Unless otherwise specified in this notice, the data controller pursuant to data protection laws is:

Nardò Technical Center S.r.l.

Località Fattizze

I-73050 Santa Chiara di Nardò (LE), Italy

Email: privacy@porsche-nardo.com

For any questions or comments related to data protection, you can contact our designated Data Protection Officer (DPO) at

Data Protection Officer (DPO)

Nardò Technical Center S.r.l.

Località Fattizze

I-73050 Santa Chiara di Nardò (LE), Italy

Email: privacy@porsche-nardo.com

With regard to certain processing activities conducted as part of the Porsche Group’s internal administration and centralized operational functions, the Company may act as joint controller together with other companies of the Porsche AG Group. These joint activities may involve the use and administration of shared databases, platforms, and IT systems.

The purposes and means of processing related to these activities are jointly determined by NTC and the respective Porsche Group companies.

In accordance with Article 26 of the GDPR, a Joint Controllership Agreement has been entered into with the respective companies, specifying the division of responsibilities and obligations relating to data processing and identifying the company responsible for fulfilling specific legal obligations.

An updated list of these companies can be found in the privacy notice available at the following link: https://jobs.porsche.com.

As data controllers or joint controllers, we protect your personal data. Personal data refers to any information relating to an identified or identifiable natural person (hereinafter referred to as the “Data Subject”). The Company may process data you have directly provided within your CV and/or communicated during the application procedure carried out through the dedicated online platform (hereinafter referred to as the “Platform”) and/or via email or contact form.

Specifically, the following types of personal data may be processed:

1. So-called "common" personal data (such as personal details, contact information, professional and/or life experiences, education, citizenship, marital status, date and place of birth, etc.);

2. Special categories of personal data (such as potential membership in protected categories).

In any case, we ask you not to include in your CV and/or disclose during interviews or tests any sensitive data or information from which such data may be inferred (e.g. concerning health, political opinions, sexual life, etc.), unless strictly necessary by law for selection and CV evaluation purposes (e.g. membership in protected categories, immigration status, etc.).

Below is an overview of the purposes and legal bases for processing personal data as part of the application process at NTC.

If an employment contract is signed with the candidate, subsequent data processing will be carried out as per the employee privacy notice.

Providing personal data may be required by law, contractual obligations, or necessary for the conclusion of a contract. In such cases, we will inform the Data Subject about the mandatory nature of providing such data and the consequences of failing to do so (e.g. loss of certain rights or NTC’s inability to provide a specific service).

Access to the Platform is generally possible without registration; however, certain features may require prior registration. Even without registration, use of the Platform may involve the processing of personal data.

3.1     Contract Execution and Pre-Contractual Measures.

We process your personal data to the extent necessary to manage the application process and, if applicable, establish an employment relationship. Processing is carried out under Article 6 (1)(b) of the GDPR.

Processing purposes include, in particular:

1. registration and verification of the application;

2. management of the application and selection process (including forwarding to internal personnel, organizing and conducting interviews, and handling administrative hiring tasks);

3. organizing and conducting selection days or tests for specific application paths, such as internships, apprenticeships, or recruitment days;

4. for internal applications to corporate programs: management and selection of candidates.

Processing of your data through the Platform is performed under a joint controllership agreement under Article 26 of the GDPR between:

• Porsche AG Group, which centrally manages the application platforms and recruitment policies at group level;

• NTC, which directly assesses your profile for the position you applied for.

In this context:

• Centralized processes such as receipt of applications via shared portals and initial data storage are jointly managed.

• Operational selection activities (e.g., interviews, communication with recruiters, possible hiring) are handled directly by the company to which the application was submitted.

If no employment relationship is established, your data will be anonymized after four months unless there are other legal bases for retaining the data. In such cases, anonymization will occur once those bases cease to apply. Anonymization prevents any personal identification. The data will then be used solely for statistical purposes.

3.2     Statement Verification

During the selection process, we conduct a fact-checking procedure to ensure potential employees can perform their duties without conflicts of interest, in accordance with high ethical standards and company values.

Verification includes identity data (name, surname, date of birth, address), an original identity document or equivalent, certificates, especially the highest qualification obtained, or a certified copy.

Previous employment at Porsche Engineering Group GmbH may also be checked. If applicable, we will verify—solely in this case and in compliance with data protection laws—whether any written disciplinary measures were adopted in the previous three calendar years. This involves consulting personnel file data from that period.

Data will also be cross-checked with public EU sanction lists under Regulations (EC) No. 2580/2001 and No. 881/2002, including updates by the European Commission. If needed, you may be asked to present a residence permit or disability certification.

Verification is conducted by NTC’s Human Resources department. Only a limited number of internal staff members have access to your data. The verification outcome is documented and stored in the personnel file.

For hires under a collective agreement, the fact-check checklist is stored in the personnel file and retained according to personnel document retention laws. For external candidates not hired, the checklist is deleted after four months; otherwise, after three years.

Processing for these purposes is based on the company’s legitimate interest under Article 6(1)(f) of the GDPR in selecting compliant personnel. The verification methods are also governed by a collective labor agreement. Providing personal data is required for selection and potential contract conclusion.

3.3     Job Newsletter (“Job Abo”)

To subscribe to the “Job Abo” newsletter via the Platform, simply provide your email address and select the desired frequency. The newsletter is sent only to those who have given explicit consent under Article 6(1)(a) of the GDPR. See the specific notice provided at registration for content and consent scope.

The newsletter provides updates on career opportunities at Porsche AG and other Group companies.

Subscription requires a double opt-in process: after entering your data, you’ll receive a confirmation email with a link to verify your request. All registration steps are logged to prove legal compliance. This logging is based on the legitimate interest in demonstrating consent under Article 6 (1)(f) of the GDPR.

You may revoke your consent at any time, e.g., using the unsubscribe link at the bottom of each newsletter.

Processing is carried out solely by Porsche AG Group, which manages the newsletter service centrally. Job offers in the newsletter may relate to different group companies, but your personal data (especially email address) will not be shared with these companies unless you provide additional consent.

3.4     Personal Account – Registration & Profile Creation

You may create a personal account on the Platform to submit and manage your application to NTC or other Porsche Group companies. Account creation is recommended, as internal processes are optimized for it.

To create an account, registration is required, during which login credentials (username and password) are collected and processed.

The account allows you to build a candidate profile, including personal information (title, name, date/place of birth, nationality, address, phone, email), qualifications (education, work experience, language and IT skills), application documents (cover letter, CV), and additional relevant data (salary expectations, availability). Mandatory fields are marked.

The data collected is processed in accordance with Article 6(1)(b) of the GDPR to enable the creation of the account and the management of the application.

If the user has provided their consent, the data may also be used for verifying the application within the Porsche Group or for inclusion in the Talent Pool, in accordance with Article 6(1)(a) of the GDPR.

The processing is carried out under a joint controllership agreement pursuant to Article 26 of the GDPR, between:

• Porsche AG Group, which centrally manages the application platform, including account registration, profile creation, and the management of data in the Talent Pool;

• NCT, which uses the data contained in the profile for selection purposes relating to job positions of its own interest

The processing activities are divided as follows:

• The technical and functional management of the account, as well as the management of consent for the Talent Pool and cross-application opportunities, are handled by the parent company;

• The specific evaluations during the selection phase, interviews, and administrative formalities related to the job position are carried out by the individual Group company to which the user has applied.

If the account is deleted, the data entered in the personal profile will also be deleted.

3.5     Compliance with Legal Obligations

We also process your personal data to comply with legal obligations to which we are subject. These may arise from, for example, commercial, tax, anti-money laundering, financial, or criminal regulations.

The purposes of the processing are directly linked to the respective legal obligations and are aimed, in particular, at ensuring compliance with applicable monitoring and reporting requirements under the relevant legislation.

The data is processed in accordance with Article 6(1)(c) of the GDPR.

We only use the personal data necessary to comply with such legal obligations and delete them as soon as these obligations no longer apply, unless there are other legal bases justifying the continued processing. In such cases, the data will be deleted once those additional legal bases also cease to apply.

The processing of personal data for regulatory compliance purposes is carried out under a joint controllership agreement pursuant to Article 26 of the GDPR, between:

• Porsche AG Group, which centrally manages the applicable group-wide compliance flows and obligations, coordinating compliance procedures and data retention architectures;

• NCT, which remains responsible for the practical application of legal obligations in connection with local operations or specific job positions.

3.6     Legitimate interest of the controller or third parties

We also process your personal data to pursue our legitimate interests or those of third parties, unless your interests or fundamental rights override them. The data processing is based on Article 6(1)(f) of the GDPR.

The legitimate interests pursued include, in particular:

1. Operational reporting;

2. Implementation and optimization of the recruitment process, including specific consulting services, candidate surveys, and statistical data analysis.

When you access the Platform, we automatically collect, and store technical data related to your device and the use of the service through a log file. These data include, in particular:

Date and time of access, session duration, type of device used, operating system, features used, amount of data transferred, IP address,

Referring to the URL.

This information is processed exclusively to ensure the technical functionality of the service and to detect and resolve potential malfunctions, thereby pursuing the legitimate interest of ensuring the full operability of the system.

The collected data are not used to personally identify users.

This processing is carried out by Porsche AG Group as the data controller, which centrally manages the Platform, defines the recruitment policies, and coordinates the related processes also on behalf of the Group companies.

3.7     Consent

 Some personal data processing activities may be carried out only with the explicit consent of the data subject, in accordance with Article 6(1)(a) of the GDPR.

Where consent is given, it is always related to specific purposes, clearly indicated in the relevant notices.

It is understood that consent may be withdrawn at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

If you have provided consent for specific purposes – for example, for the evaluation of your application by other Porsche Group companies, for inclusion in a Talent Pool, or for receiving the "Job Abo" newsletter – the purposes of the processing are defined by the content of the consent given in each case.

For sending the newsletter, we use the so-called double opt-in procedure to prevent misuse.

Your personal data will be deleted as soon as you withdraw your consent, unless other legal bases for the processing exist. In such cases, the data will be deleted once those bases no longer apply.

3.8     Change of purpose

If your personal data are processed for purposes other than those for which they were originally collected, we will carefully assess the compatibility between the original purposes and the new ones, the nature of the data processed, the potential consequences of the new processing for the data subject, and the security measures adopted to protect the personal data, in accordance with Article 6(4) of the GDPR.

3.9     Profiling

We do not carry out any automated decision-making or profiling within the meaning of Article 22 of the GDPR.

Some features of the Platform require your consent to process data from your device (e.g., location data).
Granting these permissions is optional. However, if you wish to use the related features, the necessary permissions must be granted; otherwise, such features will not be available. Permissions will remain active until manually disabled in your device settings.

If we integrate services from third-party providers into our Platform (e.g., to allow you to view videos or plan routes) and process personal data for that purpose, we do so in accordance with Article 6(1)(b) and (f) of the GDPR.
This processing is necessary both to provide the requested functionality and to pursue our legitimate interest in improving the performance and user experience of the Platform. We also invite you to consult the privacy notice of each third-party provider, where applicable, for more information about how they process your data.

We have no control over the content or operation of such third-party services and are not responsible for their processing of your personal data, unless the services are specifically developed on our behalf and integrated into the Platform under our direct responsibility.

If the integration of a third-party service involves joint processing of personal data, we will enter into a joint controllership agreement pursuant to Article 26 of the GDPR with the provider. This agreement will clearly define the respective responsibilities and roles regarding data protection, including the identification of the party responsible for fulfilling the legal obligations.

If cookies are used based on your consent, you will receive further information regarding responsibility for setting such cookies or the relevant third-party services in the consent management sections.

Unless otherwise indicated, social media profiles featured on our Platform are integrated solely as links to their respective third-party websites. By clicking on one of these links (text or image), you will be redirected to the respective provider's platform. Once redirected, the social media provider may collect personal data directly from you. If you are logged into your social media account when visiting, the provider may associate your visit with your user profile. Moreover, if you use features such as the "share" button, the relevant information may be stored in your account and, where applicable, made public.

To avoid such data being directly linked to your social media account, we recommend logging out of the platform before clicking the embedded link.

Within our company, access to your personal data is granted only to authorized personnel and exclusively for the specific purposes indicated in each case.

Your personal data may be disclosed to third parties only where legally permitted or where you have given your consent.

Below is an overview of the main recipients:

• Processors: companies within the Group or external service providers, including: DAG Engineering GmbH (support with application management and applicant hotline), Randstad Sourceright GmbH (assistance in recruitment and hiring processes), MHP Management- und IT-Beratung GmbH (support for the electronic application system) and milch & zucker Talent Acquisition & Talent Management Company AG (Provision, operation, and support of the electronic application system). These processors are carefully selected and regularly monitored to ensure your privacy is protected.
  Providers may only use the data for the purposes we specify.

• Public authorities: Government entities and institutions, such as tax authorities, public prosecutors, or courts, to whom we are required to disclose personal data in order to comply with legal obligations or to protect our legitimate interests.

• Private entities: Companies within the Group, Porsche dealerships and service companies, cooperation partners, service providers not acting under our instructions, and their appointed representatives, such as Porsche Centers, Porsche Service Centers, financial institutions, credit rating agencies, and transport service providers.

If data is transmitted to entities whose registered office or data processing location is not located in a Member State of the European Union or in another state party to the Agreement on the European Economic Area, we ensure, before the transfer, that, unless permitted by law, the recipient guarantees an adequate level of data protection (for example through a decision of adequacy by the European Commission pursuant to Article 45 of the GDPR, through the conclusion of the so-called EU standard contractual clauses with the data importer, pursuant to Article 46, paragraph 2, letter c) of the GDPR, or that you have given your consent to such data transfer pursuant to Article 49, paragraph 1, letter a) of the GDPR).

If the transfer of data is based on Articles 46, 47 or 49 (1) paragraph 2 of the GDPR, you may request a copy of the specific provisions agreed to ensure an adequate level of data protection. To obtain this information, you can contact us as indicated in paragraph 1.

 If the description of the individual services contained in this privacy notice does not provide more specific information on the retention period or data deletion, the following general principles apply.

We retain your personal data only for the time necessary to achieve the intended purposes or, in the case of consent, until such consent is withdrawn. In the event of an objection to the processing, we will delete your personal data, unless further processing is necessary to pursue other legitimate purposes of the processing. We will also delete your personal data when we are obliged to do so by legal requirements.

By applying these general principles, we will promptly delete your personal data:

• in the event that the legal basis on which the processing is based ceases to apply, unless further retention is necessary to comply with legal obligations or to pursue other legitimate purposes of the processing. If this latter case occurs, we will delete the data once the additional legal basis also ceases to apply;

• if the data is no longer necessary for the purposes of preparation and execution of a contract or legitimate interests and no other legal basis exists (as in the case where further retention is necessary to comply with legal obligations in tax matters or business record retention). If another legal basis does exist, we will delete the data when that legal basis also ceases to apply;

• if the purpose of the processing pursued by us ceases and no other legal basis exists (as in the case where further retention is necessary to comply with legal obligations in tax matters or business record retention). If another legal basis does exist, we will delete the data when that legal basis also ceases to apply.

As a data subject, you have the right to request access to personal data and the rectification or deletion of such data or the restriction of processing concerning you or to object to their processing, as well as the right to data portability. In detail:

Right to rectification and right to deletion: you have the right to obtain the rectification of inaccurate personal data concerning you without undue delay. Taking into account the purposes of the processing, you have the right to obtain the completion of incomplete personal data, also by providing a supplementary statement. You also have the right to obtain the erasure of personal data concerning you without undue delay if one of the grounds listed in Article 17 of the GDPR applies.

Right to restriction of processing: you have the right to obtain restriction of processing when one of the conditions listed in Article 18 of the GDPR applies.

Right to data portability: if the processing of your data is based on consent or contract and is carried out by automated means, you have the right to receive the personal data concerning you in a structured, commonly used and machine-readable format, and you have the right to transmit those data to another controller without hindrance.

Right to object: you have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you pursuant to Article 6, paragraph 1, letter f) (processing based on legitimate interest), including profiling.

Withdrawal of consent: if you have given us your consent to the processing of your data, you may withdraw it at any time with immediate effect. The lawfulness of data processing up to the moment of withdrawal remains unaffected.

Right to lodge a complaint with a supervisory authority: you have the right to lodge a complaint with the competent supervisory authority if you believe that the processing of your data violates applicable law. You can contact the Italian Data Protection Authority (Garante per la protezione dei dati personali – www.garanteprivacy.it) or the supervisory authority of the EU Member State where you reside or work.

How to contact us: you can contact us free of charge using the contact details indicated in paragraph 1 for any questions regarding the processing of personal data and to exercise your rights.

The latest version of this Privacy Policy applies. This version is dated 28 July 2025.