Privacy policy for website user

Thank you for visiting the websites of Horváth Group (hereinafter "Horváth" or "We").¹ We take the protection of your personal data during processing in accordance with the statutory data protection regulations very seriously.

The following Policy provides you (hereinafter also called "Customer", "Data Subject" or "User") with an overview of how We ensure this protection, what type of data are collected and for what purpose.

¹ Horváth Group maintains the following websites: www.horvath-partners.com, www.horvath-partners.at, www.horvath-partners.ch, www.horvath-partners.it, www.horvath-partners.ae, www.horvath.sa, www.horvath-partners.dk, www.horvath.cn, https://www.horvath-usa.com, www.evolvens-consulting.com, www.horvath-wpg.com

I. Name and Address of the Controllers

The following entities are controllers within the meaning of the EU General Data Protection Regulation (hereinafter "GDPR") and other national data protection laws (in Germany: Federal Data Protection Act (Bundesdatenschutzgesetz), hereinafter "BDSG") passed by the Member States as well as other data protection provisions:

Principal controller

Horváth AG
Rotebühlstraße 100
70178 Stuttgart, Germany
Telephone: +49 711 66919-0
e-mail: info@horvath-partners.com

Detailed contact information on our other companies within the Horváth Group can be found here by clicking on the respective company:

• Horváth & Partner GmbH
• Horvath & Partner Management Consulting GmbH
• Horváth & Partners Management Consulting SRL
• Horváth & Partner AG
• IFUA Horváth & Partners Kft.
• Horvath & Partner Middle East GmbH
• Horvath Saudi Arabia LLC
• Horvath & Partners Management Consulting Corporation
• Horváth Italia S.r.l.
• Horváth Denmark ApS
• Interim Excellence GmbH
• Horváth 4G Beteiligungs GmbH
• evolvens GmbH
• Horvath Gulf FZE
• Horvath Regional HQ
• Horváth Accounting & Tax Solutions GmbH WPG

II. Contact Information for the Data Protection Officer

Grant Thornton AG 
Wirtschaftsprüfungsgesellschaft
Sebastian Barg
Johannstraße 39
40476 Düsseldorf
Telephone: +49 211 95248548

You can reach our data protection officer at datenschutz@horvath-partners.com or via our mailing address (as stated in section 1. above); in the latter case, please address the envelope to the "data protection officer".

III. Terms and Definitions

The terms and definitions are based on the GDPR, the German Federal Data Protection Act (BDSG) and other provisions of data protection law. In particular, the definitions of Articles 4 and 9 GDPR apply.

IV. General Principles and Rights of Data Subjects

1. Scope of processing of personal data

We generally process your personal data only to the following extent, where this is required for the provision of our web and online services, including functional websites:

• Users of our websites, Customers, interested parties, applicants, participants in (online) events
• Conferences, symposia, download of publications, newsletter, contact requests, study participation, assessments
• Memberships, other events, online orders

2. Legal bases

Where personal data are processed on the basis of the data subject's consent, point (a) of Article 6(1) GDPR is the legal basis for processing.

Processing of personal data for the performance of a contract where the data subject is a party is based on point (b) of Article 6(1) GDPR; this also applies to any processing required for the performance of pre-contractual measures.

If personal data are processed for compliance with a legal obligation to which We are subject, the legal basis to do so is point (c) of Article 6(1) GDPR.

In the event that vital interests of the data subject or another natural person require the processing of personal data, the legal basis is point (d) of Article 6(1) GDPR.

If processing is necessary to protect our legitimate interests or those of a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, the basis for processing is point (f) of Article 6(1) GDPR.

3. Possible recipients of personal data

In some instances, in order to provide our web and online offerings as well as for the general provision of our services, We may use IT service providers, IT developers, external consultants, or cloud or archiving service providers, who may act on our behalf and according to instructions in the context of the provision of services (so-called processors). These service providers may receive personal data or come into contact with personal data in the course of providing their services and constitute third parties or recipients as defined in the GDPR.

In such a case, We ensure that our service providers provide sufficient security measures, that appropriate technical and organizational measures are implemented and that processing is carried out in a manner that meets the relevant data protection requirements and ensures the protection of the rights of data subjects (cf. Article 28 GDPR).

We furthermore process your personal data within various Horváth departments involved in the execution of the respective business processes; where permitted, We also process data for advertising purposes outside the execution of the business. In addition, We may be obligated by statutory requirements to make our collected data available to public authorities (e.g., tax authorities, state offices of criminal investigation, social security authorities). To the extent permitted by law, We process personal data with cooperation partners, sponsors and business conference participants.

4. Processing of personal data in third countries

Your personal data generally will be processed within the European Union (hereinafter "EU") or the European Economic Area (hereinafter "EEA"). Information may be transferred to third countries only in exceptional cases (e.g., where service providers are engaged to provide web analytics services or personal data are disclosed within Horváth). Third countries are countries outside the EU and/or EEA where an adequate level of data protection in line with European requirements cannot be readily assumed.

If the transferred information also includes personal data and is not transmitted in pseudonymized or anonymized form, We ensure prior to such transfer that an appropriate level of data protection is guaranteed in the respective third country or by the respective recipient in the third country. This may follow from an "adequacy decision" of the European Commission or may be ensured by using the so-called "EU standard contractual clauses".

5. Data erasure and storage period

Personal data of the data subjects will be erased once the data are no longer required for the respective processing purposes or if the legal basis for the storage ceases to apply. Instead of erasing them, the data may be stored with processing restrictions if this is required by European or EU Member State law in Union regulations, laws or other provisions, in particular, e.g.,

• to comply with statutory retention obligations (e.g., the German Fiscal Code (Section 147 AO) or the German Commercial Code (Section 257 HGB), currently between 6 and 10 years), and/or
• in the case of legitimate interests in storing data (e.g., during limitation periods, for the purpose of a possible legal defense (Sections 195 et seqq. of the German Civil Code (BGB), at present between 3 and 30 years)).

At the very latest, the data will be erased once a storage period prescribed by the aforementioned provisions expires, unless further storage by us is necessary and a legal basis to do so exists.

6. Categories of data

As regards the type of personal data concerned, We mainly distinguish between the following categories:

a) Master data: Master data are data that you provide to us about your company and / or about you personally. They include, in particular, company name, first name, last name, e-mail address and telephone number.

b) Event and marketing data: These are data that We receive from you in the context of, for example, webinars, (online) events, trade fair events, studies, conferences, or specialist events. They include, among other things, meta and log files, IP addresses and session IDs.

c) Meta and log files: Meta and log files include, for example, IP addresses, session IDs, browser types, information on operating system and time of request.

7. Rights of data subjects

The GDPR grants certain rights to persons affected by the processing of personal data (so-called data subject rights, in particular Articles 12 to 22 GDPR). If you would like to exercise one or several of these rights listed below, you may contact us at any time. In particular, as a data subject, you have the following rights:

a) Right of access pursuant to Article 15 GDPR

You have the right to obtain from the controller information as to whether and to what extent personal data concerning you were or are being processed by us.

b) Right to rectification pursuant to Article 16 GDPR

You have the right to demand from the controller the rectification and/or completion of inaccurate or incomplete personal data concerning you. The controller is obligated to make such rectification without undue delay.

c) Right to erasure pursuant to Article 17 GDPR

You have the right to request from the controller the erasure of personal data concerning you without undue delay and the controller is obligated to erase such data without undue delay except if one of the exceptions provided for in the GDPR applies or other statutory retention obligations require the controller to keep the data in question.

d) Right to restriction of processing pursuant to Article 18 GDPR

Under the conditions set forth in the GDPR, you may demand the restriction of processing of the personal data pertaining to you.

e) Right to data portability pursuant to Article 20 GDPR

You have the right to receive personal data concerning you that you have provided to the controller and the processing of which is based on your consent or on an agreement with you (including e.g. the requested agreement preparation, point (b) alternative 2 of Article 6(1) GDPR), in a structured, commonly used and machine-readable format. Under the conditions governed by the GDPR, you also have the right to transmit those data to another controller without hindrance from the controller to which the personal data was provided. In exercising this right, you furthermore have the right to have the personal data concerning you transmitted directly from one controller to another, where technically feasible. This right must not adversely affect the rights and freedoms of others.

f) Right to object pursuant to Article 21 GDPR

You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on points (e) or (f) of Article 6(1) GDPR, including profiling based on those provisions. Where personal data concerning you are processed for direct marketing purposes, you have the right to object at any time to processing of the personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing. In the event of an objection, the personal data concerning you will no longer be processed for such purposes.

g) Right to withdraw consent pursuant to Article 7(3) GDPR

You have the right to withdraw your declaration of consent under data processing law at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

This also applies to the withdrawal of consent granted to us before the GDPR came into force, i.e. before 25 May 2018. You may withdraw your consent at any time here.

h) Right to lodge a complaint pursuant to Article 77 GDPR

In the event of allegedly or actually committed violations of data protection regulations, you have the right to lodge a complaint with a data protection supervisory authority, in particular in the Member State of your habitual residence, your place of work or in which the alleged violation took place. The right to lodge a complaint exists without prejudice to other administrative or judicial remedies.

Our competent data protection supervisory authority for the principal controller (see section I.) is:

State Commissioner for Data Protection and Freedom of Information for the State of Baden-Württemberg
Dr. Stefan Brink
Street address: Königstrasse 10a, 70173 Stuttgart
Mailing address: 10 29 32, 70025 Stuttgart
Telephone (switchboard): 0711 61 55 41 0
e-mail: poststelle@lfdi.bwl.de

However, you may also lodge your complaint with any other supervisory authority. The contact details of other data protection supervisory authorities are available at the following link:

https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html

8. No obligation to provide personal data

The conclusion of contracts or performance of our online offerings with us does not depend on you first providing us with personal data. You, as a Customer, interested party, website visitor, applicant or other participant, furthermore generally are under no statutory or contractual obligation to provide us with your personal data; however, We may be able to provide certain services only with limitations or not at all if you do not provide the data required for such purpose.

9. Use of artificial intelligence

Horváth uses the capacity of artificial intelligence (hereinafter referred to as “AI”) in many scenarios, such as in various internal processes or as support in the provision of services. The use of AI by Horváth as well as the collection and use of personal data by Horváth when using AI applications are subject to data protection requirements and AI principles, in particular corresponding to the GDPR and the Artificial Intelligence Act (AI Act).
 
Horváth only uses AI within the framework of lawful data processing with the purpose of optimizing internal processes, increasing customer satisfaction and supporting business interest. Where possible, personal data will be processed in anonymised form.

V. Data Collection through Informational Use of our Websites

1. Description and scope of data processing

Each time you access our website, our systems automatically collect data and information from the accessing computer's system. The following log files are processed:

• browser type and version
• operating system used
• referrer URL
• accessing computer's host name
• date and time of the server request
• IP addresses for backend log, IP ban, and domain factory log

For information on the processing of other meta and log files through the use of, for example, Google Analytics, YouTube, Google Maps or our social media channels etc. please refer to section IX onward.

These data are not aggregated with other data sources.

2. Purpose and legal basis of processing

IP address and, if applicable, other log files must be temporarily stored by the systems each time our websites are visited to allow for the provision of the websites to your computer. This is necessary to address the communication traffic between the User and our web and/or online offering or is required to use our web and/or online offering. The legal basis for this data processing – i.e., for the duration of your visit to the website – are point (b) or (f) of Article 6(1) GDPR and Section 169 of the German Telecommunications Act (TKG).

Processing and storage of the address and log files beyond the communication process is carried out for the purpose of ensuring the functionality of our web and online offerings, for the purpose of optimizing these offerings, and also to ensure the security of our information technology systems. The legal basis for storing the IP address for these purposes beyond the communication process is point (f) of Article 6(1) GDPR or Section 109 TKG.

3. Storage period

The data will be stored for as long as this is required to realize the aforementioned purposes of processing. This is the case when collecting data for the provision of the websites, if the respective session – i.e., the website visit – has ended. Log files, including the IP address, are stored longer for the purposes of system security and optimization of our web and online offerings for a maximum period of seven days from the end of the User's access to the site.

4. Option to reject

The collection of log files for the provision of our websites, including their storage within the aforementioned limits, is absolutely necessary for the operation of the websites and the individual functions stored there. Accordingly, website Users do not have the option to reject. The situation is different when it comes to the processing of log files for analytical purposes. The option to reject here – depending on the respective web analytics tools used and the type of data analysis (personal / anonymous / pseudonymous) – is subject to section IV. 7. f) of this Privacy Policy.

VI. E-mail Contact and Contact Form

1. Description and scope of data processing

You may contact us by either using the e-mail addresses provided on our websites or our contact forms. If you make use of these options, personal data will be processed and stored by us for the purpose of answering the inquiry. In this context, We process in particular first name, last name and e-mail address. We do not disclose these data without your consent.

2. Purpose and legal basis of processing

The processing of these data is based on point (b) of Article 6(1) GDPR and / or on our legitimate interests pursuant to point (f) of Article 6(1) GDPR. The processing of data transmitted in the course of an inquiry is based on point (a) of Article 6(1) GDPR.

3. Storage period

The data are generally erased once they are no longer required to achieve the purpose for which they were collected.

Data are regularly erased where they are no longer required to perform contractual or statutory obligations, including retention obligations under commercial and tax law, as well as for the pursuit of legitimate interests, i.e., to preserve evidence within the framework of the statutory provisions on limitation.

VII. Registrations, Downloading Studies, Registering for (Online) Events

1. Description and scope of data processing

In some instances, user registration is required to use some of the services on our websites (e.g., downloading studies or white papers, as well as registering for (online) events). In so doing, among other things, We process the following data:

• salutation, last name and first name
• company name, address or P.O. Box
• e-mail address

2. Purpose and legal basis of processing

The processing of these data is based on your consent pursuant to point (a) of Article 6(1), point (b) of Article 6(1) GDPR and / or point (f) of Article 6(1) GDPR. You may withdraw your consent at any time here.

3. Storage period

If you register on our websites for a service requiring registration, after the consent procedure has been completed, personal data will be stored in our Customer Relationship Management System (CRM). Your personal data will be stored by us until you withdraw your consent or until We update our master data in the CRM.

VIII. Data Processing for the Purpose of Newsletters, Advertising, Marketing and Press Work

In addition to the purely informational use of our website, personal data may be processed for the purpose of advertising and/or marketing measures (e.g., newsletters), to conduct customer satisfaction surveys, or for the purposes of press work and public relations (hereinafter collectively called "marketing").

1. Newsletter

Our website provides the option of subscribing to a newsletter. Subscription to our newsletter is free of charge and voluntary. If you would like to take advantage of the newsletter offered by us, the following "newsletter data" will be processed by us:

• a valid e-mail address
• date and time of registration and confirmation
• the IP address used (collectively: "registration confirmation details")
• anonymized performance data such as click and open rates

To verify whether you are the owner of the specified e-mail address or whether its owner agrees to receive the newsletter, after the first registration step, We will send an automated e-mail to the specified e-mail address (so-called double opt-in). We will include the specified e-mail address in our distribution list only once the newsletter registration has been confirmed via a link in the confirmation e-mail. We do not collect any further data other than the e-mail address and information to confirm the registration.

Unless you confirm your registration within 48 hours, your information will be blocked and automatically erased after one week. In addition, We will store your IP addresses used as well as the times of registration and confirmation.

Your data will be processed exclusively for the purpose of sending you the requested newsletter. The legal basis for this processing is point (a) of Article 6(1) GDPR or Section 7 of the German Act against Unfair Competition (UWG; see below for details).

The data will be erased once they are no longer required to achieve the purpose for which they were collected. This means that your e-mail address as well as other "newsletter data" will be stored for as long as your newsletter subscription is active. Your consent and newsletter order as well as your withdrawal of consent or unsubscription will be stored for evidence purposes for a period of two years after the withdrawal of consent becomes effective. Moreover, We store personal data only to assert or defend against legal claims or for as long as statutory obligations to store them apply.

You may at any time withdraw your consent to receive the newsletter and unsubscribe. You may withdraw your consent by clicking on the link provided in every newsletter e-mail, via this form on the website, by e-mail to mcs@horvath-partners.com, or by sending a message to the contact details given in the imprint.

2. Use of personal data for advertising and marketing purposes / customer surveys

The use of your personal data for advertising and / or marketing messages as well as to conduct customer satisfaction surveys is subject to you having given your consent or there being another legal basis permitting us to contact you for marketing and/or direct marketing purposes even without having obtained your consent. Where legally permitted, We also reserve the right to contact clients for marketing purposes on the basis of publicly accessible data and/or third-party address data extracted by such third parties from publicly accessible sources (e.g., data from directory media, the Internet, company homepages, public registers, etc.). Details on the information notices required to be provided by us, together with the instruction on rejecting data use for marketing purposes and direct marketing are available here.

The following data are processed within the scope of data transmission for advertising and marketing messages / customer surveys:

• salutation, last name and first name
• company name, address or P.O. Box
• e-mail address and telephone number
• position

a) The legal basis for advertising and/or marketing measures based on express consent is point (a) of Article 6(1) GDPR; the statements regarding consent under section IV. 7. g) apply accordingly.

b) The legal basis for the use of personal data for the purpose of direct marketing by conventional mail is point (f) of Article 6(1) GDPR (legitimate interests); the legitimate interest here is to approach potential customers for the purpose of direct marketing of our products and services.

c) The legal basis for advertising and/or marketing measures by telephone call is Section 7 (2) no. 2 UWG; in the case of consumers, this requires express consent, and at least presumed consent in the case of other market participants; regarding the requirement of express consent see above as well as section IV. 7. g).

d) The legal basis for advertising and/or marketing measures via e-mail for the purpose of direct marketing of our own similar goods or services is Section 7 (3) UWG, provided that We

(i) have received your e-mail address in connection with the provision of a service,

(ii) you have not objected to the use of your e-mail address for the purpose of direct marketing, and

(iii) when collecting the e-mail address and whenever using it, We will clearly inform you that you may at any time object to such use of your e-mail address (regarding the right to object, see section IV. 7 f)).

Depending on the respective legal basis of the marketing measure (consent or legitimate interests), personal data will be stored and used for marketing purposes for an indefinite period until you have objected or withdrawn your consent to the processing of your data for marketing purposes.

You may withdraw your consent to the processing of personal data at any time with effect for the future without providing reasons. Withdrawal may be made by telephone, in writing or by e-mail (e.g., to dataprotection@horvath-partners.com, or using the provided e-mail addresses of the advertising company).

You may at any time object to processing on the basis of legitimate interests; a right to object exists in particular in the case of profiling in accordance with Article 21 GDPR.

In case of a withdrawal and/or objection, the personal data will no longer be processed for the respective purposes concerned; in any case, this does not include the processing of data that are still required for the purpose of performance of a contract (point (b) of Article 6(1) GDPR), including statutory retention obligations, and/or if the data are still required in the context of legitimate interests (point (f) of Article 6(1) GDPR) (e.g., in the case of objection to marketing, the processing of data in a so-called blacklist in order to prevent future advertising messages).

Upon request, We will provide you with further information on how We handle data in the area of marketing and/or on the sources of our data; please contact our data protection officer, whose contact details can be found in section II.

3. Press work and public relations

In the area of press work and public relations, We collect and process master data, contract execution data or third-party data from journalists and/or press representatives for the purpose of press work and public relations. This may include, in particular, the provision of press information, the handling of press inquiries, addressing press representatives, or organizing and invitations to (press) events. The legal basis for such data processing is point (b) of Article 6(1) GDPR (performance of contract / taking steps prior to entering into a contract), provided this is done to fulfill a corresponding agreement and/or in the context of a specific inquiry. Moreover, data processing is carried out in the context of legitimate interests according to point (f) of Article 6(1) GDPR; the legitimate interest here lies in the organization of press work and public relations for the benefit of Horváth.

Moreover, data processing is carried out on the basis of appropriate consent. Such consent may also be withdrawn by the data subject for the future at any time and without giving reasons. Moreover, the data subject is entitled to the rights specified in section IV. (7.).

IX. Layout, Social Media and Direct Links

1. Layout – web fonts

For the uniform display of fonts, We use so-called "web fonts", which are provided by Monotype GmbH (fonts.com). When you visit our page, your browser will load the required web fonts into your browser cache in order to correctly display the content of the page (e.g., texts and fonts). To do so, your browser must establish a connection to the servers of Monotype GmbH. This allows Monotype GmbH to learn that your IP address has accessed our websites. Fonts.com web fonts are used in the interest of a uniform presentation of our online offerings. This constitutes a legitimate interest as defined in point (f) of Article 6(1) GDPR. If your browser does not support web fonts and/or if you block web fonts via your browser, a standard font will be used by your computer.

For further information on these web fonts visit: www.fonts.com/info/legal and the privacy policy of Fonts.com: www.fonts.com/info/legal/privacy/ and the Privacy Policy of Monotype GmbH: www.monotype.com/legal/privacy-policy/

2. Social media and direct links via "Shariff"

We have integrated buttons of a range of social networks on our websites. These buttons provide you with various functions which you may use to share information on the respective third-party portal with your contacts. Their subject matter and scope is determined by the social network operators.

To better protect your personal data, We use the c't project "Shariff" for the technical and graphical implementation of the following social media platforms and direct links. Shariff replaces the usual (share) buttons of social networks, thus protecting surfing behavior. Shariff integrates these social network (share) buttons on our websites only as a graphic which contains a link to the corresponding social network. By clicking on the corresponding graphic, you will be redirected to the service of the respective network. The Shariff button establishes direct contact between the social network and our visitors only when the visitor actively clicks on the Share button. Only then will your data be transmitted to the respective social network. By contrast, if the Shariff button is not clicked, no exchange takes place between you and the social networks. Shariff supports the following browser types: Firefox, Google Chrome, Internet Explorer/Edge and Safari.

The basis of processing such data is points (a) and (f) of Article 6(1) GDPR, to enable us to offer you the opportunity to interact with the social networks and other Users, improve our offering and make it more interesting for you as a User.

Please note that We are not the provider of the social networks and have no influence on the data processing by the respective providers. We also have no knowledge of the content of the transmitted data or its use by the respective provider. More information on how your data are handled is available in the respective privacy notices of the social network providers:

a) Facebook

Our websites have integrated the social network Facebook, Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland and 1601 South California Avenue, Palo Alto, CA 94304, USA. You can recognize the link to Facebook by the Facebook logo or the "Like" button on our website. An overview of the Facebook plugins is available here: developers.facebook.com/docs/plugins/.

If you activate the Facebook button, a direct connection is established via the button between your browser and the Facebook server. Facebook thereby receives the information that you have visited our websites with your IP address. If you are logged in to Facebook, Facebook can associate the visit with your Facebook account. The purpose and scope of the data collection and the further processing and use of the data by Facebook, as well as your rights in this regard and options to select settings to protect your privacy, can be found in Facebook's privacy policy.

More information is available in Facebook's privacy policy at http://de-de.facebook.com/policy.php.

b) Instagram

Our website has integrated the social network Instagram. Instagram is operated by Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland and 1601 South California Avenue, Palo Alto, CA 94304, USA. If you activate the Instagram button, a direct connection is established via the button between your browser and the Facebook server. Facebook thereby receives the information that you have visited our websites with your IP address. If you are logged in to Instagram, Instagram can associate the visit with your Instagram account. The purpose and scope of the data collection and the further processing and use of the data by Instagram, as well as your rights in this regard and options to select settings to protect your privacy, can be found in Instagram's privacy policy.

More information is available in the privacy policy of Instagram and Facebook at https://help.instagram.com/519522125107875.

c) YouTube

Our websites have integrated the services of YouTube. This function is offered by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. When you activate and use the button, your browser establishes a direct connection with YouTube's servers. By activating the button, YouTube receives the information that you have accessed the corresponding page of our website. If you are logged in to YouTube, YouTube can associate your visit with your YouTube account. The purpose and scope of the data collection and the further processing and use of the data by YouTube, as well as your rights in this regard and options to select settings to protect your privacy, can be found in YouTube's privacy policy.

More information is available in YouTube's privacy policy at https://www.google.de/intl/de/policies/privacy.

d) LinkedIn

Our websites have integrated the function of the social network LinkedIn. This function is offered by LinkedIn Ireland Limited, 77 Sir John Rogerson’s Quay, Dublin 2, Ireland. It also involves the transmission of data to LinkedIn. Please note that as the provider of the pages, We have no knowledge of the content of the transmitted data or its use by LinkedIn. If you are logged in to LinkedIn, LinkedIn can associate your visit with your LinkedIn account. The purpose and scope of the data collection and the further processing and use of the data by LinkedIn, as well as your rights in this regard and options to select settings to protect your privacy, can be found in LinkedIn's privacy policy. More information is available in LinkedIn's privacy policy at          

http://www.linkedin.com/static?key=privacy_policy.

e) Xing

Our websites have integrated the function of the Xing service, operated by XING AG, Gänsemarkt 43, 20354 Hamburg, Germany. When you activate and use the button, your browser establishes a direct connection with Xing's servers. The content of the button is transmitted by Xing directly to your browser and integrated into the website by your browser. By activating the button, Xing receives the information that you have accessed the corresponding page of our website. If you are logged in to Xing, Xing can associate your visit with your Xing account. The purpose and scope of the data collection and the further processing and use of the data by Xing, as well as your rights in this regard and options to select settings to protect your privacy, can be found in Xing's privacy policy. More information is available in Xing's privacy policy at https://privacy.xing.com/de/datenschutzerklaerung.

X. Integration of YouTube and Google Maps

We have embedded the video platform YouTube and the web map service Google Maps on our website to display videos, additional information, and an interactive map function. The consent to processing your personal data for YouTube and Google Maps is technically covered by our cookie query. If you reject our cookies, you will not be able to use the services of YouTube and Google Maps. For more information about our cookies, please refer to section XI. and our .

Integration of YouTube videos

1. Description and scope of data processing

Our website has integrated YouTube videos, which are stored on www.YouTube.com and can be viewed directly on our website. All of these are integrated in "extended data protection mode", i.e., no data about you as a User are transmitted to YouTube unless you play the videos. Data will be transmitted only when you play the videos; We have no control over such data. When you visit the websites, YouTube receives the information that you have accessed the corresponding sub-page of our websites. Your data are transmitted irrespective of whether you have a YouTube user account and are logged in or whether you do not have a user account. If you are logged in to Google, your data will be directly associated with your account. If you do not wish to be associated with your YouTube profile, you must log out before activating the button. YouTube stores your data as usage profiles and uses them for the purposes of advertising, market research and/or demand-driven design of its website. Such analysis is carried out in particular (even for users not logged in) to provide demand-driven advertising and to inform other users of the social network about your activities on our websites. You have a right to object to the creation of these user profiles; to exercise this right, you need to contact YouTube.

2. Purpose and legal basis of processing

The processing of these data is based on your consent pursuant to point (a) of Article 6(1) GDPR.

3. Storage period

More information on the purpose, scope and storage period of the data collection and on the processing of such data by YouTube is available in the privacy policy. There you will also find more information on your rights and options to select settings to protect your privacy: https://www.google.de/intl/de/policies/privacy.

Integration of Google Maps

1. Description and scope of data processing

We use the services of Google Maps. GoogleMaps enables us to show you interactive maps directly on our websites and allows you to use the convenient map function. When you visit the websites, Google receives the information that you have accessed the corresponding sub-page of our websites.

2. Purpose and legal basis of processing

The processing of these data is based on your consent pursuant to point (a) of Article 6(1) GDPR. We request your consent via "cookies". If you reject our cookies, Google's web map service will not be available to you.

3. Storage period

More information on purpose, scope and storage period of the data collection and on the processing of such data by Google is available in the privacy policy. There you will also find more information on your rights and options to select settings to protect your privacy: https://www.google.de/intl/de/policies/privacy.

4. Disclosure of your data

Your data are disclosed irrespective of whether you have a Google user account and are logged in or whether you do not have a user account. If you are logged in to Google, your data will be directly associated with your account. If you do not wish to be associated with your Google profile, you must log out before activating the button. Google stores your data as usage profiles and uses them for the purposes of advertising, market research and/or demand-driven design of its website. Such analysis is carried out in particular (even for users not logged in) to provide demand-driven advertising and to inform other users of the social network about your activities on our websites. You have a right to object to the creation of these user profiles; to exercise this right, you need to contact Google.

XI. Third-party Cookies and Analytics Tools

Cookies

1. Description and scope of data processing

We use "cookies" on our websites. Cookies are small text files that your Internet browser places and stores on your computer and which transmit certain information to the body placing the cookie. The purpose of cookies is to optimize our website and our offerings.

They mostly are "session cookies", which are deleted again when you leave the site. However, some cookies generate information in order to recognize you automatically. While this recognition is based on the IP address stored in the cookies, they cannot directly identify a user.

We also use web analysis tools ("performance cookies") to analyze the online platform. In so doing, with the help of cookies, We are able to process usage data of the online platform and thus obtain insights about the use of our online platform (e.g., number of visits, number of users).

Advertising cookies or targeting cookies are used to offer website users demand-driven advertising on the website or third-party offers and to gauge the effectiveness of such offerings. Sharing cookies are used to improve our website's interactivity with other services (e.g., social networks).

Any use of cookies that is not strictly technically necessary constitutes data processing that is only permitted with your explicit and active consent pursuant to point (a) of Article 6(1) GDPR. This applies, in particular, to the use of advertising, targeting, or sharing cookies. In addition, We disclose your personal data that have been processed via cookies to third parties only if you have given your explicit consent to do so in accordance with point (a) of Article 6(1) GDPR.

You may refuse the use of cookies by selecting the appropriate settings on your browser, however, please note that if you do so, you may not be able to use the full functionality of our websites.

Our websites use transient (e.g., "session cookies"), persistent, and third-party cookies; below, We will explain their storage periods. For more information, We refer to our .

2. Storage period

Transient cookies are automatically deleted when you close the browser. These include, in particular, the session cookies. They store a so-called session ID, which can be used to associate various requests from your browser to the joint session. In this way, your computer can be recognized when you return to our websites. The session cookies are deleted when you log out or close the browser. Persistent cookies are automatically deleted after a predefined period of time, which may differ depending on the cookie. You can delete the cookies at any time in your browser's security settings.

A summary and additional information on the cookies used by us, together with details on the provider, the purpose of data processing, technology used, data collected, legal basis, processing location, retention period, data recipient, data protection officer and transfer to third countries is available in our cookie settings.

Third-party analytics tools

Our websites use third-party analytics tools such as Google Analytics with anonymization function. Analytics tools commonly use cookies to be able to create evaluations.

Analytics cookies are used for the purpose of improving the quality of our websites and their content. We use analytics cookies to learn how the websites are used. This enables us to constantly optimize our offering. Analytics cookies are used only where the User has granted the relevant consent; the legal basis for processing personal data using analytics cookies thus is point (a) of Article 6(1) GDPR. You may independently withdraw your consent at any time by rejecting or deleting our cookies. A summary and additional information on the third-party analytics tools used by us, together with details on the provider, the purpose of data processing, technology used, data collected, legal basis, processing location, retention period, data recipient, data protection officer and transfer to third countries is available in our .

XII. Further Information

Your trust is important to us. We therefore aim to be available at any time to answer your questions regarding the processing of your personal data. If you have any questions that have not been answered by this Privacy Policy or if you would like to learn more on any issue, please contact us at any time by e-mail at: dataprotection@horvath-partners.com.

We reserve the right to amend this Privacy Policy at non-regular intervals as data protection law develops and as technological or organizational changes require, and We will inform you about any major changes affecting the use of your personal data. This Privacy Notice is current as of September 2021.

Data protection information for customers of Horváth & Partner GmbH     

How we handle your data and your rights  

Information obligation pursuant to Art. 13 EU General Data Protection Regulation  

Horváth & Partner GmbH (hereinafter referred to as "Horváth" or "we") is delighted that you have entered into a business relationship with us. Data protection and data security in the context of our business relationship are very important to us. We would therefore like to take this opportunity to inform you about which of your personal data we collect, for what purposes it is used, and what data protection rights you have. This information will be updated as necessary and made available to you on our website.  

Where the masculine form is used in this privacy policy, the masculine form represents a female, non-binary, intersex, and transgender person.  

1. Who is responsible for data processing and who can I contact?  

The controller within the meaning of the EU General Data Protection Regulation (hereinafter "GDPR") and other national data protection laws (in Germany, the Federal Data Protection Act, hereinafter  

"BDSG") of the member states and other data protection regulations is:  

Horváth & Partner GmbH 
Rotebühlstraße 100
70178 Stuttgart 

Tel.: +49 711 66919-0
Email: info@horvath-partners.com  

Contact details of the data protection officer  

Grant Thornton AG Wirtschaftsprüfungsgesellschaft 
Sebastian Barg (Commercial lawyer | DSB-TÜV) 
Johannstraße 39 
40476 Düsseldorf 
Tel.: +49 711 66919-0 
Email:dataprotection@horvath-partners.com  

2. What sources and data do we use?  

We process personal data that we receive from you in the course of initiating a contract and conducting business with you. We receive this data directly from you, in particular in the context of consulting services in the areas of management consulting, strategy, innovation, sales, corporate management, transformation, and training.  

This includes the following personal data, among other things:  

• Master data, such as first and last name and date of birth  

• Contact details, such as address, email address, and telephone number  

• Billing data, such as bank details  

• Order-related data along with contract and company data 

• Data in the context of business email communication (conversation history)   

• Other data that you have provided to us voluntarily or due to legal obligations   

• Image and video recordings  

• Data that you provide to us in connection with your participation in events, such as registration data and image and video recordings  

• Transcription and recording data when activating recordings/transcriptions when using Microsoft Teams  

3. Why do we process your data (purpose of processing) and on what legal basis?  

Below, we inform you about why and on what legal basis we process your data. Insofar as the specific purpose permits, we process your personal data in a pseudonymized or anonymized form.   

3.1 To fulfill contractual obligations (Art. 6 (1) (b) GDPR)  

The processing of your personal data is necessary for the performance of a contract or for the implementation of pre-contractual measures. The purposes of data processing are determined in detail by the specific order and the contract documents. For example, your business email communication data is made available and processed as part of internal processes for authorizing Outlook mailboxes in order to provide our services in accordance with the contract.    

3.2 Within the scope of balancing interests (Art. 6 (1) (f) GDPR)  

We process your data on the basis of a balancing of interests to protect our legitimate interests or those of third parties. This is done for the following purposes, among others:  

• General business management and further development of services and products (business development) 

• Advertising, market and opinion research  

• Event organization, implementation of (online) events on site or via Microsoft Teams, and reporting  

• Assertion of legal claims and defense in legal disputes  

• Prevention and investigation of criminal offenses  

• Ensuring IT security and IT operations  

• Reviewing independence and conflicts of interest for accepting assignments  

Our interest in the respective processing arises from the respective purposes and is always of an economic nature (efficient task fulfillment, sales, avoidance of legal risks).  

3.3 Based on your consent (Art. 6 (1) (a) GDPR)  

If you have given us your consent to process personal data, the respective consent is the legal basis for the processing specified therein.  

This applies in particular to your consent to recording/transcription during a meeting via Teams, your participation in surveys, and voluntary additional services such as subscribing to our newsletter. 

You may revoke your consent at any time with effect for the future. This also applies to declarations of consent that you gave us before the GDPR came into force. To do so, please contact the controller or the data protection officer using the contact details in section 1.  

3.4 Due to legal requirements (Art. 6 (1) (c) GDPR)  

We are subject to various legal obligations arising from legal requirements, such as the German Commercial Code (hereinafter "HGB"), the EU Market Abuse Regulation (hereinafter "MAR") and the German Fiscal Code (hereinafter "AO"), as well as from regulatory requirements, such as those of the Federal Financial Supervisory Authority and tax authorities.  

4. Who receives my data?  

Your data will only be passed in compliance with confidentiality requirements and only to the extent permitted by law.  

Within Horváth, your data will be received by those departments that need it to fulfill our contractual and legal obligations or to perform their respective tasks (e.g., accounting, sales, and marketing).  

In addition, the following departments may receive your data:  

• Processors employed by us (Art. 28 GDPR), in particular external consultants (experts, financial mathematicians), translation agencies, and IT service providers who process your data for us in accordance with our instructions 
• Public authorities and institutions (e.g., Federal Financial Supervisory Authority, tax authorities) in the event of a legal or official obligation 
• Other entities for which you have given us your consent to transfer data or for which you have released us from confidentiality in accordance with a separate agreement or consent 
• Member firms of the international Horváth Global Network¹ as part of the order acceptance process, for order fulfillment, to ensure network-wide independence, and for the further development of services and products (business development) 

5. How long will my data be stored?  

Where necessary, we process your personal data for the duration of our business relationship, which also includes the initiation and execution of a contract. In addition, we are subject to various storage and documentation obligations arising from the German Commercial Code (HGB), the German Fiscal Code (AO) or other tax laws.   

Finally, the storage period is also determined by the statutory limitation periods, which, for example, according to Sections 195 ff. of the German Civil Code (hereinafter "BGB"), are generally three years, but in certain cases can also be up to thirty years.  

6. Will my data be transferred to third countries?   

Your personal data is generally processed within the European Union (hereinafter referred to as "EU") or the European Economic Area (hereinafter referred to as "EEA"). Only in exceptional cases (e.g., for the transfer of personal data within the Horváth Global Network) may information be transferred to third countries, provided that this is necessary for the execution of orders, is required by law, the data subject has given us their consent, or is permissible for the further development of services and products (business development). Third countries are countries outside the EU and/or the EEA where it cannot be assumed that an adequate level of data protection in accordance with European requirements is in place.  

If the information transferred also includes personal data and is not transferred in pseudonymized or anonymized form, we ensure prior to such transfer that an adequate level of data protection is guaranteed in the respective third country or by the respective recipient in the third country. This may result from a so-called adequacy decision by the EU Commission, be ensured by the use of the so-called EU Standard Contractual Clauses or be guaranteed by the conclusion of an INTER-COMPANY DATA SHARING AGREEMENT with strict regulations within the Horváth Global Network.  

7. Am I obliged to provide data?  

Within the scope of our business relationship, you only have to provide the personal data that is necessary for the establishment, implementation, and termination of a business relationship or that we are legally obliged to collect. This includes, for example, information on legal representatives, beneficial owners, contractual partners, and related entities/persons, in order to ensure network-wide independence. If you do not provide us with the information and documents required in individual cases, we will not be able to enter into the business relationship you desire.  

8. Will my data be used for automated decision-making and profiling?  

As a matter of principle, we do not use automated decision-making in accordance with Art. 22 GDPR to establish and implement the business relationship. If we use this procedure in individual cases, we will inform you separately if this is required by law. We do not process your data automatically with the aim of evaluating certain personal aspects (so-called "profiling" in accordance with Art. 4 No. 4 GDPR). We do not use profiling.    

9. Use of artificial intelligence?   

We only use artificial intelligence (hereinafter "AI") within the scope of lawful data processing for the purpose of optimizing internal processes, increasing customer satisfaction, and promoting business interests. The use of AI and the collection and use of personal data when using AI applications are subject to data protection requirements and AI principles, in particular in accordance with the GDPR and the Regulation on Artificial Intelligence (AI Act). Where possible, personal data is processed anonymously.  

10. What other data protection rights do I have?  

You have the right to obtain information about your stored personal data free of charge at any time (Art. 15 GDPR, Section 34 BDSG). In addition, you have the right to request the correction (Art. 16 GDPR) or deletion (Art. 17 GDPR, Section 35 BDSG) of your data at any time, provided that this does not conflict with any legal regulations or retention periods. You can request the restriction of the processing (Art. 18 GDPR) of your data and object to the processing of your data (Art. 21 GDPR). You also have the right to data portability (Art. 20 GDPR). Furthermore, you can complain to the competent state data protection supervisory authority about our processing of your personal data (Art. 77 GDPR, Section 19 BDSG).    

You also have the right to withdraw your declaration of consent under data protection law at any time (Art. 7 (3) GDPR). Withdrawal of consent does not affect the lawfulness of processing based on consent until revocation. This also applies to the revocation of declarations of consent that were given to us before the GDPR came into force. In this case, all personal data stored on the basis of the consent given will be deleted, unless there is another legal basis for further storage in accordance with the law.    

11. Security  

Horváth protects your data through technical and organizational security measures to prevent accidental or intentional manipulation, loss, destruction, or access by unauthorized persons. Our security measures, such as data encryption, are regularly improved in line with technological developments. In addition, our employees and service providers are obliged to maintain confidentiality when handling personal data.  

12. Further information  

Your trust is important to us. Therefore, we are always available to answer your questions regarding the processing of your personal data. If you have any questions that this privacy policy cannot answer or if you would like more detailed information on a specific point, please do not hesitate to contact us using the contact details provided in section 1. 

We reserve the right to change this privacy policy at irregular intervals in line with developments in data protection law and technological or organizational changes. 

The general privacy policy for our website can be found at www.horvath-partners.com/en/data-protection.