We collect your personal data when you use the website, navigate it, use the search function and/or contact us via the website. This concerns in particular the following categories of personal data:

• Identification data (if you contact us through the website): such as your first and last name;
• Contact information (if you contact us through the website): such asyour email address and phone number;
• Communication data (if you contact us through the website): such as the company you work for or on whose behalf you are contacting us, the country you are in, and the content of your message;
• Server Log Data: Browser type and browser version of the browser you are using, the operating system you are using, address of the website from which you accessed the website (referrer URL), the host name of the accessing device, the time of your visit to the website and your IP address;
• Website activity data, such as your IP address, your behavior on the Website, information about the device you are using, the browser language, the date, time and duration of your visit to the Website, the names of the pages visited and the address of the website from which you accessed the Website;
• Location information, such asgeneral information about your location (e.g. time zone, city/state and/or zip code in conjunction with your IP address).

2.1 General

We process your personal data for the purposes listed in the table below. For some specific purposes of processing (e.g. server logs), you can find additional information below the table.

2.2 Server logs

As indicated in the table above, we store server logs, which contain server log data, in order to detect and correct malfunctions and to ensure the security of the website and related systems.

2.3 Customer relationship management Tool

Information that you provide to us when contacting us via contact forms available on the website (possibly identification data, contact data and communication data) is usually stored and managed in our customer relationship management tool. This tool accepts the data from the contact forms via API interface.

2.4 Consent management

We use a service to obtain - where necessary - your consent(s) for the inclusion of services on our website and to ensure that services which require consent are only carried out where such consent has been given.

2.5 Representation of the share prices

enables the display of these prices via iFrame.

The provider may process website activity data in this context. The basis for such processing is your consent.

More information on the handling of user data can be found in the data protection notice of EQS Group AG: https://www.eqs.com/about-eqs/data-protection/.

2.6 Website analysis and advertising

This website uses the open-source web analytics service Matomo. Matomo uses technologies that enable cross-page recognition of the user to analyze user behavior (e.g. cookies or device fingerprinting). The information collected by Matomo about the use of this website is stored on our server. The IP address is anonymized (2 byte masked) before storage.

The information collected by Matomo about the use of this website is not shared with third parties.

2.7 YouTube (with enhanced privacy)

This website embeds videos from YouTube. The operator of the pages is Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland.

We use YouTube in extended privacy mode. According to YouTube, this mode means that YouTube does not store any information about visitors to this website before they watch the video. However, the disclosure of data to YouTube partners is not necessarily excluded by the extended data protection mode. Thus, YouTube - regardless of whether you watch a video - establishes a connection to the Google DoubleClick network.

As soon as you start a YouTube video on this website, a connection to the YouTube servers is established. This tells the YouTube server which of our pages you have visited. If you are logged into your YouTube account, you enable YouTube to assign your surfing behavior directly to your personal profile. You can prevent this by logging out of your YouTube account.

Furthermore, after starting a video, YouTube may store various cookies on your end device or use comparable recognition technologies (e.g. device fingerprinting). In this way, YouTube can obtain information about visitors to this website. This information is used, among other things, to collect video statistics, improve the user experience, and prevent fraud attempts.

If necessary, further data processing operations may be triggered after the start of a YouTube video, over which we have no control.

For more information about privacy at YouTube, please see their privacy notice at: https://policies.google.com/privacy?hl=en.

2.8 Google Maps

This site uses the map service Google Maps via an API. Provider is Google.

To use the functions of Google Maps, it is necessary to store your IP address.

You can find more information on the handling of user data in Google's privacy notice: https://policies.google.com/privacy?hl=en.

2.9 Cookies

Our website uses so-called "cookies". Cookies are small text files and do not cause any damage to your end device. They are stored either temporarily for the duration of a session ("Session Cookies"), or for a specific duration beyond the session ("Permanent Cookies") on your end device. Session Cookies are automatically deleted at the end of your visit. Cookies that are stored for a specific duration beyond the session are automatically deleted after this duration has expired.

In some cases, cookies from third-party companies may also be stored on your terminal device when you use our website ("Third-Party Cookies"). These enable us or you to use certain services of the third-party company.

Cookies have various functions. Many cookies are technically necessary, as certain website functions would not work without them. Other cookies are used to evaluate user behavior or to display advertising.

Otherwise, we will only use cookies (and comparable technologies) with your consent. You can adjust or withdraw your consent at any time with effect for the future in the "Privacy Setting"; you can access this by clicking on the checkmark icon displayed at the bottom left of the browser on the website. There you will also find further information on the cookies (and comparable technologies) used.

You can set your browser so that you are informed about the setting of cookies and only allow cookies in individual cases, exclude the acceptance of cookies for certain cases or in general and activate the automatic deletion of cookies when closing the browser. When deactivating cookies, the functionality of this website may be limited.

3.1

3.1 We may share your personal data with service providers who process personal data on our behalf and based on our instructions as so-called processors in order to provide their services to us:

• Website hosting provider (in the EU)
• Customer relationship management tool provider (in the EU)
• Consent management provider (in the EU)
• Provider for sending newsletters (in the EU)
• EQS Group AG (presentation of share prices) (in the EU)
• Google Ireland Limited (Youtube with enhanced privacy, GoogleMaps) (in the EU)

3.2 We may share your personal information with the following third parties:

• Other Bilfinger group companies to the extent necessary for internal administrative purposes;
• Authorities, courts and consultants (e.g. lawyers, auditors), insofar as we are legally obliged to do so, or this is necessary to safeguard our rights
• Relevant third parties in the context of a corporate transaction, to the extent required for a transaction

The recipients of your personal data (see section 3) may be located in a country outside the United Arab Emirates. To the extent that the relevant country has not been recognized as a country where personal data are adequately protected, we will only transfer your personal data to such countries to the extent that another mechanism justifies the transfer (e.g. standard contractual clauses) or an exception under applicable data protection law applies (as required under applicable data protection law). Additional measures are taken / agreed upon to the extent necessary to ensure adequate protection for the personal data.

For more details about these transfers and the transfer mechanisms used with respect to them, please contact us at dataprivacynospam@bilfinger.com.

5.1 In general

Your personal data will be deleted as soon as they are no longer necessary to achieve the purpose for which they were collected.

Exceptionally, we may store your personal data longer than shown in this section to the extent necessary to comply with a legal obligation or to establish, exercise or defend legal claims.

5.2 Server logs

We store server logs, including server log data, to investigate incidents and to ensure the security of the website and related systems for a period of 7 to 10 days, after which they are deleted; server logs that must be retained for evidentiary purposes are exempt from deletion until the incident in question is resolved.

5.3 Customer Relationship Management Tool and Contact Forms

We store information that you have provided to us via contact forms on our website and that is fed into our customer relationship management tool for up to 2 years from the point in time at which no further interaction (e.g. sending of mails, further contact) has taken place.

If, exceptionally, information from contact forms is not fed into our customer relationship management tool via API interface, the information provided is usually deleted in a cycle of 6 months.

5.4  Consent Management

We store information about whether you have consented to the provision of certain services on our website (where required) for up to 365 days.

5.5 Newsletter

In connection with newsletters, your personal data that you actively provided when subscribing to the newsletter is regularly stored for as long as the newsletter subscription is active. Documentation regarding your consent to receive newsletters is usually stored for up to three years after the calendar year in which the consent was withdrawn.

5.6 ​​​​​​​Website analysis

The data generated via the website analysis is stored by us exclusively in a non-personal manner.

5.7 Cookies

Cookies that you do not delete yourself expire after the period of time specified in the "Privacy Setting"; this can be accessed by clicking on the checkmark icon displayed on the website at the bottom left of the browser.

We have a presence on (i) LinkedIn, (ii) YouTube, (iii) Twitter, (iv) Instagram, (v) Xing and (vi) Facebook.

The providers of these social media process information about how you interact with our corporate presence on the respective network and data that you provide in your respective profile. The providers aggregate this data and provide it to us as statistics; however, you are not identifiable from these statistics. These statistics help us better understand trends and demographics of the groups of people who interact with our corporate presence.

The social network providers are the following companies:

• LinkedIn: LinkedIn Ireland Unlimited Company ("LIUC"), Wilton Place, Dublin 2, Ireland

Information about LIUC's processing of your personal data when using LinkedIn can be found in LIUC's privacy notice, which is available here. You can view the user agreement for LinkedIn here.

• YouTube: Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland

Information about Google's processing of your personal data when using YouTube can be found in Google's privacy notice, which is available here. You can view the terms of service for YouTube here.

• Twitter: Twitter International Unlimited Company ("TIUC"), One Cumberland Place, Fenian Street Dublin 2, Ireland

Information about TIUC's processing of your personal data when using Twitter can be found in Twitter's privacy notice, which is available here. You can view the Twitter user agreement here.

• Instagram: Meta Platforms Ireland Limited ("Meta"), 4 Grand Canal Square, Dublin 2, Ireland

Information about Meta's processing of your personal data when using Instagram can be found in Meta's privacy notice, which is available here. You can view the terms of use for Instagram here.

• Xing: New Work SE, Am Strandkai ("NW"), 20457 Hamburg, Germany

Information on the processing of your personal data by NW when using Xing can be found in NW's privacy notice, which is available here. You can view the general terms and conditions for the use of XING here.

• Facebook: Meta Platforms Ireland Limited ("Meta"), Block J, Serpentine Avenue, Dublin 4, Ireland

Information about Meta's processing of your personal data when using Facebook, in particular Meta's contact details and the contact details of Meta's designated data protection officer, as well as your rights vis-à-vis Meta, can be found in Meta's privacy notice, which is available here. You can view the terms of service for Facebook here.

We collect your personal data when you interact with us via social media. The categories of personal data we process in the course of such interaction depend on the platform used. Among others, this may involve the following categories of personal data:

• Identification data (if you contact us via social media): such as your first and last name;
• Contact details (if you contact us via social media): such asyour email address and phone number;
• Communication data (if you contact us via social media): such as the company you work for or on whose behalf you are contacting us, the country you are in, and the content of your message;
• Social media activity data, such as your IP address, your behavior on social media, information about the device you are using, browser language, the date, time and duration of your visit to social media;
• Location information, such asgeneral information about your location (e.g. time zone, city/state and/or zip code in conjunction with your IP address).

2.1 General

Wir verarbeiten Ihre personenbezogenen Daten für die in der nachstehenden Tabelle aufgeführten Zwecke. Wir stützen uns dabei auf die in der Tabelle aufgeführten Rechtsgrundlagen. Soweit relevant ist das berechtigte Interesse, welches wir mit der Verarbeitung verfolgen, ebenfalls aufgeführt. Grundsätzlich sind die folgenden Rechtsgrundlagen relevant:

• Erfüllung eines Vertrages (einschließlich der Verarbeitung, die erforderlich ist, um auf Ihren Wunsch hin Schritte vor Abschluss eines Vertrages zu unternehmen) (Art. 6 (1) (b) der Datenschutz-Grundverordnung („DSGVO“);
• Erfüllung rechtlicher Verpflichtungen (Art. 6 (1) (c) DSGVO);
• Berechtigte Interessen (Art. 6 (1) (f) DSGVO);
• Einwilligung (Art. 6 (1) (a), Art. 7 DSGVO).

2.2 Analysis of usage behavior in social media

The social media providers process information about how you interact with our corporate presence on the respective network and data that you provide in your respective profile. The providers aggregate this data and provide it to us as statistics; however, you are not identifiable from this aggregated data. These statistics help us better understand trends and demographics of the groups of people who interact with our company presence. Details about our corporate presences on social media and the respective providers can be found in section 1.

2.3 Social media

In connection with our channels on social media and those of other companies of the Bilfinger group, we ask you to consult the privacy notices of the respective platform if you would like to learn more about the processing of your personal data on these platforms.

3.1 We may share your personal data with service providers who process personal data on our behalf and based on our instructions as so-called processors in order to provide their services to us:

• Consent management provider (in the EU)
• Provider for sending newsletters (in the EU)

3.2 We may share your personal information with the following third parties:

• Other Bilfinger group companies to the extent necessary for internal administrative purposes;
• Authorities, courts and consultants (e.g. lawyers, auditors), insofar as we are legally obliged to do so, or this is necessary to safeguard our rights
• Relevant third parties in the context of a corporate transaction, to the extent required for a transaction

The recipients of your personal data (see section 3) may be located in a country outside the United Arab Emirates. To the extent that the relevant country has not been recognized as a country where personal data are adequately protected, we will only transfer your personal data to such countries to the extent that another mechanism justifies the transfer (e.g. standard contractual clauses) or an exception under applicable data protection law applies (as required under applicable data protection law). Additional measures are taken / agreed upon to the extent necessary to ensure adequate protection for the personal data.

For more details about these transfers and the transfer mechanisms used with respect to them, please contact us at dataprivacynospam@bilfinger.com.

Your personal data will be deleted as soon as they are no longer necessary to achieve the purpose for which they were collected.

Exceptionally, we may store your personal data longer than shown in this section to the extent necessary to comply with a legal obligation or to assert, exercise or defend legal claims.

5.1 Newsletter

In connection with newsletters, your personal data that you actively provided when subscribing to the newsletter is regularly stored for as long as the newsletter subscription is active. Documentation regarding your consent to receive newsletters is usually stored for up to three years after the calendar year in which the consent was withdrawn.

5​.​​​​2 Analysis of usage behavior in social media

The data generated via the analysis is collected and stored by us exclusively in a non-personal manner.

We collect personal data either directly from you or may receive it from your employer/client, who provides it to us for the purpose of handling the business relationship with them (e.g. for contacting you).

In particular, these are the following categories of personal data:

• Identification data: such as your first and last name;
• Contact and administrative data: such asyour professional email address and professional telephone number; the company you work for, your position and activity in such company, your business relationship with us, the country in which you are located;
• Communication data such as the content of communications between you and us
• Payment data such as payment targets, bank details and other information required to process payments.

We process your personal data for the purposes listed in the table below.

If your personal data is not made available to us, we may not be able to (fully) carry out the business relationship with you or your employer or client.

3.1 We may share your personal data with service providers who process personal data on our behalf and based on our instructions as so-called processors in order to provide their services to us:

• Customer relationship management tool provider (in the EU)
• Provider for sending newsletters (in the EU)

3.2 We may share your personal information with the following third parties:

• Other Bilfinger group companies to the extent necessary for internal administrative purposes;
• Authorities, courts and consultants (e.g. lawyers, auditors), insofar as we are legally obliged to do so, or this is necessary to protect our rights
• Relevant third parties in the context of a corporate transaction, to the extent required for a transaction

The recipients of your personal data (see section 3) may be located in a country outside the United Arab Emirates. To the extent that the relevant country has not been recognized as a country where personal data are adequately protected, we will only transfer your personal data to such countries to the extent that another mechanism justifies the transfer (e.g. standard contractual clauses) or an exception under applicable data protection law applies (as required under applicable data protection law). Additional measures are taken / agreed upon to the extent necessary to ensure adequate protection for the personal data.

For more details about these transfers and the transfer mechanisms used with respect to them, please contact us at dataprivacynospam@bilfinger.com.

Your personal data is regularly deleted as soon as it is no longer required to achieve the purpose for which it was collected. The personal data is therefore usually deleted at the latest when the contractual relationship with you or your employer/client has ended, and the applicable limitation periods have expired.

The personal data of new leads that we have entered into our Customer Relationship Management tool will initially be checked within 28 days to determine whether it is still required for the purposes set out in section 2 above. If this check does not lead us to the conclusion that the personal data is required for this purpose, it will be deleted within four weeks of the expiry of these 28 days. This review will be repeated every three years thereafter and if we do not conclude within 28 days during this review that the personal data is still necessary, it will be deleted.

The personal data of contacts that we have entered into our customer relationship management tool are reviewed every ten years to determine whether they are still required for the purposes described in section 2 above. If we do not conclude within 28 days during this review that the personal data is still necessary, it will be deleted.

We retain e-mails for as long as they are needed for our operational purposes.

Insofar as personal data is processed on the basis of consent, we generally delete this data when the consent is withdrawn. The documentation relating to such consent is regularly stored for up to three years after the calendar year in which the consent was withdrawn.

Exceptionally, we may store your personal data for a longer period of time to the extent necessary to comply with a legal obligation or to establish, exercise or defend legal claims.