Privacy Policy for Photographic, Film and Sound Recordings

The purpose of this Privacy Policy is to inform all persons of whom Heraeus processes photographic, film and/or sound recordings (hereinafter collectively referred to as "Recordings") for use in training courses, internal communication, media work and public relations or other marketing activities (these persons are hereinafter referred to as "Data Subjects") pursuant to Articles 13, 14 and 21 of the General Data Protection Regulation (GDPR), how Heraeus uses their data and what rights they have regarding these data.

This Privacy Policy does not apply to video surveillance at the Heraeus sites or to photographs which are processed in the performance of an employment relationship.

1 Who is responsible for the processing of data and who is the Data Subjects' point of contact at Heraeus?

The legal entity responsible for the processing of data within the meaning of data protection law is the Heraeus company for which the Recordings are processed (hereinafter referred to as "Heraeus"). Any inquiries or requests for information under data protection law must be directly addressed to the responsible legal entity. Inquiries or requests for information related to the European data protection law may also be directed to the Heraeus Data Protection Officer.

The Heraeus Data Protection Officer may be contacted at datenschutzbeauftragter@heraeus.com or

Data Protection Officer

c/o Heraeus Holding GmbH

Heraeusstraße 12-14

63450 Hanau

Germany

2 What sources are used and what data are processed by Heraeus?

Heraeus processes the following data, which are always collected from the Data Subjects directly:

(1) The Recordings made of the Data Subjects. The processing also includes the creation and publication of digital Recordings. Details regarding the nature and scope of the data processing are set forth in the respective Consent Agreement for the Grant of Rights to Photographic, Film and Sound Recordings between Heraeus and the Data Subjects.

(2) Proof of the Data Subjects' consent to the creation and, if applicable, publication of Recordings. In connection with this consent, the names and the business or private contact data of the Data Subjects are processed.

(3) The Data Subjects' names, their employer and their position in the company may be processed in connection with the Recordings which are made, and possibly published, if this is required for the purpose of the Recordings or if the Data Subjects have given their consent.

The term "processing" as used herein covers the creation, storage, adaptation or modification, use, disclosure by transmission, dissemination or otherwise making available of the Recordings as well as the storage of the personal data collected in connection with the Recordings.

3 Where does Heraeus store the Data Subjects' data?

The data referred to in Section 2 will be stored by Heraeus on protected media with a restrictive release authorization level.

4 For what purpose are the data processed?

Heraeus processes personal data in accordance with the provisions of the General Data Protection Regulation (GDPR) and other applicable laws.

The data referred to in Section 2 will be processed in accordance with the aforementioned Agreement between Heraeus and the Data Subjects for internal purposes such as training courses or internal communication, for external purposes such as media work and public relations, advertising, product information and sales materials, and for other purposes of Heraeus or other companies of the Heraeus Group. If so agreed, the processing of data for the purpose of joint marketing activities may also be carried out by third parties. All further details thereon are set forth in the respective Consent Agreement for the Grant of Rights to Photographic, Film and Sound Recordings between Heraeus and the Data Subjects.

When publishing any Recordings, Heraeus will ensure that the personal rights and the privacy of the Data Subjects are appropriately respected.

Selected Recordings may be permanently stored based on legitimate interest in the company's own historical archive for the purpose of historical documentation and history communication.

Any other use of the data is expressly subject to the consent of the Data Subjects (see Section 5.2).

5 On what legal basis are the data processed?

5.1 For the safeguarding of legitimate interests pursuant to Art. 6 (1) f) GDPR

Heraeus has a legitimate interest in implementing effective marketing measures and in creating a historical archive.

This includes that employees, customers, partners, the general public and other relevant interest groups can be informed through all media currently known about events in which Heraeus or companies of the Heraeus Group are involved.

If any Recordings are made on the foregoing legal basis, Heraeus will advise the Data Subjects thereof in due course.

5.2 Based on consent given pursuant to Art. 6 (1) a) GDPR

The consent of the Data Subjects will always be obtained when the Recordings are focused on individual Data Subjects or on small groups of Data Subjects. The consent may be obtained in writing or inferred from any conduct of the Data Subjects implying intent.

The Data Subjects may revoke their consent to the processing of data at any time with effect for the future. The consent to publication may only be revoked for good cause.

6 To whom are the data disclosed?

Within the scope of the purpose set out in Section 4, the data may be passed on to:

(1) companies of the Heraeus Group

(2) the press, radio, television

(3) third parties with whom Heraeus wishes to conduct, or is already conducting, joint marketing activities (solely on the basis of consent)

(4) Social media

7 How long will the data be stored?

Heraeus generally deletes the Recordings and the Data Subjects' data stored in connection therewith when they are no longer needed for the purpose for which they were created. As an exception, Heraeus will store the Recordings and the related data of the Data Subjects for a longer period of time if there is a separate legal basis for this.

The Data Subjects' consent documents stored by Heraeus will also be deleted at the latest 1 year after the deletion of the Recordings and the related data of the Data Subjects, always provided that the consent documents are no longer required for the defense of any legal claims.

8 Are data transferred to third countries?

With regard to third countries, the data will be transferred only to the recipients specified in Section 6.

9 What data protection rights do Data Subjects have?

With respect to the processing of their data by Heraeus, the Data Subjects have the following rights according to the following Articles of the GDPR:

(1) the right of information and access pursuant to Article 15 GDPR

(2) the right to rectification pursuant to Article 16 GDPR

(3) the right to erasure (i.e. "the right to be forgotten") pursuant to Article 17 GDPR

(4) the right to restriction of processing pursuant to Article 18 GDPR

(5) the right to data portability pursuant to Article 20 GDPR

(6) the right of objection pursuant to Article 21 GDPR (see Section 10 for further details).

Without prejudice to any other administrative or judicial remedy, Data Subjects have the right to file a complaint with a supervisory authority, in particular in the Member State in which they have their residence, their place of work, or the place of the suspected violation, if they feel that the processing of their personal data constitutes a violation of the GDPR.

10 Information on the right of objection pursuant to Art. 21 GDPR

Data Subjects have the right to object to the processing of their personal data at any time for reasons arising from their particular situation, if their data are processed on the basis of the provisions in Article 6 (1) e) and f) GDPR (data processing for the safeguarding of interests).

Based on a Data Subject's objection, Heraeus will stop processing such Data Subject's personal data unless Heraeus can prove that the processing of the data is necessary for compelling legitimate reasons which outweigh the Data Subject's interests, rights and freedoms, or if the processing of the Data Subject's data serves the assertion, exercise or defense of legal claims of Heraeus.

The objection may be informal and should be addressed to: widerspruch@heraeus.com

Data Subjects should state as precisely as possible to which specific data processing operation they wish to object.

11 Are Data Subjects obligated to make personal data available to Heraeus?

Employees of Heraeus are not obligated to participate in any Recordings for the purposes set forth above, and the provision of personal data is also not mandatory.

The right of Heraeus to monitor the Heraeus sites by video surveillance or to take photographs of employees for their Heraeus ID card remains unaffected.

12 Amendments to this Privacy Policy

Heraeus reserves the right to modify and update this Privacy Policy to reflect new legal requirements or changes in data processing.

Last updated: 06/30/2020