MPC Capital AG Data Privacy Advisory

II. Name and address of the data protection officer

The data protection officer of the controller is:

Luther Rechtsanwaltsgesellschaft mbH
Franziska Tilgner
Anna-Schneider-Steig 22
50678 Cologne
Tel.: +49 (0)221 9937 25790
Email: dataprotectionnoSpam@mpc-it.com

B. General information on data processing

I. Scope of personal data processing

We collect and use personal data from our users only to the extent necessary to provide a functional website and our content and services. The processing of personal data of our users is only carried out on the basis of a legal authorization or with the consent of the user.

Personal data within the meaning of Art. 4 No. 1 GDPR is any information relating to an identified or identifiable natural person; A natural person is considered identifiable if they can be identified directly or indirectly, in particular by association with an identifier such as a name, an identification number, location data, an online identifier, or one or more special characteristics that express the physical, physiological, genetic, psychological, economic, cultural, or social identity of that natural person.

II. Legal basis for data processing

The processing of personal data is generally prohibited and only permitted if the processing falls under one of the following legal bases:

• Insofar as we obtain the consent of the data subject for the processing of personal data, Art. 6 (1) (a) GDPR serves as the legal basis.
• When processing personal data that is necessary for the performance of a contract to which the data subject is a party, Art. 6 (1) lit. b GDPR serves as the legal basis. This also applies to processing operations that are necessary for the implementation of pre-contractual measures.
• Insofar as the processing of personal data is necessary to fulfill a legal obligation to which our company is subject, Art. 6 (1) lit. c GDPR serves as the legal basis.
• In the event that vital interests of the data subject or another natural person require the processing of personal data, Art. 6 para. 1 lit. d GDPR serves as the legal basis.
• If processing is necessary to safeguard a legitimate interest of our company or a third party and if the interests, fundamental rights, and freedoms of the data subject do not outweigh the former interest, Art. 6 (1) lit. f GDPR serves as the legal basis for processing.

The storage of information in the end user's terminal equipment or access to information already stored in the terminal equipment is only permitted if it is covered by one of the following legal bases:

• If the end user has given their consent on the basis of clear and comprehensive information and the consent has been given in accordance with Art. 6 (1) (a) GDPR, § 25 (1) of the German Telecommunications Digital Services Data Protection Act (TDDDG) serves as the legal basis.
• If storage or access is absolutely necessary for the provider to be able to provide the service expressly requested by the user, Section 25 (2) No. 2 TDDDG serves as the legal basis.

We specify the applicable legal basis for each of the processing operations we carry out below. Processing may be based on several legal bases.

III. Data deletion and storage period

The personal data of the data subject will be deleted or blocked as soon as the purpose of storage no longer applies. Storage may also take place if this has been provided for by European or national legislators in Union regulations, laws, or other provisions to which the controller is subject. The data will also be blocked or deleted when a storage period prescribed by the aforementioned standards expires, unless there is a need for further storage of the data for the conclusion or fulfillment of a contract.

C. Purposes and legal basis of data processing 

I. Informational use of the website

You can visit our website without providing any personal information. If you use our website for informational purposes only, we do not process any personal data, with the exception of the data transmitted by your browser to enable you to visit the website and information transmitted to us in the context of cookies used. 

II. Provision of the website and creation of log files

1. Description and scope of data processing

Each time our website is accessed, our system automatically collects data and information from the computer system of the accessing computer.

The following data is collected:
(1) Information about the browser type and version used
(2) The user's operating system
(3) The user's IP address
(4) Date and time of access
(5) Websites from which the user's system accesses our website
(6) Websites accessed by the user's system via our website

The data is stored in our system's log files. This data is not stored together with other personal data relating to the user. Log files are structured log files in which web servers automatically collect and store certain information about accesses and activities on a website.

2. Purpose of data processing

For the purpose of the technical provision of the website, our system (i.e. the web server) automatically collects information from your browser each time you access the website.

The temporary storage of the IP address by the system is necessary to enable the website to be delivered to the user's computer. For this purpose, the user's IP address must remain stored for the duration of the session.

The data is stored in log files to ensure the functionality of the website. In addition, the data helps us to optimize the website and to ensure the security of our information technology systems. The data is not evaluated for marketing purposes in this context.

3. Legal basis for data processing

We process your personal data for the technical provision of our website on the following legal basis:

• to fulfill a contract or to carry out pre-contractual measures in accordance with Art. 6 (1) (b) GDPR, insofar as you visit our website to find out about our company and our products/services;
• to protect our legitimate interests pursuant to Art. 6 (1) (f) GDPR in order to be able to provide you with the website from a technical perspective. Our legitimate interest lies in providing you with an appealing, technically functional, and user-friendly website, as well as taking measures to protect our website from cyber risks and preventing cyber risks to third parties arising from our website.

4. Duration of storage

The data will be deleted as soon as it is no longer necessary for the purpose for which it was collected. In the case of data collection for the provision of the website, this is the case when the respective session has ended.

In the case of data storage in log files, this is the case after 365 days at the latest.

IP addresses are logged in full for a maximum of 24 hours. After that, they are anonymized by deleting the last octet, so that it is no longer possible to assign them to the calling client.

5. Right to object and right to erasure

In principle, you have the right to object to the storage of log files or IP addresses or to request their deletion, unless the controller can demonstrate compelling legitimate grounds for processing that outweigh your interests or fundamental rights and freedoms ( ). One such reason is to ensure the protection of our IT systems. This requires the log files to be stored for 365 days. It is also necessary to log the IP address for 24 hours before it is anonymized. The user has no right to object or request deletion before the end of the storage period or anonymization.

III. Use of cookies

1. Description of data processing

Our website uses cookies. Cookies are text files that are stored in the Internet browser or by the Internet browser on the user's computer system. When a user accesses a website, a cookie may be stored on the user's operating system. When a website is accessed, the website is accessed in order to read the previously stored text files and, for example, to retrieve the previous language setting. Our website uses technically necessary cookies and optional cookies. 

2. Consent Management

We use the Consent Manager sgalinski Cookie Opt-In (sgalinski Internet Services, Bahnhofstraße 52, 37339 Gernrode) on our website. With the help of the Consent Manager, we obtain your consent for certain data processing operations that require consent (e.g., analysis, tracking, etc.). By using the Consent Manager, we can inform you about the individual cookies and tools we use. You can use the Consent Manager to choose which cookies and tools you want to allow or reject categorically. This enables you to make an informed decision about the transfer of your data and allows us to use cookies and tools in a manner that is compliant with data protection regulations, transparent, and documented. 

With the help of the Consent Manager, we process your personal data in order to record your decision on the acceptance of cookies and tools and to store it for a return visit to our website. This includes, in particular, the corresponding cookie with your (consent) decision. The cookie is stored for one year from the date of consent. 

We process your personal data for the technical provision of our website on the following legal bases:

• for the technical provision of our website and consent management in accordance with Section 25 (2) No. 2 TDDDG, as the processing of the above-mentioned data is absolutely necessary to enable you to use our website as you expressly requested (i.e., with or without cookies);
• to fulfill a contract or to carry out pre-contractual measures in accordance with Art. 6 (1) (b) GDPR, insofar as you visit our website to conclude a contract with us or to find out about our offers;
• for the use of cookie management to fulfill a legal obligation to which we are subject as the controller pursuant to Art. 6 (1) (c) GDPR. The legal obligation lies in informing you about the cookies we use and in obtaining and documenting your consent to data processing; and
• to safeguard our legitimate interests pursuant to Art. 6 (1) (f) GDPR in order to be able to provide you with cookie management from a technical perspective. Our legitimate interest lies in being able to provide you with an appealing, technically functional, and user-friendly cookie management system, as well as taking measures to protect the cookie management system from cyber risks and preventing the cookie management system from posing cyber risks to third parties.

3. Optional cookies

We also use optional cookies. You can consent to the use of optional cookies in whole or in part via the Cookie Consent Manager. Further information on the type, purpose, and storage duration of optional cookies can be obtained directly from the Cookie Consent Manager. 

The legal basis for the processing of your personal data through the use of optional cookies is your consent in accordance with Art. 6 (1) (a) GDPR.

The legal basis for the storage and use of optional cookies on your device is your consent pursuant to Section 25 (1) TDDDG in conjunction with Art. 6 (1) (a) GDPR.

IV. Video integration on the website

1. Description and scope of data processing

We embed videos on our website that are hosted on the YouTube video platform. The purpose of processing is to be able to offer you video content on our website and thus an attractive offering. The provider is Google Ireland Ltd. (YouTube), Gordon House, Barrow Street, Dublin 4, Ireland ("Google"). The address of the German branch is: Google Germany GmbH, ABC-Straße 19 Hamburg.

The integration of videos via YouTube is initially restricted and will only be displayed after you have given your express consent. This ensures that when you simply visit our website, no connection is established with YouTube's servers and does not transmit your data to YouTube. Only when you consent to the transfer to YouTube and/or make the appropriate settings in the Consent Manager will your browser establish a direct connection to YouTube so that you can watch a video embedded on the page.  In doing so, the YouTube server is informed which of our pages you have visited. In addition, further personal data, in particular your IP address and device and browser information, is collected and transmitted to Google.

Below you will find links to the privacy policies and information of the respective providers:

• YouTube: https://policies.google.com/privacy?hl=de

2. Legal basis for data processing

Your consent pursuant to Art. 6 (1) (a) GDPR serves as the legal basis for the processing of personal data in this context. 

The legal basis for the storage and access of cookies provided by Google is your consent in accordance with Section 25 (1) TDDDG in conjunction with Art. 6 (1) (a) GDPR. You can revoke your consent at any time with future effect via our consent management tool.

3. Processing by Google

Google may also transfer the data transmitted via YouTube to third countries (in particular the USA). For the USA, there is an adequacy decision by the EU Commission (EU-US Data Privacy Framework). Further information on data processing by Google can be found in Google's privacy policy. Google also stores your data independently. 

V. Integration of the share price on the website

1. Description and scope of data processing

We integrate a widget for our share price on our website, which is provided by Deutsche Börse AG, 60485 Frankfurt am Main. The purpose of the processing is to offer you an attractive website. The integration of the share price via Deutsche Börse AG is initially restricted and will only be displayed after you have given your express consent. This ensures that simply visiting our website does not establish a connection to the servers of Deutsche Börse AG and that your data is not transmitted to Deutsche Börse AG. Only when you consent to the transfer to Deutsche Börse AG and/or make the appropriate settings in the Consent Manager will your browser establish a direct connection to Deutsche Börse AG so that you can see the share price integrated on the page. Your IP address will be transmitted to Deutsche Börse AG in the process. 

2. Legal basis for data processing

Your consent pursuant to Art. 6 (1) (a) GDPR serves as the legal basis for the processing of personal data in this context. 

The legal basis for the storage of and access to the cookies provided by Deutsche Börse AG is your consent pursuant to Section 25 (1) TDDDG in conjunction with Art. 6 (1) (a) GDPR. 

You can revoke your consent at any time with future effect via our consent management tool.

VI. User inquiries

In addition to using our website for purely informational purposes, you can also actively use our website to contact us.

In order to process and respond to your inquiries to us, e.g., to our email address or by telephone, we process the personal data you provide in this context. This includes, in any case, your name and your email address or telephone number in order to send you a reply, as well as any other information you send us in your communications.

We process your personal data to respond to user inquiries on the following legal bases:

• To protect our legitimate interests pursuant to Art. 6 (1) (f) GDPR; our legitimate interest consists in responding appropriately to inquiries;
• If the inquiry is aimed at concluding a contract, the additional legal basis is Art. 6 (1) (b) GDPR
• If the inquiry is aimed at asserting your rights as a data subject, the additional legal basis is Art. 6 (1) (c) GDPR, as the processing of your data is necessary for the fulfillment of legal obligations.

VII. Advertising purposes and newsletters

With your consent, we use your data for advertising purposes, such as sending you our newsletter, sending you information about download links, inviting you to events that may be of interest to you, follow-ups, status updates, birthday mailings, market research, and other marketing and promotional campaigns. We collect mandatory information such as your email address, but also information that you voluntarily provide to us. We use the voluntary information to continuously improve our customer relationship.

If you have provided us with your email address in connection with the purchase of goods or services, we may subsequently use it to send you a newsletter. In such cases, the newsletter will only be used to send direct advertising for our own similar goods or services.

We process your data for the purpose of sending newsletters, surveys, etc., and personalizing our communications with you on the following legal bases:

• if you have given us your consent, in accordance with Art. 6 (1) (a) GDPR;
• if you have provided us with your email address in connection with the purchase of goods or services or if we send you personalized advertising, to protect our legitimate interests in accordance with Art. 6 (1) (f) GDPR in conjunction with § 7 (3) UWG (German Unfair Competition Act); our legitimate interest is based on our economic interests in carrying out advertising measures and target group-oriented advertising.

Right to object to use in the context of concluding a contract

If we receive your email address in connection with the conclusion of a contract and the provision of our products/services and you have not objected to this, we reserve the right to regularly send you offers for similar products from our range by email. You can object to this use of your email address at any time by sending a message to the contact option described below or via a link provided for this purpose in the newsletter email, without incurring any costs other than the transmission costs according to the basic rates.

VIII. Data recipients

Your data will only be passed on to third parties if this is permitted or required by law or if you have given your consent. We also share your data with the service providers we use to the extent necessary to provide our services. We limit the transfer of data to what is necessary to provide our services to you. In some cases, our service providers receive your data as processors and are then strictly bound by our instructions when handling your data. In some cases, the recipients act independently with the data we transfer to them. 

Below we list the categories of recipients of your data: 

• IT service providers who, among other things, assist with the administration and maintenance of the systems
• Public authorities and institutions, insofar as we are legally obliged to do so.

IX. Third country transfer

Data will only be transferred to countries outside the EU or the EEA (so-called third countries) if this is necessary for the processing of our contractual relationships or required by law, if you have given us your consent, or in the context of order processing. As a matter of principle, we do not transfer your personal data to countries outside the EU or the EEA or to international organizations.

X. Scope of your obligations to provide data

In principle, you are not obliged to provide us with your personal data. However, if you do not do so, we will not be able to make our website available to you, respond to your inquiries, send you information, etc., or enter into a contract with you. 

XI. Profiling / Automated decision-making 

We do not carry out profiling and do not use purely automated decision-making procedures in accordance with Article 22 GDPR. If we should use further procedures in individual cases in the future, we will inform you separately. 

D. Data processing when using social media

To present our company and communicate directly with you, we use social media platforms from providers such as LinkedIn, Facebook, and others ("providers") through which we maintain our presence (e.g., in the context of company and employee profiles) and process your data.

I. Joint responsibility

If data is collected on our website that is processed and used by both the provider and us for joint purposes (e.g., for analysis or advertising), the operator and we are jointly responsible. Often, we cannot deactivate this function. You can therefore contact both the respective provider and us with your request. We currently use the following providers:

• Facebook, Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (address of the German branch: Facebook Germany GmbH, Schopenstehl 13, Haus am Domplatz, 20095 Hamburg);
• LinkedIn by LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland (address of the German branch: LinkedIn Germany GmbH, Sendlinger Str. 12, 80333 Munich);

Below you will find links to the privacy policies and information of the respective providers:

• Facebook: https://de-de.facebook.com/policy.php
• LinkedIn: https://de.linkedin.com/legal/privacy-policy

II. Data protection officers of the providers

In addition to our data protection officer, you can also contact the following data protection officers of the respective providers:

• Facebook: https://www.facebook.com/help/contact/540977946302970 or via the "How to contact Facebook with questions" section in Facebook's privacy policy (https://de-de.facebook.com/privacy/explanation)
• LinkedIn: https://www.linkedin.com/help/linkedin/ask/TSO-DPO

III. Purposes and legal basis of data processing

1. Provision of the website

For the purpose of the technical provision of our social media presence, our system (i.e. the web server) automatically collects information from your browser each time you visit the website. 

You can visit our website without providing any personal information. If you use our website for informational purposes only, i.e., you do not register or otherwise provide us with personal information, we do not process any personal data, with the exception of the data that the operator collects within the scope of its platform and the cookies it uses and, if applicable, transmits to us. 

We or the provider process your personal data for the technical provision of our website on the basis of the following legal grounds:

• to fulfill a contract or to carry out pre-contractual measures in accordance with Art. 6 (1) (b) GDPR, insofar as you visit our website to find out about our company and our products/services; and
• to safeguard our legitimate interests pursuant to Art. 6 (1) (f) GDPR in order to be able to make the website technically available to you. Our legitimate interest lies in being able to provide you with an appealing, technically functional, and user-friendly website, as well as in taking measures to protect our website from cyber risks and to prevent cyber risks to third parties arising from our website.

2. Analysis and tracking 

For the purpose of analyzing and tracking the use of its social media platform and our website, the provider uses cookies that enable an evaluation of your surfing behavior. This allows us to improve the quality of the platform, website, and their content. We learn how the platform and website are used and can thus continuously optimize our offering.

However, we have no influence on the data collected and data processing operations, nor are we aware of the full scope of data collection, the exact purposes of processing, or the storage periods. We also have no information about the deletion of the collected data by the platform operator. 

Web analysis is the collection, gathering, and evaluation of data about the behavior of visitors to websites. Among other things, a web analysis service collects data about which website a data subject came to a website from (so-called referrer), which subpages of the website were accessed, or how often and for how long a subpage was viewed. Web analysis is regularly used to optimize a website and to analyze the cost-benefit ratio of Internet advertising. In this context, it may also happen that the information obtained in the course of the analysis and tracking of our website is merged with your other data collected in the course of using the website and the platform. If you register on the platform, the operator may link data relating to your platform activities with your personal details (including your name/email address) on the basis of your consent, thereby collecting it in a personalized manner and providing you with individualized and targeted information on your preferred topics, among other things.

With regard to statistics provided to us by the platform operator, we can only influence these to a limited extent and cannot disable them. However, we ensure that no additional optional statistics are made available to us.

We process your personal data on the basis of your consent in accordance with Art. 6 (1) (a) GDPR, which you gave to the provider when registering for the respective social media platform. If, for example, cookies are stored on your device by the provider, the consent you have given serves as consent in accordance with Section 25 (1) TDDDG in conjunction with Art. 6 (1) (a) GDPR.

3. Sharing, publishing, and interacting with posts, reviews, photos, etc. 

In addition to using our website for purely informational purposes, you can also actively use our website to contact us. In addition to the processing of your personal data described above for purely informational purposes, we will then also process further personal data from you.

You can comment on, share, or interact in other ways (like, recommend, review, etc.) with posts, photos, videos, etc. created by us on the provider's platform and on our website. We may share your content on our website if this is a feature of the operator's platform and communicate with you via the platform. Public messages, etc. may be published by the operator, but will not be used or processed by us for any other purpose at any time.

In the case of reviews, we reserve the right to publish a response (e.g., to clarify a problem, etc.) to your message and to ask you to contact us again. This may involve the processing of personal data that you have voluntarily published in your review.

Furthermore, we reserve the right to delete content if necessary. 

We process your personal data on the following legal basis: to protect our legitimate interests in accordance with Art. 6 (1) (f) GDPR. Data processing is carried out in the interests of our public relations and communication.

4. User inquiries

In order to process your inquiries to us, e.g. via contact forms, chat or our email address, to respond to them in a targeted manner and to provide you with the desired information, we process the personal data you provide in this context. This includes your contact details so that we can send you a reply or ask any necessary questions, as well as any other information you provide us with in this context.

If you send us an inquiry via the platform, we may also refer you to other secure communication channels that guarantee confidentiality, depending on the required response. You always have the option of sending us confidential inquiries to the addresses listed in our legal notice or in this privacy policy. Depending on the subject of the inquiry, the availability of your contact details, and the appropriateness, we may contact you electronically, by telephone, or by post.

We process your personal data to respond to user inquiries, requests for materials, etc. on the basis of the following legal grounds:

• to protect our legitimate interests in accordance with Art. 6 (1) (f) GDPR; our legitimate interest consists in the proper response to or execution of (customer) inquiries;
• if the inquiry is aimed at concluding a contract or a complaint or otherwise relates to a contractual and/or business relationship between us and you, the additional legal basis is Art. 6 (1) (b) GDPR;
• with your consent in the context of using the chat, Art. 6 (1) (a) GDPR. 

IV. Third country transfer

When using social media, your data may be transferred to countries outside the European Union, including the USA. We have no influence over this. Further information can be found in the linked privacy policies of the platform operators.

V. Storage period

When you use our social media presence, the operator stores your personal data on its servers. Personal data and installed cookies are usually deleted by the operator. Unfortunately, we do not know the exact storage and deletion periods, but they can be found in the respective linked privacy policies.

VI. Profiling / Automated decision-making

It is possible that the operator of a social media platform may process your data in a partially automated manner with the aim of evaluating certain personal aspects (profiling). This may be done in order to provide you with targeted information and advice about products and services. This enables communication and advertising tailored to your needs, including market and opinion research.

E. Rights of the data subject

If your personal data is processed, you are a "data subject" within the meaning of the GDPR. You have the following rights vis-à-vis us as the controller, which you can also assert vis-à-vis the operator of the respective platform with regard to our social media presence. Please note that we do not have full control over the data processing operations of the operator. Our options are largely determined by the corporate policy of the respective operator. You have the right:

• request information about your personal data processed by us in accordance with Art. 15 GDPR. In particular, you can request information about the purposes of processing, the category of personal data, the categories of recipients to whom your data has been or will be disclosed, the planned storage period, the existence of a right to rectification, deletion, restriction of processing or objection, the existence of a right of appeal, the origin of your data, if it was not collected by us, and the existence of automated decision-making, including profiling and, if applicable, meaningful information about its details;
• to request the immediate correction of inaccurate or incomplete personal data stored by us in accordance with Art. 16 GDPR;
• to request the erasure of your personal data stored by us in accordance with Art. 17 GDPR, unless the processing is necessary for exercising the right of freedom of expression and information, for compliance with a legal obligation, for reasons of public interest, or for the establishment, exercise, or defense of legal claims;
• to request the restriction of the processing of your personal data in accordance with Art. 18 GDPR, insofar as the accuracy of the data is disputed by you, the processing is unlawful, but you refuse to have it deleted and we no longer need the data, but you need it to assert, exercise or defend legal claims, or you have lodged an objection to the processing in accordance with Art. 21 GDPR;
• to receive your personal data that you have provided to us in a structured, commonly used and machine-readable format or to request its transfer to another controller in accordance with Art. 20 GDPR;
• to withdraw your consent to us at any time in accordance with Art. 7 (3) GDPR. As a result, we will no longer be allowed to continue processing the data based on this consent in the future;
• to lodge a complaint with a supervisory authority in accordance with Art. 77 GDPR. As a rule, you can contact the supervisory authority of your usual place of residence or workplace or our company headquarters for this purpose.

The social media platform operators are based in other EU countries and are therefore subject to the supervisory authorities in those countries. As a rule, this is the Irish Data Protection Commission (21 Fitzwilliam Square South, Dublin 2, D02R 28, Ireland), but you can also address your complaints to the following German supervisory authorities:

• Facebook: The Hamburg Commissioner for Data Protection and Freedom of Information, Ludwig-Erhard-Str 22, 7th floor, 20459 Hamburg;
• LinkedIn: The Bavarian State Office for Data Protection Supervision, Promenade 18, 91522 Ansbach.

However, we recommend that you always address your complaint to our data protection officer or the data protection contact of the respective platform operator first.

Where possible, your requests to exercise your rights should be addressed in writing to the above address or by email directly to our data protection officer. 

F. Right to object (to advertising)

If your personal data is processed on the basis of legitimate interests pursuant to Article 6(1)(f) GDPR, you have the right to object to the processing of your personal data pursuant to Article 21 GDPR, provided that there are reasons for this arising from your particular situation or if the objection is directed against direct marketing. In the latter case, you have a general right to object, which we will enforce without you having to specify a particular situation. If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or the processing serves to assert, exercise, or defend legal claims.

The objection can be made informally and should, if possible, be sent in writing to the above address or by email directly to our data protection officer at or to the contact details of the respective platform operator at.

G. Changes to data protection standards

We reserve the right to change this privacy policy at any time. Any changes will be announced by publishing the amended privacy policy on our website. Unless otherwise specified, such changes will take effect immediately. Therefore, please check this privacy policy regularly to view the current version. 

As of December 2025