Data Privacy

We are pleased that you are visiting our website and are interested in Quest One GmbH. With this privacy notice, we inform you about how, to what extent and for which purposes we process personal data when you use our website and beyond.

1. General Information

The controller responsible for the data is:

Quest One GmbH
Represented by the Management Board
Alois-Senefelder-Allee 1
86153 Augsburg
Germany
Phone: +49 (0) 821 507697-0
E-mail: info@questone.com

If you have any questions about this privacy notice or the exercise of your rights, you can contact our Data Protection Officer:

Data Protection Officer of Quest One GmbH
Alois-Senefelder-Allee 1
86153 Augsburg
Germany
E-mail: datenschutz@questone.com

2. Information About This Website

With this privacy notice, we inform you about how we handle personal data and which personal data we process when you visit this website.

“Personal data” means any information relating to an identified or identifiable natural person. A natural person is considered identifiable if they can be identified directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more specific characteristics that express the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person.

3. Data Collection on Our Website

When you use our website for informational purposes, for example without registering or otherwise transmitting information to us, we only collect the personal data that your browser transmits to our server. If you wish to visit our website, we collect the following data that is technically necessary for us to display our website to you and to ensure stability and security. The legal basis is Art. 6 para. 1 sentence 1 lit. f GDPR. As the website operator, we have a legitimate interest in the technically error-free presentation and optimization of our website.

For this purpose, the following server log files must be collected:

• IP address of the requesting computer;
• date and time of access;
• time zone difference to Greenwich Mean Time (GMT);
• content of the request (specific page);
• access status/HTTP status code;
• amount of data transferred in each case;
• name and URL of the retrieved file;
• website from which access is made (referrer URL);
• browser used and, where applicable, the operating system of your computer as well as the name of your access provider;
• operating system and its interface;
• language and version of the browser software.

In the event of obligations to permanently observe objections, we reserve the right to store your personal data (contact details such as e-mail address, telephone number, surname, first name, address, etc.) solely for this purpose in a blocklist, known as a “denylist”.

3.1 Cookies

We use cookies. Cookies are used to make our website more user-friendly and to enable the use of certain functions. Cookies are small text files that are placed on your device and stored by your browser.

Some of the cookies we use are so-called “session cookies”. They are automatically deleted at the end of your visit. Other cookies remain stored on your device until you delete them. These cookies enable us or our partner companies (third-party cookies) to recognize your browser the next time you visit our website, known as “persistent cookies”.

You can configure your browser so that you are informed about the setting of cookies and only allow cookies in individual cases, exclude the acceptance of cookies for certain cases or in general, and activate the automatic deletion of cookies when closing the browser. If cookies are deactivated, the functionality of our website may be restricted.

Where consent is required for the use of such technologies, we obtain this via our cookie consent tool. There you can make your selection, give or refuse consent, or withdraw your consent with effect for the future.

The legal basis for the use of cookies is Art. 6 para. 1 sentence 1 lit. f GDPR for technically necessary technologies. As the website operator, we have a legitimate interest in storing cookies for the technically error-free and optimized provision of our website. If other cookies are stored, for example cookies used to analyze your browsing behavior, for which we require your consent, processing is carried out on the basis of Art. 6 para. 1 sentence 1 lit. a GDPR.

3.2 Cookie Consent Tool

We use the cookie consent tool Cookie_hint. This allows you to manage the use of cookies. It also enables us, as the website operator, to obtain your consent to store certain cookies in your browser and to document this in compliance with data protection requirements.

Cookie_hint displays a list of cookies categorized by function groups, explains the purpose of the function groups and the individual cookies, and states their storage duration. The use of Cookie_hint makes it technically necessary to store a cookie in your browser.

When you first access our website, the website displays the Cookie_hint cookie consent tool as a pop-up window. In it, you can activate or deactivate cookies categorized by function groups (statistics/marketing). Technically necessary cookies (functional) are already stored when the website is accessed. You can accept cookies either by clicking the “Accept All” button or the “Accept Selected” button. If technical cookies are deactivated, the use of the website or individual functions on the website may be restricted or impossible.

Cookie_hint is used to obtain and document legally required consent for the use of cookies. The legal basis is Art. 6 para. 1 sentence 1 lit. c GDPR.

3.3 Google Analytics

We use the analytics service Google Analytics for the statistical evaluation of our website. The service provider is Google Ireland Limited (Google), Gordon House, Barrow Street, Dublin 4, Ireland.

Google Analytics uses cookies and other browser technologies to evaluate visitor behavior and recognize visitors. The evaluation includes, for example, the number of visits to our website, visited subpages and the time visitors spend on the website. We use this information to compile reports on website activity.

The information generated by the cookie about your browsing behavior is generally transmitted to servers of Google LLC. in the USA. Processing is carried out on the basis of your consent. You give your consent via the cookie consent tool. The legal basis is Art. 6 para. 1 sentence 1 lit. a GDPR and Art. 49 para. 1 sentence 1 lit. a GDPR. Data transmission to the USA is based on the standard contractual clauses of the European Commission. We have no influence on this processing activity.

Further information on data processing by Google can be found at: support.google.com/analytics/answer/6004245.

3.3.1 IP Anonymization

We use the IP anonymization function. This means that Google shortens your IP address within member states of the European Union (EU) or in other contracting states to the Agreement on the European Economic Area (EEA) before transmission to the USA.

However, it is possible that, in exceptional cases, your full IP address may be transmitted to servers of Google LLC. in the USA and shortened there. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there.

Google will use this information to evaluate your usage behavior, compile reports on activities and provide further services related to usage to the website operator.

Further information on terms of use and data protection can be found at marketingplatform.google.com/about/analytics/terms/de/ and policies.google.com.

3.3.2 Storage Period

Data stored as part of Google Analytics is anonymized or deleted after 14 months. Further information can be found at: support.google.com/analytics/answer/7667196.

3.4 Google Tag Manager

We use Google Tag Manager. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

Google Tag Manager is a tag management system that allows us to centrally manage and deploy tags and scripts on our website. Google Tag Manager itself primarily serves the technical integration and control of other services. However, other tools can be integrated via Google Tag Manager that may themselves process personal data.

Google Tag Manager is used exclusively on the basis of your consent pursuant to Art. 6 para. 1 lit. a GDPR in conjunction with Section 25 para. 1 TDDDG, insofar as services requiring consent are loaded via the Tag Manager or information is stored on or read from your device. You can withdraw your consent at any time with effect for the future.

3.5 External Link to Google Maps

On our website, we provide a link to Google Maps so that you can plan your route to us. Google Maps is not embedded in our website. Therefore, no data is transmitted to Google via this link when you merely visit our website.

Only when you click the “Plan Route” link do you leave our website and are redirected to Google Maps. From that point onward, Google’s privacy policy and terms of use apply. Further information on data processing by Google can be found at: https://policies.google.com/privacy?hl=en

3.6 YouTube

This website uses videos provided via YouTube by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (Google), to provide you with further information about our offering.

YouTube uses cookies and other browser technologies to recognize website visitors and analyze behavior on recorded websites. In addition, if you have an active Google account and are logged in, this data may be linked to your account.

We point out that by using the videos provided via YouTube, data, including data collected through cookies set by Google, may be transmitted to servers of Google LLC in the USA. This may pose risks for you because the enforcement of your rights could be more difficult.

You can find out which data is collected and what this data is used for by and through Google at: https://www.google.com/intl/en/policies/privacy/
Information on the cookies used by Google can be found at: https://policies.google.com/technologies/cookies?hl=en&gl=en

We have no influence on this processing activity.

The legal basis for this processing is Art. 6 para. 1 lit. a GDPR in the form of the consent you have given via our consent solution.

3.7 Bunny.net

We use Bunny.net to provide and stream videos on our website. The provider is BunnyWay d.o.o., Cesta komandanta Staneta 4A, 1215 Medvode, Slovenia.

When accessing a page containing embedded videos, a connection to Bunny.net servers is established. In this process, technically required data such as the IP address, browser information, and information about the device used may be processed in order to provide video playback.

The processing is carried out on the basis of our legitimate interest in providing a performant, secure, and user-friendly presentation of video content pursuant to Art. 6 para. 1 lit. f GDPR.

Where possible, we use privacy-friendly settings such as European server locations and reduced logging.

Further information on data processing by Bunny.net can be found at:
https://bunny.net/privacy/

3.8 LinkedIn Insight Tag

We use the LinkedIn Insight Tag. The service provider is LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland (LinkedIn).

By using the LinkedIn Insight Tag, we receive statistical information about your interactions with our website and/or advertisements placed by us.

For this purpose, a cookie with a unique ID is placed on the device. According to LinkedIn, the following personal data is collected:

• IP address
• currently used website, if applicable the source website
• timestamp
• device information
• browser information

If you are registered with LinkedIn as a website visitor, we can analyze, among other things, your professional data such as career status, company size, country, location, industry and job title, and adapt our campaigns specifically to the respective target groups.

In addition, we can evaluate whether you as our website visitor perform an action (conversion measurement), which may also take place across devices. Furthermore, the use of the LinkedIn Insight Tag enables us to conduct retargeting, allowing us to use this data to show you targeted advertising outside this website without being able to identify you.

According to LinkedIn, LinkedIn members can adjust the use of their personal data for advertising purposes in their account settings. According to LinkedIn, the collected data is pseudonymized after 7 days and deleted after 180 days. We do not receive any information from LinkedIn that we can assign to a specific person.

Further information can be found at: https://business.linkedin.com/en-en/marketing-solutions/website-demographics.

We have no influence on possible further processing by LinkedIn. The legal basis for processing is Art. 6 para. 1 sentence 1 lit. a GDPR and Section 25 para. 1 TTDSG in the form of your consent given via our consent tool.

4. Hosting

Our website is created and hosted using Webflow. The provider is Webflow, Inc., 398 11th Street, 2nd Floor, San Francisco, CA 94103, USA.

Webflow processes technical usage and log data required for the delivery, display, security and stability of the website. This may include, in particular, IP addresses, access times, HTTP requests, browser and device information, as well as other technical metadata.

The use of Webflow is based on our legitimate interest in the secure, stable and efficient provision of our online offering pursuant to Art. 6 para. 1 lit. f GDPR. Where cookies or comparable technologies are used and are not strictly necessary, processing is carried out exclusively on the basis of your consent pursuant to Art. 6 para. 1 lit. a GDPR in conjunction with Section 25 para. 1 TDDDG.

Data transfers to the USA are based on the standard contractual clauses of the European Commission. Details can be found here: https://webflow.com/legal/eu-privacy-policy.

The company is certified under the “EU-US Data Privacy Framework” (DPF). The DPF is an agreement between the European Union and the USA intended to ensure compliance with European data protection standards for data processing in the USA. Every company certified under the DPF commits to complying with these data protection standards. Further information is available from the provider at: https://www.dataprivacyframework.gov/participant/5666

We have concluded a data processing agreement (DPA) for the use of the above-mentioned service. This is a contract required under data protection law that ensures the provider processes the personal data of our website visitors only in accordance with our instructions and in compliance with the GDPR.

5. Volkswagen

Quest One is part of the Volkswagen Group.

It may therefore be necessary for us to process your personal data within the existing or future corporate group. The legal basis is Art. 6 para. 1 sentence 1 lit. f GDPR. Our legitimate interest lies in the efficient organization of business processes.

Your personal data may be processed within the existing or future corporate group insofar as this is necessary for the performance of a contract and the implementation of pre-contractual measures related thereto. The data processing is carried out at your request and is necessary for the mutual fulfillment of obligations arising from the contract. The legal basis is Art. 6 para. 1 sentence 1 lit. b GDPR.

6. Forms and Contact Requests

6.1 Contact by E-mail, Mail, Telephone or Social Media

If you contact us by e-mail, mail, telephone, fax, social media, etc., your personal data (e.g. name, inquiry) will be stored and used for the purpose of processing your request, contacting you and handling the related matter.

The legal basis is Art. 6 para. 1 sentence 1 lit. b GDPR, insofar as your request is related to the performance of a contract or necessary for the implementation of pre-contractual measures.

In all other cases, processing is based on your consent pursuant to Art. 6 para. 1 sentence 1 lit. a GDPR and/or on our legitimate interests pursuant to Art. 6 para. 1 sentence 1 lit. f GDPR, as we have a legitimate interest in effectively handling inquiries addressed to us.

6.2 Forms via Tally

We use Tally for forms on our website. The provider is Tally BV, August Van Lokerenstraat 71, 9050 Ghent, Belgium.

If you complete and submit a form integrated on our website, we process the data you enter for the purpose of handling your inquiry, contacting you and, where applicable, carrying out pre-contractual measures.

Depending on the form, this may include in particular the following data:

• Name
• E-Mail adress
• Phone number
• Company
• Content of your message
• Other information voluntarily provided by you

Processing is carried out on the basis of Art. 6 para. 1 lit. b GDPR if your request is related to the performance of a contract or the implementation of pre-contractual measures. In all other cases, processing is carried out on the basis of Art. 6 para. 1 lit. f GDPR due to our legitimate interest in the efficient handling of inquiries.

6.3 Automated Further Processing via n8n

We use n8n for the structured and automated further processing of form inquiries and other processes.

n8n is used to automatically forward incoming data to internal systems, mailboxes or defined process steps. Personal data may be processed insofar as this is necessary for handling your request or organizing internal workflows.

Processing is carried out on the basis of Art. 6 para. 1 lit. b GDPR insofar as it is necessary for carrying out pre-contractual measures or fulfilling a contract. Otherwise, processing is based on Art. 6 para. 1 lit. f GDPR due to our legitimate interest in efficient and reliable processes.

Where n8n is operated via external or cloud-based infrastructure and personal data is processed by external service providers, this is done on the basis of appropriate contractual and data protection safeguards.

7. Direct Marketing

We process your personal data for advertising purposes in order to inform you, for example by e-mail, mail, telephone (e.g. telephone marketing), digital or printed media, about products, services, events, trade fairs, etc., if you have given your consent to such processing.

The legal basis is Art. 6 para. 1 sentence 1 lit. a GDPR.

In addition, we process your personal data for advertising purposes within the scope of our legitimate interests (by postal mail). Our legitimate interest therefore lies in carrying out advertising measures. The legal basis is Art. 6 para. 1 sentence 1 lit. f GDPR.

8. E-Mail Newsletter

You can subscribe to the “Quest One News” newsletter on our website.

For this purpose, we collect and store the data you enter in the registration form (e.g. first name, surname, e-mail address). We also record recipient reactions (opening of mailings, clicks, etc.) and store them anonymously for statistical purposes. It is not possible to draw conclusions about individual users from the stored data.

You will only receive an e-mail newsletter if you have given us your consent using the double opt-in procedure. After registration, you will receive a confirmation e-mail asking you to confirm by clicking a corresponding link that you wish to receive newsletters from us in the future.

You can withdraw your consent at any time and unsubscribe from the newsletter by clicking the link provided in the footer of each newsletter or by sending an e-mail to marketing@questone.com.

The legal basis for this processing is Art. 6 para. 1 lit. a GDPR.

9. Visiting Our Social Media Profiles

We operate social media profiles with the aim of informing visitors about our services and communicating with you.

When you visit social networks such as LinkedIn or websites with integrated social media content (e.g. like buttons or advertising banners), social networks may analyze your browsing behavior. Social networks may, for example, associate your visit to our social media profile with your user account, provided that you are logged into your social media account.

Regardless of this, your personal data may also be collected if you do not have a social media account. Data collection may take place via cookies stored on your device or through the collection of your IP address.

As a rule, your personal data is processed for market research and advertising purposes. Based on your browsing behavior and resulting interests, social networks can create user profiles which may, for example, be used to display corresponding advertisements within and outside the social network.

Please note that your data may be processed outside the EU or EEA, for example in the USA. This may result in risks for you because, among other things, the enforcement of your data subject rights may be more difficult. Please also refer to our information on data transfers to countries outside the EU or EEA.

We cannot track all processing activities of the social networks, particularly whether further processing activities are carried out. Further information can be found in the terms of use or privacy policies of the respective social network (see below).

With our social media profiles, we aim to ensure a broad presence on the internet. Our legitimate interest lies in effectively informing users and communicating with users. The legal basis is Art. 6 para. 1 sentence 1 lit. f GDPR.

If corresponding consent has been obtained (e.g. consent to the storage of cookies), processing is carried out exclusively on the basis of Art. 6 para. 1 sentence 1 lit. a GDPR and Art. 49 para. 1 sentence 1 lit. a GDPR.

9.1 Controller and Assertion of Data Subject Rights

We are jointly responsible with the operator of the social network for the data processing triggered during your visit.

In principle, you can assert your data subject rights both against us and against the social network. However, we point out that despite joint responsibility with the social networks, we do not have full influence over the data processing activities. Our ability to influence these processes depends on the corporate policies of the respective social network.

9.2 Storage Duration

We delete data collected directly by us via the social media profile as soon as the purpose for its storage no longer applies, you request deletion or revoke your consent to storage. Mandatory legal provisions, such as statutory retention periods, remain unaffected.

We have no influence on the storage duration of your data stored by the social networks for their own purposes.

9.3 Social Networks in Detail

LinkedIn (LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland)

Further information on data processing:
www.linkedin.com/legal/privacy-policy

Opt-out:
www.linkedin.com/psettings/guest-controls/retargeting-opt-out/

10. Data Processing of Business Partners

10.1 Processing of Prospective Customer, Customer and Contract Data

We process your personal data for the performance of the contract concluded between you and us and for the implementation of pre-contractual measures related thereto (e.g. for the preparation and transmission of an offer) or for the termination of our contract.

The data processing is necessary for the performance of the contract. The legal basis is Art. 6 para. 1 sentence 1 lit. b GDPR.

10.2 Data Processing of Contact Details of Contact Persons etc.

We process contact details of contact persons, employees, service providers or vicarious agents of our contractual partners.

The legal basis is Art. 6 para. 1 sentence 1 lit. f GDPR. Processing pursuant to Art. 6 para. 1 sentence 1 lit. f GDPR may only take place insofar as this is necessary to safeguard our legitimate interests or those of a third party and does not override the interests or fundamental rights and freedoms of the data subject requiring the protection of personal data.

Our legitimate interest lies in the smooth handling of the business relationship and outweighs the interests of the contact persons, employees, service providers or vicarious agents.

10.3 Data Processing of Business Contacts, Trade Fairs, Events etc.

We process your personal data that we receive from you, for example in the context of business contacts, trade fairs, events etc. (e.g. handing over your business card and other data), for the performance of a contract and the implementation of pre-contractual measures related thereto (e.g. preparation of an offer).

The data processing is carried out at your request and is necessary for the mutual fulfillment of obligations arising from the contract for the aforementioned purposes. The legal basis is Art. 6 para. 1 sentence 1 lit. b GDPR.

10.4 Invitations to Events, Trade Fairs etc.

We process your personal data in order to invite you to events, trade fairs etc. by e-mail or postal mail.

The legal basis is Art. 6 para. 1 sentence 1 lit. a GDPR insofar as we have obtained your consent.

In all other cases, processing is based on our legitimate interests pursuant to Art. 6 para. 1 sentence 1 lit. f GDPR, as we have a legitimate interest in maintaining relationships with our contacts and business partners as well as in carrying out advertising measures.

10.5 Data Processing for the Fulfillment of Legal Obligations

We also process your personal data to fulfill legal obligations, in particular to comply with retention obligations and ensure compliance requirements through verification measures (e.g. sanctions list screening, anti-money laundering checks).

The legal basis is Art. 6 para. 1 sentence 1 lit. c GDPR.

11. Application Process

We process the data you provide to us in connection with your application in order to assess your suitability for the position or possible other vacant positions, for the purpose of contacting you and carrying out the application process.

This applies both to applications relating to a specific job advertisement and to unsolicited applications.

To carry out the application process, we use the applicant management system of softgarden e-Recruiting GmbH (softgarden), Tauentzienstr. 14, 10789 Berlin, Germany. We have concluded a data processing agreement with softgarden pursuant to Art. 28 GDPR.

11.1 Collection and Processing of Personal Data

Your personal data is collected directly from you as part of the application process. In addition, we may receive personal data from third parties, e.g. recruitment agencies or social platforms.

As part of the application process, we process in particular the following categories of personal data:‍

• Contact data (first name, surname, e-mail address, telephone number, address etc.);
• CV/résumé information (details regarding your qualifications, skills, experience and professional background etc.);
• Nationality and authorization to work in the country for which you are applying;
• Where applicable, application photo and driver’s license information.

If we make you an offer to conclude an employment contract, we may also process the following personal data:

• Bank account information;
• Emergency contact details;
• Where applicable and legally permissible, health information.

Applicants are not obliged to provide their personal data. However, the provision of personal data is necessary for the decision regarding an application. Applicants should therefore only provide personal data that is necessary for the initiation and execution of the application process. If applicants do not provide personal data as part of an application, we cannot make a selection decision. There are no further consequences for you.

11.2 Purpose and Legal Basis of the Processing of Your Personal Data

If you submit an application to us, we process your associated personal data in order to assess your suitability for a position for which you have applied.

We process your application data exclusively for the application process for the position for which you have applied. We only use your applicant data for other job vacancies (talent pool) if you have expressly consented to this.

The legal basis for processing your personal data in this application process is Section 26 BDSG (German Federal Data Protection Act). According to Section 26 BDSG, the processing of data necessary in connection with the decision on establishing an employment relationship is permissible.

Should the data be required after completion of the application process for legal enforcement purposes, data processing may be carried out pursuant to Art. 6 GDPR, in particular for the protection of legitimate interests pursuant to Art. 6 para. 1 sentence 1 lit. f GDPR. The legitimate interest then consists in asserting or defending claims, for example in proceedings under the German General Equal Treatment Act (“AGG”).

If corresponding consent has been obtained (e.g. for the use of your data for future vacancies), processing is carried out exclusively on the basis of Art. 6 para. 1 sentence 1 lit. a GDPR.

Within our company, your personal data will only be passed on to persons involved in processing your application.

If the application is successful, the personal data you submitted will be stored in our data processing systems on the basis of Section 26 BDSG for the purpose of carrying out the employment relationship.

11.3 Storage and Deletion of Your Personal Data

If your application is unsuccessful, your personal data will be deleted within 180 days after completion of the application process.

In this respect, we rely on our legitimate interest within the meaning of Art. 6 para. 1 sentence 1 lit. f GDPR to retain the personal data transmitted by you for up to 180 days after rejection. Retention serves in particular evidentiary purposes in the event of legal disputes.

If it becomes apparent that the personal data will still be required after the expiry of the above-mentioned period (e.g. due to impending or ongoing legal disputes), deletion will only take place once the purpose for further retention no longer applies.

If we do not make you a job offer, there is the possibility of including you in our talent pool. In the event of inclusion, all documents and information from your application will be transferred to the talent pool in order to contact you in the event of suitable vacancies.

Inclusion in the talent pool takes place exclusively on the basis of your express consent (Art. 6 para. 1 sentence 1 lit. a GDPR). Giving consent is voluntary and unrelated to the ongoing application process.

You may withdraw your consent at any time with effect for the future. In this case, the data from the talent pool will be irrevocably deleted unless statutory retention obligations apply.

The data from the talent pool will be irrevocably deleted no later than 180 days after consent has been granted.

If your application is successful, your personal data from the application will be transferred to your personnel file and deleted after termination of the employment relationship unless we are legally obliged to retain it for longer periods (e.g. Section 147 para. 1 no. 1 German Fiscal Code – 10 years for tax purposes after termination of the employment relationship).

For further information, please contact our HR department.

12. Corporate Transactions

As part of a corporate transaction, it may be necessary to transfer your personal data to a third party. This is at least the case in an asset deal.

As part of due diligence, anonymized or pseudonymized data is generally processed. However, in individual cases it may be necessary to process personal data without anonymization or pseudonymization.

The legal basis for the processing of your personal data in this case is Art. 6 para. 1 sentence 1 lit. f GDPR. Our legitimate interest lies in carrying out the corporate transaction.

13. Sources (Collection from Third Parties)

We also process personal data obtained from publicly accessible sources, e.g. from the internet or social media, where legally permissible, or received from third parties such as credit agencies.

14. Recipients or Categories of Recipients

In some cases, we use external service providers to process your data. These providers have been carefully selected and commissioned by us, are bound by our instructions and are regularly monitored.

As a rule, this takes place on the basis of a data processing agreement pursuant to Art. 28 GDPR.

In addition, we only disclose or transfer personal data to third parties if there is a legal basis for doing so or if you have previously consented.

Disclosure or transfer of your personal data takes place exclusively within the scope of the purposes stated above to the following recipients or categories of recipients:

• IT service providers;
• banks and financial institutions for payment processing;
• insurance companies in the context of claims settlement;
• debt collection agencies and lawyers, e.g. to collect claims and enforce legal claims in court;
• lawyers, notaries, banks, tax advisors etc.;
• potential buyers/interested parties in corporate transactions;
• controllers and processors;
• other authorized parties (e.g. authorities and courts), insofar as there is a legal obligation or authorization to do so;
• depending on the assignment, further recipients that may be coordinated with you.

15. Transfers to Countries Outside the EU or EEA

Where we process data outside the EU or EEA, or where this occurs in the context of the use of third-party services or the disclosure or transfer of data to third parties, this is carried out only if it is necessary for the fulfillment of our (pre-)contractual obligations, based on your consent, due to a legal obligation or based on our legitimate interests.

We will only transfer your personal data to third countries insofar as this is permissible pursuant to Art. 44–49 GDPR.

Where we rely on an adequacy decision pursuant to Art. 45 GDPR (e.g. the EU-U.S. Data Privacy Framework) or on appropriate safeguards pursuant to Art. 46 para. 2 GDPR (e.g. standard contractual clauses or binding corporate rules) for transfers to third countries, we will, where necessary to maintain an adequate level of protection for your personal data, implement additional technical and/or organizational measures.

16. Duration of Storage

Your personal data will be stored for the purposes stated above for as long as this is necessary to fulfill those purposes.

Thereafter (e.g. after completion of the processing of your request; once the relevant matter has been conclusively clarified; after completion of the assignment or termination of the business relationship etc.), your personal data will be deleted unless we are legally obliged to store it for a longer period due to statutory provisions (e.g. retention obligations under commercial or tax law).

In this case, your personal data will initially be blocked and deleted after expiry of the retention period.

Storage may also continue if this is provided for by European or national legislators in EU regulations, laws or other provisions to which our company is subject. Blocking or deletion of the data will then take place when a storage period prescribed by the aforementioned regulations expires, unless further storage of the data is necessary.

In addition, storage may continue if you have consented pursuant to Art. 6 para. 1 sentence 1 lit. a GDPR.

In the event of obligations to permanently observe objections, we reserve the right to store your personal data (contact details such as e-mail address, telephone number, surname, first name, address etc.) solely for this purpose in a blocklist (“denylist”).

Further information on the duration of storage and deletion of your personal data may be provided within the respective privacy notices of this privacy notice.

17. Rights of Data Subjects

You may assert the following rights against us:

• Information regarding the processing of personal data (Art. 15 GDPR);
• Correction of your personal data if it is inaccurate (Art. 16 GDPR);
• Deletion of your personal data where there is no longer any justification or retention obligation for processing (Art. 17 GDPR);
• Restriction of processing if one of the conditions listed in Art. 18 para. 1 lit. a–d GDPR applies (Art. 18 GDPR);
• Data portability of your personal data in a structured, commonly used and machine-readable format (Art. 20 GDPR);
• Complaint to a supervisory authority (Art. 77 GDPR).

Where the processing of your personal data is based on your consent, you have the right pursuant to Art. 7 para. 3 GDPR to withdraw your consent at any time, with the consequence that the processing of your personal data becomes unlawful for the future.

This does not affect the lawfulness of the processing carried out on the basis of your consent until the withdrawal.

Withdrawal of consent may be communicated informally by e-mail to datenschutz@questone.com or by post to the postal address stated at the beginning of this privacy notice.

In addition, pursuant to Art. 21 GDPR, you may object to processing based on a legitimate interest pursuant to Art. 6 para. 1 sentence 1 lit. f GDPR. Except in the case of direct marketing, you must provide reasons arising from your particular situation.

The objection may be communicated informally by e-mail to datenschutz@questone.com or by post to the postal address stated at the beginning of this privacy notice.

18. Obligation or Requirement to Provide Data

In the context of the performance of a contract and the implementation of pre-contractual measures relating to contracts with you, it is necessary for you to provide those personal data that are required for the establishment and execution of the contract and thus for the fulfillment of the contractual obligations.

You are not obliged to provide your personal data. However, if you do not provide it, the establishment and execution of the contractual relationship will not be possible.

19. No Automated Decision-Making Including Profiling

We do not process your personal data for the purpose of automated decision-making, including profiling, pursuant to Art. 22 para. 1 and 4 GDPR.

20. Links to Other Websites

Our website contains links to other websites. Please note that our privacy notice does not apply to these other websites unless expressly indicated otherwise.

21. Data Security

We have implemented the necessary technical and organizational measures to protect the personal data you provide against loss, destruction, manipulation and unauthorized access.

All our employees and all persons involved in data processing are obliged to comply with the GDPR, the BDSG and other data protection laws and to handle personal data confidentially. Our employees are appropriately trained.

Both internal and external audits ensure compliance with all data protection-related processes.

To protect the personal data of our users, we use a secure online transmission procedure, namely “Secure Socket Layer” (SSL) or “Transport Layer Security” (TLS) encryption.

You can recognize this by the fact that an “s” is added to the address component “http://” (“https://”) or by the display of a green closed lock symbol in the browser.

By clicking on the symbol, you can obtain information about the SSL certificate used. The display of the symbol depends on the browser version you are using.

SSL encryption ensures the secure and complete transmission of your data.

22. Changes to This Privacy Notice

New legal requirements, business decisions or technical developments may require changes to our privacy notice. The privacy notice will then be updated accordingly.

The latest version can always be found on our website.

Status: May 2026