1.1 Categories of personal data We process the following categories of personal data: Inventory data (e.g., names, addresses, functions, organizational affiliation, etc.); contact data (e.g., email, telephone/fax numbers, etc.); content data (e.g., text entries, image files, videos, etc.); usage data (e.g., access data); meta/communication data (e.g., IP addresses).

1.2 Recipients or categories of recipients of personal data If, in the course of our processing, we disclose data to other persons and companies such as web hosts, processors or third parties, transfer it to them or otherwise grant them access to the data, this is done on the basis of a legal permission (e.g. if the transfer of data to third parties is necessary for the performance of a contract pursuant to Art. 6 (1) subparagraph 1 lit. 1 lit. b GDPR for the performance of a contract), if the data subjects have given their consent, or if a legal obligation provides for this.

1.3 Duration of storage of personal data The criterion for the duration of storage of personal data is the respective statutory retention period. After expiry of this period, the corresponding data will be deleted unless it is no longer required for the purpose of achieving the purpose, fulfilling the contract or initiating a contract.

1.4 Transfers to third countries If we process data in a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)) or if this occurs in the context of using third-party services or the disclosure or transfer of data to third parties, this will only be done if it is necessary to fulfill our (pre-)contractual obligations, on the basis of your consent, due to a legal obligation, or on the basis of our legitimate interests. Subject to legal or contractual permissions, we only process or allow the data to be processed in a third country if the special requirements of Art. 44 ff. GDPR, i.e., processing is based on special guarantees, such as the officially recognized determination of a level of data protection equivalent to that of the EU or compliance with officially recognized special contractual obligations (so-called “standard contractual clauses”).

2. Responsible body We are responsible for the processing of personal data in connection with the personal information used on the website, including cookies and tracking procedures.

2.1 Name/company of the responsible body: PENTARC Rechtsanwälte PartG mbB

2.2 Owners [board members, managing directors, management, owners, partners]: Dr. Christian Lederer, Dr. Thomas Pattloch, Dr. Dieter Kamlah, Dr. Anja Lunze, Dr. Jan-Phillip Rektorschek

2.3 Data protection officer and contact: Dr. Thomas Pattloch, Kontakt: datenschutzbeauftragter@pentarc-legal.com

2.4 Address and contact details of the responsible body:  PENTARC Rechtsanwälte PartG mbB, Schmellerstr. 4, 80337 München, DE datenschutzbeauftragter@pentarc-legal.com

3. Collection, processing, and use of your data when visiting the website For technical reasons, the web server of the law firm's website collects the data that your Internet service provider and the browser you use automatically transmit via http headers when you visit the website. This data regularly includes: - the name of your Internet service provider, - the IP address assigned to you, - the address of the Internet page from which you are visiting the website, - the subpages of the website you have visited, and - the date and duration of your visit to the website. This information is not linked to other information that could identify you personally.

Log data Each time a data subject accesses our website, general data and information is stored in our system's log files: - Date and time of access (time stamp); - Request details and destination address (protocol version, HTTP method, referrer, UserAgent string); - Name of the file accessed and amount of data transferred (requested URL including query string, size in bytes); - Notification of whether the access was successful (HTTP status code).

When using this general data and information, we do not draw any conclusions about the data subject. There is no personal evaluation or evaluation of the data for marketing purposes or profiling. The IP address is not stored in this context. The legal basis for the temporary storage of the data is Art. 6 (1) (1) (f) GDPR. The collection of data for the provision of the website and the storage of data in log files is essential for the secure operation of our website.

Malware detection and log data analysis We collect log data generated during the operation of our law firm's communication technology and analyze it automatically to the extent necessary to detect, limit, or eliminate malfunctions or errors in communication technology, to defend against attacks on our information technology, or to detect and defend against malware. The legal basis for the temporary storage and evaluation of the data is Art. 6 (1) (1) (f) GDPR. The storage and evaluation of the data is absolutely necessary for the provision of the website and for its secure operation.

Hosting The hosting services we use serve to provide the following services: infrastructure and platform services, computing capacity, storage space and database services, security services, and technical maintenance services, which we use for the purpose of operating our website. In doing so, we or our processors process inventory data, contact data, content data, contract data, usage data, and meta and communication data of users of our website on the basis of our legitimate interests in the efficient and secure provision of this online offering in accordance with Art. 6 para. 1 subpara.

4. Collection, processing, and use of your data when contacting us to establish a mandate (1) The law firm offers you the opportunity to contact us by email or via the contact form on this website. You can contact us by providing your name and email address. Please note that your personal data and the information relating to the matter that we are to process and review as lawyers can, for technical reasons, theoretically be read by our provider. However, it is also sufficient if you provide a brief subject line and discuss further details of the matter with us by telephone, in a personal or video appointment, or send them directly by email or web file after checking for any conflicts of interest and establishing the client relationship. (2) The law firm will initially save your contact request as a client inquiry and will first contact you to check for any conflicts of interest. If you subsequently instruct the law firm to represent your interests, we will store and process your contact request and the personal data collected for the purpose of handling the mandate, including that of other parties involved in the proceedings, electronically. (3) When contacting us electronically for the first time, please indicate if you do not wish us to contact you electronically in the client relationship. (4) If no client relationship is established, we will store the data that we are required to retain as evidence of the conflict of interest check and the non-establishment of a client relationship

5. Disclosure of your personal data to third parties (1) The law firm will only disclose your personal data to third parties for the purposes of handling the client relationship. Otherwise, data will only be disclosed to third parties if you have given your express consent separately in advance or if there is a legal obligation to disclose the data. If you have given your consent, you can revoke it at any time with future effect by simply notifying us in writing.

(2) Your data will be processed by third parties on our behalf. We engage our provider and our system consultant as service providers for the technical processing of our electronic communication and the provision of this website. We will inform you about the possible involvement of third-party service providers in the context of mandate processing when the mandate relationship is established or when the third party is involved and will request your consent if required under § 2 BORA.

(3) In addition, we may be obliged to disclose personal data in individual cases upon the order of a competent authority if and to the extent that this is necessary for the purposes of criminal prosecution, for the prevention of danger by the police authorities of the federal states, for the fulfillment of the statutory tasks of the constitutional authorities of the federal and state governments, the Federal Intelligence Service and/or the Military Counter-Intelligence Service and/or the Federal Criminal Police Office within the scope of its task of averting the dangers of international terrorism and/or enforcing intellectual property rights (Art. 6 (1) lit. c GDPR in conjunction with the respective special legal regulation).

6. Cookies (1) When you visit our website for the first time from one of your devices, the law firm will inform you that so-called cookies may be downloaded to your computer when you use the website. We ask for your consent to the use of cookies via a cookie consent banner.

(2) Cookies and flash cookies are alphanumeric identifiers that are transmitted to your computer's hard drive when you visit our website. They enable your browser to be recognized when you visit the website again and serve primarily to make your online visit more pleasant and personalized. Cookies enable us to recognize you as a specific user and to store your preferences when using the website. The main advantage for you is that you do not have to re-enter the information contained in the cookies each time you visit the website.

Cookie Policy This policy applies to the use of cookies in combination with pixels, local storage objects, similar devices, and technologies (collectively, “cookies”) that we or our authorized service providers may use in connection with your interaction with our website(s), applications, and communications (website) to enable the effective and efficient operation of our website. This policy explains how we use cookies and pixel tags, when your consent is required, how they are used on the website, and informs you about how you can exercise your rights in relation to cookies.

There are different types of cookies: - Session cookies - these cookies only remain on our website for the duration of your session and expire when you close your browser. - Persistent cookies - these cookies remain on a visitor's device for the period specified in the cookie. They are activated each time the visitor visits our website that created that particular cookie. - Cookies set by our website are referred to as “PENTARC cookies,” while cookies set by a website other than the one you are visiting are referred to as “third-party cookies.” - Web beacons (also known as “pixel tags” or GIFs) are small image file elements placed on web pages and in web-based messages, such as newsletters, and work with cookies to recognize visitors and determine how they interact with this content. These tools help us better understand what content is of interest to our visitors and newsletter subscribers. An SDK is a data code contained in mobile applications that works in a similar way.

Cookies are also typically used in combination with other identifiers, such as your device's IP address. IP addresses may be automatically recorded in our server log files when our website, applications, or online content is accessed and may be associated with cookies unless separate IP anonymization features are enabled. Our website contains essential and non-essential cookies. Essential cookies are necessary for our website to function. We do not need your consent to use essential cookies on the website. For non-essential cookies, we need your consent. You have the right to decide whether you want to accept or reject non-essential cookies, but rejecting them may affect the display of the website and its content. You can exercise your cookie preferences when you first visit our website, where you will see a notice regarding our use of technologies such as cookies, which gives you the opportunity to learn more and choose which cookie technologies you want to allow to access your device before you confirm and continue. You can also change these settings at a later date by accessing your cookie settings. (3) You can completely disable the use of cookies in your browser settings. The help function in the menu bar of most web browsers explains how to set up your browser so that new cookies are never accepted. Similar functions such as Flash cookies, which are used by browser add-ons, can be disabled or deleted by changing the settings of the browser add-on or via the website of the browser add-on manufacturer.

(4) Session cookies also require your prior consent, even if they are deleted after you leave the website. These enable you to use some essential functions of our website, so we recommend that you set your browser so that cookies are not automatically rejected, but that you can decide on a case-by-case basis. The law firm points out that some areas of the website may not function properly if your browser is set to refuse cookies or similar mechanisms or if you do not agree to the cookie consent.

7. Use of “X” for cookie consent (1) This website uses the web analysis service “X” if you allow this via the cookie content. (2) “X” creates detailed statistics about visits to our website. This includes information about the search engines used, the search terms used, the languages used, the origin of visitors by country, the browsers used and their plug-ins, the length of stay, entry pages, exit pages, abandonment rates, IP addresses, etc. (3) “X” is a web analysis solution that does not store or pass on your data to third parties. The law firm also uses a plug-in that anonymizes your IP address.

8. Data use in connection with social networks (1) On this website, you will find references to so-called “social networks.” We have set up these social links in such a way that they are only activated when you click on a button that is upstream of the original plug-in of the service. This is to inform active users there about our services and, if interested, to communicate via the platforms. Our social media channels can only be accessed via an external link. As soon as you access our social media profile in the respective network, the terms and conditions and data processing guidelines of the respective operators apply. We have no influence on the collection of data and its further use by social networks. There is no information about the extent to which, where and for how long the data is stored, to what extent the networks comply with existing deletion obligations, what evaluations and links are made with the data, and to whom the data is passed on. We therefore expressly point out that your data (e.g., personal information, IP address) is stored by the operators of the networks in accordance with their data usage guidelines and used for business purposes. We process data with regard to social media presences to the extent that, for example, comments or direct messages are sent to us via these channels. The legal basis for processing the data after the user has given their consent is Art. 6 (1) (1) (a) GDPR. By using the possibilities offered by social networks, we offer you modern communication options, but this does not imply any recommendation on our part. We cannot influence or check the use of your data by the providers of social networks. (2) If you activate such a social plug-in on our website, a direct connection to the technical systems of the respective provider is established via your browser, so that the content displayed in the social plug-in is transmitted directly from the respective provider to your browser and integrated into the website. In addition, the social plug-in transmits information to the respective provider that the corresponding page of our website has been accessed via your browser. If you actively use the social plug-in via the comment or recommendation buttons offered, this will also be transmitted to the respective provider via the social plug-in and stored there.

9. Data processing when subscribing to our newsletter When you subscribe to our newsletter, we store your email address and the newsletter you have selected on a server.

In addition, the following data is collected by the system during registration: - IP address of the accessing computer; - Date and time of registration.

Your consent is obtained during the registration process for the processing of the data and reference is made to this privacy policy. The data is processed on the basis of your consent in accordance with Art. 6 (1) (a) GDPR and within the scope of legitimate interest in accordance with Art. 6 (1) (f) GDPR.

We use this data exclusively for sending the newsletter. We do not pass on your data to third parties and do not use it for any other purposes of our own. When you register, your data is stored on our servers. A message with a link to confirm your registration is then generated and sent to the email address you provided (known as the double opt-in procedure). If you do not confirm your registration via the link in this email, the data will be deleted after 24 hours. Only by confirming the link in the email will your data be stored for the purpose of sending the newsletter for the duration of your use of our service. This ensures that the newsletter was requested by you and not by a third party.

If you no longer agree to the storage of your data for this purpose and therefore no longer wish to use our service, you can unsubscribe from our newsletter at any time. For this purpose, there is a corresponding link in every newsletter. The personal data you provided to subscribe to the newsletter will then be deleted.

10. Data security We protect personal data using appropriate technical and organizational measures to ensure an adequate level of protection and to safeguard the personal rights of the individuals concerned. The measures taken serve, among other things, to prevent unauthorized access to the technical equipment we use and to protect personal data from unauthorized access by third parties. In particular, this website uses SSL or TLS encryption for security reasons and to protect the transmission of confidential content, such as your contact requests that you send to us as the site operator. You can recognize an encrypted connection by the fact that the address line of the browser changes from “http://” to “https://” and by the lock symbol in your browser line. If SSL or TLS encryption is activated, the data you transmit to us cannot be read by third parties. Nevertheless, we would like to point out that data transmission over the Internet (e.g., when communicating by email) may be subject to security vulnerabilities. It is therefore not possible to completely protect data from access by third parties.

11. Duration of storage The law firm will not store your data for longer than is necessary for the purposes specified in this privacy policy, unless you have consented to storage beyond the end of archiving obligations and other legitimate interests for processing. We generally store your personal data, which we process within the scope of our mandate, for 10 years after the end of the calendar year in which the mandate ended in order to fulfill our professional, tax, and commercial law retention obligations. We delete this data by default at the latest at the end of the year in which the retention period ends (Art. 6 (1) lit. c GDPR, Art. 6 (1) lit. f GDPR), unless you have expressly objected to the deletion or consented to us retaining the data.

12. Your rights As a data subject, you have the following rights: Als betroffene natürliche Person haben Sie folgende Rechte: - Pursuant to Art. 15 GDPR, the right to request information about your personal data processed by us to the extent specified therein. - Pursuant to Art. 16 GDPR, the right to request the immediate correction of inaccurate or incomplete personal data stored by us. - Pursuant to Art. 17 GDPR, the right to request the deletion of your personal data stored by us, unless further processing is necessary. - Pursuant to Art. 18 GDPR, the right to request the restriction of the processing of your personal data, unless - you dispute the accuracy of the data;

- the processing is unlawful, but you refuse to have it deleted;

- we no longer need the data, but you need it to assert, exercise, or defend

- legal claims, or - you have objected to the processing pursuant to Art. 21 GDPR.

- Pursuant to Art. 20 GDPR, the right to receive your personal data that you have provided to us in a structured, commonly used, and machine-readable format or to request its transfer to another controller.

- Pursuant to Art. 7(3) GDPR, the right to withdraw your declaration of consent under data protection law at any time. Withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

- If personal data is transferred to a third country or to an international organization, you have the right to be informed about the appropriate safeguards pursuant to Article 46 GDPR in connection with the transfer.

- Pursuant to Art. 77 GDPR, you have the right to lodge a complaint with a supervisory authority. You can contact the supervisory authority of your usual place of residence or workplace or our law firm's registered office.

The supervisory authority responsible for our law firm is the Bavarian State Office for Data Protection Supervision (BayLDA), contact details at: https://www.lda.bayern.de/de/kontakt.html.

Insofar as we process personal data as explained above to safeguard our legitimate interests, which prevail in the context of a balancing of interests, you may object to this processing with effect for the future. After you have exercised your right to object, we will no longer process your personal data for these purposes, unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or if the processing serves to assert, exercise, or defend legal claims.

If you have any questions about the collection, processing, archiving, or transfer of your personal data, or if you wish to request information, correction, restriction, or deletion of data, or revoke your consent or object to a specific use of data, please contact our data protection officer directly.

The responsible body is the Munich office,

October 1, 2025.