Information on data protection for clients and other data subjects

(If there is any contradiction to the German language version, then the German language version shall take precedence)

With the following information, we would like to give you an overview on the processing of your personal data by us and your rights under data protection law. Which data are processed in detail and the manner in which they are used is predominantly determined by the services requested or agreed. Therefore, not every element of this information may be applicable to you.

Who is responsible for data processing and who can I contact?

Responsibility lies with

Tradesignal GmbH
Linzer Str. 11, 28359 Bremen, Deutschland
phone: +49 421 20109-0

Our internal Data Protection Officer:

Ms. Tanja Wenk

Which sources and which data do we use?

We process personal data which we receive from our clients and other concerned parties in connection with our business relationship. Moreover, we process personal data legitimately obtained from publicly accessible sources (such as social media, press, Internet) or which have been legitimately transmitted to us from third parties.

Relevant personal data are personal details (name, address and other contact data, date and place of birth and nationality), legitimization data (such as data from ID cards) and also authentication data (such as a specimen signature). In addition, these may also be contract data (such as a payment order), data resulting from the performance of our contractual obligations and other data comparable with the above-mentioned categories.

What is the purpose of processing your data (purpose of personal data processing) and on which legal basis does this take place?

We process personal data in accordance with the provisions of the EU General Data Protection Regulation (GDPR) and the German Federal Law on Data Protection (BDSG)

a. in order to comply with contractual obligations (Art. 6 (1 b) GDPR)

Data are processed for the purpose of providing services in connection with the performance of our agreements with our clients or for performing pre-contractual measures. The purposes of data processing are primarily determined by the specific software-product or our services.

b. within the scope of the balancing of interests (Art. 6 (1 f) GDPR)

To the extent necessary, we will process your data beyond the scope of the actual performance of the contract so as to protect justified interests of our own and of third parties. Examples:

- Consultation of and exchange of data with credit bureaus so as to determine default risks, - lodging legal claims and defense in case of legal disputes, - ensuring IT security and the IT operation of our company, - prevention and investigation of criminal acts, - video surveillance (entry control), - measures for business management and advanced development of services and products.

c. as a result of your consent Art. 6 (1 a) GDPR)

To the extent you have consented to the processing of personal data by us for certain purposes, such processing is legitimate on the basis of your consent. Consent once given may be revoked at any time. This also applies to the revocation of declarations of consent given to us before the effective date of the GDPR, i.e. before 25 May 2018. Revocation of consent has an effect only for the future and does not affect the legitimacy of the data processed until revocation.

d. on the basis of statutory regulations (Art. 6 (1 c) GDPR) or in the public interest (Art. 6 (1 e) GDPR)

Moreover, we are subject to various legal obligations, i.e. statutory requirements (such as tax laws) and regulations relating to the supervision of banking (e.g. the Federal Agency for the Supervision of Financial Services). The purposes of processing include, among others, the assessment of compliance with obligations of control and reporting under tax law and the assessment and management of risks in our company.

Who will receive my data?

Within our company, those units will be granted access to your data that need them in order to comply with our contractual and statutory obligations. Service providers and agents appointed by us may also receive the data for these purposes on the condition that there are bounded by an NDA. These are companies in the categories IT services, logistics, printing services, telecommunication, collection of receivables, consultation as well as sales and marketing.

As far as passing on data to recipients outside our company is concerned, it must first be kept in mind that we are obliged to keep all client-related facts and assessments we become aware of in strict confidence. As a matter of principle, we may pass on information about our clients only if this is required by law, the client has given his consent, or we have been granted authority to provide such information. Under these circumstances, recipients of personal data may, for example, be:

- Public authorities and institutions (such as the Federal Agency for the Supervision of Financial Services, tax authorities, authorities prosecuting criminal acts, courts), pro- vided a statutory obligation or an official decree is in place, - creditors or liquidators submitting queries in connection with a foreclosure, - service providers if payment by credit card is denied, - partners in the bank or credit card business (such as Banks, WorldPay, PayPal), - service providers whom we involve in connection with contract data processing relationships.

Will the data be transferred to a third country or an international organisation?

Data transfer to bodies in states outside the European Union (so-called third countries) will take place to the extent

- this is required to carry out your orders (e.g. payment orders, Exchanges, Data Vendors), - it is required by contract or supervision (e.g. Audit procedures by exchanges or data vendors) - it is required by law (such as obligatory reporting under tax law) or - you have given your consent.

For how long will my data be stored?

We process and store your personal data as long as this is required to meet our contractual and statutory obligations.

If the data are no longer required for the performance of contractual or statutory obligations, these will be erased on a regular basis unless temporary further processing is necessary for the following purposes:

- Compliance with obligations of retention under commercial or tax law which, for example, may result from the German Commercial Code (HGB) or the German Fiscal Code (AO). As a rule, the time limit specified there for retention or documentation is 2 to 10 years. - Preservation of evidence under the statutory regulations regarding the statute of limitations. According to Secs. 195 et seqq. of the German Civil Code (BGB), these statutes of limitations may be up to 30 years, the regular statute of limitation being 3 years.

What are my rights with regard to data protection?

Every data subject has the right of access pursuant to Article 15 GDPR, the right to rectification pursuant to Article 16 GDPR, the right to erasure pursuant to Article 17 GDPR, the right to restriction of processing pursuant to Article 18 GDPR, the right to object pursuant to Article 21 GDPR and the right to data portability pursuant to Article 20 GDPR. As far as the right to obtain information and the right to erasure are concerned, the restrictions pursuant to Secs. 34 and 35 BDSG are applicable. Moreover, there is a right to appeal to a competent data protection supervisory authority (Article 77 GDPR in conjunction with Sec. 19 BDSG).

Your consent to the processing of personal data granted to us may be revoked at any time by informing us accordingly. This also applies for the revocation of declarations of consent given to us before the effective date of the GDPR, i.e. before 25 May 2018. Please keep in mind that such revocation will be effective only for the future with no impact on processing carried out before the date of revocation.

Am I obliged to provide data?

Within the scope of our business relationship, you are obliged to provide those personal data which are required for commencing, executing and terminating a business relationship and for compliance with the associated contractual obligations or the collection of which is imposed upon us by law. Without these data, we will generally not be able to enter into agreements with you, to perform under such an agreement or to terminate it.

We are especially obliged to ask for and record your name, address and contact details. So as to enable us to comply with these statutory obligations, you are obliged to provide the necessary information and documents and to report any changes that may occur promptly.

To what extent will decision-making be automated?

As a matter of principle, we do not use automated decision-making processes.

Will profiling take place?

We are not using profiling.