Privacy Notice regarding Visits to our Website pursuant to Articles 13, 14, and 21 of the EU General Data Protection Regulation (GDPR)

1. What personal data do we collect from you?

1.1 When visiting our website

If you do not register or provide us with any other information, we only collect the personal data that your browser transmits to our server (so-called log files). If you wish to view our website, we collect the following data, which is technically necessary for us to display our website, to establish a connection, and to guarantee system stability and security:

• The IP address of the computer/device with which you access the Internet;
• The date and time of the request;
• Time zone difference to Greenwich Mean Time (GMT);
• The website/application from which the request comes;
• The access status/HTTP status code;
• Respectively transferred data volumes;
• The browser used;
• The operating system used together with its user interface;
• Language and version of the browser software;

This is necessary for us to display our website and to guarantee stability and security. This is in our legitimate interest within the meaning of Article 6 (1) lit. f GDPR.
During contract processing, the aforementioned data is stored on the servers of Lapp Service GmbH, Oskar-Lapp-Str. 2, 70565 Stuttgart, Germany. The servers are located in Germany.
Data is stored until the end of the following year and then erased automatically.
Collection of such data for the provision of the website and storage of data in log files is strictly necessary for proper operation of the website. As a result, the user does not have the option to object.

1.2 Phone and video conferencing as well as contact via 'Microsoft Teams'

We use Microsoft Teams as a tool to hold phone and/or video conferences and to accept calls to the phone numbers communicated to you (hereinafter collectively referred to as 'online meetings'). The service provider is Microsoft Ireland Operations, Ltd., One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland, which processes the data on our behalf within the meaning of Article 28 GDPR.

Please note that this Privacy Notice only informs you about the processing of your personal data by ourselves if you hold online meetings with us. If you access the Microsoft Teams website, the Microsoft Teams provider is the controller responsible for data processing. If you wish to receive information about the processing of your personal data by Microsoft, we kindly ask that you access the relevant statement at Microsoft.

Various types of data are processed when using Microsoft Teams. The scope of said data is, among other things, dependent on your data choices before and during your participation in an online meeting.

The following personal data is processed:

• The IP address of the computer/device with which you access the Internet;
• Information on you as a user: e.g. display name, email address, if applicable, profile picture (optional), preferred language;
• Meeting metadata: e.g. date, time, meeting ID, phone numbers, location;
• Text, audio and video data: you may have the option to use the chat feature in an online meeting. To this extent, any text entries you make are processed to display these in the online meeting. To make sure that video and audio can be accessed, the data of your device's microphone and any video camera are processed accordingly for the duration of your meeting. You always have the option of disabling your camera or muting your microphone through relevant settings in the Microsoft Teams applications.

The legal basis for data processing when holding online meetings is Article 6 (1) lit. b GDPR, to the extent that said meetings were conducted within the context of a contractual relationship.

If the processing of personal data is a key requisite for the use of Microsoft Teams, the legal basis for processing users' personal data is Article 6 (1) lit. f GDPR. Our legitimate interest is in this case effectively conducting online meetings.

If there is no contractual relationship, the legal basis is still Article 6 (1) lit. f GDPR. Here, too, our legitimate interest is the effective conduct of online meetings.

Personal data processed in connection with participation in online meetings will not be disclosed to third parties as a matter of principle, unless it is specifically intended to be disclosed. Please note that the content of both online meetings and face-to-face meetings is often used to communicate information with customers, interested parties, and third parties, and is therefore intended to be disclosed.

The Microsoft Teams provider obtains knowledge of the aforementioned data as necessary insofar as this is provided in the context of our data processing agreement with Microsoft Teams.

Data processing outside of the European Union (EU) is not carried out as a matter of principle, as we have restricted our storage location to data centres in the European Union. However, we cannot guarantee that data is not routed via Internet servers located outside the EU. One particular instance of such routing is whenever participants participate in online meetings in a non-Member State.

However, the data is encrypted during transport over the Internet and therefore protected against unauthorised access by third parties.

2. Cookies

In order to design our website in the most user-friendly way possible and to display more relevant advertisements to visitors of our website, we and our partners use so-called cookies. Cookies are small files stored on a user's device. They allow information to be retained for a certain period of time and identify the visitor's terminal device. This is sometimes also done using tracking pixels, which are not stored on the hard drives of users, but can also help in identifying visitors in a similar way as cookies. In the following, the word cookie covers both cookies in the technical sense as well as tracking pixels and similar technical methods.

2.1 Cookie consent tool of CookiePro by OneTrust

When visiting our website for the first time, you will be shown a banner by CookiePro by OneTrust on our homepage with a cookie consent text. If you provide consent here or in our cookie settings, said consent will be stored in your browser via a selection cookie. This way, we do not have to display this notice every time you visit any page. If said reference no longer appears in your browser (e.g. after erasing the browsing history), this notice will once again be displayed when revisiting our website.

In this context, the collected data will not be passed on to the provider of CookiePro and will only be stored by us up until you erase the selection cookie yourself or until the original purpose for data storage no longer applies. Any mandatory statutory retention periods remain unaffected.

CookiePro Consent technology is used to obtain the statutory consents for the use of cookies. The legal basis is Article 6 (1) lit. c GDPR.

2.2 Cookie list

Below we give you an overview of which cookies we generally use and how we divide them into categories. For technical reasons, this list contains terms that are automatically generated and inserted by the software. This ensures that the presentation is always up-to-date and correct.

2.2.1 Strictly necessary cookies

These cookies are required for the website to function and cannot be deactivated in your system. These cookies are generally only set in response to actions you have carried out that correspond to a service request, such as setting your data protection settings, logging in, or completing forms. You can configure your browser to block these cookies or to receive a notification whenever such a cookie is set. However, some sections of the website will not work in this case. These cookies do not store any personal data.

2.2.2 Performance cookies

These cookies allow us to count visits and traffic sources so that we can measure and improve the performance of our website. They also help us to answer the questions as to which pages are most popular, which are less used, and how visitors navigate the website. All information collected by these cookies is aggregated and therefore anonymous. If you do not allow these cookies, we will not know when you have visited our website.

3. Website optimisation

3.1 Econda

In order to tailor our website to needs and for the optimisation of this website, solutions and technologies of econda GmbH, Zimmerstr. 6, 76137 Karlsruhe, Germany, are used to collect and store pseudonymised data and usage profiles are created from this data using pseudonyms.

econda anonymises the data when it is recorded by truncating the IP address, meaning that it is not possible to assign it to a specific user when used according to its intended purpose. The anonymised data remains on the econda servers and can only be accessed there by us. This aggregated data enables us to analyse visitor flows and click paths, for example, without being able to assign them to a specific user. The servers are exclusively located in Germany.

For this purpose, cookies can be used, cf. Chapter 4, which enable the recognition of a browser. However, user profiles are not compiled with data of the person behind the pseudonym without the express permission of the visitor. IP addresses in particular are made unrecognisable immediately after the user has accessed the website, making it impossible to assign user profiles to IP addresses. Visitors to this website can object here to the recording and storage of this data for the future at any time.

The data is stored for a period of ten (10) years.

3.2 Google Tag Manager

We use Google Tag Manager on our website. Google Tag Manager is a service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (Google).

With Google Tag Manager, we can integrate various codes and services on our website in an orderly and simplified manner. Google Tag Manager implements the tags or 'triggers' the integrated tags. When a tag is triggered, Google may collect information (including personal data) and process it. It cannot be ruled out that Google will also transmit the information to a server in a third country.

In particular, the following personal data is processed by Google Tag Manager:

• Online identifiers (including cookie identifiers);
• IP address.

The legal basis for using Google Tag Manager is Article 6 (1) lit. a GDPR, provided you have consented to its use via the cookie consent tool or the cookie settings.

You can find more detailed information about Google Tag Manager on the websites https://www.google.de/tagmanager/use-policy.html and under https://www.google.com/intl/de/policies/privacy/index.html under the section 'Data that we receive as a result of your use of our services'.

Furthermore, we have concluded an order processing contract with Google for the use of Google Tag Manager pursuant to Article 28 GDPR. Google processes the data on our behalf in order to trigger the stored tags and to display the services on our website. Google may transmit this information to third parties if this is legally required or if third parties process this data on behalf of Google.

By integrating Google Tag Manager, we are pursuing the purpose of being able to integrate various services in a simplified and clear manner. In addition, the integration of Google Tag Manager optimises the loading times of the various services.

3.3 Google Ads

We have integrated Google Ads on our website. The operator of the Google Ads services is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (Google).

Google Ads is an Internet advertising tool, which allows us to show ads in both Google search engine results as well as within the Google advertising network. Google Ads allows us to predefine keywords that ensure that ads are shown in the Google search engine results if you use a search word that is related to the keyword. Within the Google advertising network, the ads are distributed to topically relevant websites by means of an automatic algorithm, taking into consideration the predefined keywords.

Google uses the collected data and information to create visitor statistics for our website. We, in turn, use these visitor statistics to determine the total number of users mediated to us through Ads advertisements, i.e. to assess the success or failure of the corresponding Ads advertisements and thus optimise our Ads advertisements in future. Neither LAPP nor other Google Ads customers receive information from Google that can help identify data subjects.

If you still wish to object to Google Ads, you can generally disable it by making the necessary settings at www.google.com/settings/ads.

You can find further information on Google Ads and the Google Privacy Policy at: www.google.com/privacy/ads/

3.4 Google retargeting

Through our cookie consent tool, a so-called conversion cookie can be stored on your IT system. Refer to Chapter 4 of this Privacy Notice for an explanation of what cookies are. The retargeting function of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (Google) can be used with the help of this conversion cookie.

This feature generally aims to present interest-based ads to visitors of a website within the Google advertising network. If you visit our website and then visit a website within Google's advertising network, you may be shown advertisements from LAPP. The purpose behind Google Retargeting is thus to advertise our website by displaying advertising that is tailored to interests on the websites of third-party companies and in the Google search engine results.

The legal basis for data processing when using Google Retargeting is Article 6 (1) lit. a GDPR, if you consented to the use of conversion cookies through the cookie consent tool or in the cookie settings. A conversion cookie lapses after thirty (30) days.

The conversion cookie is used to store personal information, such as websites visited by the data subject. Whenever you visit our website, personal data, including the IP address of the Internet connection used by the data subject, is transmitted to Google in the United States. Google stores this personal data in the US. Google may under some circumstances share the personal data collected through this technical process with third parties.

If you wish to object to the use of Google Retargeting, you can generally disable conversion cookies at any time, by making the necessary configurations in our cookie settings or at www.google.com/settings/ads.

You can find further information on Google Retargeting and the Google Privacy Policy at: www.google.com/privacy/ads/

4. Law enforcement and legal defence

We may process your personal data in order to assert our rights and to be able to enforce our legal claims and/or to be able to defend ourselves against legal claims and/or to the extent necessary to prevent or prosecute criminal offences.

The legal basis for the processing is Article 17 (3) lit. e GDPR and Article 6 (1) lit. c GDPR. Our legitimate interest lies in law enforcement and legal defence.

5. Recipients of personal data

We share your data to the extent necessary with service providers we use which support us in providing our services.

5.1 Recipient categories

The categories of recipients of your data are stated below. These are, in particular:

• IT service providers which, inter alia, store data and support the administration and maintenance of IT systems;
• Public bodies and institutions, to the extent that we are legally obligated to do so.

Furthermore, your personal data will also be passed on to our affiliated companies within our global group, to the extent that they work for us as processors and, for example, provide IT services or insofar as such is necessary for the provision of our services. The transfer takes place to the extent that this data is lawful for the fulfilment of our contractual and legal obligations or on the basis of our legitimate interests in accordance with Article 6 (1) lit. f GDPR. This can be for economic, administrative or other internal business management purposes; this only applies if such are not overridden by your interests or fundamental rights and freedoms which require the protection of personal data.

5.2 Third-country transfer

As part of the use of certain tools stated, your personal data will also be transmitted to a third country in compliance with the requirements of Article 44 et seqq. GDPR. If third-country service providers are used, they are usually obligated to comply with the data protection level of the European Union through the agreement of the EU standard data protection clauses (if necessary in connection with additional guarantees) adopted by the European Commission. The standard data protection clauses are freely available on the Internet on the website of the European Commission.

Despite these contractual and technical measures, it may arise that the level of data protection in the third country does not correspond to that of the European Union. The legal basis for the international data transfer that then takes place is your consent pursuant to Article 49 (1) sentence 1 lit. a GDPR, which you provide by granting consent in the cookie banner (or other forms, registrations, etc.). Above all, there is a risk – especially in the case of data transfer to the US – that your personal data may possibly be processed by authorities for control and monitoring purposes, even without sufficient legal remedies being available, without us as the data exporter or you as the data subject being aware of such.

In the context of any data transfers to the USA, we would like to inform you that on 10 July 2023, the European Commission adopted an implementing decision based on Regulation (EU) 2016/679 of the European Parliament and of the Council, in which an adequate level of protection for personal data is determined in the context of data protection between the EU and the USA. This decision governs the lawfulness of transfers of personal data from the EU to US-based organisations that are self-certified under the Data Privacy Framework program and listed by the US Department of Commerce. In this case, the legal basis for the transfer of personal data to an entity with an active DPF certificate is Art. 45 GDPR. If the entity is not in possession of a certificate, the legal basis for the data transfer is still Art. 46 GDPR or Art. 49 GDPR, as described above. The current status of a US-based service provider can be checked at any time on the Internet on the Data Privacy Framework website at https://www.dataprivacyframework.gov/s/participant-search/. The new Data Privacy Framework introduces a number of safeguards related to personal data being accessed by US intelligence agencies and other safeguards in order to ensure a level of data protection equivalent to that of the EU, including the establishment of a dedicated, impartial US court of appeal (Data Protection Review Court), where EU citizens can request the release of their personal data.

6. Security

Both we and our service providers take the necessary technical and organisational security precautions to protect your personal data under our control against both accidental and intentional manipulation, loss, and destruction, as well as against access by unauthorised parties. Our data processes and security measures are continuously improved to keep up with technological advancements.

Personal data that is exchanged between you and us or other involved companies is generally transmitted via encrypted connections that correspond with the state-of-the-art.

Our employees and any commissioned service providers are – of course – bound to confidentiality.

7. Links to other Internet websites

Our website contains links to other websites. We have no influence over operators of these websites complying with data protection regulations, including the GDPR. Even after carefully reviewing the content, we cannot assume any liability for external links to third-party content, either. For more information on the data processing procedures on these pages, we kindly ask you to review the privacy notices on the respective websites.

8. Data storage period

Unless you request erasure of the data (cf. point 14), it will be stored by us for as long as it is needed for the purpose for which it was collected. In addition, storage may take place, in particular if a contractual relationship exists or existed, for the purpose of fulfilling retention obligations under commercial and tax law (e.g. two to ten years), ensuring proper disaster recovery (e.g. up to three years), receivables and evidence management (e.g. three years from the end of the year) or for the preservation of evidence within the scope of statutory limitation provisions (e.g. up to thirty years).

9. Your rights

Every natural person whose personal data we process generally (i.e. depending on the respective conditions) has the following rights vis-à-vis us:

• If you have any questions about the ways in which we process your personal data, we would be happy to provide you with information about your personal data we store, free-of-charge and at any time (Article 15 GDPR).
• You have the right to rectification of incorrect and completion of incomplete data (Article 16 GDPR).
• You have a right to block/restrict processing or erase your personal data that is no longer required or stored due to legal obligations (Articles 17 and 18 GDPR).
• You have the right to data portability in a structured, commonly used, and machine-readable format, if you have provided us said data based on consent or a contract concluded between us (Article 20 GDPR).
• You have the right to object to the processing of your data for direct marketing purposes at any time (Article 21 (2) and (3) GDPR).
• You have the right to object to the processing of personal data on the basis of a legitimate interest, with us having the opportunity to demonstrate compelling legitimate grounds for the processing (Article 21 (1) GDPR). Please refer to earlier sections of this Notice to find out when such grounds exist.
• If you have given your consent to data processing, you can withdraw said consent at any time with effect for the future. In other words, the lawfulness of data processing up to the time of withdrawal shall remain unaffected. After withdrawing your consent, you may no longer be able to use our services.

You additionally have the right to lodge a complaint with a supervisory authority (Article 77 GDPR). We do, however, recommend you first direct your complaint to us.

You may exercise your rights against any of the controllers mentioned at the beginning of this Privacy Notice. Please submit your request in writing (using the keyword: data protection) or by email, using the likewise specified contact details. We reserve the right to verify your identity so that your personal data does not become known to unauthorised persons.

Note on your right to object to the processing of your personal data at any time

If the data processing is based on Article 6 (1) lit. f GDPR, you have the right to object to the processing of your personal data at any time for reasons that arise from your particular situation. The respective legal basis on which processing is based can be found in this Privacy Notice.

You are welcome to send such an objection to the addresses mentioned at the beginning of this Privacy Notice.

We will check without undue delay, but at the latest within one month of receiving your objection, whether we are obligated to erase your data on the basis of the grounds specified or whether further processing of your data by us is necessary to protect overriding interests worthy of protection or to assert, exercise or defend legal claims. We will inform you of the result of our assessment in writing or another text form.

10. Changes

Occasionally, we need to make changes to this Privacy Notice. We reserve the right to do so at any time. The updated version of the Privacy Notice will be published here. Whenever you visit us, you should therefore read through this Privacy Notice again.