Privacy statement

We are legally required to publish the following privacy statement. It contains information on who we are, what type of data we store and for what purposes. The privacy statement also contains information on the initial data transfer and the type of transmitted data.

1. Subject of privacy

Privacy is about personal data. Personal data are details related to the personal environment of an identified or identifiable individual. Examples are name, postal address, email address but also user data such as a computer's IP address.

2. Automatic anonymous collection, processing and use of data / use of cookies

Every time you visit our website, information is automatically transmitted to the server of our website by the internet browser installed on your device (computer, laptop, tablet, smartphone). This information is temporarily stored in a log file. The following data is collected without your intervention and stored until automated deletion:

• Browser type and version
• Operating system of your device
• Referrer URL (source of a link) or requesting domain,
• IP address (host name of the computer being used), device ID or individual device ID and device type, and name of the access provider
• Time of server request
• Name of the retrieved file and the amount of data transferred, together with the date and time of retrieval and the message indicating successful retrieval
• Your browser history and default weblog information

This data cannot be assigned to specific persons. This data is not merged with other data sources.

We use this data to analyse and eliminate possible technical faults and/or abuses of our website.

The legal basis for this is Article 6 para. 1 lit. f of the GDPR (weighing of interests - based on our legitimate interest in being able to operate this website as far as possible without technical or other disturbances, being able to guarantee you a smooth connection setup and the comfortable use of our website and being able to carry out evaluations of system security and stability).

A cookie is a small text file that is placed on your hard disk by a website. First of all, a cookie is used to store information about your visit. For example, whether you agreed to see videos or online maps. This ensures that you don't have to make these settings every time.

The cookies of our websites do not collect any personal data about you. You can deactivate the use of cookies at any time via the settings of your browser.

In most browsers, you can configure the browser to reject new cookies or disable cookies that were already accepted. To do so, open the Settings menu from the menu bar and select the appropriate setting. This may, however, impair certain website functions. If you still choose to limit the use of cookies, make sure that your preferred security level has been set on each computer and browser that you work with.

2.1 We distinguish between the following cookie types and functions

• Temporary cookies (also known as session cookies): After closing your browser, these cookies will be deleted.
• Permanent cookies: These cookies remain stored even after you close your browser. This enables us, for example, to recognise for our statistics when you visit our website again.
• First-party cookies: These cookies are set by ourselves.
• Third-party cookies: These are cookies that are set by third parties.
• Necessary cookies: You need these cookies for technical reasons, for example for reasons of security, so that you can browse our website.
• Customer Login: You need these cookies in order to be able to log into the protected area on our website and to be able to use the DAT online applications.
• Statistics: We need these cookies to measure the reach of or website and for website analysis - they enable us to recognise which content is most popular and most interesting for you.
• Comfort: You must agree to these cookies in order to be able to use special services on our website without restriction. For example, if you want to watch the videos embedded on our website or if you want to view the online maps.

2.2 Legal basis of the use of cookies

If you are browsing our website for the first time, we ask you to consent to the use of cookies. You can decide which cookies you accept and whether you want to extend this setting in the future individually in the cookie box that opens on your first visit. If you consent to the use of cookies, this consent is the legal basis in Art. 6 para. 1 sent. 1 lit. a GDPR in the processing of your data. Furthermore, we have a legitimate interest according to Art. 6 para. 1 sent. 1 lit. f. GDPR in the economic operation of our online offer and its continuous improvement.

You have the possibility to revoke your consent at any time. For example, by making appropriate browser settings to deactivate the cookies or by opting out of the statistical cookies via the corresponding section in this privacy policy.

2.3 Reach analysis / Statistics

We evaluate the use of our website statistically. We collect visitor flows, frequently used content, clicked links, entry and exit points on the website and the length of stay on our pages. This allows us to see where we need to adjust in order to be able to provide you with an attractive website in the future, where you can reach your destination with as few clicks as possible and where you will find many services that are useful to you. No matter which device you use - our aim is that all pages are displayed in a reader-friendly manner on all devices. Statistical analysis enables us to tailor the content of our website even better to your personal interests.

In the course of the reach analysis, the IP addresses of the users are also stored, but in anonymised form, or more precisely: pseudonymised. That is, under a random identification number.

Matomo

All information we collect about your usage behaviour is only stored on our own servers ("self-hosting") and does not reach third parties. We use the collected data only for the purpose of tracking. The server location is Germany. The cookies used to track your visits have a maximum storage period of 13 months.

We usually record your visits to our site via cookies. If you do not agree to the collection of data by cookies, we will first save your visit using a so-called "digital fingerprint", which is stored anonymously. Your digital fingerprint is composed of the anonymised and pseudonymised IP address in combination with your browser setting. We are not able to draw conclusions about your identity. In addition, your digital fingerprint changes every 24 hours. Thus, we are not able to analyse your surfing behaviour on our pages over several days. Also, we can't create user profiles in this way. Furthermore, your surfing behaviour is not recorded across several different websites of third-party providers.

Specific notes – SilverDat myClaim

We use Matomo to analyse our customers' usage behaviour and draw conclusions about how often individual components are used. During this process it is not possible for us to establish the identity of individuals or to analyse behaviour with our application over multiple days. The following data is gathered when using Matomo:

• Customer's role (e.g. workshop, manufacturer, insurance company)
• The myClaim network used (e.g. SD3)
• How often individual components (e.g. Geo-Tool, address book, partner management) are used in myClaim
• Use of other DAT services in myClaim (VIN request, valuation, calculation)

Revoke your consent to tracking / objection / opt-out: Do you wish to be excluded from Matomo tracking in the future? Then please click the link below and your visits to our website will no longer be recorded:

2.5 Other embedded services and functions

The Internet thrives on connections. For this reason, you will not only find our own content on our website. We have also included various third-party content that either improves the technical functionality or the content attractiveness of our website: video material, postcode-based queries, online maps.

When you visit one of our pages with such third-party content, your browser establishes a direct connection to the servers of the respective provider and retrieves the content there to display it to you.

Whenever you access such embedded content, it is necessary to provide your IP address to this third party provider. This is the only way to transfer the content directly to your browser. We always consider very carefully which third-party services we use.

Your consent is required before using these services. Either by accepting cookies in the so-called cookie box when you first visit our website ("Comfort" category) or individually if you want to use a service (e.g. opening a video).

Here you can see at a glance what data is passed on to the corresponding service providers for what purpose and on what legal basis in the course of the embedded services:

• Types of data processed: Usage data (e.g. websites visited, access times), meta/communication data (e.g. device information, IP addresses), content data (e.g. text entries of post codes).
• Affected persons: Visitors to our website
• Purpose of data processing: Legitimate interest according to Art. 6 para. 1 sent. 1 lit. f. GDPR on an economically operated, user-friendly website with information relevant to the visitor. Consent by accepting the cookies is requested, so that there is consent in accordance with Art. 6 para. 1 sent. 1 lit. a GDPR.

Google Maps

From the provider Google, we use embedded online maps as well as functionalities to make inquiries based on entered post codes. Google mainly processes IP addresses and location data of our website visitors. However, they usually only do so if settings have been made on the respective devices and you as a user have consented.

Service provider information: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Its parent company is Google LLC, 1600 Amphitheater Parkway, Mountain View, CA 94043, USA.
Website: https://maps.google.de Privacy statement available at https://policies.google.com/privacy. Google ensures a certain level of data protection when processing data in the USA. You can object (opt-out option) using the following link: https://tools.google.com/dlpage/gaoptout?hl=de.  If you wish to revise the appearance of advertisements, please navigate to the following page: https://adssettings.google.com/authenticated.

YouTube

On our website we have embedded videos from YouTube. We use a special domain for this purpose (you can recognise this by the URL component youtube-nocookie) in order to carry out the linking in the data-saving Extended data protection mode. This means that no cookies are tracked for your activities as a user in order to personalise the playback of the video. However, information about your interaction with the video (e.g. YouTube remembers the position of the last playback) can be saved.

Service provider information: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Irland. Mutterunternehmen ist die Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Website: https://www.youtube.com. Privacy statement available at https://policies.google.com/privacy. Google ensures a certain level of data protection when processing data in the USA. You can object (opt-out option) using the following link: https://tools.google.com/dlpage/gaoptout?hl=de.  If you wish to revise the appearance of advertisements, please navigate to the following page: https://adssettings.google.com/authenticated.

Kameleoon

We use the services of Kameleoon to gain a better understanding of how you use our website. For this purpose, we export website content in a slightly varied form (so-called A/B testing) and analyse the use. Personalised versions of our website can also be displayed for different user groups. Based on this user feedback or on these click-tracking results, we can optimise our website, program our online forms even more clearly and make them even more exciting and interesting for you as a user of our pages. This is our legitimate interest according to Art. 6 para. 1 sent. 1 lit. f. GDPR.

Kameleoon does not store any personal data. Likewise, no IP addresses are stored, but instead an ID is generated by random numbers. This complete anonymisation and pseudonymisation ensures a higher level of data protection. Kameleoon undertakes not to pass on or otherwise use the data collected on our website to third parties.

Information on the service provider and address: Kameleoon GmbH, Beim Alten Ausbesserungswerk 4, 77654 Offenburg. Server location is Germany. Information on the GDPR compliance of the Kameleoon service can be found here: https://www.kameleoon.com/de/compliance/dsgvo.

Legal basis of the use of Kameleoon according to GDPR: When you visit our website for the first time, we ask you in the cookie box whether you accept the corresponding cookies for the use of Kameleoon. If you consent, we have consent in accordance with Art. 6 para. 1 sent. 1 lit. a GDPR. Furthermore, we invoke our legitimate interests under Art. 6 para. 1 sent. 1 lit. f. GDPR.

Your right to be forgotten: Kameleoon allows the deletion of all personal data within 72 hours.

Revoke your consent to collect your feedback by Kameleoon / objection / opt-out: Would you like to be excluded from the collection of your data by Kameleoon? Then please click on the following link:

In the event of your withdrawal of consent, a cookie is automatically created, which disables the collection of information by Kameleoon and which deactivates this solution. You will be excluded from future testing by Kameleoon. Please note: If you delete your cookies in the browser, you must click the above link a second time.

Good to know: If your consent is revoked, your personal data will not be processed in connection with the use of the Kameleoon software; also not on the basis of a possible balancing of interests between your consent pursuant to Art. 6 para. 1 sent. 1 lit. a and our legitimate interest pursuant to Art. 6 para. 1 sent. 1 lit. f GDPR.

Mouseflow

This website uses Mouseflow, a web analysis tool of Mouseflow ApS, Flaesketorvet 68, 1711 Copenhagen, Denmark. The data processing serves the purpose of analysing this website and its visitors.

For this purpose, data is collected and stored for marketing and optimisation purposes. Use profiles can be created from this data under a pseudonym. Cookies can be used for this purpose. The web analysis tool Mouseflow records randomly selected individual visits (only with anonymised IP address). This results in a log of mouse movements and clicks with the intention of replaying individual website visits on a random basis and deriving potential improvements for the website. Without the user's explicit consent, the data collected by Mouseflow is not used to identify the visitor of this website, and the data is not merged with personal data about the pseudonym owner.

The processing is carried out on the basis of Art. 6 (1) f GDPR out of the legitimate interest in direct customer communication, in the website analysis and in the needs-based design of the website and/or in the improvement of the website. You have the right to object at any time, for reasons arising from your particular situation, to this processing of personal data concerning you based on Art. 6 (1) f GDPR. To do this, you can disable a record on all websites that use Mouseflow globally for your browser currently in use at the following link: https://mouseflow.de/opt-out/

A contract for data processing between DAT and Mouseflow has been concluded.

Information on the service provider and address: Mouseflow ApS, Flaesketorvet 68, 1711 Copenhagen, Denmark. Information on the GDPR compliance of Mouseflow's service can be found here: https://mouseflow.com/de/gdpr/.

Legal basis of the use of Mouseflow according to GDPR: When you visit our website for the first time, we ask you in the cookie box whether you accept the corresponding cookies for the use of Mouseflow. If you consent, we have consent in accordance with Art. 6 para. 1 sent. 1 lit. a GDPR. Furthermore, we invoke our legitimate interests under Art. 6 para. 1 sent. 1 lit. f. GDPR.

Revoke your consent to collect your feedback by Mouseflow / Opposition / Opt-out: Would you like to be excluded from the collection of your data by Mouseflow? Then please click on the following link: https://mouseflow.de/opt-out/

CrossEngage

This website uses the tool CrossEngage, a Customer Data Platform (CDP) of CrossEngage GmbH, Bertha-Benz-Straße 5, 10557 Berlin. The data processing serves the purpose of analysing and tracking this website and its visitors, event tracking and to create tailor-made offers for our website visitors.

For example, by using CrossEngage, we can show you individualised content and offers. CrossEngage is a cross-channel marketing platform with the goal of providing a personalised, real-time approach to customers through different channels.

If you have consented to the use of CrossEngage, user data from all relevant data sources will be consolidated and made available for the design and execution of effective campaigns. Among other things, your e-mail address will be passed on to CrossEngage in order to be able to send you e-mails based on the behaviour.

In order to be able to design and display this content, various cookies are set when using this website, which are regularly deleted after 15 months. The data determined via the cookies are pseudonymised for us by our order processor CrossEngage.

The following data is collected for marketing purposes: information about browsers, date and time of the visit, reference URL, IP address, operating system, information about the visited pages.

Data processing takes place in Europe. The data is not passed on to third parties. For more information, see https://www.crossengage.io/de/datenschutzerklaerung/.

A contract for data processing between DAT and CrossEngage has been concluded.

Legal basis of the use of CrossEngage according to GDPR: When you visit our website for the first time, we ask you in the cookie box whether you accept the corresponding cookies for the use of CrossEngage. If you consent, we have consent in accordance with Art. 6 para. 1 sent. 1 lit. a GDPR. Furthermore, we invoke our legitimate interests under Art. 6 para. 1 sent. 1 lit. f. GDPR. More precisely, it is justified by the legitimate interest in direct customer communication.

Revoke your consent to collect your feedback through CrossEngage / Opposition / Opt-out: Do you want to be exempted from CrossEngage collecting your data? Then please click on the following link:

2.6 Your currently selected cookie settings

You can review and change your currently selected cookie settings for this website by clicking the following link:

3. Requested collection, processing and use of personal data

Basically, using the website does not require any personal data to be collected, processed or used. We consequently do not engage in such collection, processing or use of data.

We will only collect, process and use personal data if you provide your personal data voluntarily to us. This may be necessary in the following cases:

3.1. Registration

The conclusion of a contract requires prior registration. For this purpose, it is necessary to provide personal data. The following personal data are requested during this process:

• Last name, first name
• Address
• E-mail address
• Phone number

If you submit your data in the course of a contact request, we assume that you have obtained consent in accordance with Article 6 para. 1 lit. a and Article 7 GDPR. If we can infer from your contact request that it is aiming for a business relationship, we assume a contract initiation in accordance with Article 6 para. 1 lit. b GDPR.

3.2.1 Newsletters and necessary e-mails from DAT

If you choose to receive our newsletter, we will need a current e-mail address assigned to you as well as other personal data that enable us to validate you as the owner of the provided e-mail address. You can revoke your consent to the storage of personal data, the e-mail address and their use for sending the newsletter at any time.

Occasionally, you also receive necessary e-mails from us. Unlike newsletters, you cannot unsubscribe from them. Please read the background to these necessary e-mails from DAT here.

3.2.2 SilverDAT Newsletter

In the SilverDAT Newsletter, you receive information about DAT and DAT products as well as the used-car market and regular surveys on current topics. The newsletter is free of charge and is aimed at people over the age of 16.

Newsletter registration and double opt-in procedure

When you register for the SilverDAT Newsletter, we collect your first name, last name and form of address in addition to your personal e-mail address (mandatory field) in the registration form. These are the so-called master data. This is the only way we are able to address you personally in the newsletter. Of course, you will also receive the SilverDAT Newsletter if you leave these optional fields empty. We do not share this information with third parties.

We are required by law to be able to prove that you have actually registered yourself for our newsletter. In other words, it is a matter of proving effective consent.

We verify this by sending you a confirmation e-mail after you have sent us the registration form. If you are the legitimate e-mail owner, click the confirmation link. You thus give a second consent (double opt-in) to register for the newsletter. It is impossible for someone else to sign you up for the newsletter.

Your registration for the newsletter will be stored by us; these are the so-called registration data: time of registration, IP address, e-mail address, click on the confirmation link.

Legitimate consent according to the General Data Protection Regulation, Article 6 para. 1 lit. a is thus ensured. Logging of the registration data corresponds to our legitimate interest for the purpose of a proper procedure and the interest in providing an efficient and secure newsletter dispatch platform.

To protect the registration form from bot spam, we use the service of the company Friendly Captcha GmbH, Am Anger 3-5, 82237 Wörthsee, Germany, via the dispatch service provider Inxmail GmbH. Their data protection regulations for end users can be viewed here: https://friendlycaptcha.com/de/legal/privacy-end-users/. The use of this service is a legitimate interest, the legal basis is therefore Art. 6 para. 1 lit. f of the GDPR.

Newsletter dispatch provider

We send the newsletter via the service provider Inxmail GmbH, Wentzingerstraße 17, 79106 Freiburg. Website: www.inxmail.de.
The data protection regulations can be found here: www.inxmail.de/datenschutz.
DAT has concluded a contract with Inxmail GmbH for order data processing in accordance with Article 28 of the EU General Data Protection Regulation (GDPR).

Evaluation of usage behaviour

We use so-called newsletter tracking in our newsletter. Receiver reactions (opening a mailing, clicking on text and picture links, downloading pictures with an e-mail program) are recorded and stored anonymously for statistical purposes. It is not possible to draw conclusions about individual users from the stored data.

If you as a user have expressly consented beforehand, the aforementioned recipient responses (usage data) are recorded and stored in a personalised manner. With the help of this usage data, we can better align the content of the newsletter with your personal interests. You also have the possibility to revoke your consent to the collection and evaluation of personal usage behaviour at any time separately from your consent to receive the newsletter via the revocation link contained in each newsletter.

As a legal basis for our newsletter tracking, we see a legitimate interest under the General Data Protection Regulation, Art. 6 para. 1 lit. f. On the one hand, there is an interest to be able to design a newsletter that is useful to you, relevant and reader-friendly. On the other hand, there is a legitimate business interest in improving efficiency from a business point of view.

Storage period of your data / deletion of your data

As long as you receive the newsletter, we store master data, registration data and usage data. If you unsubscribe from the newsletter, we delete master data and usage data immediately. However, we may store your e-mail addresses for up to three years based on our legitimate interest before deleting them: If necessary, we must prove and document your prior consent with the purpose of possible defence against claims.

Termination / Revocation

To unsubscribe from the newsletter or to terminate the registration and evaluation of the personal user behaviour, you will find a corresponding link at the end of the newsletter. You can terminate the contract at any time yourself using this unsubscribe link.

In general, you can also revoke your consent to use your data at any time via: info@dat.de

Your basic rights

Of course, your basic rights also apply to you with regard to the newsletter.

• Right to object: You have the right to object at any time to the processing of your personal data.
• Right of withdrawal for consents: You can revoke your consent at any time
• Right to information: You can ask us at any time for information about which of your data we have stored. You will receive a copy of the data. This information is free of charge for you.
• Right to rectification: Did we make a mistake in the storage or processing of your personal data? Has anything changed and you want to correct it immediately? Do you want to add incomplete data?
• Right to restriction of data processing and deletion / Your "right to be forgotten": You have the right to demand that relevant data be deleted without delay, taking into account the legal requirements. Likewise, you can demand a restriction of the processing of the data, also according to legal requirements.
• Right to data portability: You have the right to receive all personal data that you have provided to us in a structured, common format that you can also read.
• Right to complain to a supervisory authority: You have the right to complain to a supervisory authority if you believe that the processing of your personal data violates the GDPR.

If you would like to exercise any of these rights, please contact the contact person below or simply by e-mail info@dat.de

3.3. Collection of the e-mail address for the free-of-charge used-vehicle valuation ("What is my car worth?")

When you visit the free-of-charge used vehicle valuation at https://www.dat.de/gebrauchtfahrzeugwerte/, you can optionally enter your e-mail address. This is not a prerequisite for the use of the free-of-charge used-vehicle valuation.

Your e-mail address will not be passed on to third parties. By providing your e-mail address you will be able to optionally benefit from further services in connection with the used-vehicle values in the future and we draw your attention to interesting offers in direct relation to the used-vehicle valuation. Likewise, when booking further services in connection with the used-vehicle values, you avoid multiple entry of your e-mail address, because your e-mail address remains stored in your browser for the duration of your current website visit and is retrieved if necessary.

If you decide to book an expert service after the used-vehicle valuation, we will only send your e-mail address to this expert office so that it can clarify with you the details of the booked appointment. This is done within the scope of contract initiation pursuant to Art. 6 para. 1 lit. b GDPR.

The processing of your e-mail address is carried out on the legal basis of Article 6 para. 1 sent. 1 lit. f GDPR out of the legitimate interest in direct customer communication, the optimisation of our website as well as a more comfortable use of our used-vehicle values and booking functionality.

You would like to object to the use of your e-mail address in connection with the used-vehicle values? In the event that you receive an automated e-mail from us with regard to the used-vehicle values, you have the option in each individual e-mail to revoke further e-mails via the unsubscribe link. In general, you can also revoke your consent to use your data at any time via: info@dat.de.

Storage period: If you do not opt for further services in connection with the used-vehicle values or use the vehicle value request repeatedly, we will delete your e-mail address from the system after three months.

3.4. Applicant management with SAP Recruiting (as of April 4, 2022)

With the following information, we would like to give you an overview of how we process your personal data as an applicant and your rights under the General Data Protection Regulation (Regulation (EU) 2016/679 - "DSGVO") and the Federal Data Protection Act ("BDSG").

3.4.1. Responsible persons and Data Protection Officer

Due to the structure of our group of companies, some of the business functions that entail the processing of applicant data are performed centrally through the head office for the employment company and the other affiliated companies. Against this background, a large part of the data processing concerning you is also carried out centrally by the head office of Deutschen Automobil Treuhand GmbH, Hellmuth-Hirth-Str. 1, 73760 Ostfildern.

The sole controller for these centralised data processing activities within the meaning of the GDPR is the

Deutsche Automobil Treuhand GmbH
Hellmuth Hirth Str. 1, 73760 Ostfildern
Phone: +49 711 4503-0
Fax: +49 711 4586340
E-mail: info@dat.de

Our Data Protection Officer can be reached at:

Philipp Beck
External Data Protection Officer of Deutsche Automobil Treuhand GmbH
Moltkestraße 3, 72622 Nürtingen
Phone: +49 151 27120663
E-mail: philippbeck-ext@dat.de

3.4.2. Sources and types of personal data

3.4.2.1. We receive your personal data in various ways:

• Data provided by you yourself, which you give us in the context of your application;
• Data collected when you log in to one of our systems or applications;
• Data received from other affiliated companies, e.g. if you apply directly there or if you apply for a different job within our group of companies.

3.4.2.2. What data do we process?

We process different types of personal data from you for each individual process and purpose. These may include in particular:

• Personnel master data, such as names (e.g. first names, last name, maiden name, title);
• Identification code (e.g. user name and password);
• Personal details (e.g. date and place of birth, marital status, sex);
• Address and contact details (e.g. street, house number, post code, place of residence, e-mail address);
• Where applicable, details of your family members or life partners;
• Bank details (e.g. IBAN, BIC, account number, bank name);
• Data on insurance policies that you have taken out as an employee and for which we provide a grant or direct deduction (e.g. health insurance, pension insurance and the amount of each contribution);
• Qualifications (e.g. certificates, work certificates, references, patent holder information);
• Data on previous employment contracts (e.g. previous employers, date of entry/exit, certificates);
• Wage tax classification, religious group;
• Remuneration data (e.g. salary requests);
• Data from the execution of the application relationship including IT application and usage data (e.g. system and device passwords or the IP address of a computer you use);
• System and device logs and electronic content (e-mails, documents, etc.) generated by you through our enterprise systems and devices;
• Travel Information

3.4.3. Processing purposes and legal bases

3.4.3.1. Processing purposes/processing methods

3.4.3.1.1. Employer's sole responsibilitys

The employer processes your personal data for the following purposes:

• Human resources planning and management (including transfer and promotion);
• Organisation of your (business) travel and reimbursement of your (travel) expenses as well as other business-related expenses;
• Management of employee levies and social security contributions;
• Organisation and implementation of applicant events;
• Health and safety measures at work (including contacting your family in emergencies, checking workplaces for health and safety at work to meet health requirements).

3.4.3.1.2. Sole responsibility of the head office

The head office processes your personal data for the following purposes:

• Managing general application processes (including quality and regulatory management, internal audits);
• Keeping internal contact records;
• Managing access rights to systems and applications and authentication, e.g. when entering a building or a car park using an access card;
• Administration of user accounts and authorisation;
• IT security (including logging of IT usage and cyber defence).

3.4.3.2. Legal bases for processing

We process your personal data on the basis of the provisions of the GDPR, the Federal Data Protection Act (BDSG) and all other relevant laws (e.g. ArbZG, etc.).

First and foremost, the data processing serves the selection for an employment relationship as well as for its establishment. The legal basis for this is Art. 6 para. 1 lit. b GDPR in conjunction with §26 para. 1 BDSG.

Insofar as special categories of personal data are processed in accordance with Article 9 para. 1 GDPR, this is used in the application process for the execution of rights or the fulfillment of legal obligations under labour law, social security law and social protection (e.g. provision of health data to the health insurance, registration of the severely disabled due to additional leave and determination of the severely disabled levy). This is done on the basis of Art. 9 para. 2 lit. b GDPR in conjunction with §26 para. 3 BDSG. In addition, the processing of health data for the assessment of your work ability in accordance with Art. 9 para. 2 lit. h GDPR in conjunction with §22 para. 1 lit. b of the BDSG can be required.

In addition, the processing of special categories of personal data may be subject to a consent pursuant to Art. 9 para. 2 lit. a GDPR in conjunction with §26 para. 2 sent. 2 para. 2 of the BDSG (e.g. occupational health management).

3.4.4. Recipients of personal data

Your personal data will be passed on to the following recipients:

• To public service providers, such as health insurance funds and social security funds;
• Occasionally, we rely on affiliated third-party companies and external service providers, such as logistics companies, IT service providers, economic advisors, insurance companies, personnel service providers, training institutes, travel agencies, credit card companies and financial institutions, to fulfil the purposes described in this privacy statement. In such cases, information is passed on to these companies or individuals to enable them to process it further. These external service providers are carefully selected by us and regularly checked to ensure that your data is used exclusively for the purposes set by us and in accordance with applicable data protection laws.

Any transfer of personal data to third parties to the extent described above will be carried out in accordance with this privacy statement and the relevant data protection laws.

Collected data are generally not transferred abroad.

3.4.5. Processing period

We or the head office will process your personal data for the duration of your application with us and delete them as soon as they are no longer required for the above-mentioned purposes. Upon completion of the application process, your personal data will be retained for the period during which claims can be made against us.

3.4.6. Why we need your personal data

As described above, we need your data for the purpose of possibly establishing an employment relationship. The same applies insofar as we process your data in order to be able to fulfil our legal obligations as a potential employer, in particular in the area of tax and social security law as well as from labour law, social security law and social protection. Without your data, we are not able to establish an employment relationship with you.

3.4.7. Rights of persons concerned

3.4.7.1. You have the right to receive information about the data stored about you at any time. If the respective requirements are met, you are also entitled to the following rights:

• Right to rectification: You have a right to rectification of incorrect personal data concerning you.
• Right to erasure: You can also request the erasure of your personal data, for example if your data is no longer necessary for the purposes for which it was collected or otherwise processed.
• Right to restriction of processing: You also have the right to request the restriction of processing of your personal data; in such a case, the data will be blocked for any processing. This right exists in particular if the accuracy of the personal data is disputed between you and us.
• Right to data portability: If we process your personal data for the fulfillment of a contract with you or on the basis of your consent, you also have the right to receive your personal data in a structured, common and machine-readable format, if and to the extent that you have provided us with the data.
• Right to revoke consent: If you have given us consent to the processing of your personal data, you can revoke it at any time. The revocation of consent does not affect the lawfulness of the processing carried out on the basis of consent until the revocation. The revocation shall be addressed to:
  Deutsche Automobil Treuhand GmbH
  Hellmuth Hirth Str. 1, 73760 Ostfildern
  Tel.: +49 711 4503-0
  Fax: +49 711 4586340
  E-Mail: info@dat.de
• In addition, you may object to data processing for reasons arising from your particular situation. However, this only applies in cases where we process data for the fulfillment of a legitimate interest. If you are able to present such a reason and we cannot assert a compelling, legitimate interest in the further processing, we will not process this data further for the respective purpose.

3.4.7.2. If you wish to receive information about the data stored about you, wish to assert your other rights or have questions about our measures of data protection, you can contact us using the above-mentioned contact details.

3.4.7.3. You also have the right to lodge a complaint with a supervisory authority at any time, in particular with a supervisory authority in the EU member state of your place of residence, your place of work or the place of the alleged infringement, if you are of the opinion that the processing of personal data relating to you violates data protection provisions.

3.4.8. Technical and operational measures

We will implement the technical and operational measures required to ensure that the data privacy provisions are complied with as long as the ratio of undertaken efforts and intended privacy purpose is reasonable.

3.4.9. Amendment of this privacy statement

The further development of our company may also affect the handling of personal data. We therefore reserve the right to amend this privacy statement in future within the scope of the applicable data protection laws and to adapt it if necessary to changed data processing realities. We will notify you separately of any significant changes in content.

3.5. Contract processing

It may be necessary to transfer the personal data that we need for delivering our services or fulfilling our contracts to other businesses, like for example interface partners or other service providers. Your personal data will only be transferred to third parties if this is required for business reasons.

3.6. Forwarding of appointment requests to our DAT Expert Partners

On the Expert Partner finders page, we send appointment requests to the selected DAT Expert Partners.

When appointment requests are made, we gather, store and process the following categories of personal data:

• E-mail address
• Surname und first name
• Entry in free text box ("message")
• Channel for the request (What is my car worth? / BAFA grants / initial call with Expert partner finders)
• If available: vehicle model and guide value calculated online for the vehicle, which was requested at What is my car worth?.
• Desired appointment (date and time))

Provision of the telephone number is optional.

This data is processed for booking, performance and handling of an appointment with a DAT Expert Partner, including customer care. We share the data stated above with the DAT Expert Partner.

The legal basis for this is the request prior to entering into a contract pursuant to Article 6 para. 1 sent. 1 lit. f GDPR and legitimate interest (Article 6 para. 1 sent. 1 lit. f GDPR) to ensure a high level of customer service.

3.7. Transfer to third parties and government agencies

In other cases, we will only transfer your personal data to third parties if you have given your consent to do so before (Art. 6 para. 1 sent. 1 lit. a GDPR). You have the right to revoke your consent at any time with effect for the future.

We will disclose your personal data to government agencies only if we are required by law to do so (Art. 6 para. 1 lit. c GDPR).

Furthermore, we will only disclose your data to third parties if this is necessary for the assertion, exercise or defence of legal claims and if there is no reason to assume that you have an overriding interest worthy of protection in the non-disclosure of your data (Art. 6 para. 1 sent. 1 lit. f GDPR). However, in such cases, the volume of data transmitted is limited to the minimum necessary.

3.8. Advertising

We only use your personal data for advertising purposes after we have received your consent to do so.

3.9. Data transfer abroad

Collected data are generally not transferred abroad.

3.10. Using telecommunications and media services

We collect and use personal data to enable the use of telecommunications and media services (usage data). Among these usage data are specific characteristics related to your identification, start and end dates of the usage period, scope of usage and information on the telecommunications and media services you have used.

3.11. Processing usage data for invoicing

We process usage data beyond the end of the usage process, insofar as the data are necessary for the purposes of invoicing (invoicing data). In doing so, we combine usage data on the use of various media services, insofar as this is necessary and possible for invoicing purposes. To fulfil existing legal, statutory or contractual retention periods, we may block the data.

3.12. Disclosure to third parties

Invoicing data are transferred to other service providers or third parties as long as this is required for determining the price and for billing your charges to you. In case we have signed a contract on collecting the charges with a third party, we may transfer invoicing data to the contracting party if this is required for this purpose. Anonymised usage data may be transmitted for the purpose of market research by other service providers.

3.13. Advertising, market research, customised telecommunications and media services

In order to customise our telecommunications and media services we create aliased usage profiles. Usage profiles are not merged with data on the alias owner.

4. Right to information

At any time you have the right to request information on the data stored in relation to yourself, their origin and source, the recipients or recipient categories to which this data is transferred as well as the purposes for storing the data.

To request free information on the personal data we have stored in relation to you, please send an email to  datenschutz@dat.de.

5. Deletion and locking

We undertake to delete personal data processed for our own purposes as soon as this data is no longer needed to fulfil the purposes the data was saved for. If legal, statutory or contractual retention terms prohibit the deletion of this data, if there is reason to assume that deleting the data will impair any legitimate interest of the person concerned or if deleting the data would require unreasonable efforts due to the specific way the data was saved, we will instead lock the data.

Furthermore, you can have the data we have collected blocked, corrected or deleted at any time. A deletion also takes place if you revoke your consent to the collection, processing and use of the personal data. If the revocation takes place during an ongoing business transaction, the deletion takes place immediately after its completion.

Further legal provisions regarding the deletion or locking of data remain unchanged.

6. Technical and operational measures

We will implement the technical and operational measures required to ensure that the data privacy provisions are complied with as long as the ratio of undertaken efforts and intended privacy purpose is reasonable. For email communication, we cannot guarantee secure data transmission. Therefore, we recommend sending confidential information only via the postal service.

7. Your rights at a glance

As a data subject, you are entitled to various rights under the GDPR, which we will outline again here.

• Right to object: You have the right to object at any time to the processing of your personal data. Likewise, you can object in the case of direct advertising. Please address your objection to this to datenschutz@dat.de or to the data protection officer indicated below.
• Your right of revocation: If you have given us your consent to the processing of your personal data, you can of course revoke it at any time.
• Right of information: To request free information on the personal data we have stored in relation to you, please send an e-mail to datenschutz@dat.de.
• Your right to rectification: Did we make a mistake in the storage of your personal data? Is there a change that you want to correct immediately? Do you want to add incomplete data? Please immediately refer to the contact person mentioned below or send an e-mail to datenschutz@dat.de.
• Your right to erasure (also: right to be forgotten) and restriction of processing: If the legal requirements apply, you can demand that we delete the data concerned immediately. You can also request a restriction with regard to the processing of your personal data.
• Right to data portability: You also have the right to receive the data that you have provided to us in a structured, common and machine-readable format from us; you can transmit or have this data transmitted to other locations.
• Right of complain to supervisory authorities: You can lodge a complaint with the competent data protection supervisory authority.

8. Data controller

Data controller in terms of privacy laws:

Deutsche Automobil Treuhand GmbH
Hellmuth Hirth Str. 1, 73760 Ostfildern
Phone: +49 711 4503-0
Fax: +49 711 4586340
E-mail: info@dat.de

9. Data Protection Officer

We have appointed a data protection officer. You can reach him at the following contact options:

Philipp Beck
Data Protection Officer of Deutsche Automobil Treuhand GmbH
Moltkestraße 3
72622 Nürtingen

Phone: +49 151 27120663
E-mail: datenschutz@dat.de

10. Withdrawal of consent

You may withdraw your consent to collect, process or use your data at any time. Withdrawals must be sent to:

Deutsche Automobil Treuhand GmbH
Hellmuth Hirth Str. 1, 73760 Ostfildern
Phone: +49 711 4503-0
Fax: +49 711 4586340
E-mail: info@dat.de