Privacy notice in accordance with Article 13 GDPR

Name and address of the data controller

The responsible body within the meaning of the General Data Protection Regulation (GDPR) and other data protection regulations is:

Biomex GmbH
Siemensstraße 38
69123 Heidelberg
Germany

Authorized representatives:
Dipl.-Chem., Dipl.-Kfm. Oliver Bošnjak
Phone: +49 6221-4166-0
E-Mail: info@biomex.de
Imprint: https://www.biomex.de/impressum

Name and address of the data protection officer

The data protection officer of the data controller is:
Kompetenzteam Thomas, owner Katrin Thomas
– Katrin Thomas –
Hauptstraße 88a
67365 Schwegenheim
Germany
E-Mail: datenschutz@biomex.de

General information on data processing

Legal basis for processing personal data

In accordance with Article 13 GDPR, we will inform you of the legal basis for our data processing. If the legal basis is not specified in the privacy notice, the following applies: the legal basis for obtaining consent is Article 6(1)(a) in conjunction with Article 7 GDPR. The legal basis for processing in order to provide our services and fulfil contractual measures, as well as answering inquiries, is Article 6(1)(b) GDPR. The legal basis for processing in order to fulfil our legal obligations is Article 6(1)(c) GDPR. If the processing of your data is necessary to safeguard the legitimate interests of our company or a third party and if your interests, fundamental rights and fundamental freedoms as the data subject do not outweigh the first interest, Article 6(1)(f) GDPR serves as the legal basis for the processing. In the event that vital interests of the data subject or another natural person require the processing of personal data, Article 6(1)(d) GDPR serves as the legal basis.

Data deletion and storage period

We adhere to the principles of data minimisation in accordance with Article 5(1)(c) GDPR and storage limitation according to Article 5(1)(e) GDPR. We only store your personal data for as long as is necessary to achieve the purposes stated here, or as stipulated by the retention periods provided for by law. After the respective purpose no longer applies or after these retention periods have expired, the corresponding data will be deleted as quickly as possible.

External Links

This website may contain links to third-party websites or to other websites under our responsibility. If you follow a link to any of the websites outside our control, please note that these websites have their own privacy notices. We do not assume any responsibility or liability for these external websites and their privacy notices. Before using these websites, please check whether you agree with their privacy policies. You can recognise external links either by the fact that they are displayed in a colour which is slightly different from the rest of the text or that they are underlined. Your cursor will show you external links when you move it over such a link. Only when you click on an external link will your personal data be transferred to the destination of the link. The operator of the other website will then receive your IP address, the time at which you clicked on the link, the website you were on when you clicked on the link, and other information that you can find in the respective provider’s privacy notice. Please also note that individual links may result in data transfer outside the European Economic Area. This could give foreign authorities access to your data. You may not be entitled to any legal recourse against such data access. If you do not want your personal data to be transferred to the link destination or potentially even accessed by foreign authorities against your will, please do not click on any links.

Rights of data subject

As a data subject within the meaning of the GDPR, you have the opportunity to assert various rights. The rights of data subjects arising from the GDPR are the right of access (Article 15), the right to rectification (Article 16), the right to erasure (Article 17), the right to restriction of processing (Article 18), the right to object (Article 21), the right to lodge a complaint with a supervisory authority and the right to data portability (Article 20).

Withdrawal:
Some data processing can only be carried out with your explicit consent. You have the option of revoking your consent at any time. However, the lawfulness of the data processing until the revocation is not affected by this.

Right to object:
If the processing is based on Art. 6 (1) (e) or (f) GDPR, you as a data subject can object to the processing of personal data concerning you at any time for reasons arising from your particular situation. You are also entitled to this right in the case of profiling based on these provisions within the meaning of Art. 4 (4) GDPR. If we cannot prove a legitimate interest for the processing that outweighs your interests, rights and freedoms or if the processing serves to assert, exercise or defend legal claims, we will refrain from processing your data after an objection has been made.
If the processing of personal data serves the purpose of direct marketing, you also have the right to object at any time. The same applies to profiling, which is related to direct advertising. Again, we will no longer process personal data as soon as you object.

Right to lodge a complaint with a supervisory authority:
If you believe that the processing of personal data concerning you infringes the GDPR, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your residence, your place of work or the place of the alleged infringement, without prejudice to any other administrative or judicial remedy.

Right to data portability:
If your data is processed automatically on the basis of consent or performance of a contract, you have the right to receive this data in a structured, commonly used and machine-readable format. In addition, you have the right to request the transfer and provision of the data to another controller, insofar as this is technically feasible.

Right to information, correction and deletion:
You have the right to obtain information about your processed personal data regarding the purpose of the data processing, the categories, the recipients and the duration of storage. If you have any questions on this topic or on other topics regarding personal data, you can of course contact us via the contact options given in the imprint.

Right to restriction of processing:
You can assert the restriction of the processing of your personal data at any time. To do this, you must meet one of the following requirements:
  • You contest the accuracy of the personal data. For the duration of the verification of accuracy, you have the right to request a restriction of processing.
  • If processing is unlawful, you can request the restriction of the use of the data as an alternative to deletion.
  • If we no longer need your personal data for the purposes of processing, but you need the data for the establishment, exercise or defence of legal claims, you can request the restriction of processing as an alternative to deletion.
  • If you object to the processing in accordance with Art. 21 (1) GDPR, a balancing of your interests and ours will be carried out. Until this balancing has been carried out, you have the right to request the restriction of processing.

Restriction of processing means that, apart from storage, the personal data may only be processed with your consent or for the establishment, exercise or defence of legal claims, or for the protection of the rights of another natural or legal person, or for reasons of important public interest of the Union or of a Member State.

Provision of the website (web host)

Our website is hosted by:
The Constant Company, LLC, 319 Clematis Street – Suite 900, West Palm Beach, USA.

Server location: Germany.

When you access our website, we automatically collect and store information in so-called server log files. Your browser automatically transmits this information to our server or our hosting company’s server.
These are:

  • IP address of the website visitor’s end device
  • device used
  • host name of the accessing computer
  • visitor’s operating system
  • browser type and version
  • name of the retrieved file
  • time of server request
  • amount of data
  • information on whether the retrieval of the data was successful

This data is not merged with other data sources.
Instead of operating this website on our own server, we may also commission an external service provider (hosting company) to operate it on their own server, which we have named above in this case. The personal data collected by this website will be stored on the hosting company’s servers. In addition to the data mentioned above, the web host also stores for us, for example, contact requests, contact details, names, website access data, meta and communication data, contract data and other data generated via a website.

The legal basis for processing this data is Article 6(1)(f) GDPR. Our legitimate interest is the technically error-free presentation and optimisation of this website. If the website is called up in order to enter into contract negotiations with us or to conclude a contract, this serves as a further legal basis (Article 6(1)(b) GDPR). In the event that we have commissioned a hosting company, an order processing contract will have been agreed with this service provider.

Use of local storage items, session storage items and cookies

Our website uses local storage items, session storage items and/or cookies. Local storage is a mechanism that enables data to be stored within the browser on your end device. This data usually includes user preferences, such as the “day” or “night” mode of a website, and is retained until you manually delete the data. Session storage is very similar to local storage, except that the data is only stored for the current session, that is, until the current tab is closed. The session storage objects are then deleted from your end device. Cookies are information that a web server (a server that provides web content) stores on your end device in order to be able to identify this end device. They are either stored temporarily for the duration of a session (session cookies) and deleted after your visit to a website, or stored permanently (permanent cookies) on your end device until you delete them yourself or they are automatically deleted by your web browser.
These objects can also be stored on your end device by third-party companies when you visit our site (third-party requests). This allows us, as the operator, and you, as a visitor to this website, to make use of certain third-party services installed on this website. Examples are processing payment services or displaying videos on a website.
These mechanisms have a variety of uses. They can improve the functionality of a website, control shopping cart functions, increase the security and comfort of website use and carry out analyses regarding visitor flows and behaviour. Depending on their individual functions, they must be classified in terms of data protection legislation. If they are necessary for the operation of the website and intended to provide certain features (shopping cart feature) or serve to optimize the website (e.g. cookies to measure visitor behaviour), their use is based on Article 6(1)(f) GDPR. As a website operator, we have a legitimate interest in storing local storage items, session storage items and cookies in order to ensure the technically error-free and optimized provision of our services. In all other cases, local storage items, session storage items and cookies are only stored with your express consent (Article 6(1)(a) GDPR).
If local storage items, session storage items and cookies are used by third-party companies or for analysis purposes, we will inform you about this separately in this privacy notice. When required, your consent will be requested and can be revoked at any time.

Use of external services

We use external services on our website. External services are services provided by third parties that are used on our website. This can be done for a variety of reasons, such as embedding videos or website security. When using these services, personal data is also passed on to the respective providers of these external services. If we have no legitimate interest in using these services, we will obtain your revocable consent as a visitor to our website before using them (Article 6(1)(a) GDPR).

Analytics

We process website visitors’ personal data in order to analyse user behaviour. Evaluation of this data enables us to compile information on how visitors use individual components of our website. This allows us to increase the user-friendliness of our website. The analysis tools may be used, for example, to create user profiles for the display of targeted or interest-based advertising messages, to recognise our website visitors the next time they visit our website, to measure their click/scroll behaviour and downloads, to create heat maps, to recognise page views, to measure the length of visits to the website or bounce rates, as well as to trace the origin of website visitors (city, country, the website visitors have come from). The analysis tools help us to improve our market research and marketing activities.
Processing only occurs if you expressly give consent to this data processing (via our consent banner on the website). The legal basis for this processing is consent Art. 6(1)(a) GDPR. Without your consent, data processing in the manner described above will not take place. If you revoke your consent (e.g. via the consent banner or other options provided on this website), we will stop this data processing. The lawfulness of the processing carried out until the revocation remains unaffected.

Google Analytics

We use the Google Analytics service on our website. The provider of the service is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
The use of the service may result in data transfer to a third country (USA). The provider is certified according to the EU-U.S. Data Privacy Framework and therefore offers an appropriate level of data protection.
Further information can be found in the provider’s data protection information at the following URL:
https://business.safety.google/privacy

The service uses the following cookies on our website:

Name | Storage period | Type | Purpose
_ga | 400 days | 1st-Party Cookie | Contains a randomly generated user ID. This ID enables Google Analytics to recognise returning users on this website and to merge data from previous visits.
_ga_DZ063MMMFV | 400 days | 1st-Party Cookie | Collects data on how often a user has visited a website, as well as data for the first and last visit.

Consent management

In order to comply with data protection requirements, we use a consent management tool on our website. This tool enables us to obtain the necessary consents for the setting of cookies or the use of external services. We then store these consents.
The data processing is necessary for compliance with a legal obligation to which the data controller (website operator) is subject. Article 6(1)(c) GDPR is therefore used as the legal basis for the processing.

Usercentrics

We use the Usercentrics service on our website. The provider of the service is Usercentrics GmbH, Sendlinger Straße 7, 80331 München, Germany.
Further information can be found in the provider’s data protection information at the following URL:
https://usercentrics.com/de/datenschutzerklaerung

The service stores the following data in the browser’s local or session storage:

Name | Storage period | Type | Purpose
ucData | Durable | 1st-Party Storage | Will be stored by Usercentrics on the local device.
ucData_9BIbOfRLHrPWbe | Durable | 3rd-Party LocalStorage, web.cmp.usercentrics.eu | Will be stored by Usercentrics on the local device.
ucString | Durable | 1st-Party LocalStorage | Will be stored by Usercentrics on the local device.

Content Delivery Network (CDN)

We use a content delivery network (CDN) to optimise the performance and availability of our website. For this purpose, the service provider who makes this network available will process your IP address and information about when you visited our website. All further information on data processing by this service provider can be found in the company’s privacy notice.
This processing is based on our legitimate interest (Article 6(1)(f) GDPR).
Our legitimate interest in using a content delivery network is to be able to display our website as quickly, securely and reliably as possible.

Google Static

We use the Google Static service on our website. The provider of the service is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
The use of the service may result in data transfer to a third country (USA). The provider is certified according to the EU-U.S. Data Privacy Framework and therefore offers an appropriate level of data protection.
Further information can be found in the provider’s data protection information at the following URL:
https://business.safety.google/privacy

Content management system

A content management system enables the creation, editing, organisation and presentation of digital content. We use a content management system to create content for our website. This enables us to design a more attractive website. This processing is based on our legitimate interest (Article 6(1)(f) GDPR).
Our legitimate interest is in the technically error-free display and optimisation of the website.

Elementor

We use the Elementor service on our website. The provider of the service is Elementor Ltd., Tuval st. 40, Ramat Gan, 5126112, Israel.
Since this service is hosted locally on the web server, no data transfer to third parties takes place.
The service stores the following data in the browser’s local or session storage:

Name | Duration period | Type | Purpose
elementor | Durable | 1st Party Local Storage | Used to store performed actions on the website.

Interface software

Business processes run faster, more cheaply and with fewer errors if they are automated using software via interfaces. This allows them to be efficiently integrated into the company’s processes via its own website or social networks. We use interface software on our website to link different applications and to transfer personal data securely from one application to another.
Processing only occurs if you expressly give consent to this data processing (via our consent banner on the website). The legal basis for this processing is consent Art. 6(1)(a) GDPR. Without your consent, data processing in the manner described above will not take place. If you revoke your consent (e.g. via the consent banner or other options provided on this website), we will stop this data processing. The lawfulness of the processing carried out until the revocation remains unaffected.

Google APIs

We use the Google APIs service on our website. The provider of the service is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
The use of the service may result in data transfer to a third country (USA). The provider is certified according to the EU-U.S. Data Privacy Framework and therefore offers an appropriate level of data protection.
Further information can be found in the provider’s data protection information at the following URL:

https://business.safety.google/privacy

Google Tag Manager

We use the Google Tag Manager service on our website. The provider of the service is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
The use of the service may result in data transfer to a third country (USA). The provider is certified according to the EU-U.S. Data Privacy Framework and therefore offers an appropriate level of data protection.
Further information can be found in the provider’s data protection information at the following URL:

https://business.safety.google/privacy

Video/Music service

We integrate audio files and videos into our website. These are retrieved from the server of our provider, the so-called audio or video platform. In order to be able to play an audio file or a video, your end device establishes a connection with the audio or video platform and transmits personal data to it. This includes in particular your IP address and any location data or information about your browser and end device.
Processing only occurs if you expressly give consent to this data processing (via our consent banner on the website). The legal basis for this processing is consent Art. 6(1)(a) GDPR. Without your consent, data processing in the manner described above will not take place. If you revoke your consent (e.g. via the consent banner or other options provided on this website), we will stop this data processing. The lawfulness of the processing carried out until the revocation remains unaffected.

YouTube

We use the YouTube service on our website. The provider of the service is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
The use of the service may result in data transfer to a third country (USA). The provider is certified according to the EU-U.S. Data Privacy Framework and therefore offers an appropriate level of data protection.
Further information can be found in the provider’s data protection information at the following URL:
https://business.safety.google/privacy
The service uses cookies on our website and stores data in the browser’s local or session storage:

Name | Storage period | Type | Purpose
__Secure-YNID | 180 days | 3rd-Party Cookie, .youtube.com | Will be stored by YouTube on the local device.
yt-remote-cast-available | Session | 3rd-Party Session Storage, www.youtube.com | Will be stored by YouTube on the local device.
__Secure-ROLLOUT_TOKEN | 180 days | 3rd-Party Cookie, .youtube.com | This cookie is used by websites to manage the gradual release of new features or versions of the site to users.
VISITOR_INFO1_LIVE | 180 days | 3rd-Party Cookie, .youtube.com | Used to provide bandwidth estimations.
VISITOR_PRIVACY_METADATA | 180 days | 3rd-Party Cookie, .youtube.com | This cookie stores the user’s cookie consent state for the current domain.
YSC | Session | 3rd-Party Cookie, .youtube.com | Registers a unique ID to keep statistics of what videos from YouTube the user has seen.
yt-remote-cast-installed | Session | 3rd-Party Session Storage, www.youtube.com | Used by YouTube to enable tracking based on geographical GPS location, estimate bandwidth, keep viewing statistics, and monitor user preferences when viewing an embedded YouTube video. These cookies don’t gather information that identifies a user.
yt-remote-connected-devices | durable | 3rd-Party Local Storage, www.youtube.com | This HTML storage key is used to regulate the behavior of the integrated YouTube video player.
yt-remote-device-id | durable | 3rd-Party Local Storage, www.youtube.com | Saves the user settings when retrieving a YouTube video integrated on other websites.
yt-remote-fast-check-period | Session | 3rd-Party Session Storage, www.youtube.com | Is used to regulate the behavior of the integrated YouTube video player.
yt-remote-session-app | Session | 3rd-Party Session Storage, www.youtube.com | This HTML storage key is used to regulate the behavior of the integrated YouTube video player.
yt-remote-session-name | Session | 3rd-Party Session Storage, www.youtube.com | Stores the user’s video player preferences using embedded YouTube video.
ytidb::LAST_RESULT_ENTRY_KEY | durable | 3rd-Party Local Storage, www.youtube.com | Stores the user’s video player preferences using an embedded YouTube video.

Webfonts

This site uses so-called web fonts for the uniform display of fonts, which are provided by an external provider and loaded by the browser when the website is accessed. When web fonts are loaded, the web font provider becomes aware that our website has been accessed from your IP address, as your browser establishes a direct connection to the web font provider.
Processing only occurs if you expressly give consent to this data processing (via our consent banner on the website). The legal basis for this processing is consent Art. 6(1)(a) GDPR. Without your consent, data processing in the manner described above will not take place. If you revoke your consent (e.g. via the consent banner or other options provided on this website), we will stop this data processing. The lawfulness of the processing carried out until the revocation remains unaffected.

Google Fonts

We use the Google Fonts service on our website. The provider of the service is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
The use of the service may result in data transfer to a third country (USA). The provider is certified according to the EU-U.S. Data Privacy Framework and therefore offers an appropriate level of data protection.
Further information can be found in the provider’s data protection information at the following URL:
https://business.safety.google/privacy

Advertising

Our website uses tools that facilitate or enable the placement of advertising, as well as evaluating its success. For this purpose, personal data is processed, in particular the IP address, access times and device information.
Processing only occurs if you expressly give consent to this data processing (via our consent banner on the website). The legal basis for this processing is consent Art. 6(1)(a) GDPR. Without your consent, data processing in the manner described above will not take place. If you revoke your consent (e.g. via the consent banner or other options provided on this website), we will stop this data processing. The lawfulness of the processing carried out until the revocation remains unaffected.

Google Ads

We use the Google Ads service on our website. The provider of the service is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
The use of the service may result in data transfer to a third country (USA). The provider is certified according to the EU-U.S. Data Privacy Framework and therefore offers an appropriate level of data protection.
Further information can be found in the provider’s data protection information at the following URL:

https://business.safety.google/privacy

Google Double Click

We use the Google Double Click service on our website. The provider of the service is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
The use of the service may result in data transfer to a third country (USA). The provider is certified according to the EU-U.S. Data Privacy Framework and therefore offers an appropriate level of data protection.
Further information can be found in the provider’s data protection information at the following URL:
https://business.safety.google/privacy

Contact form

You have the option to contact us via a form on the website. In order for contact to be established via this form, we need your contact details in particular.
The legal basis for data processing here is to fulfil a contract or pre-contractual measures in accordance with Article 6(1)(b) GDPR. There may also be a legitimate interest in maintaining business relationships or answering your request for other reasons.
In this case, the legal basis for the processing of your data would be Article 6(1)(f) GDPR.
The data will be deleted when we have resolved your request and no other retention obligations apply.

HubSpot

We use the HubSpot service on our website. The service provider is HubSpot, Inc., 25 First Street, Cambridge, MA 02141, USA (and, depending on the contractual arrangement, HubSpot group companies within the EU/EEA).
Depending on the specific implementation, HubSpot may be used to provide forms, for communication (e.g. contact inquiries), and to analyze and optimize our website and marketing activities. In particular, usage data (e.g. pages visited, click paths, time stamps), device/browser information, and cookie IDs may be processed.
Processing only takes place if you have consented to this data processing via our consent banner/consent tool (Art. 6(1)(a) GDPR). Insofar as HubSpot uses or reads cookies or similar technologies, this is done on the basis of your consent pursuant to § 25(1) TDDDG. You can revoke your consent at any time via the cookie settings.
By using the service, data may be transferred to a third country (in particular the USA). Where required, the transfer is carried out on the basis of appropriate safeguards (e.g. certification under the EU-U.S. Data Privacy Framework and/or the EU Standard Contractual Clauses, depending on the contractual status).
Further information can be found in the provider’s privacy information.
Cookies (typically, depending on consent and configuration):

  • hubspotutk (up to 6 months): Recognizes the browser/user (pseudonymous ID) and assigns form submissions, as well as analyzes visits.
  • hstc (up to 6 months): Visitor analytics (e.g. number of sessions, timestamps for first/last visit) and statistical evaluation.
  • hssc (up to 30 minutes): Session-related analytics (e.g. session count/assignment) to determine whether a session is continued.
  • hssrc (session): Set to determine whether the browser has been restarted (session/restart detection).

Advertising communication via e-mail, post, fax or telephone

We process personal data for the purposes of advertising communication, which can be carried out via various channels, such as e-mail, telephone, post or fax, in accordance with the legal requirements.
Recipients have the right to revoke their consent at any time or to object to advertising communications at any time.
Types of data processed: Inventory data (e.g. names, addresses), contact data (e.g. e-mail, telephone numbers).
Data subjects: Communication partners.
Purposes of processing: Direct marketing (e.g. by e-mail or post).
Legal bases: Consent (Art. 6 para. 1 sentence 1 lit. a. GDPR), legitimate interests (Art. 6 para. 1 sentence 1 lit. f. GDPR).

Application procedure

The application process requires applicants to provide us with the data necessary for their assessment and selection. Which information is required can be derived from the job description or, in the case of online forms, from the information provided there.
In principle, the required information includes personal details such as name, address, a means of contact, and evidence of the qualifications necessary for a position. Upon request, we will also be happy to inform you which details are needed.
If available, applicants can submit their applications to us via an online form.
To present our job postings and provide the online application form, we use the services of Personio SE & Co. KG, Rundfunkplatz 4, 80335 Munich, Germany (applicant management/recruiting software). The job postings are integrated into our website via a technical integration (e.g. iframe/XML). When accessing the relevant pages, technically required access data (in particular IP address, date/time of access, browser/device information, referrer URL) is transmitted to Personio for the purpose of displaying the content.
If you apply via the form, the applicant data you enter will be processed for the purpose of carrying out the application process. Further information on data processing within the Personio career portal can be found at:
https://www.personio.de/datenschutzerklaerung/
The data is transmitted to us in encrypted form in accordance with the state of the art. Applicants may also submit their applications to us via email. However, please note that emails are generally not sent encrypted over the internet. As a rule, emails are encrypted in transit, but not on the servers from which they are sent and received. We therefore cannot assume responsibility for the transmission of the application between the sender and receipt on our server.
For the purposes of applicant sourcing, submitting applications, and selecting applicants, we may, in compliance with statutory requirements, use applicant management or recruiting software, platforms, and services provided by third parties.
Applicants are welcome to contact us regarding the method of submitting their application or to send the application by post.
Processing of special categories of data: If, in the context of the application process, special categories of personal data within the meaning of Art. 9(1) GDPR (e.g. health data, such as severe disability status, or ethnic origin) are requested from applicants so that the controller or the data subject can exercise the rights arising under employment law and the law on social security and social protection and can comply with the relevant obligations, such data is processed pursuant to Art. 9(2)(b) GDPR, in the case of the protection of vital interests of applicants or other persons pursuant to Art. 9(2)(c) GDPR, or for purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, for medical diagnosis, for the provision of health or social care or treatment, or for the management of health or social care systems and services pursuant to Art. 9(2)(h) GDPR. Where special categories of data are provided on the basis of voluntary consent, such data is processed on the basis of Art. 9(2)(a) GDPR.
Deletion of data: The data provided by applicants may, in the event of a successful application, be further processed by us for the purposes of the employment relationship. Otherwise, if an application for a job posting is unsuccessful, the applicants’ data will be deleted. Applicants’ data will also be deleted if an application is withdrawn, which applicants are entitled to do at any time. Subject to a legitimate revocation by the applicants, deletion will take place no later than after a period of six months, so that we can answer any follow-up questions regarding the application and fulfill our obligations to provide evidence under the provisions on equal treatment of applicants. Invoices for any reimbursement of travel expenses will be archived in accordance with tax law requirements.
Inclusion in an applicant pool: Inclusion in an applicant pool, if offered, is based on consent. Applicants will be informed that their consent to inclusion in the talent pool is voluntary, has no influence on the ongoing application process, and that they may revoke their consent at any time with effect for the future.
Categories of data processed: Applicant data (e.g. personal details, postal and contact addresses, the documents belonging to the application and the information contained therein, such as cover letter, CV, references/certificates, as well as other information relating to a specific position or voluntarily provided by applicants regarding their person or qualifications).
Data subjects: Applicants.
Purposes of processing: Application process (establishment and any subsequent implementation as well as possible subsequent termination of the employment relationship).
Legal bases: Application process as a pre-contractual or contractual relationship (Art. 6(1)(b) GDPR and/or §26 BDSG; Art. 9(2)(b) GDPR (special categories)).

Cloud-services

We use software services accessible via the Internet and run on their providers’ servers (so-called “cloud services”, also referred to as “software as a service”) for the following purposes: document storage and management, calendar management, e-mailing, spreadsheets and presentations, exchange of documents, content and information with specific recipients, or publication of web pages, forms or other content and information as well as chats and participation in audio and video conferences.
In this context, personal data may be processed and stored on the providers’ servers, insofar as they are part of communication processes with us or are otherwise processed by us as set out in this privacy policy. This data may include, in particular, master data and contact details of the users, data on processes, contracts, other processes and their content. The providers of the cloud services also process usage data and metadata, which they use for security purposes and service optimization.
If we use the cloud services to provide forms or similar documents and content to other users or publicly accessible websites, the providers may store cookies on users’ devices for web analysis purposes or to remember user settings (e.g. in the case of media control).
Information on legal bases: If we ask for consent to the use of the cloud services, the legal basis for the processing is consent. Furthermore, their use may be part of our (pre-)contractual services, provided that the use of cloud services has been agreed in this context. Otherwise, users’ data will be processed on the basis of our legitimate interests (i.e., interest in efficient and secure management and collaboration processes).

  • Types of data processed: Inventory data (e.g. names, addresses), contact data (e.g. e-mail, telephone numbers), content data (e.g. entries in online forms), usage data (e.g. websites visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses).
  • Data subjects: customers, employees (e.g. employees, applicants, former employees), interested parties, communication partners.
  • Purposes of processing: Office and organizational procedures.
  • Legal bases: Consent (Art. 6 para. 1 sentence 1 lit. a. GDPR), performance of a contract and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b. GDPR), legitimate interests (Art. 6 para. 1 sentence 1 lit. f. GDPR).
  • Services and Service Providers Used: Microsoft Cloud Services: Cloud Storage Services; Service Provider: Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399 USA; Website:
    https://microsoft.com/de-de; Privacy Policy: https://www.microsoft.com/de-de/privacy/privacystatement; Safety instructions: https://www.microsoft.com/de-de/trust-center

Contact

When contacting us (e.g. via contact form, e-mail, telephone or via social media), the information of the enquiring persons will be processed insofar as this is necessary to answer the contact enquiries and any measures requested.
The response to contact enquiries within the framework of contractual or pre-contractual relationships is carried out in order to fulfil our contractual obligations or to answer (pre-)contractual enquiries and otherwise on the basis of the legitimate interests in answering the enquiries.
Types of data processed: Inventory data (e.g. names, addresses), contact data (e.g. e-mail, telephone numbers), content data (e.g. entries in online forms), usage data (e.g. websites visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses).
Data subjects: Communication partners.
Purposes of processing: contact requests and communication.
Legal bases: Performance of contract and pre-contractual enquiries (Art. 6 para. 1 sentence 1 lit. b. GDPR), legitimate interests (Art. 6 para. 1 sentence 1 lit. f. GDPR).

Data processing in third countries

If we process data in a third country (i.e. outside the European Union (EU), the European Economic Area (EEA)) or if the processing takes place in the context of the use of third-party services or the disclosure or transfer of data to other persons, bodies or companies, this will only take place in accordance with the legal requirements.
Subject to explicit consent or contractually or legally required transfer, we only process or have the data processed in third countries with a recognised level of data protection, contractual obligation through so-called standard protection clauses of the EU Commission, in the presence of certifications or binding internal data protection regulations (Art. 44 to 49 GDPR; information page of the EU Commission: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection_de).

Deletion of data

The data processed by us will be deleted in accordance with the legal requirements as soon as their consents permitted for processing are revoked or other permissions cease to apply (e.g. if the purpose of the processing of this data has ceased to apply or they are not necessary for the purpose).
Unless the data is deleted because it is necessary for other and legally permissible purposes, its processing will be limited to these purposes. This means that the data is blocked and not processed for other purposes. This applies, for example, to data that must be retained for commercial or tax law reasons or the storage of which is necessary for the assertion, exercise or defence of legal claims or to protect the rights of another natural or legal person.
As part of our privacy policy, we may provide users with further information on the deletion and retention of data that applies specifically to the respective processing processes.

Management, Organization and Auxiliary Tools

We use services, platforms and software from other providers (hereinafter referred to as “Third Party Providers”) for the purposes of organizing, managing, planning and providing our services. When selecting third-party providers and their services, we observe the legal requirements.
In this context, personal data may be processed and stored on the servers of the third-party providers. This may affect various data that we process in accordance with this privacy policy. This data may include, in particular, master data and contact details of the users, data on processes, contracts, other processes and their content.
To the extent that users are referred to the third-party service providers or their software or platforms in the course of communication, business or other relationships with us, the third-party providers may process usage data and metadata for security purposes, service optimization or marketing purposes. We therefore ask you to observe the data protection notices of the respective third-party providers.
Information on legal bases: If we ask users for their consent to the use of third-party providers, the legal basis for processing data is consent. Furthermore, their use may be part of our (pre-)contractual services, provided that the use of the third-party providers has been agreed in this context. Otherwise, the users’ data will be processed on the basis of our legitimate interests (i.e. interest in efficient, economical and recipient-friendly services). In this context, we would also like to draw your attention to the information on the use of cookies in this privacy policy.

  • Types of data processed: Inventory data (e.g. names, addresses), contact data (e.g. e-mail, telephone numbers), content data (e.g. entries in online forms), usage data (e.g. websites visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses).
  • Data subjects: communication partners, users (e.g. website visitors, users of online services).
  • Purposes of processing: contact requests and communication.
  • Legal bases: Consent (Art. 6 para. 1 sentence 1 lit. a. GDPR), performance of a contract and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b. GDPR), legitimate interests (Art. 6 para. 1 sentence 1 lit. f. GDPR).
  • Services and service providers used:

Microsoft Clarity

We use the Microsoft Clarity service on our website to analyse website usage (e.g. heat maps and session evaluations). The provider is Microsoft (depending on the region, e.g. Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA).
In particular, Clarity may process usage data (e.g. page views, click/scroll behaviour, interactions), technical information (e.g. browser/device information) and cookie IDs.
Processing only occurs if you have consented to this data processing via our consent banner/consent tool (Art. 6 para. 1 lit. a GDPR). Insofar as Clarity uses or reads cookies or similar technologies, this is done on the basis of your consent in accordance with § 25 (1) TDDDG. You can withdraw your consent at any time via the cookie settings.
The use of the service may result in data transfer to a third country (in particular the USA). The provider may provide suitable guarantees for this (e.g. certification according to the EU-U.S. Data Privacy Framework and/or EU standard contractual clauses, depending on the status of the contract).
Further information can be found in the data protection information of the provider.
Cookies (typically, depending on consent and configuration):

  • clck (up to 12 months): Stores a pseudonymous user ID and settings to recognize returning visitors and evaluate user interactions.
  • clsk (up to 24 hours): Links multiple page views of a user to a session (session mapping) and supports usage analysis.

Newsletters and electronic notifications

We send newsletters, e-mails and other electronic notifications (hereinafter referred to as “newsletters”) only with the consent of the recipients or legal permission. If its contents are specifically described in the context of a registration for the newsletter, they are decisive for the consent of the users. In addition, our newsletters contain information about our services and us.
To subscribe to our newsletters, it is generally sufficient to provide your e-mail address. However, we may ask you to provide a name for the purpose of personal address in the newsletter, or other information if this is necessary for the purposes of the newsletter.
Double opt-in procedure: Registration for our newsletter is generally carried out in a so-called double opt-in procedure. This means that after registering, you will receive an e-mail asking you to confirm your registration. This confirmation is necessary so that no one can log in with someone else’s e-mail addresses. The registrations for the newsletter are logged in order to be able to prove the registration process in accordance with the legal requirements. This includes the storage of the login and confirmation time as well as the IP address. Changes to your data stored by the shipping service provider will also be logged.
Deletion and restriction of processing: We may store the unsubscribed email addresses for up to three years on the basis of our legitimate interests before deleting them in order to be able to prove a previously given consent. The processing of this data is limited to the purpose of a possible defence against claims. An individual request for deletion is possible at any time, provided that the former existence of consent is confirmed at the same time. In the event of obligations to permanently observe contradictions, we reserve the right to store the e-mail address in a blacklist (so-called “blocklist”) for this purpose alone. The registration process is recorded on the basis of our legitimate interests for the purpose of proving that it is running properly. If we commission a service provider to send e-mails, this is done on the basis of our legitimate interests in an efficient and secure mailing system.
Information on legal bases: The newsletters are sent on the basis of the consent of the recipients or, if consent is not required, on the basis of our legitimate interests in direct marketing, if and to the extent that this is permitted by law, e.g. in the case of existing customer advertising. If we commission a service provider to send e-mails, this is done on the basis of our legitimate interests. The registration procedure is recorded on the basis of our legitimate interests to prove that it has been carried out in accordance with the law.
Content: Information about us, our services, promotions and offers.
Measurement of opening and click rates: The newsletters contain a so-called “web beacon”, i.e. a pixel-sized file that is retrieved from our server when the newsletter is opened, or, if we use a shipping service provider, from its server. As part of this retrieval, technical information, such as information about the browser and your system, as well as your IP address and the time of access, are first collected.
This information is used for the technical improvement of our newsletter on the basis of the technical data or the target groups and their reading behaviour on the basis of their access locations (which can be determined with the help of the IP address) or the access times. This analysis also includes determining whether the newsletters are opened, when they are opened and which links are clicked. This information is assigned to the individual newsletter recipients and stored in their profiles until they are deleted. The evaluations serve us to recognize the reading habits of our users and to adapt our content to them or to send different content according to the interests of our users.
The measurement of the opening rates and the click rates as well as the storage of the measurement results in the profiles of the users as well as their further processing are carried out on the basis of the consent of the users.
Unfortunately, it is not possible to revoke the performance measurement separately, in which case the entire newsletter subscription must be cancelled or objected to. In this case, the stored profile information will be deleted.

  • Types of data processed: inventory data (e.g. names, addresses), contact data (e.g. e-mail, telephone numbers), meta/communication data (e.g. device information, IP addresses), usage data (e.g. websites visited, interest in content, access times).
  • Data subjects: communication partners, users (e.g. website visitors, users of online services).
  • Purposes of processing: direct marketing (e.g. by e-mail or post), reach measurement (e.g. access statistics, recognition of returning visitors), conversion measurement (measurement of the effectiveness of marketing measures), profiles with user-related information (creation of user profiles).
  • Legal bases: Consent (Art. 6 para. 1 sentence 1 lit. a. GDPR), legitimate interests (Art. 6 para. 1 sentence 1 lit. f. GDPR).
  • Opt-out: You can unsubscribe from our newsletter at any time, i.e. withdraw your consent or object to further receipt. You will find a link to unsubscribe from the newsletter either at the end of each newsletter or you can use one of the contact options listed above, preferably e-mail.
  • Services and service providers used:

Online marketing

We process personal data for online marketing purposes, which may include, in particular, the marketing of advertising space or the presentation of advertising and other content (collectively referred to as “content”) based on the potential interests of users and the measurement of their effectiveness.
For these purposes, so-called user profiles are created and stored in a file (so-called “cookie”) or similar processes are used to store the information about the user relevant to the presentation of the before mentioned content. This information may include, for example, content viewed, websites visited, online networks used, but also communication partners and technical information such as the browser used, the computer system used and information on times of use. If users have consented to the collection of their location data, this can also be processed.
The IP addresses of the users are also stored. However, we use available IP masking methods (i.e., pseudonymization by shortening the IP address) to protect users. In general, no clear data of the users (such as e-mail addresses or names) is stored as part of the online marketing process, but pseudonyms. This means that we as well as the providers of the online marketing procedures do not know the actual identity of the users, but only the information stored in their profiles.
The information in the profiles is usually stored in cookies or by similar methods. These cookies can later be read out on other websites that use the same online marketing process and analysed for the purpose of displaying content, as well as supplemented with other data and stored on the server of the online marketing procedure provider.
Exceptionally, clear data can be assigned to the profiles. This is the case, for example, if the users are members of a social network whose online marketing processes we use and the network connects the users’ profiles with the before mentioned information. We ask you to note that users can make additional agreements with the providers, e.g. by giving consent as part of the registration process.
As a matter of principle, we only have access to aggregated information about the success of our advertisements. However, as part of so-called conversion measurements, we can check which of our online marketing processes have led to a so-called conversion, i.e. to the conclusion of a contract with us, for example. Conversion measurement is used solely to analyze the success of our marketing efforts.
Unless otherwise stated, we ask you to assume that cookies used will be stored for a period of two years.
Information on legal bases: If we ask users for their consent to the use of third-party providers, the legal basis for processing data is consent. Otherwise, the users’ data will be processed on the basis of our legitimate interests (i.e. interest in efficient, economical and recipient-friendly services). In this context, we would also like to draw your attention to the information on the use of cookies in this privacy policy.

  • Types of data processed: usage data (e.g. websites visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses).
  • Data subjects: Users (e.g. website visitors, users of online services).
  • Purposes of processing: marketing, profiles with user-related information (creation of user profiles), conversion measurement (measurement of the effectiveness of marketing measures). Security measures: IP masking (pseudonymization of the IP address).
  • Legal bases: Consent (Art. 6 para. 1 sentence 1 lit. a. GDPR), legitimate interests (Art. 6 para. 1 sentence 1 lit. f. GDPR).
  • Opt-out: We refer to the data protection information of the respective providers and the options for objection specified for the providers (so-called “opt-out”). Unless an explicit opt-out option has been specified, there is the possibility that you switch off cookies in the settings of your browser. However, this may limit the functions of our online offer. We therefore also recommend the following opt-out options, which are offered collectively for the respective territories:
    a) Europe: https://www.youronlinechoices.eu/
    b) Canada: https://www.youradchoices.ca/choices
    c) USA: https://www.aboutads.info/choices
    d) Cross-territorial: https://optout.aboutads.info/

Presence in social networks (social media)

We maintain online presences within social networks and process user data in this context in order to communicate with the users active there or to offer information about us.
We would like to point out that user data may be processed outside the area of the European Union. This can result in risks for users, for example, because it could make it more difficult to enforce users’ rights.
Furthermore, user data within social networks is usually processed for market research and advertising purposes. For example, usage profiles can be created based on user behavior and the resulting interests of users. The user profiles can in turn be used, for example, to place advertisements inside and outside the networks that presumably correspond to the interests of the users. For these purposes, cookies are usually stored on the users’ computers, in which the user’s usage behaviour and interests are stored. Furthermore, data may also be stored in the user profiles regardless of the devices used by the users (in particular if the users are members of the respective platforms and are logged in to them).
For a detailed description of the respective forms of processing and the options for objection (opt-out), we refer to the privacy policies and information provided by the operators of the respective networks.
In the case of requests for information and the assertion of data subject rights, we would also like to point out that these can be asserted most effectively with the providers. Only the providers have access to the data of the users and can directly take appropriate measures and provide information. If you still need help, you can contact us.

  • Types of data processed: contact data (e.g. e-mail, telephone numbers), content data (e.g. entries in online forms), usage data (e.g. websites visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses).
  • Data subjects: Users (e.g. website visitors, users of online services).
  • Purposes of processing: contact requests and communication, feedback (e.g. collecting feedback via online form), marketing.
  • Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f. GDPR).
  • Services and service providers used:
    • LinkedIn: Social network; Service Provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland; Website: https://www.linkedin.com/; Privacy Policy: https://www.linkedin.com/legal/privacy-policy; Opt-out: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out
    • Facebook: Together with Facebook Ireland Ltd., we are responsible for the collection (but not the further processing) of data of visitors to our Facebook page (so-called “fan page”). This data includes information about the types of content users view or interact with, or the actions they take (see “Things You and Others Do and Provide” in Facebook’s Data Policy: https://www.facebook.com/policy), as well as information about the devices users use (e.g., IP addresses, operating system, browser type, language preferences, cookie data; see under “Device Information” in the Facebook data policy statement: https://www.facebook.com/policy). As explained in Facebook’s Data Policy under “How do we use this information?”, Facebook also collects and uses information to provide analytics services called “Page Insights” to Page operators to provide them with insights into how people interact with their Pages and with the content associated with them. We have entered into a special agreement with Facebook (“Page Insights Information”,
      https://www.facebook.com/legal/terms/page_controller_addendum), which regulates in particular which security measures Facebook must observe and in which Facebook has agreed to comply with the rights of data subjects (i.e. users can, for example, direct information or deletion requests to Facebook). The rights of users (in particular to information, deletion, objection and complaint to the competent supervisory authority) are not restricted by the agreements with Facebook. Further information can be found in “About Page Insights” (https://www.facebook.com/legal/terms/information_about_page_insights_data).

Rights of data subjects

As a data subject, you are entitled to various rights under the GDPR, which result in particular from Art. 15 to 21 GDPR:
Right to object: You have the right to object at any time, for reasons arising from your particular situation, to the processing of personal data concerning you that is carried out on the basis of Art. 6 (1) (e) or (f) GDPR; this also applies to profiling based on these provisions. If the personal data concerning you is processed for the purpose of direct marketing, you have the right to object at any time to the processing of the personal data concerning you for the purpose of such advertising; this also applies to profiling, insofar as it is related to such direct advertising.

  • Right to withdraw consent: You have the right to revoke consent at any time.
  • Right of access: You have the right to request confirmation as to whether the data in question is being processed and to access this data, as well as to obtain further information and a copy of the data in accordance with the legal requirements.
  • Right to rectification: In accordance with the legal requirements, you have the right to request the completion of the data concerning you or the correction of the inaccurate data concerning you.
  • Right to erasure and restriction of processing: In accordance with the legal requirements, you have the right to demand that data concerning you be deleted immediately, or alternatively to demand a restriction of the processing of the data in accordance with the legal requirements.
  • Right to data portability: You have the right to receive data concerning you that you have provided to us in a structured, commonly used and machine-readable format in accordance with the legal requirements, or to request that it be transmitted to another controller.
  • Complaint to supervisory authority: In accordance with the legal requirements and without prejudice to any other administrative or judicial remedy, you also have the right to lodge a complaint with a data protection supervisory authority, in particular a supervisory authority in the Member State in which you habitually reside, the supervisory authority of your place of work or the place of the alleged infringement, if you believe that the processing of personal data concerning you violates the GDPR.

 

Supervisory authority responsible for us:
State Commissioner for Data Protection and Freedom of Information Baden-Württemberg
Königstraße 10a
70173 Stuttgart
Phone: 0711 615541-0
E-mail: poststelle@lfdi.bwl.de
Internet: https://www.baden-wuerttemberg.datenschutz.de/

Safety measures

In accordance with the legal requirements, taking into account the state of the art, the implementation costs and the type, scope, circumstances and purposes of the processing, as well as the different probabilities of occurrence and the extent of the threat to the rights and freedoms of natural persons, we take appropriate technical and organisational measures to ensure a level of protection appropriate to the risk.
Measures include, in particular, safeguarding the confidentiality, integrity and availability of data by controlling physical and electronic access to the data, as well as access, input, disclosure, availability and separation. We have also put in place procedures to ensure that the rights of data subjects are exercised, that data is deleted and that threats to the data are responded to. Furthermore, we take the protection of personal data into account as early as the development or selection of hardware, software and processes in accordance with the principle of data protection, through technical design and through data protection-friendly default settings.
Shortening of the IP address: If IP addresses are processed by us or by the service providers and technologies used and the processing of a complete IP address is not necessary, the IP address is shortened (also referred to as “IP masking”). The last two digits, or the last part of the IP address after a period, are removed or replaced by wildcards. The shortening of the IP address is intended to prevent or significantly complicate the identification of a person on the basis of his or her IP address.
SSL encryption (https): In order to protect your data transmitted via our online offer, we use SSL encryption. You can recognize such encrypted connections by the prefix https:// in the address bar of your browser.

Last updated: March 2026