Privacy Policy & Imprint

The protection of your personal data is important to the Nordex Group. We would like to inform you what personal data we may use about you, how we may use it as well as inform you about your data protection rights.

PERSON RESPONSIBLE
The person responsible for the following data processing is mentioned in the Privacy Policy (09/10 Supervisory Authority & Data Protection Officer).

DATA RETENTION
Personal data will be kept for no longer than necessary and in accordance with local legal requirements.

USAGE DATA
Server log files record user activity on web pages. We collect this information of our websites https://nordex-online.com and https://ir.nordex-online.com to provide our services, to monitor privacy, and to detect and protect against attacks.

This data set regarding our website https://nordex-online.com consists of:

• the page from which the file was requested,
• the name of the file,
• the date and time of the query,
• the amount of data transferred,
• the access status (file transferred, file not found),
• the description of the type of web browser used,
• the IP address of the requesting computer shortened to the last three digits.

The log data is stored in anonymized form.

This data set regarding our website https://ir.nordex-online.com consists of:

• the page from which the file was requested,
• the name of the file,
• the date and time of the query,
• the amount of data transferred,
• the access status (file transferred, file not found),
• the description of the type of web browser used,
• the IP address of the requesting computer which will be made unrecognizable after 24h.

The legal basis for processing your IP address is our legitimate interest based on the following purposes:

• ensuring that a trouble-free connection is established
• ensuring the comfortable use of our websites
• the evaluation of system security and stability

The data will be erased as soon as it is no longer required for the purpose of its initial collection. In the case of data collection to enable making the website available, this is the case when the respective session ends. The data is stored in log-files for a period of 30 days and is then deleted automatically so that it is no longer possible to allocate the user.

CONTACT FORM/E-MAIL ADDRESS
We provide you with an e-mail address and a contact form which you can use to contact us, e.g. to ask us questions.
The contact form on the website https://www.nordex-online.com can be used by entering your name, your e-mail address, subject and message. The use of our e-mail address and the contact form is voluntary, and your data is processed to fulfill our contractual service obligations.
The contact form on the website https://ir.nordex-online.com can be used by entering your name, title, phone, company, street, ZIP code, city, country, e-mail address, subject and message. The use of our e-mail address and the contact form is voluntary, and your data is processed to fulfill our contractual service obligations.
The data will only be processed to answer the request. We will delete the data if it is no longer required and there are no legal obligations to retain it.

SUBSCRIPTION TO THE INVESTOR RELATING MAILING LIST
On our website https://ir.nordex-online.com, you can subscribe to the Investor Relations Mailing List for financial news on the Nordex’ Investor Relation Portal (“Newsletter”). Please note that certain data (e-mail address, full name, country, salutation, area of interest) is required to subscribe to the Newsletter. The legal basis for the processing of your personal data is your specific consent. The Newsletter will only be sent if you have given your consent.
Once you have registered for the Newsletter, you will receive a confirmation e-mail. You can withdraw your consent at any time via the unsubscribe link provided in every mailing or via e-mail to investor-relations@nordex-online.com.
As part of the registration to the Newsletter, we store further data in addition to the data already mentioned, insofar as this is necessary so that we can prove that you have ordered our newsletter. This may include the storage of the full IP address at the time of the order or confirmation of the Newsletter, as well as a copy of the confirmation email sent by us.

SUBSCRIPTION TO THE INVESTOR RELATING EVENT REMINDER
On our website https://ir.nordex-online.com, you can subscribe to the Investor Relations Event Reminder (“Event Reminder”) to receive an automatic reminder via e-mail of events related to investor relations of Nordex. Please note that your e-mail address is required to subscribe to the Event Reminder. The legal basis for the processing of your personal data and reminders sent to you will be based in your consent.
Once you have registered on the Event Reminder, you will receive a confirmation e-mail. You can withdraw your consent at any time via the unsubscribe link provided in every mailing or via e-mail to investor-relations@nordex-online.com.

DATA SECURITY
We have technical and organisational measures in place to protect your data from unwanted access as comprehensively as possible. If we provide contact forms on our websites https://nordex-online.com and https://ir.nordex-online.com, we use an encryption method on our pages. Your information is transmitted from your computer to our server and vice versa via the Internet using TLS encryption. You can recognise this by the fact that the lock symbol in the status bar of your browser is closed and the address line starts with https:/ .

COOKIES

We use cookies on our website https://nordex-online.com. Cookies are small text files that can be stored and read on your device. A distinction is made between essential cookies, which are necessary to ensure the technical functionality of the website and to provide the services you have specifically requested, statistic cookies, which allow us to count visits and traffic sources so we can measure and improve the performance of our website, and external media cookies that allow access to content from external platforms. Cookies may contain data that make it possible to recognise the device used. In some cases, however, cookies only contain information on certain settings that cannot be related to individuals.
We use essential cookies on our website. The processing is carried out in the interest of optimising user guidance.

You can set your browser to notify you before a cookie is saved. This will allow you to be aware of their use. You can update your cookie settings at any time here:

Change cookie consent

You can also delete cookies at any time via the corresponding browser setting and prevent the setting of new cookies. Please note that our web pages may not be displayed optimally and that some functions may no longer be available.

We use the following essential cookie on our websites:

BOORLABS COOKIE
Our website https://www.nordex-online.com uses the WordPress plug-in “Borlabs Cookie”, a service of Borlabs GmbH, Hamburger Str. 11, 22083 Hamburg, Germany, to record and manage consent and any revocations. If you give your consent to the use of cookies, a cookie will be set (“borlabs cookie”), which will record your consent. We set this technically required cookie to document your consent. If you delete your cookies, we will ask you for your consent again when you visit the page later.
After 12 months, your consent will be automatically deleted from the log and, if necessary, used in aggregated and anonymized form for statistical purposes.

We use the following statistic cookie:

GOOGLE TAG MANAGER
Our website https://www.nordex-online.com uses Google Tag Manager. This Google service, which is offered by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland for people from Europe, the Middle East and Africa (EMEA) and by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”) for all other people, allows website tags to be managed via an interface.
A tag is a code element that is stored in the source code of the website, for example to control which page or service elements and tools are activated and loaded in which order. The tool triggers other tags, which in turn may collect data. The Tag Manager cookie expires after 2 years.
The legal basis is your consent given via our cookie banner. Some of the data is processed on a Google server in the USA. You can find more information about this Google’s information about Tag Manager: Tag Manager Overview.
For the risks associated with the transfer of data to third countries, please refer to section 05.

YOUTUBE
Our website https://www.nordex-online.com uses the YouTube embedding function to display and play videos if and insofar as you have given your consent. By clicking on “Load video”, you consent to content being reloaded.
The company providing the service in the European Economic Area and in Germany is Google Ireland Limited, a company incorporated and operated under Irish law with its registered office at Gordon House, Barrow Street, Dublin 4, Ireland.
“YouTube” uses cookies to collect information about user behavior. According to information from YouTube, these are used, among other things, to record video statistics, improve user-friendliness and prevent abusive behavior. If you are logged in to Google, your data will be assigned directly to your account when you click on a video. Your given consent via the cookie banner expires after 6 months.
The legal basis is your consent given via our cookie banner. Some of the data is processed on a Google server in the USA. You can find more information here: Google Privacy Policy
For the risks associated with the transfer of data to third countries, please refer to section 05.

HEYZINE
Our website https://www.nordex-online.com uses the service of Heyzine Flipbooks SL, Eliseu Meifren, 4, B. 43850 Cambrils. Spain (“Heyzine”) to unblock the YouTube content on our website.
By clicking on “Load content”, you consent to content being reloaded by Heyzine. Your given consent via the cookie banner expires after 1 year.
This also provides Heyzine with the information that you have accessed our website as well as the technically necessary data in this context.
The legal basis is your consent given via our cookie banner. Some of the data is processed on server in the USA. You can find more information here: Heyzine Privacy Policy
For the risks associated with the transfer of data to third countries, please refer to section 05.

DATA TRANSMISSION TO THIRD PARTIES
As explained in this privacy policy, we use services whose providers are partly located outside the EU, i.e. countries whose data protection level does not correspond to that of the European Union (e.g. USA).
Insofar as this is the case the transfer is based on an adequacy decision of the European Commission, such as the EU-U.S. Data Privacy Framework or standard contractual clauses to ensure an adequate level of data protection for any data transfers. Where this is not possible, we base the transfer of data on your explicit consent or the necessity of the transfer for the fulfilment of the contract.
If a transfer to a third country is intended and no adequacy decision or appropriate safeguards are in place, it is possible and there is a risk that authorities in the respective third country (e.g. intelligence agencies) may be able to gain access to the transferred data in order to record and analyse it, and that the enforceability of your data subject rights cannot be guaranteed. You will also be informed of this when you give your consent via the cookie banner.
Further, we also may transmit your personal data to parties established in the United Kingdom. The transfer is based on the European Union recognition of an adequate privacy framework to protect the data.

COMMISSIONED PROCESSING
Other service providers can support us in the operation of these websites and the associated processes (e.g. in hosting and web development or in the portal for online applications). These service providers are strictly bound to our instructions and contractually bound in accordance with Article 28 of the GDPR.

We may process your personal data for the following purposes (and legal grounds):

• manage secure access to offices, warehouses and wind farms and prevent damage to property and persons (consent, legitimate interest or legal obligation);
• communicate with you and process as well as respond to your request ((pre)contractual or legitimate interest);
• fulfill and execute your product purchase and use of services (contractual or legitimate interest);
• license monitoring purposes and application access (legitimate interest);
• marketing purposes; to provide you with personalized information about our products and services as well as conduct market research and satisfaction surveys (consent or legitimate interest);
• credit checks on customers, which may involve credit agencies ((pre)contractual or legitimate interest);
• assessment and screening, including due diligence purposes (also in mergers & acquisitions) (legitimate interest or legal obligation);
• comply with legal and regulatory requirements and requests (legal obligation);
• establish, exercise and defend legal claims (legitimate interest).
• respond to training requests and set up the platforms used to deliver training (legitimate interest);
• management of the external workforce (legitimate interest).

SECURE ACCESS TO PREMISES
We may process your personal data to handle access to premises managed by Nordex. In relation to wind farms, we may process your personal data to ensure your well-being and aid you in case of accidents. If health data is processed this will only take place on the basis of your explicit consent.
Relevant personal data: full name, date of birth, home address, employer name and address, mobile phone, emergency contacts and health data.

COMMUNICATION AND REQUESTS HANDLING
The exchange between individuals from different companies and the resolution of corporate requests requires the processing of personal data.
Relevant personal data: business email address, full name, job position, business mobile phone, corporate landline, company, country, content of request, date of request, and other data you may disclose to us.

PRE-CONTRACTUAL MEASURES, PRODUCT PURCHASE OR USE OF OUR SERVICES
The processing of your personal data may arise on the one hand due to the implementation of pre-contractual measures that precede a contractually regulated business relationship or on the other hand in the fulfilment of obligations arising from a concluded contract with you. For more detailed description of the performed data processing, please see our executed agreements and other documents related to data protection.
Relevant personal data: name, address, company name, telephone number, email address, log data, usage data, respective product or service.

WORKFORCE MANAGEMENT
We may process your personal data to conduct the purchasing of and invoicing of external workforce to appropriately allocate individuals to projects and provide services according to contractual agreements.

MICROSOFT “TEAMS”
We use “Teams” to conduct online meetings, conference calls and/or webinars (hereinafter collectively referred to as “Meetings”). Teams is a software from Microsoft Ireland Operations Limited, South County Business Park, Leopardstown, Dublin 18, Ireland (“Microsoft”), which is available as a desktop, web and mobile app.
The legal basis for data processing for conducting meetings via Teams is our legitimate interest in the effective and simple conduct of online meetings, discussion groups and presentations.
Insofar as the meetings are held within the framework of existing contractual relationships with you, the performance of our contractual relationship. We are not responsible for further data processing on the Teams product website, where the desktop software can be downloaded and the web app can be used.

The following data may be processed during a Meeting:

• Participant details: display name if applicable, first name, surname, telephone, e-mail address, password (encrypted for authentication), profile picture;
• Metadata: Topic and description of the meeting, IP address, telephone number of the participant, type of device/software (Windows/Mac/Linux/Web/iOS/Android Phone/Windows Phone), time of the participant’s last activity on Teams, number of chat and channel messages, number of meetings attended, duration of time for audio, video and screen sharing;
• For chat or channel message usage: text data for display and, if applicable, logging;
• For audio use: recording data of the microphone;
• For video use: recording data from the video camera;
• For recordings: Audio, video and screen sharing for storage in the cloud / Microsoft Stream;
• For telephone use: incoming and outgoing phone numbers, country name, start and end time, possibly other connection data, such as the IP address of the device.

Before a Meeting, you must register via our website or by e-mail. Your registration data will be processed by us. Before the Meeting, you will receive a confirmation email with an invitation link or a calendar date.
To participate in a Meeting, you must at least provide your name and – if you are using a telephone – your telephone number, unless we enable anonymous participation in Meetings. In the latter case, we will inform you of this possibility of anonymous participation in the course of the invitation. You can deactivate the transmission via microphone and camera at any time via the corresponding settings. We only record Meetings or log text data with your consent and prior notification. Microsoft stores and uses the metadata to enable us to analyze and report on the use of Teams.
Microsoft may obtain knowledge of the above-mentioned data as part of the commissioned processing in order to process it. All data traffic is encrypted (MTLS, TLS or SRTP) and encrypted data storage always takes place on servers in the European Economic Area (EEA). Where possible, we also activate end-to-end encryption. In the event that data is nevertheless processed in the USA, we refer to section 05.
Further information can be found in Microsoft’s privacy policy.

USE OF DOCUSIGN
We use the software ”DocuSign” from DocuSign Inc., 221 Main Street, Suite 1550, San Francisco, CA 94105.
The DocuSign software is used to formally simplify the processes within the controller. It is used where and in the form where the corresponding written form requirements allow this. Likewise, the traceability of the receipt of the necessary feedback can be facilitated.

We process the following personal data:

• Your email address,
• Your (qualified) digital signature via DocuSign.

The legal basis for the processing of personal data is our legitimate interest (optimization of formal processes). Your e-mail address is used to send the form and to facilitate the process of obtaining these necessary documents.

Further information can be found in DocuSign’s privacy policy.
Your personal data will be processed internally by the departments of Nordex with which you are in contact. Further, personal data my be transmitted within the Nordex Group.
For the risks associated with the transfer of data to third countries, please refer to section 05.

We may process personal data, which we receive directly from you or via publicly accessible sources (e.g., professional networks on the Internet) or data received from third parties (e.g., personnel service providers or employment/recruitment agencies).

We may process your personal data for the following purposes (and legal grounds):

• evaluate your candidature, assess your skills, experience, and qualifications ((pre)contractual);
• set up interviews and assessments ((pre)contractual);
• conduct background checks and assessments as required or permitted by applicable law ((pre)contractual or legal requirement);
• check for your eligibility for the particular role ((pre)contractual and legal obligation);
• contact third party references provided by you in order to evaluate your previous performances ((pre)contractual);
• contact you regarding the progress of your application ((pre)contractual);
• reimburse travel expenses during recruitment, if agreed ((pre)contractual);
• create an account for you in our application system ((pre)contractual);
• maintain records for hiring process ((pre)contractual);
• keep your application for the personnel files, in case of successful application (contractual);
• provide you with job opportunities based on your interest and skills and inform you about the latest news on recruitment activities (consent);
• conduct satisfaction surveys in order to improve our recruitment process (legitimate interest); You always have the right to object to such processing. More information on how to exercise your right can be found in section “YOUR DATA PROTECTION RIGHTS”
• comply with legal and regulatory requirements and requests, deriving for instance from the field of employment and social security and social protection law (legal obligation);
• establishment, exercise or deference of legal claims to which we may be subject to (legal obligation).

Relevant personal data: CV (including pictures or images provided by you), motivation letter, reference letters, contact data (e.g., name, address, telephone number, e-mail address, home address etc.), identification data (e.g. date of birth, gender, nationality, identity card or passport, etc.), employment data (e.g., work history employment contract, past employment, current employment status type of employment, function, work or a residence permit if necessary, to verify the legality of your employment, etc.), education and qualification data (e.g., degrees, certificates, previous career experience, secondary employment, if applicable as well as references and other related documents substantiating your professional expertise and experience), questionnaires and assessment results.
In individual cases, certain personal information may be stored for a longer period (e.g., travel expense reports). The duration of the data retention depends on the applicable local legal requirements (e.g., under the respective national tax laws).
If you have not been selected during the recruitment process, but your application is still of interest to us, we will ask you whether we may keep your application available for potential future appointments. The legal basis for this data storage is your explicit consent, which is completely voluntary and can be withdrawn at any time for the future.
For more details, please see the relevant Privacy Notice of our Career Portal.

1. RIGHT TO INFORMATION:
You have the right to request confirmation as to whether personal data concerning you is processed; if this is the case, you have a right of access to your personal data.

2. RIGHT TO CORRECTION AND DELETION:
You have the right to immediately request the correction of incorrect personal data concerning you and, if necessary, the completion of incomplete personal data.
You also have the right to request that personal data concerning you be deleted immediately in accordance with applicable legislation.

3. RIGHT TO LIMITATION OF PROCESSING:
You have the right to request a restriction on processing in accordance with applicable legislation.

4. RIGHT TO DATA PORTABILITY:
You have the right to request a restriction on processing in accordance with applicable legislation.

5. RIGHT OF OBJECTION:
In certain cases, you have the right to object to the processing at any time for reasons arising from your particular situation. We will then no longer process the personal data unless there are demonstrably compelling reasons to do it.

THE CONTACT DATA OF THE DATA PROTECTION OFFICERS
Our company data protection officers will be happy to provide you with information or suggestions on the subject of data protection:

THE RIGHT TO LODGE A COMPLAINT WITH A SUPERVISORY AUTHORITY
Pursuant to Article 77 of the GDPR, you have the right of appeal to a supervisory authority if you believe that the processing of data concerning you violates data protection regulations. In particular, the right of appeal may be invoked by a supervisory authority in the Member State of your place of residence, your place of work or the place of the alleged infringement.