Privacy Policy Operations1

CONTENT OVERVIEW:

1. SUBJECT MATTER OF THIS PRIVACY POLICY

2. CONTROLLER

3. USING THE OPERATIONS1 PLATFORM

4. VISITING OUR WEBSITE

5. INTERESTED PARTIES, CUSTOMERS AND SERVICE PROVIDERS (CRM)

6. E-MAIL NEWSLETTER

7. SOCIAL MEDIA

8. VIDEO CONFERENCES AND WEBINARS

9. JOB APPLICATIONS

10. MERGERS AND ACQUISITIONS (M&A)

11. AGE RESTRICTION

12. RECIPIENTS OF DATA

13. YOUR RIGHTS

14. COMPULSORY DATA AND PROFILING

15. INFORMATION SECURITY AND DELETION

16. AMENDMENT OF THIS PRIVACY POLICY

1. SUBJECT MATTER OF THIS PRIVACY POLICY

This Privacy Policy provides information about which personal data is collected during individual processing operations and how and for what purposes this personal data is processed.

This Privacy Policy provides information about data processing when visiting the website, but also in other contexts, e.g. about the processing of data from customers, applicants and when participating in video conferences.

Your personal data will always be processed in accordance with the statutory data protection regulations and this Privacy Policy.

2. CONTROLLER

2.1 Operations1 as Controller

The Controller is cioplenu GmbH, Am Technologiezentrum 5, 86159 Augsburg, Germany, telephone: +49 69 87009063, e-mail: info@operations1.com (hereinafter "Operations1"). Our data protection officer is lawyer Christian Schmoll, e-mail: datenschutz@operations1.com.

2.2 Operations1 as a Data Processor

Operations1 makes the Operations1 platform available to customers as a data processor on the basis of a data processing agreement. When using the platform, the respective customer is the Controller with regard to the processing of the data processed via the platform.

3. USING THE OPERATIONS1 PLATFORM

3.1 Operations1 as a Data Processor when using the Platform

Operations1's clients use the Platform to digitally map their process documentation, connect it to existing IT systems and carry out analyses of work processes. With regard to the personal data that is collected and processed as part of the documentation and processing of the work processes, the respective customer of Operations1 is the controller and Operations1 acts as a processor on the instructions of the respective customer. As part of the documentation and processing of the work processes, inventory and contact data of the customer's employees and data for the documentation and processing of the work processes (e.g. input values and time stamps when using checklists and data for processing individual tasks) are regularly processed.

3.2 Operations1 as a Controller when using the Platform

In order to better understand how you use the Operations1 Platform and to continuously improve our app/platform and services, we collect and analyze how users use the Operations1 Platform. The data collected in this process is used to create aggregated usage reports.

Usage information may be stored as part of software-specific functions such as reports, analysis or value histories. This information includes user names and timestamps.

3.2.1 Creating an Account

If you as a user set up or have an account set up for the use of the Platform or register as an invited user, Operations1 processes your data as the controller in order to enable you to use the Platform.

In this context, Operations1 processes your data as part of the provision of the Platform or to provide the services offered by Operations1. This may include the processing of the surname and first name of the user, address(es), contact data (e.g. e-mail address, telephone number), contract data (e.g. subject matter of the contract, term), payment data and data required and processed for the provision of the services.

Your data will be processed for as long as you use your account. If you close/delete your account, the data processed via your account will be deleted (subject to any retention obligations, see "Retention and deletion" below).

The legal basis for this storage and processing is the fulfillment of the contract and/or the legitimate interest of Operations1 in providing the platform and checking compliance with the terms of use.

3.2.2 Usage Analysis

In order to better understand how you use the Platform and to continuously improve our Platform and services, Operations1 collects and analyzes the use of the Platform by users. The data processed is used to create aggregated/anonymized usage reports. The IP address of the respective user, browser type and browser version and information about the use of or interaction with the Operations1 Platform may be processed for the creation of the usage reports.

When creating usage analyses, a processor is used on the basis of an order processing agreement.

Personal data may be transferred to third countries that do not offer an adequate level of data protection. In this case, it is ensured that appropriate safeguards are provided for such a transfer in order to ensure an adequate level of data protection. Proof of these appropriate safeguards will be provided on request.

The legal basis for this data processing is the legitimate interest of Operations1 in the analysis of platform usage and the optimization of the platform based on this.

3.2.3 Chat Function and Ticketing

When creating support tickets and during live chat, the contact details and other content you provide will be processed. This processing is carried out to manage and process your support request.

For the ticketing system and live chat, an external service provider is used as a processor on the basis of an order processing agreement.

The legal basis for this storage and processing is the fulfillment of the contract and/or the legitimate interest of Operations1 in communicating with the users of the platform and the efficient processing of support requests.

3.2.4 Transactional Messages

For the sending of transactional messages by email in connection with the use of the platform, an external service provider is used as a data processor who carries out the email dispatch and ensures the deliverability of the emails.

The legal basis for this processing is the fulfillment of the contract and/or the legitimate interest of Operations1 in communicating with the users of the platform.

4. VISITING OUR WEBSITE

4.1 Hosting and Log Files

The website is hosted by a service provider on the basis of a data processing agreement.

Each time the website is accessed, the system automatically collects data and information from the computer system of the accessing end device. The following data is recorded or logged:

IP address of the calling computer
Operating system of the calling computer
Browser version of the calling computer
Name of the retrieved file/website
Date and time of retrieval
Transferred amount of data
Referring URL

This data is processed in order to be able to present the website, to ensure the security, availability and integrity of the website (e.g., detection and defense against DoS attacks or access by bots), to improve the quality and presentation of the website, to be able to identify and correct errors and for statistical purposes. This data is regularly deleted after a few days.

The legal basis for this data processing is the legitimate interest of the Controller in the above-mentioned purposes.

4.2 Content Delivery Network

The website uses a Content Delivery Network (CDN) to increase the security and delivery speed of the website. A CDN is a network of distributed servers that is able to deliver optimized content to users. For this purpose, personal data can be processed in server log files of the CDN provider.

Since a CDN is a network of servers that are often distributed worldwide, the use of a CDN may result in the transfer of personal data to third countries that do not offer an adequate level of data protection. In this case, it is ensured that appropriate safeguards are provided for such a transfer in order to ensure an adequate level of data protection. The Controller will provide evidence of these appropriate safeguards upon request.

The legal basis for this data processing is the legitimate interest of the Controller in the above-mentioned purposes.

4.3 Cookies and Consent Management

Cookies are used on the website. Cookies are pieces of information that are transferred from our web server or third-party web servers to the browser of the website visitor and stored there for later retrieval. Cookies can be small files or other types of information storage. Information is stored in cookies that is generated in connection with the specific end device used. Cookies contain a characteristic string of characters that enables the browser to be uniquely identified when the website is called up again. A cookie also contains information about its origin and the storage period. However, this does not mean that the identity of the website visitor can be obtained directly from a cookie.

When you visit the website, cookies are set that are absolutely necessary for the operation of the website. These strictly necessary cookies may, for example, be cookies that are required to display the website with a content management system, that are used to recognize language settings or that are used to document whether consent has been given to the setting of further (optional) cookies or whether such storage has been rejected. The strictly necessary cookies, including their purpose and storage or deletion period, are explained below and also in the cookie banner that is displayed when the website is accessed.

Optional cookies are also used, for example, to collect additional information about the interests of visitors to the website or their usage behavior in order to analyze and optimize the website and customer interactions in general.

Optional cookies, including their purpose and storage or deletion period, are explained below and also in the banner that is displayed when the website is accessed. Optional cookies are only set if you have expressly consented to the setting of optional cookies.

The Consent Management Platform ("CMP") Usercentrics from Usercentrics A/S in Denmark is used on the website.

Usercentrics is used to inform website visitors about the cookies used on the website and to request and, if necessary, document consent to the use of optional cookies. A permanent cookie is stored in the browser to save the consent.

The following data is logged automatically IP address in anonymized form (the last three digits are set to "0"), date and time of consent, user agent (information on the end device), URL on which the consent was collected, status of consent (which cookies were consented to).

The data collected and processed in the context of the use of Usercentrics is processed by Usercentrics A/S as a data processor on the basis of a data processing agreement in the EU.

The legal basis for this data processing is initially the Controller's legitimate interest in obtaining the consent of website visitors to the storage of optional cookies as part of the provision of the website. If such consent has been given, the legal basis for the processing of the data for consent is the fulfillment of the legal obligation to obtain and document consent for this.

4.4 Google Tag Manager

The tool Google Tag Manager is used on the website. Google Tag Manager is provided by Google Ireland Limited in Ireland.

The tool Google Tag Manager allows tags to be integrated centrally via a user interface. Tags are small sections of code that can track activities. Script codes from other tools are integrated via the tool and it is possible to control when a specific tag is triggered.

The tool Google Tag Manager is only used to integrate and control other tools; with the exception of the IP address of website visitors, the tool Google Tag Manager does not process any personal data.

Personal data may be transferred to third countries that do not offer an adequate level of data protection. In this case, it is ensured that appropriate safeguards are provided for such a transfer in order to ensure an adequate level of data protection. The Controller will provide evidence of these appropriate safeguards on request.

The legal basis for this data processing is the Controller's legitimate interest in the simple central integration and control of other tools.

4.5 Videos

Videos are embedded on the website. This functionality is made available via a plugin from our service provider Vimeo, LLC, in the USA as a processor.

When you visit a website that is equipped with such a Vimeo plugin, a connection to Vimeo is established and your IP address is transmitted to Vimeo. Even if you start a video by clicking on it, this information is transmitted to Vimeo. If you are logged in to Vimeo, the transmitted information may be linked to your Vimeo account.

Further information on the scope and purpose of data processing by Vimeo and the processing and use of your data by Vimeo as well as your setting options for protecting your privacy in this regard can be found in Vimeo's privacy policy at https://vimeo.com/privacy. Additional information on the use of cookies by Vimeo can be found here in the Vimeo Cookie Policy at https://vimeo.com/cookie_policy.

Personal data may be transferred to third countries that do not offer an adequate level of data protection. In this case, it is ensured that appropriate safeguards are provided for such a transfer in order to ensure an adequate level of data protection. The Controller will provide evidence of these appropriate safeguards on request.

The legal basis for this data processing is the Controller's legitimate interest in the integration of videos and the associated optimization of the interactivity of the website and customer interactions. If consent has been obtained, the expressly granted consent, which can be revoked at any time, constitutes the legal basis.

4.6 Web Analytics (Google Analytics)

The website uses the web analysis service Google Analytics from Google Ireland Limited in Ireland.

Google Analytics uses JavaScript tags to collect information about the use of the website. Google Analytics uses cookies to collect information on the interactions of visitors to the website with the website.

As part of the use of Google Analytics, the IP address of visitors to the website, information about the use of the website, browser type and version, operating system used, the previously visited page and the time of the server request are transmitted to Google servers and processed there.

Personal data may be transferred to third countries that do not offer an adequate level of data protection. In this case, it is ensured that appropriate safeguards are provided for such a transfer in order to ensure an adequate level of data protection. The Controller will provide evidence of these appropriate safeguards on request.

The legal basis for this data processing is the express consent of the visitor to the website, which can be revoked at any time.

4.7 Google Ads

The website provider uses the Google Ads advertising program of Google Ireland Limited in Ireland.

The Google Ads advertising program makes it possible to display targeted, interest-based advertisements on the Google search engine and on third-party websites and to evaluate and optimize the performance of individual advertisements, e.g. by analyzing which advertisements were clicked on and how often.

Personal data may be transferred to third countries that do not offer an adequate level of data protection. In this case, it is ensured that appropriate safeguards are provided for such a transfer in order to ensure an adequate level of data protection. The Controller will provide evidence of these appropriate safeguards on request.

The legal basis for this data processing is the express consent of the visitor to the website, which can be revoked at any time.

4.8 LinkedIn Ads

Tracking pixels and cookies from LinkedIn Ireland Unlimited Company in Ireland are used on the website to track the use of the website and the actions of website visitors for the purpose of conversion tracking.

The tracking pixels are a code snippet that can be used to track the actions of visitors to the website, which makes it possible to personalize and improve advertisements and measure their success. This allows the use of the website to be evaluated for statistical and market research purposes and advertising campaigns to be optimized.

The data collected via LinkedIn Ads may be used by LinkedIn as Controller for its own tracking and advertising purposes. For further details, please refer to LinkedIn's Privacy Policy at https://www.linkedin.com/legal/privacy-policy?.

If a visitor to the website is a member of the LinkedIn social media platform and has allowed the provider to do so via the settings of the user account with the social media network, the provider of the social media network or tracking pixel can link the information collected about the visit to the website with the associated user account with the respective social media network and use it for the targeted placement of advertisements.

The website provider can also measure the effectiveness of advertisements in the respective social media networks and see whether a user was redirected to the website via such advertisements (conversion measurement).

When such tracking pixels are integrated, personal data may be transferred to third countries that do not offer an adequate level of data protection. In this case, it is ensured that appropriate safeguards are provided for such a transfer in order to ensure an adequate level of data protection. The Controller will provide evidence of these appropriate safeguards on request.

The legal basis for this data processing, including the transfer of data to LinkedIn, is the express consent of the website visitor.

4.9 Tracking-Pixel

Tracking pixels and cookies from various providers, e.g. LinkedIn, Bing, Meta, Google, Outbrain, Pinterest, Snapchat, Taboola, TikTok, Twitter and/or Yahoo Native (Gemini), are used on the website to track the use of the website and the actions of website visitors for the purpose of conversion tracking.

The tracking pixels are a code snippet that can be used to track the actions of visitors to the website, which makes it possible to personalize and improve advertisements and measure their success. In this way, the use of the website can be evaluated for statistical and market research purposes and advertising campaigns can be optimized.

The data collected via the tracking pixels can be used by the providers of the respective pixels for their own tracking and advertising purposes. Further details can be found in the Privacy Policies of the providers of the respective pixels.

If a visitor to the website is a member of a social media platform of one of the providers of the tracking pixels and has allowed the respective provider to do so via the settings of the user account with the social media network, the provider of the social media network or tracking pixel can link the information collected about the visit to the website with the associated user account with the respective social media network and use it for the targeted placement of advertisements.

The legal basis for this data processing is the express consent of the visitor to the website, which can be revoked at any time.

5. INTERESTED PARTIES, CUSTOMERS AND SERVICE PROVIDERS (CRM)

If you contact us, e.g. by e-mail, via a contact form or via a live chat, the information you provide will be processed for the purpose of processing the request.

We need the information requested in a contact form or live chat in order to process your request, address you correctly and send you an answer.

The legal basis for this data processing is our legitimate interest in communicating with interested parties, visitors and customers. If the contact is aimed at concluding a contract, the legal basis for the processing is the initiation of a contract.

We process the data of our customers, service providers and suppliers as part of the provision of our contractual services. This may involve processing inventory data (e.g. surname and first name of the contact person(s), address), contact data (e.g. email address, telephone number), contract data (e.g. subject matter of the contract, term), payment data and data that is collected as part of the provision of services and/or is necessary for the provision of services.

Inquiries and customer relationships are regularly stored and processed in our CRM system. The data processed (surname, first name, title, postal address, date of birth if applicable, your specific interest in our products and services and your interactions with us) may also be used by us for direct marketing purposes, in particular for postal advertising, in compliance with legal requirements.

Personal data may be transferred to third countries that do not offer an adequate level of data protection. In this case, it is ensured that appropriate safeguards are provided for such a transfer in order to ensure an adequate level of data protection. The Controller will provide evidence of these appropriate safeguards on request.

The legal basis for this storage and processing is our legitimate interest in marketing our products and services and maintaining our relationships with interested parties, customers and service providers.

6.1 Registration

You can register on the website to receive an e-mail-newsletter. When you register, the data from the input screen, the IP address of the accessing computer and the date and time of registration are collected and stored.

The so-called "double opt-in" procedure is used to verify that a registration for the sending of a newsletter is made by the actual owner of an e-mail address. In this process, a confirmation e-mail is sent to the registered e-mail address after an e-mail address has been registered. Registration for the newsletter is only completed when a confirmation link contained in the confirmation email is activated. The IP address of the accessing computer and the date and time of activation of the confirmation link are also collected and stored.

You can unsubscribe from the newsletter at any time by using the unsubscribe link contained in each newsletter or by contacting the Controller using the contact details provided above.

The legal basis for the processing of data as part of the registration and sending of the email newsletter is your express consent, which can be revoked at any time.

Please note that if consent is withdrawn, the consent data will be stored until the statutory limitation period expires to enable the Controller to defend itself legally if necessary. The duty of accountability and proof takes precedence over the duty of erasure for this period. The legal basis for this retention of consent data is the fulfillment of a legal obligation (accountability) and the Controller's legitimate interest in a potential legal defense.

6.2 E-mail Newsletter for Existing Customers

If you register as a user of the platform and enter your e-mail address, it may be used to send you an e-mail newsletter, provided you have not objected to such use. Only direct advertising for our own similar goods or services is sent via the e-mail newsletter as part of an existing customer relationship. You can object to the use of your email address for this purpose at any time, without incurring any costs other than the transmission costs according to the basic rates, by using the unsubscribe link contained in each email newsletter or by contacting the Controller using the contact details given above.

The legal basis for sending the email newsletter as part of an existing customer relationship is the Controller's legitimate interest in carrying out direct marketing measures.

Please note that in the event of an objection to the further sending of the email newsletter as part of an existing customer relationship, the consent data will be retained until the expiry of the statutory limitation period in order to enable the Controller to defend itself legally if necessary. The obligation to provide accountability and evidence takes precedence over the obligation to delete data for this period. The legal basis for this retention of consent data is the fulfillment of a legal obligation (accountability) and the Controller's legitimate interest in a potential legal defense.

6.3 Newsletter Analytics/Tracking

A statistical analysis of usage data can be carried out for the email newsletter. For this purpose, the openings of the e-mail and the internal clicks are collected and stored. This information is used to measure and optimize the success of the email newsletter campaigns by making the content of the email newsletters more interesting and relevant for the target group.

The legal basis for this analysis is the consent expressly granted and revocable at any time.

6.4 Newsletter Service Provider

An external service provider is used as a data processor to send and analyze the email newsletter.

Personal data may be transferred to third countries that do not offer an adequate level of data protection. In this case, it is ensured that appropriate safeguards are provided for such a transfer in order to ensure an adequate level of data protection. The Controller will provide evidence of these appropriate safeguards on request.

7.1 Social Media Buttons

Social media buttons of various social media networks (e.g. Linkedin, Instagram, Twitter and Facebook) are integrated on our website.

If you click on one of these social media buttons, you will be redirected to our pages on the respective social media network. In this case, the provider of the respective social media network receives the information that your browser has accessed the corresponding page of our website, even if you do not have a profile with the respective social media network or are not logged in there. This information (including your IP address) is transmitted by your browser directly to a server of the respective provider. If you click on a social media button and are either logged in to the respective social media network or then log in to the page of the respective social media network, the transmitted information can be assigned to your account with the social media network.

For information on the purpose and scope of data collection and processing by the providers of the respective social media network, the provider identification, a contact option and your rights and setting options for data protection, please refer to the respective privacy policy of the providers of the social media networks.The legal basis for the integration and use of social media buttons is Art. 6 (1) lit. f) GDPR. Our overriding legitimate interest is the marketing of our offers and our website.

7.2 Social Media Pages

We maintain a publicly accessible profile on various social media networks (e.g. Linkedin, Instagram, Twitter and Facebook).

If you visit our social media pages and are logged in to the respective social media network, the provider of the respective social media network can analyze your usage behavior and assign the information collected to your account with the social media network and enrich it there. Even if you are not logged in or if you do not have an account with the respective social media network, personal data may be collected by the provider of the respective social media network, for example your IP address or data collected via a cookie.

The operators of the social media networks can use this data to create user profiles. Based on your user profile, you can then be shown interest-based advertisements both on the websites of the social media network and on other websites.

If you visit one of our social media pages, we are jointly responsible with the provider of the social media network for the collection and processing of your personal data that takes place there. For information on the collection and processing of your personal data that takes place there, we refer you to the privacy policy of the respective social media network.

You can assert your data subject rights in accordance with Chapter III. of the GDPR (right to information, correction, deletion, restriction of processing, data portability, etc.) both against us and against the provider of the respective social media network. In this context, we would like to point out that we can only influence the processing of personal data and the implementation of data subject rights within the framework of our social media pages within the scope of the possibilities made available to us by the respective provider.

The legal basis for our use of social media pages is Art. 6 (1) lit. f) GDPR. Our overriding legitimate interest is the presence and marketing of our products and services on the Internet.

8. VIDEO CONFERENCES AND WEBINARS

If you participate in a video conference, webinar or online meeting etc. organized by us. (hereinafter "video conferences") organized by us, we process your personal data in the course of your participation.

When you participate in a video conference, various categories of data are processed. The scope of the data also depends on the data you provide before or during participation in a video conference.

If you participate in a video conference organized by us, you usually have to provide at least a name when registering. However, you can also use a pseudonym. Your IP address will also be processed to enable your participation and login information and device/hardware information will be stored. Your email address and profile picture will also be processed, if provided. If you dial in by phone, your phone number and IP address, if any, will be processed.

To enable participation in the video conference, data from your terminal's microphone and any terminal video camera and, if you share your screen, information from this "screenshare" is processed. You can switch off or mute the camera or microphone yourself at any time. You always decide yourself whether and which parts of your screen are shared.

Audio and video recordings of the video conference can be made. In this case, MP4 files of all video, audio and presentation recordings are processed. There will always be an indication of the recording if one is made and, if necessary, the explicit consent of the participants to the recording will always be obtained.

You may have the opportunity to use the chat, question or survey functions in a video conference. In this respect, the text entries you make are processed in order to display them in the video conference and, if necessary, to record them.

Insofar as personal data of our employees is processed, § 26 BDSG (German Federal Data Protection Act) is the legal basis for data processing, insofar as German law is applicable to the processing of employee data.

If German law is not applicable to the processing of employee data or if, in connection with participation in video conferences, the processing of personal data is not necessary for the establishment, implementation or termination of the employment relationship, but is nevertheless an elementary component of participation in a video conference, our overriding legitimate interest pursuant to Art. 6 (1) lit. f) GDPR is the legal basis for the data processing. In these cases, our overriding legitimate interest is in the effective implementation of video conferences.

Furthermore, the legal basis for data processing when conducting video conferences is Art. 6 (1) lit. b) GDPR, insofar as the meetings are conducted in the context of contractual relationships or with a view to initiating a contractual relationship (for example, in the case of video conferences with our clients in the context of the implementation of a project or participation in a webinar).

Furthermore, the legal basis for data processing in the context of your participation in a video conference organized by us is our legitimate interest pursuant to Art. 6 (1) lit. f) GDPR. Our legitimate interest in these cases is the effective implementation of video conferences.

We use one or more service providers as data processors for the implementation of video conferences on the basis of a data processing agreement pursuant to Art. 28 GDPR.

This may involve the transfer of personal data to a third country without an adequate level of data protection. In this case, we ensure that appropriate safeguards are provided for the transfer in accordance with Art. 46 GDPR. We will provide you with proof of the appropriate safeguards (Standard Contractual Clauses) at any time upon request.

9. JOB APPLICATIONS

9.1 Active Sourcing

We perform so-called active sourcing measures to identify promising potential employees on the external labor market and actively contact potential applicants and employees. The purpose of the data processing is recruitment, e.g. by individually referring promising candidates to job offers of our company.

In active sourcing, we collect the following categories of data: Last name, first name, gender, contact data, education, work experience, qualifications, salary data, application data, extra-occupational experience and interests, and other information derived from public profiles on social networks, in particular LinkedIn and Xing, and/or from other publicly accessible sources on the Internet.

All personal data processed in the context of active sourcing is collected from publicly accessible sources from the Internet, in particular from social networks such as LinkedIn and Xing.

The legal basis for the collection and processing of publicly available data in the context of active sourcing is our legitimate interest pursuant to Art. 6 (1) lit. f) GDPR. Our overriding legitimate interest is the identification, contacting and hiring of the best possible employees for our company.

9.2 Application Process

We collect and process personal data of applicants for the purpose of performing the application process.

If we conclude an employment contract with an applicant, the data transmitted will be processed in order to carry out the employment relationship in compliance with the statutory provisions.

If no employment contract is concluded with the applicant, the application documents will be deleted immediately after completion of the application procedure, provided that deletion does not conflict with any overriding legitimate interest, such as the defence of claims or a preservation of evidence function according to the General Equal Treatment Act (Allgemeines Gleichbehandlungsgesetz - AGG).

The legal basis for this storage and processing is the performance of the contract or the implementation of pre-contractual measures pursuant to Art. 6 (1) lit. b) GDPR, in Germany § 26 BDSG.

9.3 Talent Pool

If the applicant has consented to a longer storage of his/her data, we will store the data submitted as part of the application in our talent pool for a further 2 years after the end of the application process in order to identify future positions of potential interest to the applicant and, if necessary, contact the applicant in this regard. After this period, the data will be deleted.

Such consent to the storage of application data in our talent pool can be withdrawn at any time for the future. To do so, please send us an email to the contact details provided above.

The legal basis for the storage of application documents in our talent pool is, if applicable, the applicant's consent pursuant to Art. 6 (1) lit. a) GDPR.

9.4 Compliance/Sanctions Screening

Applicants who are shortlisted during the application process may be subject to an initial compliance check. The compliance check involves a comparison of the applicant's name and address with relevant sanctions lists, in particular based on the EU anti-terrorism regulations.

To perform the compliance/sanctions list screening, we use an external service provider as a data processor based on a data processing agreement pursuant to Art. 28 GDPR.

The legal basis for this storage and processing, if there is a legal obligation to perform compliance/sanctions list screening, is Art. 6 (1) lit. c) GDPR. In individual cases, depending on a balancing of interests, a compliance/sanctions list screening may also take place if there is no mandatory legal obligation. In this case, the legal basis is our legitimate interest pursuant to Art. 6 (1) lit. f) GDPR in avoiding potential sanctions by foreign authorities.

10. MERGERS AND ACQUISITIONS (M&A)

If we are involved in a restructuring, acquisition, asset sale, merger, financing, transfer of services to another provider, due diligence, insolvency or receivership, your personal data may be transferred to third parties to the extent legally permitted in connection with and as part of the relevant legal process, subject to the basic principles of data protection law.

11. AGE RESTRICTION

This website is not intended or designed for use by children under the age of 16. We do not knowingly collect personally identifiable information from or about anyone under the age of 16.

12. RECIPIENTS OF DATA

Within our company, those internal departments or organisational units receive your data which they need to fulfil their tasks, to fulfil contracts with you if necessary, for data processing with your consent or to safeguard our overriding legitimate interests.

Data will only be passed on to third parties within the framework of legal requirements. We will only pass on your data to third parties if, for example, this is necessary for contractual purposes on the basis of Art. 6 (1) lit. b) GDPR or to safeguard our overriding legitimate interest pursuant to Art. 6 (1) lit. f) GDPR in the effective conduct of our business operations.

Insofar as we use service providers within the framework of the provision of the website and/or Platform or other services, we take appropriate legal precautions as well as appropriate technical and organisational measures to ensure the protection of your personal data.

13. YOUR RIGHTS

You have the rights explained below with regard to the personal data processed by us concerning you:

13.1 Right of Access

You can request information in accordance with Art. 15 GDPR about your personal data that we process.

13.2 Right to Rectification

If the information concerning you is not (or no longer) accurate, you may request a correction in accordance with Art. 16 GDPR. If your data is incomplete, you may request that it be completed.

13.3 Right to Erasure

You may request the erasure of your personal data in accordance with Art. 17 GDPR.

13.4 Right to Restriction of Processing

In accordance with Art. 18 GDPR you have the right to request restriction of processing of your personal data.

13.5 Right to Object to Processing

You have the right to object at any time on grounds relating to your particular situation to the processing of your personal data which is carried out on the basis of Art. 6 (1) lit. e) or lit. f) GDPR in accordance with Art. 21 (1) GDPR. In this case, we will not further process your data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or if the processing serves to assert and exercise or defend against legal claims (Art. 21 (1) GDPR).

In addition, according to Art. 21 (2) DSGVO, you have the right to object at any time to the processing of personal data concerning you for the purposes of direct marketing; this also applies to any profiling, insofar as it is related to such direct marketing.

13.6 Right to Withdraw Consent

Insofar as you have given your consent for processing, you have a right to withdraw your consent pursuant to Art. 7 (3) GDPR.

13.7 Right to Data Portability

You have the right to receive the personal data concerning you that you have provided to us in a structured, common and machine-readable format ("data portability") as well as the right to have this data transferred to another controller if the conditions of Art. 20 (1) lit. (a) and (b) GDPR are met.

13.8 Exercise of Rights

You can exercise your rights by notifying the above contact details for the data controller or the data protection officer.

13.9 Right to complain to the Data Protection Authorities

If you believe that our processing of your personal data violates data protection law, you also have the right to complain to a data protection supervisory authority of your choice pursuant to Article 77 of the GDPR.

The data protection supervisory authority responsible for us is the Berlin Commissioner for Data Protection and Information Security, Friedrichtstr. 219, 10969 Berlin.

14. COMPULSORY DATA AND PROFILING

The provision of personal data is neither required by law nor by contract, and you are not obliged to provide personal data, although the provision of personal information is required for the conclusion of a contract to the extent that certain details are required in order to conclude (and perform) a contract.

We do not perform automated decision making, including profiling.

15. INFORMATION SECURITY AND DELETION

We take appropriate technical and organizational measures in accordance with the state of the art to ensure a level of protection for the personal data we process that is appropriate to the risk of the respective processing and to protect the data we process against accidental or intentional manipulation, loss, destruction or against access by unauthorized persons.

Our website uses SSL encryption for security reasons and to protect the transmission of confidential content, such as orders, inquiries or payment data that you send to us.

Our employees receive regular training on data protection and information security and are committed to confidentiality and data protection.

A restrictive rights and roles concept on a "need to know" basis ensures that employees only have access to the personal data they absolutely need to perform their duties.

We adhere to the principles of data avoidance and data economy and only store your personal data for as long as is necessary to achieve the respective purpose of the data processing purposes or as stipulated by the storage periods provided by law. If the purpose of storage no longer applies or if a storage period provided for by law expires, the personal data will be routinely anonymized or deleted in accordance with the statutory provisions.

16. AMENDMENT OF THIS PRIVACY POLICY

We reserve the right to amend this Privacy Policy from time to time so that it always complies with current legal requirements or in order to implement changes to our services in the Privacy Policy, e.g. when introducing new services. Your renewed visit will then be subject to the amended Privacy Policy.