Data Privacy Disclaimer

We as GROHE appreciate your interest in our company and our products. We take the protection of your privacy when using our websites very seriously. In the following we are pleased to inform you about the collection of anonymous and personal data.

A. Responsible for the data processing

The person responsible for the processing of personal data in the context of this website in accordance with the regulations of the European General Data Protection Regulation (GDPR) is named in the imprint.

You can reach our Corporate Data Protection Officer at DataProtection@grohe.com.

With this privacy statement we inform you about the extent of the processing of your personal data (hereinafter only "data").

B. Data processing

As part of the operation of our website we process data.

The processing of the data also includes the disclosure by transmission.

The EU Commission, the EU-US privacy shield, has an adequacy decision for data transfers to the United States. In this, the Commission has certified that the guarantees for the transmission of data to the United States on the basis of the EU-US privacy shield comply with the standards of data protection in the EU. As far as we transmit data to the USA, we have identified the participation of our service providers in the EU-US privacy shield.

The data, processing purposes, legal bases, recipients and transfers to non-EEA countries concerned are listed in the following list:

a) Log file

We log your visit to our websites. The following data is processed: Name of the retrieved web page, date and time of retrieval, time difference to Greenwich Mean Time, access status, amount of data transferred, browser type and version, the operating system you are using, the referrer URL (previously visited Website), your IP address and the requesting provider. This is necessary to ensure the security of the website. We process the data on the basis of our legitimate interests in accordance with Art. 6 para. 1 f) GDPR. The log file will be deleted after seven days, unless it is required to clarify or to prove concrete infringements that have become known within the retention period.

b) Hosting

Hosting will store all data to be processed in connection with the operation of this website. This is necessary to enable the operation of the website. We process the data accordingly on the basis of our legitimate interests in accordance with Art. 6 para. 1 f) GDPR. To provide our online presence, we use the services of web hosting providers to whom we provide the above data.

c) Contacting us

If you contact us, your data (name, contact details, if provided by you) and your message will be processed solely for the purpose of processing and processing your request. These data are processed by us on the basis of Art. 6 para. 1 b) GDPR or Art. 6 para. 1 f) GDPR to handle your request.

d) Newsletter

In order to provide you with regular information about our company and our range of service and products, we offer the dispatch of a newsletter. By registering for the newsletter, we process the data entered by you (e-mail address and other voluntary information).

In doing so we receive your consent as follows:

"I would like to order the Grohe AG newsletter as per my configuration of interest. I can revoke my consent at any time by using the unsubscribe link in the newsletter. "

The transmission of the newsletter by means of registration takes place on the basis of your consent in accordance with Art. 6 para. 1 a) GDPR.

The registration for the newsletter takes place in the so-called double opt-in procedure. To prevent abuse, we will send you an e-mail after your registration, asking you to confirm your registration. In order to prove the registration process according to the legal requirements, your application will be logged. Affected are the storage of the registration and the confirmation time and your IP address. To send the newsletter, we use service providers to whom we provide the above data.

To receive details regarding the specific Newsletter such as content or frequency, please refer to the respective registration page.

e) Customer Account

When you open a customer account, you consent to the storage of your data (name, address, e-mail address, bank details) as well as your usage data (username, password). This allows us to identify you as a customer and gives you the ability to manage your orders.

We receive your consent as follows:

"I want to create a customer account. Please process my data for this purpose. I can revoke my consent with effect for the future at any time by e-mail to the indicated e-mail address.".

You will find specific contact details to exercise your rights, including your right to revoke your consent, with each dedicated registration page.

Your data will be processed on the basis of your consent in accordance with Art. 6 para. 1 a) GDPR.

f) Purchase Processing

We process your order data to process the purchase contract. The processing of the data is carried out accordingly on the basis of Art. 6 para. 1 b) GDPR.

We transmit your address data to the company commissioned with the delivery. If it is necessary to process the contract, we will also provide your e-mail address or telephone number to coordinate a delivery date (Avis) to the company commissioned with the delivery.

We will transmit your transaction data (name, date of order, method of payment, date of dispatch and / or receipt, amount and payee, if applicable bank details or credit card details) to the payment service provider responsible for processing the payment.

g) Trade fairs, exhibitions and GROHE Truck Tour

At trade fairs, exhibitions and the GROHE Truck Tour we offer you the opportunity to request information from us. Information can be provided in digital form, in writing or in the form of personal meetings you can request. You are free to choose from the available information services offered.

We process your data for the purpose of sending you the requested information and to be allowed to contact you for further support. Furthermore, we use your data for statistical purposes to measure success and further improve our offer. We transmit relevant data to the company entrusted with the delivery. In the event of a personal appointment, we will pass on relevant data to the GROHE branch responsible for you. Your data will not be passed on to third parties.

After you have selected your information requests and/or communication channels, we will obtain the following consent:

"I would like to receive the selected information from GROHE via the specified communication channels. I agree that GROHE may process my information for the purpose of providing information, arranging appointments and for statistical purposes and may transfer my data within the GROHE Group to the GROHE company responsible for me for further support. I can revoke my consent at any time by sending an email to the email address published at the trade fair."

Your data will be processed on the basis of your consent in accordance with Art. 6 Par. 1 a) GDPR.

h) Photo and Video Recording

We may take photos and/or video recordings at trade fairs, exhibitions, events and the GROHE Truck Tour that are not based on an invitation. We will draw your attention to the recording activity as soon as possible, and at the latest before you enter the relevant area where recordings are being made, by providing information notices and handouts. You always have the opportunity to object to an individual recording with the respective film team.

This does not apply to overall shots in which the focus is on the presentation of the event and not on the presentation of a single person.

GROHE will use the documentation to accompany communication measures in print, on the Internet and/or social media, as well as for internal training and communication purposes. We process the data accordingly on the basis of our legitimate interests in accordance with Art. 6 para. 1 f) GDPR.

i) Competitions and Marketing Campaigns

As part of our business activities, we organize contests and marketing campaigns (hereinafter "Promotions") at irregular intervals.

We request personal data from you via web forms in order to carry out campaigns. This data is required so that you can participate in the respective campaign.

We process the data provided by you to carry out the respective campaign. In doing so, we obtain the following consent:

"I would like to participate in the action of the organising GROHE unit according to the action page. For this purpose, I consent to the processing of the personal data provided by me. I can revoke my consent at any time with effect for the future by sending a message to the e-mail address provided in the campaign."

The participation in these actions is voluntary. With your participation you agree to these data processing.

We process your data on the basis of your consent in accordance with Art. 6 Para. 1 a) GDPR.

To carry out campaigns, we make use of other service providers who support us in processing the campaign.

You will find further promotion-specific regulations on the respective promotion pages.

j) Website Analysis and Marketing

To enable the use of certain functions we use so-called cookies. These are short data packets that are stored on your end device and exchanged with other providers. Some of the cookies we use are deleted immediately after closing your browser (so-called session cookies). Other cookies remain on your terminal device and make it possible to recognize your browser the next time you visit us (persistent cookies).

You can delete all cookies stored on your terminal device and set the common browsers to prevent cookies from being stored. In this case you may have to change some settings each time you visit this website and accept the impairment of some functions.

We use cookies in connection with the following functionalities:

aa) Google Analytics

We use Google Analytics a service of Google LLC 1600 Amphitheater Parkway Mountain View, CA 94043 USA. Google uses certain cookies. The information generated by the cookie about your use of this website (including your IP address) will be transmitted to and stored by Google on servers in the United States. We use the information stored to evaluate your use of the website, to compile reports on website activity for website operators, and to provide other website-related services. Due to our predominant interest, we process the data thus obtained for the optimal marketing of our online offer according to Art.6 para. 1 f) GDPR. Google will never associate your IP address with other Google data.

Please note that this website uses Google Analytics with the extension "anonymizeIp ()". This truncates IP addresses before transmitting them to a server in the United States. A direct personal reference in connection with the stored data is thus usually excluded. Only in exceptional cases will the full IP address be sent to a server in the USA and shortened there.

You may opt-out of the collection of data at any time by opting for the Google Analytics Disable Add-on at any time

http://tools.google.com/dlpage/gaoptout?hl=en

Please also note the notes on the use of Google data in the Google Partner Network at:

http://www.google.com/intl/de/policies/privacy/partners/

www.google.de/privacy_ads.html

Google is certified under the Privacy Shield Agreement and thus guarantees compliance with European data protection legislation:

https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active

For more information about privacy, please visit:

https://policies.google.com/privacy?hl=en&gl=en

bb) New Relic

We use the software NewRelic on our website. This will allow an analysis of your website usage. The information stored by the cookie about your use of this website (including your IP address) will be transmitted to a server of NewRelic in the USA. We process the data due to our predominant interest in the optimal marketing of our online offer according to Art.6 para. 1 f) GDPR.

NewRelic will use the information stored to evaluate your use of the website, to compile reports on website activity for website operators, and to provide other services related to website activity and internet usage.

NewRelic is certified under the Privacy Shield Agreement and thus guarantees compliance with European data protection legislation:

https://www.privacyshield.gov/participant?id=a2zt0000000TNPiAAO&status=Active

Further information on data protection can be found at:

https://newrelic.com/termsandconditions/privacy

cc) Privacy Policy for Product Reviews (Bazaarvoice)

We work with Bazaarvoice to provide customers with rating options for our products. Bazaarvoice uses cookies to process information from consumers and monitor user behavior across multiple websites.

When you submit a product review, we collect personally identifiable information from you in a form. These are "display name", IP address, e-mail address, as well as a rating assigned to you, as well as any additional information voluntarily provided. The data provided will be processed for the use of the product evaluation and displayed on a GROHE website.

In doing so we get the following consent:

"I agree that GROHE and its service providers may use my e-mail address to contact me as part of my product review for administrative issues or for receiving information about rated or similar products. I can withdraw my consent at any time with effect for the future by message to GROHE. "

The revocation of consent does not affect the legality of the processing carried out on the basis of the consent until the revocation. In case of a cancellation we will delete your data as well as your product rating (s) according to legal regulations.

Your Product Review will be processed by Bazaarvoice Inc, 3900 N. Capital of Texas Highway, Suite 300, Austin, Texas 78746, USA. A transfer of data to the USA may be made in accordance with Art. 45 General Data Protection Regulation if the EU Commission decides in an implementing act that the USA has an adequate level of data protection. On July 12, 2016, the EU Commission has determined that the US guarantees an adequate level of data protection due to the agreements on EU-US Privacy Shield.

Bazaarvoice is certified under the Privacy Shield Agreement and thus guarantees compliance with European data protection legislation:

https://www.privacyshield.gov/participant?id=a2zt0000000KzSfAAK&status=Active

Further information on data protection can be found at:

https://www.bazaarvoice.com/legal/privacy-policy/

k) Use of Google ReCAPTCHA

To protect the comment section and the input forms of our websites against spam and abuse, we use the external service reCAPTCHA. This is a service provided by Google Inc, 1600 Amphitheater Parkway, Mountain View, CA 94043 USA (hereafter Google). reCAPTCHA makes it possible to differentiate between inputs of human origin and those that are abused by automated software (also called bots). When using the service, the following data will be transmitted to Google's servers in the USA:

• referrer URL

• IP address of the user

• the input behavior of the user as well as mouse movements in the area of the "reCAPTCHA" checkboxes

• Google Account: If the user is logged in to their Google Account at the same time, this will be recognized and assigned

• Information about the browser used, browser size, browser resolution, browser plug-ins, language settings, date

• Mouse and touch events within the page

• scripts and presentation instructions of the website

• cookies

The processing is based on our predominant legitimate interest in the security of our website in accordance with Art. 6 para. 1 f) of the GDPR.

Google is certified under the Privacy Shield Agreement and thus guarantees compliance with European data protection legislation:

https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active

For more information about privacy, please visit:

https://policies.google.com/privacy?hl=en&gl=en

l) Integration of external content

We use external dynamic content to optimize the presentation and the offer of our website. When visiting the website, a request is automatically made via the API to the server of the respective content provider, in which certain log data (for example the IP address of the users) is transmitted. The dynamic content is then transmitted to our website and displayed there.

We use external content in connection with the following functionalities:

aa) Google Maps

We use Google's "Google Maps" map service on our website to provide you with an interactive map. When the map is displayed, data, including your IP address and location, is transmitted to Google's servers in the United States and stored there. This processing is based on our predominant legitimate interest in an optimal marketing of our offer according to Art. 6 para. 1 f) of the GDPR.

Google is certified under the Privacy Shield Agreement and thus guarantees compliance with European data protection legislation:

https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active

For more information about privacy, please visit:

https://policies.google.com/privacy?hl=en&gl=en

bb) Facebook Visitor Tracker

We use the “visitor action pixels” from Facebook Inc (1 Hacker Way, Menlo Park, CA 94025, USA, or, if you are based in the EU, Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Facebook”)) on our website. This allows user behavior to be tracked after they have been redirected to the provider’s website by clicking on a Facebook ad. This enables us to measure the effectiveness of Facebook ads for statistical and market research purposes. The data collected in this way is anonymous to us, i.e. we do not see the personal data of individual users.

When the website is called, the pixel is integrated directly by Facebook and can store a cookie on your device. If you subsequently log in to Facebook or are already logged in to Facebook, your website visit will be noted in your profile. The collected user data are anonymous for us and thus do not allow us to conclude on the user identity. However, this data is stored and processed by Facebook, which is why we are informing you, based on our knowledge of the situation. Facebook may link this information to your Facebook account and also use it for its own promotional purposes, in accordance with Facebook’s Data Usage Policy:

https://www.facebook.com/about/privacy/

You can allow Facebook and its partners to place ads on and off Facebook. A cookie may also be stored on your computer for these purposes. The legal basis for the use of this service is Art. 6 para. 1 sentence 1 f) GDPR. You can object to the collection of your data by Facebook pixel, or to the use of your data for the purpose of displaying Facebook ads by contacting the following address:

https://www.facebook.com/settings?tab=ads

Facebook is certified under the Privacy Shield Agreement and thus guarantees compliance with European data protection legislation

https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active

cc) Partner Programs

GROHE partners with online retailers to offer you, as a customer, online shops where you can buy GROHE products.

These are the retailers that are displayed after you have clicked on the 'Buy now' button on a product page. If you click on the online retailer's logo, you will be redirected to their website.

This routing is done by HATCH B.V. (Weerdestein 117-II, 1083 GH Amsterdam, the Netherlands). Hatch will place a tracking pixel on the purchase confirmation page at the retailer to track the initial lead at GROHE through to the sale at the retailer. In this context, anonymous data provided on the retailer website will be forwarded to the partner Hatch.

For more information on the use of tracking pixels on behalf of the retailer, please visit the privacy section on the website of the specific retailer. Despite careful control of content, we do not assume any liability for the content of external links. The operators of the linked pages are solely responsible for the content of their pages.

You can find more information about the use of data by Hatch in their privacy policy: www.gethatch.com/en/privacy-policy/.

C. Duration of data storage

We only store personal data for as long as it is necessary for the purposes for which it is processed or if your consent has been revoked. As far as statutory storage requirements are concerned, the storage period for certain data can be up to 10 years, regardless of the processing purposes.

D. Data Subjects’ Rights

a) Information

Upon request, you will receive information about all personal data that we have stored about you free of charge at any time.

For your own protection, we reserve the right to obtain further information upon request to confirm your identity in order to prevent unauthorized persons from gaining access to personal data that we undertake to protect. If identification is not possible, we reserve the right to refuse to process the request.

b) Correction, cancellation, limitation of processing (blocking), opposition

If you no longer consent to the storage of your personal data or if these have become incorrect, we will, upon appropriate instructions, arrange for the deletion or blocking of your data or make the necessary corrections (to the extent permitted by applicable law). The same applies if we are to process data in the future only in a restrictive way.

c) Data Portability

Upon request, we will provide you with your data in a standard, structured and machine-readable format so that you can, if you wish, submit the data to another person in charge.

d) Right to Complain

There is a right of appeal to the competent supervisory authority:

( https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html).

e) Right of revocation in the case of consent with effect for the future

Any given consent can be revoked at any time with effect for the future. Your revocation does not affect the lawfulness of the processing until the time of revocation.

f) Limitation

Data where we are unable to identify the data subject, for example, if they have been anonymised for analysis purposes, is not covered by the above rights. Information, deletion, blocking, correction or transfer to another company may be possible with respect to such information if you provide us with additional information that allows us to identify it.

g) Exercising your Rights

If you have any questions regarding the processing of your personal data, information, correction, blocking, opposition or deletion of data or the desire to transfer the data to another company, please contact “dataprotection_uk@grohe.com”.

E. Data Security

To ensure the security of the data transmitted to us, we use TLS encryption with 128 bits. You recognize such encrypted connections with the prefix "https: //" in the page link in the address bar of your browser. Unencrypted pages are identified by "http: //".

All data that you submit to our website - such as inquiries or logins - cannot be read by third parties thanks to SSL encryption.

F. Change of the privacy policy

In order to ensure that our data protection guidelines always comply with the current legal requirements, we reserve the right to make changes at any time. This also applies in the event that the data protection information must be adjusted due to new or revised offers or services.

STATUS: 04.2020