DATA PROTECTION POLICY ACCORDING TO THE GDPR NAME AND ADDRESS OF THE PERSON RESPONSIBLE

The person responsible within the meaning of the General Data Protection Regulation and other national data protection laws of the member states as well as other data protection regulations is:

MOUNTAIN SOFTWARE GMBH
Odenwaldstraße 19
63263 Neu-Isenburg
Germany
Tel.: +49 6102 81680-11
Email: info@mountain-software.de

Name and address of the data protection officer
The data protection officer of the person responsible is:
Michael Priester
GNC TCS Technologie, Cards & Services GmbH
Odenwaldstraße 19
63263 Neu-Isenburg
Germany

General information about data processing
Scope of processing personal data
We only process personal data to the extent that this is necessary to provide a functional website and our content and services. The processing of personal data only takes place with your consent. An exception applies in cases in which obtaining prior consent is not possible for actual reasons and the processing of the data is permitted by legal regulations.

Legal basis for the processing of personal data
If we obtain the consent of the data subject for processing personal data, Article 6 Paragraph 1 Letter a of the EU General Data Protection Regulation (GDPR) serves as the legal basis. When processing personal data that is necessary to fulfill a contract to which the data subject is a party, Art. 6 Para. 1 lit. b GDPR serves as the legal basis. This also applies to processing operations that are necessary to carry out pre-contractual measures. If the processing of personal data is necessary to fulfill a legal obligation to which our company is subject, Article 6 Paragraph 1 Letter c GDPR serves as the legal basis. In the event that the vital interests of the data subject or another natural person require the processing of personal data, Article 6 Paragraph 1 Letter d GDPR serves as the legal basis. If the processing is necessary to protect a legitimate interest of our company or a third party and the interests, fundamental rights and freedoms of the data subject do not outweigh the first-mentioned interest, Art. 6 Para. 1 lit. f GDPR serves as the legal basis for the processing.

Data deletion and storage period
Personal data will be deleted or blocked as soon as the purpose of storage no longer applies. Storage can also take place if this has been provided for by the European or national legislator in EU regulations, laws or other regulations to which the person responsible is subject. The data will also be blocked or deleted if a storage period prescribed by the standards mentioned expires, unless there is a need for further storage of the data to conclude or fulfill a contract.

Provision of the website and creation of log files

Description and scope of data processing
As a rule, no personal data is collected when you visit our website. Every time our website is accessed, our system automatically collects data and information from the computer system of the accessing computer. The following data is collected:

• Full IP address of the requesting computer
• Date and time of the request
• The page from which the visitor came to the current website or file (referrer)
• Name or URI of the file or page that was requested
• Web browser and operating system used by the visitor
• Access status (page/file transferred, page/file not found, etc.)
• Protocol version
• Access type (e.g. GET/HEAD/POST)
• Amount of data transferred

The data is stored in the log files of our system. This data is not stored together with other personal data of the user.

Legal basis for data processing
The legal basis for the temporary storage of data and log files is Article 6 (1) (f) GDPR.

Purpose of data processing
The temporary storage of the IP address by the system is necessary to ensure the functionality of the website. To do this, the user's IP address must remain stored for the duration of the session. The storage takes place in log files. There is a legitimate interest in data processing in accordance with Article 6 (1) (f) GDPR.

Duration of storage
The data will be deleted as soon as they are no longer required to achieve the purpose for which they were collected. If the data is collected to provide the website, this is the case when the respective session has ended. If the data is stored in log files, this is the case after seven days at the latest. Storage beyond this is possible. In this case, the users' IP addresses are deleted or altered so that it is no longer possible to assign the calling client.

Possibility of objection and removal
The collection of data to provide the website and the storage of the data in log files is absolutely necessary for the operation of the website. There is therefore no possibility for the user to object.

Use of cookies

Description and scope of data processing
Our website only uses cookies that are necessary to use the website. Cookies are text files that are stored on your computer system by the internet browser. This cookie contains a characteristic string that allows the browser to be uniquely identified when the website is accessed again. The data is not stored together with other personal data of the users.

Legal basis for data processing
The legal basis for the processing of personal data using cookies is Article 6 (1) (f) GDPR.

Purpose of data processing through cookies
The use of technically necessary cookies serves to simplify the use of websites. Some functions of our website cannot be offered without the use of cookies.

Duration of storage, possibility of objection and deletion
Cookies are stored on your computer and transmitted from it to our site. Therefore, you have full control over the use of cookies. By changing the settings in your internet browser, you can deactivate or restrict the transmission of cookies. Cookies that have already been saved can be deleted at any time. This can also be done automatically. If cookies are deactivated for our website, it may no longer be possible to fully use all functions of the website.

Google reCAPTCHA
We use "Google reCAPTCHA" (hereinafter "reCAPTCHA") on our website. The provider is Google Inc., 1600 Amphitheater Parkway, Mountain View, CA 94043, USA ("Google"). The purpose of reCAPTCHA is to check whether data entry (e.g. in a contact form) is done by a human or by an automated program. To do this, reCAPTCHA analyzes the behavior of the website visitor based on various characteristics. This analysis begins automatically as soon as the website visitor enters the website. For analysis, reCAPTCHA evaluates various information (e.g. IP address, length of time the website visitor stays on the website or mouse movements made by the user). The data collected during the analysis is forwarded to Google. The reCAPTCHA analyzes run completely in the background. Website visitors are not informed that an analysis is taking place. Data processing is carried out on the basis of Article 6 Paragraph 1 Letter f of the GDPR. We have a legitimate interest in protecting our web offerings from abusive automated spying and SPAM. Further information about Google reCAPTCHA and Google's privacy policy can be found at the following links: https://www.google.com/intl/de/policies/privacy/ and https://www.google.com/recaptcha/intro/android. html.

Third-party plugins and modules

Google WebFonts
This website uses so-called web fonts provided by Google for the uniform display of fonts. When you access a page, your browser loads the required WebFonts into your browser cache in order to display texts and fonts correctly. For this purpose, the browser you use must connect to Google's servers. This gives Google knowledge that our website was accessed via your IP address. The use of Google WebFonts is in the interest of a uniform and attractive presentation of our online offerings. This represents a legitimate interest within the meaning of Article 6 Paragraph 1 Letter f of the GDPR. If your browser does not support WebFonts, a standard font will be used by your computer. Further information about Google WebFonts can be found at https://developers.google.com/fonts/faq and in Google's privacy policy: https://www.google.com/policies/privacy/ .

Google Maps
This website uses Google Maps API to display maps visually. When using Google Maps, Google also collects, processes and uses data about the use of the Maps functions by visitors to the websites. Further information about data processing by Google can be found in Google's data protection information. There you can also change the settings in the data protection center so that you can protect and manage your data. Here you will find further instructions on managing your own data in connection with Google products. The use of Google Maps is in the interest of a good presentation of site plans. This represents a legitimate interest within the meaning of Article 6 Paragraph 1 Letter f GDPR.

Links to other websites

Our offer contains links to external third-party websites over whose content we have no influence. We therefore cannot accept any liability for this external content. The respective provider or operator of the pages is always responsible for the content of the linked pages. The linked pages were checked for possible legal violations at the time of linking.

Contact/application form and email contact

Description and scope of data processing
There is a contact or application form on our website that can be used for electronic contact. If you take advantage of this option, all the data you enter in the input mask will be transmitted to us and stored. At the time the message is sent, the following data is also stored:

• Your IP address
• Your email address
• Your username
• Your access password (required to ensure login, you can change the password at any time)
• Date and time of registration

For the processing of the data, your consent is given by pressing the send button as part of the sending process and reference is made to the data protection declaration. Alternatively, you can contact us using the email address provided. In this case, the user's personal data transmitted with the email will be stored. In this context, the data will not be passed on to third parties. The data is used exclusively for processing the conversation.

Legal basis for data processing
The legal basis for processing the data, if the user has given his consent, is Article 6 (1) (a) GDPR. The legal basis for the processing of data transmitted in the course of sending an email is Article 6 (1) (f) GDPR. If the email contact is aimed at concluding a contract, the additional legal basis for the processing is Article 6 Paragraph 1 Letter b GDPR.

Purpose of data processing
The processing of personal data from the input mask serves us solely to process the contact. If you contact us via email, this also represents the necessary legitimate interest in processing the data. GNC TCS TECHNOLOGIE, CARDS & SERVICES GMBH Status 2021 The other personal data processed during the sending process serves to prevent misuse of the contact form and to ensure the security of our information technology systems.

Duration of storage
The data will be deleted as soon as they are no longer required to achieve the purpose for which they were collected. For the personal data from the input mask of the contact form and those that were sent by email, this is the case when the respective conversation with the user has ended. The conversation ends when it can be seen from the circumstances that the matter in question has been finally clarified. The additional personal data collected during the sending process will be deleted after a period of seven days at the latest.

Option to object and remove data
You have the option to revoke your consent to the processing of personal data at any time. If you contact us by email, you can object to the storage of your personal data at any time. In such a case, the conversation cannot continue. You can object to the storage of the data by contacting the controller at the above address. In this case, all data stored during contact will be deleted.

Security
We have taken technical and organizational security measures to protect your personal data from loss, destruction, manipulation and unauthorized access. Our employees have been instructed in the aspects of data protection that must be observed and are obliged to maintain data secrecy in accordance with the Federal Data Protection Act as well as the proper, confidential handling of personal data in accordance with the requirements of the EU General Data Protection Regulation.

Your rights

If your personal data is processed, you are the data subject within the meaning of the GDPR and you have the following rights towards the person responsible:

Right to information
You can request confirmation as to whether and how personal data concerning you is processed by us. To do this, please contact the person responsible at the above address.

Right to rectification
You have the right to request rectification and/or completion from the person responsible if the personal data processed concerning you is incorrect or incomplete. The person responsible must make the correction immediately.

Right to restriction of processing
You can request the restriction of the processing of personal data concerning you under the following conditions:

• if you contest the accuracy of the personal data relating to you for a period enabling the controller to verify the accuracy of the personal data;
• the processing is unlawful and you refuse the deletion of the personal data and instead request the restriction of the use of the personal data;
• the controller no longer needs the personal data for the purposes of processing, but you need them to assert, exercise or defend legal claims;
• if you have lodged an objection to the processing in accordance with Article 21 Para. 1 GDPR and it is not yet clear whether the legitimate reasons of the controller outweigh your reasons.

If the processing of personal data concerning you has been restricted, this data - apart from its storage - may only be used with your consent or to assert, exercise or defend legal claims or to protect the rights of another natural or legal person or for reasons of important public interest of the Union or a Member State. If the restriction on processing has been restricted in accordance with the above conditions, you will be informed by the person responsible before the restriction is lifted.

Right to deletion
You can request that the person responsible delete the personal data concerning you immediately. The person responsible is obliged to delete this data immediately if one of the following reasons applies:

• The personal data concerning you are no longer necessary for the purposes for which they were collected or otherwise processed.
• You revoke your consent on which the processing was based in accordance with Article 6 Paragraph 1 Letter a or Article 9 Paragraph 2 Letter a GDPR and there is no other legal basis for the processing.
• You object to the processing in accordance with Art. 21 Para. 1 GDPR and there are no overriding legitimate reasons for the processing or you object to the processing in accordance with Art. 21 Para. 2 GDPR.
• Your personal data has been processed unlawfully.

Information to third parties
If the person responsible has made the personal data concerning you public and is also obliged to delete it in accordance with Article 17 (1) GDPR. This means that he takes appropriate measures, including technical measures, taking into account the available technologies and the implementation costs, to inform those responsible for data processing that you, as the data subject, request the deletion of all links to this personal data or copies and replications of this data have requested.

Right to information
If you have asserted the right to rectification, deletion or restriction of processing against the person responsible, the controller is obliged to inform all recipients to whom personal data concerning you have been disclosed of this correction or deletion of the data or restriction of processing. Unless this proves to be impossible or involves disproportionate effort. You have the right to be informed about these recipients by the person responsible.

Right to data portability
You have the right to receive the personal data concerning you that you have provided to the person responsible in a structured, common and machine-readable format. You also have the right to transmit this data to another person responsible without hindrance from the person responsible to whom the personal data was provided, provided that the processing is based on consent in accordance with Article 6 (1) (a) GDPR or Article 9 (1). 2 lit. a GDPR or on a contract in accordance with Article 6 Paragraph 1 lit. In exercising this right, you also have the right to have the personal data concerning you transmitted directly from one controller to another controller, to the extent that this is technically feasible. The freedoms and rights of other people must not be impaired by this. The right to data portability does not apply to processing of personal data that is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Right to object
You have the right, for reasons arising from your particular situation, to object at any time to the processing of your personal data, which is carried out on the basis of Article 6 (1) (e) or (f) of the GDPR. To do this, please contact the address of the person responsible above.

Right to revoke your data protection declaration of consent
You have the right to revoke your data protection declaration of consent at any time. The revocation of consent does not affect the lawfulness of the processing carried out based on the consent before its revocation. To do this, please contact the address of the person responsible above.

Right to complain to a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to complain to a supervisory authority. This applies in particular in the member state of your residence, your place of work or the place of the alleged violation if you believe that the processing of personal data concerning you violates the GDPR. The supervisory authority to which the complaint was submitted will inform the complainant of the status and results of the complaint, including the possibility of a judicial remedy in accordance with Art. 78 GDPR.

Prohibition of the use of contact data published here
We prohibit the use of all contact data published on this website, such as postal addresses, telephone and fax numbers as well as email addresses, for advertising purposes and for evaluation for market and opinion research. We expressly reserve the right to take legal action against senders of so-called spam emails if they violate this ban.

We reserve the right to make changes to this privacy policy at any time as required by law.