Dated: 18 May 2018

1. Data processing and legal basis
1.1. This privacy policy explains the type, scope and purpose of the processing of personal data within our website and the websites, functions and content linked to it (referred to below collectively as the "website"). The privacy policy applies regardless of the domains, systems, platforms and devices used (for example desktop or mobile) on which the website is run. 1.2. The terms used, for example "personal data" and their "processing", are defined in Art. 4 of the General Data Protection Regulation (GDPR). 1.3. The personal data of users processed within the scope of this website include data about the user (without login: for example IP address; logged in: for example name and addresses of customers), contractual data for logged in users (for example services used and payment information), usage data (for example the pages of our website visited) and content data (for example information provided upon registration). 1.4. The term "user" covers all categories of data subject. These include business partners, customers, potential business partners, potential customers and other visitors to our website. The terms used, for example "user", are to be understood as applying to all genders. 1.5. We only process the personal data of users in compliance with applicable data protection provisions. This means that user data will only be processed if we are legally authorised to do so. Such legal authorisation includes but is not limited to cases in which data processing is required for the provision of our contractual services (for example to process orders) or online services, or is required by law; cases in which the user has granted consent; cases in which we are processing on the grounds of legitimate interest (for example our interest in the analysis, optimisation and efficient operation and security of our website) pursuant to Art. (6)(1)(f) GDPR, including but not limited to the measurement of reach, the creation of profiles for advertising and marketing purposes, and the collection of access data and the use of third-party services. 1.6. Please note that the legal basis for consent is Art. 6(1)(a) and Art. 7 GDPR, the legal basis for processing to perform our services and to take contractual measures is Art. 6(1)(b) GDPR, the legal basis for processing for compliance with our legal obligations is Art. 6(1)(c) GDPR, and the legal basis for processing to protect our legitimate interests is Art. 6(1)(f) GDPR.

2. Security measures
2.1. We take organisational, contractual and technical security measures corresponding to the state of the art in order to ensure that the regulations of the data protection legislation are complied with and in order to protect the data we process against accidental or intentional manipulation, loss, destruction or access by unauthorised persons. 2.2. Said security measures include but are not limited to the encrypted transfer of data between your browser and our server.

3. Disclosure of data to third parties and third-party providers
3.1. Data shall only be disclosed to third parties in accordance with statutory requirements. We shall only disclose user data to third parties if, for example, this is necessary for contractual purposes pursuant to Art. 6(1)(b) GDPR or on the grounds of legitimate interest pursuant to Art. 6(1)(f) GDPR in the efficient and effective operation of our business. 3.2. If and to the extent that we use subcontractors for the provision of our services, we shall take appropriate legal precautions and appropriate technical and organisational measures to ensure the protection of personal data in accordance with the applicable statutory regulations. 3.3. If and to the extent that content, tools or other resources from other providers (hereinafter jointly referred to as "third parties") are used in the context of this privacy policy and the registered office of those third parties is in a third country, it is to be assumed that data transfer to the country in which the third-party provider is registered will take place. Third countries are countries in which the GDPR does not constitute directly applicable law, i.e. countries outside the EU or the European Economic Area. Data will be transmitted to third countries if there is an appropriate level of data protection in place or if the user has consented or other legal authorisation has been granted.

4. Provision of contractual services
4.1. We process data about the user (for example IP addresses) and contractual data upon registration (for example services used, names of contact people and payment information) for the purpose of fulfilling our contractual obligations and providing our services pursuant to Art. 6(1)(b) GDPR. 4.2. Users can register for re.comm. Information that is mandatory for registration will be marked as such. Registration is not public and user data cannot be indexed by search engines. Users can request the erasure of their data in writing at any time. User data shall be deleted on request, unless retention is necessary on commercial or tax law grounds in accordance with Art. 6(1)(c) GDPR. We are entitled permanently to delete all user data that have been stored during the term of the contract. 4.3. When a user registers, logs on or uses our online services, we save the IP address and the time of the user action. The legal basis for storage is our legitimate interest and the legitimate interest of users in protection from misuse and other unauthorised use. Such data will not be disclosed to third parties unless this is necessary for the exercise of our rights or we have a legal obligation to do so pursuant to Art. 6(1)(c) GDPR. 4.4. We process usage data (for example pages of our website visited and interest in our events) and content data (for example information provided during registration) for advertising purposes in a user profile in order, for example, to provide the user with event information based on the services they have used so far.

5. Contact
5.1. When a user contacts us (by e-mail or using the contact form), the user's details are processed to allow us to process the enquiry pursuant to Art. 6(1)(b) GDPR. 5.2. The user's details are only stored internally and are not disclosed to third parties unless we have a legal obligation to do so pursuant to Art. 6(1)(c) GDPR. 6. Collection of access data and log files 6.1. Based on our legitimate interests within the meaning of Art. 6(1)(f) GDPR, we collect data about each instance of access to the server on which this service is located ("server log files"). Access information includes the name of the website accessed, file, date and time of access, volume of data transferred, notification of successful access, browser type and version, the user's operating system, the referrer URL (the site visited before), the IP address and the requesting provider. 6.2. Log file information is stored for security reasons (for example to investigate misuse or fraud) for a maximum of seven days and then deleted. Data for which further storage is required for evidence purposes are exempt from erasure until the respective occurrence is finally clarified.

7. Cookies & reach measurement
7.1. Cookies are items of information that are transferred from our Web server or from the Web server of third parties to the Web browser of the user, and stored there for later retrieval. Cookies may be small files or other forms of information storage. 7.2. We use session cookies that are only stored for the duration of the user's current visit to our website (for example to save your login status or for the shopping basket function and therefore to enable the use of our website). A randomly generated unique identification number ("session ID") is saved in a session cookie. A cookie also contains information about its origin and storage period. These cookies cannot store other data. Session cookies are deleted when you have finished using our website and for example log out or close your browser. 7.3. This privacy policy notifies users of the use of cookies as part of pseudonymised reach measurement. 7.4. If users do not want cookies to be stored on their computer, they should deselect the relevant option in the system settings of their browser. Cookies that have been stored can be deleted in the system settings of the browser. Declining cookies can limit the website functions available. 7.5. You can reject cookies that are used for reach measurement and advertising purposes by visiting the Network Advertising Initiative opt-out page (http://optout.networkadvertising.org/) and the US website (http://www.aboutads.info/choices) or the European website (http://www.youronlinechoices.com/uk/your-ad-choices/).

8. Google Analytics
8.1. On the basis of our legitimate interests (i.e. in the analysis, optimisation and efficient operation of our website within the meaning of Art. 6(1)(f) GDPR), we use Google Analytics, a Web analysis service provided by Google Inc. ("Google"). Google uses cookies. The information generated by the cookie about the user's use of the website is generally transferred to a Google server in the USA and stored there. 8.2. Google is certified under the Privacy Shield Framework, and therefore undertakes to comply with European privacy law (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active). 8.3. Google will use this information on our behalf to evaluate the use of our website by users, to compile reports on activities on this website and to provide us with other services associated with the use of this website and the Internet. Pseudonymous user profiles of users may be created from the data processed. 8.4. We only use Google Analytics with the IP anonymisation feature activated. This means that the IP address of users is shortened by Google within member states of the European Union or in other signatory states to the Agreement on the European Economic Area. Only in exceptional cases is the full IP address transferred to a Google server in the USA and shortened there. 8.5. Google will not combine the IP address transmitted by the user's browser with other data. Users can prevent the storage of cookies with a setting in their browser software; users can also prevent the collection of data generated by the cookie relating to their use of the website for Google and the processing of these data by Google by downloading and installing browser plugin available here: https://tools.google.com/dlpage/gaoptout?hl=en-GB. 8.6. More information on the use of data by Google and your setting and rejection options can be found on the Google website: https://policies.google.com/technologies/partner-sites?hl=en-GB ("How Google uses information from sites or apps that use our services"), http://www.google.com/policies/technologies/ads ("How Google uses cookies in advertising"), http://www.google.co.uk/settings/ads ("Control the information Google uses to show you ads").

9. Facebook Social Plugins
9.1. On the grounds of legitimate interest (i.e. in the analysis, optimisation and efficient operation of our website within the meaning of Art. 6(1)(f) GDPR), we may use social plugins ("plugins") for the social network facebook.com, which is operated by Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland ("Facebook"). Plugins can represent interactive elements or content (for example videos, graphics or text) and are indicated by the Facebook logo (white "f" on a blue square, the term "Like" or a "thumbs up" sign) or are labelled "Facebook Social Plugin". You can find a list of Facebook social plugins and see how they look here: https://developers.facebook.com/docs/plugins/. 9.2. Facebook is certified under the Privacy Shield Framework, and therefore undertakes to comply with European privacy law (https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active). 9.3. When a user accesses a function of this website that contains such a plugin, the user's device establishes a direct connection to the Facebook servers. Facebook transfers the content of the plugin directly to the user's device and integrates it into the website. User profiles of users may be created from the data processed. We therefore have no control over the extent of the data that Facebook collects using these plugins and hereby notify users accordingly. 9.4. By integrating the plugins, Facebook receives the information that a user has accessed the relevant page of the website. If the user is logged in to Facebook, Facebook can associate the visit with the user's Facebook account. When users interact with the plugins, for example by pressing the Like button or posting a comment, the relevant information is transmitted straight from your device to Facebook and stored there. If a user is not a member of Facebook, it is still possible for Facebook to find out the user's IP address and store it. According to Facebook, only an anonymised IP address is stored in Austria. 9.5. The purpose and scope of data collection and further processing and use of the data by Facebook, and the relevant rights and possible settings for protecting the privacy of users, can be found in the Facebook privacy policy: https://www.facebook.com/about/privacy/. 9.6. If a user is a Facebook member and does not want Facebook to collect data about them via this website and associate those data with their membership data that is stored with Facebook, the user will need to log out of Facebook and delete their cookies before using our website. Additional settings and objections to the use of data for advertising purposes are possible in the Facebook profile settings: https://www.facebook.com/settings?tab=ads or on US site at http://www.aboutads.info/choices/ or the EU site at http://www.youronlinechoices.com/. The settings are platform-independent, i.e. they are applied to all devices such as desktop computers and mobile devices. 9.7. You can view the Facebook privacy policy at any time at https://www.facebook.com/privacy/explanation. If you have questions about Facebook's data policy, you can use the following contact form: https://www.facebook.com/help/contact/2061665240770586. You can contact the Facebook Privacy Officer online (https://www.facebook.com/help/contact/540977946302970) or at Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland.

10. Newsletter
10.1.The following section sets out the content of our newsletter, the registration, distribution and statistical evaluation procedure and your right to object. By subscribing to our newsletter, you agree to its receipt and to the procedures described. 10.2. Content of the newsletter: we only send newsletters, e-mails and other electronic notifications containing publicity information (hereinafter "newsletters") with the consent of the recipients or with legal authorisation. If the content of the newsletter is specified in the registration process, consent applies to that content. Our newsletters also contain information about our events (for example Cäsar, Immobilienball and re.comm) and companies. 10.3. Double opt-in and logging: the registration process for our newsletter is a double opt-in procedure. This means that after registration you will receive an e-mail asking you to confirm your registration. This confirmation is required so that nobody can register with someone else's e-mail address. Newsletter registrations are logged to ensure a record of the registration process in accordance with legal requirements. Logging involves storing the time of registration and confirmation and the IP address. Changes to your data stored by the distributor are also logged. 10.4. Distributor: the newsletter is sent through a) Active Campaign, ActiveCampaign, LLC, 1 N Dearborn, 5th Floor, Chicago, IL 60601, United States, hereinafter referred to as the "distributor". You can view the privacy policy of the distributor here: https://www.activecampaign.com/privacy-policy/. b) SendGrid, SendGrid, 1801 California Street Suite 500, Denver, CO 80202, United States, hereinafter referred to as "distributor". You can view the privacy policy of the distributor here: https://sendgrid.com/policies/privacy/. 10.5. The distributor may, according to its own information, use these data in pseudonymous form, i.e. without associating them with a user, for the purposes of optimising or improving its own services, for example for the technical optimisation of distribution and presentation of the newsletter or for statistical purposes to determine which countries the recipients come from. However, the distributor will not use the data of our newsletter recipients to write to recipients itself and will not disclose the data to third parties. 10.6. Registration data: the only information required to register for the newsletter is your e-mail address. We also ask for a name so that we can address you by name in the newsletter, but this information is optional. 10.7. Statistical data collection and analyses – the newsletters contain a "Web beacon", a pixel-sized file that is retrieved from the server of the distributor when the newsletter is opened. As part of this retrieval, technical information such as information on the browser and your system, as well as your IP address and time of retrieval are collected. This information is used for the technical improvement of the services based on the technical data or the target groups and their reading behaviour based on their locations (which can be determined using the IP address) or times of access. Statistical data collection includes determining whether newsletters are opened, when they are opened and which links are clicked on. For technical reasons, this information can be associated with individual newsletter recipients, but neither we nor the distributor seek to monitor individual users. We instead use the evaluations to establish the reading habits of our users and to adapt our content to those users or to send them different content according to their interests. 10.8. The basis for the use of the distributor, statistical data collection and analyses and logging the registration procedure is our legitimate interest pursuant to Art. 6(1)(f) GDPR. We have an interest in a user-friendly and secure newsletter system that both serves our business interests and meets the expectations of users. 10.9. Cancellation/withdrawal of consent – you can cancel our newsletter at any time i.e. withdraw your consent. This ends both your consent to being sent the newsletter by the distributor and to statistical analyses. Separate withdrawal of consent to receipt from the distributor or to statistical evaluation is unfortunately not possible. A link to cancel the newsletter can be found at the end of each newsletter. Each event has its own newsletter and must be cancelled separately. If you only subscribe to a specific newsletter and cancel that subscription, your personal data relating to this newsletter will be deleted.

11. Integration of third-party services and content
11.1. On the basis of our legitimate interest (i.e. in the analysis, optimisation and efficient operation of our website within the meaning of Art. 6(1)(f) GDPR), we use within our website content and services from third parties to integrate their content and services such as videos and fonts (hereinafter referred to as "content"). This requires the third party providers of this content to be aware of the IP address of the user, as without the IP address they would not be able to send the content to the user's browsers. The user IP address is therefore required for the display of this content. We make every effort only to use content from providers that use the IP address solely to deliver the content. Third-party providers may also use pixel tags (invisible graphics, also known as "Web beacons") for statistical or marketing purposes. Pixel tags can be used to evaluate information such as visitor traffic on the pages of this website. The pseudonymous information may also be stored in cookies on the user's device and may contain, among other things, technical information on the browser and operating system, referring websites, the time of the visit and other details on the use of our website, and may be associated with such information from other sources. 11.2. The following sections provides an overview of third-party providers and their content, together with links to their privacy policies, which contain further information on the processing of data and ways to object ("opt-out"), which have in some cases already been mentioned in this privacy policy: - External fonts from Google, Inc., https://www.google.com/fonts ("Google Fonts"). Google Fonts are integrated by accessing a Google server (usually in the USA). Privacy policy: https://www.google.com/policies/privacy/, opt-out: https://www.google.com/settings/ads/. - Videos from the platform "YouTube" operated by the third-party provider Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Privacy policy: https://www.google.com/policies/privacy/, opt-out: https://www.google.com/settings/ads/.

12. Rights of the user
12.1. Users have the right to access, on request and free of charge, the personal data we have stored concerning them. 12.2. Users also have the right to have inaccurate data rectified, to the restriction of processing and to the erasure of their personal data, if applicable, to exercise their rights to data portability and, in the event of suspected unlawful data processing, to lodge a complaint with the competent supervisory authority. 12.3. Users are also entitled to withdraw their consent with effect for the future.

13. Erasure of data
13.1. The data stored with us shall be deleted as soon as they are no longer required for their intended purpose and their erasure does not contravene any statutory duties of retention. In the event that user data are not deleted because they are required for other and legally admissible purposes, their processing shall be restricted i.e. the data shall be made unavailable and not processed for other purposes. This applies, for example, to user data that is required to be retained for commercial or tax law reasons. 13.2. Under statutory requirements, retention is for seven years pursuant to Section 212 par. 1 of the Austria Commercial Code [UGB] (accounts, inventories, opening balance sheets, annual financial statements, business letters, accounting records, etc.) and pursuant to Section 190 and following UGB.

14. Right to object
User have the right to object at any time to future processing of their personal data in accordance with statutory provisions. They have in particular the right to object to processing for the purposes of direct marketing.

15. Changes to the privacy policy
15.1. We reserve the right to change the privacy policy in order to adapt to changed legal situations or if we change our services and the data processing activities. However, this only applies with regard to declarations on data processing. If consents of the users are required or components of the privacy policy contain regulations of the contractual arrangements with the users, the changes shall only be made with the permission of the user. 15.2. Users should check the content of the privacy policy on a regular basis.

16. Any other questions?
If you have any questions regarding the collection, processing or use of your personal data, you can contact our external data protection officer directly. The independent data protection officer monitors statutory compliance:

Johannes Eisert
epmedia Werbeagentur GmbH
Wienerbergstraße 11
1100 Wien
Tel.: 0043 1 512 16 16 – 0
E-Mail: office@epmedia.at