USER PRIVACY NOTICE
In our User Privacy Notice we inform our users, among other things, about our handling of their personal data and the type, scope and purpose of the processing. We always process personal data in compliance with the European General Data Protection Regulation (“GDPR”) and the applicable data protection regulation, the Federal Data Protection Act (“BDSG”).
A. Data controller and data protection officer
Heidelberg Instruments Mikrotechnik GmbH
You can contact our data protection officer at any time via the e-mail address provided above.
B. What personal data we process, for what purposes and for how long
When you visit our website and use our services, various personal data are collected depending on what you do on our website and which functions you use. We particularly process your first and last name, your telephone number, e-mail address and all the information you provide us with and the websites you have visited.
I. Visit our website
Generally, you can access our website without having to provide any personal data. However, even if you use our website for a purely informational purpose, we collect certain personal data to be able to display our website to you technically. In addition, we use certain analysis procedures on our website based on cookies and similar technologies and have also integrated links to other websites whose operators may process further (personal) data.
If you access one of our websites without registering with us or providing any other data, we process the personal data that your browser transmits to our server. This is technically necessary to display our website and to ensure stability and security. Log files record the following data:
• IP address
• Date and time of access
• Time zone difference from Greenwich Mean Time (GMT)
• Content of the request (concrete page)
• Access Status/HTTP Status Code
• Data volume transferred in each case
• Website from which the request comes
• Operating system and its interface
• Language and version of the browser software
The processing is carried out based on Article 6 (1) (1) (f) GDPR for the purpose of our legitimate interest in the unobstructed operation of our website. The data is stored for a period of 14 days and then automatically deleted.
For example, we use session cookies to recognize that you have already visited individual pages of our website. The session cookies are automatically deleted at the end of your session.
In addition, we also use permanent cookies for the purpose of user-friendliness, which are stored on your device for a certain fixed period. As soon as you visit our website again, your former visits, entries and settings are automatically recognized so that you do not have to provide them again. These cookies are deleted after 24 hours at the latest.
The processing of personal data by means of cookies, which is necessary for the provision of our services, is carried out on the basis of Article 6 (1) (1) (f) GDPR for the purpose of our legitimate interest in the unobstructed provision of our services. In addition, we only process your personal data in connection with cookies (in particular for analysis and advertising purposes and in connection with the third-party providers described below) when you have given us your prior consent to do so in accordance with Article 6 (1) (1) (a) GDPR. The processing is carried out for the purpose of advertising, market research on our website and the enhanced functionality and provision of our services.
Users can also deactivate cookies by using the corresponding settings in the browser. Please use the help function of your browser to find out how to deactivate and delete cookies. However, this may impair some of the functions of this website and reduce user-friendliness. The http://www.aboutads.info/choices/ (USA) und http://www.youronlinechoices.com/uk/your-ad-choices/ (Europe) sites allow you to manage online ad cookies.
3. Use of Google Analytics (with anonymization function)
This website uses Google Analytics, a web analytics service provided by Google LLC, Amphitheatre Parkway Mountain View, CA 94043, USA (“Google Analytics”). We use Google Analytics to analyze and regularly improve the use of our website. The statistics obtained enable us to improve our offer and make it more interesting for you as a user. Google Analytics uses methods such as “cookies”, which enable us to track your use of our website. The information generated by the cookie about your use of our website is usually transferred to a Google server in the USA and stored there. However, due to the activation of IP anonymization on our websites, your IP address will be shortened beforehand by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. The IP address transmitted by your browser as part of Google Analytics will not be combined with other Google data.
We only use Google Analytics in connection with your personal data if you have given us your express consent beforehand. Your consent is also the legal basis for the use of Google Analytics in accordance with Article 6 (1) (1) (a) GDPR. You can prevent the storage of cookies by setting your browser software accordingly. However, we would like to point out that in this case you may not be able to use all functions of this website to their full extent.
Your personal data collected in connection with Google Analytics will be deleted or anonymized after 14 months.
4. Google Ads
This website uses the online advertising program “Google Ads” and, as part of this, conversion tracking to measure the effectiveness of individual advertisements, offers and functions. Google Ads sets a cookie on your device if you have accessed our website via a Google ad. These cookies lose their validity after 30 days and are not used for personal identification. If the user visits certain pages of our website and the cookie has not yet expired, we and Google can recognize that the user has clicked on the ad and was redirected to our website. Each Google Ads customer receives a different cookie. Cookies can therefore not be tracked across Ads customers’ websites.
The information collected using the conversion cookie is used to create conversion statistics for Google Ads customers who have opted into conversion tracking. We learn the total number of users who clicked on an ad and were redirected to a website tagged with a conversion tracking tag. However, we do not receive any information that personally identifies users. The data collected in this way is usually only transmitted in anonymized form to Google servers in the USA and stored there.
II. Contact form
We offer you various ways to contact us. If you contact us via the online form or by e-mail, we process the information you provide in accordance with Art. 6 (1) (1) (b) GDPR in order to answer your enquiry and to ask possible follow-up questions. The data processed in connection with a business relationship or contact enquiry will be deleted at the latest after the expiry of the statutory retention periods. Those personal data that we must store for the fulfilment of retention obligations will be stored until the end of the respective retention obligation. Within the scope of storage for the fulfilment of retention obligations, access to this data is usually restricted.
We may also process other personal data for the purpose of our legitimate interests based on Art. 6 (1) (1) (f) GDPR, especially to prevent fraud and misuse of our services.
III. E-mail newsletter
So that you can regularly receive useful information from us, we offer you the opportunity to register for our newsletter on our website. Finally, in order to be able to ensure that no mistakes have been made when entering the e-mail address, we use the double opt-in procedure. This means that after you have entered your e-mail address and your name in the corresponding fields, we will send you a confirmation link by e-mail to the e-mail address you have provided. Only when you click on this confirmation link your e-mail address will be added to our distribution list. After your confirmation, we store your e-mail address for the purpose of sending you the newsletter. The legal basis is Article 6 (1) (1) (a) GDPR. You can revoke your consent to the sending of the newsletter at any time with effect for the future and unsubscribe from the newsletter. You can conveniently declare the revocation by clicking on the unsubscribe link provided in every newsletter email or by sending us a message (see above). The personal data processed in connection with the newsletter will be deleted immediately after you have unsubscribed from it and otherwise after three years at the latest.
Your e-mail address and your name are mandatory for registering for the newsletter. We need your name to be able to address you by name. Furthermore, you have the option of informing us of additional, voluntary questions, suggestions or requests when registering for the newsletter. If you make use of this possibility to contact us, we will use this information to meet your request (see above under II).
IV. Our social media presences
You can also contact us via our social media presences. In this context, we may process information on activities on our social media presences such as user posts, comments, reactions, etc., direct messages to us and messages sent directly to us via messenger services, mentions and tagging as well as any information you provide to us via our social media presences. We process your personal data to provide you with the requested services on the respective social media presence in accordance with Art. 6 (1) (1) (b) GDPR.
If you use the respective social media presence to interact with us, we use data that the respective social media provider provides us and that is necessary to enable you to access our social media presence (e.g. log data and technical cookies). For example, if you subscribe to messages from us via a messenger service, we store the data necessary for this, e.g. telephone number, user account name or other profile data that you have set to “public” according to your messenger settings.
To the extent necessary, we also use your personal data to verify and enforce our rights or the rights of third parties, in particular in the event of violations of statutory provisions or our User Privacy Notice and in the event of infringement of the rights of third parties. The legal basis is Article 6 (1) (1) f) GDPR.
We also analyze our own social media offerings in order to adapt and improve our content.
In order to compile statistics and analyses of our social media offerings (which, however, do not contain names or other personal data about individual users), we use certain analysis tools. These services allow us to analyze and improve our social media activities. We create analytics reports using the social media analytics tools or third-party tools that use such data provided by the relevant social media provider. The legal basis for these processing operations is Article 6 (1) (1) f) GDPR.
We are in each case jointly responsible with the social media provider for the processing of the personal data used to compile the aforementioned statistics and analyses (Article 26 GDPR). In short, the social media providers will collect and process the data to provide or enable us to provide the statistics and analysis, but without providing us with any information about the behavior of the respective individual users. We will use and perform the analysis to evaluate how our content is received and used.
For more information, please read the Shared Responsibility Agreement with LinkedIn.
V. Online application
Thank you for your interest in our company. We would like to inform you about the processing of the personal data you have submitted as part of the application process as well as any personal data we may have collected.
For you to be able to apply to us online, we use an online application tool provided by our service provider, with whom we have concluded a corresponding data processing agreement. Our service provider may only process your personal data for us according to our instructions and only for the purpose of your application.
We only process your personal data insofar as this is necessary for the purpose of the performance of the application process and for the decision on the establishment of an employment relationship with us. The legal basis for this is Article 88 GDPR in conjunction with section 26 BDSG as well as Article 6 (1) (1) b) GDPR for the performance of a contract with us or in order to take steps at the implementation of contractual relationships with us.
We store your personal data for as long as they are required for the decision on your application; they are deleted a maximum of six months after the end of the application process (e.g. the announcement of the rejection decision), unless longer storage is legally required or permitted or you have consented to the inclusion of our talent pool.
Only we, Heidelberg Instruments Mikrotechnik GmbH, have access to your personal data provided via the online application tool. We do not transfer your personal data to third parties or to other EU countries. Should your application be considered for a vacancy in one of our subsidiaries, only with your consent we will forward your application documents to them. You can revoke your consent at any time with effect for the future.
Please also refer to the information on the joint responsibility with our subsidiaries that exists in some cases below under VII.
Further information can be found in our information on data processing for the application process. Information on your rights as a data subject can be found below under IX.
VI. Data processing for compliance with legal obligations, for the performance of a task carried out in the public interest and for the protection of legitimate interests
We may also process the personal data presented in order to comply with legal obligations to which we are subject. In this case, the processing is based on Article 6 (1) (1) c) GDPR. We may, pursuant to Article 6 (1) (1) e) GDPR, we may also process the aforementioned personal data for the assertion of legal claims and defense in legal disputes.
Where necessary, we also process personal data beyond the purposes described above to protect our legitimate interests or the legitimate interests of third parties. This processing is then carried out based on Article 6 (1) (1) f) GDPR. Our legitimate interests include, in particular, the prevention and investigation of criminal offences and serious misuse of our services.
VII. Transfer of your personal data and joint responsibility with group companies
The personal data we collect is generally processed within our company. Depending on the type of personal data, only certain departments or organizational units have access to this personal data for which access is required in each case. These include, in particular, the specialist departments involved in the provision of our digital offerings or the respective business processes (e.g. our IT department) or, in the case of job applications, our HR department.
In addition, it is possible that our group subsidiaries also have access to personal data via the online application tool used (see V above), which is required for the decision on the establishment of an employment relationship with them. In this case, we and our affiliated companies are jointly responsible for your personal data. We have concluded a joint controller agreement for this purpose in accordance with Article 26 GDPR. Only the personal data required for the decision on the establishment of an employment relationship with one of our group subsidiaries will be jointly processed as described above. Our group subsidiaries do not have any access to applicant or employee data of Heidelberg Instruments Mikrotechnik GmbH.
The controllers have agreed among themselves which of them fulfils which obligations under the GDPR. This concerns in particular the exercise of the rights of the data subjects and the fulfilment of the information obligations under data protection law (Article 13 and 14 GDPR) and the data subject rights (Article 15-23 GDPR). According to this agreement, Heidelberg Instruments Mikrotechnik GmbH is also responsible for the information to be provided to data subjects and their rights. In fulfilling their obligations, the responsible parties shall work closely together and support each other in accordance with the agreement concluded. In particular, they shall provide each other with the necessary information to be able to properly fulfil information obligations and data subject rights. In the event of an application without a potential employment opportunity with one of our group subsidiaries, we, Heidelberg Instruments Mikrotechnik GmbH, are your contact for exercising your data subject rights. However, regarding your applicant data, you are also free to exercise your data protection rights against the other data controllers, i.e. our group subsidiaries, if employment with them is also a possibility.
In addition, to the extent permitted by law, we may also transfer personal data to third parties outside our company, in particular to those recipients who provide services for us on a separate contractual basis, which may include the processing of personal data, as well as non-public and public bodies, insofar as we are obliged to transfer your personal data due to legal obligations.
VIII. Data processing outside the EU or EEA
In principle, the processing of personal data by us takes place exclusively within the EU or the European Economic Area.
In individual cases, however, it may be necessary for us to transfer information to recipients in “third countries”. “Third countries” are countries outside the European Union or the Agreement on the European Economic Area in which a level of data protection that is comparable to that in the European Union cannot be assumed without further ado. If the information transferred also includes personal data, we ensure before such a transfer that the required adequate level of data protection is guaranteed in the respective third country or at the recipient in the third country. This may result in particular from an “adequacy decision” of the European Commission, which establishes an adequate level of data protection for a specific third country as a whole. Alternatively, we can also base the data transfer on the EU standard contractual clauses agreed with a recipient or on a declaration of consent provided by you accordingly.
We will be happy to provide you with further information on the appropriate and adequate safeguards for compliance with an adequate level of data protection upon request. Further information on the EU standard contractual clauses (in English) can be found at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en and information on the adequacy decisions (in English) at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en.
IX. Your rights as a data subject
As a data subject, you have various rights regarding us, which we would like to inform you about in more detail below.
To exercise these rights, you are welcome to contact us (email@example.com).
1. Right of access, Article 15 GDPR
You have the right to obtain information from us about whether and what personal data concerning you we process. This includes, among other things, information on how long and for what purpose we process the personal data, wher the personal data originates from and to which recipients or categories of recipients, we transfer it. In addition, we can provide you with a copy of the personal data undergoing processing.
2. Right to rectification, Article 16 GDPR
As a data subject, you have the right to request that we correct information about you that is not or no longer accurate without undue delay. In addition, you can request that we complete your incomplete personal data. If required by law, we will also inform third parties about this rectification if we have passed on your data to them.
3. Right to erasure (“right to be forgotten”), Article 17 GDPR
You have the right to request that we erase your personal data without undue delay if one of the following reasons applies:
• Your data is no longer necessary for the purposes for which it was collected or otherwise processed, or the purpose has been achieved;
• You withdraw consent and there is no other legal basis for the processing;
• You object to the processing and there are no overriding legitimate grounds for the processing;
• Your personal data has been processed unlawfully;
• the deletion of your personal data is necessary for compliance with a legal obligation under Union or Member State law to which we are subject.
Please note that your right to erasure may be restricted by legal provisions. These include the restrictions listed in Article 17 GDPR and section 35 BDSG.
4. Right to restriction of processing, Article 18 GDPR
You also have the right to request to restrict the processing of your personal data if one of the following applies:
• You contest the accuracy of your personal data for a period that allows us to verify the accuracy of the personal data;
• the processing is unlawful and you oppose to the erasure of the personal data and request instead the restriction of the use of your personal data;
• we no longer need your personal data for the purposes of processing, but you need it for the establishment, exercise or defense of legal claims, or
• You have objected to the processing as long as it has not yet been determined whether our legitimate grounds outweigh yours.
If you have obtained a restriction on processing under the above list, we will inform you before the restriction is lifted.
5. Right to withdraw your consent, Article 7 (3) GDPR
You may withdraw any consent at any time with effect for the future. This withdrawal can take the form of an informal communication to the above contact addresses or via the technical means provided by us for this purpose. If you withdraw your consent, the legality of the data processing carried out up to that point will not be affected.
6. Right to data portability, Article 20 GDPR
As a data subject, you have the right to receive personal data concerning you which you have provided to us in a structured, commonly used and machine-readable format and to transmit this data to others. The exercise of this right does not affect your right to erasure.
7. Right to complain to the supervisory authority, Article 77 GDPR
If you believe that the processing of your data by us violates applicable data protection law, you have the right to lodge a complaint with one of the competent supervisory authorities.
8. Right to object, Art. 21 GDPR
As the data subject, you have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out on the basis of Article 6 (1) (1) e) or f) GDPR; this also applies to profiling based on these provisions. In the event of such an objection, we will no longer process the personal data concerning you, unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms as a data subject, or the processing serves to establish, exercise or defend legal claims.
If we process personal data for the purpose of direct marketing, you as the data subject have the right to object at any time to the processing of personal data concerning you for the purpose of such marketing; this also applies to profiling insofar as it is related to such direct marketing.
If you, as the data subject, object to processing for direct marketing purposes, we will no longer process the personal data concerned for these purposes.
Change to our data protection information
In order to ensure that our data protection information always complies with the current legal requirements, we reserve the right to make changes at any time. This also applies if the Privacy Notice must be adapted due to new or revised services. We will be happy to provide you with the previous Privacy Notice on request.