We, Porsche Sales & Marketplace GmbH (hereinafter referred to as "we" or "PSM GmbH"), are pleased about your use of the Porsche Digital Service Infrastructure and other of our digital offers (hereinafter individually or jointly also referred to as "services" and jointly "Porsche Digital Service Infrastructure"). We take the protection of your personal data very seriously. Your personal data will only be processed in accordance with the provisions of data protection legislation, in particular the General Data Protection Regulation (hereinafter "GDPR"). This Privacy Policy provides information about the processing of your personal data and your privacy rights as a data subject in connection with your use of the Porsche Digital Service Infrastructure and our services. For information on the individual services, please refer to the Specific Privacy Policy and, if applicable, the further Special Data Protection Notices of the respective service.

1. Data Controller and Data Protection Officer

Unless otherwise expressly stated in this or a Specific Privacy Policy based thereon and, if applicable, in the further Special Data Protection Notices of the respective service, the entity responsible for data processing within the meaning of the data protection laws is:

Porsche Sales & Marketplace GmbH

Porscheplatz 1

70435 Stuttgart

Germany

E-mail: smartmobility@de.porsche.com

Please do not hesitate to contact us if you have any questions or ideas relating to data protection.

You can contact our data protection officer as follows:

Porsche Sales & Marketplace GmbH

Data Protection Officer

Porscheplatz 1

70435 Stuttgart

Germany

Contact: dataprotection.salesandmarketplace@porsche.de

In relation to certain processing operations, we may be joint controllers with Dr. Ing. h.c. Porsche AG (Porscheplatz 1, 70435 Stuttgart, Germany, e-mail: info@porsche.de, hereinafter "Porsche AG"), its group companies and/or third parties ("we" then also stands for these joint controllers). In relation to such joint processes, we jointly determine the purposes and means of processing personal data. In such cases, in an agreement on joint responsibility pursuant to GDPR Article 26, we accordingly also define the respective tasks and responsibilities in the processing of personal data and the responsible parties to fulfil data protection obligations. In particular, we define how an appropriate level of security and your rights as a data subject can be ensured, how we can jointly comply with information obligations under data protection law and how we can monitor potential data protection incidents. This also includes ensuring that we can fulfil our reporting and notification obligations. Insofar as you contact us, we will come to an agreement in accordance with the aforementioned agreement pursuant to GDPR Article 26 in order to answer your enquiry and guarantee your data subject rights. You can find out in which areas and with which companies joint responsibility exists in the Specific Privacy Policy and, if applicable, in the further Special Data Protection Notices of the respective service.

2. Object of data protection

The object of data protection is the protection of personal data. This is any information that relates to an identified or identifiable natural person (so-called data subject). This includes details such as name, postal address, e-mail address or telephone number, but also other information that arises in the course of using our Porsche Digital Service Infrastructure and vehicle usage data.

3. Purposes of and legal grounds for data processing

This General Privacy Policy provides you with the following overview of the purposes and legal bases of data processing in the context of registering, creating and using your Porsche ID user account and booking and using our services on the basis of your Porsche ID user account. We process personal data in any case in accordance with the legal requirements, even if a different legal basis should apply than stated below in individual cases.

We process your personal data in particular if this is necessary for the performance of a contract to which you are a party or for the performance of pre-contractual measures that take place at your request. Data is processed on the basis of Article 6 Paragraph 1 (b) GDPR. The purposes of the processing include enabling the use of our specific products and services within the services as explained below.

We also process your personal data, insofar as this is necessary, to comply with legal obligations to which we are subject. The data processing takes place on the basis of Article 6 Paragraph 1 (c) of the GDPR. The obligations may result, for example, from the commercial, tax, money laundering, financial or criminal law. The purposes of processing arise from the respective legal obligation; the processing generally serves the purpose of complying with state obligations with regard to monitoring and duty of disclosure. In this respect, too, you will find more detailed information below.

The provision of personal data by you may be required by law or contract when using the services or may be necessary for the conclusion of a contract. We will inform you separately if you are obliged to provide personal data and what the possible consequences of not doing so would be (e.g. a loss of claims or our advice not to provide the requested service without providing certain information).

4. Porsche ID user account

Registration and creation of a Porsche ID user account on My Porsche is required for full use of the Porsche Digital Service Infrastructure and the services offered under it. Once you have successfully completed registration and created your Porsche ID user account, you will also receive your Porsche ID (user name of the Porsche ID user account), with which you will be able to log in to all Porsche ID interfaces linked with your password or the QR code. When registering and creating and using your Porsche ID user account, personal data is processed and, if necessary, transmitted to third parties as described below in order to fulfil our contractual obligations in this context. Unless otherwise stated, we carry out all processing operations described in this section in order to fulfil our contract with you on the basis of Article 6 Paragraph 1(b) GDPR.

4.1 Registration process and creation of a Porsche ID user account

There are two methods to choose from in order to register and create your Porsche ID user account:

4.1.1 Invitation by authorised dealers

If you wish, your authorised dealer will enter the personal data you have provided to them on our systems for you via their access. You will then receive, for example, an e-mail with a link which you must use to confirm your registration and creation of your Porsche ID user account. Please note that the authorised dealers are independent companies and we have no influence over them. A second feature allows you to additionally verify your identity, for example via an SMS code, which you then enter during the process of registering and creating your Porsche ID user account.

4.1.2 Self-registration

In the event that the registration and creation of your Porsche ID user account was not carried out via an authorised dealer, you can register and create your Porsche ID user account yourself and enter your personal data independently. In selected countries you can also add a vehicle and use other digital services that require vehicle ownership. You must also upload a copy of an identification document and proof of ownership and, in case you are not the owner of the vehicle, a power of attorney from the vehicle owner after entering your vehicle identification number. These documents are forwarded to Porsche Connect Support or, in countries where the official language is not supported by Porsche Connect Support, directly to the dealer selected by you and are then checked locally using our verification criteria. As proof of successful verification, we also save the names, dates and places of birth, and addresses shown in the relevant identification documents along with the validity dates of the documents, as well as the vehicle identification numbers, owner names and addresses shown in the proof of ownership. After verification is complete, the copies of the documents will be deleted. Alternatively, you can use the video identification procedure for verification by our Porsche Connect Support. If you add a vehicle and a specific vehicle is therefore assigned to you in your Porsche ID user account, a vehicle relationship exists (hereinafter referred to as "vehicle relationship"). After successful verification, you will receive, for example, an email with a link that you must use to confirm your registration and creation of your Porsche ID user account. A second feature allows you to additionally verify your identity, for example via a text message code that you then enter when registering and creating your Porsche ID user account.

Self-registration requires the upload of images from the terminal. You will therefore be asked to grant permission for the app to access your device's camera or photo library. Granting permission is voluntary. However, if you wish to use the self-registration function, you must grant the relevant permission, otherwise you will not be able to use the self-registration. Permission remains active unless you revoke it in your device and/or Internet browser by deactivating the relevant setting.

(a) Mandatory data when registering and creating a Porsche ID user account

When registering and creating your Porsche ID user account, you must - in the case of self-registration - enter your e-mail address, a password, your name and name affixes, contact and address data, mobile phone number, e-mail address and, if applicable, the language in which you wish to communicate with us or - in the case of registration and creation of your Porsche ID user account by an authorised dealer - confirm this personal data as part of the process of registering and creating your Porsche ID user account. This personal data is required to set up and manage your Porsche ID user account for you so that you can use the full range of our services as part of the Porsche Digital Service Infrastructure. In selected countries, you can also use our offer as an interested party. In this case, you only need to provide your name, e-mail address and a password. Last but not least, we also need this and possibly other personal data in order to be able to respond to requests, questions and criticism. We also save the time of your last log-in. When you register and create your Porsche ID user account, we check your name and address data by means of a plausibility check.

(b) Voluntary data when registering and creating a Porsche ID user account

When registering and creating your Porsche ID user account, you also have the option of entering additional voluntary details such as additional name information (e.g. academic title etc.), company contact details, date of birth, additional telephone numbers, credit card information (this is only stored by the payment service provider) as well as your vehicle registration number and a personal vehicle name. In addition, you can provide information about your interests, preferences and the contact channels you would like to use. Please note that this information is not required when registering and creating your Porsche ID user account and that you alone decide whether you want to disclose this personal data to us.

4.1.3 Integration of the Porsche ID into third-party offers

We may enable cooperation partners to offer a registration and login procedure involving the Porsche ID. This means that you do not have to remember any new login data for the third-party offer. If you decide to use the registration and login procedure involving the Porsche ID as part of the third-party offer, you will be redirected to the PSM GmbH login/registration screen for the Porsche ID. Here you log in with your user name and password for the Porsche ID. We will then send a message to our cooperation partner that you have successfully registered. As part of the registration and login process, you can confirm to us that the cooperation partner may access the profile data of your Porsche ID user account. This then also applies to the payment data stored there, if applicable. This means that you do not have to re-enter or maintain your profile data and, if applicable, payment data (e.g. if your address changes) in order to create your user profile for the third-party offer. Conversely, changes to the profile data in the user account of the third-party offer are then also synchronised accordingly in your user account for the Porsche ID.

The data processing within the scope of the registration and login procedure with the integration of the Porsche ID is carried out on the basis of Article 6 Paragraph 1 (b) and (f) GDPR in order to register you with your user account for the third-party offer or to identify you when you register. In addition to carrying out your desired procedure, we are interested in making the registration and application process efficient and convenient. We are jointly responsible for this with our cooperation partner and, in relation to the process, we jointly determine the purposes and means of processing personal data. In an agreement on joint responsibility, we have defined, pursuant to GDPR Article 26, the respective tasks and responsibilities in the processing of personal data and the responsible parties to fulfil data protection obligations. In particular, we have defined how an appropriate level of security and your rights as a data subject can be ensured, how we can jointly comply with information obligations under data protection law and how we can monitor potential data protection incidents. This also includes ensuring that we can fulfil our reporting and notification obligations. Insofar as you contact us, we will come to an agreement in accordance with the aforementioned agreement pursuant to GDPR Article 26 in order to answer your enquiry and guarantee your data subject rights.

4.2 Porsche Digital Service Infrastructure: data processing after registration and creation of your Porsche ID user account

If you have registered and created your Porsche ID user account, we will, in order to fulfil the contract with you on the basis of Article 6 Paragraph 1 (b) GDPR, exchange basic information about your Porsche ID user account and your vehicles with responsible Porsche dealers in order to be able to serve you via our dealer organisation. In addition to the vehicle identification number, we transfer your user name (Porsche ID), the technical or sales availability of services and product offers for your Porsche ID user account or vehicle, as well as relevant events as part of the creation, modification or deletion of your Porsche ID user account, the linking of vehicles, the selection of traders, or the activation or deactivation of services.

If you have selected an authorised dealer and provided your consent, your personal data stored in your Porsche ID user account, in particular contact data, support, contractual and service data, as well as data about your interests, vehicles and services used will also be exchanged with the authorized dealer and with synchronised with any personal data stored about you. If you no longer wish data to be transferred in the future, you can change this in the user settings of your Porsche ID user account accordingly. The aforementioned personal data will no longer be exchanged with the authorised dealer from that date. The applicable legal basis for this processing of your personal data is your consent pursuant to Article 6 Paragraph 1 (a) GDPR.

If you are waiting for your vehicle to be delivered, we will provide you with information on the delivery status in your Porsche ID user account. To do this, we will share the VIN of your vehicle and your Porsche ID with Porsche AG. The applicable legal basis for the processing of your personal data is the fulfilment of our contract with you on the basis of Article 6 Paragraph 1 (b) GDPR.

4.3 Deletion of your Porsche ID user account

If you delete your Porsche ID user account, your personal data stored in your Porsche ID user account will also be deleted when the contractual relationship ends, but upon expiration of your existing service licenses at the earliest. As far as data must be stored for legal reasons, these are blocked (so-called limitation of processing). The personal data is for further use, especially for the use of services, and then is no longer available. The functionality of the services may be limited or eliminated. The full use of the Porsche Digital Service Infrastructure will then also no longer be available to you. If further responsible individuals within the Porsche Group and its sales organisation process personal data within their own responsibility, the processing of this personal data remains unaffected. If, on the basis of your consent pursuant to Article 6 Paragraph 1 (a) GDPR, personal data has been exchanged with a dealer of your choice, we inform the dealer about the deletion of your Porsche ID user account.

5. Central services

5.1 Booking and activating services, handling payment information

You can book individual or several My Porsche services and Porsche Connect services and activate service licences. When selecting the respective service or service package, you can also view the respective information on the processing of personal data within the scope of the services concerned under the offer details. In order to carry out and fulfil a booking and the associated contractual relationship, we process, in addition to the respective booking information, your personal data collected during registration and creation of your Porsche ID user account. You can change your billing address before completing the booking process. In this case, we use the address data provided by you for invoicing and processing.

We use a payment service provider to process payments for our paid services and products within the framework of My Porsche, Porsche Connect and the Online Marketplace. For this purpose, we and the payment service provider used will process your credit card information and the respective payment information. The payment service provider's systems are used to manage your credit card information and to process payments. When you enter your credit card information, it is done directly via an input field from the payment service provider, which encrypts, stores and uses this information independently for your payments. The encrypted information is then transferred from Porsche / from us to the payment service provider, where it is stored and used for your payment. Our legal basis for processing your personal data in order to process the payment is the fulfilment of the contract pursuant to Article 6 Paragraph 1(b) GDPR.

The payment service provider commissioned will process your customer and contact information (for example name, address, email address, Porsche Connect customer number, and if applicable, company and affiliates) and the vehicle identification number shown in the proof of ownership exclusively for the purpose of debtor management (including compliance checks, where legally required) and to carry out credit checks. The legal basis for processing the named personal data for the aforementioned purposes, in accordance with Article 6 Paragraph 1 (c) of the GDPR, is the fulfilment of a legal obligation incumbent on us and, in accordance with Article 6 Paragraph 1 (f) of the GDPR, our legitimate interest in appropriate accounts receivable management and credit controls, provided we are not subject to any legal obligation.

When purchasing through online shops, our payment service provider determines the fraud risk using customer data (e.g. name and identifier, sales history, etc.). The transaction data is checked and examined for abnormalities (e.g. frequency of password changes, delivery address differing from the invoicing address). The legal basis for the processing of the mentioned personal data for the aforementioned purposes is, in accordance with GDPR Article 6 Paragraph 1 (b), the fulfilment of a contract, or, pursuant to GDPR Article 6 Paragraph 1 (f), our legitimate interest in preventing fraud.

After completing the booking, you can activate the services. This saves the authorisation for use on the system side and updates the list of available services accordingly.

In order to use certain services (e.g. E-Charging offers), a personalised card (referred to as a Porsche ID Card, Porsche Charging Card) containing RFID chips is sent by post to numerous countries when a product is purchased. An identification number is stored on the card, which can be used to assign it to your Porsche ID user account. No personal data beyond the identification number, in particular your name or address, is stored digitally on the card itself. If the card is lost, you can block it within your Porsche ID user account.

After delivery, the Porsche ID card can be used directly with the supported infrastructure (e.g. public E-charging pedestals).

Unless stated otherwise, we carry out the processing described in this section for fulfilment of our contract with you on the basis of Article 6 Paragraph 1 (b) GDPR.

5.2 Using the My Porsche services and Porsche Connect services

Depending on the service, you can use the booked My Porsche services and Porsche Connect services in your vehicle (if available for your vehicle) via a radio network connection or via other terminal devices in My Porsche or in your Porsche Connect app and, if necessary, also from several or all access points. For this purpose, your vehicle or the respective end device connects to the Porsche Digital Service Infrastructure.

When you use the services booked via My Porsche or the Porsche Connect Store in your vehicle or on other devices, your personal data will be processed by us for the purpose of enabling the use of services, for support purposes and for other individually defined purposes. Unless otherwise stated, we will only process your personal data to the extent necessary to enable the relevant My Porsche service or Porsche Connect service to be used.

When using the individual My Porsche services or Porsche Connect services, the following categories of personal data, for example, may be processed, depending on the specific functionality of the respective service:

- Identification information, such as the vehicle identification number, your Porsche ID and device and system IDs of your end devices and mobile modules, which are required to identify your person, your end device or your vehicle for the purpose of establishing connections, using services or accessing content,

- Authorisation information, which includes that the vehicle or the respective terminal device is activated for the respective Porsche Connect service and which can be linked to your personal data that you entered as part of the registration and creation of your Porsche ID user account,

- Login information that is required if you want to use services from other providers that require a login in your vehicle or on additional end devices,

- Communication information required to establish a connection between your vehicle and/or other terminal devices and our servers or with the servers of third-party content providers for Porsche Connect services,

- Location and movement information, such as GPS or speed data, required in order to use location-related content,

- Voice data that enables voice control and voice input in certain Porsche Connect services. Voice data is transmitted to us as a recording for the purpose of conversion to text from the vehicle or a terminal. The text then generated by a service provider is transmitted back to the vehicle and the recording is then deleted by us,

- Contact data used in communication services, for example to send an e-mail or SMS,

- Billing data such as an itemised bill from charging operations. If necessary, we will combine this information with your address and payment information for individual billing purposes,

- Image/video data of your vehicle or its components

- Other content that needs to be shared with us or with service providers in order to provide a service to you.

Detailed information on which personal data is processed within the scope of which service can be found in the respective service descriptions at https://connect-store.porsche.com/gb/en/.

The following applies especially in the context of workshop visits and the associated use of online order extension:

Online order extension is a service that offers our customers the possibility to follow the vehicle acceptance process during a workshop appointment at any time and from anywhere through recorded and personalised videos of the service consultant and/or technician. In addition, the customer can release/approve additional repairs/repair extensions directly via the My Porsche Portal and/or the My Porsche App.

Unless otherwise stated here, in one of the Specific Privacy Policies or, where applicable, in the further Special Data Protection Notices of the respective service, we process your personal data in each case on the basis of Article 6 Paragraph 1 (b) GDPR in order to provide you with the services in this context and to perform the associated contractual relationship.

5.3 Use of third-party services

If you use the services of a third-party provider with whom you have your own contractual relationship, the content of these services may be displayed in your vehicle or on your terminal device and information may be exchanged between your vehicle or your terminal device and the respective service provider.

We have no influence on the data processing by this third-party provider or on the location of the data processing. Therefore, please inform yourself with the respective third-party provider about the type, scope and purpose of the processing of personal data with regard to the respective service in their separate data protection notices.

We transfer the necessary personal data to the relevant third-party provider on the basis of Article 6 Paragraph 1 (b) GDPR in order to fulfil the contract between you and us.

5.4 Porsche Contact Centre

You can use various communication channels to contact us, in particular the service hotline if you wish to contact us by telephone, but also e-mail or live chat. When you contact our Contact Centre, we will process your personal data insofar as this is necessary in order to provide the Contact Centre service and to process your request. It is possible that we may ask you to provide personal data that is required to prepare and organise contact in order to process your specific request. Without this data, we will not be able to process your inquiry or accede to your request. The purposes of processing arise specifically from your inquiry and the services you have booked. They cover in particular

- The processing of inquiries from interested parties, customers and dealers in relation to products and services from Porsche Sales & Marketplace GmbH. This includes, for example,

- Technical support services

- Assistance when purchasing services or products

- Answering general questions about Sales & Marketplace

- Technical support for customers and dealers, in particular through the provision of a service hotline for telephone contact.

Data is processed on the basis of Article 6 Paragraph 1 (b) GDPR for the purpose of fulfilling the contract with you and implementing measures in advance of the contract.

We also process your personal data to comply with legal obligations to which we are subject. Obligations may arise, for example, from commercial, tax, telecommunications, money laundering, financial or criminal law. The purposes of processing arise from the respective statutory obligation; the processing generally serves the purpose of complying with state obligations with regard to monitoring and duty of disclosure.

Data is processed on the basis of Article 6 Paragraph 1 (c) or (e) GDPR. If we collect data on the basis of a legal obligation or in the public interest, you need to provide the personal data that is required to comply with the legal obligation. Without this, we might not be able to process your request or fulfil these obligations.

If you use support services in a Porsche Centre, your dealer can also retrieve this data. To facilitate this service, we also transmit the aforementioned data to the relevant dealer. In this case, we will process your personal data in accordance with Article 6 Paragraph 1 (f) GDPR on the basis of our legitimate interest in facilitating customer service at your preferred point of contact or through your preferred dealer.

6. Safeguarding legitimate interests

We also process your personal data to protect the legitimate interests of us or third parties, unless your interests which require the protection of your personal data override these interests. Data is processed on the basis of Article 6 Paragraph 1 (f) GDPR. Processing for legitimate interest is carried out for the following purposes or to protect the following interests:

- Further development of products, services and mentoring, as well as other measures for business transactions and process control,

- Improvement of product quality, elimination of errors and disruption, etc. by analysing vehicle data and customer feedback,

- Processing data on a central prospect and customer care platform, as well as in up and downstream systems for customer loyalty and sales purposes,

- Settlement of guarantee and goodwill cases, processing of non-contractual questions and concerns from prospective customers and clients,

- Needs analysis and customer segmentation, e.g. calculating and evaluating affinities, preferences and customer potentials,

- Risk management and coordination of recall campaigns,

- Credit assessment through data exchange with credit agencies (e.g. SCHUFA),

- Ensuring the legally compliant handling, prevention of and protection against statutory violations (especially criminal offences), assertion of and defence against legal claims, internal and external compliance measures,

- Ensuring availability, operation and security of technical systems, as well as technical data management.

When we send e-mails to customers and prospective customers, we may use commercially available technologies such as tracking pixels or click-through links. This allows us to analyse which or how many e-mails are delivered and/or rejected and/or opened. The latter is carried out in particular by tracking pixel. It is not possible to measure the opening rate of our e-mails in full using tracking pixels, for example, if you have deactivated the display of images in your e-mail programme. In this case, the e-mail will not be displayed completely. It is nevertheless still possible for us to determine whether an e-mail has been opened if you click on the text or graphic link in the e-mail. Using click-through links, we can analyse which links have been clicked in our e-mails and determine the interest in certain topics. If you click on the corresponding link, you will be guided through our separate analysis server before accessing the target page. Based on the analysis results, we can make e-mails more relevant, send them in a more targeted manner or prevent e-mails from being sent. If you do not want such information collected and tracked, do not click text or graphic links in e-mails.

7. Consent

We process your personal data on the basis of corresponding consent. Data is processed on the basis of Article 6 Paragraph 1 (a) GDPR. If you have given consent, this is always for a specific purpose; the purposes of processing arise from the respective content in your declaration of consent. You may revoke your consent at any time, without affecting the legality of the processing carried out on the basis of your consent until revocation.

Insofar as you have given corresponding consent, the companies listed in the declaration of consent may, on this basis, use the data for individual customer and prospective customer support, for example, and contact you for these purposes via the communication channels you have requested. Your data is used within this framework to offer you an inspiring brand and support experience with Porsche and to make our communication and interaction with you as personal and as relevant as possible. Which of your data is specifically used for individual customer and prospect support depends in particular on which data was collected when using the services and which data you provided within the framework of the services (e.g. your personal interests).

8. Change of purpose

Where we process your personal data for a purpose other than that for which it was collected, beyond appropriate consent or a compelling legal basis, we will take into account, in accordance with Article 6 Paragraph 4 of the GDPR, the compatibility of the original purpose and the purpose now pursued, the nature of the personal data, the possible consequences for you of further processing and the safeguards for the protection of the personal data.

9. Profiling

We do not use automated decision-making in accordance with Article 22 GDPR to prepare, establish or conduct business relationships. If profiling is carried out, this is only done for the purposes stated in the General Privacy Policy, the Specific Privacy Policy and, if applicable, the additional Special Data Protection Notices of the respective service and on the basis of the legal grounds stated.

10. Device access permissions

Some functions of the services require you to grant access to your end device (e.g. access to location data). Granting permissions is voluntary. However, if you wish to use the corresponding functions, you must grant the corresponding authorisations, otherwise you will not be able to use these functions. Permissions remain active unless you revoke them in your device by deactivating the relevant setting. You can find out in which areas access to the device should occur in the Specific Privacy Policy and, if applicable, in the further Special Data Protection Notices of the respective service.

11. Cookies and comparable technologies

Insofar as we use cookies and comparable technologies within the scope of the services, you can find corresponding explanations in the specific data protection declaration and the further special data protection information of the respective service.

12. Sources and data categories in the collection of data by third parties

We also process personal data that we receive from third parties or from publicly available sources. Below is an overview of the relevant sources and the categories of data obtained from these sources.

- Porsche AG and its group companies, Porsche dealers and service operations: e.g. information about the products you use and your interests;

- Cooperation partners and service providers: e.g. creditworthiness data from credit agencies.

For information on collection of data by third parties, please refer to the Specific Privacy Policies and, if applicable, the further Special Data Protection Notices of the respective service.

13. Recipients of personal data

Within our company, the only people who have access to your personal data are those who need this for the purposes named above. We only pass on your personal data to external recipients if a legal licence exists or if we have your consent. Below you will find an overview of the corresponding recipients:

- Processors: Porsche AG and its group companies or external service providers, for example in the areas of technical infrastructure and maintenance, who are carefully selected and checked. The processors may only use the data in accordance with our instructions.

- Public bodies: authorities and public institutions, such as public prosecutors, courts or tax authorities to which we (must) transfer personal data, e.g. to fulfil legal requirements or to safeguard legitimate interests.

- Private entities: Porsche AG and its group companies, Porsche sales companies, dealerships and service companies, cooperation partners, service providers (not bound by instructions) or authorised persons such as Porsche Centres and Porsche Service Centres, financing banks, credit agencies or transport service providers.

14. Data processing in third countries

If data is transferred to bodies whose headquarters or place of data processing is not located in a member state of the European Union, another country outside of the European Union that is a signatory to the Agreement on the European Economic Area or a state for which an appropriate level of data protection has been determined through a decision of the European Commission, we will ensure before disclosure that the data transfer is either covered by a legal authorisation, that there are guarantees for an adequate level of data protection with regard to the data transfer (e.g. through the agreement of contractual warranties, officially recognised regulations or binding internal data protection regulations at the recipient) or that you have given your consent to the data transfer.

Insofar as data is transferred on the basis of Articles 46, 47 or 49, Paragraph 1, Subparagraph 2 GDPR, you can obtain from us a copy of the guarantees for the existence of an adequate level of data protection with regard to the data transfer or information on the availability of a copy of the guarantees. For this purpose, please use the information under point 1.

15. Duration of storage, deletion

The following shall apply if the description of the individual services does not provide information about the specific duration of storage or the deletion of the personal data:

We store your personal data, if a legal permission exists for this, only as long as necessary to achieve the purposes pursued or as long as you have not revoked your consent. In the event that you object to the processing, we will delete your personal data unless further processing is permitted by the legal provisions. We will also delete your personal data if we are obligated to do so for other legal reasons. Pursuant to these general principles, we will usually erase your personal information immediately

- after elimination of the legal basis and if no other legal basis (e.g. commercial and tax retention periods) impinges. If the latter is the case, we will erase the data once that other legal basis ceases to apply;

- if your personal data is no longer required for our purposes, and if no other legal basis (for example, commercial and tax retention periods) impinges. If the latter is the case, we will delete the data once that other legal basis ceases to apply.

16. Rights of data subjects

Right to information: you have the right to receive information about your personal data stored by us.

Permission and deletion right: you may request us to correct incorrect data and – insofar as the legal requirements are fulfilled – to delete your data.

Limitation of processing: you may require us to restrict the processing of your data, provided that the legal requirements are met.

Data transferability: if you have provided us with data based on a contract or consent, you may, if the statutory requirements are met, obtain from us the data provided by you in a structured, commonly used and machine-readable format, or require us to transmit it to another controller.

Objection: you have the right to object at any time, on grounds relating to your particular situation, to our processing of your data, provided this objection is based on the safeguarding of "legitimate interests". If you make use of your right of objection, we will stop processing your data, unless we can prove, in accordance with the legal requirements, compelling legitimate reasons for further processing that outweigh your rights.

Objection to direct marketing: if we process your personal data for the purpose of direct marketing, you have the right to object to our processing of your data for this purpose at any time. If you exercise your right to object, we will stop processing for this purpose.

Withdrawal of consent: if you have given us consent to the processing of your personal data, you can revoke this at any time with effect for the future. The withdrawal of consent will not affect the lawfulness of processing before its withdrawal.

Right of appeal to the supervisory authority: you can also lodge a complaint with the competent supervisory authority if you believe that the processing of your data violates applicable law. You can contact the supervisory authority responsible for your place of residence or country or the supervisory authority responsible for us.

Your contact with us and exercising your rights: furthermore, you can contact us free of charge with questions about the processing of your personal data and about your rights as a data subject. Please contact us by e-mail atdataprotection.salesandmarketplace@porsche.de

via the website https://www.porsche.com/international/privacy/contact/ or by post at the address indicated in section 1 above. When doing so, please make sure that we can clearly identify you. If you wish to withdraw your consent, you can alternatively use the method of contact that you used when you gave your consent.

17. Offers from third parties

Services of other providers that are referred to via our services were and are created and hosted by third parties. We have no influence over the design, content and function of these services. We dissociate ourselves expressly from the content of all services referred to. Please note that these services, for example third-party websites, may place their own cookies on your device and may collect personal data. We have no influence over this. If necessary, please refer directly to the providers of these referred services.

Insofar as the services also incorporate services of other providers in order to offer you certain content or functions, you can find corresponding explanations in the Specific Privacy Policy and the further Special Data Protection Notices of the respective service.

18. Status

The most up-to-date version of this Privacy Policy shall apply.

Status: 01.08.2022

In addition to the General Privacy Policy in relation to My Porsche and Porsche Connect Services / Porsche Digital Service Infrastructure, this Specific Privacy Policy applies to the use of the Porsche Golf Circle App (hereinafter also referred to as the "app").

If we refer to this Privacy Policy from external social media profiles, the following explanations apply only insofar as the processing takes place in our area of responsibility and insofar as no more specific and therefore prior information on data protection is provided in the context of such social media profiles.

1. Purposes and legal basis of data processing

In the following, you will find an overview of the purposes and legal basis of data processing in connection with the provision of the app and the functions available via the Porsche Golf Circle App.

1.1 Performance of a contract and pre-contractual measures

We process your personal data if this is necessary for the performance of a contract to which you are a party or for the performance of pre-contractual measures that take place at your request. The data processing is based on Article 6 par. 1 lit. b) GDPR. The purposes of the processing include enabling the use of our services within the scope of the app. In the specific case, these are in particular the following functions:

• Registration and login: Registration takes place using your Porsche ID. You can find more information on the processing of your data as part of Porsche ID in the general Privacy Policy for the Porsche Digital Service Infrastructure and Porsche ID. The data will be used by us to create your user account and later to identify you each time you log in.

• Your user profile: As part of the app, you can supplement the information based on your Porsche ID with further details to create an individual user profile. In particular, you can add the following information: profile picture, name and user name, location, badges, handicap, home club and other golf clubs used and other. Your user profile can be accessed by us and other users and searched for the information it contains.

• Posting user content: You may post your own content such as posts, comments and or distribute "Likes" and “Comments” for other user posts which will then be linked to your user profile. If the content is posted in a language other than the set device language of the end device, an automatic translation is performed. An external service provider is used for this purpose. The user content can be accessed by us and the other users.

• Chat between users: You may use the chat function to chat with other users.

• Organization of events: The events themselves are created by us, Porsche AG or its other group companies, Porsche Centers or also by the users. If you participate in the events, your participation and possibly also your score may be published as part of the app and assigned to your user profile.

1.2 Safeguarding of legitimate interests

We also process your personal data to pursue the legitimate interests of ourselves or third parties, unless your rights, which require the protection of your personal data, outweigh these interests. The data processing is based on Article 6 par. 1 lit. f) GDPR. The processing for the protection of legitimate interests is carried out in addition to the information provided in the general Privacy Policy for the Porsche Digital Service Infrastructure and Porsche ID for the following purposes or to protect the following interests.

• User content and networking: Insofar as your personal data are affected by other users’ content or in the context of their use of the networking functions (e.g., when your picture is included in another user’s post), our legitimate interest in processing such data follows from enabling the use of our services within the framework of the Terms of Use.

• Supplementing the customer data: We may use the information from your user profile to supplement your customer data record if it is linked to your Porsche ID. We use this supplemented customer data record as specified in the general Privacy Policy for the Porsche Digital Service Infrastructure and Porsche ID for customer loyalty and sales purposes, for the further development of products and for customer segmentation.

• Technical evaluation: When you access the app, data relating to your terminal device and your use of the app is processed and stored in a so-called log file. This concerns in particular technical data such as date and time of access, duration of the visit, type of end device, operating system used, functions used, amount of data sent, IP address and referrer URL. We process this data to ensure technical operation and to identify and eliminate malfunctions. In doing so, we pursue the interest of ensuring technical functionality on a permanent basis. We do not use this data for the purpose of drawing conclusions about your person.

· Further development of products, services and support offers as well as other measures to control business transactions and processes;

· Improvement of product quality, elimination of errors and malfunctions;

· Handling of non-contractual inquiries and concerns;

· Ensuring legally compliant actions, prevention of and protection against legal violations (especially criminal offences), assertion of and defence against legal claims, internal and external compliance measures;

· Ensuring availability, operation and security of technical systems as well as technical data management;

· Answering and evaluation of contact requests and feedback.

1.3 Consent

We process your personal data on the basis of corresponding consent. The data processing is based on Article 6 paragraph 1 letter a) GDPR. If you give your consent, it is always for a specific purpose; the purposes of processing are determined by the content of your declaration of consent. You may revoke any consent you have given at any time, without affecting the legality of the processing that has taken place on the basis of the consent until revocation.

• Newsletter: We send newsletters after corresponding registration, i.e. with your consent. If the contents of the newsletter are specifically described in the registration, these are decisive for the scope of the consent. In addition, our email newsletters contain information on new content from the Porsche Golf Circle and Porsche. Registration takes place by means of the so-called double opt-in procedure, i.e. after your registration you will receive an email in which you are asked to confirm your registration in order to prevent misuse of your email address. We log the registrations for the newsletter in order to be able to prove the registration process and the consent contained therein in accordance with the legal requirements. The logging of the registration and the processing of the data entered by you during registration that is necessary for this purpose is accordingly carried out on the basis of our legitimate interests pursuant to Article 6 par. 1 lit. f) GDPR. You can revoke your consent to receive our newsletter at any time, e.g. by unsubscribing from the newsletter. You will find an unsubscribe link to exercise this right at the end of each newsletter.

• Photos of events: In order to provide users with impressions of the events, we may publish photos and video recordings of past events as part of the app. Corresponding consent is obtained on site at the respective events. Please also note our data protection information in this regard at the respective event location.

2. Customer and prospect management

In the following, we would like to provide you with further information on data protection in the context of the implementation of customer and prospect management at Porsche. The purpose of the measures is to safeguard customer and prospect-oriented management.

Joint customer and prospect management at Porsche

The measures mentioned in this section within the scope of customer and prospect management (in particular service and support, implementation of legal requirements, needs analyses, individual support via the desired communication channels) are not, in principle, carried out by the person responsible alone. In addition to PSM GmbH, the parties involved in customer and prospect management under the Porsche brand include Dr. Ing. hc F. Porsche AG as manufacturer, the responsible Porsche centres, the responsible importer – in particular Porsche Deutschland GmbH – and other companies affiliated with Porsche in the areas of financial and mobility services, digital services and lifestyle products.

By using a central platform, we avoid situations in which information about your products, contact details and interests is not available to your contact person at Porsche, which would result in you being referred to another company involved. This also applies if the operating company of your respective Porsche Centre changes. By exchanging and comparing data, we ensure that you receive optimal support and advice. Of course, only the companies involved have access to your data, which they also need for operational purposes. Data is processed on the basis of Article 6 Paragraph 1 (f) GDPR.

In certain cases, joint customer and prospect management can lead to joint responsibility. In an agreement pursuant to Article 26 of the GDPR, the participating companies have therefore defined the respective tasks and responsibilities in the processing of personal data and the parties responsible for fulfilling data protection obligations. In particular, stipulations have been made as to how an appropriate level of security can be achieved and how your data subject rights and data protection information obligations can be guaranteed. Alongside the other companies involved, Porsche Sales & Marketplace GmbH is available to you as a central point of contact.

Individual customer and prospect management

Insofar as you have given voluntary consent to the individual customer and prospect management, your data – contact data, support and contract data (e.g. on purchase, leasing or financing), service information and data on interests, vehicles and the services and products that you use from the companies participating in the joint customer and prospect management – is used to send you personally tailored information and offers about vehicles, services and other products from Porsche, invitations to events and surveys on satisfaction and expectations via the desired communication channels and to create an individual customer profile.

The specific data used for this purpose depends on what data was collected on the basis of assignments, orders and consultations or made available by you (e.g. in the consultation at the Porsche Centre or as part of your activities under your Porsche ID at My Porsche). The data can also come from assignments or orders that are processed in collaboration with cooperation partners (e.g. insurance companies) and from whom we may then receive the information. If appropriate approvals have been granted, other data sources may also be included. This can be data from the vehicle (e.g. on your driving behaviour) or on the use of digital media (e.g. on website use). You will receive further information on the merging of the data with the corresponding release.

To offer you an inspiring brand and support experience with Porsche and to make our communication and interaction with you as personal and as relevant as possible, the data mentioned is used for needs analyses and customer segmentation. On this basis, it is possible to determine affinities, preferences and potentials within the scope of the individual customer and prospect management by the participating companies. Key figures regarding your probable product interests and your level of satisfaction are examples of such measures to individualise support. The corresponding information and analysis results are stored in your customer profile and are then available for designing the customer and prospect management. The personal evaluation and assignment in a customer profile only takes place if you have given your voluntary consent to the individual customer and prospect management. We do not offer individual customer and prospect management without these optimisation and personalisation measures.

If you do not give your consent, we only use the data mentioned in the context of customer and prospect management to carry out general evaluations on the basis of aggregated data from customers and prospects, with the aim of optimising our offers and systems and aligning them with overarching interests. Please note that your data may also be evaluated outside the scope of customer and prospect management; this is then based on your specific consent or another legal basis.

When we send e-mails within the context of the individual customer and prospect management, we may use commercially available technologies such as tracking pixels or click-through links. This allows us to analyse which or how many e-mails are delivered and/or rejected and/or opened. The latter is carried out in particular by tracking pixels. If you have deactivated the display of images in your e-mail program, it is not possible to measure the opening rate of our e-mails in full using tracking pixels. In this case, the e-mail will not be displayed completely. It is nevertheless still possible for us to determine whether an e-mail has been opened if you click on the text or graphic link in the e-mail. Using click-through links, we can analyse which links have been clicked in our e-mails and determine the interest in certain topics. If you click on the corresponding link, you will be guided through our separate analysis server before accessing the target page. Based on the analysis results, we can make e-mails more relevant within the scope of the individual customer and prospect management, send them in a more targeted manner or prevent e-mails from being sent. We only send e-mails to you and evaluate their use if you have given your voluntary consent to the individual customer and prospect management. We do not offer individual customer and prospect management without the described evaluation for optimisation.

3. Access authorizations in the end device

To the extent functions of the app require the granting of authorization to access your end device (e.g. access to location data, sending of messages directly from the app), the granting of these authorizations is voluntary. However, if you wish to use the corresponding functions, you must grant the appropriate authorizations, otherwise you will not be able to use these functions. The permissions remain active as long as you have not reset them in your device by deactivating the respective setting.

4. Cookies and similar technologies

When you use our app, "cookies" or similar technologies, i.e. small files, can be stored on your device in order to offer you a comprehensive range of functions to make your use more convenient and to optimise our offers. If you do not wish to use cookies and/or similar technologies, you can prevent their storage on your device by means of the corresponding settings on your device, browser or the app, or use separate options for objecting to their processing. Please note that the functionality and functional scope of our offering may be limited. For detailed information on the type, extent, purposes, legal bases and options for objecting to the processing of data in connection with cookies and similar technologies, please refer to our Cookie Policy for Apps

5. Use of third-party services

For general information about how third-party services are used, see Section 5.3 of the General Privacy Policy in relation to My Porsche and Porsche Connect Services/Porsche Digital Service Infrastructure.

Insofar as we integrate services of other providers within the scope of the app in order to provide you with certain content or functions (e.g. playing videos or route planning) and we process personal data in the process, this is done on the basis of Article 6 paragraph 1 letters b) and f) GDPR. This is because the data processing is then necessary to implement the functions you have selected or to protect our legitimate interest in an optimal range of functions of the app. Insofar as Cookies may be used within the scope of these third-party services, the statements under Section 5 apply. Please also refer to the privacy policy of the respective third-party provider with regard to the third-party services.

Services of other providers which we integrate or to which we refer are provided by the respective third parties. We have no influence on the content and function of the third-party services and are generally not responsible for the processing of your personal data by their providers, unless the third-party services are completely designed on our behalf and then integrated by us on our own responsibility. Insofar as the integration of a third-party service results in us establishing joint processes with its provider, we will define with this provider in an agreement on joint controllership pursuant to Article 26 GDPR how the respective tasks and responsibilities in the processing of personal data are structured and who fulfils which data protection obligations. Insofar as Cookies are to be set on the basis of your consent, you will receive further information on the responsibility for setting these Cookies and any associated third-party services in the corresponding area of the consent management.

Unless otherwise stated, profiles on social media are generally only included in the app as a link to the corresponding third-party services. After clicking on the integrated text/image link, you will be redirected to the offer of the respective social media provider. After the redirection, personal data may be collected directly by the third-party provider. If you are logged in to your user account of the respective social media provider, the provider may be able to assign the collected information of the specific visit to your personal user account. If you interact via a "share" button of the respective social media provider, this information can be stored in the personal user account and published if necessary. If you want to prevent the collected information from being assigned directly to your user account, you must log out before clicking the included text/image link.

6. Changes to this Privacy Policy and version

We reserve the right to change this Privacy Policy.

Date: 28.08.2023.