PRIVACY POLICY AND CONSENTS

Information according to §5 TMG:

Table of contents

1. objective and responsible body
2. basic information on data processing
3. processing of personal data
4. processing of your IP address by the web server
5. automatic collection of technical data (server log files)
6. encrypted transmission (SSL)
7. collection of access data
8. WP Statistics
9. cookies & reach measurement
10. google analytics
11. google re/marketing services
12. Facebook Social Plugins
13. Facebook Remarketing
14. newsletter
15. contact form
16. integration of third-party services and content
17. social media
18. hyperlinks to third-party websites
19. user rights and deletion
20. changes to the data protection declaration

1. Objective and responsible body

This data protection declaration provides information on the type, scope and purpose of the processing (including
collection, processing and use as well as obtaining consent) of personal data within our online offer and the websites,
functions and content connected with it (hereinafter jointly referred to as „online offer“ or „website“). The data protection
declaration applies irrespective of the domains, systems, platforms and devices (e.g. desktop or mobile) used
on which the online offer is executed.
The responsible party within the meaning of the General Data Protection Regulation, other data protection laws applicable
in the Member States of the European Union and other provisions of a data protection nature is:
Stein Consults, Owner: Dr. Frank Stein, Hess Str. 19, 80798 Munich (hereinafter referred to as „provider“, „we“ or
„us“). For contact details, please refer to our imprint.
The term „user“ includes all customers and visitors to our online offer. The terms used, such as „user“, are to be understood
as gender-neutral.

2. Basic information on data processing

We process users‘ personal data only in compliance with the relevant data protection regulations in accordance with
the principles of data economy and data avoidance. This means that the user‘s data will only be processed if we are
legally permitted to do so, in particular if the data is necessary for the provision of our contractual services and online
services or is required by law, or if consent has been given.
We take organisational, contractual and technical security measures in accordance with the state of the art to ensure
that the provisions of the data protection laws are complied with and to protect the data processed by us against accidental
or intentional manipulation, loss, destruction or against access by unauthorised persons.
If content, tools or other means from other providers (hereinafter collectively referred to as „third party providers“) are
used within the scope of this data protection declaration and their named registered office is abroad, it is to be assumed
that a transfer of data to the countries in which the third party providers are based takes place. The transfer of
data to third countries takes place either on the basis of legal permission, user consent or special contractual clauses
that guarantee the legally required security of the data.

3. Processing of personal data

Personal data will be processed, in addition to the uses expressly stated in this Privacy Policy, for the following purposes
based on legal permissions or user consents:
– The provision, execution, maintenance, optimisation and safeguarding of our services, service and user performance;
– To ensure effective customer service and technical support.
We transmit users‘ data to third parties only if this is necessary for billing purposes (e.g. to a payment service provider)
or for other purposes if these are necessary to fulfil our contractual obligations towards users (e.g. communication of
addresses to suppliers).
When contacting us (via contact form or email), the user‘s details are stored for the purpose of processing the enquiry
and in case follow-up questions arise.
Personal data is deleted if it has fulfilled its purpose and there are no storage obligations that prevent its deletion.

4. Processing of your IP address by the web server

For technical reasons, services on the Internet can only be used if you disclose your IP address. This is processed by
the web servers that deliver these web pages. The processing for the delivery of our web pages is therefore not
anonymised.
IP addresses are unique numerical addresses under which your computer retrieves data or sends data to the Internet.
As a rule, we do not know which person is behind the respective IP address; we cannot normally assign the data to a
person who can be specifically identified to us.
Exception: When using our website, you provide us with your name, an e-mail address or other data that enables us
to identify you. This is done, for example, as part of the Newslette subscription (see section B). Furthermore, you may
be identified if we take legal action against you (e.g. in the event of attacks against our website) and become aware of
your identity in the course of the investigation.
The temporary storage of the IP address by the system is necessary to enable the delivery of our pages to your
computer. For this purpose, your IP address must remain stored for the duration of the session or beyond.
The processing of your IP address is based on Art. 6 para. 1 lit. f DSGVO, our legitimate interest is the operation of our
web server, as well as the detection and defence against abuse and technical attacks.

5. Automatic collection of technical data (server log files)

Each time our platform is called up, our system automatically collects data and information from the computer system
of the calling computer. This data is automatically transmitted to our web servers by your browser, we cannot prevent
this. The following data is involved:
• Name of the page called up
• Referrer URL (the page from which you reached us, e.g. a search engine)
• Your anonymised IP address
• Name of the web browser used
• Information about the type of browser and version used
• Your operating system (name, release)
• Date and time of access
• Server errors / files not found
• Contents accessed / files downloaded
This data is stored in so-called log files. Occasionally, we evaluate these log files in order to be able to draw conclusions
about the need to adapt our website from the technical information stored there. This processing is based on Art.
6 para. 1 lit. f DSGVO, our legitimate interest is the ongoing technical optimisation of our website. The stored data is
deleted after 60 days.

6. Encrypted transmission (SSL)

Our server always uses encrypted transmission of pages and data. You can also recognise the encryption in many
browsers by the lock symbol in the address bar.

7.Collection of access data

We collect data on every access to the server on which this service is located (so-called server log files). The access
data includes the name of the website accessed, file, date and time of access, amount of data transferred, notification
of successful access, browser type and version, the user‘s operating system, referrer URL (the previously visited page),
IP address and the requesting provider.
We use the log data without assigning it to the person of the user or otherwise creating a profile in accordance with
the statutory provisions only for statistical evaluations for the purpose of the operation, security and optimisation of
our online offer. However, we reserve the right to check the log data retrospectively if there is a justified suspicion of
unlawful use due to concrete indications.

8. WP Statistics

This website uses the WordPress analytics plugin WP Statistics. The provider of this plugin is wp-statistics.com. Simple
statistics are created from the data in anonymised form. No usage profiles are created and no cookies are set. All data
collected by WP Statistics is stored completely anonymously on this web server. A personal identification of a visitor is
therefore not possible, even retrospectively.

9. Cookies & Reach Measurement

Cookies are pieces of information that are transmitted from our web server or third-party web servers to the users‘
web browsers and stored there for later retrieval. Users are informed about the use of cookies in the context of pseudonymous
range measurement within the scope of this data protection declaration.
The viewing of this online offer is also possible under exclusion of cookies. If users do not wish cookies to be stored
on their computer, they are requested to deactivate the corresponding option in the system settings of their browser.
Stored cookies can be deleted in the system settings of the browser. The exclusion of cookies can lead to functional
restrictions of this online offer.
It is possible to manage many online ad cookies from companies via the US site http://www.aboutads.info/choices or
the EU site.

http://www.youronlinechoices.com/uk/your-ad-choices/.

10. Google Analytics

We use Google Analytics, a web analytics service provided by Google, Inc. („Google“). Google uses cookies. The
information generated by the cookie about the use of the online offer by the users is usually transmitted to a Google
server in the USA and stored there.
Google will use this information on our behalf for the purpose of evaluating your use of the website, compiling reports
on website activity for website operators and providing other services relating to website activity and internet usage.
In doing so, pseudonymous user profiles can be created from the processed data.
We only use Google Analytics with IP anonymisation activated. This means that the IP address of the user is shortened
by Google within member states of the European Union or in other contracting states of the Agreement on the European
Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA
and shortened there.
The IP address transmitted by the user‘s browser will not be merged with other data from Google. Users can prevent
the storage of cookies by setting their browser software accordingly; users can also prevent the collection of the data
generated by the cookie and related to their use of the online offer to Google as well as the processing of this data by
Google by downloading and installing the browser plugin available under the following link: http://tools.google.com/
dlpage/gaoptout?hl=de.
For more information on Google‘s use of data for advertising purposes, settings and opt-out options, please visit the
Google websites: https://www.google.com/intl/de/policies/privacy/partners („Google‘s use of data when you use our
partners‘ websites or apps“), http://www.google.com/policies/technologies/ads („Use of data for advertising purposes“),
http://www.google.de/settings/ads („Manage the information Google uses to show you ads“) and http://www.
google.com/ads/preferences („Determine what ads Google shows you“).

11. Google-Re/Marketing-Services

We use the marketing and remarketing services (Google Marketing Services for short) of Google Inc, 1600 Amphitheatre
Parkway, Mountain View, CA 94043, USA, („Google“).
The Google Marketing Services allow us to display advertisements for and on our website in a more targeted manner
in order to present users only with ads that potentially match their interests. If, for example, users are shown ads for
products they were interested in on other websites, this is referred to as „remarketing“. For these purposes, when our
website and other websites on which Google marketing services are active are called up, a code is executed directly
by Google and so-called (re)marketing tags (invisible graphics or code, also known as „web beacons“) are integrated
into the website. With their help, an individual cookie, i.e. a small file, is stored on the user‘s device (comparable
technologies can also be used instead of cookies). The cookies can be set by various domains, including google.com,
doubleclick.net, invitemedia.com, admeld.com, googlesyndication.com or googleadservices.com. This file records
which websites the user has visited, which content he or she is interested in and which offers he or she has clicked on,
as well as technical information on the browser and operating system, referring websites, time of visit and other information
on the use of the online offer. The IP address of the user is also recorded, whereby we inform Google Analytics
that the IP address is shortened within Member States of the European Union or in other contracting states to the
Agreement on the European Economic Area and only in exceptional cases is transmitted in full to a Google server in
the USA and shortened there. The IP address will not be merged with user data within other Google offerings. This
aforementioned information may also be combined with such information from other sources. If the user subsequently
visits other websites, he or she may be shown ads tailored to his or her interests.
User data is processed pseudonymously within the scope of Google marketing services. This means that Google does
not store and process the name or email address of the user, for example, but processes the relevant data in a cookie-
related manner within pseudonymous user profiles. I.e. from Google‘s perspective, the ads are not managed and
displayed for a specifically identified person, but for the cookie holder, regardless of who this cookie holder is. This
does not apply if a user has expressly allowed Google to process the data without this pseudonymisation. The information
collected by „DoubleClick“ about users is transmitted to Google and stored on Google‘s servers in the USA.
The Google marketing services we use include the online advertising programme „Google AdWords“. In the case
of Google AdWords, each AdWords customer receives a different „conversion cookie“. Cookies can therefore not
be tracked via the websites of AdWords customers. The information obtained with the help of the cookie is used to
create conversion statistics for AdWords customers who have opted for conversion tracking. The AdWords customers
learn the total number of users who clicked on their ad and were redirected to a page tagged with a conversion tracking
tag. However, they do not receive any information with which users can be personally identified.
We integrate third-party advertisements based on the Google marketing service „DoubleClick“. DoubleClick uses
cookies to enable Google and its partner websites to serve ads based on users‘ visits to this website or other websites
on the internet.
We also include third-party advertisements based on Google‘s AdSense marketing service. AdSense uses cookies to
enable Google and its partner websites to serve ads based on users‘ visits to this website or other websites on the
Internet.
Another Google marketing service used by us is the „Google Tag Manager“, with the help of which further Google
analysis and marketing services can be integrated into our website (e.g. „AdWords“, „DoubleClick“ or „Google Analytics“).
Further information on the use of data for marketing purposes by Google can be found on the overview page: https://
www.google.com/policies/technologies/ads. Google‘s data protection declaration is available at https://www.google.
com/policies/privacy.
If you wish to object to the collection of data by Google marketing services, you can use the settings and opt-out
options provided by Google: http://w

ww.google.com/ads/preferences.

12. Facebook Social Plugins

Our online offer uses social plugins („plugins“) of the social network facebook.com, which is operated by Facebook
Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland („Facebook“). The plugins are recognisable
by one of the Facebook logos (white „f“ on a blue tile, the terms „Like“, „Like“ or a „thumbs up“ sign) or are marked
with the addition „Facebook Social Plugin“. The list and appearance of Facebook social plugins can be viewed here:
https://developers.facebook.com/docs/plugins/.
When a user calls up a function of this online offer that contains such a plugin, his or her device establishes a direct
connection with Facebook‘s servers. The content of the plugin is transmitted by Facebook directly to the user‘s device
and integrated into the online offer by the latter. In the process, user profiles can be created from the processed data.
We therefore have no influence on the scope of the data that Facebook collects with the help of this plugin and therefore
inform users according to our level of knowledge.
By integrating the plugins, Facebook receives the information that a user has accessed the corresponding page of the
online offer. If the user is logged in to Facebook, Facebook can assign the visit to his or her Facebook account. If users
interact with the plugins, for example by clicking the Like button or posting a comment, the corresponding information
is transmitted from their device directly to Facebook and stored there. If a user is not a member of Facebook,
there is still the possibility that Facebook will find out and store his or her IP address. According to Facebook, only an
anonymised IP address is stored in Germany.
The purpose and scope of the data collection and the further processing and use of the data by Facebook, as well
as the related rights and setting options for protecting the privacy of the users, can be found in the data protection
information of Facebook: https://www.facebook.com/about/privacy/.
If a user is a Facebook member and does not want Facebook to collect data about him or her via this online offer and
link it to his or her membership data stored with Facebook, he or she must log out of Facebook and delete his or her
cookies before using our online offer. Further settings and objections to the use of data for advertising purposes are
possible within the Facebook profile settings: https://www.facebook.com/settings?tab=ads or via the US site http://
www.aboutads.info/choices/ or the EU site http://www.youronlinechoices.com/. The settings are platform-independent,
i.e. they are applied to all devices, such as desktop computers or mobile devices.

13. Facebook Remarketing

Within our online offer, so-called „Facebook pixels“ of the social network Facebook, which is operated by Facebook
Inc., 1 Hacker Way, Menlo Park, CA 94025, USA, or if you are a resident of the EU, Facebook Ireland Ltd, 4 Grand Canal
Square, Grand Canal Harbour, Dublin 2, Ireland („Facebook“), are used. With the help of the Facebook pixel, it is possible
for Facebook to determine the visitors to our offer as a target group for the display of advertisements, so-called
„Facebook ads“. Accordingly, we use the Facebook pixel to display the Facebook ads placed by us only to those Facebook
users who have also shown an interest in our website. This means that with the help of the Facebook pixel we
want to ensure that our Facebook ads correspond to the potential interest of the users and do not have a harassing
effect. With the help of the Facebook pixel, we can also track the effectiveness of the Facebook ads for statistical and
market research purposes by seeing whether users were redirected to our website after clicking on a Facebook ad.
The Facebook pixel is directly integrated by Facebook when our website is accessed and can save a so-called cookie,
i.e. a small file, on your device. If you subsequently log in to Facebook or visit Facebook while logged in, your visit to
our website will be noted in your profile. The data collected about you is anonymous for us, so it does not allow us to
draw any conclusions about the identity of the user. However, the data is stored and processed by Facebook so that
a connection to the respective user profile is possible. The processing of the data by Facebook takes place within the
framework of Facebook‘s data usage policy. Accordingly, you can find more information on how the remarketing pixel
works and generally on the display of Facebook ads, in Facebook‘s data usage policy: https://www.facebook.com/
policy.php.
You can object to the collection by the Facebook pixel and the use of your data to display Facebook ads. To do so,
you can visit the page set up by Facebook and follow the instructions there on the settings for usage-based advertising:
https://www.facebook.com/settings?tab=ads or declare the objection via the US site http://www.aboutads.
info/choices/ or the EU site http://www.youronlinechoices.com/. The settings are platform-independent, i.e. they are
applied to all devices, such as desktop computers or mobile devices.

14. Newsletter

The following information explains the contents of our newsletter as well as the registration, dispatch and statistical
evaluation procedures and your rights of objection. By subscribing to our newsletter, you agree to receive it and to the
procedures described.
Content of the newsletter: We send newsletters, e-mails and other electronic notifications with promotional information
(hereinafter „newsletter“) only with the consent of the recipients or a legal permission. Insofar as the contents of
the Newsletter are specifically described in the context of a registration, they are decisive for the consent of the users.
In addition, our newsletters contain the following information: our products, offers, promotions and our company.
Double opt-in and logging: Registration for our newsletter is carried out in a so-called double opt-in process. This
means that after registration you will receive an e-mail in which you are asked to confirm your registration. This confirmation
is necessary so that no one can register with other email addresses. The registrations for the newsletter are
logged in order to be able to prove the registration process in accordance with the legal requirements. This includes
the storage of the registration and confirmation time as well as the IP address. Changes to your data stored with the
dispatch service provider are also logged.
Shipping service provider: The newsletter is sent by „“ (hereinafter referred to as the „shipping service provider“). You
can view the data protection provisions of the dispatch service provider here: .
The e-mail addresses of our newsletter recipients, as well as their other data described in these notes, are stored
on the servers of the dispatch service provider. The dispatch service provider uses this information to dispatch and
evaluate the newsletter on our behalf. Furthermore, according to its own information, the dispatch service provider
may use this data to optimise or improve its own services, e.g. for the technical optimisation of the dispatch and the
presentation of the newsletter or for economic purposes in order to determine from which countries the recipients
come. However, the dispatch service provider does not use the data of our newsletter recipients to write to them itself
or to pass them on to third parties.
Registration data: To register for the newsletter, it is sufficient to enter your e-mail address.
Statistical collection and analyses – The newsletters contain a so-called „web beacon“, i.e. a pixel-sized file that is
retrieved from the server of the dispatch service provider when the newsletter is opened. Within the scope of this
retrieval, technical information, such as information on the browser and your system, as well as your IP address and the
time of the retrieval are initially collected. This information is used for the technical improvement of the services based
on the technical data or the target groups and their reading behaviour based on their retrieval locations (which can be
determined with the help of the IP address) or the access times. Statistical surveys also include determining whether
newsletters are opened, when they are opened and which links are clicked. For technical reasons, this information can
be assigned to the individual newsletter recipients. However, it is neither our intention nor that of the dispatch service
provider to observe individual users. The analyses serve us much more to recognise the reading habits of our users
and to adapt our content to them or to send different content according to the interests of our users.
Cancellation/revocation – You can cancel the receipt of our newsletter at any time, i.e. revoke your consent. At the
same time, your consent to the dispatch of the newsletter by the dispatch service provider and the statistical analyses
will expire. Unfortunately, it is not possible to separately cancel the dispatch by the dispatch service provider or the
statistical analysis. You will find a link to cancel the newsletter at the end of each newsletter.

15. Contact form

If you make use of the possibility to send us enquiries via our contact form, we will ask you for your first and last name,
your company and your e-mail address or telephone number. Furthermore, you can enter your individual message to
us in the message field.
It is your free decision whether you provide us with this data. Currently, all transmissions are encrypted to prevent third
parties from reading them.

16. Integration of third-party services and content

It may happen that content or services from third-party providers, such as city maps or fonts from other websites, are
integrated within our online offer. The integration of third-party content always requires that the third-party providers
are aware of the user‘s IP address, as without the IP address they would not be able to send the content to the
user‘s browser. The IP address is thus required for the display of this content. Furthermore, the providers of third-party
content can set their own cookies and process the users‘ data for their own purposes. In doing so, user profiles can be
created from the processed data. We will use this content as sparingly as possible and in a data-avoiding manner and
select reliable third-party providers with regard to data security.
The following presentation provides an overview of third-party providers and their content, along with links to their
data protection declarations, which contain further information on the processing of data and, in part already mentioned
here, options for objection (so-called opt-out):
Google Fonts
We use Google Fonts for the presentation of our website. This is a collection of fonts from Google LLC („Google“),
Amphitheatre Parkway, Mountain View, CA 94043, USA, which can be used in particular for websites. When you call up
the font used by our website through your browser, the public IP address of the computer you are using is transmitted
to Google LLC („Google“), Amphitheatre Parkway, Mountain View, CA 94043, USA. The IP address is a unique numerical
address under which this computer sends or retrieves data on the Internet.
When you call up our website, your browser loads the fonts required for their correct display in order to display them
as we have intended. If your browser does not support web fonts, a standard font from your computer will be used to
display our website. You can find more information about Google Fonts at https://developers.google.com/fonts/faq.
Google‘s general privacy policy applies here, which can be found at https://www.google.com/policies/privacy/ . Our
legitimate interest in using Google Web Fonts is to ensure a uniform appearance of the website and thus its functionality
on all end devices. The legal basis for the processing is therefore Art. 6 para. 1 lit. f DSGVO.
Google Maps
Furthermore, Google Maps, a map service of Google Inc. („Google“) is integrated on this website. Google Maps uses
so-called „cookies“, text files that are stored on your computer if you use the map function on our website.
When you click on the link, a direct connection is established between your browser and the Google server. Google
thereby receives the information that you have visited our site with your IP address. If you click on the Google Maps
link while you are logged into your Google account, Google can associate your visit to our site with your user account.
We would like to point out that we, as the provider of the pages, have no knowledge of the content of the transmitted
data or its use by Google. Details on data collection (purpose, scope, further processing, use) as well as your rights
and setting options can be found in Google‘s privacy policy, which can be accessed at https://www.google.de/intl/de/
policies/privacy/?fg=1.
YouTube
We use embedded YouTube videos. YouTube is a service provided by Google Inc., Amphitheatre Parkway, Mountain
View, CA 94043, USA.
When the website is called up and the videos are embedded, the IP address is transmitted. This cannot be assigned
unless you have logged in to YouTube or another Google service before accessing the page or are permanently logged
in.
As soon as you start the playback of an embedded video by clicking on it, YouTube only saves cookies on your computer
that do not contain any personally identifiable data. These cookies can be prevented by appropriate browser
settings and extensions (source: YouTube „Activating the extended data protection mode for embedded videos“).
You can find more information on the integration of YouTube videos on the YouTube information page: https://support.google.com/youtube/answer/171780?hl=de.

17. Social Media

Our websites also contain social media buttons. The buttons shown on our website are not plug-ins. Behind the buttons
is an external link to our page on the respective platforms. No cookies are stored on your computer and no data
is transferred. Currently, links to the social networks
„Twitter“ (Twitter, Inc. 1355 Market St, Suite 900, San Francisco, CA 94103, USA),
„LinkedIn“ (LinkedIn Corporation, 2029 Stierlin Court, Mountain View, CA 94043, USA),
„Xing“ (XING AG, Dammtorstraße 30, 20354 Hamburg, Germany)
a) Xing
We would like to inform you here about the processing of personal data by Xing, whose link is used on this website.
When you call up the link, a connection to Xing‘s servers is briefly established via your browser. You can access Xing‘s
current data protection information and supplementary information on this website: https://www.xing.com/app/share?
op=data_protection and www.xing.com/privacy.
b) LinkedIN
Links to the social network LinkedIn are also integrated on our pages. When you visit our pages, if you click on the
link, a direct connection is established between your browser and the LinkedIn server. LinkedIn thereby receives the information
that you have visited our site with your IP address. If you click on the LinkedIn link while you are logged into
your LinkedIn account, you can link the content of our pages on your LinkedIn profile. This enables LinkedIn to assign
the visit to our pages to your user account. We would like to point out that we, as the provider of the pages, have no
knowledge of the content of the transmitted data or its use by LinkedIn.
Details on data collection (purpose, scope, further processing, use) as well as your rights and setting options can be
found in LinkedIn‘s privacy policy, which is available at http://www.linkedin.com/static?key=privacy_policy&trk=hb_ft_
priv.
c) Twitter
We have integrated a Twitter feed and link into our website. By clicking on the feed or the link, you are redirected to
Twitter and a cookie is stored on your computer. With the help of this cookie, Twitter can establish a connection between
you and your account. If you do not have a Twitter account or have never visited the Twitter website, Twitter will
assign you an identifier to log your visits to our Twitter feed.
For further data protection information, please refer to Twitter‘s privacy policy: https://twitter.com/privacy?lang=de.

18. Hyperlinks to external websites

Our website contains so-called hyperlinks to websites of other providers. When you activate these hyperlinks, you
will be redirected from our website directly to the website of the other provider. You will recognise this by the change
of URL, among other things. We cannot accept any responsibility for the confidential handling of your data on these
third-party websites, as we have no influence on whether these companies comply with data protection regulations.
Please inform yourself directly about the handling of your personal data by these companies on these websites.

19. User rights and deletion of data

Users have the right, upon request and free of charge, to obtain information about the personal data we have stored
about them.
In addition, users have the right to correct incorrect data, revoke consent, block and delete their personal data, as well
as the right to lodge a complaint with the competent supervisory authority in the event of the assumption of unlawful
data processing.
The data stored by us will be deleted as soon as they are no longer required for their intended purpose and the deletion
is not contrary to any statutory retention obligations.

20. Changes to the data protection declaration

We reserve the right to change the data protection declaration in order to adapt it to changed legal situations or in
the event of changes to the service and data processing. However, this only applies with regard to declarations on
data processing. Insofar as user consent is required or components of the data protection declaration contain provisions
of the contractual relationship with the users, the changes will only be made with the consent of the users.
Users are requested to inform themselves regularly about the content of the data protection declaration.