
Data Protection Guide Data Protection Directive

valid for

Kremsmüller Beteiligungsgesellschaft m.b.H.
Kremsmüller Industrieanlagenbau KG
Kremsmüller Industrieservice KG
JobMeister Personaldienstleistungen GmbH
Kremsmüller Softwaretechnik GmbH
Kremsmüller Industrieanlagenbau GmbH (Leipzig)
Kremsmüller Industrieanlagenbau GmbH (Sigmarszell)
Kremsmüller Industrieanlagenbau AG (Ruggell)
Kremsmüller Industrieanlagenbau AG (Buchs SG)
Kremsmüller Engineering Anstalt
S.C. Kremsmuller România S.R.L.
S.C. IMAG Servicii Profesionale S.R.L.
Kremsmüller Nederland B.V.
Max Straube Industrierohrleitungsbau GmbH
Saxs Tank GmbH

hereinafter referred to as Kremsmüller

Version: 1.0


Table of Contents

1. Objectives of the Data Protection Directive
1.1 Competences
2. Scope and modification of the data protection directive
3. What are personal data?
4. What does processing mean?
5. Principles of personal data processing
5.1 Correctness and lawfulness
5.2 Purpose limitation
5.3 Transparency
5.4 Data avoidance and data minimisation
5.5 Erasure and storage limitation
5.6 Factual accuracy and keeping data up to date
5.7 Data confidentiality and security
6. Admissibility of data processing
6.1 Data about clients, suppliers or partners
6.1.1 Data processing for a contractual relationship
6.1.2 Data processing for advertising purposes
6.1.3 Data processing based on consent
6.1.4 Data processing based on legal permission
6.1.5 Data processing based on legitimate interests
6.1.6 Processing of data worthy of special protection (special categories of data)
6.1.7 Automated individual decisions (profiling)
6.1.8 Website and internet user data
6.2 Employee data
6.2.1 Data processing for the employment contract
6.2.2 Data processing based on legal permission
6.2.3 Collective agreements on data processing
6.2.4 Data processing based on consent
6.2.5 Data processing based on legitimate interest
6.2.6 Processing of data worthy of special protection (special categories of data)
6.2.7 Automated decisions (profiling)
6.2.8 Telecommunications and internet
7. Transmission of personal data
8. Commissioned data processing (service providers)
9. Rights of the data subject
10. Confidentiality of processing
11. Security of processing
12. Control of data protection
13. Data protection incidents (data protection violations)
14. Responsibilities and sanctions
14.1 Data protection coordinator
14.2 Data protection supervisor
15. Enforcement


History

Version   Date         Modification
1.0       25.05.2018   Version 1 of the Data Protection Guide and Directive


Foreword

Dear KREMSMÜLLER employees,

data protection and information security issues are becoming more and more important and significant in our commercial relations. As a producer and service provider, we enjoy the full trust of our customers and suppliers. However, trust also includes responsibility for our own actions, for our work, and for the systems and data of employees, customers and partners. Our business partners entrust us with their personal and economic data, which includes all the information that is important for the company, as well as critical information. For us at KREMSMÜLLER, it is highly important to use these data with an awareness of our own responsibility. This also means that in practice we take the issue of the legal protection of data very seriously and organize our activity accordingly. This guide should help clarify the significance and importance of the legal protection of data and its transparency for employees as well.

KR Karl Strauß /Signature/
Mag. Gregor Kremsmüller /Signature/


1. Objectives of the Data Protection Directive

KREMSMÜLLER's corporate commitment includes compliance with data protection law. This data protection directive applies to all KREMSMÜLLER units and locations and is based on the acceptance of the fundamental principles of data protection. Data protection compliance is the foundation of trustful business relations. In addition, we define our data protection objectives as our own commitment. They include the following:

• We take data protection law seriously
• We make data protection a component of our company culture
• We take the rights of data subjects seriously
• We take data protection non-compliance seriously
• We only collaborate with service providers that conform to our data protection policy
• We take our legal information obligations seriously and provide the necessary transparency
• We see data protection as a good opportunity to improve existing processes
• We all collaborate actively to comply with the provisions, which we improve continuously

1.1 Competences

Data protection objective / Competence

Data protection provisions
    Mag. Gregor Kremsmüller (Management), [email protected], +43 7242 630 - 1101

Rights of data subjects
    Harald Michlmair (HR Manager), [email protected], +43 7242 630 - 1225

Data protection violations
    Mag. Franz D. Roitinger (RS Manager), [email protected], +43 7242 630 - 1430

Processors (commissioned data processing)
    Erich Zeindlhofer (IT Manager), [email protected], +43 7242 630 - 1130

Information obligation / transparency
    Mag. Gregor Kremsmüller (Company communication), [email protected], +43 7242 630 - 1101

Compliance with provisions (internal data protection audits / compliance)
    Sebastian Wiesmayr (Data protection coordinator), [email protected], +43 7242 630 - 1298

Data protection trainings
    Ronald Kopecky, KOMDAT (Data protection supervisor), kopecky@komdat.at, +43 7243 54300


2. Scope and modification of the data protection directive

This data protection directive is based on the provisions of Regulation (EU) 2016/679 (the EU General Data Protection Regulation, GDPR) and the related national laws. The up-to-date version of the KREMSMÜLLER data protection directive may be consulted on the internet at www.kremsmueller.com/datenschutz.

3. What are personal data?

Personal data are any information relating to an identified or identifiable natural person or legal entity (Austria extends these provisions to legal entities). Identifiability may be direct, indirect or by attribution. It also includes any attribution that refers to one or more specific characteristics expressing the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person or legal entity. Examples of personal data are:

• name (e.g. John Sampleman) - direct identifiability
• "the administrator of the company KREMSMÜLLER Industrieanlagenbau KG" - indirect identifiability
• address
• date of birth
• bank details
• IP addresses
• identification numbers, online identifiers, distinguishing characteristics
• location data
• fingerprints, iris data (biometric data)
• and many more

4. What does processing mean?

Processing means any operation or set of operations performed on personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Erasing or destroying data means rendering it permanently unavailable.


5. Principles of personal data processing

5.1 Correctness and lawfulness

When processing personal data, the data subject's right to informational self-determination must be respected. This means that the data subject decides what happens with the personal data that concern him/her. Personal data must be collected and processed lawfully. Processing is lawful if:

• the data subject has consented to the processing
• the processing is necessary for the performance of a contract or for pre-contractual measures
• the processing is based on a legal obligation
• the processing is necessary to protect vital interests
• the processing serves the public interest
• the processing serves the legitimate interests of KREMSMÜLLER

5.2 Purpose limitation

Personal data must be collected for specified, clear and legitimate purposes and may not be further processed in a manner unconnected with those purposes. The purposes must be communicated to the data subject at the time of collection. Later changes of purpose are possible only to a limited extent and require a justification and a new consent from the data subject.

5.3 Transparency

The data subject must be informed about the processing of their data. As a rule, personal data should be collected from the data subjects themselves. At the time of collection, the data subject must know or be informed of at least the following:

• the identity of the controller (KREMSMÜLLER)
• the purpose of the data processing (e.g. client database)
• the intended storage period
• if applicable, the third parties or categories of third parties with whom the data will be shared

5.4 Data avoidance and data minimisation

Before personal data are processed, it must be verified whether and to what extent the processing is necessary to achieve the intended purpose. Personal data may not be stored in reserve for potential future purposes.

5.5 Erasure and storage limitation

Personal data that are no longer necessary after the expiry of the statutory or process-related retention period must be proactively erased.

5.6 Factual accuracy and keeping data up to date

Personal data must be stored correctly, completely and, where possible, up to date. Appropriate measures must be taken to ensure that inaccurate, incomplete or outdated data are erased, corrected, completed or updated.


5.7 Data confidentiality and security

Personal data are subject to data secrecy. They must be protected by appropriate organizational and technical measures against unauthorized access, unlawful processing or transmission, and against accidental loss, alteration or destruction. It must be borne in mind that the processing of personal data must not cause harm to the data subjects.

6. Admissibility of data processing

The collection, processing and use of personal data is only admissible if one of the following legal bases applies. A legal basis is also required if the original purpose for which the personal data were collected, processed and used is changed.

6.1 Data about clients, suppliers or partners

6.1.1 Data processing for a contractual relationship

If the processing of personal data serves the performance of a contract or pre-contractual measures, the processing is admissible.

6.1.2 Data processing for advertising purposes

If the data subject approaches KREMSMÜLLER with an information request (e.g. the wish to receive a product catalog), the processing is admissible for the fulfilment of this request. For other customer loyalty or advertising measures, consent is required (see 6.1.3).

6.1.3 Data processing based on consent

Data may be processed on the basis of the data subject's consent. For documentation purposes, the declaration of consent must be obtained on paper or electronically. In certain situations, e.g. telephone consultations, consent may also be given verbally. Such consent must be documented.

6.1.4 Data processing based on legal permission

The processing of personal data is also permitted where legal provisions require, presuppose or allow it.

6.1.5 Data processing based on legitimate interests

Personal data may also be processed where this is necessary to pursue a legitimate interest of KREMSMÜLLER. Legitimate interests are usually legal (e.g. the enforcement of outstanding claims) or economic (e.g. the avoidance of contractual disruptions).

6.1.6 Processing of data worthy of special protection (special categories of data)

Data worthy of special protection may only be processed if this is necessary under the law or if the data subject has expressly given their consent. Special categories of data are:

• information about racial or ethnic origin
• information about political opinions
• information about religious or philosophical beliefs
• information about trade union membership
• genetic and biometric data
• health data
• data concerning sex life or sexual orientation

The processing of these data is also permitted where it is necessary for the establishment, exercise or defence of legal claims against the data subject.

6.1.7 Automated individual decisions (profiling)

Automated processing of personal data that evaluates individual personal characteristics (e.g. reliability, creditworthiness) may not be the sole basis for decisions that have negative effects on, or significantly affect, the data subject. The data subject must be informed of the fact and the result of an automated individual decision and must be given the opportunity to express his/her point of view. To avoid erroneous decisions, a plausibility check and review by an employee must be ensured.

6.1.8 Website and internet user data

Where personal data are collected, processed or used on websites or in apps, data subjects must be informed of this in the privacy statement and, where necessary, in a cookie notice. The privacy statement and, where applicable, the cookie notice must be integrated so that they are easy to find, directly accessible and permanently available to data subjects. If usage profiles (tracking) are created to evaluate website and app usage behaviour, data subjects must always be informed of this in the privacy statement. If tracking is done under a pseudonym, the privacy statement must give the data subject the option to object (opt-out).

6.2 Employee data

6.2.1 Data processing for the employment contract

For the employment contract, personal data may be processed to the extent necessary for the establishment, performance and termination of the employment relationship. When a position is filled, the personal data of applicants may be processed. If the application is unsuccessful, the applicant's data must be erased in compliance with the statutory deadlines, unless the applicant has consented to the retention of their data for a later selection process. Consent is also required for the use of the data in other recruitment processes or before sharing the applicant's data with other company departments. In an existing employment relationship, data processing must likewise relate to the purpose of the employment contract, unless one of the following legal bases for data processing applies. If, during recruitment or in an existing employment relationship, it is necessary to collect further information about the applicant or employee from a third party, the consent of the data subject must be obtained. The processing of personal data in the context of the employment relationship that does not directly serve the performance of the employment contract always requires a legal justification. This may consist of statutory requirements, collective agreements with the employees' representatives, the employee's consent or the legitimate interests of the company.

6.2.2 Data processing based on legal permission

The processing of employees' personal data is also permitted where legal provisions require, presuppose or allow it. If the law leaves room for discretion, the legitimate interests of the employee must be taken into account.

6.2.3 Collective agreements on data processing

If processing goes beyond the scope of the contract, it is also admissible where it is permitted by a collective agreement. Collective agreements are, for example, agreements between the employer and the employees' representatives within the scope allowed by labour law. The agreements must cover the specific scope of the intended processing and must be drawn up within the framework of data protection law.

6.2.4 Data processing based on consent

Employee data may be processed on the basis of the data subject's consent. Declarations of consent must be given voluntarily; consent that is not given voluntarily has no legal effect. For documentation purposes, the declaration of consent must in principle be obtained on paper or electronically. If, by way of exception, the circumstances make this impossible, consent may also be given verbally and must be properly documented. Where the data subject voluntarily provides data, consent may be assumed unless national law requires explicit consent. Before giving consent, the data subject must be informed in accordance with this data protection directive.

6.2.5 Data processing based on legitimate interest

Employees' personal data may also be processed where this is necessary to pursue a legitimate interest of KREMSMÜLLER. Legitimate interests are usually legal (e.g. the establishment, exercise or defence of legal claims) or economic. Processing on the basis of a legitimate interest may not take place if, in the specific case, there are indications that the employee's interests worthy of protection outweigh the interest in the processing. The existence of an interest worthy of protection must be demonstrated for each processing operation. Control measures that require the processing of employee data may only be taken where there is a legal obligation or a justified permission. Even where there is a justified permission, the proportionality of the control measure must be checked. The legitimate interests of the company in carrying out the control measure (e.g. compliance with legal provisions and internal company regulations) must be weighed against any interest worthy of protection of the employee affected by the measure, and the measure may only be taken if, on balance, it is reasonable. The company's legitimate interest and the employees' possible protection interests must be established and documented before each measure. In addition, where applicable, other legal requirements must be taken into account (e.g. the co-determination rights of the employees' representatives and the data subjects' rights to information).

6.2.6 Processing of data worthy of special protection (special categories of data)

Personal data worthy of special protection may only be processed under certain conditions. Special categories of data are:

• information about racial or ethnic origin
• information about political opinions
• information about religious or philosophical beliefs
• information about trade union membership
• genetic and biometric data
• health data
• data concerning sex life or sexual orientation

Data concerning criminal offences may likewise often only be processed under the conditions laid down by law. The processing must be expressly permitted or provided for by law. In addition, processing may be permitted if it is necessary for the controller to exercise its rights and fulfil its obligations under labour law. The employee may also voluntarily consent to such processing.

6.2.7 Automated decisions (profiling)

If, in the employment relationship, personal data are processed automatically in order to evaluate individual personal characteristics (e.g. for staff selection or the assessment of skill profiles), such automated processing may not be the sole basis for decisions that have negative effects on, or significantly affect, the employees concerned. To avoid erroneous decisions, automated procedures must ensure that a natural person assesses the substance of the facts and that this assessment forms the basis of the decision. In addition, the data subject must be informed of the fact and the result of an automated individual decision and must be given the opportunity to express his/her point of view.

6.2.8 Telecommunications and internet

Telephone equipment, e-mail addresses, intranet and internet, as well as internal social networks, are provided by the company primarily for the performance of business tasks. They are working tools and company resources and may be used in accordance with the applicable internal company regulations. There is no general monitoring of telephone and e-mail communications or of intranet and internet usage. To protect the IT infrastructure and individual users against attacks, protective measures are implemented at the KREMSMÜLLER network perimeters that block technically harmful content (malware) or analyze attack patterns. For security and verification reasons, the use of telephone equipment, e-mail addresses, intranet and internet, and internal social networks is logged. Evaluations of these logs that relate to individual persons are made only in the case of a concrete, justified suspicion of a violation of the law or of KREMSMÜLLER directives. Such checks may only be carried out in compliance with the principle of proportionality. National laws and existing internal company regulations must be complied with. These evaluations are not used to assess productivity.


7. Transmission of personal data

The transmission of personal data to recipients outside KREMSMÜLLER, or to recipients within KREMSMÜLLER, is subject to the admissibility conditions for the processing of personal data. Transfers of data within a single company of the Kremsmüller group (from department A to department B) take place within one controller and therefore require no separate legal basis under the GDPR (such as the legal permission, consent or legitimate interest listed in 6.2); the data security measures must nevertheless always be complied with. Transfers to other group companies, like transfers to external recipients, require a legal basis: any transfer of data within the group is also a processing operation within the meaning of the GDPR. According to Recital 48 GDPR, controllers that are part of a group of undertakings affiliated to a central body may have a legitimate interest in transmitting personal data within the group for internal administrative purposes, including the processing of clients' or employees' personal data. Under the GDPR, transferring client data from one group company to another in most cases requires the clients' consent. In practice, the most significant legal basis for the transfer of employee data is the overriding legitimate interest of the controller or of a third party (Art. 6(1)(f) GDPR). For this, the recipient of the data must be obliged to use them only for the established purposes. This obligation must be set up in writing and must cover the following points:

• the definition of the purposes of the processing
• the guarantee that the data are used exclusively by employees who are contractually bound to confidentiality and secrecy
• the guarantee of appropriate security in accordance with Art. 32 GDPR
• a provision for persons subcontracted to process the data
• the obligation to respect the rights of data subjects
• the erasure or return of the data after termination of the engagement
• a right of control for KREMSMÜLLER or auditors appointed by KREMSMÜLLER

If data are transferred to a recipient outside KREMSMÜLLER located in a third country, the recipient must ensure a level of data protection equivalent to that of this data protection directive. This does not apply if the transfer is made on the basis of a legal obligation. If third-party data are transferred to KREMSMÜLLER, it must be ensured that the data may be used for the intended purposes.


8. Processing order data (service providers)

Order data processing takes place when a provider (i. e. an order processor or a service provider) is instructed to process personal data without being given the responsibility for the related internal processes. In such cases, a contract concerning the processing of order data must be concluded with the external service provider. KREMSMÜLLER keeps the entire responsibility for the correct execution of the data processing. The service provider may only process personal data according to the instructions of KREMSMÜLLER. Upon placing the order, the following rules must be complied with; the instructing department must ensure their application.

1. The service provider must be selected according to its capacity to secure the necessary technical and organizational protection measures.

2. The order must be placed in writing. For this purpose, the indications concerning the processing of data and the responsibilities of KREMSMÜLLER and of the service provider must be documented.

3. Before starting the data processing, KREMSMÜLLER must satisfy itself of the service provider’s compliance with its obligations. Compliance with data security requirements may be proved by the service provider by presenting a suitable certification (e. g. ISO 27001). Depending on the risk of the data processing, the control must be repeated regularly during the contract where necessary.

4. In case of order data processing with an international dimension, the national requirements concerning the transmission of personal data abroad must be complied with. In particular, the transmission of personal data from the European Economic Area to a third state may only take place if the service provider proves a level of data protection equivalent to the one set out in this data protection directive.

5. Binding internal rules of the service provider may be recognized as establishing a level of data protection acceptable to the supervisory authority competent for data protection.


9. Rights of the concerned person

Every concerned person may benefit from the following rights. Their exercise must be ensured immediately by the responsible department and must bring no disadvantage to the concerned person.

1. The concerned person may request information concerning their personal data, their source and the purpose for which they are stored. If the labor contract or the labor legislation provides further rights to inspect employee files (e. g. staff files), these are not affected by this provision.

2. If personal data are transmitted to third parties, one must also provide information about the identity of the recipient and the categories of recipients.

3. If some of the personal data are incorrect or incomplete, the concerned person may ask for their correction or completion.

4. The concerned person may refuse the processing of their personal data for publicity purposes or for market or public opinion research. The data must then be blocked for these purposes.

5. The concerned person has the right to ask for the deletion of their data if the legal basis for the data processing is missing or ceases to apply. The same applies if the data processing has become obsolete through expiration or for other reasons. Existing storage obligations and interests worthy of protection that conflict with the deletion must be complied with.

6. The concerned person has, in principle, the right to object to the processing of their data, which must be taken into account if, according to their personal situation, their interest worthy of protection prevails over the interest in processing. This does not apply if a legal provision compels the execution of the processing.

When a right of the concerned person is exercised, the person competent in matters of rights of concerned persons must be informed immediately and fully - see the table of competences.


10. Confidentiality of processing

Personal data are subject to data secrecy. It is forbidden for employees to collect, process or use data without authorization or illegally. By this data protection guide, employees expressly declare that they are aware that, according to § 6 DSG 2018, they must comply with data secrecy. Unauthorized is any processing made by an employee who is not properly entitled to do so as part of their job and to whom this activity was not assigned. The need-to-know principle applies: employees may only have access to personal data if and only to the extent to which this is necessary for the execution of their tasks. This requires the careful splitting and separation of roles and competences as well as their application and management within the framework of the authorization concepts. It is forbidden for employees to use personal data for private or economic purposes, to transmit them or to make them available in any other way to unauthorized persons. Contraventions for which employees are personally responsible may lead to sanctions according to the labor legislation.

11. Security of processing

Personal data must be permanently protected against unauthorized access, processing or illegal transmission, as well as against loss, falsification or destruction. This applies irrespective of whether the data are processed electronically or on paper. Before new procedures for data processing are introduced, especially new IT systems, technical and organizational measures to protect personal data must be set up and applied. These measures must take into consideration the state of the art, the risks of the processing and the required level of data protection (established by the process of information classification). The technical and organizational measures for the protection of personal data are part of the company management in the domain of information security and data protection and must be continuously adapted to technical developments and organizational changes. It is forbidden for employees to process personal data outside of the services (programs, repositories etc.) and processes made available by KREMSMÜLLER and outside of verifiable and legal orders.

12. Control of data protection

Compliance with the data protection directives and the legislation in force concerning data protection is verified periodically by data protection audits and other controls.


13. Data protection incidents (data protection violations)

In case of violations of this data protection directive or other personal data protection provisions (data protection incidents), every employee must immediately and fully inform the person competent for violations of data protection rules - see the table of competences. In cases of

• unauthorized or illegal processing
• unintended or illegal destruction
• unintended or illegal loss
• unintended or illegal modification
• unintended or illegal disclosure

14. Responsibilities and sanctions

The company management is accountable for the processing of personal data according to the regulation. It also undertakes to ensure compliance with the data protection requirements included in the legislation and in the data protection directive (e. g. the national registration obligations). One of the company management’s tasks is to ensure, by means of organizational, personnel and technical measures, the legal processing of data in compliance with data protection rules. The implementation of these provisions is the responsibility of the competent employees. The company management guarantees that its employees are instructed to the necessary extent with respect to data protection. Contraventions for which employees are personally responsible may lead to sanctions according to the labor legislation.

Data protection coordinator

The data protection coordinator, as an internal body of the company, oversees compliance with data protection provisions. Any concerned person may approach the data protection coordinator with requests, questions, solicitations of information or complaints concerning data protection and data security issues. Upon request, questions and complaints will be treated confidentially.

14.1 Data protection coordinator

Sebastian Wiesmayr
Data protection coordinator
+43 7242 630 - 1298
[email protected]

14.2 Data protection supervisor

KOMDAT Datenschutz GmbH
Mr. Ronald Kopecky
Linzer Strasse 74
+43 / 7243 / 54300
[email protected]


15. Enforcement

The completeness and currency of this document should be checked once per year, as well as whenever necessary. Changes to this document are the responsibility of the persons competent with respect to the data protection provisions. This document should be kept available to all employees.

KR Karl Strauß /Signature/
Mag. Gregor Kremsmüller /Signature/
25.05.2018