1. GENERAL INFORMATION AND PRINCIPLES OF DATA PROCESSING We are pleased that you are visiting our website. Protecting your privacy and your personal data (so-called "personally identifiable information") when using our website is an important concern for us.

According to Art. 4 No. 1 GDPR, personal data is any information relating to an identified or identifiable natural person. This includes, for example, information such as your first and last name, your address, your telephone number, your email address, but also your IP address. Data that cannot be linked to you personally, such as through anonymization, is not personal data. The processing of personal data (e.g., collection, storage, reading, querying, use, transmission, deletion, or destruction) according to Art. 4 No. 2 GDPR always requires a legal basis or your consent. Processed personal data must be deleted as soon as the purpose of the processing has been achieved and there are no longer any legally prescribed retention obligations to be observed. Here you will find information about the handling of your personal data when visiting our website. To provide the functions and services of our website, it is necessary for us to collect personal data about you. We also explain the type and scope of the respective data processing, the purpose and corresponding legal basis, and the respective storage period.

This privacy policy applies only to this website. It does not apply to other third-party websites to which we merely refer via a hyperlink. We cannot accept responsibility for the confidential handling of your personal data on these third-party websites, as we have no influence over whether these companies comply with data protection regulations. Please inform yourself directly on those websites about how these companies handle your personal data.

2. RESPONSIBLE ENTITY (CONTROLLER) The entity responsible for the processing of personal data on this website is: SPRIND GmbH Lagerhofstr. 4, 04103 Leipzig, Germany Management: Ms. Berit Dannenberg and Mr. Rafael Laguna de la Vera Email: INFO@SPRIND.ORG

3. HOSTING Our website is hosted at […]. Processing takes place on servers in Germany. When you visit our website, the hosting service provider processes server log files for technical reasons (in particular: IP address, date and time of access, page/file accessed, status code, amount of data transferred, as well as information about the browser/operating system used and the referrer). This processing is carried out for the purpose of providing the website and ensuring stability and security (e.g., error analysis and defense against attacks). The legal basis is Art. 6 Para. 1 (e) GDPR. The hosting service provider acts as a processor for us (Art. 28 GDPR). As a matter of principle, processing outside the EU/EEA does not take place within the scope of hosting unless otherwise stated. Server log files are only stored as long as necessary for the stated purposes and are subsequently deleted or anonymized.

4. DATA PROTECTION OFFICER If you have any questions regarding data protection, a Data Protection Officer acting for SPRIND is available at the business address: SPRIND GmbH, Lagerhofstr. 4, 04103 Leipzig, Email: DATENSCHUTZ@SPRIND.ORG.

5. DATA PROCESSING WHEN VISITING OUR WEBSITE

5.1. Type of Data Processed

5.1.1. Server Log Files and Technically Necessary Cookies When accessing and visiting our website, data from you is processed. This data includes, in particular: • IP address of the accessing terminal device or connection • Technically unique identification mark for recognizing the user across the entire website • Date and time of retrieval • Query made by the client • Message as to whether the retrieval was successful • Client information (including browser, operating system) • Amount of data transferred The storage and processing of this data take place on the one hand in server log files and on the other hand through so-called technically necessary cookies. Cookies are small text files that are stored on your terminal device by us or another entity and through which certain information flows to the entity setting the cookie. Session cookies, for example, are technically necessary cookies. They serve to assign activities on our website (e.g., page changes) to a session.

5.1.2. Use of Analysis Cookies or Comparable Tools When using our website, cookies and technologies comparable in function (hereinafter uniformly referred to as "cookies") are also set for analysis purposes. These cookies are only set if you have given us your prior consent. In this case, the following data in particular will be processed: • 2 bytes of the IP address of the user's calling system • The website accessed • The website from which you reached the accessed website (referrer) • The subpages accessed from the accessed website • The duration of stay on our website • The frequency of access to our website

5.2. Purpose and Legal Basis of Data Processing Data processing via log files and technically necessary cookies is carried out to ensure the error-free operation of our website. It also serves for troubleshooting, providing the intended functionality of the website, and the defense against and analysis of attacks. Data processing via cookies helps to optimize the website. With these technologies, we can, for example, recognize how the website is used, which subpages are visited often, and whether visitors return. The integration of social media serves the appealing presentation of our website and user-friendliness and represents a legitimate interest of ours. Insofar as data is retrieved from the user's terminal device or stored on the terminal device (technically necessary cookies), this is done on the legal basis of Section 25 Para. 2 of the Telecommunications-Digital-Services-Data-Protection-Act (TDDDG), as the retrieval and storage are required for the provision and intended functions of the website. Insofar as information is stored in your terminal equipment or information already stored there is accessed, this is based on your consent pursuant to Section 25 Para. 1 TDDDG. The setting of cookies only takes place if you have given us consent. The legal basis is therefore consent pursuant to Art. 6 Para. 1 (a) GDPR. You can revoke your consent to cookies at any time via the "Revoke Consent" link at the bottom of this page or via the privacy settings.

5.3. Storage Duration The access data collected as part of the use of our website is only kept for the period for which this data is required to achieve the above purposes. Your IP address is stored on our web server for a maximum of 7 days for IT security purposes.

6. DATA PROCESSING WHEN CONTACTING VIA EMAIL OR CONTACT FORM

6.1. Type of Data Processed If you contact us via the contact form provided or via email, the data you provide–such as your email address, your first and last name if applicable, and details of your request–will be stored by us to answer your questions.

6.2. Purpose and Legal Basis of Data Processing The purpose of the data processing is to handle your inquiry. Legal bases for processing your personal data are: • Generally, your consent according to Art. 6 Para. 1 (a) GDPR. You can revoke the consent you have given us at any time at INFO@SPRIND.ORG; • Art. 6 Para. 1 (b) GDPR, provided that the contact aims at the conclusion or performance of a contract.

6.3. Storage Duration We delete your data unless we no longer need it and no statutory retention obligations (ten years according to Section 147 Para. 1 AO; six years according to Section 257 Para. 1 HGB) stand in the way. In principle, data is deleted when it is no longer required to answer the inquiry. If the data is assigned to a contractual relationship, the storage period depends on the respective term or, if applicable, the statutory limitation period.

7. NEWSLETTER

7.1. Type of Data Processed You have the opportunity to subscribe to our newsletter on our website, through which we inform you about current developments. For registration for our newsletter, we use the double-opt-in process. After you have registered for the newsletter, you will receive an email at the address provided, in which we ask you to confirm the subscription and confirm that you are the owner of the corresponding email address. The link provided is valid for 24 hours. If we do not receive confirmation from you within this time, we will block your information and delete it after one month. When you confirm your email address, we store your IP address and the time of registration and confirmation in order to prove your registration and to clarify any possible misuse of your personal data. The only mandatory information for sending the newsletter is your email address. Providing additional, separately marked personal data is voluntary and is used to address you personally. After your confirmation, we store your email address and any other voluntary information for the purpose of sending the newsletter and optimizing the newsletter service.

7.2. Purpose and Legal Basis of Data Processing To send the newsletter, we need your email address, which we store for this purpose. You can also provide further data for a personalized address if you wish. The processing of personal data is based on your consent according to Art. 6 Para. 1 (a) GDPR.

7.3. Storage Duration We store your data until you revoke your consent. You can declare your revocation by clicking on the link provided in every newsletter email, by email to INFO@SPRIND.ORG, or by a message to the contact details published above.

7.4. Recipients of Personal Data We would like to point out that our email newsletter is sent via the technical service provider Hubspot Germany GmbH, Am Postbahnhof 17 in 10243 Berlin ("Hubspot"), to whom we pass on the data provided by users when registering for the newsletter. A corresponding agreement for order data processing is in place. The data entered by users for the purpose of receiving the newsletter (e.g., email address) is stored on Hubspot's servers in the EU/EEA. Hubspot uses this information to send and statistically evaluate the newsletter on our behalf. For the evaluation, the newsletters sent contain so-called web beacons or tracking pixels, which represent one-pixel image files stored on our website. This makes it possible to determine whether a newsletter message has been opened and which links, if any, were clicked. Technical information is also collected (e.g., time of retrieval, IP address, browser type, and operating system).

8. EVENTS

8.1. Type of Data Processed When registering for one of our events, we process your email address, your first and last name if applicable, your position and company, and your telephone number.

8.2. Purpose and Legal Basis of Data Processing We process your personal data insofar as this is necessary for the purpose of planning and conducting events, as well as for registration and participant management. In addition, data processing serves the networking of participants. The processing of personal data serves the fulfillment of SPRIND's tasks (Art. 6 Para. 1 (e) GDPR). There is an increased public interest in receiving information on the content of the event, the participants, and the general conditions. If, for example, you participate in an event as a speaker, the legal basis is the contract or pre-contractual measures regarding the performance of an event or participation in an event according to Art. 6 Para. 1 (b) GDPR.

8.3. Storage Duration Regarding data processing on the legal basis of Art. 6 Para. 1 (e) GDPR, you have the right to object at any time under Art. 21 Para. 1 GDPR for reasons arising from your particular situation. We will then no longer process your data unless we can prove compelling legitimate grounds for processing that outweigh your interests, rights, and freedoms, or the processing serves the assertion, exercise, or defense of legal claims. In the case of consent, we store your data until you revoke your consent. You can declare your revocation by email to INFO@SPRIND.ORG or by a message to the contact details published above.

9. VIRTUAL EVENTS To conduct virtual events (telephone conferences, online meetings, video conferences, and/or webinars), we use "Zoom." Zoom is a service of Zoom Video Communications, Inc., based at 55 Almaden Blvd., San Jose, CA 95113, USA. Insofar as you access the Zoom website, the provider of Zoom is responsible for data processing. However, accessing the website is only necessary for the use of Zoom to download the software for using Zoom. You can also use Zoom by entering the respective meeting ID and any other access data for the meeting directly in the Zoom app. If you do not want to or cannot use the Zoom app, basic functions can also be used via a browser version, which you can also find on the Zoom website.

9.1. Type and Scope of Processing As part of registration, organization, and execution of the virtual event, we process personal data necessary for the technical and content-related implementation. This includes, in particular: • User details: Displayed username, email address if applicable, optional profile picture, and preferred language if applicable. • Meeting metadata: Information such as meeting ID, description (if provided), time and duration of the meeting, IP addresses of participants, device and hardware information, and approximate location. • Telephone dial-in: When participating by telephone, details of the incoming and outgoing phone number, the country from which the call was made, and the start and end time of the call are processed. Connection data such as the IP address of the device used may also be stored. • Audio and video data: If you activate your camera and/or microphone, image and sound data from your terminal device will also be processed for the duration of the meeting. The use of these functions is voluntary–you can deactivate or mute the camera and microphone at any time yourself via the Zoom application.

9.2. Purposes and Legal Basis of Data Processing We process your personal data insofar as this is necessary for the purpose of organizing, conducting, and following up on virtual events, as well as for registration and participant management. In doing so, we process the data in particular in the context of SPRIND's public relations work. In addition, data processing serves the networking of participants. Finally, we process the data to provide participants with further information after the event (e.g., links to recordings, presentation materials, consolidated Q&A documents, and links to further content). We generally process your data in the context of virtual events on the basis of Art. 6 Para. 1 (b) GDPR, provided that the meetings are conducted within the framework of (pre-)contractual relationships. If, for example, you participate in a virtual event as a speaker, the legal basis is the contract or pre-contractual measures regarding the performance of a virtual event or participation in a virtual event according to Art. 6 Para. 1 (b) GDPR. Should no (pre-)contractual relationship exist, we process your data on the basis of Art. 6 Para. 1 (e) GDPR. The processing of personal data serves the fulfillment of SPRIND's tasks. There is an increased public interest in receiving information on the framework conditions and content of the EUDI Wallet provided within the scope of virtual events, as well as SPRIND's interest in achieving well-attended virtual events. Insofar as personal data of SPRIND employees is processed, Art. 6 Para. 1 (b) GDPR is the legal basis for data processing. Should personal data be processed in connection with the use of "Zoom" that is not directly necessary for the establishment, implementation, or termination of an employment relationship, but is necessary for the conduct of virtual events within the framework of our public duties, processing takes place on the basis of Art. 6 Para. 1 (e) GDPR in conjunction with the respective special statutory regulation. In these cases, processing serves the effective preparation, execution, and follow-up of virtual events within the framework of the sovereign tasks assigned to us.

9.3. Storage Duration Your data is processed specifically for the purpose of organizing and administering a virtual event and is deleted as soon as the purpose for processing has ceased. Data deletion takes place in compliance with statutory retention periods – six years regarding correspondence, and ten years regarding any invoicing that may have occurred. Regarding data processing on the legal basis of Art. 6 Para. 1 (e) GDPR, you have the right to object at any time under Art. 21 Para. 1 GDPR for reasons arising from your particular situation. We will then no longer process your data unless we can prove compelling legitimate grounds for processing that outweigh your interests, rights, and freedoms, or the processing serves the assertion, exercise, or defense of legal claims. In the case of consent to the further use of data for marketing or, for example, to receive email newsletters, we store your data until you revoke your consent. You can declare your revocation by email to INFO@SPRIND.ORG or by a message to the contact details published above.

9.4. Recipients Unless they are intended for disclosure, personal data processed in connection with participation in webinars is generally not passed on to third parties. Zoom necessarily receives knowledge of the aforementioned data insofar as this is provided for within the framework of the data processing agreement concluded with the service provider. You can find Zoom's privacy policy at: https://www.zoom.com/en/trust/privacy/privacy-statement/. There you will also find further information on your rights and settings options for protecting your privacy.

10. FILM AND PHOTO RECORDINGS AT OUR EVENTS

10.1. Type of Data Processed Film and photo recordings are regularly made at our events. These are used by us for documentation and presentation of the event to the public. The recordings made by us can be published in both print and digital form, e.g., on websites, press and event formats, and social media.

10.2. Purpose and Legal Basis of Data Processing We organize high-profile public events. The processing of film and photo recordings serves the fulfillment of SPRIND's tasks (Art. 6 Para. 1 (e) GDPR). There is an increased public interest in receiving information on the content of the event, the participants, and the general conditions. As a rule, both group and individual recordings are made. As a participant, you can leave the recording area at any time. Regarding the processing of your film and/or photo recordings and their publication in print, online, and social media, as well as with regard to any other data processing on the legal basis of Art. 6 Para. 1 (e) GDPR, you have the right to object at any time under Art. 21 Para. 1 GDPR for reasons arising from your particular situation. We will then no longer process your data unless we can prove compelling legitimate grounds for processing that outweigh your interests, rights, and freedoms, or the processing serves the assertion, exercise, or defense of legal claims. If you participate in the event as a speaker or contribute to its implementation and portrait shots are potentially made of you, the legal basis for processing your personal data for the above-mentioned purposes is consent pursuant to Art. 6 Para. 1 (a) GDPR, Art. 7 GDPR. You can revoke your consent with effect for the future at INFO@SPRIND.ORG.

10.3. Storage Duration Film and photo recordings are generally processed for as long as is necessary for the documentation of the event and public relations work.

11. SOCIAL MEDIA As part of its public relations work, SPRIND maintains online presences within the following social networks: • LinkedIn of LinkedIn Ireland Unlimited Company (Wilton Place, Dublin 2, Ireland), • Instagram c/o Meta Platforms Ireland Limited (4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland), in order to inform users active there about SPRIND and the EUDI Wallet and to engage in an exchange with users. The references are marked within our website, among other things, by a link to our presence on the corresponding social networks. No social plugins are used. We point out that the terms of use of the services mentioned and linked on our homepage and their operators are not subject to the control of SPRIND and you use these at your own responsibility. These services and their operators store and process personal data of their users (including IP address, the application used, details of the terminal device you use including device ID and application ID, information from websites accessed, your location, and your mobile service provider). The data collected about you when using the services is processed according to their own policies and may be transferred to countries outside the European Union. This data is assigned to the data of your respective account or profile, provided you have set one up. SPRIND has no influence on the data collection and its further use by the social networks. Thus, there is no knowledge of the extent, location, and duration for which the data is stored, the extent to which the networks comply with existing deletion obligations, which evaluations and links are made with the data, and to whom the data is passed on. For information on your rights and settings options for protecting your privacy, please refer to the respective privacy notices: • https://www.linkedin.com/legal/privacy-policy • https://help.instagram.com/581066165581870/?helpref=hc_fnav The services pass on your personal data to their processors and third-party service providers, who are based, among other places, outside the European Economic Area (EEA). These process the personal data obtained in this way for their own purposes, e.g., analysis and marketing as well as your usage behavior on external and own websites of the third-party providers. Profiling is also not excluded. The personal data collected from you and those from third-party providers are transmitted to servers that are mostly located in the USA. Data transfer to the USA can be based on the agreement in the case of certification of the service under the Data Privacy Framework. The following services used by us are certified: • LinkedIn • Meta Nevertheless, it cannot be ruled out that US security authorities equipped with comprehensive powers may access your personal data at any time and without cause. This applies even if the servers are located in Europe. No effective legal remedies are available to you against this. You have options to restrict the processing of your data in the general settings of your user accounts. Furthermore, on mobile devices, you can restrict the services' access to contact and calendar data, photos, location data, etc., in the settings options there. However, this depends on the operating system used.

12. DATA TRANSFER TO THIRD COUNTRIES We use the video conferencing and communication software of Zoom Video Communications, Inc., based at 55 Almaden Blvd., San Jose, CA 95113, USA, to conduct virtual events. When using the Zoom service, the data you provided to us via the online form is processed. The permissibility of this processing is generally based on Art. 6 Para. 1 (e) GDPR (legitimate interest) or serves (pre-)contractual measures, Art. 6 Para. 1 (b) GDPR, unless consent is required, which we may obtain separately. Data transfer to the USA also takes place. Data transfer to a third country, such as the USA, is permissible under the conditions of Art. 46 GDPR and on the basis of a suitable guarantee. An adequate level of data protection is guaranteed, on the one hand, by the conclusion of so-called EU Standard Contractual Clauses. These were approved by the European Commission and guarantee you adequate protection of your personal data. You can access Standard Contractual Clauses on the website of the European Commission (https://commission.europa.eu/publications/publications-standard-contractual-clauses-sccs_de). The provider of Zoom is also certified according to the so-called EU-U.S. Data Privacy Framework (DPF). We have concluded a data processing agreement with the provider of "Zoom" that meets the requirements of Art. 28 GDPR. As supplementary protective measures, we have also configured our Zoom settings so that only data centers in the EU, the EEA, or secure third countries such as Canada or Japan are used for conducting virtual events. You can find Zoom's privacy policy at: https://www.zoom.com/en/trust/privacy/privacy-statement/. There you will also find further information on your rights and settings options for protecting your privacy.

13. RIGHTS OF THE DATA SUBJECT The GDPR grants you as a data subject certain rights in relation to your personal data. These include:

13.1. Right of Access (Art. 15 GDPR) You have the right to request confirmation as to whether personal data concerning you is being processed. If this is the case, you have a right of access to this personal data and to the information listed in detail in Art. 15 GDPR.

13.2. Right to Rectification (Art. 16 GDPR) You have the right to demand the immediate rectification of incorrect personal data concerning you and, if necessary, the completion of incomplete data.

13.3. Right to Erasure (Art. 17 GDPR) You have the right to demand that personal data concerning you be deleted immediately, provided that one of the reasons listed in detail in Art. 17 GDPR applies.

13.4. Right to Restriction of Processing (Art. 18 GDPR) You have the right to demand the restriction of processing if one of the conditions listed in Art. 18 GDPR is met, e.g., if you have lodged an objection to the processing, for the duration of the review by the controller.

13.5. Right to Data Portability (Art. 20 GDPR) In certain cases listed in detail in Art. 20 GDPR, you have the right to receive the personal data concerning you in a structured, common, and machine-readable format or to demand the transmission of this data to a third party.

13.6. Right of Revocation (Art. 7 GDPR) Insofar as the processing of data is based on your consent, you are entitled according to Art. 7 Para. 3 GDPR to revoke your consent to the use of your personal data at any time. Please note that the revocation only takes effect for the future. Processing that took place before the revocation is not affected.

13.7. Right to Object (Art. 21 GDPR) IF DATA IS COLLECTED ON THE BASIS OF ART. 6 PARA. 1 (F) GDPR (DATA PROCESSING FOR THE PROTECTION OF LEGITIMATE INTERESTS) OR ON THE BASIS OF ART. 6 PARA. 1 (E) GDPR (DATA PROCESSING FOR THE PROTECTION OF PUBLIC INTERESTS OR IN THE EXERCISE OF OFFICIAL AUTHORITY), YOU HAVE THE RIGHT TO OBJECT TO THIS PROCESSING AT ANY TIME FOR REASONS ARISING FROM YOUR PARTICULAR SITUATION. UNLESS THERE ARE PROVABLY COMPELLING LEGITIMATE GROUNDS FOR PROCESSING THAT OUTWEIGH YOUR INTERESTS, RIGHTS, AND FREEDOMS, OR THE PROCESSING SERVES THE ASSERTION, EXERCISE, OR DEFENSE OF LEGAL CLAIMS, WE WILL NO LONGER PROCESS THE PERSONAL DATA.

13.8. Complaint to a Supervisory Authority Furthermore, according to Art. 77 GDPR, you have the right to complain to a supervisory authority if you believe that the processing of your personal data violates the GDPR. The supervisory authority responsible for us is: The Federal Commissioner for Data Protection and Freedom of Information (“BfDI”) Graurheindorfer Str. 153, 53117 Bonn, Germany Phone: +49(0)228 997799-0 Email: poststelle@bfdi.bund.de De-Mail: poststelle@bfdi.de-mail.de Contact: https://www.bfdi.bund.de/DE/Service/Kontakt/kontakt_node.html?logoutReason=restricted Note: However, you can also submit your complaint to any other supervisory authority.

13.9. Assertion of Your Rights Unless otherwise described above, please contact the entity mentioned under No. 2 to assert your data subject rights.

13.10. Processing When Exercising Your Rights If you wish to exercise your rights according to Articles 15 to 22 of the GDPR, we will process the personal data you transmit in order to implement these rights and to be able to provide proof of this. We will process the data stored for the purpose of providing information and preparation exclusively for this purpose and for purposes of data protection control and otherwise restrict processing according to Art. 18 GDPR.

14. AUTOMATED DECISION-MAKING AND PROFILING SPRIND does not use any tools that enable automated decision-making including profiling according to Art. 22 GDPR.