PERSONAL DATA PROCESSING AND PROTECTION POLICY

---

1. What does the personal data processing and protection policy entail?

• The purpose of this Policy is to explain to you what data we process, why we process it and what we do with it.
• Our company uses technical means to store data securely.
• Our company will only disclose personal data in pursuit of your interests and for fulfilling legal obligations.
• We take privacy seriously and never sell lists or email addresses. We make every effort to securely store and process your personal data. We do not provide personal data to third parties without your consent.
• We do not use your personal data to make automated decisions or in automated profiling processes.
• Sending a message through this website confirms that you have accepted the conditions set forth below. If you do not agree with them, please do not continue to access the website and/or send us a message.

---

2. Who we are and how to contact us

PROFESSIONAL INTEGRATION TEAM S.A. COMPANY

• Romania Headquarters: Timişoara, Republicii boulevard, no. 21, 1-st floor, Timiş county
• Headquarters in Germany: Lichtenbergstraße 8, D-85748 Garching bei München
• Email: info@pinteam.eu

External Data Privacy Officer

• Graf Consultings GmbH
• Karwendelstr. 7
• 86949 Windach
• E-Mail: datenschutz@gc-gmbh.com
• http://www.gc-gmbh.com

---

3. Explanations of the terms and phrases used in this Policy

• Personal data controller - The controller responsible for the processing of personal data within the meaning of the Regulation on the protection of personal data no. 679/2016 is the company Professional Integration Team S.A.
• Data subject within the meaning of the Regulation on the protection of personal data no. 679/2016 - identified or identifiable individual (who can be identified, directly or indirectly, in particular by reference to an identification element: name, identification number, location data, an online identifier, or to one or more specific elements, specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity). The data subject may be the person requesting a service provided by the Controller, as well as any other natural person whose personal data are transmitted to the Controller (for example, a client or potential client, a user of the Controller's website, etc.).
• Processing of personal data means any operation or set of operations performed on personal data or on sets of personal data, whether or not by automatic means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, examination, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
• Profiling means any form of automated processing of personal data consisting in the use of personal data to assess certain personal aspects relating to a person, in particular to analyse or foresee aspects concerning the performance at work, the economic situation, health, personal preferences, interests, reliability, behaviour, location or trips of that natural person.
• A personal data security breach or a security breach means a breach of security that causes, accidentally or unlawfully, the destruction, loss, alteration or unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
• In accordance with the provisions of the Regulation no. 679/2016 on the protection of individuals with regard to the processing of personal data, in the relationship between the company Professional Integration Team S.A. and you, you are a data subject and the company Professional Integration Team S.A. has the position of data controller.

---

4. Which personal data do we process?

We collect your personal data requested in the "Contact" section, respectively your e-mail address, which you provide to us when sending a message by using the "Contact" section.

We collect your personal data requested in the "Career" section. You provide your data when submitting an application while using the "Careers" / "Apply" button section. These data are sent to the BambooHR platform that are used just for recruiting purpose.

---

5. Why and how we process your personal data?

We process your email to transmit the data requested within the website, in order to be able to provide you with an answer to the message that you sent to us, for communication with you, for carrying out our legitimate activity.

---

We process the content of the messages written by you on https://pinteam.eu/ website, on our e-mail address and the data transmitted by you because this content is necessary in order to be able to respond personally to you and to provide you with solutions tailored to your specific situation. The collection of these personal data and the texts of the messages written by you on https://pinteam.eu/ website and on our e-mail address is the result of an action by which you choose to send us a message, and the processing of this data will be carried out in accordance with the provisions of art. 6, paragraph 1, letter f) of Regulation No 679/2016 on the processing of personal data, respectively for the legitimate interest of the undersigned, taking into consideration our object of activity.

---

6. What is the legal basis for the processing of your personal data?

The processing of your personal data transmitted by messages in the "Contact" section is represented by Art. 6, paragraph 1, letter f) of Regulation No 679/2016 on the processing of personal data, respectively for the legitimate interest of the undersigned, taking into consideration our object of activity.

---

The storage and archiving of the personal data transmitted by you is carried out by the undersigned pursuant to Art. 6, paragraph 1, letter f) of Regulation no. 679/2016 regarding the processing of personal data, respectively for the fulfilment of the legal obligations of the undersigned.

---

If, as a result of discussions with you, we conclude a contract, it will include an information note regarding the protection of personal data in which all the legal grounds on which your personal data will be processed gradually: service provision, storage, archiving, deletion, etc. will be made known to you.

Cooperation with processors and third parties

If we disclose data to other persons and companies (processors or third parties) as part of our processing, transfer it to them or otherwise grant them access to the data, this will only be done on the basis of legal permission (e.g. if the transfer of data to third parties, such as payment service providers, is necessary for the performance of a contract pursuant to Art. 6 para. 1 lit. b GDPR), you have given your consent, a legal obligation provides for this or on the basis of our legitimate interests (e.g. when using agents, web hosts, etc.). If we commission third parties with the processing of data on the basis of a so-called "orderprocessing contract", this is done on the basis of Art. 28 GDPR.

---

7. About the purposes for which we process personal data

We process your personal data for the purposes described in Section 5.

Our purposes for processing your personal data are:

• real;
• present;
• legitimate.

We inform you before processing your personal data for secondary purposes:

• if we initially collect your personal data for a primary purpose;
• if our secondary purpose is incompatible with the main purpose.

---

8. How long do we keep your personal data?

• We limit the storage time of your personal data at the time of reaching the purposes for which we request your personal data, as well as for the fulfilment of the legal obligations of the undersigned company.

We review the need to continue to retain your personal data, every year we analyse the collected and processed data, in order to filter, sort and maintain the processing only for the data for which the purpose of the processing is current.

• If, as a result of the message sent by you, we conclude a contract, it will include an information note regarding the protection of personal data in which all the legal grounds on which your personal data will be processed gradually: service provision, storage, archiving, deletion, etc. will be made known to you.

---

9. Do we disclose your personal data?

• Our company does not disclose your personal data, unless a contract is concluded and this is necessary for the implementation of the contract or there are certain legal obligations incumbent on the undersigned company that involve the disclosure of your personal data.
• We remind you that we guarantee the strict confidentiality of your personal data and the messages you send us, maintaining your privacy is an essential value for us.

---

10. Do we transfer your personal data outside the EU or EEA?

We do not transfer your personal data:
- in countries outside the EU or EEA;
- to international organisations outside the EU or EEA.

Transfers to third countries

If we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or if this occurs in the context of the use of third-party services or disclosure or transfer of data to third parties, this will only take place if it is done to fulfill our (pre)contractual obligations, on the basis of your consent, on the basis of a legal obligation or on the basis of our legitimate interests. Subject to legal or contractual permissions, we only process or have the data processed in a third country if the special requirements of Art. 44 et seq. GDPR are met. This means, for example, that the processing takes place on the basis of special guarantees, such as the officially recognized determination of a level of data protection corresponding to the EU or compliance with officially recognized special contractual obligations (so-called "standard contractual clauses").

---

11. Is your personal data safe?

Hosting

We keep your personal data safe:

• with appropriate technical measures;
• with appropriate organisational measures;
• with an adequate level of security;
• with measures against unauthorised processing;
• with measures against unlawful processing;
• with measures against accidental or illegal loss;
• with measures against accidental or unlawful destruction;

If we have a reasonable degree of certainty that there has been a breach of the security of the processing of your personal data, then:
- we report the security incident to the management of our company.
- immediately, a person responsible shall:
A. analyse whether the breach of security may have unfavourable effects for you;
B. inform the relevant staff of the undersigned company;
C. determine to what extent it is necessary to notify the Supervisory Authority about the security incident;
D. determine whether it is necessary to provide you with information about the security incident.
- we are investigating the security incident.
- we try to prevent the security incident from leading to:
A. accidental or unlawful destruction of personal data;
B. accidental or unlawful loss of control of personal data;
C. accidental or unlawful loss of access to personal data;
D. accidental or unlawful alteration of personal data;
E. unauthorized disclosure of personal data;
F. unauthorized access to personal data.
- we make every effort to mitigate the immediate risk of damage.
- we notify the Supervisory Authority about the security incident, if the violation is likely to lead to a high risk for your rights and freedoms.
- we inform you about the security breach:
A. if the breach is likely to result in a high risk to your rights and freedoms;
B. as soon as possible;
C. by appropriate contact channels, for example by e-mail, on our website, etc.
- we are not obliged to inform you directly if:
A. we have taken steps to make your personal data be incomprehensible to any person who is not authorized to access it;
B. as soon as possible;
C. immediately after the security incident, we have taken steps to ensure that the high risk to your rights and freedoms is no longer possible to occur;
D. it would involve disproportionate efforts from the part of the undersigned company.

---

12. What are your rights in relation to your personal data?

According to Regulation no. 679/2016 on the protection of personal data, as a data subject you benefit from a cumulation of rights, namely:

• The right to information and access to personal data: the right to obtain a confirmation as to whether or not personal data concerning you are being processed and, if so, access to that data.
• The right to rectification: the right to request the Controller and to obtain, without undue delay, the rectification of inaccurate personal data concerning you and/or to obtain the completion of personal data that are incomplete.
• The right to delete the data ("the right to be forgotten"): the right to obtain the deletion of personal data concerning you, without undue delay, in the cases specified in the Regulation no.679/2016.
• The right to restrict the processing: the right to obtain the restriction of the processing in certain cases.
• Right to data portability: the right to receive personal data concerning you and to transfer it to another controller.
• The right to object: the right to oppose at any time the processing of personal data concerning you, under the conditions of Regulation no. 679/2016.
• The right not to be the subject of a decision based solely on automatic processing, including the creation of profiles, which produces legal effects that concern you or similarly affect you to a significant extent.
• The right to address with a complaint to the National Supervisory Authority for the Processing of Personal Data (ANSPDCP) if you consider that your data have not been processed in accordance with the legal provisions.

The rights listed above are not absolute. There are exceptions, so each received request will be analysed so that we can decide whether it is well-founded or not. To the extent that the request is well-founded, we will make it easier for you to exercise your rights. If the request is unfounded or there is a legal reason, we will reject it, but we will inform you of the reasons for the refusal and of the rights to file a complaint with the Supervisory Authority and to address the competent courts of law.

---

13. How can you enforce your rights?

• We invite you to communicate with us about the exercise of your rights on the protection of your personal data.
• We only accept written requests, as we cannot deal with verbal requests immediately, without first analysing the content of the application and without first identifying you.
• Your request must contain a detailed and precise description of the right you wish to exercise.
• You must provide us with a copy of an identification document to confirm your identity, for example:
  - identity card
  - passport.
• Using the information in your identification document:
  - is limited to the activity of confirming your identity;
  - it will not generate a storage of your personal data more than necessary for this purpose or for the legitimate interest, to which you have consented by providing the document.
• If we make every effort and fail to identify you, and you do not provide us with additional information to help us identify you, we are not obliged to comply with your request.
• You can submit your request regarding the protection of your personal data to:
  - the e-mail address: info@pinteam.eu
  - directly at our headquarters.
• You will receive our response to your requests concerning the protection of your personal data on our web form directly to your contact addresses officially communicated to us: e-mail.
• We inform you that the undersigned company will respond to your requests by the same manner of communication in which you will send us the requests (post, e-mail, etc.), unless you indicate in the request a less expensive means of communication for the undersigned company.
• We have implemented policies that ensure that a request for the protection of your personal data is effective and settled within the terms specified by law.
• We will try to respond to your request within 1 month of the receipt of the request. However, the term can be extended under the law, by 2 months, depending on different aspects, such as the complexity of the request, the large number of applications received or the impossibility to identify you within a useful time. If we are unable to reply to you within the 1-month period, within this period we will inform you of the extension of the deadline for replying and of the reasons for the extension.
• However, if we consider that your applications are substantially unfounded, excessive in particular because of their repetitive nature, then:
  - Either we will refuse to comply with the request;
  - Either we will ask you to pay a fee taking into account the administrative costs for filtering the requested information or for communicating it, or for taking the requested measures.

---

For even more details you can examine all the following legal acts:

• Regulation (EU) 2016/679 on the protection of individuals with regard to the processing of personal data.
• Law no. 506/2004 concerning the processing of personal data and privacy in electronic communications.

---

14. Hosting

The hosting services we use serve to provide the following services: Infrastructure and platform services, computing capacity, storage space and database services, security services and technical maintenance services that we use for the purpose of operating this online offering. In doing so, we, or our hosting provider, process inventory data, contact data, content data, contract data, usage data, meta and communication data of customers, interested parties and visitors to this online offer on the basis of our legitimate interests in an efficient and secure provision of this online offer in accordance with Art. 6 para. 1 lit. f GDPR in conjunction with. Art. 28 GDPR (conclusion of order processing contract).

---

15. Collection of access data and log files

We, or our hosting provider, collect on the basis of our legitimate interests within the meaning of Art. 6 para. 1 lit. f. GDPR. GDPR, we collect data about every access to the server on which this service is located (so-called server log files). The access data includes the name of the website accessed, file, date and time of access, amount of data transferred, notification of successful access, browser type and version, the user's operating system, referrer URL (the previously visited page), IP address and the requesting provider.

Log file information is stored for security reasons (e.g. to investigate misuse or fraud) for a maximum of 7 days and then deleted. Data whose further storage is required for evidentiary purposes is excluded from deletion until the respective incident has been finally clarified.

---

16. Links to other websites

This data protection declaration applies exclusively to our own website. The Internet pages on this website may contain links (references) to the Internet pages of third parties. Our data protection declaration does not extend to these websites. When you leave our website, we recommend that you carefully read the privacy policy of every website that collects personal data.

---

17. Google Analytics

On the basis of our legitimate interests (i.e. interest in the analysis, optimization and economic operation of our online offer within the meaning of Art. 6 para. 1 lit. f. GDPR), we use Google Analytics, a web analysis service provided by Google LLC ("Google"). GDPR) Google Analytics, a web analysis service of Google LLC ("Google"). Google uses cookies. The information generated by the cookie about the use of the online offer by the user is usually transmitted to a Google server in the USA and stored there. Google is certified under the Privacy Shield Agreement and thus offers a guarantee of compliance with European data protection law.

Google will use this information on our behalf to evaluate the use of our online offer by users, to compile reports on the activities within this online offer and to provide us with further services associated with the use of this online offer and the use of the Internet. Pseudonymous user profiles can be created from the processed data.

We only use Google Analytics with activated IP anonymization. This means that the IP address of users is truncated by Google within member states of the European Union or in other states party to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and truncated there.

The IP address transmitted by the user's browser will not be merged with other Google data. Users can prevent the storage of cookies by setting their browser software accordingly; users can also prevent Google from collecting the data generated by the cookie and relating to their use of the online offer and from processing this data by Google by downloading and installing the browser plug-in available under the following link.

You can find further information on data use by Google, setting and objection options on the Google websites: ("Data use by Google when you use our partners' websites or apps"), ("Data use for advertising purposes"), ("Manage information that Google uses to show you advertising).

---

18. Google-Re/Marketing-Services

On the basis of our legitimate interests (i.e. interest in the analysis, optimization and economic operation of our online offer within the meaning of Art. 6 para. 1 lit. f. GDPR), we use the marketing and remarketing services ("Google Marketing Services") of Google LLC. GDPR) the marketing and remarketing services ("Google Marketing Services" for short) of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, ("Google").

Google is certified under the Privacy Shield Agreement and thus offers a guarantee of compliance with European data protection law.

Google marketing services allow us to display advertisements for and on our website in a more targeted manner in order to present users only with advertisements that potentially match their interests. If, for example, a user is shown ads for products that they have shown an interest in on other websites, this is referred to as "remarketing". For these purposes, when our and other websites on which Google marketing services are active are accessed, a code from Google is executed directly by Google and so-called (re)marketing tags (invisible graphics or code, also known as "web beacons") are integrated into the website. With their help, an individual cookie, i.e. a small file, is stored on the user's device (comparable technologies can also be used instead of cookies). The cookies can be set by various domains, including google.com, doubleclick.net, invitemedia.com, admeld.com, googlesyndication.com or googleadservices.com. This file records which websites the user has visited, what content they are interested in and which offers they have clicked on, as well as technical information on the browser and operating system, referring websites, time of visit and other information on the use of the online offer. The IP address of the user is also recorded, whereby we inform you in the context of Google Analytics that the IP address is shortened within member states of the European Union or in other contracting states of the Agreement on the European Economic Area and only in exceptional cases is it transmitted in full to a Google server in the USA and shortened there. The IP address is not merged with the user's data within other Google offers. Google may also combine the aforementioned information with such information from other sources. If the user subsequently visits other websites, they can be shown ads tailored to their interests.

User data is processed pseudonymously as part of Google marketing services. This means that Google does not store and process the user's name or email address, for example, but processes the relevant data in relation to cookies within pseudonymous user profiles. This means that, from Google's perspective, the ads are not managed and displayed for a specifically identified person, but for the cookie owner, regardless of who this cookie owner is. This does not apply if a user has expressly allowed Google to process the data without this pseudonymization. The information collected by Google marketing services about users is transmitted to Google and stored on Google's servers in the USA.

The Google marketing services we use include the online advertising program "Google AdWords". In the case of Google AdWords, each AdWords customer receives a different "conversion cookie". Cookies can therefore not be tracked via the websites of AdWords customers. The information collected with the help of the cookie is used to create conversion statistics for AdWords customers who have opted for conversion tracking. AdWords customers find out the total number of users who clicked on their ad and were redirected to a page with a conversion tracking tag. However, they do not receive any information that can be used to personally identify users.

We can integrate third-party advertisements on the basis of the Google marketing service "AdSense". AdSense uses cookies to enable Google and its partner websites to serve ads based on users' visits to this website or other websites on the Internet. We may also use the "Google Tag Manager" to integrate and manage Google analysis and marketing services on our website. Further information on the use of data for marketing purposes by Google can be found on the overview page, Google's privacy policy is available here. If you wish to object to interest-based advertising by Google marketing services, you can use the setting and opt-out options provided by Google.

---

19. Google Maps

We use the product Google Maps from Google Inc. By using this website, you consent to the collection, processing and use of the automatically collected data by Google Inc, its representatives and third parties. You can find the terms of use of Google Maps here.

---

20. Google Fonts

We integrate the fonts ("Google Fonts") of the provider Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Privacy policy: here, Opt-Out: here.