In this notice “Roland Berger”, “we”, “us” or “our” refers to one or more of the Roland Berger Group Companies, most of which are a separate legal entity. The Roland Berger entity with which you have concluded a contract or are in the process of negotiating a contract and/or whose premises you visit and/or who is in contact with you in the context of public relations work is the data controller under the GDPR (if applicable), as this company uses your personal data in the context of the respective relationship with you. The address and name of this Roland Berger entity can be found here .

We welcome your feedback. If you have any comments, complaints or questions regarding this Privacy Notice or our processing of your Personal Data, or would like to exercise any of your rights, you can contact us at:

Roland Berger Holding GmbH & Co. KGaA
Sederanger 1
80538 Munich
Germany
Phone: +49-89-9230-0
Fax: +49-89-9230-8202
Email: [email protected]

The contact details of our data protection officer are:
Roland Berger Holding GmbH & Co. KGaA
z.Hd. Datenschutzbeauftragter
Sederanger 1
80538 Munich
Germany
Email: [email protected]

There are some points on our websites where we collect data for information and marketing purposes with your consent. This is generally done for all Roland Berger entities as joint controllers (Art. 26 GDPR).

This Privacy Notice explains how we collect, store, use, disclose and transfer (hereinafter “process”) your personal data. The personal data that we collect about you depends on the context of your interactions with us, the products, services and features that you use, your location, and applicable law. We process your data for the reasons described below and only for the purpose intended in each case.

Our services are neither aimed at nor intended for children.

It is important that the personal data we hold about you is accurate and current. Should your personal information change, please notify us of any changes of which we need to be aware of. Please use the contact details above or keep your contact person at Roland Berger informed.

In principle, any processing of personal data is prohibited by law and is only permitted if the data processing is subject to an explicit permission. We process your data under the following circumstances:

• "Consent": If you have voluntarily, in an informed and unambiguous manner, by means of a statement or other unambiguous affirmative act, indicated that you consent to the processing of personal data concerning you for one or more specific purposes (Art. 6 para. 1 sentence 1 lit. a GDPR)
• "Performance of a contract": If we conclude a contract with you and the processing is necessary for the performance of this contract to which you are a party or for the implementation of pre-contractual measures taken at your request (Art. 6 para. 1 sentence 1 lit. b GDPR);
• "Legal or regulatory obligation": If the processing is necessary to fulfill a legal obligation to which we are subject, e.g. a legal obligation to retain data (Art. 6 para. 1 sentence 1 lit. c GDPR);
• "Legitimate interests": Where processing is necessary for the purposes of our legitimate interests (in particular legal or economic interests) or those of a third party, except where such interests are overridden by your interests or rights to the contrary (in particular where the data subject is a minor) (Art. 6 para. 1 sentence 1 lit. f GDPR);

The storage of information in your terminal device or access to information that is already stored in the terminal device is only permitted if it is covered by one of the following legal grounds:

• § 25 (1) of the German Telecommunications Digital Services Data Protection Act (TDDDG): If you have given your consent on the basis of clear and comprehensive information. Consent must be given in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR;
• § 25 para. 2 no. 2 TDDDG: If the storage or access is absolutely necessary so that we, as provider of a telemedia service, can offer a telemedia service expressly requested by you.

Server logs
When you visit our websites, we record the following information:

• your IP address;
• the data you requested from the website;
• how much data you downloaded;
• the website from which your accessing system came to our website;
• the server reply code on the request from your browser;
• information about the browser you used;
• the date and time you visited, and for how long; and
• other similar data and information that serves to avert the risk of an attack on our information technology systems.

Roland Berger generally cannot attribute this data to any specific person.

This information is required in order to:

• properly deliver the contents of our websites;
• continually optimize our websites;
• ensure the continued functioning of our information technology systems and the technology of our websites; and
• provide law enforcement authorities with the necessary information for prosecution in the event of a cyberattack.

The legal basis for the processing of the data is Art. 6 para. 1 lit. a) GDPR (to optimize our websites), Art. 6 para. 1 lit. f) GDPR (to properly deliver the contents of our websites and to ensure the continued functioning of our information technology systems and the technology of our websites) and Art. 6 para. 1 lit. c) GDPR (to provide law enforcement authorities with the necessary information for prosecution in the event of a cyberattack).

Personal Data obtained from you directly
We record and process information you enter on our websites or send us otherwise. This includes data you enter in forms or contact fields (e.g. for the subscription of Newsletters) or select from lists or menus.

There are some points on our websites where you can send us information by uploading documents via those websites to our servers. That is what happens when you apply online, for example (refer to the supplementary Recruitment Privacy Policy ).

On our websites, you also have the possibility to contact Roland Berger using the contact forms, email addresses, telephone and fax numbers provided there. When you contact us through the above channels, we will store and process the resulting personal data for the purposes of dealing with your request. Your information can be stored in our Customer Relationship Management (CRM) system. All data are used exclusively for the processing of your request.

The legal basis for the processing of the data is Art. 6 para. 1 lit. f) GDPR (general requests). Where the data are processed in order to take steps prior to entering into a contract at your request, the legal basis shall be Art. 6 para. 1 lit. b) GDPR. We process the personal data we collect solely for the purposes of effectively handling the requests addressed to us.

Profile and login information for access-protected areas
There are some access-restricted areas of the websites for which you need to register before you can use them, like the recruiting/applicant and alumni areas in particular. When registering, there are some details you have to enter that the registration form itself requires, particularly your email address, a password, and some information about yourself. Any other details you enter are voluntary. We process and save this data in accordance with the supplementary Privacy Policies for applicants and alumni .

In some areas of our websites, like our alumni network in particular, some of your registration data or contributions you make can be seen by other users once they log in. It is up to you to decide whether you want other registered users of this site to see your information and, if so, what. You can change these settings at any time. During the registration process, we will ask you to give your consent for processing and saving that data. The legal basis for processing that data is Art. 6 para 1 lit. a) GDPR.

Within our website, we use content or service offers from third parties in order to integrate their content and services. In case of technically necessary cookies we do this on the legal basis of our legitimate interests according to Art. 6 para. 1 lit. f) GDPR, in case of technically non-necessary cookies on the legal basis of your consent according to Art. 6 para. 1 lit. a) GDPR and § 25 para. 1 TDDDG.

Third-party providers may also use so-called pixel tags (invisible graphics, also known as "web beacons") for statistical or marketing purposes. The "pixel tags" can be used to evaluate information such as visitor traffic on the pages of this website.

During some visits we may use software tools such as JavaScript to measure and collect session information, including page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse overs), and methods used to browse away from the page. We may use this information to measure website activity, to develop ideas for improving our websites and for any other purpose to the extent permitted by applicable law.

The pseudonymous information may also be stored in cookies on the user's device and may contain, among other things, technical information about the browser and operating system, referring websites, visiting times and other details about the use of our online offering, and may also be linked to such information from other sources.

We use and engage certain providers to use cookies, web beacons, and similar tracking technologies (collectively, "cookies") on our website. In the following you will find an overview of third-party providers and their content as well as links to their privacy policies, which contain further information on the processing of data and if applicable further options to object (known as opting out). You can, of course, change or withdraw any consent you may have given for cookies that are not absolutely technically necessary in this Privacy Policy under Cookie Declaration.

2.2.2.1 Google Analytics
If you have given your consent, this website uses Google Analytics (GA4), a web analytics service provided by Google LLC. The responsible party for users in the EU/EEA and Switzerland is Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland ("Google").

Scope of processing
Google Analytics uses JavaScript, Pixel and cookies that enable an analysis of your use of our websites. The information collected by means of the cookies about your use of this website is generally transferred to a Google server in the USA and stored there.
We use the User ID function. User ID allows us to assign a unique, persistent ID to one or more sessions (and the activities within those sessions) and to analyze user behavior across devices.
We use Google Signals. This allows Google Analytics to collect additional information about users who have personalized ads enabled (interests and demographics) and ads can be delivered to these users in cross-device remarketing campaigns.
Google Analytics 4 has IP address anonymization enabled by default. Due to IP anonymization, your IP address will be shortened by Google within member states of the European Union or in other states party to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transferred to a Google server in the USA and shortened there. According to Google, the IP address transmitted by your browser as part of Google Analytics will not be merged with other Google data.

As part of the evaluation, Google Analytics 4 also utilizes artificial intelligence such as machine learning for automated analysis and enrichment of data. For instance, Google Analytics 4 models conversions when there is not enough data available to optimize the evaluation and reports. You can find information on this at the related link . Data evaluations are conducted automatically using artificial intelligence or based on specific individually defined criteria. More on this can be found at the related link .

During your website visit, your user behavior is recorded in the form of "events". Events can be:

• Page views
• First visit to the website
• Start of session
• Your "click path", interaction with the website
• Scrolls
• clicks on external links
• internal search queries
• interaction with videos
• file downloads
• language settings
• newsletter subscription

Also recorded:

• Your approximate location (region)
• your IP address (in shortened form)
• technical information about your browser and the end devices you use (e.g. language setting, screen resolution)
• your internet service provider
• the referrer URL (via which website/advertising medium you came to this website)

Purposes of processing
On our behalf, Google will use this information to evaluate your use of the website and to compile reports on website activity. The reports provided by Google Analytics serve to analyze the performance of our website and the success of our marketing campaigns.

Recipients
Recipients of the data are/may be:

• Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (as processor under Art. 28 DSGVO).
• Google LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, USA
• Alphabet Inc, 1600 Amphitheatre Parkway Mountain View, CA 94043, USA

It cannot be ruled out that US authorities may access the data stored by Google.

Third country transfer
Insofar as data is processed outside the EU/EEA and there is no level of data protection corresponding to the European standard, we have concluded EU standard contractual clauses with the service provider to establish an appropriate level of data protection. The parent company of Google Ireland, Google LLC, is based in California, USA. A transfer of data to the USA and access by US authorities to the data stored by Google cannot be ruled out. The USA is currently considered a third country from a data protection perspective. You do not have the same rights there as within the EU/EEA. You may not be entitled to any legal remedies against access by authorities.

Duration of storage
Google places the following cookies when you visit our website and consent to the use of Google Analytics cookies:

_ga (14 Months): This helps us count how many people visit our web presentation if you have already visited before.

_gid (24 Hours): This helps us count how many people visit our web presentation if you have already visited before.

_gat (14 Months): This helps us manage the frequency at which requests for page views are made.

Legal basis
The legal basis for this data processing is your consent pursuant to Art.6 para.1 p.1 lit. a GDPR.

Revocation
You can revoke your consent at any time with effect for the future by accessing the cookie settings and changing your selection there. The lawfulness of the processing carried out on the basis of the consent until the revocation remains unaffected.

You can also prevent the storage of cookies from the outset by setting your browser software accordingly. However, if you configure your browser to reject all cookies, this may result in a restriction of functionalities on this and other websites. In addition, you can prevent the collection of data generated by the cookie and related to your use of the website (including your IP address) to Google and the processing of this data by Google, by

a. not giving your consent to the setting of the cookie or

b. downloading and installing the browser add-on to disable Google Analytics HERE .

For more information on Google Analytics' terms of use and Google's privacy policy, please visit https://marketingplatform.google.com/about/analytics/terms/us/ and at https://policies.google.com/?hl=en .

Server-Side Tracking

We implemented server-side tracking services. As part of this, usage, browser, and device data, including the IP address and user agent, are collected and processed on the server-side. The purpose of this processing is to analyze the use of the website, enabling us to further tailor and improve our website and content. As part of the server-side tracking, we utilize servers that are part of the Google Cloud infrastructure. These servers belong to services such as Google Compute Engine, over which we have full access and control. Although Google provides the platform, the company does not have direct access to our applications or the data stored on them. Access by Google is only possible in specific exceptional cases.

2.2.2.2. Google Tag Manager
This website uses Google Tag Manager. Google Tag Manager is a solution that allows marketed website tags to be managed using an interface. The Tag Manager tool itself (which implements the tags) is a cookie-less domain and does not register Personal Data. The tool causes other tags to be activated that may, for their part, register data under certain circumstances. Google Tag Manager does not access this information. If recording has been deactivated at the domain or cookie level, this setting will remain in place for all tracking tags implemented with Google Tag Manager.

Your consent is the legal basis for this data processing, Art. 6 para.1 lit.a) GDPR.

2.2.2.3 FriendlyCaptcha

To detect bots and ensure the functionality of our website, we use the privacy-friendly solution "Friendly Captcha," a service provided by Friendly Captcha GmbH, Am Anger 3-5, 82237 Wörthsee, Germany. When you visit certain areas of our website, such as the contact form, a connection to the Friendly Captcha servers is established. Your browser receives a computational task that must be solved by your device. Your browser contacts the server of Friendly Captcha through an interface and receives a response indicating whether the puzzle was correctly solved by your device. Additionally, your browser transmits connection data, environmental data, interaction data, and functional data to Friendly Captcha. Friendly Captcha analyzes this data to determine the likelihood of the user being human or a bot and transmits the result to the service user. Based on this, the service user can treat access to their website or specific functions as either human or potentially automated. If personal data (such as your IP address) are processed in this context, they are anonymized using one-way hashing. For more information, please refer to Friendly Captcha’s privacy policy: Datenschutzbestimmungen für Endnutzer - Friendly Captcha .

We offer the possibility to subscribe to Newsletters and studies, participate in surveys or in interviews, receive similar information and marketing materials (“Newsletter”), or register for events. If you would like to use these services, we will need a working email address from you and details to enable us to verify that this email address is really yours and whether you agree to receive the Newsletters. For legal reasons, an email will be sent to the email address you provided asking for confirmation in a double-opt-in procedure after signing up for our Newsletter. The legal basis for sending Newsletters Newsletteris Art. 6 para. 1 lit. a) GDPR.

When you register, we record the following data:

• Title (required)
• First name (required)
• Last name (required)
• Email (required)
• Company (required)
• Job title (required)
• Country (optional)

The Personal Data collected when ordering information and marketing material will be used exclusively for the following purposes:

• Sending the Newsletter
• Consulting, marketing and advertising
• Composing the topics of the Newsletter according to your interests

Our Newsletters and other automatically sent emails with information and marketing material as well as emails in connection with events contain so-called web beacons for statistical analysis. We use these to optimize the content of the Newsletters and adapt them better to user interests. By integrating these web beacons, we can identify when an email was opened by a person concerned and which links in the email were opened. This will only be done with your consent when requesting such emails.

If you register for one of our events, we also use your Personal Data for the following purposes: to identify you as a registered participant of the event, to grant you access to the event, to send reminders and to inform you if there are any changes to the event (e.g. a change of date and time), to contact you after the event to ask for your feedback in accordance with Art. 6 para. 1 lit. b) GDPR.

For the implementation of the online event (e.g webinar) we use Microsoft Teams or Zoom. For this specific purpose separate data protection notice apply (refer to the supplementary Data Protection Information for M365 Cloud Services by RB and Data Protection Information for Telephone Conferences and Webinars via "Zoom" ).

In addition, photographs and/or video recordings can be taken at the event. If you do not wish to be photographed or filmed, please let the photographer or camerapeople know on the spot. We process the photographs and/or video recordings for the purposes of documentation of the event, for printed and for online publicity on our publicly available websites or/and on social media (a.o. Instagram, Facebook, LinkedIn). For controllers in the EU the legal basis for taking and publishing of photographs and/or video recordings is our legitimate interests in reporting on the event pursuant to Art. 6 para. 1 lit. f) GDPR. We ask for your separate consent pursuant to Art. 6 para. 1 lit. a) GDPR for the publication of photos, if the content and composition of the photos or the intended use requires this.

In case Roland Berger organizes a competition on a social media channel of Facebook or Instagram following personal data will be process:

• participant´s account name on social media channel;
• winners last name, first name, birthday, address.

A processing of the data is carried out exclusively for the implementation of the competition (for the purpose of the implementation of the participation contract and in particular for the notification of the prize). The legal basis for this data processing is Art. 6 para. 1 lit. b) GDPR and Art. 6 para. 1 lit. f) GDPR.

If you have had contact with us for the purpose of concluding a contract (e.g. consulting agreement) between us, for example through emailing or meeting our representative, we collect, use and store limited amounts of personal information relating to you, such as your name, job title, employer organization, contact details and other information necessary for the contract (e.g. for advising to the Client).

We collect, process and store this personal information for the following purposes:

• Identification of shareholders and employees or contact persons of Client or Supplier
• Provision of advisory support to Client and for the performance of the contract
• For corresponding with the Client or Supplier or the contact persons of the Client or Supplier
• For invoicing
• In relation to managing disputes or any other legal complaints
• Contacting the shareholders or the contact persons of Client or Supplier in the event of future business transactions of interest to the shareholders and/or Client or Supplier
• To invite Client or Supplier to take part in marketing or other promotional events, or seminars or similar events, and to inform Client or Supplier about other topics which might interest them
• To carry out sanction list / compliance screenings (see more details below)
• To ask you for feedback (for instance, in a survey about our client services and to manage, review and act on feedback we are getting)
• To send you our Newsletter in case you have given us your business card for the purpose of sending you information and making further business contact

The legal basis for processing the data is Art. 6 para 1 lit. b) GDPR as it is necessary for the entering into a contract, for the establishment, execution and termination of the contract and for the mutual fulfilment of obligations arising from the contract, further Art. 6 para 1 lit. c) GDPR as it is legal obligation in case of managing disputes or any other legal complaints, further your consent according to Art. 6 para 1 lit. a) GDPR in case you have given us your business card, and Art. 6 para 1 lit. f) GDPR as it is necessary for the legitimate interests of Roland Berger.

We may carry out sanction list / compliance screenings with regard to the business relationship with you and in compliance with legal compliance obligations. Any such use of your Personal Data is based on the permission to process Personal Data in order to comply with statutory obligations (Art. 6 para. 1 lit. c) GDPR) and our legitimate interests (Art. 6 para. 1 lit. f) GDPR) or under the equivalent provisions under applicable law.

In some cases, we search and use Personal Data from public sources (such as LinkedIn, Xing and other publicly available sources on the internet) to complete or correct your data (first name, company, country, etc.). We store this data in our CRM system. The legal basis for this data processing is Art. 6 para. 1 lit. f) GDPR.

Your personal data, such as names, email addresses, organisational details, may also be processed by us in connection with the use of our Microsoft 365 Services. For this specific purpose separate data protection notice apply (refer to the supplementary Privacy Policy for Microsoft365 Cloud Services ).

When you visit our offices, we can collect the following personal information about you for the following purposes:

• contact information by completion of the security list of visitors in line with our legitimate interests (security of the building);
• video images of you in the entry and exit areas from CCTV footage in line with our legitimate interests (security of the building);
• your name and time of entry to our offices through a security access system in line with our legitimate interests (maintaining security of our offices);
• names and dietary preferences for catering purposes in meetings in line with our legitimate interests (respecting visitors’ needs);
• health data to assist in the control of infectious diseases (such as the virus Covid-19) in line with our health and safety legal obligations;
• if applicable, health information by completion of the first aid accident book in order to comply with our health and safety legal obligations; and
• guests’ name and if applicable other information for the purpose of organising events (for example conferences, charity events or student/alumni events) and providing name badges, attendee lists, team lists and table plans.

We have the applicants' area of our different recruiting websites, where potential applicants can apply for jobs, internships and other positions. For this specific purpose a separate data protection notice applies (refer to the supplementary Recruitment Privacy Policy ).

We have our alumni area, where people who used to work for Roland Berger can keep in touch with their former colleagues and the company itself. For this specific purpose separate data protection notice apply (refer to the supplementary Data Protection Notice for alumni ). In order to support our alumni and employees, we offer them our exclusive Pathfinder Job board, where Clients, alumni, and executive search companies can post jobs in this exclusive database. For this specific purpose a separate data protection notice applies (refer to the supplementary Data Protection Notice for Pathfinder ).

When visiting our Page on TikTok (i.e. our User Profile), TikTok collects personal data of the users. Information about the data collection and further processing by TikTok can be found in TikTok's privacy policy .

Roland Berger has no influence on what user data TikTok collects. Roland Berger also has no access to the personalized collected data or your profile data. Roland Berger can only see the public information of your profile and you decide in your TikTok settings what exactly this data is. In addition, you have the option in your TikTok settings to actively hide your "Likes" or to no longer follow the Roland Berger TikTok Page. Then your profile will no longer appear in the list of followers of our TikTok Page.

Roland Berger receives anonymous statistics from TikTok regarding the use and usage of the TikTok Page. The following information is provided here, for example:

• Followers: number of people who follow Roland Berger - including growth and development over a defined time frame.
• Reach: number of people who see a specific post. Number of interactions on a post. This can be used, for example, to determine which content is better received by the community than others.
• Ad performance: how many people saw an ad.
• Demographics: average age of visitors, gender, location, language.

We use these statistics, from which we cannot draw any conclusions about individual followers, to constantly improve our online offering on TikTok and to better respond to the interests of our followers. We cannot link the statistical data with the profile data of our followers. You can decide via your TikTok settings in which form targeted advertising will be shown to you. Roland Berger will display ads for events, jobs and employer branding. TikTok's " Ads and Your Data " guide gives you an overview of how your personal data is processed in connection with Ads.

Roland Berger receives personal data through TikTok when you actively share it with us via a personal message or comment on our TikTok Page (User Profile).

For the use of various TikTok services, we have concluded several data protection agreements with TikTok Ireland and TikTok United Kingdom (Joint Controller Agreement and Data Processing Agreement).

On our WhatsApp Channel "Roland Berger Career" you will find tips and information about the application process at the Roland Berger Group.

We do not process your personal data. However, if you have stored your first and last name or a photo as a display image in your WhatsApp profile, this personal data can be viewed by us. We do not (further) process this data. We cannot access your telephone number.

You can object to the data processing within the WhatsApp channel at any time by selecting "No longer subscribe" in the channel info.

WhatsApp is operated by WhatsApp Ireland Limited, Merrion Road, Dublin 4, D04 X2K5 Ireland. Further Information on the handling of your personal data can be found in the following privacy notice: https://www.whatsapp.com/legal/channels-privacy-policy-eea?lang=de.

Where does data go once it reaches Roland Berger?
Once you send data, or it is collected on our websites, we transmit it within Roland Berger to the recipients who need to know it. Applications, for instance, go to our human resources department and the department for which the position is advertised (refer to the supplementary Recruitment Privacy Policy ).

External service providers
We may involve service providers who support us in the processing of Personal Data or otherwise and who may come into contact with your Personal Data. This will only happen after the prior conclusion of a Data Protection Agreement that obligates our service providers to process Personal Data only according to our instructions and to keep it confidential.

Intra-group sharing, Joint Controllers
Within the Roland Berger Group's organization, there is a need to exchange Personal Data on an intra-group basis as Controller to Controller or Joint Controllers.

For example in the course of our business relationship with you, we may share Business Partner contact information with affiliated group companies. We and these companies (see the list here ) are jointly responsible for the proper protection of your personal data (Art. 26 GDPR). To allow you to effectively exercise your data subject rights in the context of this joint controllership, we entered into an agreement with these companies granting you the right to centrally exercise your data subject rights under section 4 of this Privacy Notice against Roland Berger Holding GmbH & Co. KGaA, Sederanger 1, 80538 Munich, Germany.

Roland Berger entities might also be established outside the EU or the EEA. In such cases, we will ensure that there are adequate safeguards (i.e. EU standard contractual clauses) in place to protect your Personal Data. We at Roland Berger are responsible for informing you about your rights as a data subject under applicable data protection laws. You can address any requests or complaints you may have with regard to your Personal Data to Roland Berger ( How to contact us? ). The other Roland Berger entities within the Roland Berger Group's organization that might also keep your Personal Data will give us reasonable cooperation, assistance and information in order to comply with such requests or complaints.

Sending data to third parties
As a fundamental rule, we do not disclose, transfer, sell or otherwise market Personal Data to third parties, such as other companies or organizations, without your express consent except as required to meet our contractual obligations between Roland Berger and you.

For example the following categories of recipients may receive your personal data:

• authorities, courts, parties to a legal dispute or their designees to whom we are required to provide your personal data by applicable law, regulation, legal process or enforceable governmental order, e.g., tax and customs authorities, regulatory authorities and their designees, financial market regulators, public registries;
• auditors or external consultants such as lawyers, tax advisors, insurers or banks, and
• another company in the event of a change of ownership, merger, acquisition or disposal of assets.

Transfer of data to countries outside the EU/EEA
Where there is a sufficient legal basis, your Personal Data may be transferred to and processed outside the EU/EEA in other countries where laws and provisions governing the processing of Personal Data may be less stringent. In such cases, we will ensure that the data transfer is based on an adequacy decision (e.g., the EU-US Data Privacy Framework for transfers to the U.S. for certified companies ) or conclusion of the EU standard contractual clauses, which can be viewed and downloaded here .

Data subjects have rights with respect to Roland Berger in relation to their Personal Data in accordance with Art. 15-21 GDPR. In particular, you have the right to:

• request a copy of the Personal Data we hold about you (right of access, Art. 15 GDPR);
• ask that we update the Personal Data we hold about you, or correct any Personal Data that you think is incorrect or incomplete (right to rectification, Art. 16 GDPR);
• ask that we delete Personal Data that we hold about you, or restrict the way in which we use your Personal Data (right to erasure, Art. 17 GDPR and right to restriction of processing, Art. 18 GDPR)
• object to our processing of your Personal Data (right to object, Art. 21 and 22 GDPR)
• request that your Personal Data be transferred to you or another data controller (right to data portability, Art. 20 GDPR).

If you are unhappy with the way we have handled your Personal Data or any data protection query or request that you have raised with us, you have a right to complain to the competent supervisory authority (Art. 77 GDPR). We would, however, appreciate the chance to deal with your concerns before you approach the data protection authority, so please contact us in the first instance.

We may need to request specific information from you to help us confirm your identity and ensure your right of access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.

Objection and withdrawal of consent
If you have given us your consent to process your Personal Data (Art. 6 para. 1 lit. a) GDPR), you can withdraw your consent at any time with future effect. If we process your Personal Data based on Art. 6 para. 1 lit. f) GDPR (legitimate interests), you can object at any time to the processing of your Personal Data for marketing reasons.

Please use either the link included in each Newsletter we send you or, alternatively, contact Roland Berger via mail, fax, email or using the contact details given above under How to contact us.

We store Personal Data in accordance with legal storage periods. We routinely delete this Personal Data or block it once these periods expire or the reasons for storage cease to apply, in accordance with data protection rules.

If you have agreed to a longer duration for storing, processing and using your data, we will delete or block your data after this duration expires or should you revoke your consent (refer to the supplementary Privacy Policy for applicants ).

We will retain the data you transfer to us in contact requests until you ask for their deletion, object to their storage, or the purpose for their storage no longer applies. The purpose for the storage of the data no longer applies when it becomes evident that the underlying issue has been conclusively settled.

We comply with applicable data protection laws. This says that the personal information we hold about you must be:

• used lawfully, fairly and in a transparent way;
• collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes;
• relevant to the purposes we have told you about and limited only to those purposes;
• accurate and to the extent appropriate, kept up to date;
• kept only as long as necessary for the purposes we have told you about; and
• kept securely.

In accordance with legal requirements, Roland Berger has taken extensive technical and organizational measures to ensure a level of protection that is in line with, or in some cases exceeds, data privacy requirements. The measures taken protect not only Personal Data, but also other data processed on the same systems. Roland Berger operates an Information Security Management System (ISMS) which is certified according to ISO/IEC 27001:2013. The ISMS provides the framework for ensuring the information security goals confidentiality, integrity and availability.

The security of your data is important to us, so all the areas of our websites where you can actively input data use encrypted data transmission such as TLS (Transport Layer Security) to protect your data from being accessed by unauthorized third parties.

If you register to use access-protected areas of Roland Berger's websites, you should keep the login details you receive in a safe place and protected from access by third parties. If you log in on a computer that is used by more than one person, please do not forget to log off properly at the end of each session and close the browser window you were using.

With help of the extensive technical and organizational security precautions Roland Berger protects your Personal Data from being manipulated, either accidentally or deliberately, or being lost, destroyed or accessed by unauthorized third parties. We are constantly improving these precautions as technology develops.

This Privacy Notice was last modified on March 5th, 2025. We may occasionally modify or amend it from time to time. When we make changes to this Privacy Notice we will update the revision date at the top of this Privacy Notice. Where those changes are material, we will take steps to let you know. The new modified or amended Privacy Notice will apply as from that revision date. Please always verify whether you have consulted the latest version of the Privacy Notice.