Legal Notice

1 Introduction

We appreciate your interest in our company and our handling of data protection. In this privacy policy, we explain to you how we handle data protection at our company. Here we explain how we collect, use and process your personal data and how we fulfill our legal obligations towards you. In doing so, we also refer to the rights to which you are entitled in accordance with the current legal situation. The protection of your data is very important to us and we are committed to protecting and safeguarding your data protection rights and complying with the requirements of the General Data Protection Regulation (Regulation (EU) 2016/679) and our national laws. Any processing of your personal data will always be in accordance with the General Data Protection Regulation (hereinafter referred to as DS-GVO). In principle, you can use our website without providing any personal data. In the further processing of your inquiry or use of our services, a processing of your personal data may become necessary. If this is necessary and we have no legal basis for this that authorizes us to do so, we will always obtain consent from you as the data subject (hereinafter referred to as "data subject(s)*). (*For simplicity, we use the term "data subject.") Basically, we process personal data such as your name, address, and contact information such as email or phone number. In relation to our business purpose, the processing of further personal data may be necessary. We have documented this in our registers of processing activities. We have created a data protection concept for our company for the implementation of data protection and security (GDPR Art. 34) and implemented it in a risk-based manner on the basis of data protection impact assessments (GDPR Art. 35) by means of technical and organisational measures (TOM). In this way, we also secure web- or internet-based data transmission. Nevertheless, this can be compromised by security gaps for which we are not responsible, so that we leave you free to transmit personal data to us by other means such as telephone, fax or post. Important: This privacy policy will be amended as necessary.

2 Terms of data protection

Our Data Protection Policy is based on the terms and their explanations documented by the European Directive and Regulation Maker when enacting the General Data Protection Regulation (DS-GVO). Our Data Protection Policy is intended to explain the implementation of data protection in our company in an easily readable and understandable manner to all possible recipients, in particular our customers, suppliers and data subjects. You will find the definitions of terms in the appendix to the Data Protection Policy. They have been taken from the legal text and provided with sources.

3 Controller for the processing

Responsible person in the sense of the Data Protection Regulation Art. 24 is:

Company: Capital Bay GmbH
Street: Sachsendamm 4-5
Postal Code: 10829
Town: Berlin
Town: Berlin
Country: Germany
Phone Number: +0049 30 1208662 0
E-Mail: info@capitalbay.de
Website: www.capitalbay.de

Our business purpose is: purchase and sale, brokerage, management and exploitation of real estate, as well as economic management consulting in relation to real estate transactions. The company also develops, plans and supervises technical construction projects; it carries out construction projects as a general contractor. Transactions requiring approval pursuant to § 34e GewO or KWG are excluded. Furthermore, the object of the company includes the provision of advice on the acquisition and sale of shareholdings and companies of all kinds, the participation as a personally liable partner in companies and the assumption of the administration and management of other companies. The aforementioned activities are only carried out in the company's own name and for its own account. For this purpose, we process tenant, customer and supplier data, applicant data as well as any data provided by third parties for the business processes which we receive directly from you, which we receive from other sources or which we may collect automatically.

4 Contact possibility via our website

On our website, the information according to legal requirements has been stored in the imprint. This also includes the possibility of sending an e-mail or, if applicable, the use by the person concerned by means of a contact form. In this type of transmission on a voluntary basis, the personal data is automatically stored for the purpose of processing or contacting. Personal data will not be passed on to third parties.

5 How we collect data and information

When you access our website, a series of data and information is collected. This data is not used by us to draw conclusions about data subjects, but is rather required in order to: provide or ensure the correct content and functionality of our website, optimize this content, in the event of attacks on our information technology systems to meet the legal obligation in the context of criminal prosecution, When using our websites, we collect, among other things. When you use our website, we record, among other things, the browser type and version, the operating system used, the website and subpages (referrers) from which you access our website, the date and time of access and the Internet protocol address (IP address), the provider of the accessing system, as well as other similar data and information that serve to protect us in the event of attacks on our IT systems. Furthermore, we process personal data which is made available to us by means other than the Internet (e.g. by post) and which we need to fulfill our business purpose. These are processed by us in automated as well as manual procedures. Our company does not use automatic decision-making or profiling.

6 Data protection in the application procedure

Our company collects and processes personal data from applicants for the purpose of processing the application procedure. The processing may also take place electronically, for example application by e-mail or web form. If an employment contract is concluded between the data subject (applicant) and our company, the transmitted data will be stored for the purpose of processing the employment relationship in compliance with the statutory provisions (see the annex "Country-Specific Feature of the Data Protection Policy - Employment Data"). If no employment relationship is concluded with the applicant, the application documents are deleted two months after notification of the rejection decision, provided that no other legitimate interests on the part of the person responsible or legal requirements prevent deletion. Another legitimate interest in this sense is, for example, a duty to provide evidence in proceedings under the General Equal Treatment Act (AGG).

7 Legal basis of the processing

The legal basis for processing operations in which we obtain consent for a specific processing purpose is Art. 6 I lit. a DS-GVOfor our company. If personal data must be processed for the performance of a contract to which the data subject is a party (e.g. delivery of goods/services or other performance or consideration for which personal data are necessary), the processing is based on Art. 6 I lit. a DS-GVO. 6 lit. b DS-GVO, as well as for processing operations which are necessary for pre-contractual measures (e.g. offers, processing of enquiries about products, services or services). If our company has a legal obligation (e.g. due to tax laws), by which the processing of personal data is required, this is done in accordance with Art. 6 of the Data Protection Act. I lit. c DS-GVO. The processing of personal data in order to safeguard the vital interests of the data subject (e.g. in the event of a medical emergency) is carried out by us on the basis of Art. 6 I lit. d DS-GVO. Processing operations that are not covered by any of the aforementioned legal powers, but for which processing is necessary to safeguard a legitimate interest of our company or a third party (provided that the interests, fundamental rights and freedoms of the data subject are not overridden), are permitted because they are described in recital 47 sentence 2 DS-GVO in conjunction with Art. If the processing of personal data is based on Article 6 I lit. f DS-GVO, our legitimate interest is the implementation of our business purpose and our business activities for the benefit of our company.

8 Deletion and blocking of personal data

The basis for the storage period of personal data is the respective legally prescribed retention period. After expiry of the legal requirement for storage, the corresponding data is deleted or - if this is possible with unreasonable effort - blocked. Our company processes and stores personal data of the persons concerned only for the period of time necessary for the purpose of the processing within the meaning of the GDPR or any other applicable national or international law or regulation which the controller has to implement.

9 Rights of the data subject

a.) Transparent information and communication with the data subject Our company shall take appropriate measures to provide the data subject with all information pursuant to Articles 13 and 14 and all communications pursuant to Articles 15 to 22 and Article 34 of the GDPR which relate to the processing in a precise, transparent, comprehensible and easily accessible form in plain and simple language; this applies in particular to information specifically addressed to children. The information shall be provided in writing or in another form, including, where appropriate, by electronic means. If requested by the data subject, the information may be provided orally, provided that the identity of the data subject has been proven in another form. We facilitate the exercise of the data subject's rights under Articles 15 to 22 of the GDPR. In the cases referred to in Article 11(2) of the GDPR, we may only refuse to act on the data subject's request to exercise his or her rights under Articles 15 to 22 of the GDPR if we credibly demonstrate that we are unable to identify the data subject. Our company shall provide the data subject with information on the action taken upon request pursuant to Articles 15 to 22 of the GDPR without undue delay and in any event within one month of receipt of the request. This period may be extended by a further two months if necessary, taking into account the complexity and number of requests. We will inform the data subject of any extension of the time limit, together with the reasons for the delay, within one month of receipt of the request. If the data subject makes the request electronically, we will respond to the data subject electronically where possible. If we have not acted on the data subject's request, we will inform the data subject without delay, and at the latest within one month of receipt of the request, of the reasons for this and of the possibility of lodging a complaint with a supervisory authority or seeking a judicial remedy. We will provide information pursuant to Articles 13 and 14 of the GDPR and all notifications and measures pursuant to Articles 15 to 22 and Article 34 of the GDPR free of charge. In the case of manifestly unfounded or excessive requests by a data subject, in particular in the case of frequent repetition, we may either charge an appropriate fee taking into account the administrative costs of providing the information or notification or of implementing the requested measure, or we may refuse to act on the request. In this case, we will require evidence of the manifestly unfounded or excessive nature of the request. Without prejudice to Article 11 of the GDPR, where we have reasonable doubts about the identity of the natural person making the request under Articles 15 to 21 of the GDPR, we will request additional information necessary to confirm the identity of the data subject. The information to be provided to data subjects pursuant to Articles 13 and 14 of the GDPR may be provided in combination with standardised icons in order to provide a meaningful overview of the intended processing in an easily perceivable, understandable and clearly comprehensible form. If the image symbols are presented in electronic form, we will make them available in machine-readable form (Art. 12 (1) DS-GVO). b. ) Duty to provide information when collecting personal data from the data subject If our company collects personal data from the data subject, we will inform the data subject of the following at the time of collection: The name and contact details of the data controller and, if applicable, his representative, the contact details of the data protection officer, if applicable, the purposes for which the personal data are to be processed and the legal basis for the processing if the processing is based on Article 6(1)(f) DS-GVO, the legitimate interests pursued by the data controller or a third party, if applicable, the recipients or categories of recipients of the personal data and, if applicable, the intention of our company, transfer the personal data to a third country or an international organisation, and the existence or absence of an adequacy decision by the Commission or, in the case of transfers pursuant to Article 46 or Article 47 or the second subparagraph of Article 49(1) of the GDPR, a reference to the appropriate or adequate safeguards and how to obtain a copy of them or where they are available. In addition to the information referred to in paragraph 1, we shall provide the data subject with the following further information at the time of collection of such data, which is necessary to ensure fair and transparent processing: the duration for which the personal data will be stored or, if that is not possible, the criteria for determining that duration;the existence of a right of access on the part of the controller to the personal data concerned and to rectification or erasure or to restriction of processing or a right to object to processing and the right to data portability; where the processing is based on Article 6(1)(a) or Article 9(2)(a) of the GDPR, the existence of a right to withdraw consent at any time without affecting the lawfulness of the processing carried out on the basis of consent until withdrawal; the existence of a right of appeal to a supervisory authority;whether the provision of the personal data is required by law or by contract or necessary for the conclusion of a contract, whether the data subject is under an obligation to provide the personal data and what the possible consequences of not providing it would be; andthe existence of automated decision-making, including profiling, pursuant to Article 22(1) and (4) of the GDPR and, at least in these cases, meaningful information about the logic involved and the scope and intended effects of such processing for the data subject. Where we intend to further process the personal data for a purpose other than that for which the personal data were collected, we shall provide the data subject with information about that other purpose and any other relevant information in accordance with paragraph 2 prior to such further processing. Paragraphs 1, 2 and 3 do not apply if and to the extent that the data subject already has the information (Art. 13(1) GDPR). c.) Duty to provide information if personal data have not been collected from the data subject If personal data are not collected from the data subject, our company shall inform the data subject of the following: the name and contact details of the data controller and, where applicable, his representative;in addition, the contact details of the data protection officer;the purposes for which the personal data are to be processed and the legal basis for the processing;the categories of personal data being processed;where applicable, the recipients or categories of recipients of the personal data; where applicable, the controller's intention to transfer the personal data to a recipient in a third country or an international organisation and the existence or absence of an adequacy decision by the Commission or, in the case of transfers pursuant to Article 46 or Article 47 or Article 49(1), second subparagraph, of the GDPR, a reference to the appropriate or adequate safeguards and the possibility to obtain a copy of them or where they are available. In addition to the information referred to in paragraph 1, we shall provide the data subject with the following information necessary to ensure fair and transparent processing vis-à-vis the data subject:the period for which the personal data will be stored or, where this is not possible, the criteria for determining that period;where the processing is based on Article 6(1)(f) of the GDPR, the legitimate interests pursued by the controller or a third party;the existence of a right of access by the controller to the personal data concerned, as well as the right to rectification or erasure or to restriction of processing and a right to object to processing, as well as the right to data portability; where the processing is based on Article 6(1)(a) or Article 9(2)(a) of the GDPR, the existence of a right to withdraw consent at any time without affecting the lawfulness of the processing carried out on the basis of the consent until withdrawal;the existence of a right of appeal to a supervisory authority;the source of the personal data and, where applicable, whether they come from publicly available sources;the existence of automated decision-making, including profiling, pursuant to Article 22(1) and (4) of the GDPR and, at least in these cases, meaningful information about the logic involved and the scope and intended effects of such processing for the data subject. Our company shall provide the information referred to in paragraphs 1 and 2, taking into account the specific circumstances of the processing of the personal data, within a reasonable period of time after obtaining the personal data, but no later than one month,if the personal data are to be used to communicate with the data subject, no later than the time of the first communication to him or,if disclosure to another recipient is intended, no later than the time of first disclosure.Where our company intends to further process the personal data for a purpose other than that for which the personal data were obtained, we shall provide the data subject with information about that other purpose and any other relevant information in accordance with paragraph 2 prior to such further processing. Paragraphs 1 to 4 shall not apply if and to the extent that the data subject already has the information,the provision of such information proves impossible or would involve a disproportionate effort; this applies in particular to processing for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes, subject to the conditions and safeguards referred to in Article 89(1) of the GDPR, or insofar as the obligation referred to in paragraph 1 of this Section is likely to render impossible or seriously prejudice the achievement of the purposes of such processing In such cases, the controller shall take appropriate measures to safeguard the rights and freedoms and legitimate interests of the data subject, including making such information available to the public,the obtaining or disclosure is expressly regulated by European Union or Member State law to which the controller is subject and which provides for appropriate measures to protect the data subject's legitimate interests, orthe personal data are subject to professional secrecy, including a statutory duty of confidentiality, in accordance with Union or Member State law and must therefore be treated confidentially (Art. d) Right of confirmation Every data subject has the right to obtain confirmation from the controller as to whether the controller is processing personal data relating to him or her. If this is the case, the data subject has a right of access (Art. 15(1) GDPR) e) Right of access If personal data are processed by the data subject, the data subject has the right of access to these personal data and to the following information (Art. 15(1) GDPR). 1 GDPR)the purposes of the processing,the categories of personal data processed,the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular in the case of recipients in third countries or international organisations,if possible, the planned duration for which the personal data will be stored, or, if this is not possible, the criteria for determining this duration,the existence of a right to rectify or erase the personal data concerning them or to have the processing restricted by the controller or to object to such processing,the existence of a right of appeal to a supervisory authority,if the personal data are not collected from the data subject: Any available information about the origin of the data,the existence of automated decision-making, including profiling, pursuant to Article 22(1) and (4) of the GDPR and, at least in these cases, meaningful information about the logic involved and the scope and intended effects of such processing for the data subject.Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed about the appropriate safeguards pursuant to Article 46 in connection with the transfer (Article 15(2) of the GDPR). We will provide a copy of the personal data that is the subject of the processing. For any further copies requested from us by the data subject, we will charge a reasonable fee based on the administrative costs. If the request is made electronically, we will provide the information in a commonly used electronic format, unless otherwise requested in the request (Art. 15(3) GDPR) f) Right of rectification The data subject has the right to obtain from the controller the rectification without undue delay of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject has the right to request the completion of incomplete personal data, including by means of a supplementary declaration (Art. 16 DS-GVO). g) Right to erasure (right to be forgotten) The data subject has the right to request that the controller erases personal data concerning him or her without undue delay, and the controller is obliged to erase personal data without undue delay, if one of the following reasons applies:the personal data are no longer necessary for the purposes for which they were collected or otherwise processed,the data subject revokes his or her consent on which the processing was based pursuant to Art. 6(1)(a) DS-GVO or Art. 9(2)(a) DS-GVO and there is no other legal basis for the processing,the data subject objects to the processing pursuant to Art. 21(1) DS-GVO and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Art. 21(2) DS-GVO. 2 DS-GVO,the personal data have been processed unlawfully,erasure of the personal data is necessary for compliance with a legal obligation under Union or Member State law to which the controller is subject,the personal data have been collected in relation to information society services offered pursuant to Article 8(1) DS-GVO. If our company has made the personal data public and we are obliged to erase it pursuant to paragraph 1, we shall take reasonable steps, including technical measures, having regard to the available technology and the cost of implementation, to inform data controllers which process the personal data that a data subject has requested that they erase all links to, or copies or replications of, such personal data. (Art. 17 DS-GVO). h) Right to restriction of processing The data subject has the right to obtain from the controller the restriction of processing where one of the following conditions is met: The accuracy of the personal data is contested by the data subject for a period enabling the controller to verify whether the processing is unlawful and the data subject objects to the erasure of the personal data and requests instead the restriction of the use of the personal data, whether the controller no longer needs the personal data for the purposes of the processing but the data subject needs them for the establishment, exercise or defence of legal claims; or,whether the data subject has objected to the processing pursuant to Article 21(1) as long as it is not yet established whether the legitimate grounds of the controller override those of the data subject. Where processing has been restricted in accordance with paragraph 1, such personal data may be processed, apart from being stored, only with the consent of the data subject or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of substantial public interest of the European Union or a Member State. A data subject who has obtained a restriction of processing pursuant to paragraph 1 shall be informed by the controller before the restriction is lifted (Art. 18 GDPR). i.) Notification obligation in connection with the rectification or erasure of personal data or the restriction of processing As the controller, we notify all recipients to whom personal data have been disclosed of any rectification or erasure of the personal data or restriction of processing pursuant to Article 16, Article 17(1) and Article 18 of the GDPR, unless this proves impossible or involves a disproportionate effort. We will inform the data subject of these recipients if the data subject so requests (Article 19 DS-GVO). j) Right to data portability The data subject has the right to receive the personal data concerning him or her that he or she has provided to our company in a structured, commonly used and machine-readable format, and has the right to transmit this data to another controller without hindrance from the controller to whom the personal data have been provided, provided that the processing is based on consent pursuant to Article 6(1)(a) or Article 9(2)(a) or on a contract pursuant to Article 6(1)(b) of the GDPR and that the processing is carried out using automated means. When exercising the right to data portability under paragraph 1, the data subject shall have the right to obtain that the personal data be transferred directly from our undertaking to another controller, where technically feasible. The exercise of the right referred to in paragraph 1 of this Article shall be without prejudice to Article 17 of the GDPR. This right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. The right referred to in paragraph 1 shall not affect the rights and freedoms of other persons (Article 20 GDPR). k) Right to object The data subject shall have the right to object at any time, on grounds relating to his or her particular situation, to the processing of personal data concerning him or her carried out on the basis of Article 6(1)(e) or (f) of the GDPR, including any profiling based on those provisions. Our company shall no longer process the personal data in the event of the objection, unless we can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the assertion, exercise or defence of legal claims. If we process personal data for the purpose of direct marketing, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing. This also applies to profiling, insofar as it is related to such direct marketing. If the data subject objects to us to the processing for direct marketing purposes, we will no longer process the personal data for this purpose. We will expressly inform the data subject of the right referred to in paragraphs 1 and 2 at the latest at the time of the first communication with him or her; we will carry out this information in a comprehensible form that is separate from other information. In the context of the use of information society services, notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by means of automated procedures using technical specifications. In addition, the data subject has the right, on grounds relating to his or her particular situation, to object to processing of personal data concerning him or her which is carried out by our company for scientific or historical research purposes, or for statistical purposes pursuant to Article 89(1) of the GDPR, unless such processing is necessary for the performance of a task carried out in the public interest (Article 21 of the GDPR). The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. Paragraph 1 shall not apply if the decisiona) is necessary for the conclusion or performance of a contract between the data subject and the controller,b) is authorised by legal provisions of the European Union or the Member States to which the controller is subject and those legal provisions contain adequate measures to safeguard the rights and freedoms as well as the legitimate interests of the data subject, orc) is made with the explicit consent of the data subject. In the cases referred to in paragraph 2(a) and (c), we will take reasonable steps to safeguard the data subject's rights and freedoms and legitimate interests, which include at least the right to obtain the data subject's involvement on the part of the controller, to express his or her point of view and contest the decision. Decisions under paragraph 2 shall not be based on special categories of personal data referred to in Article 9(1) of the GDPR, unless Article 9(2)(a) or (g) of the GDPR applies and appropriate measures have been taken to protect the rights and freedoms as well as the legitimate interests of the data subject (Article 22 of the GDPR). m) Right to withdraw consent to the processing of personal data The data subject has the right to withdraw consent to the processing of personal data at any time. Any data subject may exercise these rights. To do so, they should contact our data protection officer directly (datenschutz@capitalbay.de).

10 Disclosure of personal data

We may, and are required to, disclose your personal information to the following recipients, as appropriate and in accordance with local laws and regulations, in numerous ways and for numerous purposes:tax, audit or other authorities if we have a good faith belief that we are required by law or other regulation to disclose such information (for example, because there is a request from a tax authority or in connection with anticipated litigation),health care institutions, such as Health insurance companies,External service providers who provide services on our behalf (including external consultants, business partners and professional advisors such as lawyers, auditors and accountants, technical support functions and IT consultants who carry out development and testing work on our company's technological systems),Outsourced IT service providers and storage providers where there is a relevant processing agreement (or comparable safeguard),Where there is a processing operation, this is based on a contract for processing as defined in the GDPR Chapter 4.

11 Provision of personal data for legal or contractual reasons

The provision of your personal data is required by law for our company (e.g. due to tax laws and requirements) or due to contractual regulations (e.g. information on the contractual partner or subcontractor). It may be necessary for the data subject to provide us with personal data in order to fulfil the contract. This is therefore a basis for our performance of the contract. If the data subject does not provide the personal data, no contract could be concluded. If the data subject is unclear about this, he or she can contact the data protection officer, who can explain to him or her whether this is a legal or contractual obligation and what effect the failure to provide the personal data would have on the conclusion of a contract. Annex I: Our contact detailsCountry in which we receive services from or provide services to companies: Federal Republic of Germany Company responsible for processing personal data of visitors to our website: Capital Bay GmbH The company responsible for processing the personal data of data subjects, customers, suppliers and the employees of our company: Capital Bay GmbH, Sachsendamm 4-5, 10829 Berlin How to contact us:to access and amend or withdraw personal information you have provided to us,if you suspect that your personal information has been misused, lost or accessed without authorisation,to withdraw your consent for the processing of your personal information (where consent is the legal basis for the processing of your personal information),for comments or suggestions about this privacy policy. Postal address: Capital Bay GmbH, Data Protection Officer, Sachsendamm 4-5, 10829 Berlin Alternatively, you can contact our data protection officer by e-mail at: datenschutz@capitalbay.de This is how you can reach us if you would like to update your advertising settings: Send us an e-mail to: info@capitalbay.de Attachment II – Contact details of the competent local supervisory authorityCountry in which we receive services from or provide services to companies:Federal Republic of Germany Contact details of the competent local supervisory authority: For our company based in Berlin: The Berlin Commissioner for Data Protection and Freedom of Information Post: Friedrichstr. 219, 10969 BerlinEmail: mailbox@datenschutz-berlin.deTelephone: 030/138 89-0Fax: 030/215 50 50Attachment III – Country-specific special feature of the Data Protection DirectiveLegal system: Federal Republic of Germany Country-specific legal regulation:Requests to delete your data If your data is not processed automatically, unless your data is processed unlawfully, we are not obliged to delete your data if deletion would be impossible or would require a disproportionate effort because of the storage method used, provided that we consider that your interest in deletion is minimal. If your data is processed automatically, we are also entitled to refuse to erase your data if we have reason to believe that erasure would be contrary to your legitimate interests or if erasure would put us in breach of legal obligations to store your data for a certain period of time. Instead, the processing of your data in these circumstances will be restricted in the manner provided for in the DSG-VO. Employee data The provisions applicable to employment relationships permit the processing of employees' personal data for purposes related to the employment relationship if this is necessary for recruitment decisions or, after recruitment, for the performance or termination of the employment contract or in order to comply with and satisfy the rights and obligations of employees' representatives provided for by law or by collective or other agreements between the employer and a collective bargaining organisation. For more information, see section 26 of the new Federal Data Protection Act. In Germany, we collect data on employees' affiliation to a religious community to facilitate our employee compensation processes. Because this is required by law, we do not ask our employees for your explicit consent to process this information. Appendix IV - Definition of Data ProtectionIn our Privacy Policy, the following terms, among others, are used: a) "personal data" and data subject" Personal data means any information relating to an identified or identifiable natural person (hereinafter "data subject"). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (Article 4(1) GDPR). Data subject means any identified or identifiable natural person whose personal data are processed by the controller. (c) 'processing' means any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, filing, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (Art. 4(2) GDPR). d) "Restriction of processing" Restriction of processing means the marking of stored personal data with the aim of limiting their future processing (Art. 4(3) GDPR). e) "Profiling" Profiling is any automated processing of personal data which consists in using such personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects relating to that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or change of location (Art. 4(4) GDPR). (f) 'pseudonymisation' means the processing of personal data in such a way that personal data can no longer be attributed to a specific data subject without additional information, provided that such additional information is kept separately and is subject to technical and organisational measures which ensure that the personal data are not attributed to an identified or identifiable natural person (Art. 4 Abs. 5 DS-GVO). g) „File system“ A filing system is any structured collection of personal data accessible according to specified criteria, whether that collection is maintained centrally, decentrally or on a functional or geographical basis (Art. 4(6) GDPR). (h) 'controller' or 'controller' means the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its designation may be provided for under Union or Member State law (Art. 4(7) GDPR). (i) 'processor' means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller (Article 4(8) GDPR). (j) 'recipient' means a natural or legal person, public authority, agency or other body to whom personal data are disclosed, whether or not a third party. However, public authorities that may receive personal data in the context of a specific investigative task under Union or Member State law shall not be considered as recipients (Art. 4(9) GDPR). k) 'Third party' means a natural or legal person, public authority, agency or other body other than the data subject, the controller, the processor and the persons authorised to process the personal data under the direct responsibility of the controller or the processor (Art. 4(10) GDPR). (l) 'Consent' means any freely given specific and informed indication of his or her wishes, in the form of a statement or other unambiguous affirmative act, by which the data subject signifies his or her agreement to personal data relating to him or her being processed (Art. 4(11) GDPR). (m) 'personal data breach' means a breach of security leading to the destruction, loss or alteration, whether accidental or unlawful, or to the unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. (Art. 4(12) GDPR). (n) 'genetic data' means personal data relating to the inherited or acquired genetic characteristics of a natural person which provide unique information about the physiology or health of that natural person and which have been obtained, in particular, from the analysis of a biological sample from that natural person (Art. 4(13) GDPR). (o) 'biometric data' means personal data relating to the physical, physiological or behavioural characteristics of a natural person, obtained by means of specific technical procedures, which enable or confirm the unique identification of that natural person, such as facial images or dactyloscopic data (Art. 4(14) GDPR). (p) 'health data' means personal data relating to the physical or mental health of a natural person, including the provision of health services, revealing information about his or her state of health (Art. 4(15) GDPR). (q) 'main establishment' 1. main establishment means, in the case of a controller with establishments in more than one Member State, the place of its main administration in the European Union, unless decisions regarding the purposes and means of the processing of personal data are taken in another establishment of the controller in the European Union and that establishment has the power to have those decisions implemented, in which case the establishment taking such decisions shall be considered the main establishment; 2. means, in the case of a processor with establishments in more than one Member State, the place of its head office in the Union or, where the processor does not have a head office in the Union, the establishment of the processor in the European Union where the processing activities in the context of the activities of an establishment of a processor mainly take place, to the extent that the processor is subject to specific obligations under this Regulation (Article 4(16) GDPR). (r) 'representative' means a natural or legal person established in the European Union who has been appointed in writing by the controller or processor pursuant to Article 27 GDPR and represents the controller or processor in relation to their respective obligations under this Regulation (Art. 4(17) GDPR). (s) 'undertaking' means a natural and legal person engaged in an economic activity, regardless of its legal form, including partnerships or associations regularly engaged in an economic activity (Art. 4(18) GDPR). t) "group of undertakings" A group of undertakings means a group consisting of a controlling undertaking and its dependent undertakings (Art. 4(19) GDPR). (t) 'binding internal data protection rules' means measures for the protection of personal data with which a controller or processor established in the territory of a Member State undertakes to comply in respect of data transfers or a set of data transfers of personal data to a controller or processor belonging to the same group of undertakings or to the same group of undertakings engaged in a joint economic activity in one or more third countries (Article 4(20) GDPR). 4(20) GDPR). u) "supervisory authority" A supervisory authority is an independent governmental body established by a Member State pursuant to Article 51 GDPR (Art. 4(21) GDPR). v) "supervisory authority concerned" A supervisory authority concerned is a supervisory authority which is affected by the processing of personal data because 1. the controller or processor is established in the territory of the Member State of that supervisory authority, 2. that processing has or is likely to have a significant impact on data subjects residing in the Member State of that supervisory authority, or 3. a complaint has been lodged with that supervisory authority (Art. 4(22) GDPR), w) "cross-border processing" Cross-border processing means either 1. Processing of personal data carried out in the context of the activities of an establishment of a controller or a processor in the European Union in more than one Member State, where the controller or processor is established in more than one Member State, or 2. Processing of personal data carried out in the context of the activities of a single establishment of a controller or a processor in the European Union which has or is likely to have a significant impact on data subjects in more than one Member State. (Art. 4 para. 23 DS-GVO). x) 'relevant and reasoned objection' means an objection as to whether or not there is a breach of the GDPR or whether the intended measure against the controller or processor is in compliance with the GDPR, clearly indicating the scope of the risks posed by the draft decision in relation to the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data in the European Union (Art. 4(24) GDPR). (y) 'information society service' means an information society service within the meaning of Article 1(1)(b) of Directive (EU) 2015/1535 of the European Parliament and of the Council (Art. 4(25) GDPR) (z) 'international organisation' means an organisation governed by international law and its subordinate bodies or any other body established by, or on the basis of, an agreement concluded between two or more countries (Art. 4(26) GDPR).

12 COOKIE Policy

Capital Bay GmbH would like to thank you for your interest in our homepage and our company.. Despite careful and regular monitoring of the content, we cannot accept any liability for external links to third-party content. The protection of your personal data during the collection, processing and use on the occasion of your visit to our homepage is an important concern for us and we would like you to feel safe when visiting our internet pages. It goes without saying that we comply with the legal provisions of the General Data Protection Regulation (DS-GVO), the Data Protection Act (BDSG), the Telemedia Act (TMG) and other data protection regulations. At this point, we would therefore like to inform you about the use of cookies in our company.

13 What is a cookie?

A "cookie" is a piece of information stored on your computer's hard drive that records your navigation on a website. This allows you to be offered tailored options based on the information stored about your last visit. Cookies can also be used to analyse traffic and for advertising and marketing purposes.Cookies are used by almost all websites and do not harm your system. If you want to check or change which types of cookies are accepted, you can usually do this in your browser settings.

14 How do we use cookies?

In general, it is not necessary for you to provide personal data in order to use our website.However, in order for us to actually provide our services, we may require your personal data.This applies both when sending information material and when answering individual enquiries.Further personal data is only collected if you provide this information voluntarily, for example as part of an enquiry or to register to receive our customer magazine. For this purpose, it may be necessary to pass on your personal data to companies that we use to provide services. If we perform any of the actions or services described below or otherwise, we would like to collect and store your personal data and will ask for your express consent at the relevant point on our website:Sending the newsletter and press releasesParticipation in competitionsPersonalisation of our websiteOther services and offers for which your express consent is required for the collection of data. If you have registered for our newsletter with your e-mail address, we will continue to use your e-mail address for our own advertising purposes beyond the execution of the contract until you unsubscribe from the newsletter.

15 This website uses Google Analytics

a web analytics service provided by Google, Inc. (Google Analytics uses "cookies", which are text files placed on your computer, to help the website analyse how users use the site.The information generated by the cookie about your use of this website will be transmitted to and stored by Google on servers in the United States. However, if IP anonymisation is activated on this website, Google will truncate your IP address beforehand within member states of the European Union or in other states that are party to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there.On behalf of the operator of this website, Google will use this information to evaluate your use of the website, to compile reports on website activity and to provide other services to the website operator relating to website activity and internet usage.The IP address transmitted by your browser as part of Google Analytics will not be merged with other Google data..

16 Cookies settings

You may refuse the use of cookies by selecting the appropriate settings on your browser, however please note that if you do this you may not be able to use the full functionality of this website. You can prevent Google Analytics from collecting your data by clicking on the following link: Disable Google Analytics. An opt-out cookie will be set, which prevents the future collection of your data when visiting this website. The cookie must be set again when the browser data is deleted.You can also prevent the collection of data generated by the cookie and related to your use of the website (including your IP address) to Google and the processing of this data by Google by downloading and installing the browser plugin available at the following link. The current link is http://tools.google.com/dlpage/gaoptout?hl=de.Google uses the DoubleClick DART cookie. Users can deactivate the use of the DART cookie by accessing the privacy policy of Google's advertising network and content advertising network. This information is used to automatically recognise you the next time you visit our websites and to make it easier for you to navigate.Cookies allow us, for example, to customise a website to your interests or to store your password so that you do not have to re-enter it each time.Of course, you can also view our websites without cookies. If you do not want us to recognise your computer, you can prevent cookies from being stored on your hard drive by selecting "do not accept cookies" in your browser settings. Please refer to your browser manufacturer's instructions for details of how this works. If you do not accept cookies, however, this may lead to functional limitations of our offers.you can prevent the installation of cookies by setting your internet user programme (browser) accordingly. To do this, you must switch off the storage of cookies in your Internet browser.Every access to our homepage and every retrieval of a file stored on the homepage is logged. The storage serves system-related and statistical purposes. The following data is logged: Date and time of the visit, duration of your visit, name of the retrieved file, amount of data transferred, notification of successful retrieval, web browser and requesting domain.This data is stored without personally identifying the user of the site. If necessary, user profiles are created by means of a pseudonym. Here, too, there is no connection between the natural person behind the pseudonym and the collected usage data. We also use cookies to collect and store usage data. These are small text files that are stored on your computer in order to identify you as a user when you return to the site. Further information on how cookies work can be obtained from the German Federal Office for Information Security (BSI): https://www.bsi-fuer-buerger.de/BSIFB/DE/Empfehlungen/EinrichtungSoftware/EinrichtungBrowser/GefahrenRisiken/Cookies/cookies.html. We collect this data exclusively to further optimise our website and to make our internet services even more attractive.