Data Protection Statement

DATA PROTECTION STATEMENT

We are delighted that you are interested in our company. Data protection is of particular importance for the management of Edelman GmbH. In general, it is possible to use the webpages of Edelman GmbH without providing any personal data. However, if an individual wishes to use special services of our company, personal data processing may be required. If the processing of personal data is required and there is no legal basis for such processing, we will generally seek the consent of the data subject.

The processing of personal data, such as the name, address, email address or telephone number of a data subject, is always in accordance with the General Data Protection Regulation and in accordance with the country-specific data protection provisions applicable to Edelman GmbH. Through this privacy policy, our company seeks to inform the public about the nature, scope and purpose of the personal information we collect, use and process. Furthermore, data subjects are informed of their rights under this privacy policy.

Edelman GmbH, as controller of the processing, has implemented numerous technical and organizational measures to ensure the most complete protection possible for personal data processed through this website and in its work. Nevertheless, Internet-based data transmissions can in principle have security gaps meaning that absolute protection cannot be guaranteed. For this reason, every data subject is free to submit personal data to us in alternative ways, for example, by telephone.

I DEFINITIONS

The data protection statement of Edelman GmbH is based on the terminology used by the European directive and regulatory authority in the adoption of the General Data Protection Regulation (GDPR). Our data protection statement should be easy to read and understand for the public as well as for our customers and business partners. To ensure this, we would first like to explain the terminology used.

The terms we use in this data protection statement include, but are not limited to, the following:

a) Personal data
Personal data is all information relating to an identified or identifiable natural person ("the data subject"). A natural person is considered to be identifiable if they can be identified, directly or indirectly, in particular by association with an identifier such as a name, an identification number, location data, an online identifier or one or more special features which indicate the physical, physiological, genetic, mental, economic, cultural or social identity of this natural person.

b) Data subject
The data subject is any identified or identifiable natural person whose personal data are processed by the controller.

c) Processing
Processing means any process or series of operations performed with or without the aid of automated processes in relation to personal data such as the collection, recording, organization, filing, storage, adaptation or modification, reading, querying, use, disclosure by transmission, dissemination or other form of provision, matching or linking, restriction, erasure or destruction.

d) Restriction of processing
Restriction of processing is the marking of stored personal data with the purpose of limiting their future processing.

e) Profiling
Profiling is any type of automated processing of personal data which involves the use of such personal data to evaluate certain personal aspects relating to a natural person, in particular in order to analyze or predict aspects relating to work performance, economic situation, health, personal preferences, interests, reliability, behavior, place of residence or change in the place of residence of this natural person.

f) Pseudonymization
Pseudonymization is the processing of personal data in such a way that the personal data can no longer be assigned to a specific data subject without additional information, provided that such additional information is kept separate and subject to technical and organizational measures to ensure that the personal data is not assigned to an identified or identifiable natural person.

g) Controller or controller of processing
The controller is the natural or legal person, public authority, agency or other body that, alone or together with others, decides on the purposes and means of processing personal data. Where the purposes and means of such processing are determined by Union law or the law of the Member States, the controller or the specific criteria for its designation may be provided for under Union or national law.

h) Order processor
The order processor is a natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller.

i) Recipient
The recipient is a natural or legal person, public authority, agency or other entity to whom personal data is disclosed, whether or not it is a third party. However, authorities which may receive personal data under Union or national law in connection with a particular mission are not considered to be recipients.

j) Third party
A third party is a natural or legal person, public authority, institution or body other than the data subject, the controller, the processor and the persons authorized under the direct responsibility of the controller or processor to process the personal data.

k) Consent
Consent is any expression of will voluntarily given by the data subject in an informed and unambiguous manner in the form of a statement or other unambiguous affirmative act by which the data subject indicates that they agree to the processing of the relevant personal data.

II OVERVIEW

1. Scope
Data processing by Edelman GmbH can essentially be divided into two categories:

- For the purpose of contract execution, all data necessary for the execution of a contract with Edelman GmbH will be processed. If external service providers are also involved in the processing of the contract, for example, logistics companies or payment service providers or others, your data will be passed on within the relevant scope required.

- When you call up the Edelman GmbH website / application various items of information are exchanged between your device and our server. This can also be personal data. The information collected in this way is used, among other things, to optimize our website or to display advertising in the browser of your device

This data protections statement applies to the following offers:

- our online offer is available at www.edelman.de;

- whenever one of our offers (for example, websites, subdomains, mobile applications, web services or third-party affiliations) otherwise refers to this data protection statement, regardless of the way in which you access or use it.

All these offers are collectively referred to as "Services".

2. Name and address of the controller
The controller in the meaning of the General Data Protection Regulation, other data protection laws in the Member States of the European Union, and other provisions related to data protection is:

Edelman GmbH
St. Martin Tower, Franklinstraße 61-63
60487 Frankfurt am Main
Germany
Tel .: 069 / 509546-320
Email: legal.germany(at)edelman.com
Website: www.edelman.de

3. Name and address of the data protection officer
The data protection officer for the controller is:

intersoft consulting services AG
Beim Strohhause 17
20097 Hamburg

Any data subject can contact our data protection officer at any time with any questions or suggestions regarding data protection.

4. Data security
In order to develop the measures required by Art. 32 GDPR and thus achieve a level of protection commensurate with the risk, we take all reasonable and appropriate measures to protect the personal information we store against misuse, loss or unauthorized access.

To do this, we apply a series of technical and organizational measures. In doing so, we adhere to the information security standard VdS 3473 of VdS Schadenverhütung GmbH.

III THE DATA PROCESSING IN DETAIL

In this section of the data protection statement we will inform you in detail about the processing of personal data as part of our services. For better clarity, we have divided this information in accordance with certain functionalities of our services. During the normal use of the services, different functionalities and thus also different processing operations may be used successively or simultaneously.

General information about the data processing

The following applies to all processing operations described below, unless otherwise stated:

a) Legal basis of processing
Art. 6 I lit. A GDPR serves our company as the legal basis for processing operations where we obtain consent for a particular processing purpose. If the processing of personal data is necessary to fulfill a contract to which the data subject is a party, as is the case, for example, in processing operations necessary for the supply of goods or the provision of any other service or consideration, processing shall be based on Art. 6 I lit. b GDPR. The same applies to processing operations that are necessary to carry out pre-contractual measures, for example in cases of inquiries regarding our products or services. If our company is subject to a legal obligation which requires the processing of personal data, such as the fulfillment of tax obligations, the processing is based on Art. 6 I lit. c GDPR. In rare cases, the processing of personal data may be required to protect the vital interests of the data subject or another natural person. This would be the case, for example, if a visitor to our premises were injured and his or her name, age, health insurance or other vital information needed to be passed on to a doctor, hospital or other third party. Then the processing would be based on Art. 6 I lit. d GDPR. Ultimately, processing operations could be based on Art. 6 I lit. f GDPR. This is the legal basis for processing operations that are not covered by any of the above legal bases but which are required if processing is necessary to safeguard the legitimate interests of our company or a third party, unless the interests, fundamental rights and fundamental freedoms of the person concerned prevail. Such processing operations are particularly permitted to us because they have been specifically mentioned by the European legislator. In that regard, it is considered that a legitimate interest could be assumed if the data subject is a customer of the controller (Recital 47, Clause 2, GDPR).

b) Legitimate interests in the processing pursued by the controller or a third party
If the processing of personal data is based on Article 6 I lit. f GDPR, our legitimate interest is in conducting our business for the benefit of all of our employees and shareholders.

c) No provision obligation
There is no contractual or legal obligation to provide personal data. You are not required to provide data.

d) Consequences of non-provision
In the case of required data (data marked as mandatory when entering data), failure to provide it means that the service in question cannot be provided. Otherwise, failure to provide data may mean that our services cannot be provided in the same form and to the same quality.

e) Consent
In various cases, you may also give us your consent to further processing in connection with the processing described below (if necessary, for a portion of the data). In this case, we will separately inform you in connection with the submission of the respective declaration of consent of all modalities and the scope of the consent and the purposes that we pursue with these processing operations.

f) Transfer of personal data to third countries
If we transfer data to third countries, i.e. countries outside the European Union, then the transmission takes place only in compliance with the statutory admissibility requirements.

The admissibility requirements are regulated by Art. 44-49 GDPR.

g) Hosting with external service providers
Our data processing is carried out to a large extent with the involvement of so-called hosting service providers who provide us with storage space and processing capacities in their data centers and process personal data on our behalf in accordance with our instructions. These service providers process data either exclusively in the EU or we have guaranteed an appropriate level of data protection using EU standard data protection clauses.

h) Legal or contractual provisions for the provision of personal data; necessity for the conclusion of the contract; obligation of the data subject to provide the personal data; possible consequences of non-provision

We clarify that the provision of personal data is partly required by law (e.g. tax regulations) or may also result from contractual provisions (for example, information about the contracting party). Occasionally it may be necessary for a contract to be concluded that a data subject provides us with personal data that must subsequently be processed by us. For example, the data subject is required to provide us with personal information when our company enters into a contract with him/her. Failure to provide the personal data would mean that the contract with the person concerned could not be concluded. Prior to any personal data being provided by the person concerned, the person concerned must contact one of our employees. Our employee will inform the individual on a case-by-case basis whether the provision of the personal data is required by law or contract or is required for the conclusion of the contract, whether there is an obligation to provide the personal data and the consequences of the non-provision of the personal data.

i) Submission to Government Authorities
We provide personal data to governmental authorities (including law enforcement agencies) when necessary to fulfill a legal obligation to which we are subject (legal basis: Art. 6 (1) c) GDPR) or it is necessary for the assertion, exercise or defense of legal claims (legal basis Art. 6 (1) f) GDPR).

j) Duration for which the personal information is stored
We do not store your data longer than we need for the respective processing purposes. If the data is no longer required for the fulfillment of contractual or legal obligations, this data will be deleted on a regular basis, unless its temporary storage is still necessary. Reasons for this can be, for example:

- The fulfillment of commercial and tax retention obligations
- The receipt of evidence for legal disputes within the framework of the statutory limitation regulations

Likewise, it is possible for us to store your data for a further period, if you have expressly given your consent for us to do so.

k) Data categories
Account data: Login / User ID and password
Personal master data: Title, salutation / gender, first name, surname, date of birth, if necessary, professional background
Address data: Street, house number, if necessary, contact information, postal code, city, country Contact: Telephone number(s), fax number(s), email address(es)
Credentials: Information about the service you have signed up for; dates and technical information on registration, confirmation and de-registration; information you provide upon registration
Payment details: Account information, credit card details, other payment services like Paypal
Access data: Date and time of visit to our service; the page from which the accessing system came to our site; pages accessed during use; session identification data; and the following information about the accessing computer system: Internet Protocol address (IP address) used, browser type and version, device type, operating system and similar technical information.
Application data: Curriculum vitae, certificates, evidence, work samples, certificates, images
Data as per Art. 9 GDPR: Data showing racial and ethnic origin, political opinions, religious or ideological beliefs or trade union affiliation, as well as genetic data, biometric data to uniquely identify a natural person, health or sex life or sexual orientation data of a natural person.

1. CALLING UP THE WEBSITE / APPLICATION

Here's how we process your personal data when you visit our services.

Information about processing
Data category: Access data
Data purpose: Establishing a connection, presentation of the contents of the service, detection of attacks on our site due to unusual activities, fault diagnosis
Legal basis: Art. 6 para. 1 f) GDPR
If applicable, legitimate interest: proper functioning of services, security of data and business processes, prevention of misuse, prevention of damage through interference in information systems 7 days

a) Cookies
The webpages of Edelman GmbH use cookies. Cookies are text files that are filed and stored on a computer system via an Internet browser.

Many websites and servers use cookies. Many cookies contain a so-called cookie ID. A cookie ID is a unique identifier for the cookie. It consists of a character sequence through which webpages and servers can be assigned to the specific Internet browser in which the cookie has been stored. This allows websites and servers visited to distinguish the individual's browser from other internet browsers that contain other cookies. A specific web browser can be recognized and identified by the unique cookie ID.

By using cookies, Edelman GmbH can provide users of this website with more user-friendly services than would be possible without the cookie setting.

A cookie enables the information and offers on our website to be optimized for the user. Cookies allow us, as already mentioned, to recognize the users of our website. The purpose of this recognition is to make it easier for users to use our website. For example, the user of a website that uses cookies need not re-enter their credentials each time they visit the website, as this is done by the website and the cookie stored on the user's computer system.

The data subject can prevent the setting of cookies through our website at any time by means of a corresponding setting of the Internet browser used and thus permanently prevent the setting of cookies. Furthermore, cookies that have already been set can be deleted at any time via an Internet browser or other software programs. This is possible in all common Internet browsers. If the data subject deactivates the setting of cookies in the Internet browser used, not all functions of our website may be fully usable.

Tracking off/on

b) Collection of general data and information
The Edelman GmbH website collects a series of general data and information each time the website is accessed by a data subject or an automated system. This general data and information is stored in the server's log files. The (1) browser types and versions used, (2) the operating system used by the accessing system, (3) the website from which an accessing system accesses our website (so-called referrers), (4) the sub-web pages which are directed to our website via an accessing system (5) the date and time of access to the website, (6) an Internet Protocol address (IP address), (7) the Internet service provider of the accessing system and (8) other similar data and information used in the event of attacks on our information technology systems.

When using this general data and information Edelman GmbH does not make references back to the data subject. Rather, this information is required to (1) correctly deliver the contents of our website, (2) to optimize the content of our website and to advertise it, (3) to ensure the continued functioning of our information technology systems and the technology of our website, and (4) to provide law enforcement authorities with the information necessary for law enforcement in the event of a cyber attack. Edelman GmbH evaluates this anonymously collected data and information, statistically, on the one hand, and, further, with the aim of increasing data protection and data security in our company in order to ultimately ensure an optimal level of protection for the personal data processed by us. The anonymous data from the server log files is stored separately from all personal data provided by a data subject.

c) Privacy policy on the application and use of Facebook Pixel
The controller has integrated into this website conversion pixels or visitor action pixels from the company Facebook.

The operating company of Facebook is Facebook, Inc., 1 Hacker Way, Menlo Park, CA 94025, USA. The controller for the processing of personal data, if a data subject lives outside the US or Canada, is Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbor, Dublin 2, Ireland.

By calling up this pixel from your browser, Facebook can subsequently see whether a Facebook ad was successful through, for example, having led to an online purchase. For this we receive exclusively statistical data from Facebook without reference to a specific person. This allows us to track the effectiveness of Facebook ads for statistical and market research purposes. For more information on the collection and use of data by Facebook, as well as your rights in this regard and ways to protect your privacy, please refer to the Facebook's privacy policy at https://www.facebook.com/about/privacy/.

d) Privacy policy on the application and use of Facebook
The controller has integrated into this website components from the company Facebook. Facebook is a social network.

A social network is an Internet-based social meeting place, an online community that typically allows users to communicate with each other and interact in virtual space. A social network can serve as a platform to exchange views and experiences, or allow the Internet community to provide personal or business information. Facebook allows social network users to create private profiles, upload photos and create networks via friend requests.

Upon each visit to one of the individual pages of this website, which is operated by the controller and on which a Facebook component (Facebook plugin) has been integrated, the Internet browser on the data subject's information technology system is automatically triggered to download a representation of the corresponding Facebook component from Facebook via the respective Facebook component. An overview of all Facebook plugins can be found at developers.facebook.com/docs/plugins/. As part of this technical process, Facebook receives information about which specific sub-page of our website the data subject visits.

If the data subject is simultaneously logged into Facebook, with each visit to our website by the data subject and during the entire duration of the respective stay on our website, Facebook can recognize which specific sub-page of our website the data subject visits. This information is collected through the Facebook component and assigned by Facebook to the data subject's respective Facebook account. If the data subject activates one of the Facebook buttons integrated into our website, for example the "Like" button, or if the data subject makes a comment, Facebook assigns this information to the personal Facebook user account of the data subject and saves this personal data.

Facebook always receives information via the Facebook component that the data subject has visited our website if the data subject is logged into Facebook at the same time as accessing our website; this happens regardless of whether the data subject clicks on the Facebook component or not. If such a transfer of this information to Facebook is not wanted by the data subject, the data subject can prevent the transfer by logging out of his/her Facebook account before calling up our website.

The data policy published by Facebook, which can be accessed at www.facebook.com/about/privacy/, provides information on the collection, processing and use of personal data by Facebook. It also explains which options Facebook offers to protect the data subject's privacy. In addition, different applications are available, which make it possible to suppress data transmission to Facebook. Such applications can be used by the data subject to suppress data transmission to Facebook.

e) Privacy Policy on the application and use of Google Analytics (with anonymization function)
The controller has integrated the Google Analytics component (with anonymization function) into this website. Google Analytics is a web analytics service. Web analysis is the collection, gathering and analysis of data about the behavior of visitors to websites. Among other things, a web analysis service collects data on the website from which a data subject has come to a website (so-called referrers), which sub-pages of the website were accessed or how often and for which length of time a sub-page was viewed. Web analysis is mainly used to optimize a website and for the cost-benefit analysis of Internet advertising.

The operating company of Google Analytics component is Google Inc., 1600 Amphitheater Pkwy, Mountain View, CA 94043-1351, USA.

The controller uses the addition _gat._anonymizeIp for web analysis via Google Analytics. By means of this addition, the IP address of the data subject's Internet collection will be shortened and anonymized by Google if the access to our website is from a Member State of the European Union or from another state party to the Agreement on the European Economic Area.

The purpose of the Google Analytics component is to analyze visitor flows on our website. Among other things, Google uses the data and information obtained to evaluate the use of our website, to compile for us online reports showing the activities on our websites, and to provide other services related to the use of our website.

Google Analytics uses a cookie on the data subject’s information technology system. What cookies are has already been explained above. By using this cookie Google is able to analyze the usage of our website. Each time one of the individual pages of this website operated by the controller and into which a Google Analytics component has been integrated is accessed, the Internet browser on the data subject's information technology system is automatically triggered by the respective Google Analytics component to submit data to Google for online analysis purposes. As part of this technical process, Google will be aware of personal data, such as the IP address of the data subject, which, among other things, serve Google to track the origin of the visitors and clicks, and subsequently make commission settlements possible.

The cookie stores personally identifiable information, such as access time, the location from which access was made, and the frequency of site visits by the data subject. Upon each visit to our website, this personal information, including the IP address of the Internet connection used by the data subject, is transferred to Google in the United States of America. This personal information is stored by Google in the United States of America. Google may transfer such personal data collected through the technical process to third parties.

The data subject can prevent the setting of cookies through our website, as shown above, at any time, by means of a corresponding setting of the Internet browser used and thus permanently prevent the setting of cookies. Such a setting of the Internet browser used would also prevent Google from setting a cookie on the data subject's information technology system. In addition, a cookie already set by Google Analytics can be deleted at any time via the Internet browser or other software programs.

Furthermore, the data subject has the option of objecting to and preventing the collection of the data generated by Google Analytics for the use of this website and the processing of this data by Google. To do this, the person must download and install a browser add-on from tools.google.com/dlpage/gaoptout . This browser add-on informs Google Analytics via JavaScript that no data and information about website visits may be transmitted to Google Analytics. The installation of the browser add-on is considered by Google to be an objection. If the data subject's information technology system is later deleted, formatted or reinstalled, the data subject must re-install the browser add-on to disable Google Analytics. If the browser add-on is uninstalled or disabled by the data subject or any other person within their sphere of control, it is possible to reinstall or reactivate the browser add-on.

Additional information and Google's privacy policy can be found at www.google.com/intl/en/policies/privacy/ and at www.google.com/analytics/terms/en.html. Google Analytics is explained in more detail under this link www.google.comanalytics/.

f) Privacy policy on the application and use of Google Remarketing
The controller has integrated Google Remarketing services into this website. Google Remarketing is a feature of Google AdWords that allows a business to show advertisements to those Internet users who have previously been on the company's website. The integration of Google Remarketing therefore allows a company to create user-friendly advertising and thus to display interest-based ads to Internet users.

The operating company for Google Remarketing is Google Inc., 1600 Amphitheater Pkwy, Mountain View, CA 94043-1351, USA.

The purpose of Google Remarketing is to show interest-based advertising. Google Remarketing allows us to display ads through the Google network or view them on other websites tailored to the individual needs and interests of Internet users.

Google Remarketing places a cookie on the data subject's information technology system. What cookies are has already been explained above. By setting the cookie, Google will be able to recognize the visitor to our website if he/she subsequently calls up websites that are also members of the Google ad network. With each visit to a website on which Google Remarketing's service has been integrated, the data subject's Internet browser automatically identifies itself to Google. As part of this technical process, Google receives information about personal data, such as the IP address or the surfing behavior of the user, which Google uses to, among other things, display interest-relevant advertising.

The cookie is used to store personal information, such as the websites visited by the data subject. Upon each visit to our website, personal information, including the IP address of the Internet connection used by the data subject, will be transferred to Google in the United States of America. This personal information is stored by Google in the United States of America. Google may transfer any such personal data collected through the technical process to third parties.

The data subject can prevent the setting of cookies through our website, as shown above, at any time by means of a corresponding setting of the Internet browser used and thus permanently prevent the setting of cookies. Such a setting of the Internet browser used would also prevent Google from setting a cookie on the data subject's information technology system. In addition, a cookie already set by Google Analytics can be deleted at any time via the Internet browser or other software programs.

Furthermore, the data subject has the opportunity to object to Google's interest-based advertising. To do this, the person concerned must access the link www.google.com/settings/ads from each of the Internet browsers they use and configure the desired settings there.

Additional information and Google's privacy policy can be found at www.google.com/intl/en/policies/privacy/.

g) Privacy policy on the application and use of Google AdWords
The controller has integrated Google AdWords into this website. Google AdWords is an Internet advertising service that allows advertisers to display ads in both Google's search engine results and within the Google advertising network. Google AdWords allows an advertiser to pre-set keywords that will display an ad on Google's search engine results only when the search engine retrieves a keyword-related search result. In the Google advertising network, ads are distributed on topical web pages using an automated algorithm and according to pre-defined keywords.

The operating company for the services of Google AdWords is Google Inc., 1600 Amphitheater Pkwy, Mountain View, CA 94043-1351, USA.

The purpose of Google AdWords is to promote our website by displaying interest-based advertising on third-party websites and in the search engine results of Google's search engine and by displaying advertisements on our website.

If a data subject arrives on our website via a Google ad, a so-called conversion cookie will be stored on the data subject’s information technology system by Google. What cookies are has already been explained above. A conversion cookie expires after thirty days and is not used to identify the data subject. If the cookie has not yet expired, the conversion cookie can be used to trace whether certain sub-pages, such as the shopping cart from an online shop system, were called up on our website. The conversion cookie allows both us and Google to understand whether a data subject who came to our website via an AdWords ad generated revenue, i.e. completed or canceled a purchase.

The data and information collected through the use of the conversion cookie are used by Google to create visit statistics for our website. These visit statistics are then used by us to determine the total number of users who have been sent to us through AdWords ads, in order to determine the success or failure of each AdWords ad and to optimize our AdWords ads for the future. Neither our company nor any other Google AdWords advertiser receives any information from Google that could identify the data subject.

The conversion cookie stores personally identifiable information, such as the webpages visited by the data subject. Upon each visit to our website, personal information, including the IP address of the Internet connection used by the data subject, will be transferred to Google in the United States of America. This personal information is stored by Google in the United States of America. Google may transfer such personal data collected through the technical process to third parties.

The data subject can prevent the setting of cookies through our website, as shown above, at any time by means of a corresponding setting of the Internet browser used and thus permanently prevent the setting of cookies. Such a setting of the Internet browser used would also prevent Google from setting a conversion cookie on the data subject's information technology system. In addition, a cookie already set by Google AdWords can be deleted at any time via the Internet browser or other software programs.

Furthermore, the data subject has the option of objecting to Google's interest-based advertising. To do this, the person concerned must access the link www.google.com/settings/ads from each of the Internet browsers they use and configure the desired settings there.

Additional information and Google's privacy policy can be found at www.google.com/intl/en/policies/privacy/ .

h) Privacy policy on the application and use of Matomo
The controller has integrated the Matomo component into this website. Matomo is an open source software tool for web analysis. Web analysis is the collection, gathering and analysis of data about the behavior of visitors to websites. Among other things, a web analysis tool collects data on the website from which a data subject came to a website (so-called referrers), which sub-pages of the website were accessed or how often and for which length of time a sub-page was viewed. Web analysis is mainly used to optimize a website and for the cost-benefit analysis of Internet advertising.

The software is operated on the controller's server, the data-protection-sensitive log files are stored exclusively on this server.

The purpose of the Matomo component is to analyze visitor flows on our website. Among other things, the controller uses the data and information obtained to evaluate the use of this website in order to compile online reports showing the activities on our website.

Matomo sets a cookie on the data subject's information technology system. What cookies are has already been explained above. By setting the cookie, we are able to analyze the use of our website. Upon each visit to one of the individual pages on this website, the internet browser on the data subject's information technology system is automatically triggered by the Matomo component to transmit data to our server for the purpose of online analysis. In the course of this technical process, we gain knowledge of personal data, such as the IP address of the person concerned, which among other things serves to help us understand the origin of visitors and clicks.

The cookie stores personally identifiable information, such as access time, the location from which access was made, and the frequency of visits to our website. Upon each visit to our website, this personal information, including the IP address of the Internet connection used by the data subject, is transmitted to our server. This personal data is stored by us. We do not share this personal information with third parties.

The data subject can prevent the setting of cookies through our website, as already indicated above, at any time by means of a corresponding setting of the Internet browser used and thus permanently prevent the setting of cookies. Such a setting of the Internet browser used would also prevent Matomo from setting a cookie on the data subject's information technology system. In addition, a cookie already set by Matomo can be deleted at any time via an Internet browser or other software programs.

Furthermore, the data subject has the option of objecting to and preventing the recording of the data generated by Matomo on the use of this website. To do this, the data subject must set Do Not Track on his/her browser.

By setting the opt-out cookie, however, it is possible that the controller's website is no longer fully usable for the data subject.

Further information and Matomo's applicable privacy policy can be found at matomo.org/privacy/.

i) Privacy policy on the application and use of Twitter
The controller has integrated Twitter components into this website. Twitter is a multilingual publicly available microblogging service where users can post and distribute so-called tweets, which are limited to 280 characters. These short messages are available to anyone, including non-Twitter subscribers. The tweets are also displayed to the so-called followers of the respective user. Followers are other Twitter users who follow a user's tweets. Twitter also allows you to address a broad audience via hashtags, links or retweets.

The operating company of Twitter is Twitter, Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA.

Each time one of the individual pages of this website, which is operated by the controller and into which a Twitter component (Twitter button) has been integrated, the Internet browser on the data subject's information technology system is automatically triggered to download a representation of the corresponding Twitter component from Twitter via the respective Twitter component. More information about the Twitter buttons is available at about.twitter.com/resources/buttons. As part of this technical process, Twitter receives information about which specific sub-page of our website the data subject visits. The purpose of the integration of the Twitter component is to allow our users to redistribute the contents of this website, to promote this website in the digital world, and to increase our visitor numbers.

If the data subject is simultaneously logged into Twitter, with each visit to our website by the data subject and during the entire duration of the respective stay on our website, Twitter can recognize which specific sub-page of our website the data subject visits. This information is collected through the Twitter component and assigned through Twitter to the data subject's Twitter account. If the data subject activates one of the Twitter buttons integrated into our website, the data and information transmitted with it are assigned to the personal Twitter user account of the data subject and stored and processed by Twitter.

Twitter always receives information via the Twitter component that the data subject has visited our website if the data subject is logged into Facebook at the same time as accessing our website; this happens regardless of whether the data subject clicks on the Twitter component or not. If such a transfer of this information to Twitter is not wanted by the data subject, the data subject can prevent the transfer by logging out of his/her Twitter account before calling up our website.

Twitter's applicable privacy policy is available at twitter.com/privacy.

j) Privacy policy on the application and use of Xing
The controller has integrated components from Xing into this website. Xing is an Internet-based social network that allows users to connect to existing business contacts and make new business contacts. The individual users can create a personal profile at Xing. Companies can, for example, create company profiles or publish job offers on Xing.

The operating company of Xing is XING SE, Dammtorstraße 30, 20354 Hamburg, Germany.

Each time one of the individual pages of this website, which is operated by the controller and into which a Xing component (Xing plugin) has been integrated, the Internet browser on the data subject's information technology system is automatically triggered to download a representation of the corresponding Xing component from Xing via the respective Xing component. More information about the Xing plugins can be found at dev.xing.com/plugins. As part of this technical process, Xing receives information about which specific sub-page of our website the data subject visits.

If the data subject is simultaneously logged into Xing, with each visit to our website by the data subject and during the entire duration of the respective stay on our website, Xing can recognize which specific sub-page of our website the data subject visits. This information is collected by the Xing component and assigned by Xing to the data subject's Xing account. If the data subject activates one of the Xing buttons integrated into our website, for example, the "Share" button, Xing assigns this information to the data subject's personal Xing user account and stores this personal data.

Xing always receives information from the Xing component that the data subject has visited our website if the data subject is simultaneously logged into Xing at the time of accessing our website; this happens regardless of whether or not the data subject clicks on the Xing component. If such a transfer of this information to Xing is not wanted by the data subject, the data subject can prevent the transfer by logging out of his/her Facebook account before calling up our website.

Xing's privacy policy, available at www.xing.com/privacy , provides information regarding the collection, processing and use of personal information by Xing. In addition, Xing has published its privacy policy for the XING Share button at www.xing.com/app/share.

k) Privacy policy on the application and use of YouTube
The controller has integrated YouTube components into this site. YouTube is an internet video portal that allows video publishers to freely watch video clips, and also allows other users free viewing, rating and comments. YouTube allows the publication of all types of videos, so that both complete film and television broadcasts, but also music videos, trailers or user-made videos are available via the Internet portal.

YouTube's operating company is YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, USA. YouTube, LLC is a subsidiary of Google Inc., 1600 Amphitheater Pkwy, Mountain View, CA 94043-1351, USA.

Upon each visit to one of the individual pages of this website, which is operated by the controller and on which a YouTube component (YouTube Video) has been integrated, the Internet browser on the data subject's information technology system is automatically triggered to download a representation of the corresponding YouTube component from YouTube via the respective YouTube component. More information about YouTube can be found at www.youtube.com/yt/about/en/. As part of this technical process, YouTube and Google receive information about which specific sub-page of our website the data subject visits.

If the data subject is simultaneously logged into YouTube, YouTube can recognize which specific sub-page of our website the data subject visits upon the calling up of a sub-page containing a YouTube video. This information is collected by YouTube and Google and associated with the data subject's individual YouTube account.

YouTube and Google always receive information via the YouTube component that the data subject has visited our website if the data subject is logged into YouTube at the same time as accessing our website; this happens regardless of whether the data subject clicks on the YouTube video or not. If such a transfer of this information to YouTube and Google is not wanted by the data subject, the data subject can prevent the transfer by logging out of his/her YouTube account before calling up our website.

YouTube's privacy policy, available at www.google.com/intl/en/policies/privacy/, provides information on the collection, processing and use of personal information by YouTube and Google.

l) Privacy policy on the application and use of DoubleClick
The controller has integrated DoubleClick from Google components into this website. DoubleClick is a Google brand, via which mainly specific online marketing solutions are marketed to advertising agencies and publishers.

DoubleClick from Google's operating company is Google Inc., 1600 Amphitheater Pkwy, Mountain View, CA 94043-1351, USA.

DoubleClick from Google transmits data to the DoubleClick server with every impression, click, or other activity. Each of these data transfers triggers a cookie request to the data subject's browser. If the browser accepts this request, DoubleClick sets a cookie on the data subject's information technology system. What cookies are has already been explained above. The purpose of the cookie is to optimize and display advertising. The cookie is used, among other things, to serve and display user-relevant advertisements, as well as to generate reports on advertising campaigns or to improve them. Furthermore, the cookie is used to avoid multiple integrations of the same adverts.

DoubleClick uses a cookie ID which is required to complete the technical process. The cookie ID is needed, for example, to display an ad in a browser. DoubleClick can also use the cookie ID to see which ads have already appeared in a browser to avoid duplication. DoubleClick also allows the cookie ID to track conversions. Conversions are captured, for example, when a user has previously been shown a DoubleClick ad and then, with the same Internet browser, makes a purchase on the advertiser's website.

A DoubleClick cookie does not contain any personally identifiable information. However, a DoubleClick cookie may contain additional campaign identifiers. A campaign identifier identifies the campaigns the user has already interacted with.

Upon each visit to one of the individual pages of this website, which is operated by the controller and on which a DoubleClick component has been integrated, the Internet browser on the data subject's information technology system is automatically triggered by the relevant DoubleClick component in order to transfer the online advertising and commission billing to Google. As part of this technical process, Google will be aware of data that Google uses to create commission billing. Google is able to see, among other things, that the data subject has clicked on certain links on our website.

The affected person can prevent the setting of cookies through our website, as shown above, at any time by means of a corresponding setting of the Internet browser used and thus permanently prevent the setting of cookies. Such a setting of the Internet browser used would also prevent Google from setting a cookie on the data subject's information technology system. In addition, cookies already set by Google can be deleted at any time via an Internet browser or other software programs.

Additional information and DoubleClick from Google's applicable privacy policy can be found at www.google.com/intl/en/policies/.

2. DATA PROTECTION IN APPLICATIONS AND DURING THE APPLICATION PROCEDURE

The controller collects and processes the personal data of applicants for the purpose of completing the application process. The processing can also be done electronically. This is particularly the case if an applicant submits corresponding application documents by electronic means, for example, by email to the controller. If the controller concludes a contract of employment with an applicant, the data transmitted will be stored for the purposes of the employment relationship in accordance with the law. If no contract of employment with the candidate is concluded by the controller, the application documents will be automatically deleted six months after the rejection decision has been announced, provided that deletion does not prejudice any other legitimate interests of the controller. Other legitimate interests in this sense include, for example, a burden of proof in a procedure under the Federal General Equal Treatment Act (AGG).

Information about processing

Data category: Address data, contact details
Purpose: Identification, establishment of contact, communication for contract initiation
Legal basis: Art. 6 (1) (b) GDPR
Storage period: 6 months

Data category: Personal master data
Purpose: Identification, establishment of contact, age verification
Legal basis: Art. 6 (1) (b) GDPR
Storage period: 6 months

Data category: Application data
Purpose: Candidate selection
Legal basis: Art. 6 (1) (b) GDPR
Storage period: 6 months

Personal applicant data may be shared with other business units, but not with third parties.

3. DATA PROTECTION IN RELATION TO CUSTOMER CONTACT / CUSTOMER RELATIONSHIP

The following information describes how your personal information is processed when you contact us as a customer:

Information about processing

Data category: Personal master data, address data, contact data, content of inquiries / complaints
Purpose: Processing of customer inquiries and user complaints
Legal basis: Art. 6 (1) b), f)
If necessary, legitimate interest: Customer loyalty, improving our service
Storage period: Processing the request

Recipient of personal data

Recipient category: Service provider for IT support and hosting
Affected data: Personal master data, address data, contact data, contents of inquiries / complaints
Legal basis: Art. 28 GDPR

4. DATA PROTECTION FOR THE PERFORMANCE OF COMPETITIONS

The following information describes how your personal information will be processed when you enter into a competition that we are conducting on behalf of our customers:

Information about processing

Data category: Personal master data, address data, contact details Purpose: Edelman carries out competitions on behalf of the customers. The technical basis is provided by the customers. The customer also determines how the competition is to be carried out, e.g. via postcards or web-based.
Legal basis: Art. 28 GDPR
Storage period: Usually until the end of the competition or, if applicable, in accordance with deviating instructions from the customer

Recipient of personal data

Recipient category: Customer
Affected data: Personal master data, address data, contact details
Legal basis: Art. 28 GDPR

5. PRIVACY POLICY FOR COOPERATION WITH JOURNALISTS / KEY OPINION LEADERS / INFLUENCERS / STAKEHOLDERS

The following information describes how your personal information is processed when you work for us as a journalist / key opinion leader / influencer or stakeholder:

Information about processing

Data category: Personal master data, address data, contact details, payment details
Purpose: Edelman carries out projects on behalf of the customer which require the cooperation of journalists, key opinion leaders / influencers.
Legal basis: Art. 6 (1) a), b), Art. 28 GDPR

Legitimate interest: Informing of press representatives, maintaining PR / journalist contacts

Storage period: Generally for the duration of the project, but longer if necessary and appropriate consent has been granted.

Recipient of personal data

Recipient category: possibly customer
Affected data: Personal master data, address data, contact details, payment details
Legal basis: Art. 28 GDPR

6. DATA PROTECTION FOR COOPERATION WITH PATIENTS

The following information describes how your personal information is processed when you collaborate on a project with us as a patient:

Information about processing

Data category: Personal master data, address data, contact details, payment details, data pursuant to Art. 9 GDPR (health data is relevant here)
Purpose: Edelman carries out projects on behalf of the customer - patient surveys can be relevant here
Legal basis: Art. 6 (1) a), Art. 28 GDPR
Storage period: Generally for the duration of the project, but longer if necessary and appropriate consent has been granted or as directed by the customer

Recipient of personal data

Recipient category: possibly customer
Affected data: Personal master data, address data, contact details, payment details, data pursuant to Art. 9 GDPR
Legal basis of the transfer: Art. 28 GDPR

7. EXISTENCE OF AN AUTOMATED DECISION FINDING

As a responsible company we refrain from automated decision-making or profiling.

IV RIGHTS OF THE DATA SUBJECT

a) Right to confirmation
Each data subject has the right, as granted by the European Directive and Regulation Givers, to require the controller to confirm whether personal data relating to him or her are being processed. If a data subject wishes to make use of this right to confirmation, he/she can contact an employee of the controller at any time.

b) Right to information
Each person affected by the processing of personal data has the right granted by the European Directive and Regulation Givers to obtain at any time free information from the data controller on the personal data stored about him/her and a copy of this information. Furthermore, the European Directive and Regulation Giver must provide the data subject with the following information:

- the processing purposes
- the categories of personal data being processed
- the recipients or categories of recipients to whom the personal data is or will be disclosed, in particular for beneficiaries in third countries or international organizations
- if possible, the planned duration for which the personal data is to be stored or, if that is not possible, the criteria for determining that duration
- the right to rectify or erase the personal data concerning them or to limit the processing or to refuse processing by the controller
- the existence of a right of appeal to a supervisory authority
- if the personal data is not collected from the data subject: All available information on the source of the data
- the existence of automated decision-making including profiling in accordance with Article 22 (1) and (4) GDPR and, at least in these cases, meaningful information on the logic involved and the scope and intended impact of such processing for the data subject

In addition, the data subject has a right to information in relation to whether personal data has been transmitted to a third country or to an international organization. If that is the case, then the data subject has the right to obtain information about the appropriate guarantees existing in connection with the transfer.

If a data subject wishes to exercise this right to information, he/she may at any time contact an employee of the controller.

c) Right to rectification
Any person affected by the processing of personal data has the right granted by the European Directive and Regulation Givers to demand the immediate correction of incorrect personal data concerning him/her. Furthermore, the data subject has the right to request the completion of incomplete personal data, including by means of a supplementary declaration, taking into account the purposes of the processing.

If a data subject wishes to exercise this right of rectification, he/she may, at any time, contact an employee of the controller.

d) Right to deletion (right to be forgotten)
Any person affected by the processing of personal data shall have the right granted by the European Directive and Regulation Givers to require the controller to immediately delete the personal data concerning him/her, if any of the following reasons apply and if the processing is not required:

-The personal data has been collected or otherwise processed for purposes for which they are no longer necessary.
- The data subject withdraws the consent on which the processing was based as per Art. 6 (1) (a) GDPR or Art. 9 (2) (a) GDPR and there is no other legal basis for the processing.
- The data subject submits an objection to the processing in accordance with Art. 21 (1) GDPR, and there are no legitimate reasons for the processing, or the data subject submits an objection to the processing in accordance with Art. 21 (2) GDPR.
- The personal data was processed unlawfully.
- The deletion of personal data is required to fulfill a legal obligation under the law of the European Union or that of the Member State to which the controller is subject.
- The personal data was collected in relation to information society services offered pursuant to Art. 8 (1) GDPR.

If one of the above reasons is correct and a data subject wishes to arrange for the deletion of personal data stored at Edelman GmbH, he/she may at any time contact an employee of the controller. The employee of the Edelman GmbH will arrange that the deletion request be fulfilled immediately.

If the personal data has been made public by Edelman GmbH and if our company is responsible for deleting personal data as the controller pursuant to Art. 17 (1) GDPR, Edelman GmbH shall take appropriate measures in consideration of the technology available and the implementation costs, including those of a technical nature, in order to inform other data controllers processing the personal data published that the data subject has requested these other data controllers to delete all links to this personal data or any copies or replicas of this personal data, insofar as the processing is not required. The employee of Edelman GmbH will arrange the necessary steps in individual cases.

e) Right to restrict processing
Any person affected by the processing of personal data shall have the right granted by the European Directive and Regulations Giver to require the controller to restrict the processing if one of the following conditions is met:

- The accuracy of the personal data is disputed by the data subject, with processing being restricted for a period of time that enables the controller to verify the accuracy of the personal data.
- The processing is unlawful, the data subject refuses to delete the personal data and instead requests the restriction of the use of the personal data.
- The controller no longer needs the personal data for the purposes of processing, but the data subject requires them to assert, exercise or defend legal claims.
- The data subject has objected to the processing as per Art. 21 (1) GDPR and it is not yet clear whether the legitimate reasons of the controller outweigh those of the data subject.

If one of the above-mentioned conditions is met and a data subject wishes to request the restriction of personal data stored by Edelman GmbH, he/she may at any time contact an employee of the controller. The employee of Edelman GmbH will initiate the restriction of processing.

(f) Data transferability
Each person concerned by the processing of personal data has the right granted by the European Directive and Regulations Giver to receive the personal data concerning him or her provided to a controller by the data subject in a structured, common and machine-readable format , He/she also has the right to transfer this data to another controller without hindrance by the controller to whom the personal data was provided, provided that the processing is based on consent pursuant to Art. 6 (1) (a) GDPR or Art. 9 (1) (b) 2 (a) GDPR or on a contract pursuant to Art. 6 (1) (b) GDPR and processing is carried out by means of automated processes, unless the processing is necessary for the performance of a task of public interest or in the exercise of public authority which has been assigned to the controller.

Furthermore, in exercising their right to data transferability under Article 20 (1) GDPR, the data subject has the right to demand that the personal data are transmitted directly from one controller to another, insofar as this is technically feasible and insofar as this does not affect the rights and freedoms of others.

To assert the right of data transferability, the data subject may at any time contact an employee of Edelman GmbH.

g) Right to objection
Any person concerned by the processing of personal data shall have the right granted by the European Directive and Regulations Giver at any time, for reasons arising from his/her particular situation, to lodge an objection against the processing of personal data relating to him/her under Art. 6 (1) (e) or (f) GDPR. This also applies to profiling based on these provisions.

Edelman GmbH will no longer process the personal data in the event of an objection, unless we can prove compelling reasons for processing which are worthy of protection, which outweigh the interests, rights and freedoms of the data subject, or if the processing serves the purpose of asserting, exercising or defending legal claims.

If Edelman GmbH processes personal data in order to operate direct marketing, the data subject has the right to object at any time to the processing of personal data for the purpose of such advertising. This also applies to profiling, insofar as it is associated with such direct marketing. If the data subject objects to Edelman GmbH processing data for the purposes of direct marketing, Edelman GmbH will no longer process the personal data for these purposes.

In addition, the data subject has the right, for reasons arising from his/her particular situation, to object to the processing of personal data concerning him/her, processed by Edelman GmbH for purposes of scientific or historical research or for statistical purposes pursuant to Art. 89 (1) GDPR, unless such processing is necessary to fulfill a task of public interest.

In order to exercise the right to objection, the data subject can directly contact any employee of Edelman GmbH or another employee. The data subject is also free, in the context of the use of information society services, notwithstanding Directive 2002/58/EC, to exercise his/her right to objection by means of automated procedures using technical specifications.

h) Automated decisions on a case-by-case basis, including profiling
Each person concerned by the processing of personal data has the right granted by the European Directive and Regulations Giver not to be subject to a decision based exclusively on automated processing, including profiling, which will have a legal effect on him/her or similarly significantly affect him/her, unless the decision (1) is necessary for the conclusion or performance of a contract between the data subject and the controller, or (2) is permitted under the legislation of the European Union or of Member States to which the controller is subject and any such legislation contains appropriate measures to safeguard the rights, freedoms and legitimate interests of the data subject; or (3) with the express consent of the data subject.

If the decision (1) is required for the conclusion or performance of a contract between the person concerned and the person responsible or (2) it takes place with the express consent of the data subject, Edelman GmbH shall take appropriate measures to safeguard the rights and freedoms as well as to safeguard the legitimate interests of the data subject, including at least the right to obtain the intervention of a person on the side of the controller, who can express the data subject's position and to contest the decision.

If the data subject wishes to exercise his/her rights in relation to automated decision-making, they can contact an employee of the controller at any time.

i) Right to withdraw data protection consent
Any person affected by the processing of personal data shall have the right, granted by the European Directive and Regulations Giver, to withdraw consent to the processing of personal data at any time.

If the data subject wishes to assert his/her right to withdraw consent, he/she may, at any time, contact an employee of the controller.

Each person affected by the processing of personal data has the right granted by the European Directive and Regulation Givers to obtain at any time free information from the data controller on the personal data stored about him/her and a copy of this information. Furthermore, the European Directive and Regulation Giver must provide the data subject with the following information:

If a data subject wishes to exercise this right to information, he/she may at any time contact an employee of the controller.

c) Right to rectification
Any person affected by the processing of personal data has the right granted by the European Directive and Regulation Givers to demand the immediate correction of incorrect personal data concerning him/her. Furthermore, the data subject has the right to request the completion of incomplete personal data, including by means of a supplementary declaration, taking into account the purposes of the processing.

If the data subject wishes to assert his/her right to withdraw consent, he/she may, at any time, contact an employee of the controller.

j) Right to complain
You have the right to complain to a supervisory authority

8. DATA PROTECTION FOR FREE DOWNLOAD OFFERS

The following information describes how your personal data is processed when you take advantage of offers from our company to download free documents such as the Edelman Trust Barometer:

Processed information

Data category: personal master data, contact data

Purpose: Contact by email for the possible generation of new business in return for the free download of documents

Legal basis: Article 6(1)(a) GDPR

Storage period: Until you revoke your consent

Recipient of personal data

Your personal data will not be transferred to other parties.