DATA PROTECTION DECLARATION OF ERNE HOLDING AG, LAUFENBURG AND ITS SUBSIDIARIES AND GROUP COMPANIES

In this privacy policy, we, ERNE Holding AG Laufenburg and its subsidiaries and group companies (hereinafter "ERNE Group", "we", "us"), explain how we collect and process personal data. The "ERNE Group" refers to ERNE Holding AG, Bahnhofstrasse 8, 5080 Laufenburg and its subsidiaries and group companies. An overview of the subsidiaries and group companies of the "ERNE Group" can be found hereLocations.

The ERNE Group attaches great importance to the security of your data. We process your personal data exclusively in compliance with the data protection laws applicable to us. The ERNE Group obtains and processes personal data concerning you or "third parties". We use the term "data" synonymously with "personal data". The terms "process", "particularly sensitive personal data" and "personal data" used in this privacy policy correspond to the terms "process", "sensitive personal data" and "personal data" in the GDPR.

Personal data are all details and information relating to an identified or identifiable natural person. This includes your contact details such as name, telephone number, address or email address as well as other details. Particularly sensitive personal data, such as data relating to health or religious beliefs, is a category of personal data that enjoys special protection under applicable data protection law.

In this Privacy Policy, we describe what we do with your data when you use www.erne-gruppe.ch, other ERNE Group websites or our app (hereinafter referred to collectively as the "Website"), are in contact with us as part of a contract, purchase our services or products or are otherwise in contact with us or otherwise have dealings with us.

This Privacy Policy is designed to comply with the requirements of the Swiss Data Protection Act ("DPA") and the EU General Data Protection Regulation ("GDPR"), where applicable.

ERNE Management AG, Bahnhofstrasse 8, 5080 Laufenburg ("ERNE Management") is responsible for data processing within the meaning of the FADP and the GDPR, unless otherwise specified in individual agreements (forms or contracts). However, unless otherwise stated, this Privacy Policy also applies to cases in which ERNE Management is not the controller, but another ERNE Group company. This is particularly the case if you visit another website of a group company or a project website (you will find the controller in the legal notice of the website). This is also the case if your data is processed by such a group company in connection with its own legal obligations or contracts, if you share data with such a group company or if you interact with a group company in any other way. In these cases, this group company is the controller and if you share your data with other group companies for their own purposes (see section 5), these group companies become independent controllers or joint controllers.

You can find an overview of the companies under Locations.

Please send any data protection concerns by e-mail to: datenschutz@erne.ch for the attention of Dr. Michael Wyttenbach, General Counsel.

or by letter to:

ERNE Management AG
General Counsel
Bahnhofstrasse 8
5080 Laufenburg
SWITZERLAND

We process different types of data about you. The main categories are as follows:

Technical data: If you use our website or other electronic offerings (e.g. free WLAN on our company premises), we collect the IP address of your end device and other technical data to ensure the functionality and security of these offerings. This includes information about the browser type and version used, the operating system used, information about your device type and Internet service provider, the date, time and duration of access, as well as other websites accessed by the system via our website. To ensure the functionality of our offers, we can also assign an individual code to you or your end device (e.g. in the form of a cookie, see section 11). The technical data itself does not allow any conclusions to be drawn about your identity if the IP address is anonymized. However, in the context of user accounts, registrations, access controls or the processing of contracts, it can be linked to other data categories (and thus possibly to your person).

Registration data: Certain offers, such as our newsletter mailing service, can only be used with a user account or prior registration. In doing so, you must provide us with certain data and we collect data on the use of the offer. If we or one of our contractual partners invite you to an event or make you an offer, we may request certain data from you when you participate in the event or accept the offer, which we may share with the relevant contractual partner (see section5). Registration data may be required for access control systems to certain facilities.

Communication data: If you are in contact with us via the contact form, by e-mail, telephone, letter or other means of communication, we collect the data exchanged between you and us, including your contact details and the marginal data of the communication. If we record telephone conversations, we will inform you of this specifically and in advance. In addition, we may record (video) conferences via Microsoft Teams for knowledge retention, training and quality assurance purposes. You will always be informed in advance if and when such recordings take place, including a display during the relevant Teams (video) conference. If we want or need to establish your identity, e.g. in the event of a request for information from you, a request for media access, etc., we will collect data to identify you (e.g. a copy of an ID card).

Master data: We define master data as the basic data that we require in addition to the contract data (see below) for the processing of our contractual and other business relationships or for marketing and advertising purposes, such as name, contact details and information e.g. about your role, function and qualifications, your bank account(s) and credit card details, your gender, your date of birth, your nationality, details of associated persons (superiors, employees), websites, social media profiles, details of your relationship with us, details of your status with us, assignments, classifications and distribution lists, customer history, powers of attorney, signature authorizations, blocking notices and declarations of consent. We process your master data if you are a customer or other business contact or work for one (e.g. as a contact person of the business partner), or because we want to contact you for our own purposes or the purposes of a contractual partner (e.g. in the context of procurement, marketing and advertising, with invitations to events, with newsletters, etc.). We receive master data from you yourself (e.g. as part of a registration), from bodies for which you work, or from third parties such as our contractual partners, associations and address dealers and from publicly accessible sources such as the media, public registers or the Internet (websites, social media, etc.). As part of master data, we may also process information about third parties, e.g. contact persons, recipients of services, advertising recipients or representatives. We may also collect master data from our shareholders and investors.

Master data is not collected comprehensively for all contacts. Which data we collect in detail depends in particular on the purpose of the processing.

Financial data: Financial data is information on creditworthiness (i.e. information that allows conclusions to be drawn about the likelihood of claims being settled), on reminders and on debt collection. We receive some of this data from you (e.g. when you make payments), but also from credit agencies and debt collection agencies and from publicly accessible sources (e.g. a commercial register).

Contract data is data that arises in connection with a legal transaction, e.g. information on contracts and the services to be provided or provided, as well as data from the run-up to the conclusion of a contract, the information required or used for processing and information on reactions (e.g. complaints or information on satisfaction, etc.). This also includes health data and information about third parties, e.g. medically relevant information relating to health and safety in the workplace.

Behavioral and preference data: Depending on the relationship we have with you, we try to get to know you as well as possible and better tailor our products, services and offers to you. To do this, we collect and use pseudonymized data about your behavior and preferences. We do this by evaluating information about your behavior in our area, and we can also supplement this information with data from third parties - including from publicly accessible sources. Based on this, we can, for example, calculate the probability that you will use certain services or behave in a certain way. Some of the data processed for this purpose is already known to us (e.g. when you use our services), or we obtain this data by recording your behavior (e.g. how you navigate our website). We anonymize this data and delete it when it is no longer relevant for the purposes pursued. We describe how tracking works on our website in section 11.

Other data: We also collect data from you in other situations. In connection with official or judicial proceedings, for example, data is collected (such as files, evidence, etc.) that may also relate to you. We may also collect data for health protection reasons (e.g. as part of protection concepts). We may receive or produce photos, videos and audio recordings in which you may be recognizable (e.g. at events, on our construction sites through security cameras, etc.). We may also collect data about who enters certain buildings or has access rights to them and when (including during access controls, based on registration data or visitor lists, etc.), who attends events and when, or who uses our infrastructure and systems and when. Finally, we collect and process data about our shareholders and other investors; in addition to master data, this includes information for the relevant registers, regarding the exercise of their rights and the holding of events (e.g. general meetings).

You provide us with much of the data mentioned in this section yourself (e.g. via forms, as part of communication with us, in connection with contracts, when using the website, etc.). You are not obliged to do so, subject to individual cases, e.g. as part of binding protection concepts (legal obligations). If you wish to conclude contracts with us or make use of services, you must also provide us with data as part of your contractual obligation in accordance with the relevant contract, in particular master data, contract data and registration data. When using our website, the processing of technical data is unavoidable. If you wish to gain access to certain systems or buildings, you must provide us with registration data. In the case of behavioral and preference data, however, you generally have the option of objecting or not giving your consent.

Insofar as this is not prohibited, we also obtain data from publicly accessible sources (e.g. debt collection registers, land registers, commercial registers, media or the Internet, including social media) or receive data from other companies within our group, from authorities and from other third parties (such as credit agencies, address dealers, suppliers, associations, contractual partners, Internet analysis services, etc.).

We use the data we collect to initiate, conclude and process contracts with you, in particular in the context of the provision of construction and real estate services, the purchase of products and the provision of services by our subcontractors. In particular, we process master data, contract data and communication data and, depending on the circumstances, registration data as well as data to check the creditworthiness of the customer or the persons to whom the customer provides a service. The enforcement of legal claims arising from contracts (debt collection, legal proceedings, etc.) is also part of processing, as are accounting, termination of contracts and public communication.

We process your data for purposes related to communication with you, in particular to respond to inquiries and assert your rights (section 9) and to contact you in the event of queries. In particular, we use communication data and master data for this purpose and, in connection with offers and services used by you, also registration data. We retain this data in order to document our communication with you, for training purposes, for quality assurance and for follow-up questions.

We process data for marketing purposes and to maintain relationships, e.g. to send our customers and other contractual partners personalized advertising about our products and services and those of third parties (e.g. advertising contractual partners). For example, with your consent, we will send you information, advertising and product offers from us and from third parties within and outside the Group (e.g. advertising contract partners), in printed form, electronically or by telephone. For this purpose, we primarily process communication and registration data. Relationship management also includes addressing existing customers and their contacts on a personalized basis, if necessary, based on behavioral and preference data. As part of relationship management, we may also operate a customer relationship management system ("CRM"), in which we store the data on customers, suppliers and other business partners necessary for the relationship management, e.g. about contact persons, relationship history (e.g. about products and services purchased or supplied, interactions, etc.), interests, wishes, marketing measures (newsletters, invitations to events, etc.) and other information. We also process your data for market research, to improve our services and operations and for product development. For this purpose, we analyze, for example, how you navigate through our website or which products are used by which groups of people and in what way (for further details, see section 11). In particular, we process master data, behavioral data and preference data, but also communication data and information from customer surveys, polls and studies and other information, e.g. from the media, social media, the internet and other public sources.

We may also process your data for security purposes and for access control.

We also process your data for the purposes of our risk management and in the context of prudent corporate governance, including business organization and corporate development. For these purposes, we process in particular master data, contract data, registration data and technical data, as well as behavioral and communication data.

Finally and primarily, we process personal data to comply with laws, directives and recommendations from authorities and internal regulations ("compliance") and may process your data for other purposes, e.g. as part of our internal processes and administration or for training and quality assurance purposes.

If we ask for your consent for certain processing (e.g. for the processing of particularly sensitive personal data, for marketing mailings and for advertising control and behavioral analysis on the website), we will inform you separately about the corresponding purposes of the processing. You can revoke your consent at any time in writing by e-mail or letter to us with effect for the future; our contact details can be found above. For the revocation of your consent in the case of online tracking, see Section 11. If you have a user account, revocation or contact with us can also be carried out via the relevant website or other service. Once we have received notification of the withdrawal of your consent, we will no longer process your data for the purposes to which you originally consented, unless we have another legal basis for doing so. The withdrawal of your consent will not affect the lawfulness of processing based on consent before its withdrawal.

Where we do not ask for your consent for processing, we base the processing of your personal data on the fact that the processing is necessary for the initiation or execution of a contract with you (or the entity you represent) or that we or third parties have a legitimate interest in it, in particular in order to pursue the purposes and associated objectives described above under section 3 and to be able to carry out corresponding measures. This also includes compliance with statutory provisions, insofar as this is not already recognized as a legal basis by the applicable data protection law (e.g. in the case of the GDPR, the law in the EEA and Switzerland). However, this also includes the marketing of our products and services, the interest in better understanding our markets and the secure and efficient management and further development of our company, including its operations.

If we receive particularly sensitive personal data (e.g. health data, information on political, religious or ideological views or biometric data for identification purposes), we may also process your data on the basis of other legal grounds, e.g. in the event of disputes due to the necessity of processing for any legal proceedings or the enforcement of or defense against legal claims. In individual cases, other legal grounds may apply, which we will communicate to you separately if necessary.

We only disclose your personal data if you have expressly consented to this, if we are required to do so by law or if this seems necessary in the context of using the website, for the performance or initiation of a contract or otherwise to protect our legitimate interests and the other purposes listed in Section 3. We may disclose your personal data to the following categories of recipients:

• ERNE Group companies. Disclosure may be for internal group administration or to support the group companies concerned and their own processing purposes.

• Service operators and service providers (such as IT providers, hosting and cloud services, shipping companies, material suppliers, advertising service providers, cleaning companies, security companies, banks, insurance companies, debt collection companies, credit agencies or address verifiers).

• Public authorities (offices, courts and other authorities at home and abroad)

As described, we also disclose data to other bodies. These are not only located in Switzerland, but your data may be processed in any country in Europe.

If necessary for the provision of our services, data will be transferred to the recipients within Switzerland and the EU described above. In particular, you must expect your data to be transferred to all countries in which the ERNE Group is represented. If a recipient is located in a country without adequate legal data protection, we contractually oblige the recipient to comply with the applicable data protection (for this purpose we use the revised standard contractual clauses of the European Commission, which have been recognized by the Federal Data Protection and Information Commissioner FDPIC: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj), unless the recipient is already subject to a legally recognized set of rules to ensure data protection and we cannot rely on an exemption provision. An exception may apply in particular in the case of legal proceedings abroad, but also in cases of overriding public interests or if the performance of a contract requires such disclosure, if you have given your consent or if the data in question has been made generally accessible by you and you have not objected to its processing.

Please also note that data exchanged via the Internet is often routed via third countries. Your data may therefore be sent abroad even if the sender and recipient are located in the same country.

We only process your personal data for as long as is necessary for the fulfillment of our contractual and legal obligations or otherwise for the purposes pursued with the processing, i.e. for the duration of the entire business relationship (from the initiation, processing to the termination of a contract and the warranty period as well as any subsequent support phase) and beyond that in accordance with the statutory retention and documentation obligations. It is possible that personal data may be stored for the period in which claims can be asserted against us and insofar as we are otherwise legally obliged to do so or legitimate business interests require this (e.g. for evidence and documentation purposes). As soon as your personal data is no longer required for the above-mentioned purposes, it will be deleted or anonymized as far as possible. Shorter retention periods apply in some cases for operational data (e.g. system logs or logs).

We take appropriate technical and organizational security precautions to protect your data from unauthorized or unlawful access or even misuse and to counteract the risks of loss, unintentional alteration, unwanted disclosure or unauthorized access.

As a data subject, you have the following rights vis-à-vis us:

Right to information: You have the right to obtain information from us about the processing of your data.

Right to rectification: You have the right to obtain from us the rectification of inaccurate or incomplete data concerning you.

Right to erasure: You have the right to request the erasure of your data under certain conditions. For example, you can request the erasure of your data if it is no longer necessary for the purposes for which it was collected. You can also request erasure if we process your data on the basis of your consent and you withdraw this consent.

Right to data surrender and transfer: You have the right to request the surrender of your personal data in a commonly used electronic format or the transfer of your data to another location.

Right to withdraw consent: You have the right to withdraw your consent at any time with effect for the future.

Right to restriction of processing: You have the right to request the restriction of the processing of your data under certain conditions.

Right to object: You have the right to object to the processing of personal data by us at any time.

Rights with regard to automated individual decisions: You have the right not to be subject to a decision based solely on automated processing.

In order to exercise these rights, you must provide clear proof of your identity (e.g. a copy of your ID where your identity is otherwise not clear or cannot be verified). To assert your rights, please contact us in writing by e-mail or letter to the address given in section 1.

Please note that these rights are subject to conditions, exceptions or restrictions under the applicable data protection law (e.g. to protect third parties or business secrets. We will inform you accordingly if necessary.

If you do not agree with our handling of your rights or data protection, please inform us or, if you are located in Germany, the data protection officer in accordance with Art. 37 ff. and Art. 38 BDSG (Section 1). In particular, if you are in the EEA or Switzerland, you also have the right to lodge a complaint with the data protection supervisory authority in your country. You can find a list of the authorities in the EEA here:edpb.europa.eu/about-edpb/about-edpb/members_en. You can contact the Swiss supervisory authority here:www.edoeb.admin.ch/edoeb/de/home/der-edoeb/kontakt/adresse.html.

The website is aimed at an adult audience. Minors, in particular children under the age of 16, are prohibited from transmitting personal data to us or registering for a service without the consent of their parents. If we discover that such data has been transmitted to us, it will be deleted from our database. The parents (or legal representative) of the child can contact us and request the deletion or deregistration. To do this, we require a copy of an official document that identifies you as the parent or legal guardian.

We use cookies on our websites and may operate pages and other online presences ("fan pages", "channels", "profiles", etc.) on social networks and other platforms operated by third parties and collect the data about you described in section 2 and below. For the settings regarding the use of cookies by the ERNE Group and any third parties, please refer to the Cookie Policy.

We reserve the right to amend or supplement this privacy policy at any time. All changes and additions are at our sole discretion. The version published on our website applies in each case.

Request for information form