the business relationship, for example by means of your identity card, and to collect and record your name, place of birth, date of birth, nationality, residential address and identification data. To enable us to comply with this legal obligation, you must provide us with the necessary information and documents in accordance with Section 11 (6) of the German Money Laundering Act and notify us immediately of any changes arising in the course of the business relationship. If you do not provide us with the necessary information and documents, we may not enter into or continue the business relationship requested by you.

We process and store your personal data for as long as is necessary to fulfill our contractual and legal obligations. It should be noted that our business relationship is a continuing obligation that is intended to last for several years. If the data is no longer required for the fulfillment of contractual or legal obligations, it is regularly deleted, unless its - temporary - further processing is required for the following purposes:

• Compliance with retention periods under commercial and tax law for the fulfillment of legal obligations (Art. 6 para. 1 lit. c GDPR): These include the German Commercial Code, the German Fiscal Code, the German Banking Act, the German Money Laundering Act and the German Securities Trading Act. The retention and documentation periods specified there are two to ten years.

• Preservation of evidence within the framework of the statute of limitations in the overriding legitimate interest (Art. 6 para. 1 lit. f GDPR). According to Sections 195 et seq. of the German Civil Code (BGB), these limitation periods can be up to 30 years, whereby the regular limitation period is three years. A retention period of six months applies to applicants without subsequent conclusion of a contract. In contrast, your rights and freedoms are not to be regarded as predominant, as it is the reasonable expectation of a data subject that their data will be retained for a certain period of time to preserve evidence in the event of any disputes. Data processing is strictly earmarked.

• Defense and prosecution of rights and claims in the overriding legitimate interest (Art. 6 para. 1 lit. f GDPR): In order to pursue and defend our rights and claims, it may be necessary to continue to store your personal data in the event of a dispute. In contrast, your rights and freedoms are not to be regarded as predominant, as it is the reasonable expectation of a data subject that their data will be retained for a certain period of time to preserve evidence in the event of a dispute. Data processing is strictly earmarked.

• Preservation of backups: In our overriding legitimate interest (Art. 6 para. 1 lit. f GDPR) in protecting our business processes and ensuring data protection and information security, we create backup copies at regular intervals. In contrast, your rights and freedoms are not to be regarded as predominant, as it is the reasonable expectation of a data subject that backup copies will be made. Data processing is strictly earmarked.

As soon as none of the above-mentioned purposes for further processing of your data apply, we will delete your data.

Within DJE Kapital AG, access to your data is granted to those departments that need it to fulfill our contractual and legal obligations. Service providers and vicarious agents employed by us may also receive data for these purposes if they maintain banking secrecy and comply with our written instructions under data protection law. We may only pass on information about you if this is required by law, if you have given your consent or if processors commissioned by us guarantee compliance with the provisions of the GDPR or the BDSG in particular. Under these conditions, recipients of personal data may be, for example

• Public bodies and institutions (e.g. Deutsche Bundesbank, Federal Financial Supervisory Authority (BaFin), European Supervisory Authority, tax authorities, Federal Central Tax Office) in the event of a legal or official obligation.

• Other credit and financial services institutions, comparable institutions and processors to whom we transfer personal data in order to conduct the business relationship with you. These companies are also legally or contractually obliged to handle personal data with the necessary care. In particular, we work with IT service providers, financial service providers and custodian banks.

• Intermediaries, tipsters and service providers who support us in the following activities:

  • Support / maintenance of EDP/IT applications

  • archiving

  • Document processing

  • Call center services

  • Compliance services

  • controlling

  • Data screening for anti-money laundering purposes

  • Data destruction

  • Purchasing / Procurement

  • Space management

  • Real estate appraisals

  • Credit processing service

  • Collateral management

  • Collection

  • Customer administration and support

  • Lettershops

  • marketing

  • Dispatch of customer gifts

  • Media technology

  • Reporting

  • research

  • Risk controlling

  • Expense accounting

  • Telephony

  • Video legitimation

  • Website management

  • Securities services

  • Share register

  • Fund administration

  • Auditing services

  • Payment transactions

  • Members of certain regulated professions such as lawyers, notaries or auditors

  • Other data recipients may be those bodies for which you have given your consent to the transfer of data or for which you have released us in accordance with an agreement or consent.

We design the application process in our company digitally. We therefore offer you the opportunity to apply online on our website using software. You can access the online platform via our advertised vacancies on the website. There you have the option of registering yourself with a user profile and uploading, managing and deleting your information yourself.

You can use the platform to apply directly for an advertised position or send us an unsolicited application. You can also view and manage your open applications in your profile.

We also use the software for internal administration and processing of applications received. Only DJE Kapital has access to this applicant platform.

We base the processing in the context of the provision and use of an online application platform on our legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR. Our legitimate interest in the use of such an application platform predominates and lies in particular in the rapid, confidential processing of your application documents and an application process that is as simple as possible for you. In addition, the provision of the software gives you the opportunity to easily apply for several positions.

If we receive applications via vasb@qwr.qr, they will not be considered and will be deleted from your inbox immediately.

For the provision of the application software, we work together with a service provider in accordance with Art. 28 GDPR as part of order processing. The necessary agreement for order processing has been concluded.

If you have given your consent in the context of an application, whether for an advertised position or on your own initiative, in accordance with Art. 6 para. 1 lit. a GDPR, this applies to the inclusion in our applicant pool and the associated longer storage of your documents for up to one year. You will only be included in our pool with your data transmitted to us once you have given your consent.

The applicant pool is accessed for the following purpose: A position within our company needs to be filled. The job profile is therefore compared with your data and you are included in the application process. This data processing is carried out on the basis of Section 26 BDSG in conjunction with Art. 88 GDPR for the purpose of establishing an employment relationship.

Furthermore, we process your data in accordance with Art. 6 para. 1 lit. f GDPR if this is necessary for a legitimate interest and your rights do not outweigh this interest. This applies in particular to the retention of your application documents as evidence in the event of a legal dispute in connection with the application process.

The processing of your data in our company may also be necessary to fulfill a legal obligation to which we are subject in accordance with Art. 6 para. 1 lit. c GDPR. An example of this is the fulfillment of statutory retention periods.

We store and process all data that you transmit to us during the application process. This includes both the data from your application documents and the information that you provide to us in a telephone interview or in a personal interview.

The data processed includes your contact details such as surname, first name, address, telephone number, e-mail address, as well as all data relating to your professional and educational qualifications and degrees.

In addition, special categories of personal data within the meaning of Art. 9 GDPR may also be included in the processing. This may include, in particular, data relating to health, religious or philosophical beliefs, party or trade union membership. In addition, submitted application photos may contain personal data that is covered by the special categories of personal data. For example, information on racial and ethnic origin and health status. The sole purpose of processing this special data is to be able to use your application documents for the purpose of recruitment. Our company will not include this special information in decisions unless there is a legal obligation to do so. If you do not wish this data to be processed, you are free to submit new application documents that have been cleansed of this data. This procedure has no consequences for the prospects of your application.

1. data transfer to our company

In some cases, we also receive application documents and other information from recruitment service providers. If necessary, we will process the personal data contained therein in the manner described here as part of our application process.

2 Data transfer by our company

Data may be passed on by our company to fulfill legal obligations in accordance with Art. 6 para. 1 lit. c GDPR (e.g. to authorities, police, etc.). In addition, on the basis of our legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR (e.g. to lawyers, tax consultants, authorities, etc.).

You are under no legal or contractual obligation to provide us with your data. However, the transmission of your data is necessary in order to be considered for a vacant position.

There is no obligation to grant permission for permanent storage. Without this consent, however, we cannot consider your data for placement beyond the application process for a specific position or unsolicited application.

Your personal data will be deleted after the statutory and contractual retention periods have expired.

If personal data is not subject to any retention periods, it will be deleted as soon as the stated purposes no longer apply.

If you have signed a declaration of consent for inclusion in our applicant pool, we will process your information until you withdraw your consent, but for a maximum of one year.

If your application is unsuccessful, your data will be irretrievably anonymized four months after the end of the application process.

If you are employed by our company, your application documents will be transferred to your personnel file and will remain with you at least until you leave the company.

Personal data is generally not transferred to a third country. Should this still be the case, the data transfer is regulated on the basis of an adequacy decision (e.g. Canada), consent, binding corporate rules or concluded EU standard data protection clauses.