The use of this website may involve the processing of personal information. We would like to provide you with an overview of this processing by means of the following information to ensure you fully comprehend this processing. In addition, we would like to inform you regarding your rights under the EU General Data Protection Regulation (GDPR), and under the German Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG). To ensure that your personal data remains safe, we ensure that your data is protected from access by unauthorised parties and from unauthorised disclosure. Your data will not be supplied to third parties without authorisation. If you have any questions or suggestions regarding this privacy policy or data protection in general please contact us via the contact information listed below.

The controller for the processing of personal data within the meaning of the EU General Data Protection Regulation and other data protection provisions is: TMG ThinkTank for Sustainability

and

TMG Research gGmbH

both:

EUREF-Campus 6-9,

10829 Berlin

Germany

Telephone +49 (30) 92 10 74 07 00

E-mail: info@tmg-thinktank.com

Website: www.tmg-thinktank.com

This privacy policy applies for both TMG ThinkTank for Sustainability and TMG Research gGmbH equally. In the following, both will be referred to as TMG or we/us.

Purposes of processing We process our users’ personal data only to the extent required for providing a functional website and supplying our content and services. We process our users’ personal data regularly only if the respective users have given their consent. The only exception to this is where it is actually impossible for us to obtain prior consent and processing of the data is legally allowed. Legal basis for processing personal data

Art. 6 paragraph 1 point a GDPR serves as the legal basis for processing personal data where we obtain the corresponding data subjects’ consent.

Art. 6 paragraph 1 point b GDPR serves as the legal basis where we need to process personal data for the purposes of fulfilling a contract, and the data subject is party to the contract. This also applies to processing necessary to accommodate preparations for entering into a contract.

Art. 6 paragraph 1 point c GDPR serves as the legal basis Where processing of personal data is necessary for our company to fulfil a legal obligation

Art. 6 paragraph 1 point d GDPR serves as the legal basis where processing of personal data is necessary for protecting the vital interests of the data subject, or those of another individual.

Art. 6 paragraph 1 point f GDPR serves as the legal basis where processing is necessary to protect our company's or a third party’s legitimate interests, and such interests are not overridden by the interests, fundamental rights and freedoms of the data subject

The data subject’s personal data will be deleted or blocked as soon as the purpose for which it has been collected has been fulfilled. Data may remain on record beyond this period if such is specified in European or national legislation. Data will also be deleted if a storage period specified in the above standards expires unless conclusion or fulfillment of a contract requires the data to remain on record further.

If we process data in a third country (that is, outside the European Union (EU) or the European Economic Area (EEA)) or this takes place in consequence of the use of services of third parties or disclosure or transmission of data to third parties, this is only done in order to fulfil our (pre)contractual obligations on the basis of your consent, on the basis of a legal obligation or on the basis of our legitimate interests. Subject to legal or contractual permission, we process or allow the data to be processed in a third country only when the specific requirements of Article 44 ff GDPR are met. This means that the processing is for example performed on the basis of particular guarantees, such as the officially recognised confirmation of a data protection level corresponding to the US (such as for the USA through the “Privacy Shield”) or compliance with officially recognised special contractual obligations (so-called “standard contractual clauses”).

Log Files Any time our website is accessed, our system automatically records data and information concerning the accessing computer. The following data is recorded: - Date and time of access - The user’s IP address - Browser type and version used - The user’s Internet service provider - The user’s operating system - Websites from which the user’s system reaches our website This data is recorded in our system’s log files. This data is not stored together with any of the user’s other personal data.

Our system needs to temporarily record the IP address in order to provide the website to the user’s computer. This also requires that the user’s IP address remains logged throughout the session.

Recording the data in log files is necessary to ensure that the website operates correctly. The data further helps us optimise the website and ensure that our computer systems remain secure. No data is processed for marketing purposes in this context.

The above purposes also constitute our legitimate interests in data processing under art. 6 paragraph 1 point f GDPR. Data storage period The data is deleted as soon as it is no longer required for achieving the purpose for which it was recorded. With respect to data being recorded in order to provide the website, the data is no longer required as soon as the respective session ends. With respect to data being recorded in log files, the data is no longer required after fourteen days at the latest. Data may remain on record for longer. If so, the users’ IP addresses are deleted or rendered untraceable to make identification of the accessing client impossible. Right to object and options for avoidance The website cannot be provided without recording the data and the operation of the site in the Internet is impossible without storing the data in log files. There is correspondingly no option for the user to object. Use of cookies

Our website does not use cookies. We are not collecting or processing any personal data.

We track traffic on our website by using the open source and GDPR-compliant service provided by Plausible Analytics. Data is routed through our subdomain stats to count website visits, downloads, etc. For more information, see the Plausible Data Policy.

Right to object and options for avoidance Cookies are stored on the user’s computer and transferred to us by that computer. If you want to prevent your computer from sending cookies in the future, you can deny or restrict the use of cookies by an appropriate setting in the web browser used. You can delete any saved cookies at any time. Encryption

To keep your data secure during transmission, we use the latest state of the art in encryption technology (e.g. TLS/SSL) via HTTPS.

On our website, we offer different ways for users to get in touch with us. It is possible to contact TMG by email, telephone, fax and mail. When you contact us, we store your contact information, e.g. email address or telephone number, and he personal user data included in the message. Processing this data serves the purpose to enable us to contact you and to deal with your request. Legal basis The legal basis for processing data received as part of our communication is art. 6 paragraph 1 point f GDPR. If email communication pursues conclusion of a contract, the legal basis shall further be art. 6 paragraph 1 point b GDPR. Data storage period The personal data that was transmissions in the course of communicating with the user will be deleted when the respective conversation with the user has concluded. The conversation has concluded when the circumstances indicate that the respective subject has been fully resolved. Right to object and options for avoidance All users can at any time withdraw their consent to our processing their personal data and object to our storing their personal data. If you do so, we will delete all personal data recorded as part of our contact. In this case, the conversation cannot be pursued further.

Embedded content Videos We embed YouTube videos on some of our websites. These plug-ins are operated by YouTube LLC, 901 Cherry Ave., San Bruno, CA 94066, USA. When you access a web page with the YouTube plug-in and click the video, you will be connected to YouTube’s servers. When this happens, YouTube receives information on the sites you are visiting. If you are logged in to your YouTube account, YouTube will be able to trace your surfing behaviour. You can prevent this by logging out of your YouTube account beforehand. When you start a YouTube video, the provider uses cookies that collect data on user behaviour. Right to object and options for avoidance If you have disabled cookies for the Google Ad program, these YouTube cookies will also be disabled. However, YouTube stores further, non-personal user data in other cookies. If you want to prevent this, you will need to disable cookies in your browser settings. For more information on data protection and YouTube, refer to the provider’s data policy here. Use of social media components On our website we use buttons from different social media networks to allow our users to easily share our content on other platforms. Loading a page that contains social media buttons does not lead to a transmission of data to external services. This only happens when you use the buttons. Please note that TMG as the provider of our sites is not informed of the data transmitted or of how the respective social media services use the data. For more information on this subject please refer to the data protection policies of the respective external provider. External links Our online offers contain links to the web pages of other providers – so-called external links. We have no influence over the contents of the targets of such links, so we are unable to take responsibility for such contents. The responsibility always rests with the respective operator of the external pages. At the time when the external link was established, no breaches of law could be seen. Permanent monitoring of external content for breaches of law without specific grounds cannot reasonably be expected of us. If we become aware of breaches of law, we will remove the corresponding external links without undue delay. Online presence in social media TMG currently maintains an online presence at the social media service Twitter. This serves to inform active users of the networks about the services and information available from TMG and in the case of interest to communicate directly over the platforms. You can reach our Twitter profile directly via the Twitter button at the top and bottom of our website. When accessing our Twitter profile, the terms and conditions and data policies of Twitter will apply.

TMG collects and processes personal data from applicants for the purpose of carrying out application procedures. This happens on the basis of art. 6 paragraph 1 point b GDPR and, if legal procedures require us to do so, as per art. 6 paragraph 1 point f GDPR (in Germany, the Federal Data Protection Act §26 BDSG also applies). The processing is usually by electronic means. This is particularly the case where the application documents are submitted electronically, but the data protection guideline described applies to all personal data regardless of you sent them to us. During the selection process, the applications received are inspected, any questions arising may be sent in response, invitations to interview will be sent and further personal data may be collected in discussions during the recruitment process, in order finally to be able to reach a decision regarding the choice of applicants. If personal data of a special category as per art. 9 paragraph 1 GDPR is voluntarily transmitted as part of an application, processing of this data is also subject to art. 9 paragraph 2 point b GDPR (e.g. data on health such as a disability or data concerning ethnicity). If, during the application process, we request personal data of a special category as per art. 9 paragraph 1 GDPR from applicants, processing of this data is also subject to art. 9 paragraph 2 point a GDPR (e.g. data on health that are required for performing the job). We will use your personal data and other data in our online application system solely to ensure that applications can be processed smoothly and correctly. Your data will be made available only to people involved in the application process. If the application process does not lead to an employment relationship, the application documents are deleted six months after notification of rejection of the application. If you consent, we may keep your personal data on record after the application process for an advertised vacancy is over or if you have sent us a speculative application so that you will remain in our applicant pool for consideration in the event of future vacancies.

Right of access Article 15 GDPR You are entitled to request information from TMG on whether we are processing any personal data related to yourself. If we do, you can further request information from the controller on the following: - the purposes to which the personal data is being processed; - the categories of personal data processed; - the recipients or categories of recipients to whom the personal data relating to yourself is or will be disclosed; - the period for which the personal data relating to yourself is intended to remain on record or, if this cannot be specified, the criteria for defining the storage period; - whether you are entitled to demand correction or deletion of the personal data relating to yourself, to demand limitation of processing by the controller or to object to processing; - whether you are entitled to file a complaint with a supervisory authority; - everything available on the data’s source if the entity you are enquiring with did not obtain it themselves; - whether personal data concerning you are transferred to a third country or to an international organisation; in this event you have the right to be informed of the appropriate safeguards pursuant to Article 46 GDPR concerning the transfer; - whether there was any automated decision-making and profiling as per art. 22 paragraphs 1 and 4 GDPR and – at least where such was the case – useful information on the underlying logic and the impact and pursued effects of this processing on the data subject. Right to rectification Article 16 GDPR You have the right to rectification and/or completion by the controller if the personal data processed that relates to you is incorrect or incomplete. TMG will make the correction without undue delay. Right to restriction of processing Article 18 GDPR Under the following conditions, you can obtain a restriction of processing of personal data concerning you: - if the accuracy of the personal data is contested by you, for a period enabling the controller to verify the accuracy of the personal data; - if the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead; - if the controller no longer needs the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defence of legal claims, or - if you objected to processing pursuant to Article 21(1) GDPR pending the verification whether the legitimate grounds of the controller override your grounds. If processing the personal data relating to yourself has been limited, the data can without your consent be used neither to assert, exercise or defend legal claims nor to enforce protection of another individual’s or legal entity’s rights nor can it be processed in the public interest of the European Union or one of its member states. This does not apply to the storing of the data. If processing has been restricted in accordance with the above conditions, you will be notified by the controller before any restrictions are lifted. Right to erasure Article 17 GDPR You can request that the controller delete the personal data relating to yourself immediately; the controller is then obliged to delete the data immediately, provided one of the following conditions applies: - The personal data relating to yourself is no longer required to achieve the purposes for which it was collected or otherwise processed. - You withdraw your consent, under which processing became legitimate as per art. 6 paragraph 1 point a or art. 9 paragraph 2 point a GDPR, and there is no other legal basis for processing. - You object to processing as per art. 21 paragraph 1 GDPR and your objection is not overridden by legitimate reasons for processing, or you object to processing as per art. 21 paragraph 2 GDPR. - The personal data relating to yourself have been processed unlawfully. - Deletion of the personal relating to yourself is necessary for the controller to fulfil a legal obligation imposed upon them by European Union law or the national laws of European Union member states. - The personal data relating to yourself has been collected in connection with the offer of information society services as per art. 8 paragraph 1 GDPR. If the controller has published personal data relating to yourself and has become obliged to delete it as per art. 17 paragraph 1 GDPR, the controller will take action, including technical measures, using the available technology and at appropriate expense with the aim of notifying any controllers processing your personal data that you as the data subject have requested deletion of all links to said personal data or to copies or reproductions thereof. The right to erasure becomes void if processing is necessary - to exercise of the right to free expression and information; - to fulfil a legal obligation requiring the controller to process the data imposed upon them by European Union law or the national laws of a European Union member state, or to complete a duty in the public interest or to perform executive duties appointed to the controller; - in the interests of public health and safety as per art. 9 paragraph 2 points h and i and art. 9 paragraph 3 GDPR; - for archiving purposes in the public interest, for scientific or historical research or for statistical purposes as per art. 89 paragraph 1 GDPR, provided that the right described in section a) can be reasonably assumed to prevent or seriously impede achievement of the processing purposes; - to assert, exercise or defend legal claims. Right to object Article 21 GDPR You are entitled to object for reasons arising from your own personal situation at any time against processing of personal data relating to yourself where processing is legitimised by art. 6 paragraph 1 points e or f GDPR; this applies in equal measure to profiling legitimised by these provisions. The controller will cease to process your personal data unless they can prove compelling legitimate reasons for processing that override your interests, rights and liberties or processing pursues the assertion, exercise or defence of legal claims. If personal data relating to yourself is processed for the purpose of direct advertising, you are entitled to object at any time to the processing of your personal data for this purpose; this applies equally to profiling where it occurs in connection with such direct advertising. If you object to processing for direct advertising, the personal data relating to yourself will no longer be processed for this purpose. You may, in connection with the use of information society services – Directive 2002/58/EC notwithstanding – exercise your right to object by means of automated methods that are subject to technical specifications. Right to data portability Article 20 GDPR You have the right to receive the personal data concerning yourself that you have provided to TMG in a structured, commonly used and machine-readable format. You are also entitled to transmit this data to another controller without TMG data hindering you from doing so and if - you have consented to processing as per art. 6 paragraph 1 point a GDPR or art. 9 paragraph 2 point a GDPR or processing is governed by a contract as per art. 6 paragraph 1 point b GDPR and - processing occurs using automated methods. When exercising this right, you can further request controllers to send the personal data relating to yourself directly to another controller, provided this is technically feasible. This must not adversely affect the liberties and rights of others. The right to data portability does not extend to the processing of personal data where such processing is necessary for fulfilling a duty in the public interest or for exercising executive duties appointed to the controller. Right to withdraw your consent under data protection law You are entitled to withdraw your consent under data protection law at any time. Your withdrawing consent does not affect legitimacy of any processing that has occurred with your consent prior to withdrawal. Automated individual decision-making, including profiling You have the right not to be subject to any decision that entails legal implications for yourself or has similar, substantially adverse effects on yourself, if said decision is based solely on automated processing; this includes profiling. You do not have this right if the decision - is necessary to allow conclusion or fulfilment of a contract between yourself and the controller, - is legitimate under the legal provisions of the European Union or its member states to which the controller is subject and these legal provisions include appropriate measures safeguarding your rights, liberties and legitimate personal interests or - is made with your express consent. However, such decisions may have been made based on personal data of special categories as per art. 9 paragraph 1 GDPR unless art. 9 paragraph 2 points a or g GDPR also apply and appropriate measures have been taken to protect your rights, liberties and legitimate personal interests. With respect to cases (1) and (3), the controller shall take appropriate precautions to protect your rights, liberties and legitimate personal interests; such precautions will include at least the right to enforce intervention by a human individual at the controller’s, to put forward your own opinion and to contest the decision. Right to complain with a supervisory authority If you believe that processing of personal data relating to yourself is in breach of the GDPR, you have the right to lodge a complaint with a supervisory authority, particularly in the EU member state you, your place of work or the locale of the alleged infringement are in. This does not affect your recourse to other administrative or judicial remedies. The supervisory authority receiving the complaint will keep the appellant up to date on status and results of the complaint, including on recourse to judicial remedies as per art. 78 GDPR.

We reserve the right to amend this data policy to keep it in line with the latest legal requirements or to adjust it to reflect changes to our services, e.g. if we introduce new services. The latest version of our data policy will apply to any further visits. Latest version: 21.05.2021