In this notice “Roland Berger”, “we”, “us” or “our” refers to one or more of the Roland Berger Group Companies, most of which are a separate legal entity. The Roland Berger entity with which you have concluded a contract or are in the process of negotiating a contract and/or whose premises you visit and/or who is in contact with you in the context of public relations work is the data controller under the GDPR (if applicable), as this company uses your personal data in the context of the respective relationship with you. The address and name of this Roland Berger entity can be found here .

We welcome your feedback. If you have any comments, complaints or questions regarding this Privacy Notice or our processing of your personal Data, or would like to exercise any of your rights, you can contact us at:

Roland Berger Holding GmbH & Co. KGaA
Sederanger 1
80538 Munich
Germany
Phone: +49-89-9230-0
Fax: +49-89-9230-8202
Email: contact@rolandberger.com

The contact details of our data protection officer are:
Roland Berger Holding GmbH & Co. KGaA
z.Hd. Datenschutzbeauftragter
Sederanger 1
80538 Munich
Germany
Email: dataprotection@rolandberger.com

There are some points on our websites where we collect data for information and marketing purposes with your consent. This is generally done for all Roland Berger entities as joint controllers (Art. 26 GDPR).

This Privacy Notice explains how we collect, store, use, disclose and transfer (hereinafter “process”) your personal data. The personal data that we collect about you depends on the context of your interactions with us, the products, services and features that you use, your location, and applicable law. We process your data for the reasons described below and only for the purpose intended in each case.

Our services are neither aimed at nor intended for children.

It is important that the personal data we hold about you is accurate and current. Should your personal information change, please notify us of any changes of which we need to be aware of. Please use the contact details above or keep your contact person at Roland Berger informed.

In principle, any processing of personal data is prohibited by law and is only permitted if the data processing is subject to an explicit permission. We process your data under the following circumstances:

• "Consent": If you have voluntarily, in an informed and unambiguous manner, by means of a statement or other unambiguous affirmative act, indicated that you consent to the processing of personal data concerning you for one or more specific purposes (Art. 6 para. 1 sentence 1 lit. a GDPR)
• "Performance of a contract": If we conclude a contract with you and the processing is necessary for the performance of this contract to which you are a party or for the implementation of pre-contractual measures taken at your request (Art. 6 para. 1 sentence 1 lit. b GDPR);
• "Legal or regulatory obligation": If the processing is necessary to fulfill a legal obligation to which we are subject, e.g. a legal obligation to retain data (Art. 6 para. 1 sentence 1 lit. c GDPR);
• "Legitimate interests": Where processing is necessary for the purposes of our legitimate interests (in particular legal or economic interests) or those of a third party, except where such interests are overridden by your interests or rights to the contrary (in particular where the data subject is a minor) (Art. 6 para. 1 sentence 1 lit. f GDPR);

The storage of information in your terminal device or access to information that is already stored in the terminal device is only permitted if it is covered by one of the following legal grounds:

• § 25 (1) of the German Telecommunications Digital Services Data Protection Act (TDDDG): If you have given your consent on the basis of clear and comprehensive information. Consent must be given in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR;
• § 25 para. 2 no. 2 TDDDG: If the storage or access is absolutely necessary so that we, as provider of a telemedia service, can offer a telemedia service expressly requested by you.

Server logs
When you visit our websites, we record the following information:

• your IP address;
• the data you requested from the website;
• how much data you downloaded;
• the website from which your accessing system came to our website;
• the server reply code on the request from your browser;
• information about the browser you used;
• the date and time you visited, and for how long; and
• other similar data and information that serves to avert the risk of an attack on our information technology systems.

Roland Berger generally cannot attribute this data to any specific person.

This information is required in order to:

• properly deliver the contents of our websites;
• continually optimize our websites;
• ensure the continued functioning of our information technology systems and the technology of our websites; and
• provide law enforcement authorities with the necessary information for prosecution in the event of a cyberattack.

The legal basis for the processing of the data is Art. 6 para. 1 lit. a) GDPR (to optimize our websites), Art. 6 para. 1 lit. f) GDPR (to properly deliver the contents of our websites and to ensure the continued functioning of our information technology systems and the technology of our websites) and Art. 6 para. 1 lit. c) GDPR (to provide law enforcement authorities with the necessary information for prosecution in the event of a cyberattack).

Personal Data obtained from you directly
We record and process information you enter on our websites or send us otherwise. This includes data you enter in forms or contact fields (e.g. for the subscription of Newsletters) or select from lists or menus.

There are some points on our websites where you can send us information by uploading documents via those websites to our servers. That is what happens when you apply online, for example (refer to the supplementary Recruitment Privacy Policy ).

On our websites, you also have the possibility to contact Roland Berger using the contact forms, email addresses, telephone and fax numbers provided there. When you contact us through the above channels, we will store and process the resulting personal data for the purposes of dealing with your request. Your information can be stored in our Customer Relationship Management (CRM) system. All data are used exclusively for the processing of your request.

The legal basis for the processing of the data is Art. 6 para. 1 lit. f) GDPR (general requests). Where the data are processed in order to take steps prior to entering into a contract at your request, the legal basis shall be Art. 6 para. 1 lit. b) GDPR. We process the personal data we collect solely for the purposes of effectively handling the requests addressed to us.

Profile and login information for access-protected areas
There are some access-restricted areas of the websites for which you need to register before you can use them, like the recruiting/applicant and alumni areas in particular. When registering, there are some details you have to enter that the registration form itself requires, particularly your email address, a password, and some information about yourself. Any other details you enter are voluntary. We process and save this data in accordance with the supplementary Privacy Policies for applicants and alumni .

In some areas of our websites, like our alumni network in particular, some of your registration data or contributions you make can be seen by other users once they log in. It is up to you to decide whether you want other registered users of this site to see your information and, if so, what. You can change these settings at any time. During the registration process, we will ask you to give your consent for processing and saving that data. The legal basis for processing that data is Art. 6 para 1 lit. a) GDPR.

Within our website, we use content or service offers from third parties in order to integrate their content and services. In case of technically necessary cookies we do this on the legal basis of our legitimate interests according to Art. 6 para. 1 lit. f) GDPR, in case of technically non-necessary cookies on the legal basis of your consent according to Art. 6 para. 1 lit. a) GDPR and § 25 para. 1 TDDDG.

Third-party providers may also use so-called pixel tags (invisible graphics, also known as "web beacons") for statistical or marketing purposes. The "pixel tags" can be used to evaluate information such as visitor traffic on the pages of this website.

During some visits we may use software tools such as JavaScript to measure and collect session information, including page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse overs), and methods used to browse away from the page. We may use this information to measure website activity, to develop ideas for improving our websites and for any other purpose to the extent permitted by applicable law.

The pseudonymous information may also be stored in cookies on the user's device and may contain, among other things, technical information about the browser and operating system, referring websites, visiting times and other details about the use of our online offering, and may also be linked to such information from other sources.

We use and engage certain providers to use cookies, web beacons, and similar tracking technologies (collectively, "cookies") on our website. In the following you will find an overview of third-party providers and their content as well as links to their privacy policies, which contain further information on the processing of data and if applicable further options to object (known as opting out). You can, of course, change or withdraw any consent you may have given for cookies that are not absolutely technically necessary in this Privacy Policy under Cookie Declaration.

2.2.2.1 Google Analytics
If you have given your consent, this website uses Google Analytics (GA4), a web analytics service provided by Google LLC. The responsible party for users in the EU/EEA and Switzerland is Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland ("Google").

Scope of processing
Google Analytics uses JavaScript, Pixel and cookies that enable an analysis of your use of our websites. The information collected by means of the cookies about your use of this website is generally transferred to a Google server in the USA and stored there.
We use the User ID function. User ID allows us to assign a unique, persistent ID to one or more sessions (and the activities within those sessions) and to analyze user behavior across devices.
We use Google Signals. This allows Google Analytics to collect additional information about users who have personalized ads enabled (interests and demographics) and ads can be delivered to these users in cross-device remarketing campaigns.
Google Analytics 4 has IP address anonymization enabled by default. Due to IP anonymization, your IP address will be shortened by Google within member states of the European Union or in other states party to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transferred to a Google server in the USA and shortened there. According to Google, the IP address transmitted by your browser as part of Google Analytics will not be merged with other Google data.

As part of the evaluation, Google Analytics 4 also utilizes artificial intelligence such as machine learning for automated analysis and enrichment of data. For instance, Google Analytics 4 models conversions when there is not enough data available to optimize the evaluation and reports. You can find information on this at the related link . Data evaluations are conducted automatically using artificial intelligence or based on specific individually defined criteria. More on this can be found at the related link .

During your website visit, your user behavior is recorded in the form of "events". Events can be:

• Page views
• First visit to the website
• Start of session
• Your "click path", interaction with the website
• Scrolls
• clicks on external links
• internal search queries
• interaction with videos
• file downloads
• language settings
• newsletter subscription

Also recorded:

• Your approximate location (region)
• your IP address (in shortened form)
• technical information about your browser and the end devices you use (e.g. language setting, screen resolution)
• your internet service provider
• the referrer URL (via which website/advertising medium you came to this website)

Purposes of processing
On our behalf, Google will use this information to evaluate your use of the website and to compile reports on website activity. The reports provided by Google Analytics serve to analyze the performance of our website and the success of our marketing campaigns.

Recipients
Recipients of the data are/may be:

• Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (as processor under Art. 28 DSGVO).
• Google LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, USA
• Alphabet Inc, 1600 Amphitheatre Parkway Mountain View, CA 94043, USA

It cannot be ruled out that US authorities may access the data stored by Google.

Third country transfer
Insofar as data is processed outside the EU/EEA and there is no level of data protection corresponding to the European standard, we have concluded EU standard contractual clauses with the service provider to establish an appropriate level of data protection. The parent company of Google Ireland, Google LLC, is based in California, USA. A transfer of data to the USA and access by US authorities to the data stored by Google cannot be ruled out. The USA is currently considered a third country from a data protection perspective. You do not have the same rights there as within the EU/EEA. You may not be entitled to any legal remedies against access by authorities.

Duration of storage
Google places the following cookies when you visit our website and consent to the use of Google Analytics cookies:

_ga (14 Months): This helps us count how many people visit our web presentation if you have already visited before.

_gid (24 Hours): This helps us count how many people visit our web presentation if you have already visited before.

_gat (14 Months): This helps us manage the frequency at which requests for page views are made.

Legal basis
The legal basis for this data processing is your consent pursuant to Art.6 para.1 p.1 lit. a GDPR.

Revocation
You can revoke your consent at any time with effect for the future by accessing the cookie settings and changing your selection there. The lawfulness of the processing carried out on the basis of the consent until the revocation remains unaffected.

You can also prevent the storage of cookies from the outset by setting your browser software accordingly. However, if you configure your browser to reject all cookies, this may result in a restriction of functionalities on this and other websites. In addition, you can prevent the collection of data generated by the cookie and related to your use of the website (including your IP address) to Google and the processing of this data by Google, by

a. not giving your consent to the setting of the cookie or

b. downloading and installing the browser add-on to disable Google Analytics HERE .

For more information on Google Analytics' terms of use and Google's privacy policy, please visit https://marketingplatform.google.com/about/analytics/terms/us/ and at https://policies.google.com/?hl=en .

Server-Side Tracking

We implemented server-side tracking services. As part of this, usage, browser, and device data, including the IP address and user agent, are collected and processed on the server-side. The purpose of this processing is to analyze the use of the website, enabling us to further tailor and improve our website and content. As part of the server-side tracking, we utilize servers that are part of the Google Cloud infrastructure. These servers belong to services such as Google Compute Engine, over which we have full access and control. Although Google provides the platform, the company does not have direct access to our applications or the data stored on them. Access by Google is only possible in specific exceptional cases.

2.2.2.2. Google Tag Manager
This website uses Google Tag Manager. Google Tag Manager is a solution that allows marketed website tags to be managed using an interface. The Tag Manager tool itself (which implements the tags) is a cookie-less domain and does not register Personal Data. The tool causes other tags to be activated that may, for their part, register data under certain circumstances. Google Tag Manager does not access this information. If recording has been deactivated at the domain or cookie level, this setting will remain in place for all tracking tags implemented with Google Tag Manager.

Your consent is the legal basis for this data processing, Art. 6 para.1 lit.a) GDPR.

2.2.2.3 FriendlyCaptcha

To detect bots and ensure the functionality of our website, we use the privacy-friendly solution "Friendly Captcha," a service provided by Friendly Captcha GmbH, Am Anger 3-5, 82237 Wörthsee, Germany. When you visit certain areas of our website, such as the contact form, a connection to the Friendly Captcha servers is established. Your browser receives a computational task that must be solved by your device. Your browser contacts the server of Friendly Captcha through an interface and receives a response indicating whether the puzzle was correctly solved by your device. Additionally, your browser transmits connection data, environmental data, interaction data, and functional data to Friendly Captcha. Friendly Captcha analyzes this data to determine the likelihood of the user being human or a bot and transmits the result to the service user. Based on this, the service user can treat access to their website or specific functions as either human or potentially automated. If personal data (such as your IP address) are processed in this context, they are anonymized using one-way hashing. For more information, please refer to Friendly Captcha’s privacy policy: Datenschutzbestimmungen für Endnutzer - Friendly Captcha .

If you provide us with your business card or share your contact details during personal interaction — for example, at events, trade fairs, business meetings, or seminars — we record the information provided by you. This typically includes your name, company, address, email address, and telephone or fax number. We use this data to initiate and maintain business relationships, send you relevant information about our services, products, and events, and store these details securely in our Customer Relationship Management (CRM) system for efficient contact and relationship management purposes.

The processing of this data is based on your consent (Art. 6 para. 1 lit. a GDPR), the necessity of the data for initiating or fulfilling a contract (Art. 6 para. 1 lit. b GDPR), as well as our legitimate interest in networking, client engagement, and relationship maintenance (Art. 6 para. 1 lit. f GDPR). You can object to this processing or revoke your consent at any time, and we will delete your data, unless retention is required for contractual purposes or due to statutory obligations.

We send newsletters, print materials such as our Think:Act magazine via post, and tailored offers or updates to keep you informed about our services, publications, and events. If you register for our newsletter, either online or through other registration channels, your submission requires the provision of a valid email address along with other mandatory details including your name, company, and job title. Collecting comprehensive information allows us to deliver more personalized and relevant communications that align with your professional interests and areas of focus. After subscribing to the newsletter, you will receive a confirmation link to validate your subscription (Double Opt-In); only after this confirmation will you begin receiving our newsletter.

In addition to electronic communications, our (potential) clients also may receive our Think:Act magazine as a hardcopy sent via post. If we have your postal address within the context of a business relationship and believe the content aligns with your interests, we may send this magazine to you without requiring additional explicit consent.

Where applicable, such communications are based on your consent (Art. 6 para. 1 lit. a GDPR). However, should your contact details originate from a client relationship with us, we may also process your data without prior explicit consent for the purposes of direct advertising, provided this aligns with the provisions of Article 13 para. 2 ePrivacy Directive (2002/58/EC) and e.g. in Germany with Section 7 para. 3 UWG (“Gesetz gegen den unlauteren Wettbewerb” or "Act against Unfair Competition”). You are entitled to opt out of receiving such communications at any time by contacting us via the provided communication channels or through an included unsubscribe link in email newsletters. Upon receiving an objection, we will stop using your data for these purposes and will delete it unless a legal obligation requires us to retain it.

For optimizing our newsletters, we analyze engagement through tracking tools such as web beacons, which allow us to understand interactions like email openings or link clicks. This analysis helps us improve the relevance and quality of our communication and is done with your prior explicit consent (Art. 6 para. 1 lit. a GDPR).

When you participate in events, webinars, surveys, workshops, or competitions organized by us, we process data both during the registration process and throughout the participation itself. In addition to basic registration details such as your name, company, email address, job title, or postal address, we may also record data generated during the course of your participation. This can include inputs provided during discussions, questions asked, feedback shared, voting preferences in interactive sessions, or data from networking activities facilitated through event platforms.

We use this data to manage registration and enable participation (e.g., sending confirmations or reminders, providing access to event platforms, or facilitating post-event follow-up communication). Additionally, the collected data may help us improve future activities, tailor communications to your interests, or provide updates about similar events or topics aligned to your profession and objectives.

Where events or webinars are conducted online, we use platforms like Microsoft Teams or Zoom, For this specific purpose separate data protection notices apply (refer to the supplementary Data Protection Information for M365 Cloud Services by RB and Data Protection Information for Telephone Conferences and Webinars via "Zoom" .

In addition, photographs and/or video recordings can be taken at the event. If you do not wish to be photographed or filmed, please let the photographer or camerapeople know on the spot. We process the photographs and/or video recordings for the purposes of documentation of the event, for printed and for online publicity on our publicly available websites or/and on social media (a.o. Instagram, Facebook, LinkedIn). For controllers in the EU the legal basis for taking and publishing of photographs and/or video recordings is our legitimate interests in reporting on the event pursuant to Art. 6 para. 1 lit. f GDPR. We ask for your separate consent pursuant to Art. 6 para. 1 lit. a GDPR for the publication of photos, if the content and composition of the photos or the intended use requires this. Further Information on the handling of your personal data for the aforementioned purpose can me found here .

If you as a business contact or other person are not simultaneously the affected data subject, you commit to forward this data protection notices to the affected individuals.

We process personal data of our clients, their empoyees, their representatives, and other persons whose personal data we receive from the client —such as name, job title, contact details, and employer—for the purpose of initiating and fulfilling contracts, providing consulting services and maintaining our business relationship. This includes, among other things, communication, invoicing, compliance checks, and invitations to events.

For more detailed information on how your personal data in connection with contractually agreed services is handled, please visit our dedicated Data Protection Notice for Clients

We manage supplier relationships by collecting and processing names, business contact details, bank details, and details of services provided. This involves invoicing and processing payments, ensuring effective communication and performing compliance checks to fulfill our contractual and statutory obligations.

Suppliers of Roland Berger, their employees and other persons whose personal data we receive from the supplier in connection with the specific contract can access more information regarding personal data processing here: Data Protection Notice for Suppliers

If you are in contact with us utilizing Microsoft 365 services for communication, we typically process various types of personal data such as profile data and data collected during meetings to ensure effective and secure communication.

Information regarding the handling of your personal data when using Microsoft365 Cloud Services can be found here: Privacy Notice for Microsoft365 Cloud Services

When you visit our offices, we can collect the following personal information about you for the following purposes:

• contact information by completion of the security list of visitors in line with our legitimate interests (security of the building);
• video images of you in the entry and exit areas from CCTV footage in line with our legitimate interests (security of the building);
• your name and time of entry to our offices through a security access system in line with our legitimate interests (maintaining security of our offices);
• names and dietary preferences for catering purposes in meetings in line with our legitimate interests (respecting visitors’ needs);
• health data to assist in the control of infectious diseases (such as the virus Covid-19) in line with our health and safety legal obligations;
• if applicable, health information by completion of the first aid accident book in order to comply with our health and safety legal obligations; and
• guests’ name and if applicable other information for the purpose of organising events (for example conferences, charity events or student/alumni events) and providing name badges, attendee lists, team lists and table plans.

We have the applicants' area of our different recruiting websites, where potential applicants can apply for jobs, internships and other positions. For this specific purpose a separate data protection notice applies (refer to the supplementary Recruitment Privacy Policy ).

We have our alumni area, where people who used to work for Roland Berger can keep in touch with their former colleagues and the company itself. For this specific purpose separate data protection notice apply (refer to the supplementary Data Protection Notice for alumni ). In order to support our alumni and employees, we offer them our exclusive Pathfinder Job board, where Clients, alumni, and executive search companies can post jobs in this exclusive database. For this specific purpose a separate data protection notice applies (refer to the supplementary Data Protection Notice for Pathfinder ).

We process your personal data to gain professional insights on specific topics relevant to our consulting projects, as well as for studies conducted by Roland Berger. This includes your name, contact details, professional position, and any information you voluntarily share during the interviews and/or surveys. The legal basis for processing is the fulfilment of our contractual agreement with you as a provider of specialised expertise in the requested area, in accordance with Art. 6 para 1 lit. b GDPR. In some cases, it is your consent, in accordance with Art. 6 para. 1 lit. a GDPR. In all other cases, the processing is carried out on the basis of our legitimate interests, pursuant to Art. 6 para 1 lit. f GDPR, to conduct our consulting work and research activities.

Your personal data may be shared within the relevant project or study team. Any disclosure of personally identifiable data to third parties will only occur with your explicit consent. In cases where the results of expert interviews or surveys are used for studies that may be published, shared with clients, or used for internal knowledge management purposes, only anonymized or aggregated insights derived from your input will be used to ensure that your personal information cannot be attributed to you or disclosed to any third party.

When visiting our Page on TikTok (i.e. our User Profile), TikTok collects personal data of the users. Information about the data collection and further processing by TikTok can be found in TikTok's privacy policy .

Roland Berger has no influence on what user data TikTok collects. Roland Berger also has no access to the personalized collected data or your profile data. Roland Berger can only see the public information of your profile and you decide in your TikTok settings what exactly this data is. In addition, you have the option in your TikTok settings to actively hide your "Likes" or to no longer follow the Roland Berger TikTok Page. Then your profile will no longer appear in the list of followers of our TikTok Page.

Roland Berger receives anonymous statistics from TikTok regarding the use and usage of the TikTok Page. The following information is provided here, for example:

• Followers: number of people who follow Roland Berger - including growth and development over a defined time frame.
• Reach: number of people who see a specific post. Number of interactions on a post. This can be used, for example, to determine which content is better received by the community than others.
• Ad performance: how many people saw an ad.
• Demographics: average age of visitors, gender, location, language.

We use these statistics, from which we cannot draw any conclusions about individual followers, to constantly improve our online offering on TikTok and to better respond to the interests of our followers. We cannot link the statistical data with the profile data of our followers. You can decide via your TikTok settings in which form targeted advertising will be shown to you. Roland Berger will display ads for events, jobs and employer branding. TikTok's " Ads and Your Data " guide gives you an overview of how your personal data is processed in connection with Ads.

Roland Berger receives personal data through TikTok when you actively share it with us via a personal message or comment on our TikTok Page (User Profile).

For the use of various TikTok services, we have concluded several data protection agreements with TikTok Ireland and TikTok United Kingdom (Joint Controller Agreement and Data Processing Agreement).

On our WhatsApp Channel "Roland Berger Career" you will find tips and information about the application process at the Roland Berger Group.

We do not process your personal data. However, if you have stored your first and last name or a photo as a display image in your WhatsApp profile, this personal data can be viewed by us. We do not (further) process this data. We cannot access your telephone number.

You can object to the data processing within the WhatsApp channel at any time by selecting "No longer subscribe" in the channel info.

WhatsApp is operated by WhatsApp Ireland Limited, Merrion Road, Dublin 4, D04 X2K5 Ireland. Further Information on the handling of your personal data can be found in the following privacy notice: https://www.whatsapp.com/legal/channels-privacy-policy-eea?lang=de.

To ensure the security, stability, integrity, and functionality of our IT systems as well as to safeguard data and data processing activities, we might need to process personal data stored in our IT systems. This could include actions such as creating backups or performing tests. The legal foundation for such data processing is Art. 6 para. 1 lit. f GDPR. Our legitimate interest arises from the aforementioned purposes.

Where does data go once it reaches Roland Berger?
Once you send data, or it is collected on our websites, we transmit it within Roland Berger to the recipients who need to know it. Applications, for instance, go to our human resources department and the department for which the position is advertised (refer to the supplementary Recruitment Privacy Policy ).

External service providers
We may involve service providers who support us in the processing of Personal Data or otherwise and who may come into contact with your Personal Data. This will only happen after the prior conclusion of a Data Protection Agreement that obligates our service providers to process Personal Data only according to our instructions and to keep it confidential.

Intra-group sharing, Joint Controllers
Within the Roland Berger Group's organization, there is a need to exchange Personal Data on an intra-group basis as Controller to Controller or Joint Controllers.

For example in the course of our business relationship with you, we may share Business Partner contact information with affiliated group companies. We and these companies (see the list here ) are jointly responsible for the proper protection of your personal data (Art. 26 GDPR). To allow you to effectively exercise your data subject rights in the context of this joint controllership, we entered into an agreement with these companies granting you the right to centrally exercise your data subject rights under section 4 of this Privacy Notice against Roland Berger Holding GmbH & Co. KGaA, Sederanger 1, 80538 Munich, Germany.

Roland Berger entities might also be established outside the EU or the EEA. In such cases, we will ensure that there are adequate safeguards (i.e. EU standard contractual clauses) in place to protect your Personal Data. We at Roland Berger are responsible for informing you about your rights as a data subject under applicable data protection laws. You can address any requests or complaints you may have with regard to your Personal Data to Roland Berger ( How to contact us? ). The other Roland Berger entities within the Roland Berger Group's organization that might also keep your Personal Data will give us reasonable cooperation, assistance and information in order to comply with such requests or complaints.

Sending data to third parties
As a fundamental rule, we do not disclose, transfer, sell or otherwise market Personal Data to third parties, such as other companies or organizations, without your express consent except as required to meet our contractual obligations between Roland Berger and you.

For example the following categories of recipients may receive your personal data:

• authorities, courts, parties to a legal dispute or their designees to whom we are required to provide your personal data by applicable law, regulation, legal process or enforceable governmental order, e.g., tax and customs authorities, regulatory authorities and their designees, financial market regulators, public registries;
• auditors or external consultants such as lawyers, tax advisors, insurers or banks, and
• another company in the event of a change of ownership, merger, acquisition or disposal of assets.

Transfer of data to countries outside the EU/EEA
Where there is a sufficient legal basis, your Personal Data may be transferred to and processed outside the EU/EEA in other countries where laws and provisions governing the processing of Personal Data may be less stringent. In such cases, we will ensure that the data transfer is based on an adequacy decision (e.g., the EU-US Data Privacy Framework for transfers to the U.S. for certified companies ) or conclusion of the EU standard contractual clauses, which can be viewed and downloaded here .

Data subjects have rights with respect to Roland Berger in relation to their Personal Data in accordance with Art. 15-21 GDPR. In particular, you have the right to:

• request a copy of the Personal Data we hold about you (right of access, Art. 15 GDPR);
• ask that we update the Personal Data we hold about you, or correct any Personal Data that you think is incorrect or incomplete (right to rectification, Art. 16 GDPR);
• ask that we delete Personal Data that we hold about you, or restrict the way in which we use your Personal Data (right to erasure, Art. 17 GDPR and right to restriction of processing, Art. 18 GDPR)
• object to our processing of your Personal Data (right to object, Art. 21 and 22 GDPR)
• request that your Personal Data be transferred to you or another data controller (right to data portability, Art. 20 GDPR).

If you are unhappy with the way we have handled your Personal Data or any data protection query or request that you have raised with us, you have a right to complain to the competent supervisory authority (Art. 77 GDPR). We would, however, appreciate the chance to deal with your concerns before you approach the data protection authority, so please contact us in the first instance.

We may need to request specific information from you to help us confirm your identity and ensure your right of access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.

Objection and withdrawal of consent
If you have given us your consent to process your Personal Data (Art. 6 para. 1 lit. a GDPR), you can withdraw your consent at any time with future effect. If we process your Personal Data based on Art. 6 para. 1 lit. f GDPR (legitimate interests), you can object at any time to the processing of your Personal Data for marketing reasons. (Art. 21 GDPR).

Please use either the link included in each Newsletter we send you or, alternatively, contact Roland Berger via mail, fax, email or using the contact details given above under How to contact us.

We store Personal Data in accordance with legal storage periods. We routinely delete this Personal Data or block it once these periods expire or the reasons for storage cease to apply, in accordance with data protection rules.

If you have agreed to a longer duration for storing, processing and using your data, we will delete or block your data after this duration expires or should you revoke your consent (refer to the supplementary Privacy Policy for applicants ).

We will retain the data you transfer to us in contact requests until you ask for their deletion, object to their storage, or the purpose for their storage no longer applies. The purpose for the storage of the data no longer applies when it becomes evident that the underlying issue has been conclusively settled.

We comply with applicable data protection laws. This says that the personal information we hold about you must be:

• used lawfully, fairly and in a transparent way;
• collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes;
• relevant to the purposes we have told you about and limited only to those purposes;
• accurate and to the extent appropriate, kept up to date;
• kept only as long as necessary for the purposes we have told you about; and
• kept securely.

In accordance with legal requirements, Roland Berger has taken extensive technical and organizational measures to ensure a level of protection that is in line with, or in some cases exceeds, data privacy requirements. The measures taken protect not only Personal Data, but also other data processed on the same systems. Roland Berger operates an Information Security Management System (ISMS) which is certified according to ISO/IEC 27001:2013. The ISMS provides the framework for ensuring the information security goals confidentiality, integrity and availability.

The security of your data is important to us, so all the areas of our websites where you can actively input data use encrypted data transmission such as TLS (Transport Layer Security) to protect your data from being accessed by unauthorized third parties.

If you register to use access-protected areas of Roland Berger's websites, you should keep the login details you receive in a safe place and protected from access by third parties. If you log in on a computer that is used by more than one person, please do not forget to log off properly at the end of each session and close the browser window you were using.

With help of the extensive technical and organizational security precautions Roland Berger protects your Personal Data from being manipulated, either accidentally or deliberately, or being lost, destroyed or accessed by unauthorized third parties. We are constantly improving these precautions as technology develops.

This Privacy Notice was last modified on May 26th, 2025. We may occasionally modify or amend it from time to time. When we make changes to this Privacy Notice we will update the revision date at the top of this Privacy Notice. Where those changes are material, we will take steps to let you know. The new modified or amended Privacy Notice will apply as from that revision date. Please always verify whether you have consulted the latest version of the Privacy Notice.