Privacy

Privacy Policy

Thank you for using our website and your interest in data protection matters.
Careful management of your personal data is of particular importance to us. Thus, we process your personal data solely in accordance with the EU General Data Protection Regulation (GDPR).
We have taken comprehensive technical and organizational protection measures to protect your data from incidental or intentional manipulation, loss, destruction or access by unauthorized persons. Our safety procedures are regularly reviewed and adapted to technological advances.
In the below paragraphs, we would like to inform you comprehensively about the processing of the data of visitors of our website, customers, suppliers, interested parties, and job applicants taking into consideration the applicable statutory data protection regulations.
This privacy policy will address which data we process for which purposes and based on which legal foundations this is done. We would like to make you aware especially that we will inform you about your rights as the data subject pursuant to the GDPR, specifying to which entity you may direct your questions regarding data protection or regarding the exercise of your rights.
Note:
• Personal data are all data by means of which you can be personally identified.
• To make texts easier to read, the term data is used usually, even though personal data are meant. Statutory provisions without specification solely refer to those of the GDPR unless otherwise specified.
• Please note that the data transmission on the internet (e.g. e-mail communication) may always be subject to security vulnerabilities of any kind. Complete protection of data from access by third parties is hardly possible as a consequence.
• This privacy policy is adapted from time to time. The date of the last update is specified at the end of this policy.

A. Controller

The respective company responsible for the processing of your personal data is that company of the Doppelmayr/Garaventa Group with whom you have a business relationship or whom you have entrusted with your data.
The company responsible for the data collection on this website is LTW Intralogistics GmbH as specified in the site notice.
In the event that you have any questions regarding the protection and security of your data or wish to exercise your rights and claims relating to data protection, please send an e-mail to dataprotection@doppelmayr.com.

B. Processing of personal data, purpose of the processing and legal bases

Depending on whether a user visits our website, sends us a message through the contact form on our website, registers for our service portal, subscribes to a newsletter, applies for a job with us or is an interested party, customer or supplier, we collect and process different personal data of the user. Detailed information regarding the collected and processed data categories, the purpose of the processing, storage periods, and revocation options can be consulted by each user of our website in the below paragraphs of this privacy policy.

Legal bases for the data collection to GDPR
Insofar as we obtain consent of the data subject for the processing procedures relating to personal data, article 6(1) (a) GDPR serves as the legal basis.
For the processing of personal data that are required for the fulfilment of a contract one of whose contracting parties is the data subject, article 6(1) (b) GDPR serves as the legal basis. This also applies for the processing procedures that are necessary for the performance of pre-contractual measures.
Insofar as the processing of personal data is required for the fulfilment of a legal obligation that our company is subject to, article 6(1) (c) GDPR serves as the legal basis.
If the processing is required to preserve a legitimate interest of our company or a third party and the interests, fundamental rights, and fundamental freedoms of the data subject do not outweigh the first-mentioned interest, article 6(1) (f) GDPR serves as the legal basis for the processing.
If the processing of personal data is based on article 6(1) (f) GDPR, our legitimate interest in the processing is carefully evaluated and outlined in each case.
Pursuant to § 6(1) Data Protection Act, personal data of the user from the data processing are kept confidential irrespective of other statutory obligations to secrecy, insofar as there are no legally permissible reasons for the transmission of the personal data that were entrusted or became accessible.

1. Data processing on our website

The data processing on this website is carried out by LTW Intralogistics GmbH as specified in the imprint. If you have any questions regarding data protection, please contact dataprotection@doppelmayr.com.

Links to websites of other providers

Our website contains links to websites of other providers to whom this privacy policy does not extend.

Insofar as the collection, processing or use of personal data is related to the use of websites of other providers / companies, we kindly ask the user to observe the privacy policy of the websites in question.

How do we collect personal data of users?

For one thing, data are collected when the user provides them to us. Such data may be, for example, data entered into a contact form.

Other data are collected automatically by our IT systems when visiting the website. Such data are primarily technical data, such as the internet browser, operating system or time of access to the website. These data are collected automatically as soon as a user enters our website.

Cookies and analytical tools

When using our website, the user's surfing behavior may be analyzed statistically.

This is carried out primarily using cookies and so-called analytical programs. The analysis of the surfing behavior usually is anonymous; i.e. the surfing behavior cannot be traced back to the user. The user must consent to the use of cookies and analytical tools for the desired applications - with the exception of such cookies that are technically essential - by means of active confirmation. For detailed information regarding this matter, the user may refer to the below paragraphs of the privacy policy.

SSL or TLS encryption

This website uses SSL or TLS encryption for security reasons and as means of protection for the transmission of confidential content, such as inquiries a user sends to us as the site operator.

Irrespective of the browser used, the user can recognize an encrypted connection when the browser's address bar changes from "http://" into "https://" and the lock icon is displayed.
While the SSL or TLS encryption is activated, the data the user transmits to us cannot be read by third parties.

What do we use user's data for?

Part of the data that are collected automatically when accessing the website is used to ensure error-free provision of the website.

Other data can be used to analyze how visitors use the website.

Server location

20537 Hamburg, Deutschland

1.1. Data collection when visiting the website in detail

Below users can find data protection information relating to data that are collected automatically when visiting our website.

a. Cookies

Our website uses cookies. Cookies are text files that are stored in the browser or on the computer by the browser. When a user accesses a website, a cookie can be stored on their computer. This cookie contains a specific character string that allows clear identification of the browser when the website is accessed again.

Pursuant to CJEU in the case "Planet 49" (C‑673/17), setting cookies requires active consent of the user.
To this effect, when visiting our website for the first time, the user is given the option to select marketing and functional cookies in addition to the essentially necessary cookies.
Essentially necessary cookies are required to activate the core functionality of the website.
Each user can change the selected functions at any time via the cookie settings at the bottom right of the website.
The user's data that are collected are anonymized by means of technical provisions; allocating the data to the user is not possible. The data are not saved together with any other personal data of the users.

b. Server log files

We automatically collect and store information in so-called server log files the user's browser automatically transmits to us.

We automatically collect and store information in so-called server log files the user's browser automatically transmits to us.
This information is:
• Browser type and version
• Operating system used
• Referrer URL (When a website is accessed, the referrer species from which URL this visits comes.)
• Host name of the accessing computer (The host name is the unambiguous designation of the computer of the user of this website.)
• Date and time of the server request
• IP address (The IP address is an identification number for a device in a network.)
These data will not be combined with other data sources.
Legal basis of the data processing
The legal basis for the data processing is article 6(1) (f) GDPR. Server log data are important to analyze and remedy errors of the website or to automate certain processes.
Purpose of the processing
These data are processed to enable the use of the website (establishing the connection), for system security, technical administration of the network infrastructure, and optimization of the internet offer.
Duration of retention, revocation, and possibility of erasure
The last 14 files of the server log files are stored on the server. The collection of data for the provision of the website and the storage of the data in log files is imperative for the operation of the website.

c. Web analytics service Google Analytics

We have integrated the tool Google Analytics (with anonymization function) on this website. Google Analytics is a web analytics service. Web analytics is the compilation, collection, and evaluation of data relating to the behavior of visitors of websites.

Web analytics is the compilation, collection, and evaluation of data relating to the behavior of visitors of websites. A web analytics service, among other things, collects data on the website that lead a person to a website (so-called referrers), which subsites they accessed or how often and how long a subsite was viewed. Web analytics mainly are used to optimize a website and carry out cost-benefit analyses of internet advertisements.
Google Analytics is operated by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.

IP anonymization

We have implemented the function IP anonymization on this website.
Thanks to this function, Google shortens the IP address of the user before transmission to the USA.
Only in the following exceptional case, the complete IP address is transmitted to a Google server in the USA and shortened there: If, on behalf of the website, Google uses the information to evaluate the use of the website by a user, to compile reports relating to the website activities, and to provide other services relating to the website use and internet use to the website operator. The IP address transmitted by the browser as part of Google Analytics is not combined with other data of Google.

Demographic features of Google Analytics

This website uses the "Demographic features" function of Google Analytics. This allows creating reports that contain information on the age, gender, and interests of the users. These data come from interest-based advertising by Google as well as visitor data from third-party providers. These data cannot be correlated to a specific person.
Each user can deactivate this function at any time in the advertising settings of their Google account or generally refuse the collection of their data on this website by Google Analytics.
More information on how Google Analytics handles user data can be found in the privacy policy of Google: https://support.google.com/analytics/answer/6004245?hl=en

Legal basis

Processing by Google Analytics cookies is legally based on article 6(1) (a) GDPR.

Purpose of the processing

The purpose of the Google Analytics tools is the analysis of visitor flows on our website. Google uses the data and information obtained, among others things, to evaluate the use of our website, to compile online reports for us that represent the activities on our website, and to provide other services related to the use of our website.

Retention period

Data on the user and event level that are stored by Google and linked with cookies, user identifiers (e.g. user ID) or advertising IDs (e.g. DoubleClick cookies, Android advertising ID) are deleted after 26 months. For details refer to the following link: https://support.google.com/analytics/answer/7667196?hl=en

Objecting to the collection of data

Furthermore, the user can object to the collection of data created by Google Analytics and related to the use of this website as well as the processing of those data by Google in the cookie banner and, consequently, prevent it.

d. Plugins and tools

YouTube plugin

Our website uses plugins from YouTube which is operated by Google. The operator of the websites is YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, USA.
When a user visits one of our sites equipped with a YouTube plugin, a connection to the YouTube servers is established. The YouTube server is informed which of our websites the user visited.
If the user is logged into their YouTube account, they allow YouTube to associate their surfing behavior with their personal profile. This can be prevented by logging out of the YouTube account.
YouTube is used in the interest of an appealing representation of our online offers and worldwide projects. The videos serve to present our group and our activities and work. This constitutes a legitimate interest pursuant to article 6(1) (f) GDPR.
More information on the handling of user data can be found in the privacy policy of YouTube: https://policies.google.com/privacy?hl=en.

YouTube with extended data protection

This website embeds YouTube videos. The operator of the websites is Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland.
We use YouTube in the extended data protection mode.

According to YouTube, this mode prevents YouTube from storing information on the user before they watch the video. However, the forwarding of data to YouTube is not excluded compulsorily. YouTube establishes a connection with the Google DoubleClick network, irrespective of whether the user watches a video.
As soon as a user starts a YouTube video on this website, a connection with the YouTube servers is established. The YouTube server is informed which of our websites
Page 7 / 19
the user visited. If the user is logged into their YouTube account, they allow YouTube to associate their surfing behavior with their personal profile. This can be prevented by logging out of the YouTube account.
Furthermore, YouTube can store different cookies on the device of the user after starting a video. YouTube can obtain information on the users of this website by means of these cookies. Among other things, this information is used to record video statistics, to improve the user-friendliness, and to prevent fraud attempts. The cookies remain on the user's device until the user deletes them.
Where applicable, additional data processing processes, which we have no influence on, may be triggered after starting a video. YouTube is used in the interest of an appealing representation of our online offers and worldwide projects. The videos serve to present our group and our activities and work.
This constitutes a legitimate interest pursuant to article 6(1) (f) GDPR. Insofar that corresponding consent has been retrieved, processing is carried out exclusively based on article 6(1) (a) GDPR; the consent can be revoked at any time.
More information regarding data protection at YouTube can be found in their privacy policy: https://policies.google.com/privacy?hl=en.

Vimeo

This website uses plugins of the Vimeo video portal. Those are provided by Vimeo Inc., 555 West 18th Street, New York, New York 10011, USA.
When a user visits one of our sites equipped with a Vimeo plugin, a connection to the Vimeo servers is established. The Vimeo server is informed which of our websites the user visited. Furthermore, Vimeo learns the user's IP address. This also applies if the user is not logged into a Vimeo account or does not have a Vimeo account. The information collected by Vimeo is transmitted to the Vimeo server in the USA.
If the user is logged into their Vimeo account, they allow Vimeo to associate their surfing behavior with their personal profile. This can be prevented by logging out of the Vimeo account. Vimeo is used in the interest of an appealing representation of our online offers and worldwide projects. The videos serve to present our group and our activities and work.
This constitutes a legitimate interest pursuant to article 6(1) (f) GDPR. Insofar that corresponding consent has been retrieved, processing is carried out exclusively based on article 6(1) (a) GDPR; the consent can be revoked at any time.
For more information on the handling of user data the user can refer to the privacy policy of Vimeo: https://vimeo.com/privacy.

Google web fonts

For the uniform representation of fonts, this website uses so-called web fonts provided by Google. The Google fonts are installed locally. A connection with the Google servers in not established for this.
Page 8 / 19
For more information on Google web fonts the user may refer to https://developers.google.com/fonts/faq and to the privacy policy of Google: https://policies.google.com/privacy?hl=en .

Google Maps

This website uses the Google Maps service via an API. The service is operated by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
To use the Google Maps functions it is necessary to store the user's IP address. This information is generally transmitted to a Goggle server in the USA and stored there. The controller of this website together with Google Inc. is deemed responsible for this data transmission in which it is specified that Doppelmayr Transport Technology GmbH is only responsible for the collection and transmission of the data.
Google Maps is used in the interest of an appealing representation of our online offers and worldwide projects as well as to facilitate locating the places specified by us on our website. This constitutes a legitimate interest pursuant to article 6(1) (f) GDPR.
More information regarding the handling of user data can be found in the privacy policy of Google: https://policies.google.com/privacy?hl=en

Google reCAPTCHA

We use "Google reCAPTCHA" (hereinafter referred to as "reCAPTCHA") on this website. The service is provided by Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland.
reCAPTCHA shall serve to check if the data entry on this website (e.g. in a contact form) is carried out by a human user or an automated program. For this, reCAPTCHA analyzes the behavior of the website visitor based on different features. This analysis starts as soon as the user accesses the website. reCAPTCHA evaluates different information for the analysis (e.g. IP address, duration of visit to the website or mouse movements carried out by the user). The data collected as part of the analysis are transmitted to Google.
The reCAPTCHA analyses occur in the background. The user is not made aware of an analysis occurring.
The data are stored and analyzed based on article 6(1) (f) GDPR. We have a legitimate interest in protecting our web offers from fraudulent automated spying and spamming. Insofar that corresponding consent has been retrieved (e.g. consent for the storage of cookies), processing is carried out exclusively based on article 6(1) (a) GDPR; the consent can be revoked at any time.
For more information regarding Google reCAPTCHA the user may refer to the Google data protection provisions and the Google terms of use linked below:
https://policies.google.com/privacy?hl=en and https://policies.google.com/terms?hl=en.

Cookie consent with Usercentrics

This website uses the cookie consent technology of Usercentrics to obtain the consent of the user for the storage of certain cookies on their device and to document those in conformity with data protection regulations. This technology is provided by Usercentrics GmbH, Rosental 4, 80331 Munich, website: https://usercentrics.com/ (hereinafter referred to as "Usercentrics").
When a user accesses our website, the following personal data are transmitted to Usercentrics:
• The consent(s) or revocation of the consent(s) of the user
• The user's IP address
• Information on the user's browser
• Information on the user's device
• Time of the user's visit to the website
Furthermore, Usercentrics stores a cookie in the user's browser to be able to associate their consent or the revocation of the consent to the user. The data collected this way are stored until the user requests us to delete them, deletes the Usercentrics cookie themselves or the purpose for the data storage no longer applies. Mandatory legal retention obligations remain unaffected.
Usercentrics is used to obtain the statutory consent for the use of cookies. The legal basis for this is article 6(1) (c) GDPR.

1.2 Contact form

If a user sends us inquiries via the contact form, we store the data entered into the form including the contact details provided for the purpose of processing the inquiry and any possible follow-up questions. We will not share these data without the user's consent. The data are processed as part of the fulfilment of legal obligations from export control.

Thus, the processing of the data entered into the contact form is carried out solely based on consent (article 6(1) (a) GDPR). The user can revoke their consent at any time. An informal notification by e-mail to dataprotection@doppelmayr.com is sufficient for this. The lawfulness of the data processing carried out until the revocation remains unaffected by the revocation.
We retain the data the user entered into the contact form until the user requests their deletion from us, revokes their consent or the purpose for the data storage is no longer given. Any mandatory statutory provisions, in particular data retention periods, remain unaffected.

1.3 Newsletter

If a user wishes to receive the newsletter offered on the website, we require their e-mail address and other information (title, first name, last name, e-mail, language, optional: company, position) that allows us to verify that the user is the owner of the specified e-mail address and agrees to receiving the newsletter. Other data are not collected or only on a voluntary basis. We solely use these data for sending out the requested information and do not forward them to third parties..

The processing of the data entered into the newsletter subscription form is carried out solely on the basis of consent given (article 6(1) (a) GDPR) by the user. The consent given for the storage of the data, the e-mail address and their use for sending out the newsletter can be revoked at any time, e.g. through the unsubscribe link in the newsletter. The lawfulness of the data processing carried out until the revocation remains unaffected by the revocation.
The data the user provided to us for the purpose of receiving the newsletter are stored by us until the user unsubscribes from the newsletter and will be deleted after unsubscribing from the newsletter. Data that we have stored for other purposes (e.g. e-mail addresses for the member section) remain unaffected thereof.

MailChimp

This website uses the MailChimp services to send newsletters. The services are provided by Rocket Science Group LLC, 675 Ponce De Leon Ave NE, Suite 5000, Atlanta, GA 30308, USA.
MailChimp is a service that, among other things, can be used to organize and analyze the distribution of newsletters. When a user enters data for the purpose of subscribing to a newsletter (e.g. e-mail address), those data are stored on the MailChimp servers in the USA.

MailChimp is certified under the EU-US Privacy Shield (https://www.privacyshield.gov/participant?id=a2zt0000000TO6hAAG). The Privacy Shield is an agreement between the European Union (EU) and the USA that shall guarantee the compliance with the European privacy standards in the USA.
MailChimp allows us to analyze our newsletter campaigns. When a user opens an e-mail sent with MailChimp, a file contained in the e-mail (a so-called web beacon) connects with the MailChimp servers in the USA. This allows to determine whether a newsletter message was opened and which links were clicked. In addition, technical information is collected (e.g. time of retrieval, IP address, browser type, and operating system). This information solely serves for the statistical analysis of newsletter campaigns. The results of those analyses can be used to tailor future newsletters to better match the recipients' interests.
If a user does not want an analysis by MailChimp, they can unsubscribe from the newsletter. For this purpose, each newsletter contains a corresponding unsubscribe link.
Page 11 / 19
Data processing via MailChimp is carried out based on the user's consent (article 6(1) (a) GDPR). The consent can be revoked at any time by unsubscribing from the newsletter. The lawfulness of the data processing carried out until the revocation remains unaffected by the revocation.
The data the user provided to us for the purpose of receiving the newsletter are stored by us until the user unsubscribes from the newsletter. Data that we have stored for other purposes (e.g. e-mail addresses for the member section) remain unaffected thereof.
For more detailed information the user may refer to the privacy provisions of MailChimp: https://mailchimp.com/legal/privacy/.

1.4 Registration for the service portal

Customers can register on our website to use additional features on the site

We only use the data entered for the registration for the purposes of using the respective offer or service for which the user registered. The following data are collected as part of the registration process: gender, first name, last name, professional title, customer number, e-mail address, company, telephone number, street, postal code, city, country. The mandatory information requested for the registration must be provided completely. Otherwise, the registration cannot be completed. The data are processed as part of the fulfilment of legal obligations from export control.
In case of important changes, such as in the scope of products and services offered or technically necessary changes, we use the e-mail address provided during the registration to inform the user accordingly.
The data provided during the registration are processed based on the consent of the user (article 6(1) (a) GDPR). The user can revoke their consent at any time. An informal notification via e-mail to dataprotection@doppelmayr.com is sufficient for this. The lawfulness of the data processing carried out until the revocation remains unaffected by the revocation.
We store the data provided during the registration for as long as the user is registered on our website and delete them after deregistering by the user. If an account is inactive for one (1) year, the data are deleted automatically.

2. Information for customers and suppliers regarding the handling of their data

Below we provide information on the handling of personal of data of users that we process as part of our business relationship with them (hereinafter referred to as "data"); whereby those are only personal data to the extent that they allow identifying a natural person or make a natural person identifiable.

2.1 Categories of data processed

a. Interested parties

If a user is interested in purchasing our products, we process the following of their data:

• E-mail address or other information required for addressing that result from modern means of communication
• Data of our contact person with them:
Title, name, gender
Additional data for addressing with them including telephone numbers, mobile phone numbers and e-mail addresses or other information required for addressing that result from modern means of communication
• Position
• Scope of the power of representation
• Business transactions processed
• Bearbeitete Geschäftsfälle
• Possible key for data exchange
• Image data from marked video surveillance areas

b. Customer

If a user buys one of our products, we process the following of their data:

• Data of our contact person with them:
Title, name, gender
Additional data for addressing with them including telephone numbers, mobile phone numbers and e-mail addresses or other information required for addressing that result from modern means of communication
• Position
• Scope of the power of representation
• Business transactions processed
• Possible key for data exchange
• Image data from marked video surveillance areas

c. Suppliers / Sub-contractors

If a user is our supplier or sub-contractor, we process the following of their data:

• E-mail address or other information required for addressing that result from modern means of communication
• Data of our contact person with them:
Title, name, gender
Additional data for addressing with them including telephone numbers, mobile phone numbers and e-mail addresses or other information required for addressing that result from modern means of communication
• Position
• Scope of the power of representation
• Business transactions processed
• Possible key for data exchange
• Image data from marked video surveillance areas

2.2 Purpose of the processing and legal basis of the data processing

Depending on our business relationship with the user, we process data for different purposes and based on different legal provisions as is described below.

a. Interested parties

The purpose of the processing is the processing and transfer of the data for the initiation of a business relationship set in motion by the interest in one of our products, including automatically created and archived text documents (e.g. correspondence) in these matters.

The lawfulness of the data processing results from the necessity for the performance of pre-contractual measures in reaction to an inquiry or, if dealing with data of our contact person with the interested party, from our primarily legitimate interest in processing the inquiry and entering into a future business relationship with the interested party, pursuant to article 6(1) (f) GDPR. The data are processed as part of the fulfilment of legal obligations from export control, pursuant to article 6(1) (c) GDPR.

b. Customer

The purpose of the processing is the processing and transfer of data as part of the business relationship with the customer, including automatically created and archived text documents (e.g. correspondence) in these matters.
The lawfulness of the processing results from the necessity for the fulfilment of the contract entered into with the customer or, if dealing with data of our contact person with the customer, from our primarily legitimate interest in maintaining the business relationship with them and fulfilling their orders and/or the contracts with them, pursuant to article 6(1) (b) and (f) GDPR.

Apart from the processing of data to process inquiries and orders, we also use the data to carry out marketing measures, such as marketing campaigns with products and service recommendations, customer surveys, market analyses, and events, either by e-mail or postal services. The purpose of the processing of personal data in this context is informing the customer about current developments relating to our products. The legal basis for the processing results from our primarily legitimate interest in realizing this purpose.
The customer can object to the use of their personal data for advertising purposes at any time. A notice to dataprotection@doppelmayr.com is sufficient for this. Revoking the consent does not affect the lawfulness of the processing carried out based on the consent until the revocation.
The purpose of the processing of the image data from video surveillance systems is the surveillance of places that are subject to our householder's rights. The processing of these data is subject to our legitimate interest that results from guaranteeing safety standards (article 6(1) (f) GDPR). The data are processed as part of the fulfilment of legal obligations from export control, pursuant to article 6(1) (c) GDPR.

c. Sub-contractors / Suppliers

The purpose of the processing is the processing and transfer of data as part of the business relationship, including automatically created and archived text documents (e.g. correspondence) in these matters.

The lawfulness of the processing results from the necessity for the fulfilment of the contract entered into with the business partner or, if dealing with data of our contact person with the business partner, from our primarily legitimate interest in maintaining the business relationship with them and fulfilling orders or contracts with them, pursuant to article 6(1) (b) GDPR. The data are processed as part of the fulfilment of legal obligations from export control, pursuant to article 6(1) (c) GDPR.
The purpose of the processing of the image data from the video surveillance systems is the surveillance of places that are subject to our householder's rights. The processing of these data is subject to our legitimate interest that results from guaranteeing safety standards.

2.3 Recipients of the data

Depending on the business relationship we maintain with a potential or existing business partner, the data that are relevant in the individual cases are passed on to different recipients:

a. Interested parties

Where applicable, these data are transmitted to companies within the Doppelmayr/Garaventa Group,

if this is necessary to fulfil the purposes described above.

b. Customers

Customer data are communicated to the following recipients in the following cases:

• Companies within the Doppelmayr/Garaventa Group, insofar as this necessary to fulfil the purposes described above
• Our tax consultant and auditor, insofar as this becomes necessary for the fulfilment of their tasks
• Our sub-contractors / suppliers who contribute to the performance of our service, insofar is this becomes necessary to fulfil their respective task
• Administrative and financial authorities
• Our legal representatives in reminder and debt-collection matters, insofar as this becomes necessary for the fulfilment of their tasks
• Courts
• IT service providers

c. Sub-contractors / Suppliers

We pass on data of suppliers or sub-contractors to the following recipients if necessary:

• Companies within the Doppelmayr/Garaventa Group, insofar as this necessary to fulfil the purposes described above
• Banks for processing the payment transactions
Page 15 / 19
• Our tax consultant and auditor, insofar as this becomes necessary for the fulfilment of their tasks
• Our customers as the recipient of their services
• Administrative and financial authorities
• Our legal representatives in reminder and debt-collection matters, insofar as this becomes necessary for the fulfilment of their tasks
• Courts
• IT service providers

2.4. Data retention (retention period)

Depending on the business relationship we maintain with potential or existing business partners, the data are retained for different periods of time, which are as follows:

a. Interested parties

These data are deleted provided that they are no longer necessary to fulfil the purpose described above,

unless statutory retention obligations prevent the deletion.

b. Customers

These data are retained until the termination of the business relationship and until the expiration of the warranty, damages, limitation, and statutory retention periods we are subject to;

beyond that, until the termination of possible legal disputes for which the data are required as evidence.

c. Sub-contractors / Suppliers

These data are stored until the termination of the business relationship and until the expiration of the warranty, damages, limitation, and statutory retention periods we are subject to;

beyond that, until the termination of possible legal disputes for which the data are required as evidence.

d. Data that we process based on consent given as well as image data from marked video surveillance areas

Data that we process based on consent given are retained until receiving a revocation of said consent and, beyond that, for as long as statutory terms stipulate it.

Any consent given can be revoked at any time and independently of any consent given for other purposes without the lawfulness of the processing carried out based on the consent until the revocation being affected.
Image data from video surveillance systems are retained for a maximum period of two weeks. In the case of an incident covered by the purpose of the video surveillance, the image data are retained for as long as becomes necessary for evidence purposes.

3. Applicants

The measures, rights, and obligations pursuant to this information apply for both the application form on our website and unsolicited applications or applications submitted by other means to a company of the Doppelmayr/Garaventa Group.

3.1. Categories of data processed

We process those data of applicants that they enter into the application form or provide to us through their curriculum vitae and other documents, such as correspondence or certificates.
The provision of those data that are marked as mandatory fields in the application form (first name, last name, gender, date of birth, nationality, e-mail address, telephone number, street, postal code, city, country, cover letter, curriculum vitae) are necessary to process an application. These data are necessary to complete the application process.

3.2. Purpose of the processing and legal basis of the data processing

The purpose of the data processing is the processing of an application to a job posting.
The lawfulness of the data processing results from the express consent of the applicant pursuant to article 6(1) (a) GDPR and our legitimate interest in a positive conclusion of the application process pursuant to article 6(1) (f) GDPR.
The lawfulness of the transmission of data to the companies of the Doppelmayr/Garaventa Group specified under item I. results solely from the express consent of an applicant pursuant to article 6(1) (a) GDPR.

3.3. Recipients of the data

The application data may be communicated to other companies within the Doppelmayr/Garaventa Group to review the availability of other similar vacancies. However, the transfer is only carried with the express consent of the applicant (pursuant to article 6(1) (a) GDPR).
Some of the companies of the Doppelmayr/Garaventa Group specified above are located outside of the applicant's country or process their data there. The data protection level in other countries might not correspond with the protection level in the applicant's country. We only will transfer the personal data of the applicant to countries that are classified by the EU Commission as having an adequate data protection level or we take measures to ensure that all recipients have a suitable data protection level pursuant to article 4 ff GDPR.

3.4. Data retention (retention period)

If an application is not successful, we store the data for seven (7) months as from the date of the rejection letter to be able to answer any possible questions relating to an application and its rejection. Then, the data are deleted; unless continued retention would be necessary for the defense against claims or the applicant expressly gives their consent to further retention.

III. Rights of the user (rights of the data subject)

If personal data of natural persons are processed, the natural person is a data subject in line with the GDPR and has the following rights towards us as the controller:

1. Right of access by the data subject as per article 15 GDPR

The person affected can request written information on whether we process personal data concerning them.
If such processing is carried out, the person affected can request information regarding the following:
The purposes and categories of personal data that are processed, including the recipients and recipient categories to whom personal data have been disclosed or will be disclosed as well as the planned duration of the storage of the data concerning them. In the event that we apply profiling technologies, we must provide the person with conclusive information regarding the logic involved as well as the significance and intended effects of such processing for them. Furthermore, we must inform them about their right to file a complaint with the data protection authority. Moreover, they have the right to request information about whether their data are transferred to a third country or an international organization.

2. Right to rectification as per article 16 GDPR

The person, as the data subject, has the right to rectification and/or completion of their personal data, if the data processed are inaccurate or incomplete. If applicable, we will carry out the rectification without undue delay.

3. Right to erasure (right to be forgotten) as per article 17 GDPR

The person, as the data subjects, has the right to erasure of personal data concerning them. Prerequisite for the erasure is that one of the following reasons applies:
• The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
• The consent to the data processing was revoked (and there is no other legal basis); this applies in particular for the data of a child that were collected in conjunction with a service of the information company offered to them;
• An objection to the processing was entered (and there are no overriding legitimate reasons for the processing);
Page 18 / 19
• The personal data have been unlawfully processed;
• The erasure of the personal data is required for the compliance with a legal obligation in Union or Member State law.
The right to erasure does not apply, if the data processing is necessary:
• For the compliance with a legal obligation that requires the processing (e.g. with regard to authorities and administrative bodies) or for the performance of a task that is in the public interest we were entrusted with;
• For the establishment, exercise or defense of legal claims.

4. Right to restriction of procession as per article 18 GDPR

A natural person, as the data subject, in line with the GDPR can request the restriction of the processing of their data subject to the following conditions:
• If they contest the accuracy of the data concerning them for a period enabling us to verify the accuracy of their data;
• If the processing is unlawful and they oppose the erasure of their data and request the restriction of their use instead;
• If we no longer need their data for the purpose of the processing but they need them for the establishment, exercise or defense of legal claims; or
• If they have entered an objection to the processing and the assessment whether our legitimate reasons outweigh their reasons is still pending.
If the processing of the person's data has been restricted, these data shall, with the exception of their storage, only be processed with consent of the person affected or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person.
If the processing has been restricted in accordance with the above conditions, we will inform the person before the restriction is lifted.

5. Right to data portability

A natural person, as the data subject, has the right to receive the data they provided to us and that have been processed pursuant to article 6(1) (a) or (b) or to have those data transmitted to a third party in a structured, commonly used and machine-readable format. A direct transmission of the data to a third person can only be carried out to the extent that it is technically possible.

6. Right to object as per article 21 GDPR

A natural person, as the data subject, has the right to object, on grounds relating to their particular situation, at any time to the processing of their data which is carried out based on article 6(1) (e) or (f) GDPR); this also applies to profiling based on those provisions.
In that case, we will no longer process those data, unless we have reasons for the processing that are compelling and worthy of protection and that override the interests,
Page 19 / 19
rights, and freedoms of the data subjects or if the processing serves for the establishment, exercise of defense of legal claims.
Where their data ate processed for direct marking purposes, the data subject has the right to object at any time to the processing of the data concerning them for such marketing purposes; this also applies to profiling to the extent that it is related to such direct marketing.
If an objection to the processing for direct marketing purposes is entered, the data in question will no longer be processed for such purposes.

7. Right to withdraw the data protection declaration of consent

A natural person, as the data subject, has the right to withdraw at any time their declaration of consent relating to data protection. Revoking the consent does not affect the lawfulness of the processing carried out based on the consent until the revocation.

8. Right to file a complaint with the data protection authority

Without prejudice to any other administrative or judicial remedy, a natural person, as the data subject, has the right to file a complaint as per § 24 ff Data Protection Act with the Austrian data protection authority or another data protection supervisory body within the European Union, in particular in their place of residence or work, if they consider that the processing of their data violates the GDPR.
If data subjects wish to exercise their rights, they shall direct queries by e-mail to dataprotection@doppelmayr.com.

Wolfurt, im May 2020