The following data protection declaration is intended to explain to you in an understandable, transparent and clear manner how your personal data is processed by ROTHENBERGER AG (hereinafter "ROTHENBERGER", "we", or "us").

Responsible person

The responsible party within the meaning of the data protection laws, in particular the EU General Data Protection Regulation (DSGVO), is the

ROTHENBERGER AG Spessartstrasse 2-4 65779 Kelkheim

in most cases with one or more of its subsidiaries.

Data protection officer

If you have any questions about this data protection declaration and other data protection topics, please contact our data protection officer:

Rudolf Fiedler Data Protection Officer DDP Data Protection GmbH Zum Gottschalkhof 2 60594 Frankfurt am Main.

What is personal data?

Personal data is any information relating to an identified or identifiable natural person ("data subject").

What data is processed on our website?

Collection of general information when visiting our website

When you visit our website, a so-called protocol data record (so-called server log files) is collected, stored and processed temporarily and anonymously on our web server. This consists of:

§ the page from which the page was requested (so-called referrer URL),

§ the name and URL of the requested page,

§ the date and time of the request,

§ the description of the type, language and version of the web browser used,

§ the IP address of the requesting computer, which is shortened so that a personal reference can no longer be established,

§ the amount of data transmitted,

§ the operating system,

§ the message whether a call was successful (access status/ttp status code),

§ the GMT time zone difference.

The processing of the log data serves the following purposes:

§ to ensure a smooth connection of the website,

§ Ensuring a smooth use of our website,

§ evaluation of system security and stability, and

§ to optimise our website.

The legal basis for the processing of this log data is Art. 6 para. 1 p. 1 lit. f DSGVO. The above-mentioned purposes also represent our legitimate interest in data processing.

We do not use your data to draw conclusions about your person. Information of this kind is statistically analysed anonymously, if necessary, in order to optimise our website and the technology behind it.

Registration on our website

For registration on our website, we require general "personal data" which are transmitted to us via an input mask. These consist of:

§ First and last name,

§ date of birth,

§ Address,

§ e-mail address and

§ Time of transmission.

This data is processed for the purpose of creating a customer profile and on the basis of your consent pursuant to Art. 6 para. 1 p. 1 lit. a DSGVO.

Contact form

When using our contact form, the "contact form data" transmitted through it are collected, stored and processed: These include in particular:

§ First and last name,

§ address,

§ Client group,

§ Telephone number,

§ e-mail address and

§ time of transmission.

Contact form data is processed for the purpose of handling customer enquiries. The legal basis for data processing is Art. 6 (1) sentence 1 lit. f DSGVO, whereby the purpose of the contact form data processing corresponds to our legitimate interest in data processing. If you contact us to request an offer, the legal basis is Art. 6 para. 1 p. 1 lit. b DSGVO and the contact form data processing is carried out to implement pre-contractual measures.

Newsletter

If you register for our newsletter, the following "newsletter data" will be collected, stored and processed by us:

§ the page from which the page was requested (so-called referrer URL),

§ the date and time of the call,

§ the description of the type of web browser used,

§ the IP address of the requesting computer, which is shortened so that a personal reference can no longer be established,

§ the e-mail address,

§ the date and time of registration, confirmation email and confirmation.

We would like to point out that we evaluate your user behaviour when sending the newsletter. For the evaluation, the e-mails sent contain so-called web bearcons or tracking pixels, which are single-pixel image files stored on our website. For the evaluation, we link the web bearcons with your e-mail address to form an individual ID. Links contained in the newsletter also contain this ID. The data is only collected pseudonymously, i.e. the IDs are not linked to your other personal data, a direct personal reference is excluded.

The newsletter data is processed for the purpose of delivering the subscribed newsletter by e-mail. When registering, you consent to the processing of your personal data in accordance with Art. 6 para. 1 p. 1 lit. a DSGVO. We use the so-called double opt-in procedure to register for the newsletter. This means that after your registration, we will send you an e-mail to the specified e-mail address in which we ask you to confirm that you wish to receive the newsletter. The purpose of this procedure is to enable us to verify your registration and, if necessary, to clarify any possible misuse of your personal data. You can revoke your consent to the sending of the newsletter at any time with effect for the future and unsubscribe from the newsletter. You can declare the revocation by clicking on the link provided in every newsletter e-mail or by sending a message to the contact option given below.

Application form

If you apply via our application form on our website, we collect, store and process your "applicant data". These are in particular:

§ First and last names,

§ address,

§ E-mail address,

§ Telephone number,

§ mobile phone number and

§ Attachments enclosed with the application (e.g. CV, cover letter, certificates).

The data processing is carried out on the legal basis of Art. 6 para. 1 p. 1 lit. a DSGVO as well as Art. 88 para. 1 DSGVO in conjunction with. § SECTION 26 BDSG. The purpose of the data processing is the internal processing of applications. If you are under 16 years of age, we require the consent of your legal guardian.

If your application cannot be considered for a specific job advertisement, it is possible that we will include your application in the applicant pool and consider it for subsequent vacancies. The legal basis for this is also Art. 6 para. 1 p. 1 lit. a DSGVO as well as Art. 88 para. 1 DSGVO in conjunction with Art. 26 BDSG. § 26 BDSG.

You can request information about the scope, origin and recipients of the stored data and its correction free of charge at any time. After the end of your application process, your applicant data will be deleted by us immediately, unless you have given us your express consent to include you in our applicant pool. Should your applicant data be included in our applicant pool, we will store your data for a period of two (2) years and will then delete it without being asked after the expiry of this period. Earlier deletion is possible at your request at any time. Further information on data protection is available at https://karriere.rothenberger.com/jsp/bms/forms/privacy/PrivacyFormDyn.jsp?syssnbrlk=.

How long do we store your data?

All data that you provide to us is deleted as soon as it is no longer required for the purpose for which it was collected. This is generally the case for the data used to provide the website when the respective session has ended.

In the case of storage of data in log files, this is the case after 14 days at the latest. Storage beyond this period is possible. In this case, the IP addresses of the users are anonymised so that it is no longer possible to assign the calling user.

How do we guarantee data security?

We use appropriate technical and organisational security measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction or against unauthorised access by third parties (e.g. TSL encryption on our website), taking into account the state of the art, the implementation costs and the nature, scope, context and purpose of the processing, as well as the existing risks of a data breach (including its probability and impact) for the data subject. Our security measures are continuously improved in line with technological developments.

We will be happy to provide you with more detailed information on request. Please contact our data protection officer.

Who do we share your data with?

The protection of your data is important to us. For this reason, we do not sell, exchange or rent your data. For certain technical processes of data processing, we use the support of external service providers who act for us as processors according to Art. 28 DSGVO. They are bound to strict confidentiality and only process data on our behalf and according to our instructions.

Insofar as personal data from you is passed on by us to our subsidiaries or is passed on to us by our subsidiaries (e.g. for advertising purposes), this is done on the basis of existing order processing relationships.

Processors used

The following organisations, companies or persons have been commissioned by the operator of this website to process data:

• YUM GmbH, Stephanstraße 1, 60313 Frankfurt am Main, Germany.

• InfoTip Service GmbH, Technologie-Quartier, Konrad-Zuse-Str. 16, 44801 Bochum, Germany

• Synergy Consultants CRM + Prozesse GmbH, Am Hohenstein 3-5, 65779 Kelkheim, Germany

• entergon GmbH & Co. KG, Wilhelmstraße 14a, 61381 Friedrichsdorf, Germany

• The Rocket Science Group, LLC, 675 Ponce de Leon Ave NE, Suite 5000, Atlanta, GA 30308, USA.

• Y1 Digital AG, Tullastr. 58, 76131 Karlsruhe.

• Heroes GmbH, Welfenstr. 22, 81541 Munich.

• Connex Marketing GmbH, Dr. Schauer Straße 26, 4600 Wels, Austria.

• nexMart GmbH & Co. KG, Gropiusplatz 10, 70563 Stuttgart.

• Auth0 Inc, 10800 NE 8th Street, Suite 700, Bellevue, Washington 98004, USA.

• Cloudinary Ltd, 20 Aharon Bart St Building C, Petach Tikva 49541448, Israel.

• Storyblok GmbH, Peter-Behrens-Platz 2, Linz 4020, Austria.

• Algolia SAS, 55 Rue d'Amsterdam, 75008 Paris, France.

• 123FormBuilder, Flavia Palace, Vladimirescu n° 10 Ground Floor, 300195 Timisoara, Romania.

• scireum GmbH, Eisenbahnstr. 24, 73630 Remshalden.

• Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

Except in the cases explained in this privacy policy, we will only disclose personal data to third parties without your express consent if we are obliged to do so by law or by an official or judicial order, Art. 6 para. 1 p. 1 lit. c DSGVO.

Which cookies do we use?

We use so-called "cookies" on our website. Cookies are small text files that are stored on your end device (laptop, tablet, smartphone or similar) when you visit our website. Cookies cannot execute programs or transfer viruses to your end device and therefore cannot cause any damage. With the help of cookies, we can make our website more user-friendly, more effective and safer for you.

A distinction is made between "session cookies" and "permanent cookies". "Session cookies" are deleted automatically at the end of your browser session. In contrast, "permanent cookies" remain permanently on your end device until you delete them. "Permanent cookies help us to recognise you when you return to our website.

With a modern web browser, you can monitor, restrict or prevent the setting of cookies. Many web browsers can be configured so that cookies are deleted automatically when you close the program.

However, we would like to point out that the deactivation of cookies can have the consequence that you can only use our website in a restricted manner.

Technically necessary cookies

The technical structure of our website requires that we use cookies. Without these cookies, our website cannot be displayed (completely correctly) or the support functions cannot be enabled. These are basically "session cookies" that are deleted after the end of your website visit, but at the latest when you close your browser. You cannot deselect these cookies if you wish to use our website. The individual cookies can be seen in the Consent Manager. The legal basis for the processing is Art. 6 para. 1 p. 1 lit. f DSGVO. The aforementioned purpose of the data processing also represents our legitimate interest in the data processing.

Technically not necessary cookies

We only use technically unnecessary cookies with your consent. You can select these cookies via the so-called cookie consent tool during your first visit to our website. The functions are only activated in the event of your consent and may serve in particular to enable us to analyse and improve visits to our website, to make it easier for you to use our website via different browsers or terminal devices, to recognise you when you visit us again or to serve advertising (possibly also in order to tailor advertising to interests, to measure the effectiveness of advertisements or to show interest-oriented advertising). The legal basis for this processing is Art. 6 para. 1 p. 1 lit. a DSGVO. Revocation of your consent is possible at any time without affecting the permissibility of the data processing until revocation.

Please refer to the information below on the display, tracking, remarketing and web analysis technologies used to find out which providers use cookies.

Profiling

To what extent we analyse the behaviour of website visitors with pseudonymised user profiles, please refer to the information below on the display, tracking, remarketing and web analysis technologies used.

Use of Google Analytics

Where you have consented, we use the functions of the Google Analytics web analysis service on our website. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google Analytics uses cookies for its services. The personal data collected by the cookies (in particular the IP address) is anonymised and then usually transferred to a Google server in the USA. The data is stored there for 14 months. Deletion takes place automatically once a month after this period has expired.

The purpose of using Google Analytics is to analyse the behaviour of our users on our website and to make appropriate adjustments. The legal basis for the data processing is your consent according to Art. 6 para. 1 p. 1 lit. a DSGVO.

For more information on terms of use and data protection, please see Privacy Policy - Privacy Policy & Terms of Use - Google.

You can also prevent the storage of cookies by selecting the appropriate settings in your browser software. However, we would like to point out that in this case you may not be able to use all the functions of this website to their full extent.

Of course, you are free to revoke the use of cookies at any time in accordance with Art. 7 Para. 3 DSGVO. You can also prevent the collection of data generated by the cookie and related to your use of the website (including your IP address) to Google and the processing of this data by Google by setting your browser accordingly. Google provides a deactivation add-on for the most common browsers for this purpose. You can find this under the following link: Browser Add On to deactivate Google Analytics. However, we would like to point out that in this case you may not be able to use all the functions of our website.

Use of Google Maps

On our website, we use the map service of Google Maps via an API. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google Maps offers us the possibility to implement interactive maps on our website. These serve to display our location. In order to use the functions of Google Maps, it is necessary to store your IP address. This information is usually transmitted to a Google LLC server in the USA and stored there. The provider of this site has no influence on this data transmission.

The use of Google Maps is in the interest of an appealing presentation of our online offers and an easy location of the places indicated by us on the website. This represents an overriding legitimate interest on our part within the meaning of Art. 6 (1) sentence 1 lit. f DSGVO.

More information on the handling of user data can be found in Google's privacy policy: Privacy Policy - Privacy Policy & Terms of Use - Google.

Embedded YouTube videos

On our website, we use embedded videos from the video platform YouTube, which is operated by YouTube, LLC, 901 Cherry Ave. San Bruno, CA 94066, USA ("YouTube"). YouTube is a platform that enables the playback of audio and video files.

When you call up a corresponding page on our website, the embedded YouTube player establishes a connection to YouTube so that the video or audio file can be transmitted and played. In the process, data is also transferred to YouTube as the responsible party. We are not responsible for the processing of this data by YouTube.

Further information on the scope and purpose of the data collected, on the further processing and use of the data by YouTube, on your rights and the data protection options you can select can be found in YouTube's privacy policy. YouTube refers to Google's privacy policy for data protection. You can find this under the following link: Privacy Policy - Privacy Policy & Terms of Use - Google.

Social media plugins

We use so-called social media plugins of various social networks on our website. When using the plugins, your internet browser establishes a direct connection to the servers of the respective social network. This provides the respective provider with the information that your internet browser has accessed the corresponding page of our online offer, even if you do not have a user account with the provider or are not currently logged in to it. Log files (including the IP address) are transmitted by your internet browser directly to a server of the respective provider and may be stored there. The provider or its server may be located outside the EU or the EEA (e.g. in the USA).

The plugins are independent extensions of the social network providers. We therefore have no influence on the scope of the data collected and stored by the providers of the social networks via the plugins.

For the purpose and scope of the collection, further processing and use of the data by the social network, as well as your rights in this regard and setting options for protecting your privacy, please refer to the privacy policy of the respective social network.

Instagram: Meta Data Policy - How Meta Collects and Uses User Data - Privacy Center (instagram.com).

Facebook: Meta Data Policy - How Meta User Data is Collected and Used | Privacy Center (facebook.com).

Twitter: Twitter privacy policy.

YouTube: Privacy Policy - Privacy Policy & Terms of Use - Google.

LinkedIn: LinkedIn Privacy Policy.

Xing: Privacy Policy at XING.

If you do not want the providers of the social networks to receive data about this online offer and possibly store or further use it, you should not use the respective plugins.

Facebook Pixel

We use the Facebook Pixel on our website. We have implemented a code for this on our website. The Facebook Pixel is a snippet of JavaScript code that loads a collection of functions that allow Facebook to track your user actions if you have come to our website via Facebook Ads.

For example, when you view a product on our website, the Facebook pixel is triggered and stores your actions on our website in one or more cookies. These cookies allow Facebook to match your user data (customer data such as IP address, user ID) with your Facebook account data. Facebook then deletes this data again. The collected data is anonymous and not visible to us and can only be used in the context of ad placements. If you are a Facebook user and are logged in, your visit to our website is automatically assigned to your Facebook user account. We only want to show our services and products to people who are really interested in them. With the help of Facebook pixels, our advertising measures can be better tailored to your wishes and interests. In this way, Facebook users (provided they have allowed personalised advertising) see suitable advertising. Furthermore, Facebook uses the collected data for analysis purposes and its own advertisements.

Google Tag Manager

For our website we use the Google Tag Manager of the company Google Inc. For the European area the company Google Ireland Limited (Gordon House, Barrow Street Dublin 4, Ireland) is responsible for all Google services. This tag manager is one of many helpful marketing products from Google. Via the Google Tag Manager, we can centrally integrate and manage code sections of various tracking tools that we use on our website.

In this privacy policy, we would like to explain in more detail what the Google Tag Manager does, why we use it and in what form data is processed.

What is the Google Tag Manager?

The Google Tag Manager is an organisational tool with which we can integrate and manage website tags centrally and via a user interface. Tags are small sections of code that, for example, record (track) your activities on our website. For this purpose, JavaScript code sections are inserted into the source code of our page. The tags often come from Google-internal products such as Google Ads or Google Analytics, but tags from other companies can also be integrated and managed via the manager. Such tags perform different tasks. They can collect browser data, feed marketing tools with data, embed buttons, set cookies and also track users across multiple websites.

Why do we use the Google Tag Manager for our website?

As the saying goes: organisation is half the battle! And of course this also applies to the maintenance of our website. In order to make our website as good as possible for you and all the people who are interested in our products and services, we need various tracking tools such as Google Analytics. The data collected by these tools shows us what you are most interested in, where we can improve our services and which people we should still show our offers to. And for this tracking to work, we need to embed appropriate JavaScript codes into our website. In principle, we could include each code section of the individual tracking tools separately in our source code. However, this takes a lot of time and it is easy to lose track. That's why we use the Google Tag Manager. We can easily integrate the necessary scripts and manage them from one place. In addition, the Google Tag Manager offers an easy-to-use user interface and no programming knowledge is required. This is how we manage to keep order in our tag jungle.

What data is stored by the Google Tag Manager?

The Tag Manager itself is a domain that does not set any cookies and does not store any data. It acts as a mere "administrator" of the implemented tags. The data is collected by the individual tags of the various web analysis tools. The data is virtually passed through to the individual tracking tools in the Google Tag Manager and is not stored.

However, the situation is completely different with the integrated tags of the various web analysis tools, such as Google Analytics. Depending on the analysis tool, various data about your web behaviour is usually collected, stored and processed with the help of cookies. For this, please read our data protection texts on the individual analysis and tracking tools that we use on our website.

In the account settings of the Tag Manager, we have allowed Google to receive anonymised data from us. However, this is only about the use and usage of our Tag Manager and not your data stored via the code sections. We allow Google and others to receive selected data in anonymised form. We thus consent to the anonymous sharing of our website data. Which summarised and anonymous data is forwarded exactly, we could not find out - despite long research. In any case, Google deletes all information that could identify our website. Google combines the data with hundreds of other anonymous website data and creates user trends within the framework of benchmarking measures. Benchmarking compares our own results with those of our competitors. Processes can be optimised on the basis of the information collected.

SSL encryption

To protect the security of your data during transmission, we use state-of-the-art encryption methods (e.g. SSL) via HTTPS.

What are your rights?

You have the following rights with regard to your personal data vis-à-vis ROTHENBERGER:

• Information about your data stored by us and its processing (Art. 15 DSGVO),
• Correction of incorrect personal data (Art. 16 DSGVO),
• Deletion of your data stored by us (Art. 17 DSGVO),
• Restriction of data processing if we are not yet allowed to delete your data due to legal obligations (Art. 18 DSGVO),
• objection to the processing of your data by us (Art. 21 DSGVO),
• Data portability, provided you have consented to the data processing or have concluded a contract with us (Art. 20 DSGVO) and
• Revocation of consent to data processing given once (also before the DSGVO applies) (Art. 7 (3) DSGVO).

You can assert all of the data subject rights described above against ROTHENBERGER if you address your specific request to the following contact details:

Rudolf Fiedler Data Protection Officer DDP Data Protection GmbH Zum Gottschalkhof 2 60594 Frankfurt am Main.

Right of appeal to a data protection supervisory authority

You can lodge a complaint with a data protection supervisory authority at any time if you are of the opinion that we are in breach of the General Data Protection Regulation when processing your personal data. As a rule, you can contact the supervisory authority of your usual place of residence, your place of work or our company.

You can find a list of the supervisory authorities (for the non-public sector) with addresses at: BfDI - Addresses and Links - Addresses and Links (bund.de).

Which individual right of objection do you have?

You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data relating to you which is carried out on the basis of Article 6(1)(1)(f) of the GDPR; this also applies to profiling based on this provision within the meaning of Article 4(4) of the GDPR.

If you object, we will no longer process your personal data unless:

§ we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or

§ the processing serves the assertion, exercise or defence of legal claims.

The objection can be made form-free and should preferably be addressed to our data protection officer:

Rudolf Fiedler Data Protection Officer DDP Data Protection GmbH Zum Gottschalkhof 2 60594 Frankfurt am Main.

Change of our privacy policy

We reserve the right to adapt this data protection declaration so that it always complies with the current legal requirements or in order to implement changes to our services in the data protection declaration, e.g. when introducing new services. The new data protection declaration will then apply to your next visit.

This data protection declaration is valid as of July 2022.