Bugatti Automobiles S.A.S., Bugatti International S.A

Data protection policy for Bugatti brand companies’ suppliers and their employees 10/2020

Preliminary remark This data protection policy covers the processing of your data when carrying out purchasing activities and order processing in the field of products, production materials and services by the companies of the Bugatti brand. The following three companies fall under the term "Bugatti brand companies": Bugatti Automobiles S.A.S., Bugatti International S.A. and Bugatti Engineering GmbH (hereinafter called the “Companies” or “we”). We attach great importance to the protection of your data and fundamental freedoms and for the processing of personal data, are committed to complying with the European data protection regulations and the special national regulations that apply in the respective country. With this data protection policy we would like to inform you about the conditions of the collection, use and storage of your personal data as well as about the most important purposes of the data processing carried out within the framework of our relations. Please read this text carefully and check it at regular intervals so that you are aware of any changes or updates.

§1. Legal framework We undertake to comply with our obligations regarding the protection of personal data, which are set out in Regulation (EU) No. 2016/689 of 27 April 2016 (hereinafter referred to as the "GDPR").

§2. Data Controller and contact person within the Bugatti brand In terms of Article 4 No. 7 of the GDPR, the "Bugatti brand" cannot be considered as a “data controller” and therefore does not provide a common point of contact for the three entities. The data controller is the entity among the Companies with which you have a relationship. The data controllers and the related contact persons for data protection issues are specified below. The company with which you have a business relationship is responsible. 1. The data controller for your relationships with Bugatti Automobiles S.A.S .: Bugatti Automobiles S.A.S. 1 Château Saint-Jean de Dorlisheim 67120 Molsheim Frankreich

For any questions about data protection law, please contact the following department: - By post: Bugatti Automobiles SAS, 1 Château Saint Jean, Chemin de Dorlisheim, 67120, Molsheim - By e-mail: [email protected] 2. The data controller for your relationships with Bugatti International S.A.: Bugatti International S.A.

Bugatti Beschaffung, BG-B/3 | KSU-Klasse 0.2 - 4 Jahre | Öffentlich 1

412F Route d’Esch L-2086 Luxemburg

For any questions about data protection law, please contact the following department: - By postal service: Bugatti International S.A., Gustav Hertz Straße 2, 38448 Wolfsburg (Deutschland) - By e-mail: [email protected]

3. The data controller for your relationships with Bugatti Engineering GmbH: Bugatti Engineering GmbH Gustav-Hertz-Straße 2 38448 Wolfsburg (Deutschland) Tel.: +495361915665

For have any questions about data protection law, you can contact the data protection officer - By postal service : Datenschutzbeauftragter der Volkswagen AG, Berliner Ring 2, 38440 Wolfsburg (Deutschland) - By e-mail: [email protected]

The companies, together with others of the Bugatti brand and / or the Volkswagen Group, assume responsibility for data protection. Whether data processing is the joint responsibility of the Bugatti brand company and / or the Volkswagen Group under data protection law can be found in the following paragraphs §5 and §6.

§3. Modalities of processing personal supplier data As part of the performance of their contractual relations with their suppliers, the Companies are required to process personal data, in particular to ensure:

- the management of their business relationships by creating and tracking purchase inquiries, orders and supplier accounts (Art. 6 para. 1 b. of GDPR); - the management of accounting and payment of invoices (Art. 6 para. 1 c. of the GDPR); - the creation of group-wide synergies and "shared services" within the Bugatti brand (Art. 6 para. 1 f. GDPR - legitimate interest when weighing interests). We collect data about your identity (last name, first name, e-mail address, telephone number, postal address, language, position in the company) as well as economic and technical data (bank details of the company in which you work), as well as all personal information that is provided in the compliance declaration that you have previously made. The above-mentioned personal data (hereinafter referred to as “data”) are collected using the form for creating a supplier account that was sent to you by your contact person. This data is then recorded and stored in our internal management tools. Your data that was provided by you for the purpose of carrying out the business relationship will be processed. In addition, we may also and notably process your data from other IT systems of the Volkswagen Group. You must provide the personal data that is necessary for the execution of the contract and the fulfilment of the related contractual obligations or that we are legally obliged to collect. Without this data, we cannot process it.

Bugatti Beschaffung, BG-B/3 | KSU-Klasse 0.2 - 4 Jahre | Öffentlich 2

In this context, we process and store your data, unless otherwise stated, only for as long as is absolutely necessary for the processing purposes mentioned above, taking into account the applicable limitation periods. The data is also updated at regular intervals so that supplier accounts that have not been used for a longer period of time are deactivated and / or deleted.

§4. Recipients of your data Your data will only be processed in Europe. Within the Bugatti brand, the people who have access to your Data are those who need it in the course of their activity. Your personal data is also processed within the Volkswagen Group, on the basis of order processing contracts, in accordance with Art. 28 GDPR: Volkswagen Group Poland S.A. on behalf of Bugatti Engineering GmbH, - Volkswagen Group Services GmbH on behalf of Bugatti Engineering GmbH. In these cases, the companies ensure that the processing of personal data is carried out in accordance with the provisions of the GDPR. In addition, your data can be communicated to other categories of recipients who act as data controllers, insofar as legal provisions allow this and / or in the context of the legitimate interest if this is necessary: - Bugatti brand companies based on a Joint Controllership Agreement in accordance with Art. 26 GDPR (see Section 5), - Group companies of the Volkswagen Group on the basis of a Joint Controllership Agreement according to Art. 26 GDPR (see §6), - Business partners (e.g. development partners, consulting service providers, lawyers, tax consultants, auditors ...).

§5. Data processing is the joint responsibility of the Bugatti brand companies In order to be able to offer our suppliers an effective and high-quality service, we have pooled our purchasing department within the Bugatti brand. Bugatti Engineering GmbH is the central point for the implementation of purchasing activities and order processing for the entire Bugatti brand, i.e. there is a shared responsibility between Bugatti Engineering GmbH and every other Bugatti brand company, independently of one another. Although your Data will be processed under joint responsibility, no Data exchange will take place between Bugatti Automobiles S.A.S. and Bugatti International S.A.

§6. Data processing is the joint responsibility of the Bugatti * brand companies and Volkswagen Group companies During the purchasing process, Bugatti Engineering GmbH and Bugatti Automobiles S.A.S record and save your data in the ONE Group business platform and in other internal management tools of the Volkswagen Group (e.g. Globe, SAMBA, ...). Each company, Bugatti Engineering GmbH and Bugatti Automobiles S.A.S (independently of one another) and companies of the Volkswagen Group are jointly responsible for the above data processing. Each Bugatti company and the Volkswagen Group companies have made agreements with regard to their joint responsibility within the meaning of Art. 26 GDPR. Information on the processing of your data in connection with the ONE.Konzern Business Platform can be viewed and downloaded here or via the platform: https://www.vwgroupsupply.com/one-kbp-

Bugatti Beschaffung, BG-B/3 | KSU-Klasse 0.2 - 4 Jahre | Öffentlich 3

pub/de/kbp_public/rechtliches_4/legal_information/privacy_policy/privacy_policy_1.html The use of the vwgroupsupply.com websites and the ONE.Konzern Business platform may result in the use of cookies, subject to your consent where applicable. You can see information on the use of cookies via the cookie policy: https://www.vwgroupsupply.com/one-kbp- pub/de/kbp_public/rechtliches_4/legal_information/cookie_guidelines/basicpage_for_general _pages__html_3.html

*Special feature: Section 6 does not apply to Bugatti International S.A. This company does not use the internal management tools (e.g. ONE.Group Business Platform, Globe, SAMBA ...) and therefore there is no joint responsibility with the group companies of the Volkswagen Group. Nevertheless, your data is recorded and saved in the various internal management tools, because Bugatti Engineering, as the central point for the purchasing process, use them(see §5).

§7. Security measures We attach great importance to maintaining the confidentiality, integrity, availability and security of your data. In accordance with Article 32 of the GDPR, we strive to take any suitable technical, logical and organisational measures to ensure a level of protection appropriate to the risk involved in the processing of your data. We also take measures to prevent the loss or unintentional destruction, alteration and unauthorised access to your data.

§8. How to exercise your rights In accordance with the applicable regulations, you have the following rights: - To request that you receive information about your data and have it corrected (right to information and right to correction). - To object to the processing of your data for legitimate reasons (right of objection). - To ask, within the framework of the applicable limitations, that the processing of the data concerning you is restricted or that the data be deleted (right to restriction of processing and right to deletion). If you have any questions about the present data protection declaration or the processing of the data concerning you, you can contact the office, as mentioned above in paragraph 2. Finally, we would like to point out that you have the right to lodge a complaint with the responsible data protection supervisory authorities against the way in which we process your data.

Bugatti Beschaffung, BG-B/3 | KSU-Klasse 0.2 - 4 Jahre | Öffentlich 4