1.1 NOSER BULGARIA EOOD (Noser Bulgaria), UIC: 204763906, with registered company address at Sofia, 1504, Tsar Osvoboditel Blvd., 17A, App. 6, info@noser-bulgaria.com is responsible for your personal data.

1.2 The Data Protection Officer can be reached at the aforementioned address (see section 1.1) or via email at datenschutz@nosermanagement.ch.

1.3 As far as Noser Bulgaria requires a representative in Switzerland for data protection purposes, Noser Management AG, Herostrasse 12, 8048 Zurich will act as their Swiss representative.

2.1 Categories of Personal Data

When you access the website, information is automatically sent from your browser to the server of our website. This information is temporarily stored in a so-called log file. The following information is collected and stored until automated deletion:

• IP address, including country
• Date and time of the request
• Time zone difference to Greenwich Mean Time (GMT)
• Content of the request (specific page)
• Access status/HTTP status code
• Amount of data transmitted
• Website from which the request originated
• Browser
• Operating system and its interface
• Language and version of the browser software

Additionally, we automatically use cookies during your visit to the website, which are necessary for the smooth functioning of the website. Our Cookie Policy informs you about which cookies we use and when they are deleted.

2.2 Purpose of Processing

We process the aforementioned data to ensure a smooth connection setup and user-friendly use of the website, to ensure network and information security, to evaluate system security and stability, and for administrative purposes and consent management (selected cookie settings). Additionally, we analyze the data of our users in anonymized form. This allows us to better tailor our content and offerings to the needs of our users.

You are not legally or contractually obligated to provide us with your personal data. However, the data is necessary for us to provide you with the full functionality of our website.

2.3 Legal Basis of Processing

The legal basis for data processing is the protection of our legitimate interests. The legitimate interest arises from the aforementioned purposes of data collection. We do not use the data to draw conclusions about your identity.

2.4 Cookies

We use cookies and tracking services on the website. We aim to ensure that our website is designed according to your needs and is continuously optimized. We inform you in this context that you can adjust your browser settings to exclude tracking. To do this, you need to enable the "Do not track" feature of your browser.

Automatically, only the cookies and tracking technologies necessary for the smooth functioning of our website are applied. You can set or completely disable the remaining cookies and tracking technologies yourself. You can change the choice at any time. More detailed explanations can be found in our Cookie Policy.

2.5 Newsletter Subscription

If you have consented to receiving our newsletter, as well as invitations to events and other relevant information, we use your name and email address to send you this information electronically. Typically, we first ask you to confirm your details via email (double opt-in).

You can revoke your consent at any time with effect for the future and unsubscribe from our newsletter. To do this, use the link at the end of each newsletter or alternatively the email address of the Data Protection Officer mentioned above (section 1.3). As a result, we will no longer continue the data processing based on this consent in the future and will delete the corresponding data (reserving the right to use your data for another legitimate purpose).

2.6 Use of Our Contact Form

For any questions, we offer you the opportunity to contact us via a form provided on the website. This requires the provision of data such as a valid email address, name, country, company, etc., so that we know from whom and where the inquiry originates and can respond accordingly. Additional information is voluntary. Typically, we first ask you to confirm your details via email before contacting you (double opt-in).

The data processing for the purpose of contacting us is based on your consent.

The personal data collected by us for the use of the contact form is stored in our marketing tool and our customer management system and assigned to the relevant department. This ensures the prompt and professional handling of your inquiry. After the purpose for which you contacted us has been fulfilled and as fas as there is no further legal basis for processing, your information will be deleted.

2.7 Social Plug-ins

It is in our legitimate interest to use social network plug-ins on our website for advertising purposes. The plug-ins are marked with the image/icon of the respective platform. The responsibility for the data protection-compliant operation lies with the respective provider. The plug-ins are only activated when you click on the corresponding buttons. The plug-ins establish a direct connection between your browser and the servers of the respective social network (Facebook, X [formerly Twitter], Google, etc.). We have no influence on the nature and extent of the data that the plug-in transmits to the servers of the respective social network.

If the plug-in is clicked, the respective network will be informed that you are visiting our website. It is possible that your IP address will be stored by the network. If you are logged into your respective network account (Facebook, X [formerly Twitter], Google, etc.) while visiting our website, the mentioned information will be linked to it.

Further information on how the individual plug-ins work and what information is collected can be found on the website of the respective provider.

3.1 Categories of Personal Data

We primarily process the following personal data:

• General data (such as name and, if necessary, for the creation of a user account, date of birth), contact data (such as address data, phone, email address, workplace, business card), signatures you place on documents, submitted powers of attorney;
• User accounts for the use of our systems, data required to grant access to our business premises;
• Your role and employer and, as far as it is relevant to the business relationship, your professional activities, experiences, qualifications, and references, as well as information about the services you have provided for us;
• In certain cases (e.g., in the context of cooperation with financial institutions) and only if legally permitted, we also receive debt collection or criminal record information (e.g., if the project you are involved in requires such proof and we are the responsible person for this information); in general, this data shall be transmitted directly from you to the respective organization and thus not processed by us;
• Information about you in correspondence, email communication, and meetings, your opinions and feedback, assessments, and protocol notes that are collected and recorded in the course of business activities;
• Data from your consultants and partners, and possibly from their employees;
• In certain cases, financial data (such as bank account details, payment method, and payment service provider) to make a payment or data from your insurance company for claims management;
• Information in connection with legal and non-legal proceedings;
• Publicly available data.

3.2 Source of Data

We receive your data directly from you or from the company that employs you. We also retrieve data from public registers or databases (such as commercial registers, the internet). As far as permitted, we also receive data about you from other companies in the Noser Group (recommendations, referrals, etc.), from authorities, and other third parties.

3.3 Purpose of Processing

We use the collected personal data to conduct our business activities. This includes, in particular, the following areas:

• Conclusion and execution of contracts, including correspondence, invoicing, contract management, project development and management, protection and management of contractual claims (this includes the use of IT tools and cloud solutions);
• Establishing and maintaining business relationships, including marketing (sending information about our offerings, invitations to events in our business area, greeting cards), contact management, correspondence, customer management, customer satisfaction surveys (this includes the use of IT tools and cloud solutions as well as the organization of webinars, training, and education);
• Managing permissions and use of our IT systems and internal tools;
• Handling claims and insurance cases;
• Carrying out restructuring and corporate acquisitions and sales;
• Ensuring our business operations as well as group management, such as retention, accounting, consultation with specialists on business incidents, fulfilling information obligations to administrative bodies and authorities, measures within the group, ensuring compliance, ensuring secure access to buildings and systems.

3.4 Legal Basis of Processing

In most cases, you are not legally obligated to share your personal data with us. However, in some cases, failure to provide certain data may result in a breach of contract.

The primary legal basis for processing your personal data is the negotiation, fulfillment, and execution of contracts concluded with you or your employer.

Additionally, we are legally required to collect and process certain data, such as for accounting and billing purposes.

Furthermore, processing your data may become necessary to protect our legitimate interests. This may include instances where we:

• Approach our existing customers and partners, as well as new customers, within the scope of marketing activities,
• Protect and enforce our legal claims,
• Ensure the security and availability of our IT systems and other infrastructure,
• Conduct or optimize business processes (including corporate governance and administration of the company and the group), as well as company acquisitions and restructurings,
• Share data with our service providers to fulfill certain tasks on our behalf.

Before processing data based on our legitimate interests, we ensure that your right to privacy is not outweighed by our legitimate interests.

If you submit your application via the website (job portal), please also refer to the information concerning the processing of your personal data in connection with the website visit (see section 2 of this privacy policy).

4.1 Categories of Personal Data

We primarily process the following personal data:

• Salutation, first name, and last name,
• Contact details such as telephone number, address, and email address,
• The resume/CV you or your agent create and any attached information, such as education details, skills, professional experience, qualifications, and certificates,
• If you contact us via email or through a contact form, the data you provide (your email address, possibly your name, phone number, resume, and personal concerns) will be stored and processed by us to answer your questions or address your concerns,
• Other information you voluntarily provide to us.
• We would like to explicitly point out that, if you enter into an employment relationship with us and provide services to our customers, the following personal data will be particularly necessary:A picture for an employee profile, which will be used to introduce you to our customers for service provision,
• For certain assignments: a current criminal record and/or debt collection register excerpt; this will, if possible, be sent directly by you to our customers; we do not store this data.

The provision of this data is required for the fulfillment of your employment obligations.

4.2 Purpose of Processing

All data is stored for the purpose of processing the application procedure regarding your potential employment. Where permissible, it is used for communication with you, to verify qualifications and suitability, for a possible interview, and to assess whether an employment relationship will be established or not.

For this purpose, the stored data is processed in the applicant management system we use. From there, the HR department and the line managers or their deputies responsible for the application process have access to your data. Your application data is processed and stored within our internal applications (Office Management System, Client or Applicant Management System, etc.), which may also include cloud applications.

If you send us a speculative application via email or contact form, we will process your application as we would an application received through the job portal.

4.3 Legal Basis for Processing

The legal basis for processing your personal data is the preparation and evaluation of an employment relationship (implementation of pre-contractual measures) that takes place at your request, as well as our legitimate interest in conducting efficient applicant management. If we include your data in our talent pool, we do so with your consent, which you can withdraw at any time.

By submitting an application, you voluntarily provide us with your data, and only as much data is requested as is necessary for processing your application. Mandatory fields are marked with an asterisk (*), all other information is optional.

If you provide us with references as part of the application process, we assume that you have obtained their consent for us to process their data if this information contains personal data of another individual. We will request these references only with your consent, which we will obtain separately.

4.4 Deletion

If the application process does not lead to employment, we will delete your data no later than one year after notifying you of the conclusion of the application process, unless a legal deadline requires a longer retention period, or we are permitted to store your data to fulfill legal obligations or to defend or assert legal claims. The period of one year is necessary in order to prevent certain claims under contracts with our recruiting partners.

If you have consented to further processing of your data, such as inclusion in a talent pool, we will store and process your data according to the consent you have given.

If the application process leads to employment, your data will be transferred to the personnel database and a personnel file and processed according to the legal requirements for the employment relationship.

The disclosure of personal data constitutes data processing. Therefore, we only disclose your personal data to third parties if there is a corresponding legal basis for doing so (as described in Sections 2 to 4, the legal bases we use are typically a contract with you, a legal obligation, our legitimate interest, or your consent). In our operations, we utilize professional support from external service providers who offer various consulting, IT, or other services necessary for our activities. We carefully select our service providers, and they are bound by our instructions.

Your personal data may be shared with the following service providers, companies, and authorities:

• Companies that provide services to us under contract, such as IT hosting and maintenance providers (including cloud service providers like Salesforce, Microsoft, Atlassian, Cisco, etc.), marketing agencies, consultants, banks, insurance companies, postal services, etc., including their subcontractors.
• Other subcontractors and business partners whose services we may lawfully obtain or with whom we conduct a joint business relationship.
• Authorities, enforcement agencies, and courts, if required for the purposes mentioned above, legally mandated, or necessary for the legal protection of our legitimate interests in compliance with applicable laws.

Additionally, your personal data may be disclosed in the following cases:

• The data of customers, suppliers, partners, or counterparties may be processed in the context of M&A transactions.
• Where permitted, personal data may be shared with other Noser Group companies for the purpose of managing and administering the group.
• Additionally, your data as a customer/supplier/partner may be shared with other partners and customers when the business relationship, project, or common market practice demands it.

We primarily process and store personal data in Switzerland and the European Economic Area (EEA). However, it is possible that we may need to transfer personal data to business partners or service providers located outside the EEA, including in the USA, or that data may be processed in a country outside the EEA, including the USA.

If we process or transfer personal data abroad, this is done only when the required data protection conditions are met, ensuring an adequate level of protection for personal data (through an adequacy decision, standard contractual clauses, an applicable data protection framework like the EU-US Data Protection Framework, explicit consent of the data subjects, etc.). Detailed information about this, including a copy of the specific safeguards in place, can be obtained at any time from the contact person mentioned in Section 1.3.

Your data will be retained for as long as (i) necessary for the purpose of processing and/or (ii) required by legal obligations, such as statutory retention periods for business records, and/or (iii) necessary for the establishment, exercise, or defense of legal claims. Once we no longer need your personal data for any of the above purposes, it will be deleted or anonymized as far as practicable. Additional details on retention periods and deletion procedures can be found in the information provided for individual data categories (described in Sections 2 to 4).

The data protection law applicable to you and the specific data processing grants you certain rights. These rights may differ between Switzerland, the EU, and other countries. If you have any questions regarding the existence or exercise of these rights, you can contact the person mentioned in Section 1.3 at any time.

Generally, as a data subject, you have the following rights:

• To request information about your personal data processed by us
• To request the correction of inaccurate or incomplete personal data stored by us.
• To withdraw your consent at any time, which will result in us no longer being able to continue processing based on that consent in the future.
• To request the deletion of your personal data stored by us; deletion may not be possible in all cases and may be lawfully refused in certain situations.
• To request the restriction of the processing of your personal data under certain circumstances.
• To object to the processing of your personal data if it is based on legitimate interests.
• To receive the personal data you have provided to us in a structured, commonly used, and machine-readable format or to request the transmission to another party, provided the conditions are met.
• To lodge a complaint with the competent supervisory authority.

We use appropriate technical (such as securing IT systems and building security) and organizational (such as internal policies, training, and procedures) security measures to protect your data against accidental or intentional manipulation, partial or total loss, destruction, or unauthorized access by third parties. Our security measures are continuously adjusted according to technological developments.

This privacy policy is currently valid and was last updated in September 2024. As our business activities evolve or as legal or regulatory requirements change, it may be necessary to amend this privacy policy. Therefore, we recommend regularly checking this privacy policy on our website.