DATA PROTECTION

I. GENERAL PRIVACY POLICY

Data protection is closely linked to maintaining the trust and confidence you place in our company. For this reason, we only ever process personal data about you which are necessary. We take the utmost care when processing your data, particularly to protect your data from potential misuse. With this Privacy Policy, we would like to provide you with an overview of how we process your data and to inform you of your rights pursuant to the provisions of the General Data Protection Regulation (GDPR) and the Liechtenstein Data Protection Act (DPA):

1. Name and address of the controller responsible for the processing of personal data

The controller, within the meaning of the GDPR, is Huber Fine Watches & Jewellery, Städtle 34, 9490 Vaduz, Liechtenstein, welcome@huber.li, T +423 237 14 14.

2. Collection and recording of personal data and the nature and purpose of their use

As stated above, we only process data which are necessary. What constitutes necessary data can vary depending on the individual or individuals concerned.

We collect the following information in particular when you contact us:

— Personal details (e.g. title, given name, family name, date of birth, nationality)

— Address and contact details (e.g. postal address, e-mail address, telephone number, mobile number)

This data is collected

— for the purposes of future correspondence with you;

— for invoicing purposes; and

— for the purposes of settling transactions.

As a rule, we are not in a position to conduct our business operations without this data. It is possible that we may process data that were not collected directly from you, but which come from third parties, sources available to the public or other data subjects. Processing of personal data begins once you have contacted us and is necessary for the purposes listed in Article 6(1)(b) GDPR (for the performance of a contract or in order to take steps prior to entering into a contract) and for the mutual fulfilment of obligations (such as settling transactions).

Your data is also processed in order to ensure compliance with legal obligations (Article 6[1][c] GDPR), particularly to ensure compliance with legal and regulatory provisions.

In addition, your data is processed for specific purposes concerning the legitimate interests pursued by us or a third party (Article 6[1][f] GDPR), particularly for the assertion and enforcement of claims, compliance with the rights of the data subject (e.g. right of access), to guarantee IT security and IT operations and to guarantee the security of buildings and facilities.

We reserve the right to continue processing any personal data collected for one of the purposes listed above for any of the other purposes listed above, provided this is consistent with the original purpose or is permitted and/or required by law.

3. Recipients or categories of recipients of the personal data

Within our company, employees are only permitted to process your data if they require your data for the purposes of fulfilling our contractual or legal obligations or safeguarding the rights of data subjects. Third parties, including processors in areas such as IT services, may also be recipients of personal data for these purposes.

Your personal data will also be passed on to third parties if this is necessary for the settlement of transactions or the provision of services.

3. Recipients or categories of recipients of the personal data

Data is only transferred to countries outside the European Economic Area (known as third countries) within the scope of adequacy decisions by the European Commission.

4. Transfer of personal data to third countries

Data is only transferred to countries outside the European Economic Area (known as third countries) within the scope of adequacy decisions by the European Commission.

5. Duration of personal data retention

In principle, personal data recorded by us are retained until the legal obligation to retain such data expires, after which the personal data are erased, unless we deem it necessary to retain such data for a longer period, pursuant to Article 6(1)(c) GDPR, or you have given your consent to a longer retention period, pursuant to Article 6(1)(a) GDPR. Further processing and retention may also continue for a longer period for the purposes of preserving evidence, for example while the applicable provisions of limitations are in effect.

6. Your data protection rights

As a data subject, you have the right to access your personal data at any time. You also have the right to rectification, the right to data portability, the right to object, the right to restriction of processing and the right to erasure of incorrect data or any data processed without authorisation. Any queries regarding the assertion of your right to access, erasure, rectification, object and/or data portability can be directed to the addresses given in Point 1 of this Privacy Policy. If you are of the opinion that the processing of your personal data by us is in violation of the applicable data protection rights or that your legal rights in terms of data

7. Applicable version

This Privacy Policy is valid in its current version of May 2021.

It may become necessary to amend this Privacy Policy due to the ongoing development of our website and the offers available via our website or as a result of amendments made to legal or regulatory provisions. The version of the Privacy Policy on our website is to be considered the current version, and is available to access and print off at any time.

II. Website Privacy Policy

II. WEBSITE PRIVACY POLICY

1. Hosting the website

Every time our website is accessed, our system automatically records data and information from the operating system of the computer accessing our website.

The following data are collected:

— Information on the type and version of the browser being used

— The user’s operating system

— The host name of the computer accessing our website

— The user’s IP address

— The time and date of the access request

— The referral website

It is not possible to assign an IP address to the access time or the referral website. It is only possible to determine which websites and what times produce the highest number of access requests. We retain this information within the scope of the relevant legal provisions for a maximum of 26 months. Processing is necessary for the purposes of data security, in order to ensure the stability and operational security of our system. Article 6(1)(f) GDPR forms the legal basis for this.

Our website uses the web analytics service Google Analytics. This service is only used to ensure the optimisation of the website in terms of user-friendliness and for the purposes of providing useful information about our services. Google Analytics uses “cookies” (see Point 2), which are text files stored on your computer. The information generated by the cookie about a visitor’s use of a website and browsing behaviour can be processed and evaluated by Google. The information collected by Google may also be transmitted to and stored by Google on servers outside the EU and EEA, specifically in the United States. For more information regarding your rights, please follow this link: https://support.google.com/analytics/answer/ 6004245p=privpol_data&hl=de&visit_id=637551942978216525-17983762&rd=1#zippy=%2Cgoogle -analytics-gem%C3%A4%C3%9F-der-eu-datenschutz-grundverordnung-dsgvo%2Ccookies-und- kennzeichnungen-von-google-analytics

We ensure that data is collected anonymously so that no evaluation of an individual’s specific personal data is carried out by us. Data is not passed on to third parties.

2. Cookies

We use cookies (see separate statement on cookie settings) to improve the user experience for visitors to our website. Cookies are small text files which are generated automatically by your browser and stored on your device (computer, tablet, smartphone, etc.) when you visit our website. This allows us to recognise your browser the next time you visit our website. Cookies are valid until they are deleted. You can delete cookies at any time.

You may refuse the use of cookies by selecting the appropriate settings on your browser; however, please note that if you do this, you may not be able to use the full functionality of our website. Article 6(1)(a) or (f) GDPR forms the legal basis for data processed through the use of cookies. Temporary cookies remain valid for as long as your stay on a website, after which they are deleted by your browser. Permanent cookies are stored on your browser according to the settings you have selected or until you delete them.

Rolex space

When you visit the Rolex space on our website, you are interacting with an embedded website belonging to www.rolex.com. In this case, only the terms of use, privacy policy and cookie policy of www.rolex.com apply.

4. Applicable version

This Privacy Policy is valid in its current version of May 2021.

It may become necessary to amend this Privacy Policy due to the ongoing development of our website and the offers available via our website or as a result of amendments made to legal or regulatory provisions. The version of the Privacy Policy on our website is to be considered the current version, and is available to access and print off at any time.

5. Rolex space

When you visit the Rolex space on our website, you are interacting with an embedded website belonging to www.rolex.com. In this case, only the terms of use, privacy policy and cookie policy of www.rolex.com apply.

III. FACEBOOK PRIVACY

Huber Fine Watches & Jewellery, Städtle 34, 9490 Vaduz, Principality of Liechtenstein, runs the Facebook fan page at www.facebook.com/huberwatchesjewellery in conjunction with Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.

When you visit our fan page, Facebook records your IP address along with other information present on your computer in the form of cookies. (This is also the case if you do not have a Facebook user account and regardless of whether you are logged into Facebook or not.) This information may be used to provide us as the operator of the fan page with statistical information (hereinafter referred to as “Insights Data”) on the usage of the fan page. We draw your express attention to the fact that we do not perform any analyses, not even statistical analyses. However, by setting up the fan page, we contribute to the processing of the personal data of our fan page visitors. Therefore, as the operator of the fan page, we are involved in decisions as to the purposes and means of processing of the personal data of our fan page visitors and therefore joint data controller in conjunction with Facebook as defined under Article 26 GDPR with regard to this processing.

The primary content of this agreement is supplied by Facebook Ireland. Facebook has made a commitment to us that it will assume primary responsibility for the processing of Insights Data and fulfil all obligations arising from the GDPR with regard to the processing of Insights Data as defined under Articles 12 and 13 GDPR, Articles 15 to 22 GDPR and Articles 32 to 34 GDPR, among others. Facebook Ireland will furthermore supply the key findings of this page insights extension to the data subject.

Facebook provides further information on this under the following links:

de-de.facebook.com/full_data_use_policy

and

www.facebook.com/legal/terms/page_controller_addendum

Any of your personal data which have been collected in this context will be processed by Facebook Ltd. and therefore potentially transmitted to countries outside of the EEA. How Facebook uses data associated with visits to Facebook pages for its own purposes, to what extent activities on the Facebook page are attributed to individual users, how long Facebook stores this data and whether or not data relating to visits to the Facebook site are passed on to third parties have not been fully and clearly disclosed by Facebook and are unknown to us.

In Facebook’s Data Policy, you will find, for example, information on ways of contacting Facebook and the setting options for advertisements. You can find this policy and information as to how you can manage or delete your data by visiting the following link:

de-de.facebook.com/privacy/

You can find Facebook’s full Data Policy here:

de-de.facebook.com/full_data_use_policy

We operate our Facebook page on the basis of our justified interest in optimising communications with you. This involves us processing your data, such as your name and the content of your messages, enquiries or posts, when you contact us via our fan page so that we can respond to your enquiries or posts. We do not, however, process any data in this connection for analysis or marketing purposes.

1. Video surveillance: rights of data subjects

The data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the information described in Article 15 of the General Data Protection Regulation (GDPR). In this regard, it may be necessary for the data subject to provide specific details for the purpose of identifying him or her (Article 11 of the GDPR).

*

The data subject has the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her and, where applicable, to have incomplete personal data completed (Article 16 of the GDPR).

The data subject has the right to obtain from the controller the erasure of data where one of the grounds listed in Article 17 of the GDPR applies, e.g. if the data are no longer necessary in relation to the pursued purposes.

The data subject has the right to obtain from the controller restriction of the processing of his or her data where one of the conditions listed in Article 18 of the GDPR applies.

The data subject has the right to object, on grounds relating to his or her particular situation, to processing of personal data concerning him or her (Article 21 of the GDPR).

Without prejudice to any other administrative or judicial remedy, every data subject has the right to lodge a complaint with a supervisory authority if the data subject considers that the processing of personal data relating to him or her infringes the GDPR (Article 77 of the GDPR). The data subject can assert this right with a supervisory authority in the member state of his or her habitual residence, place of work or place of the alleged infringement.

V. TERMS OF USE

Rolex space

When you visit the Rolex space on our website, you are interacting with an embedded website belonging to www.rolex.com. In this case, only the terms of use, privacy policy and cookie policy of www.rolex.com apply. 30.April 2021 – Version 2