PRIVACY POLICY

for the website www.ktv.gmbh

§ 1 Information on the collection of personal data

(1) This policy provides information on the collection of personal
data when you use our website. Personal data is all data that relates to
you personally, e.g. name, address, email addresses and user behaviour.

(2) When you contact us by telephone, email or via a contact form, the
data you provide in this way (including your email address, name and
telephone number) will be stored by us in order to answer your
questions. We delete the data collected in this context once storage is
no longer necessary or restrict processing if there are statutory
retention obligations.

The data is processed on the basis of Article 6 (1) point (b) GDPR,
provided that your enquiry is related to the performance of a contract
or is necessary for the implementation of pre-contractual measures.

In all other cases, processing is based on our legitimate interest in
the effective processing of enquiries addressed to us (Article 6 (1)
point (f) GDPR).

(3) You can look up vacancies in our company on our website and then
apply for them via the job board and/or by email and/or by post.

The legal basis for this is Section 26 (1) of the German Federal Data
Protection Act (BDSG). We will store the documents you send us for the
duration of the application process. If your application is
unsuccessful, this shall be the case no later than six months after the
completion of the application process. As soon as we intend to store the
documents you send us beyond the duration of the application process,
e.g. because we are considering your application for another vacancy, we
will ask for your express consent. We use the digital recruitment
service provided by heroes GmbH to manage job advertisements and
applications; see Section 10.

(4) We are obliged partly under commercial and tax law to store your
address, payment and order data for a period of ten years. However, we
restrict processing after two years, i.e. your data will only be used to
comply with legal obligations.

(5) We encrypt your personal data using SSL technology to prevent
unauthorised third-party access.

(6) The controller pursuant to Article 4 (7) of the European
General Data Protection Regulation (GDPR) is KTV Speditionsgesellschaft
mbH, Monplaisierstrasse 11, 39249 Barby, Germany, tel.: +49 (0)39298 299
20, email: info@ktv.gmbh. You can contact our data protection officer
at datenschutzbeauftragter@greiwing.de

§ 2 Your rights

(1) You have the following rights with regard to your personal data:

To exercise your rights, please contact us using the contact details
listed in Section 1.

(2) You also have the right to lodge a complaint with a supervisory
authority about the processing of your personal data by us. The
competent authority for us is the State Commissioner for Data Protection
of Saxony-Anhalt, Leiterstrasse 9, 39104 Magdeburg, Germany.

§ 3 Collection of personal data when you visit our website

(1) When you use the website, we only collect the personal data that
your browser transmits to our server. If you wish to view our website,
we collect the following data, which is technically necessary for us to
display our website to you and to ensure stability and security (the
legal basis is Article 6 (1) point (f) GDPR):

(2) In addition to the aforementioned data, cookies are stored on your
computer when you use our website. Cookies are small text files that are
stored on the hard drive assigned to the browser you are using and
through which certain information is sent to the entity that provided
the cookie (in this case, us). Cookies cannot run programs or install
viruses on your computer. They make the website more user-friendly and
effective overall.

(3) Use of cookies:

a) This website uses the following types of cookies, the scope and
functionality of which are explained below: technically necessary
cookies and transient cookies (see b).

b) Technically necessary cookies are essential in order to navigate the
website, use basic functions and ensure the security of the website;
they neither collect information about you for marketing purposes nor
store which websites you have visited. Transient cookies are
automatically deleted when you close the browser. These include, in
particular, session cookies. These store a so-called session ID, which
can be used to assign various requests from your browser to the joint
session. This allows your computer to be recognised when you return to
our website. For example, the following data is stored and transmitted
during a session: Storage of a login status, filling in multi-page
forms, temporary storage of user entries, search parameters, display
status of controls. Session cookies are deleted when you log out or
close the browser.

c) The legal basis for cookies that are absolutely necessary in order
to provide you with the expressly requested service is Section 25 (2)
no. 2 of the German Telecommunications Digital Services Data Protection
Act (TDDDG). Any use of cookies that is not absolutely technically
necessary constitutes data processing that is only permitted with your
explicit and active consent in accordance with Section 25 (1) TDDDG in
conjunction with Article 6 (1) point (a) GDPR. This applies, in
particular, to the use of performance, advertising, targeting or sharing
cookies. Furthermore, we will only pass on your personal data processed
by cookies to third parties if you have given your express consent in
accordance with Article 6 (1) point (a) GDPR.

(d) Further information on which cookies we use can be found under
Section 10 of this policy.

(4) If it is necessary for data processing to store information on
your device or access information already stored on the device, Section
25 (1) and (2) TDDDG are the legal basis for this.

§ 4 Additional functions and services offered on our website

(1) In addition to the purely informational use of our website, we
offer various services that you can use if you are interested. As a
rule, you must provide further personal data, which we use to provide
the service in question and to which the aforementioned data processing
principles apply.

(2) In some cases, we use external service providers to process your
data. These have been carefully selected and commissioned by us, are
bound by our instructions and are regularly audited.

The following categories of recipients, who are usually processors, may
have access to your personal data:

Furthermore, we will only pass on your personal data to third parties if
you have given your express consent in accordance with Article 6 (1)
point (a) GDPR.

(3) Within the scope of our business relationships, your personal data
may be passed on or disclosed to third parties. These may also be
located outside the European Economic Area (EEA), i.e. in third
countries. Such processing takes place solely for the purposes of
fulfilling contractual and business obligations and maintaining your
business relationship with us (the legal basis is Article 6 (1) point
(b) or (f) in conjunction with Article 44 et seq. GDPR). This policy
provides details of each disclosure at the relevant points below.

In some third countries, the European Commission certifies that the
level of data protection is comparable to the EEA standard by means of
so-called adequacy decisions (a list of these countries and a copy of
the adequacy decisions are available at
https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en).
However, in other third countries to which personal data may be
transferred, there may not be a consistently high level of data
protection due to a lack of legal provisions. Insofar as this is the
case, we ensure that sufficient guarantees are in place to ensure the
protection of data. This is possible via standard contractual clauses of
the European Commission for the protection of personal data in
accordance with Article 46 (1) and (2) point (c) GDPR (the standard
contractual clauses from 2021 are available at
https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32021D0915&locale-en),
certificates or recognised codes of conduct. Please refer to the contact
information provided in Section 1 if you would like more information on
this.

§ 5 Objection or withdrawal of consent to the processing of your
data

(1) If you have given your consent to the processing of your data, you
may revoke this consent at any time. Such a withdrawal affects the
permissibility of the processing of your personal data after your
withdrawal of consent.

(2) Insofar as we base the processing of your personal data on a
weighing of interests, you may object to the processing. This is the
case, in particular, if the processing is not necessary for the
performance of a contract with you, which is explained by us in each
case in the description of the functions below. If you raise such an
objection, we will ask you to explain the reasons why we should not
process your personal data in the way we do. If your objection is
justified, we will examine the situation and either cease or adapt the
data processing or explain our compelling legitimate reasons for
continuing to process the data.

(3) You can, of course, object to the processing of your personal data
for advertising and data analysis purposes at any time. You can inform
us of your objection to advertising via the contact details provided in
Section 1.

§ 6 Use of social media

(1) We currently use the following social media channels: Facebook,
Instagram and LinkedIn.

(2) We operate an official Facebook page and an Instagram page in
order to connect with interested parties and provide information. We are
jointly responsible with Meta Platforms Ireland Limited (Merrion Road,
Dublin 4, D04 X2K5, Ireland; hereinafter: Meta) for processing the data
collected when you use our Facebook and Instagram pages. This means that
we and Meta jointly determine the purposes and means of data processing
on our Facebook and Instagram pages. This is based on the Terms of Use
of Facebook and the Terms of Use of Instagram as well as Meta’s
agreement on joint responsibility.

When you visit our Facebook and Instagram pages, Meta automatically
collects data such as your IP address, information about your device,
your interactions on Instagram (e.g. likes, comments) and, if
applicable, other information that Meta stores using cookies and similar
technologies. This data is used by Meta to create usage profiles and
display personalised advertising. We ourselves receive anonymised
statistics from Meta on the use of our Facebook and Instagram pages
(known as ‘Insights’), which enable us to analyse the reach and
interactions of our content. However, this data cannot be traced back to
individual persons.

Meta may also process your data for these purposes outside the European
Union, in particular in the USA. The transfer is based on the EU-U.S.
Data Privacy Framework (DPF), an adequacy decision by the Commission to
ensure an adequate level of data protection. Nevertheless, we would like
to point out that if US authorities access your data, there is a risk
that you will not be informed of this and will not have sufficient legal
protection. The processing of data by Meta on our Facebook and Instagram
pages is subject to the Meta Privacy Policy.

Your data is processed on the basis of our legitimate interest pursuant
to Article 6 (1) point (f) GDPR in effective communication with you and
the provision of up-to-date information.

You have the right to information, correction, deletion and restriction
of the processing of your personal data as well as the right to data
portability and objection to data processing. Due to the agreement on
joint responsibility (see above), it follows that the rights of data
subjects with regard to processing in the context of Instagram should be
asserted against Meta. The relevant form is available at
https://www.facebook.com/help/contact/612141586937373. If you need
assistance in asserting your rights, you can contact us via the contact
details given above.

(3) We also operate an official LinkedIn page in order to connect with
interested parties and provide information. We are jointly responsible
with LinkedIn Ireland Unlimited Company (Wilton Plaza, Wilton Place,
Dublin 2, Ireland; hereinafter: LinkedIn) for the processing of data
collected in connection with the use of our LinkedIn page. This means
that we and LinkedIn jointly determine the purposes and means of data
processing on our LinkedIn page. This is based on the joint
responsibility agreement in accordance with the user agreement and the
LinkedIn Pages Joint Controller Addendum from LinkedIn.

When you visit our LinkedIn page, LinkedIn automatically collects data
such as your IP address, information about your device, your
interactions with our LinkedIn page (e.g. likes, comments, messages) and
other information that LinkedIn stores using cookies and similar
technologies. This data is used by LinkedIn to create usage profiles and
display personalised advertising. We ourselves receive anonymised
statistics from LinkedIn on the use of our LinkedIn page (known as ‘Page
Insights’), which enable us to analyse the reach and interactions of our
content.

LinkedIn may also process your data outside the European Union, in
particular in the USA. The transfer is based on the EU-U.S. Data Privacy
Framework (DPF) or other appropriate safeguards to ensure an adequate
level of data protection. Nevertheless, we would like to point out that
if US authorities access your data, there is a risk that you will not be
informed of this and will not have sufficient legal protection. The
processing of data by LinkedIn on our LinkedIn page is subject to
LinkedIn’s privacy policy, which is available at
https://www.linkedin.com/legal/privacy-policy.

Your data is processed on the basis of our legitimate interest pursuant
to Article 6 (1) point (f) GDPR in effective communication with you and
the provision of up-to-date information.

You have the right to information, correction, deletion and restriction
of the processing of your personal data as well as the right to data
portability and objection to data processing. Due to the agreement on
joint responsibility (see above), it follows that the rights of data
subjects with regard to processing in the context of LinkedIn should be
asserted against LinkedIn. LinkedIn provides a form for this purpose
which is available at https://www.linkedin.com/help/linkedin/ask/PPQ.
If you need assistance in asserting your rights, you can contact us
using the contact details above.

§ 7 Google services

Our website uses various services provided by Google Ireland Limited
(Gordon House, Barrow Street, Dublin 4, Ireland; hereinafter: Google) to
improve website functionality, provide services, analyse user behaviour
and optimise our advertising measures.

When you visit our website, Google receives the information described
below. This occurs regardless of whether Google provides a user account
through which you are logged in or whether there is no user account. If
you are logged into Google, your data will be assigned directly to your
account. If you do not wish this data to be assigned to your Google
profile, you must log out before activating the button. Google stores
your data in a usage profile and uses it for the purposes of
advertising, market research and/or website personalisation. Such an
evaluation is carried out in particular (even for users who are not
logged in) to display interest-based advertising. You have the right to
object to the creation of these user profiles. To do so, you must
contact Google.

Specifically, we use the following Google services:

The processing of the above-mentioned data for the use of the respective
services is based on your consent in accordance with Section 25 (1)
TDDDG and Article 6 (1) point (a) GDPR, which you can give individually
via our cookie banner.

Please note that when using the above-mentioned services, your personal
data may be transferred by Google to the USA. The data transfer to the
USA is based on the EU-U.S. Data Privacy Framework (DPF). Google is
certified under the DPF and undertakes to ensure a level of data
protection that complies with EU standards. Nevertheless, we would like
to point out that national security laws in the USA may result in a
lower level of data protection and that US authorities may have access
to your data. For more information about data processing by Google and
DPF certification, please refer to Google’s Privacy Policy.

§ 8 Hosting

This website is hosted by an external service provider (a host). The
personal data collected on this website is stored on the host’s servers.
This may include, in particular, IP addresses, contact requests, meta
and communication data, contract data, contact data, names, website
accesses and other data generated through a website.

The host is used for the purpose of fulfilling a contract vis-à-vis our
potential and existing customers (Article 6 (1) point (b) GDPR) and in
the interest of the secure, fast and efficient provision of our online
services by a professional provider (Article 6 (1) point (f) GDPR).

Our host will only process your data to the extent necessary to fulfil
its performance obligations and follow our instructions in relation to
this data.

We use the following host:

Andreas Pielage
a.p. marketing consulting germany
Sandstrasse 20
48268 Greven, Germany

9. hCaptcha

We use hCaptcha on this website. The provider is Intuition Machines,
Inc., 350 Alabama St, San Francisco, CA 94110, USA (hereinafter:
hCaptcha).

The purpose of hCaptcha is to check whether data is being entered on
this website (e.g. in a contact form) by a human or an automated
program. For this purpose, hCaptcha analyses the behaviour of the
website visitor on the basis of various characteristics. This analysis
begins automatically as soon as the visitor accesses the website. For
the purposes of analysis, hCaptcha evaluates various information (e.g.
the data mentioned under Section 3 of this policy, the length of time
the visitor stays on the website or mouse movements made by the user).
The data collected during the analysis is usually transmitted to
hCaptcha’s servers and processed there; this may also involve
transmission to the USA.

The hCaptcha analyses run entirely in the background. Website visitors
are not specifically informed that an analysis is taking place.

Data is stored and analysed on the basis of Article 6 (1) point (a) GDPR
and Section 25 (1) TDDDG, insofar as the consent includes the storage of
cookies or access to information on the user’s device (e.g. device
fingerprinting) within the meaning of the TDDDG. Consent can be
withdrawn at any time.

Further information can be found in the privacy
policy (https://www.hcaptcha.com/privacy) and the terms of use
(https://www.hcaptcha.com/terms) of hCaptcha.

10. heroes e-recruiting

(1) We use the heroes e-recruitment service on this website for
application purposes. If you click on a job advertisement on our
website, you will be redirected to our recruitment portal with your
consent. In this case, a connection is established with the servers of
heroes GmbH. The technical operator is heroes GmbH, Welfenstrasse 22,
81541 Munich, Germany. In the course of this, the following data is
transmitted to heroes:

The legal basis for processing is Article 6 (1) point (a) GDPR.

(2) Data collected on our recruitment portal
(https://greiwing.recruiting-portal.com/) will be processed
exclusively for the purposes of your application. This includes your
email address, first and last name, date of birth, telephone number and
other application documents submitted by you. We will store the
documents you send us for the duration of the application process. If
your application is unsuccessful, we will delete the documents you
uploaded no later than six months after the end of the application
process. If we intend to retain the documents you sent us beyond the
duration of the application process (e.g. to consider your application
for another vacancy), we will ask for your express consent for this. The
legal basis for processing is Article 6 (1) point (a) GDPR and Section
26 BDSG.

(3) Further information on the purpose and scope of data collection
and processing by heroes, including how to object, can be found in the
privacy policy of heroes: https://heroes.eu/datenschutzerkl%C3%A4rung

Information about the cookies we use

Below you will find a detailed list of all cookies used and the
corresponding data protection information from the respective providers.

Technically necessary

Publisher: KTV Speditionsgesellschaft mbH

Name Lifespan Description
kirby_session Session Identifies users during the session.
silktideCookieBanner_InitialChoice Persistent Stores whether an initial cookie banner decision has already been made.
silktideCookieChoice_advertising Persistent Stores whether advertising cookies are allowed.
silktideCookieChoice_analytics Persistent Stores whether analytics cookies are allowed.
silktideCookieChoice_necessary Persistent Stores whether technically necessary cookies are allowed.

hCaptcha

Publisher: Intuition Machines, Inc. Description: These cookies are set
to provide the hCaptcha on the contact page. hCaptcha is a service that
attempts to distinguish between humans and bots in order to prevent fake
contact requests (spam). More details:

Name Lifespan Description
cf_bm Variable; up to 1 day Provision of the captcha for the contact form. Used for strictly necessary technical purposes: security features.
INGRESSCOOKIE, cfduid, cflb Various; up to 30 days Provision of the captcha for the contact form. Used for strictly necessary technical purposes: load balancing and routing.
hc_accessibility Various; up to 30 days Provision of the captcha for the contact form. Used for strictly necessary technical purposes: enables accessibility features for the user.
hmt_id 30 days Provision of the captcha for the contact form. Used for strictly necessary anonymous service-related statistics and other technical purposes such as accessibility support.

greiwing.recruiting-portal.com

Publisher: heroes GmbH Description: These cookies are used by heroes GmbH to provide the job listings on the jobs page.

More details: https://heroes.eu/datenschutz and
https://greiwing.recruiting-portal.com/main.do

Name Lifespan Description
JSESSIONID Session Providing job listings with filter functionality.
LBSESSIONID Session Providing job listings with filter functionality.
firstcontact Session Providing job listings with filter functionality.
he-consent 6 months Providing job listings with filter functionality. Stores the user's cookie consent preferences.

Google Analytics/Tag Manager

Publisher: Google Inc. Description: These cookies are set by
Google Inc. to provide tracking information in Google Analytics.

More details: https://policies.google.com/privacy

Name Lifespan Description
gcl_ls 90 days Google Tracking
gcl_au 4 months Google Tracking
AEC 6 months Google Tracking
DV 10 minutes Google Tracking
IDE 6 months Google Tracking
SOCS 6 months Google Tracking
Secure-BUCKET 6 months Google Tracking
Secure-ENID 6 months Google Tracking