Privacy policy

We welcome you to our website and thank you for your interest in our company and our products. The protection of your data is very important to us. Therefore, we would like to inform you in the following which data of your visit we use for which purposes. ProMinent only processes personal data in accordance with the legal regulations, in particular the EU General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG).

This data protection declaration informs you in particular about the processing of personal data

  • The use of our website and the offers contained therein;
  • Data processing via social media (LinkedIn and XING);
  • Job applications;
  • Applicant database;
  • Contract conclusions;
  • Remote Support Services;
  • Supplier management system;
  • Ordinary contact in the course of business operations;
  • Visitor process in our premises;
  • Whistleblowing reports.

In addition, this data protection declaration contains information about data recipients / data transmission in third countries, rights of data subjects, your right to object and automated decision-making.

I. Name and address of the responsible person

The responsible person within the meaning of the General Data Protection Regulation and other national data protection laws of the member states as well as other data protection regulations is:

ProMinent GmbH
Im Schuhmachergewann 5-11
69123 Heidelberg
Tel.: +49 6221 842 0

II. Name and address of the data protection officer

If you have any questions about these data protection regulations, the balancing of legitimate interests, or about data protection at ProMinent in general, you can also contact our data protection officer directly. The data protection officer of the data controller is:

Jens Christian Böttcher
Im Schuhmachergewann 5-11
69123 Heidelberg
Tel.: +49 6221 842 655

III. General information on data processing

1. Scope of the processing of personal data

As a matter of principle, we process personal data of our users only insofar as this is necessary for the provision of a functional website as well as our contents and services. Otherwise, the collection and use of personal data of our users only takes place with the consent of the user.

2. Data deletion and storage period

The personal data of the person concerned will be deleted or blocked as soon as the data is no longer required for the purpose of storage and there is no further obligation to store the data. Storage may also take place if this has been provided for by the European or national legislator in Union regulations, laws or other provisions to which the person responsible is subject. If you use the website for information purposes, you can find the storage periods in the following information. In the case of active use of our website, we initially store your personal data for the duration of the response to your enquiry or for the duration of our business relationship. This also includes the initiation of a contract or pre-contractual legal relationship and the processing of the same. We store your personal data for the purpose of preserving evidence until any legal claims arising from the relationship with you become time-barred. We delete your personal data when the statute of limitations expires, unless there is a legal obligation to retain the data, for example from the German Commercial Code (§§ 238, 257 para. 4 HGB) or from the German Fiscal Code (§ 147 para. 3, 4 AO). These retention obligations can be two to ten years.

IV. Provision of the website and creation of log files

Each time our website is accessed, our web server automatically records the following data:

  • IP address of the user
  • Host name (which ProMinent page was visited, e.g. or similar)
  • Date and time of access (Time)
  • Type and location of the request
  • Information about the browser type and the used version

The data is also stored in the log files of our system. This data is not stored together with other personal data of the user.

The legal basis for the temporary storage of the data and the log files is Art. 6 para. 1 lit. f GDPR. We have a legitimate interest in the data processing, as the temporary storage of the IP address by the system is necessary to enable delivery of the website to the user's computer. For this purpose, the user's IP address must remain stored for the duration of the session. The storage in log files is done to ensure the functionality of the website. In addition, we use the data to optimise the website and to ensure the security of our information technology systems. An evaluation of the data for marketing purposes does not take place in this context.

The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. In the case of the collection of data for the provision of the website, this is the case when the respective session has ended. In the case of storage of data in log files, this is the case after 30 days at the latest. In addition, the log files are stored in backup files for up to 12 months. These backups are only accessed in exceptional cases.

V. Use of cookies and associated functions/technologies

In addition to the data mentioned above, cookies are stored on your computer when you use our website. Cookies are text files that are stored in the Internet browser or by the Internet browser on the user's computer system. These cookies contain a characteristic string of characters that enables the browser to be uniquely identified when the website is called up again. In addition, we also refer to "cookies" as web beacons as well as other comparable storage technologies for tracking user activities. Web beacons are mostly transparent graphic/image elements, usually no larger than 1 x 1 pixels, that are embedded in the website and can be used to detect cookies on your devices.

Cookies are used by us on the one hand to store session-relevant information within the website. These cookies expire at the end of the browser session (so-called transient cookies) and are not stored permanently. Other cookies remain on your computer beyond the respective browser session and enable us to recognise your computer on your next visit (so-called persistent/permanent cookies). Persistent cookies are automatically deleted after a specified period of time, which may differ depending on the type of cookie.

Cookies can be divided into the following categories/cookie types in particular:

  • Essential cookies
    Essential cookies are required for the necessary execution of specific website functionalities.
  • Performance Cookies
    Performance cookies collect information about the use of a website. These cookies do not store any information that allows the user to be identified, but are only used to measure the performance of our website and improve the user experience.
  • Functional Cookies
    Functional cookies are used to enable requested services and functionalities (e.g. playing videos) on the website and/or to increase "usability".
  • Targeting Cookies
    Targeting cookies may be used by third parties (e.g. advertising partners) to profile user interests and display relevant ads and promotions on other websites based on this.
  • Social Media Cookies
    Social media cookies from social media services allow content to be shared with friends and networks. These services can track browsers across websites and profile interests.

By changing the settings in your internet browser, you can deactivate or restrict the transmission of cookies. Cookies that have already been saved can be deleted at any time. This can also be done automatically. You can regularly obtain the procedure for deactivating cookies via the "Help" function of your internet browser. Please note, however, that these settings may potentially affect the full availability and function of our website.

To ensure that our use of cookies complies with legal requirements, we use a cookie tool provided by OneTrust Technology Limited, 82 St John St, London, UK ("OneTrust"). You can review and manage your cookie consents and make cookie-specific settings and deactivations at the link below:

Cookie-Einstellungen verwalten

Some of the cookies we use on our website are from third parties that help us analyse the impact of our website content and visitors' interests, measure the power and performance of our website or communicate with you. As part of our website, we use both first party cookies (only visible from the domain you are visiting) and third party cookies (visible across domains and set regularly by third parties).

Further details on the respective cookie providers, can be found in the Privacy Preference Centre, there under the respective cookie categories.

Cookie-based data processing is carried out for absolutely necessary cookies on the basis of Art. 6 Para. 1 lit f GDPR (legal basis) due to our legitimate interest in providing the information offer on our website. In the case of the other cookie types, data processing is carried out on the basis of your consent pursuant to Art. 6 para. 1 lit a GDPR (legal basis). You can revoke your consent at any time with effect for the future without affecting the lawfulness of the processing carried out on the basis of the consent until revocation. In particular, you can use the following link to reset your cookie settings and thus revoke any consent you may have given:

Cookie-Einstellungen zurücksetzen / Einwilligungen widerrufen

VI. Matomo Analytics (On-Premise)

We use the open-source software tool Matomo Analytics on our website to analyse the surfing habits of our users. We also use Matomo Tag Manager. Matomo Tag Manager is a Matomo Analytics Software add-on. Tag Manager is used to integrate Matomo Analytics, for tracking events and to control the integration of third-party provider code. The following data is processed when a user visits our website:

  • 2 bytes of the IP address of the system the user uses to visit our website
  • the website visited (URL)
  • the website from which the user accessed the visited website (referrer)
  • the sub-pages visited from the visited website
  • the time spent on the website
  • how often the website has been visited

We use the on-premise version of Matomo Analytics and host the software on our own servers in Germany. The aforementioned data is exclusively stored there. We use Matomo Analytics without cookies. We do not pass the data on to third parties. The Matomo software has been configured such that IP addresses are not saved in full. Instead, the last 2 bytes of the IP address are masked (e.g. This means it is no longer possible to link the truncated IP address to the computer used to visit the website.

The legal basis for the processing is our legitimate interest in analysing the surfing habits on our website pursuant to Art. 6 (1f) of the GDPR. Processing this data allows us to analyse the surfing habits of website visitors. This information helps us to improve our website and make it more user-friendly. By anonymising the IP address, due consideration has been given to the user's interest in protecting their personal data.

For more information about Matomo's privacy settings, please visit .

Google Marketing Services

We use the marketing and remarketing services (Google Marketing Services for short) of Google LLC, (1600 Amphitheatre Parkway Mountain View, CA 94043, USA). We or Google will only process your personal data in this context if you have given your consent to do so.

Google's marketing services allow us to target advertisements for and on our website in order to present users only with ads that potentially match their interests. For example, if a user is shown ads for products in which he or she has shown interest on other websites, this is known as "remarketing". For these purposes, when our website and other websites on which Google marketing services are active are accessed, a code is executed directly by Google and so-called (re)marketing tags (invisible graphics or codes, also known as "web beacons") are integrated into the website, provided you have given your consent to this. With their help, an individual cookie is stored on the user's device (comparable technologies can also be used instead of cookies). The cookies can be set by various domains, including, , , etc. More information: . This file records which websites the user has visited, which content he or she is interested in and which offers he or she has clicked on, as well as technical information on the browser and operating system, referring websites, time of visit and other information on the use of the online offer. The IP address will not be merged with the user's data within other Google offers. Google may also combine the above information with information from other sources. If the user subsequently visits other websites, he or she may be shown ads tailored to his or her interests.

The user's data is processed pseudonymously as part of Google's marketing services. This means that Google does not store and process the name or email address of the user, for example, but processes the relevant data in a cookie-related manner within pseudonymous user profiles. This means that from Google's perspective, the ads are not managed and displayed for a specifically identified person, but for the cookie holder, regardless of who this cookie holder is. This does not apply if a user has expressly allowed Google to process the data without this pseudonymisation. The information collected by Google marketing services about users is transmitted to Google and stored on Google's servers in the USA.

For more information on Google's use of data for marketing purposes, please visit the overview page: , Google's privacy policy is available at .

If you do not wish to receive interest-based advertising through Google marketing services, you can use the settings options set by Google: .

VII. YouTube

We use plugins from the YouTube video platform to embed videos and play them directly on this website. The operator of the video platform is YouTube, LLC, 901 Cherry Ave, San Bruno, CA 94066, USA ("YouTube"). YouTube is a company affiliated with Google LLC (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; "Google").

The YouTube videos are integrated in the so-called "extended data protection mode", which, according to the provider, only triggers the storage of user information when a video is played. However, the transfer of data to YouTube partners is not necessarily excluded by the extended data protection mode. When you activate embedded videos on our website, a connection to YouTube's servers is established and a data transmission is started. We have no influence on the scope and content of the data that is transmitted to YouTube and possibly other YouTube partners by activating the plugin. Among other things, the YouTube server is informed which of our pages you have visited. According to YouTube, this information is used, among other things, to collect video statistics, to improve user-friendliness and to prevent abusive behaviour. YouTube uses cookies to collect information about user behaviour, provided you have consented to the use of these cookies. The cookies remain on your terminal device until you delete them. If you are logged into your YouTube account, you enable YouTube to assign your surfing behaviour directly to your personal profile. You can prevent this by logging out of your YouTube account before activating the play button.

The information generated by the YouTube cookies about your use of our website is usually transmitted to a YouTube server in the USA and stored there. Information on data protection at YouTube can be found at the following link .

VIII. Newsletter

On our website, you have the option of subscribing to a free newsletter. When you register for the newsletter, the data you enter in the input mask is transmitted to us and processed (e.g. first and last name, e-mail address, address). If a field is not marked as "mandatory", the information is optional. In addition, the date and time of registration are collected during registration.

Your consent is obtained for the processing of the data during the registration process and reference is made to this data protection declaration. We use the so-called double-opt-in procedure to register for the newsletter, i.e. your registration is only completed when you have reconfirmed your registration by clicking on a link in a confirmation e-mail sent for this purpose. The confirmation is deemed to be your consent. If your confirmation is not received within 100 days, your registration will be automatically deleted from our database. This ensures that no one else can register you for our newsletter.

The data is used for sending the newsletter. The collection of the user's e-mail address is used to deliver the newsletter. The collection of other personal data during the registration process serves to prevent misuse of the services or the e-mai address used.

The legal basis for the processing of the data after the user has registered for the newsletter is the user's consent in accordance with Art. 6 Para. 1 lit. a) GDPR.

The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. The user's email address is therefore stored as long as the subscription to the newsletter is active.

The subscription to the newsletter can be cancelled by the user concerned at any time. For this purpose, there is a corresponding link in each newsletter. This also revokes the consent to the storage of the personal data collected during the registration process.

1. Tracking newsletter reactions in the Inxmail newsletter system

Tracking in Inxmail Professional is understood to mean the tracking or saving of recipient behaviour. Inxmail Professional is operated by Inxmail GmbH, Wentzingerstr. 17, 79106 Freiburg ("Inxmail"). Recipient behaviour refers to the following three actions of your recipients:

  • Opening a newsletter
  • Clicking on text and image links
  • Downloading images in an e-mail programme

2. Person-related Tracking (Unique-Count-tracking)

When a recipient opens a newsletter, clicks on a link or downloads images in their email program, this can be registered and saved by Inxmail Professional. These actions of the recipients are referred to as recipient reactions in Inxmail Professional. Inxmail Professional can be used to create an interest profile of the recipient based on the recipient reactions. For example, it can be determined which recipients have clicked on certain links. On the basis of these clicks, target groups can be formed and the recipients can be sent further information tailored to their areas of interest.

When registering for the newsletter, you can consent to your user behaviour being tracked on a personal basis in accordance with Art. 6 para. 1 lit. a GDPR as follows.

„Yes, I hereby confirm that ProMinent GmbH may record and evaluate my personal user behaviour in the newsletter in order to better tailor content to my personal interests. I can revoke my consent at any time via the link in the newsletter.“

In order to optimise content of the themed newsletters, we compare opening rates and recipient reactions of different mailings in general. The stored personal data is immediately deleted from the system when a recipient unsubscribes from the newsletter.

3. E-mail advertising without registering for the newsletter and your right to object

If we receive your e-mail address in connection with the sale of goods or services and you have not objected to this, we reserve the right to regularly send you offers for similar products to those already purchased on the basis of Section 7 (3) UWG , from our range by e-mail. This serves to safeguard our overriding legitimate interests in advertising to our customers (Art. 6 Para. 1 lit. f GDPR). You can object to this use of your e-mail address at any time by sending a message to the contact option described under Section I. or via a link provided for this purpose in the advertising e-mail, without incurring any costs other than the transmission costs according to the basic tariffs.

IX. Contact form and e-mail contact

There are various contact forms on our website which can be used for electronic contact. If a user makes use of this option, the data entered in the input mask will be transmitted to us and processed (e.g. first and last name, e-mail address, address, details of the system relating to the service request (including service type, system type, location of the system, industry, country, language and message), details of the seminar request and required hotel reservation and, in the case of returned goods, details of the product and the use of the product). For product enquiries, spare parts enquiries, service enquiries and returned goods, file attachments provided by the user.

If a field is not marked as "mandatory", the information is optional.

At the time of sending the message, the date, time and IP address of the sending are also stored. Alternatively, it is possible to contact us by e-mail. In this case, the user's personal data transmitted with the e-mail will be stored. In this context, the data will not be passed on to third parties. The data is used exclusively for processing the conversation.

The processing of the personal data from the input mask serves us solely to process the contact request. In the case of contact by e-mail, this also constitutes the necessary legitimate interest in processing the data in accordance with the legal basis of Art. 6 (1) lit. f GDPR. If the e-mail contact is aimed at concluding a contract, Art. 6 para. 1 lit. b GDPR serves as the legal basis for further processing.

In this context, no data is passed on to third parties, but we may forward your enquiry to a responsible ProMinent company or the responsible ProMinent sales partner for processing.

The other personal data processed during the sending process is used to prevent misuse of the contact form and to ensure the security of our information technology systems.

The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected and any applicable legal retention periods have expired.

If the user contacts us by e-mail, he or she can object to the storage of his or her personal data at any time. In such a case, however, the conversation cannot be continued.

X. GetSiteControl

We embed the widget tool "GetSiteControl" of GetWebCraft Limited, Klimentos 41-43, Klimentos Tower, Flat/Office 25, 1061, Nicosia, Cyprus ("GetWebCraft") on our websites. This is a widget that allows us to display information as a "layover". The layover windows can be displayed according to certain rules (e.g. duration of the page visit), so that the setting of a cookie is necessary for this. We or GetWebCraft will only process your personal data in this context if you have given your consent. When you access the layover, data is transferred to the servers of GetWebCraft Limited in the same way as if you were visiting their own website. For more information on GetWebCraft's privacy policy, please refer to the company's privacy policy:

With the widget tool "GetSiteControl", content from our website can be shared on social networks of Facebook Ireland Ltd. or Facebook Inc, Google LLC, Twitter Inc and LinkedIn Ireland Unlimited Company. Through the integration into our internet pages, a connection to the servers of the respective social network is established via cookies stored on your computer, provided that you have given your consent to this. By clicking on the respective button, your IP address is transmitted to the respective social network.

If you are logged into your profile of one of the aforementioned social networks during your visit to our website, the operator of this network may collect and store further data about your visit to our website. If you do not wish such an allocation, we recommend that you log out of social networks before visiting our internet pages.

Please contact the respective operator of the social networks for information on the processing and use of your data. You can obtain information from the operators on the respective data protection provisions and, where applicable, possible settings to protect your privacy here:

XI. App Store Links

Our website contains links to app stores (e.g. Google Play Store for Android or Apple App Store for iOS). These services are operated exclusively by third parties. If you follow these links, information may be passed on to these providers. This only happens when you click on one of the App Store buttons. For the purpose and scope of data processing as well as your rights and setting options, please refer to the privacy policy of the respective provider:

XII. Data processing via social media (LinkedIn and XING)

ProMinent has a company profile on the LinkledIn and Xing social media platforms. We would like to provide you with further information about our company and use the opportunity to exchange information with you via social media. These services are operated exclusively by third parties. If you visit or interact with a profile on a social media platform, personal data about you may be processed. The purpose and scope of the data collection and the further processing and use of the data by the provider as well as your rights in this regard and setting options for protecting your privacy can be found in the data protection information of the respective provider.

1. LinkedIn

In principle, LinkedIn Ireland Unlimited Company (“LinkedIn”) is solely responsible for the processing of personal data when you visit our LinkedIn page. You can find more information about the processing of personal data by LinkedIn at .

2. LinkedIn Insights Feature

We also use LinkedIn's Insights function. In doing so, we receive aggregated data from the LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland ("LinkedIn") in particular in the following areas: Reach (impressions, page views, unique users, access to subpages), target group (demographic information), interaction (impressions, reactions, click-through rate, likes, shares, comments, (link) clicks, engagement rate), target group (demographic/geographical information). With regard to data processing as part of the Insights function, we are jointly responsible with LinkedIn for data processing and have concluded an agreement between joint controllers in accordance with Art. 26 GDPR ("Page Insights Supplement" - https://legal.linkedin .com/pages-joint-controller-addendum ), which sets out our respective obligations under the GDPR. In it we agreed with LinkedIn that

  • we are joint data controllers with LinkedIn for the processing of Page Insights data;
  • LinkedIn takes primary responsibility and is primarily responsible for providing you with information about the joint processing and enabling you to exercise your rights under the GDPR;
  • the Data Protection Commission of Ireland ( ) is the authority with lead oversight over processing under shared responsibility.

You can reach LinkedIn's data protection officer via an online contact form provided by LinkedIn: .


In principle, New Work SE (Germany/EU) is solely responsible for the processing of personal data when you visit our XING profile. Further information about the processing of personal data by New Work SE can be found at .

XIII. Job applications

Within the application process, regardless of whether the application is made via an online module, by e-mail or by post, we process your personal data that you transmit to us (e.g. first and last name, e-mail address, address, application documents).

The legal basis for the processing of your personal data is § 26 para. 1, para. 8 p. 2 BDSG or § 26 para. 2, para. 8 p. 2 BDSG. The processing is carried out for the purpose of contacting you and assessing your suitability for the position for which you are applying.

It is not possible to apply to us without providing personal data. You are neither obliged to apply with us nor to provide your personal data. If you do not provide us with personal data, you may not be able to use the online application tool or we may not be able to consider your application. Otherwise, there will be no consequences for you.

XIV. Applicant database

ProMinent operates an applicant database. ProMinent offers applicants who cannot currently be offered a position but who are of interest for future employment to include their data (e.g. first and last name, e-mail address, address, application documents) in the applicant database with their consent. The legal basis for the processing and inclusion of your data in the applicant database for this purpose is consent in accordance with Article 6 (1) (a) GDPR, Section 26 (2) BDSG. You can revoke your consent to the inclusion of your data in the applicant database at any time with effect for the future.

XV. Conclusion and execution of contracts

In order to conclude or implement contracts with you (e.g. purchase contracts for our products, maintenance or other service or work contracts), we process personal data relating to you (e.g. contact data such as your name, address, e-mail or telephone number, order and contract data). The legal basis for the processing of your personal data is Article 6 (1) (b) GDPR. The purpose of the processing is to establish and implement the contractual relationship with you. This requires the provision of your personal data. You are not obliged to provide your personal data, but if you do not provide them, it is not possible to establish and implement the contractual relationship. Otherwise there will be no consequences for you.

In addition, we also process data from persons with whom there is no (direct) contractual relationship, insofar as this is necessary for the initiation or execution of contracts. This is how we can process your data if you are a representative, contact person or employee of a company that is our customer or other business partner. In this case, the legal basis is our legitimate interest in initiating or implementing the respective contractual relationship (Article 6 (1) (f) GDPR).

XVI. Remote Support Services

When you use our remote support services, we process your personal data (name, position/job title, qualification, company (contracting party) name, telephone number and e-mail address) to provide the relevant contractual services for your employer or client. We may also use your work telephone number to coordinate and make any necessary arrangements beforehand. The legal basis for the processing is Art. 6 (1f) of the General Data Protection Regulation (GDPR). Our legitimate interest is the fulfilment of contractual obligations to provide digital maintenance services to your employer or client. If you use our remote support services yourself as a client, the legal basis for the processing will be Art. 6 (1b) of the GDPR.

Where necessary, we use the "Help Lightning" software from the provider of the same name in the USA to provide remote support services. Your personal data (name, e-mail address, video and audio recordings) may be transferred to the USA while using this tool. However, Help Lightning is contractually bound to ProMinent to ensure data protection-compliant processing via EU standard contractual clauses.

XVII. Supplier Management (SAP Ariba)

To optimize our supplier network and the supplier approval process, we use the SAP Ariba supplier network (Supplier Lifecycle and Performance) SAP Deutschland SE & Co. KG, Hasso-Plattner-Ring 7, 69190 Walldorf, Baden, and use SAP Ariba as the processor. SAP Ariba is a web-based cloud platform. We use SAP Ariba to design our purchasing processes efficiently and digitally. The legal basis for its use is therefore Art. 6 Para. 1 Letter f GDPR. All you need to log in to SAP Ariba is a working internet connection. You will receive an e-mail from us with the invitation to use and a registration e-mail from SAP Ariba. If you are already using SAP Ariba, you can link directly to ProMinent within your account, otherwise you will need to create a SAP Ariba account. The following personal data is processed when using the SAP Ariba supplier network: Name, contact details, authorization data (data required for access to SAP Ariba), contract, payment and billing data and all other information that you have in SAP -Enter Ariba and contain personal information.

XVIII. Ordinary contact in the course of business operations (e.g. trade fairs)

This paragraph describes those circumstances that result in the processing of personal data that are customary in normal business operations and in which a notice in accordance with Art. 13 and Art. 14 GDPR cannot usually be given.

These are primarily cases such as the exchange of contact details at trade fairs, events, business lunches or other official activities, e.g. by exchanging business cards or the initial contact by ProMinent or by you with business content. ProMinent collects the following categories of personal data when you or we contact you: contact data such as your name, address, email or telephone number, data about your company such as address, email, business area, job description, title, data about your input/enquiry , such as content, time of request and means of communication. This data is processed for storage in our contact databases as part of business activities, such as e-mail programs, telephone books, files or our CRM system for the purpose of re-establishing contact and/or processing your request and further processing.

Your data is processed on the basis of Art. 6 (1) (f) GDPR and is in our legitimate interest in contacting you to initiate a business relationship, re-establishing contact and/or processing your request and further processing.

XIX. Visitor process in our premises

As a visitor to our company, you must register upon arrival at the reception desk on our factory premises. Your name, company and contact person at ProMinent will be noted there and you will be given a visitor pass, which you must wear during your visit to our premises. The processing of your data as part of this visitor process takes place in our legitimate interest in securing our buildings and production facilities against unauthorized access, so that third parties cannot enter business premises unnoticed or unaccompanied and gain access to personal data or confidential information (Art. 6 Para. 1 lit . f GDPR).

XX. Whistleblowing Reports

As part of the processing of a whistleblowing report, personal data about the person named in a report, the person submitting the report (if it is not submitted anonymously), and about third parties involved may be collected in order to investigate the reported (potential) misconduct investigate. This processing is carried out for the purpose of implementing the legal obligation to operate a whistleblower system and also the legitimate interest of the person responsible for processing to avoid reputational risks and promote integrity (Art. 6 Para. 1 lit. c and f GDPR). If you have any questions about the balancing of interests, you can contact the contact specified in Section II at any time.

The descriptions and facts provided as part of this processing are reserved exclusively for the competent and authorized persons who treat this information confidentially. The recipient of personal data is WhistleB Whistleblowing Center AB, World Trade Centre, Klarabergsviadukten 70, SE-107 24 Stockholm, Sweden (WhistleB) as processor for hosting and providing the whistleblowing application, including the processing of encrypted data, such as e.g. B. Whistleblowing Reports. WhistleB cannot decrypt or read messages. The data is stored within the EU.

XXI. Data recipients/data transfer to third countries

Firstly, only employees who provide technical, commercial or editorial support gain knowledge of your personal data.

Moreover, within the framework of the aforementioned data processing, we use external service providers and, where necessary, commission them to provide comparable services. Where service providers do receive your personal data in their capacity as contract processors, they are strictly bound by our instructions when dealing with your personal data. Specifically, we have shared personal data with the following categories of service providers:

  • IT service providers, e.g. within the framework of the administration and hosting of our website or for website analysis/measurement, supplier management and whistle-blowing reports
  • IT service and infrastructure
  • IT support and maintenance, including remote support
  • Companies affiliated with us pursuant to Art. 15 et seq. of the German Stock Corporation Act (AktG) and with whom we collaborate to provide services, and sales partners
  • Where you have granted consent, we will pass your respective personal data to the recipients specified in the consent.
  • Service providers for application and human resources management

We may transfer your personal data to recipients in countries outside the European Union (the "EU") and the European Economic Area, in particular to the United States of America (the "USA"). If, as is the case in the USA, the level of data protection in that country is not equivalent to the level of data protection within the EU, we will provide appropriate safeguards as defined by Art. 46 of the GDPR. These may include agreeing on the EU Commission's standard contractual clauses and, where applicable, additional measures necessary to ensure an adequate level of data protection. In specific cases, we will make the transfer to third countries dependent on you consenting to this data transfer pursuant to Art. 49 (1) (1a) of the GDPR.

XXII. Data subject rights

You have the following rights in relation to personal data relating to you:

  • pursuant to Art. 7 Para. 3 GDPR, to revoke the consent you have given to us at any time. As a result, we are no longer allowed to continue the data processing based on this consent for the future. However, even after a revocation and the deletion of the personal data (e.g. from the newsletter database), we must be able to prove the consent. The legal basis for the (also continued) storage of the consent is Article 6 Paragraph 1 lit. c i. In conjunction with Article 5 Paragraph 1 Letter a, Paragraph 2, Article 7 Paragraph 1 GDPR and Article 6 Paragraph 1 Letter f GDPR. It must be possible to provide evidence of consent both to the supervisory authority and to the person concerned within the standard periods of limitation for fines and civil law for claims (3 years, Section 31 (2) No. 1 OWiG and Section 195 BGB);
  • in accordance with Art. 15 GDPR, the right to information;
  • according to Art. 16 and 17 GDPR right to correction or deletion;
  • according to Art. 18 GDPR, the right to restriction of processing;
  • according to Art. 20 GDPR, the right to data portability;
  • pursuant to Art. 77 GDPR, the right to lodge a complaint with a data protection supervisory authority about the processing of your personal data by us. The supervisory authority responsible for us is the State Commissioner for Data Protection and Freedom of Information Baden-Württemberg, Königstraße 10a, 70173 Stuttgart.

XXIII. Opposition

Insofar as your personal data is processed on the basis of legitimate interests pursuant to Art. 6 (1) sentence 1 lit. f GDPR, you have the right to object to the processing of your personal data pursuant to Art. 21 GDPR. If you wish to exercise your right to object, please contact our data protection officer using the contact details provided in section II. or send an email to

XXIV. No automated decision-making (including profiling)

We do not use your personal data for automated decision-making (including profiling) within the meaning of Art. 22 (1) and (4) GDPR.

XXV. Amendment of the privacy policy

We will update this Privacy Policy from time to time. Unless otherwise specified, such changes will be effective immediately. You should review this privacy statement from time to time to stay informed about how we are protecting your information and continually improving the content of our website. You can always find the latest version on our website.

Status: August 2023