Data Privacy Statement for Business Partners, Suppliers and other Third Parties

Throughout this privacy statement, "GRÜNENTHAL," "we," "us," and "our(s)" means GRÜNENTHAL GmbH, GRÜNENTHAL Pharma GmbH & Co KG or the respective legal entity with which you may have a relationship.

We would like to give you an overview of the processing of your personal data by us, as well as inform you about your rights under the General Data Protection Regulation (Regulation (EU) 2016/679 - "GDPR") and the German Federal Data Protection Act (“Bundesdatenschutzgesetz” - "BDSG").

This privacy statement is relevant with regard to all personal data of data subjects with whom we enter into contractual-, business- or other relationships, as well as of governing bodies, managing directors, key account managers or other employees of our contractual or business partners, which we process in the context of existing or emerging contractual-, business- or other relationships. This includes, among others, existing or potential suppliers, service providers, customers or consultants, as well as existing or potential cooperation partners or other partner companies.

What data do we process and where does it come from?

The subject of the processing is your personal data that you yourself provide to us in the context of contractual and business relationships or that we receive from the respective contractual and business partners or that we have obtained otherwise. In some cases, we process personal data that we collect from publicly accessible sources such as trade registers, the press or the internet. Furthermore, in certain cases we receive information from third parties, e.g. credit agencies or business partners.

The types of personal data concerned are primarily: surname, first name, address, bank details, billing address, tax number/VAT ID and other contact or master data, such as telephone number or e-mail address. However, the specific types of personal data processed by us will depend on the characteristics of your relationship with us. This data regularly relates solely to the business context, i.e. we only process private contact data in exceptional cases, for example if this is necessary to fulfill the contract with you.

The scope of the data processed about a person also varies depending on the function in which the person appears to us, such as the position he or she holds with the respective (business) partner and the subject of the (business) relationship.

What are the purposes and legal bases for the processing?

We process the (your) personal data for the following purposes and on the basis of the following legal grounds:

• Data processing is primarily carried out for the execution of contracts concluded with you or your employer with whom we have a business relationship, or for the execution of pre-contractual measures (Art. 6 (1) b GDPR). This relates, for example, to purchase and supply contracts and the processing of purchase and sales inquiries, authentication of contractual partners, processing and review of corresponding offers and inquiries, preparation and signing of contractual documents, execution of purchases and sales, invoicing and processing of purchase price payments, sending of information letters, service and work contracts as well as other contractual relationships.
• In addition, we process your data on the basis of legal requirements pursuant to Art. 6 (1) c GDPR, as well as to protect our legitimate interests pursuant to Art. 6 (1) f GDPR. This is done in particular for the fulfillment of tax and other legal control and reporting obligations, as well as audits by tax or other authorities and to comply with legal retention periods. It also serves for optimal maintenance of contact support and customer relations, also with regard to the employees of our business partners, and to optimize our business processes, such as by maintaining a supplier or prospect database and centralizing or outsourcing corporate functions. Furthermore, this serves to mitigate default risks in our business processes by consulting credit agencies (e.g. Creditreform, Bürgel) and determining score values that help us assess the likelihood of contractual partners meeting their payment obligations in accordance with the contract on the basis of a recognized mathematical-statistical procedure. In this context, we may also receive information about the directors and shareholders of your company (e.g., names of directors and shareholders, nationality, triggers for potential conflicts of interest, etc.). This information is needed to identify potential reputational and financial risks to which we may be exposed as a result of the business relationship and to comply with applicable anti-corruption, anti-money laundering and similar laws.
• We may process your data for the assertion and defense of legal claims. This is the case, for example, if we conduct a judicial or extrajudicial dispute with you, for example, about the existence or non-existence of payment obligations. This also applies in particular in the case of claims asserted against us due to possible product defects. In this context, special types of personal data, e.g. concerning your state of health, may also be processed if this is necessary in an individual case, for example, in the event of claims for damages due to alleged damage to health caused by one of our products. In the context of legal disputes, we may transfer your data to our external legal advisors or experts. The legal basis for this processing is Art. 6 (1) f GDPR in conjunction with Art. 9 (2) f GDPR.
• Insofar as you work with IT systems or hardware from GRÜNENTHAL in the course of your activities, personal data will be processed for the purposes of IT administration and security. This concerns, for example, login credentials, access logs and the like and serves to protect our systems from misuse and attacks by third parties. For more information, please refer to the specific terms of use for the respective system. The legal basis for the processing in this respect is Art. 6 (1) b GDPR, or Art. 6 (1) f GDPR.
• If you use online meeting tools to interact with us, we might collect additional kinds of data. Please refer to the privacy statement on our website at gruntenthal.com for further details.
• In individual cases, we process data because you have expressly consented to this (Art. 6 (1) a GDPR), for example in the receipt of advertising by electronic mail and/or telephone. You will receive specific information on this in the context of granting your consent.

To whom do we transfer your personal data?

Under certain circumstances (beyond the cases already mentioned above), your personal data might be passed on to third parties for the purposes mentioned above:

• Personal data is transferred to other companies in our group of companies. Exchanges between different companies of the GRÜNENTHAL Group, including outside the European Union (“EU”), are based on EU standard data protection clauses and additional technical or organizational safeguards, if necessary.
• Service providers, in particular data processors, receive personal data of our business partners or third parties we interact with that is required for the fulfillment of the respective service.
• Information necessary for the processing of existing contracts is transferred to customers and suppliers.
• Due to legal obligations to report and provide information, certain personal data is communicated to the competent authorities.
• If it is necessary for the clarification or prosecution of illegal or abusive incidents or for the establishment, exercise or defense of legal claims, personal data is forwarded to our legal advisors, the law enforcement authorities and, if necessary, to injured third parties.
• In the event of reorganizations or business restructurings, including financial restructurings, insolvency, M&A transactions, mergers, acquisitions, spin-offs, joint-ventures, assignments, sale or divestment of companies or parts thereof, any other sale or divestment of business or parts thereof, other business development activities such as in-licensing and out-licensing, personal data may be provided to the buyer, acquiring company, seller, merged companies, licensor, licensee, law firms and other consulting firms, liquidators, banks and other financial institutions, rating agencies and similar organizations. We will always carefully consider the need for such transfers and take steps (e.g., anonymization, pseudonymization or aggregation techniques) to reduce the amount of personal data to what is strictly necessary in such cases.
• If you have designated recipients (e.g., emergency contacts), personal information will be provided to them when certain circumstances arise.

In cooperation with service providers and other organizations, legal instruments are used to ensure that your personal data is processed lawfully and stored only as long as necessary. These are, for example, order processing agreements according to Art. 28 GDPR or agreements between joint controllers according to Art. 26 GDPR.

As a rule, the servers on which your personal data is stored by us or one of our service providers are located on the territory of the EU. In the course of some processing activities, your personal data may be stored outside the EU or personal data may be accessed by persons performing their activities in countries outside the EU (e.g., helpdesk hotline staff). These countries might provide a lower level of data protection. If there is no adequacy decision according to Art. 45 GDPR for these countries, legal instruments are used that also ensure the confidentiality, integrity and availability of the (your) personal data. This includes in particular the signing of the so-called EU standard data protection clauses according to Art. 46 (2) c GDPR.

How long do we store your data?

We will retain and process your personal data for as long as we can claim a legitimate interest, we have valid consent from you, or there is a legal obligation for a certain period of time, which is determined or specified by applicable law and our company's IT security and data protection policies.

What rights do you have?

You have the following rights under applicable data protection laws:

• Right to data portability if the legal requirements are met
• Right to complain to a supervisory authority
• Right to information about your personal data stored by us
• The right to erasure or restriction of processing, unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or in the event that the processing serves the purpose of asserting, exercising or defending legal claims
• The right to have your personal data corrected
• The right to object to processing which serves our legitimate interest, a public interest or profiling, unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or in the event that the processing serves the purpose of asserting, exercising or defending legal claims
• The right to withdraw your consent for the processing of your personal data at any time with effect for the future

If you wish to exercise your rights, please send your request to dataprivacy.de@grunenthal.com.