pursuant to Art. 13 and 14 of the General Data Protection Regulation (GDPR)

For reasons of better readability only, the simultaneous use of the language forms male, female and diverse (m/f/d) is dispensed with. All personal designations apply equally to all genders.

Preliminary remark

With this data protection information, we, e-mobilio GmbH (hereinafter also referred to as "e-mobilio", "we" or "us"), inform our customers and interested parties about the processing of their personal data and the rights to which they are entitled as data subjects under the data protection regulations.

The data subjects of our data processing activities and addressees of this data protection information are, with regard to the processing of personal data, in particular our customers and interested parties or the employees of our customers and interested parties (hereinafter also referred to as "customers", "interested parties" or "data subjects").

Personal data that e-mobilio processes on behalf of a controller is not part of this data protection information.

1. controller for data processing & data protection officer

1.1 Joint controllers for data processing are

Controller A
Name: e-mobilio GmbH
Address: Medienbrücke 7th floor, Rosenheimer Straße 145 d, 81671 Munich
E-mail: info@e-mobilio.de
Phone: +49 89 25555560

Managing directors: Ralph Missy, Denis Reichel

Responsible B

Name: co2.auto GmbH
Address: Rosenheimer Straße 145 d, 81671 Munich
E-mail: info@co2.auto
Phone: +49 89 77997933

Managing directors: Ralph Missy, Denis Reichel

Name: co2.auto GmbH Branch Office Austria
Address: Simmeringer Hauptstraße 24, 1110 Vienna
E-mail: info@co2-auto.at
Phone: +49 89 77997933

Managing directors: Ralph Missy, Denis Reichel

1.2 Data protection officer

Responsible person A

You can reach our data protection officer using the following contact details

Name: Lutz Mönig, i. H. Pohl Consulting Team GmbH
Address: Mengeringhäuser Str. 15, 34454 Bad Arolsen
E-mail: datenschutz@e-mobilio.de

Responsible person B

You can reach our data protection officer using the following contact details

Name: Lutz Mönig, i. H. Pohl Consulting Team GmbH
Address: Mengeringhäuser Str. 15, 34454 Bad Arolsen
E-mail: datenschutz@co2.auto

If you believe that the processing of your data violates data protection law or your data protection claims have otherwise been violated in any way, you can contact our management or the supervisory authority responsible for us below:

Bavarian State Office for Data Protection Supervision (BayLDA)
P.O. Box 1349
91504 Ansbach
Telephone: +49 981 180093 0 | e-mail: poststelle@lda.bayern.de

2 Purposes and legal basis of the processing
We process personal data in compliance with data protection laws, in particular the General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG).

a) On the basis of consent (Art. 6 para. 1 lit. a) GDPR)

If you have given us your consent to process personal data for specific purposes, the lawfulness of this processing is based on your consent. Consent given can be revoked at any time with effect for the future. This also applies to the revocation of declarations of consent given to us before the GDPR came into force. Please note that the revocation only takes effect for the future; processing that took place before the revocation is not affected.

Processing based on your consent is carried out, for example, to conduct customer surveys, marketing campaigns, market analyses, competitions or similar promotions and events, to record text, audio and video data, to send newsletters and to use the chatbot.

We may wish to collect further data from you at a later date or use it in other ways. Should this occur, we will ask you for your consent in accordance with Art. 6 para. 1 lit. a in conjunction with Art. 7 GDPR and inform you accordingly. If you give us this consent, it can be revoked informally at any time.

b) In the context of the performance of a contract or in order to take steps prior to entering into a contract (Art. 6 (1) (b) GDPR)

We process your personal data primarily to establish, implement and terminate the business relationship, i.e. to fulfill contractual obligations and provide the associated services or in the context of a corresponding contract initiation, e.g. for contract negotiations, to prepare offers, for electronic payment transactions via e.g. online banking or PayPal to settle liabilities or to conduct webinars or customer training and product training. The specific purposes depend on the respective service or product (e.g. charging cards) to which the business relationship or contract initiation relates.

In addition, we process your data in this context to open and provide a customer account and process all related offers. Further information on the processing of your data in the context of the customer account and for the transmission of data to car dealers in the case of source links and the use of the route planner can be found inAppendix 1.

c) For the fulfillment of a legal obligation (Art. 6 para. 1 lit. c) GDPR)

We process your data to fulfill legal obligations, e.g. to fulfill tax control and reporting obligations, to fulfill obligations under corporate, data protection and civil law, in the event of audits by authorities and to comply with statutory retention periods. In addition, the disclosure of personal data may become necessary due to official or judicial measures for the purposes of gathering evidence, criminal prosecution or the enforcement of civil law claims.

d) As part of the balancing of interests (Art. 6 para. 1 lit. f) GDPR)

Where necessary, we process your personal data within our business relationships on the basis of a balancing of interests, according to which processing is permissible if it is necessary to safeguard the legitimate interests of us or third parties and does not outweigh the interests or fundamental rights and freedoms of the data subject that require the protection of personal data. This concerns

• Assertion of legal claims and defense in legal disputes;
• Measures to optimize our business processes, such as maintaining a supplier or customer relationship management database;
• Measures to ensure operational safety and business management;
• Measures to ensure IT security and IT operations;
• Checking creditworthiness via appropriate credit agencies to assess the risk of default in business relationships;
• the limited storage of your data if deletion is not possible or only possible with disproportionate effort due to the special type of storage
• internal administrative purposes;
• Measures to improve our internal business processes and for product optimization;
• Carrying out audits and company controls;
• Managing and using customer and prospect directories.

If we receive your e-mail address in connection with the sale of a product or service and you have not objected to this, we reserve the right to regularly send you offers for similar products to those you have already purchased from our range by e-mail on the basis of Section 7 (3) UWG. This serves to safeguard our legitimate interests, which predominate in the context of a balancing of interests, in a promotional approach to our customers. You can object to this use of your e-mail address at any time by sending a message to the contact option described in this privacy policy or via a link provided for this purpose in the advertising e-mail, without incurring any costs other than the transmission costs according to the basic rates.

After unsubscribing, we will delete your e-mail address from the recipient list. This does not affect any further data processing that is permitted by law (e.g. in accordance with Art. 6 para. 1 lit. b GDPR "contract fulfillment or initiation") and about which we provide information in this declaration.

3. categories of personal data

We mainly process the data that we receive directly from you in connection with the establishment, execution and/or termination of the business relationship (e.g. as part of a request for a quote, placing an order or contractual relationship as well as through other contact via our website, social media channels, by e-mail or telephone, at trade fairs or comparable events).

If we receive data via a third party (e.g. via a colleague of the data subject who names them as a contact person), we will inform them of the source during the initial communication.

In addition, we process - where necessary - personal data that we legitimately obtain from publicly accessible sources (e.g. commercial and association registers, press, internet) or are legitimately transmitted by other third parties (e.g. a credit agency).

The personal data processed by us includes

• Personal/contact data (e.g. title, first name, surname, gender, company if applicable, (company) address, (mobile) telephone number, fax, e-mail, profession, position, title, academic degree)
• Participation data in internal Group events or online offers (conference, meeting, webinar) such as display name, e-mail address if applicable, profile picture (optional), preferred language, meeting ID, photographs and video recordings
• Records of business transactions, business partner history, project details, communication data in connection with correspondence (emails, correspondence, telephone calls) and webinars, including text, audio and video data, if applicable
• Contract and billing data (e.g. bank details, credit card information if applicable, tax number/USt ID, invoice data, credit card data, order data, electricity tariff, delivery and payment conditions, data on purchased goods and services)
• Data from the fulfillment of our contractual obligations (e.g. sales data in payment transactions, electricity consumption with associated license plate number)
• Identification data (e.g. identity documents) and authentication data (e.g. specimen signature)
• Information about your financial situation (e.g. creditworthiness data)
• Information from publicly available sources and information databases (e.g. extract from the commercial register)
• Marketing information (contact and product preferences, cookie ID, IP address)
• CRM data (e.g. customer type, customer number, contact history, industry)
• Depending on the business purpose, possibly also user IDs for protected areas on systems
• Data for the processing/submission of GHG quotas (e.g. registration certificate part 1)
• Consumption and user data from our employee portal or the billing system
• as well as other data comparable to the categories mentioned

4. recipients or categories of recipients of the personal data

Within our company, only those persons have access to your data who need it to establish, implement and terminate our customer and business relationship or to fulfill our contractual and legal obligations and to carry out our internal processes (e.g. sales, purchasing, logistics, financial accounting). This may also involve several departments in our company, depending on which services or products you purchase from us. Furthermore, our IT department has access to your data exclusively for technical processing.

Service providers and vicarious agents employed by us may also receive data from you for this purpose as part of order processing in accordance with Art. 28 GDPR.

When processing your orders or fulfilling contracts, it is sometimes necessary for us to transfer certain data to our corresponding cooperation partners, suppliers, manufacturers or distributors based in Germany, other European countries or the European Economic Area.You can find further information on this in Appendix 1.

Insofar as electronic payment transactions take place in order to record any payment orders still submitted in paper form on EDP media and to process clearing transactions between the credit institutions or payment service providers using the paperless data carrier exchange procedure, the responsible employees/departments in the company (accounting), the responsible financial institution or various payment service providers such as PayPal will receive your data required for this purpose.

Furthermore, your data will be passed on within our affiliated companies if necessary as part of a joint responsibility. Detailed information on this can be found inAppendix 2.

Otherwise, data will only be passed on outside the company if this is required by law or if you have given your consent. For example, we may have to disclose certain data to authorized (public) bodies and institutions such as the tax authorities as part of our legal obligations.

5 Transfers to a third country

In principle, your personal data will only be processed within Germany, the European Union and the European Economic Area ("EEA"), where the provisions of the GDPR apply. As a rule, data is not transferred to countries, states or international organizations outside the EEA ("third country").

However, insofar as one of our service providers or the service providers may also use service providers that have their registered office, parent company or data centers in a third country, e-mobilio may transfer your personal data to a so-called third country in which the GDPR provisions do not apply. In such cases, data will only be transferred to third countries if the conditions of Chapter 5 (Art. 44 - 50) of the GDPR and the other provisions of the GDPR are implemented and complied with.

This applies in particular to the providers of the cloud applications we use for our company-wide communication system and for our CRM system.

Although we ensure that servers within Germany and the EU are used to store the data wherever possible, it cannot be ruled out that your data may be transferred to a third country (e.g. the USA) and processed there in this context.

We have concluded corresponding contracts with all our service providers of this kind and have also contractually agreed that guarantees in accordance with Chapter 5 (Art. 44 - 50) of the GDPR on data protection must always be in place with their contractual partners in compliance with the European level of data protection. We will provide you with a copy of these guarantees on request.

6 Duration of data storage

We process and store your data for as long as it is necessary to fulfill the purposes mentioned in section 2 and as long as it is necessary for the establishment, implementation and termination of our business relationship or for the fulfillment of our (pre-)contractual and legal obligations. It should be noted that many of our business relationships are long-term. If the data is no longer required for these contractual or legal obligations, it is regularly deleted or destroyed, unless its - temporary - further processing is required for the following purposes:

• Fulfillment of retention obligations under commercial and tax law, which may arise, for example, from: German Commercial Code (HGB), German Fiscal Code (AO), German Money Laundering Act (GwG). The retention and documentation periods specified there are generally two to ten years. The retention and documentation periods are, for example, ten years for accounting records and six years for commercial or business letters.
• Preservation of evidence within the framework of the statutory statute of limitations. According to §§ 195 ff of the German Civil Code (BGB), these limitation periods can be up to 30 years, whereby the regular limitation period is 3 years.

If the data processing is carried out in the legitimate interest of us or a third party, the personal data will be deleted as soon as this interest no longer exists and provided that there are no storage and documentation obligations to the contrary.

Personal data collected on the basis of consent will be processed until consent is withdrawn. The withdrawal of consent does not affect the lawfulness of the data processed until the withdrawal.

7 Your rights

Every data subject has the right of access under Art. 15 GDPR, the right to rectification under Art. 16 GDPR, the right to erasure under Art. 17 GDPR, the right to restriction of processing under Art. 18 GDPR, the right to notification under Art. 19 GDPR and the right to data portability under Art. 20 GDPR.

In addition, you have the right to lodge a complaint with a data protection supervisory authority in accordance with Art. 77 GDPR if you believe that your personal data is being processed unlawfully. The right to lodge a complaint is without prejudice to any other administrative or judicial remedy. The data protection supervisory authority responsible for us is the Bavarian State Office for Data Protection Supervision (BayLDA), P.O. Box 1349, 91504 Ansbach, telephone +49 (0) 981 180093-0.

If your personal data is processed on the basis of your consent, you are entitled under Art. 7 GDPR to revoke your consent at any time and without giving reasons for the future. This does not affect processing that took place before you withdrew your consent. Please also note that we may have to retain certain data for a certain period of time in order to comply with legal requirements (see section 6).

Insofar as your personal data is processed in accordance with Art. 6 para. 1 sentence 1 lit. f) GDPR to safeguard legitimate interests, you also have the right to object to the processing of this personal data at any time in accordance with Art. 21 GDPR for reasons arising from your particular situation. We will then no longer process this personal data unless there are compelling legitimate grounds for the processing. These must outweigh your interests, rights and freedoms, or the processing must serve the assertion, exercise or defense of legal claims.

To assert your rights or if you have further questions about data processing, you can contact our data protection officer using the contact details provided in section 1 of this data protection information.

8 Voluntary provision of data

The provision of your personal data for the establishment and execution of the business relationship is neither legally nor contractually required, nor are you obliged to provide this data.

However, if you are in a direct business relationship with us, you must provide the personal data that is necessary for the establishment and implementation of a business relationship and the fulfillment of the associated contractual obligations.

Without this data, we will generally have to refuse to conclude the contract or execute the order or will no longer be able to perform an existing contract and may have to terminate it.

If it is a business relationship with a company that you have commissioned, you must provide us with the personal data that is required for the commencement and execution of a representation/authorization and the fulfillment of the associated contractual obligations. Without this data, we will generally have to reject you as an authorized representative / proxy or cancel an existing authorization to represent / proxy.

9 Automated decision-making / profiling

We do not use automated decision-making in accordance with Art. 22 GDPR to establish, implement and terminate the business relationship. We also do not use profiling as a matter of principle.

Should we use these procedures in individual cases, we will inform you separately about this and about your rights in this regard, insofar as this is required by law.

10. changes to this data protection information

e-mobilio reserves the right to change this data protection information at any time.

Attachments:

Appendix 1: Customer account, source links and route planner

Annex 2: Data protection information on joint responsibility pursuant to Art. 26 para. 2 GDPR

1. opening a customer account and contract processing

1.1 Establishing dealer contact

The dealer contact creation service offered by us supports you in your search for vehicle dealers, vehicle manufacturers and leasing providers. Your personal data is collected and processed using a form on the e-mobilio.de website or via an e-mobilio.de iFrame on the website of a cooperation partner.

This non-binding and free dealer contact establishment consists of the transmission of your request to up to three vehicle dealers, vehicle manufacturers or leasing providers.

If you visit our website via an iFrame, dealer contact is established by sending your request to the cooperation partner on whose website you visit our iFrame.

Data processing by us in the context of dealer contact is carried out as follows:

• Your personal data is collected and stored using an SSL-secured form.
• Your data is sent to up to three vehicle dealers, vehicle manufacturers, leasing providers or the cooperation partner via an SSL-encrypted e-mail server.

The legal basis for the processing of your personal data is Art. 6 para. 1 lit. b GDPR (fulfillment of the contractual service to establish contact or the implementation of pre-contractual measures to fulfill the service to establish contact) and for the transmission of the information listed below as "optional" (i.e. your configured product package or your needs analysis) to the vehicle dealers, vehicle manufacturers or leasing providers, Art. 6 para. 1 lit. a GDPR (consent to the processing of personal data).

The processing of data for the purpose of accepting orders and responding to your inquiry by the vehicle dealer, vehicle manufacturer or leasing provider is carried out by the respective vehicle dealer, vehicle manufacturer or leasing provider as the controller and is not covered by this privacy policy. In the context of the processing of personal data via the website, we and the respective vehicle dealer, vehicle manufacturer, leasing provider or cooperation partner act as joint controllers in accordance with Art. 26 of the GDPR.

1.2 Employee portal and billing system

The employee portal provided by us offers you a self-service solution for your business e-mobility. You get access to useful tips on charging your company e-car and the reimbursement of charging costs. We only collect the data about you that you provide to us as part of the registration process. You also have the option of entering additional data in your profile.

Your charging costs are recorded in our billing system. Your data that we have received from your employer for billing your consumption is also stored there. Consumption of your company car is passed on to your employer. We have concluded an order processing agreement with your employer for the processing of your personal data in accordance with Art. 28 Para. 3 GDPR.

If you also use the employee portal and the billing system for a private vehicle, the legal basis for the processing of your personal data is Art. 6 para. 1 lit. b GDPR (fulfillment of contract).

While using the employee portal, it is possible for you to contact our AI assistant Emma via the chatbot. For all information on how your data is processed by Emma, please refer to thedata protection information for AI assistance, which you can view in the employee portal.

The legal basis for the use of the chatbot in the employee portal is Art. 6 para. 1 lit. a GDPR (consent to the processing of personal data).

1.3 Cookies in the employee portal

Cookies are small text files that enable us to make the use of our offers and our employee portal more pleasant for users, e.g. by determining whether you have already visited individual areas of our employee portal and thus to store information about your preferred activities in the employee portal or to tailor our employee portal to your individual interests. As soon as a user accesses our platform, a cookie is stored on the end device (laptop, tablet, smartphone or PC) of the respective user. Cookies that are not necessary for the provision of our employee portal are only placed on your device with your consent. (Art. 6 para. 1 lit. a) GDPR).

Essential functions:

These providers are used to operate the employee portal or certain functions thereof, for example to ensure security or to make an appointment with us. These providers are mandatory and cannot be deselected.

1.4 e-mobilio installation check

The e-mobilio installation check offered by us via the webshop - as a video installation check or on-site installation check - supports you in assessing whether your home is suitable for the installation of a charging station (wallbox). Your personal data is collected and processed using a form in the e-mobilio.de webshop or via an e-mobilio.de iFrame on the website of a cooperation partner.

Processing of personal data by e-mobilio:

We process your personal data for the purposes of providing the e-mobilio installation check and for evaluating the e-mobilio installation check and e-mobilio installation services.

In particular, we process data as part of the e-mobilio installation check as follows:

• Your personal data is collected and stored using an SSL-secured form.
• Your data will be processed to fulfill our contractual obligations.
• To carry out the on-site installation check, your data is sent to our installation partners via an SSL-encrypted email server (as part of order data processing).
• The results of the e-mobilio installation check, together with your personal data, are collected and stored using an SSL-encrypted e-mail server or video telephony.

The legal basis for the processing of your personal data is Art. 6 Para. 1 lit. b GDPR (fulfillment of the contractual services of the e-mobilio installation check or the implementation of pre-contractual measures to fulfill the e-mobilio installation check); for the evaluation of the e-mobilio installation check, Art. 6 Para. 1 lit. f GDPR (legitimate interest in the evaluation of the results from the e-mobilio installation check is quality control and the evaluation of the success rate of the e-mobilio installation check to improve service quality) and for the transmission of the information provided to us in connection with the product package configured by you or your needs analysis to the cooperation partner contacted for you, Art. 6 para. 1 lit. a GDPR (consent to the processing of personal data).

1.5 Arranging the installation of charging stations

As part of the mediation of your request regarding the installation of a charging station to an installation partner offered via the website / webshop, your personal data will be collected and processed by means of a form on the website / webshop of e-mobilio.de or via an iFrame of e-mobilio.de on the website of a cooperation partner.

Processing of personal data by e-mobilio:

We process your personal data for the purposes of communicating your request to our installation partner and for evaluating the e-mobilio installation service.

In particular, we process data as follows:

• Your personal data is collected and stored using an SSL-secured form.
• Your data is sent to our installation partners via an SSL-encrypted e-mail server.
• The results of the installation service, together with your personal data, are sent to us by the installation partner so that we can collect and store them using an SSL-encrypted email server.
• The results from the installation service, together with your personal data, may be sent via an SSL-encrypted e-mail server to the respective vehicle dealers with whom you have a contractual relationship.

The legal basis for the processing of your personal data is Art. 6 para. 1 lit. b GDPR (fulfillment of contractual services to establish contact with the installation partners or the implementation of pre-contractual measures to fulfill the services to establish contact), for the evaluation of the e-mobilio installation service, Art. 6 para. 1 lit. f GDPR (legitimate interest in the evaluation of the results from contacting the installation partner is quality control and the evaluation of the success rate of the e-mobilio installation service to improve service quality) as well as for the transmission of the information provided to us in connection with the product package configured by you or your needs analysis to the cooperation partner contacted for you, Art. 6 para. 1 lit. a GDPR (consent to the processing of personal data).

The processing of data for the purpose of establishing contact and carrying out the commissioned installation by our installation partners is carried out by the respective installation partner as the controller and is not covered by this privacy policy.

1.6 Promotion service contact establishment

As part of the funding service contact establishment offered by e-mobilio, we will forward your request to febis Service GmbH, which will check the funding programs you are eligible for and, if necessary, support you in applying for funding programs.

Your personal data will be collected and processed using a form on the e-mobilio.de website or via an iFrame from e-mobilio.de on the website of a cooperation partner.

Processing of personal data by e-mobilio:

We process your personal data for the purpose of establishing contact with febis Service GmbH. This non-binding and free support service contact establishment consists of the transmission of your request to febis Service GmbH as well as the support and evaluation of the support process.

Data processing by us as part of the support service contact is carried out as follows:

• Your personal data is collected and stored using an SSL-secured form.
• Your data is sent to febis Service GmbH via an SSL-encrypted e-mail server.
• The results from the support service, together with your personal data, are sent to us by febis Service GmbH, so that we collect and store them using an SSL-encrypted e-mail server.
• The results from the support service, together with your personal data, may be sent via an SSL-encrypted email server to the respective vehicle dealers with whom you have a contractual relationship.

The legal basis for the processing of your personal data is Art. 6 para. 1 lit. b GDPR (fulfillment of the contractual service to establish contact or the implementation of pre-contractual measures to fulfill the service to establish contact), Art. 6 para. 1 lit. f GDPR (legitimate interest in the evaluation of the results from the support service is the quality control from the support service as well as the evaluation of the success rate of the support service to improve the service quality) and Art. 6 para. 1 lit. a GDPR (consent to the processing of personal data) for the transmission of the information provided to us in connection with the product package configured by you or your needs analysis to the cooperation or installation partners contacted for you.

The processing of data for the purpose of order acceptance and implementation of the support service is carried out by febis Service GmbH as the controller and is not covered by this privacy policy.

1.7 SWM contact establishment

Aspartof the SWM contact establishment offered by e-mobilio, we will forward your request to Stadtwerke München GmbH, which will provide you with an offer for a rental charging solution. Your personal data is collected and processed using a form on the website of e-mobilio.de or via an iFrame of e-mobilio.de on the website of a cooperation partner.

Processing of personal data by e-mobilio:

We process your personal data for the purpose of providing the SWM contact establishment service. This non-binding and free SWM contact establishment consists of the transmission of your request to Stadtwerke München GmbH.

The data processing by us in the context of the SWM contact establishment takes place in particular as follows:

• Your personal data is collected and stored using an SSL-secured form.
• Your data is sent to Stadtwerke München GmbH via an SSL-encrypted e-mail server.

The legal basis for the processing of your personal data is Art. 6 para. 1 lit. b GDPR (fulfillment of the contractual service to establish contact or the implementation of pre-contractual measures to fulfill the service to establish contact) and Art. 6 para. 1 lit. a GDPR (consent to the processing of personal data) for the transmission of the information provided to us in connection with the product package configured by you or your needs analysis to the cooperation and installation partners contacted for you.

The processing of data for the purpose of accepting an order and preparing an offer for a rental charging solution is carried out by SWM as the controller and is not covered by this privacy policy.

1.8 Charging station contact creation

As part of the charging station contact manufacturing service offered by e-mobilio, we will forward your request toacooperation partner who will prepare an offer for the requested charging station for you.

Your personal data is collected and processed by means of a form via an iFrame from e-mobilio.de on the website of a cooperation partner.

Processing of personal data by e-mobilio:

We process your personal data for the purpose of providing the charging station contact service. This non-binding and free charging station contact establishment consists of the transmission of your request to the cooperation partner.

The data processing by us in the context of the charging station contact establishment takes place in particular as follows:

• Your personal data is collected and stored using an SSL-secured form.
• Your data is sent to the cooperation partner via an SSL-encrypted e-mail server.

The legal basis for the processing of your personal data is Art. 6 para. 1 lit. b GDPR (fulfillment of the contractual service to establish contact or the implementation of pre-contractual measures to fulfill the service to establish contact) and for the transmission of the information listed below as "optional" (i.e. your configured product package or your needs analysis) to the cooperation partner, Art. 6 para. 1 lit. a GDPR (consent to the processing of personal data).

The processing of data for the purpose of accepting orders and responding to your inquiry by the cooperation partner is carried out by the respective cooperation partner as the controller and is not covered by this privacy policy.

2. transmission of data to car dealers with source links

If you complete an order via a source link of a car dealer in the e-mobilio store or use a voucher code assigned to the dealer, we transmit your street (without house number), zip code and city to the car dealer for the purpose of seller comparison.

The legal basis for this is our legitimate interest pursuant to Art. 6 para. 1 lit. f) GDPR. The legitimate interest lies in the fact that we have a brokerage agreement with the respective car dealers, which also provides for commission payments in the event of successful brokerage. If the customer referral came via your car dealer, we owe the corresponding commission amount. The respective car dealer can carry out a seller comparison using the street, zip code and city in order to be able to correctly allocate the commission claim to the individual seller.

If you do not agree to your street (without house number), zip code and city being passed on in this context, please send a message to info@e-mobilio.de(opt-out)

3. data processing through integration of the route planner

On our website, we offer the function of a route planner to your nearest charging station. This function requires the integration of content from and transfer of data to the following services: googleapis.com (Controller: Google LLC, Mountain View, California, USA), mapbox.com (Controller: Mapbox Inc., 740 15th Street NW, 6th Floor, Washington DC 20005, USA) and chargetrip.io. (Controller: Chargetrip B.V., Lijnbaansgracht 57, 1015 GS Amsterdam, Netherlands). If you confirm the activation of the route planner, the following (personal or personally identifiable) data will be shared with the respective services:

Google API (for geolocation + autocomplete for search): IP address, search data locations, optional: location service (if you want to determine the location via browser)

Mapbox (for map data): IP address, geolocation

Chargetrip (for route/range calculation): IP address, vehicle model, start and destination address

Please note that the respective third-party providers act as data processors in accordance with Art. 28 GDPR. Your confirmation of the activation of the route planner and the corresponding data processing will be stored on your device until you delete it. You will then be asked to confirm the activation again.

The legal basis for the processing is Art. 6 (1) lit. b) GDPR (you agree to use the service offered by us, in order to be able to provide this service requested by you, we must carry out the data processing specified above).

1. preamble

There is a cooperation between the controllers in the areas of marketing, customer service and finance & controlling or the entire accounting processes, such as financial accounting including accounts receivable and accounts payable and electronic payment transactions and payment of bonuses to end customers and commissions to affiliated companies and business partners, in accordance with Art. 26 GDPR in conjunction with Art. 4 No. 7 GDPR (cooperation between two or more controllers in the processing of personal data). As it is possible or necessary for the joint controllers to gain access to your personal data as part of this collaboration, they are jointly responsible for the protection of your personal data with regard to the processes described below. The main contents of the agreement between the controllers to fulfill their obligations under the GDPR are also described below.

2 Joint controllers

Controller A
Name: e-mobilio GmbH
Address: Medienbrücke 7th floor, Rosenheimer Straße 145 d, 81671 Munich, Germany
E-mail: info@e-mobilio.de
Phone: +49 89 25555560

Managing directors: Ralph Missy, Denis Reichel

Responsible B

Name: co2.auto GmbH
Address: Rosenheimer Straße 145 d, 81671 Munich
E-mail: info@co2.auto
Phone: +49 89 77997933

Managing directors: Ralph Missy, Denis Reichel

Name: co2.auto GmbH Branch Office Austria
Address: Simmeringer Hauptstraße 24, 1110 Vienna
E-mail: info@co2-auto.at
Phone: +49 89 77997933

Managing Directors: Ralph Missy, Denis Reichel

3. purposes and description of the processing

In the area of marketing:

The processing serves to handle all relevant activities in the area of marketing and advertising. These include, in particular, all activities that promote sales through events, contact with customers and interested parties, advertising, observation and control of the market and appropriate management.

To this end, the parties shall cooperate closely in all relevant areas of marketing activities, including but not limited to: trade fairs, customer events, newsletter distribution, social media, website with web tracking and publications. There is no strict separation in the cooperation. For various reasons, areas are also processed by the respective partner.

In the area of customer service:

The processing serves the orderly processing of customer data from the establishment of contact by those responsible or the data subject using standard methods (including the website contact form) to the processing of the order through to invoicing and subsequent customer care. Furthermore, the processing serves to process THG quotas.

The parties carry out the associated processes in all relevant areas of the field of activity as part of an intensive collaboration. In particular, inquiries addressed to the responsible parties via the Internet portals of the co2-auto.de or co2-auto.at websites are processed jointly.

In the area of Finance & Controlling

The processing serves the purpose of the proper, legally prescribed financial accounting of the companies. Financial accounting as a sub-area of operational accounting determines the overall operating result within the meaning of Section 239 of the German Commercial Code (HGB) by recording all business transactions and thus fulfills the legally prescribed documentary function.

The parties cooperate closely in all relevant areas of finance and controlling, including but not limited to: payment of CO2 bonuses to end customers, payment of commissions for sales to e-mobilio or business partners, controlling, accounts receivable or accounts payable invoices, electronic payment transactions (instant invoice, direct debit, PayPal, online banking, Klarna, Amazon), granting bank authorization, financial accounting, credit cards, accounts payable or accounts payable invoices, insurance claims, prepayment and dunning.

However, it should be noted that there is no overarching central Finance & Controlling department for the parties together. The parties each have their own Finance & Controlling department. There is no strict separation in the cooperation. For various reasons, areas are also processed by the respective partner.

In this respect, Controlling performs planning, coordination and control tasks in order to provide the company management with relevant information. This forms the basis for the optimal and rational management of the company. The KPIs (Key Performance Indicators) are processed across all locations for this purpose. Microsoft's Excel and PowerBI software is used to analyze company data from any source and compile it into reports with key performance indicators for company management and investors.

4 Affected groups of persons

The groups of data subjects of controllers A and B are employees pursuant to Section 26 (8) BDSG, contractual partners, customers, interested parties, cooperation partners, newsletter subscribers, visitors to the company, visitors to the website, suppliers and service providers.

5 Categories of personal data

Within the scope of joint controllership, only such data is processed that is related to marketing, customer care and finance & controlling (see section 3). This may include the following personal data or categories of data:

Contractual partners, cooperation partners, customers, suppliers and service providers, visitors to the company and the website: First and last name, gender, private contact data, business contact data, address data, telecommunications data such as email, telephone etc., customer type, customer number, industry, professional information, contract data, sales data, cost unit data, invoice data, bank details, credit card data, delivery and payment terms, contact history, creditworthiness data, performance data, ID data, photographs, video recordings, product preferences, data on purchased goods and services, cookie ID, IP address, CRM data, vehicle data if applicable (in the form of a copy of the registration certificate).

Employees pursuant to Section 26 (8) BDSG: first and last name, gender, private contact data, business contact data, address data, telecommunications data such as e-mail, telephone, etc., personnel number, contract data, sales data, cost unit data, invoice data, bank details, credit card data, delivery and payment conditions, contact history, performance data, ID card data, photographs, video recordings.

6. joint responsibility and assignment of responsibilities for process steps

Even if there is joint responsibility, the controllers must fulfill the data protection obligations in accordance with their respective responsibilities for the individual process stages described below.

6.1In the context of joint controllership,Controller A is responsible forthe processing of personal data in the following process stages:

• Collection of data: Collection of the respective project-related personal data of the corresponding groups of data subjects; information obligations pursuant to Art. 13, 14 and 26 para. 2 sentence 2 GDPR.
• Storage of the data: Storage of the data in our own systems.
• Processing / use of the data: Collection and processing / evaluation of the data of the groups of persons named above; forwarding of the data to the relevant departments of the responsible parties (Finance & Controlling; management of the parties in accordance with the existing rights and roles concept) or to third parties in the form of tax consultants and auditors and authorities to be involved such as tax offices; printing, copying, archiving, deletion and destruction of the data and documents within the framework of the legal requirements.
• Deletion of data: In accordance with the deletion concept.

6.2 Within the scope of joint responsibility,Controller B is responsible forthe processing of personal data in the following process stages:

• Collection of data: Collection of the respective project-related personal data of the corresponding groups of data subjects; information obligations pursuant to Art. 13, 14 and 26 para. 2 sentence 2 GDPR.
• Storage of the data: Storage of the data in the applicant management system or in our own data storage systems.
• Processing / use of the data: Collection and processing / evaluation of the data of the groups of persons named above; forwarding of the data to the relevant departments of the responsible parties (Finance & Controlling; management of the parties in accordance with the existing rights and roles concept) or to third parties in the form of tax consultants and auditors and authorities to be involved, such as tax offices; printing, copying, archiving, deletion and destruction of the data and documents within the framework of the legal requirements.
• Deletion of data: In accordance with the deletion concept.

6.3Thecontrollers arejointly responsiblefor the following process stages:

• Determining the purpose of data processing, determining the categories of personal data concerned, guaranteeing the rights of data subjects in accordance with Art. 15, 16, 17, 18, 19, 20 and 21 GDPR, documenting the technical and organizational measures in accordance with Art. 32 GDPR, risk assessment and (if necessary) carrying out data protection impact assessments in accordance with Art. 35 GDPR, as well as coordination with the supervisory authorities, evaluation and monitoring of processors in accordance with Art. 28 GDPR, provision and documentation of records of processing activities in accordance with Art. 30 GDPR, evaluation and communication in the event of data breaches in accordance with Art. 33, 34 GDPR.

7 Agreements of the controllers regarding their data protection obligations

7.1 Information obligations pursuant to Art. 13 and 14 GDPR

In accordance with the contractual agreements, the controllers shall provide the data subjects with the information required under Art. 13 and 14 GDPR in a transparent and easily understandable form. Each controller shall provide the other controller with all necessary information from its sphere of activity.

7.2 Contact point for the assertion of data subject rights in accordance with the GDPR

The controllers may designate a contact point to which data subjects can turn to assert their rights under the GDPR. Irrespective of this agreement, data subjects can always assert their rights under Art. 26 (3) GDPR against each of the controllers. The controllers shall inform each other immediately of any claims asserted by data subjects and provide each other with all information necessary for processing.

7.3 Technical and organizational measures

The controllers have agreed to comply with all legal requirements in accordance with Art. 32 GDPR with the help of suitable technical and organizational measures in order to ensure an appropriate level of protection for the processing of personal data.

7.4 Further data protection obligations under the GDPR

The controllers have undertaken to support each other in complying with the contractually agreed provisions and all applicable data protection regulations and to coordinate accordingly. This applies in particular to the following areas

• Measures in the event of any data protection breaches;
• Cooperation with the competent data protection authorities;
• Creation and maintenance of processing directories;
• Coordination in the event of any deletion of personal data (statutory retention periods, etc.);
• Involvement of contract processors;
• Cooperation with the respective data protection officers;
• Obligation of all persons involved in data processing to maintain confidentiality.