Data protection information
The controller for data processing via this website is
BHI Biohealth International GmbH
Heinrich-Wirth-Straße 13
95213 Münchberg/Germany
Phone: +49 (0) 9251 87087 20, e-mail: info@biohealth-int.com
Authorized representatives: represented by the managing director Dr. Peter Pfeilschifter
E-mail address: info@biohealth-int.com
Imprint: www.biohealth-int.com
Contact data protection officer
SBS Data Protect GmbH
Represented by the Managing Director Mr. Thilo Noack
Hans-Henny-Jahnn Weg 49
22085 Hamburg
E-mail: noack@sbs-data.de
Security and protection of your personal data
We consider it our primary task to maintain the confidentiality of the personal data you provide and to protect it from unauthorized access.
As a company under private law, we are subject to the provisions of the European General Data Protection Regulation (GDPR) and the provisions of the German Federal Data Protection Act (BDSG). We have taken technical and organizational measures to ensure that the data protection regulations are observed both by us and by our external service providers.
Relevant legal bases
The processing of personal data is only lawful if there is a legal basis for the processing. The legal basis for processing may be in particular in accordance with Article 6 (1) (a) - (f) GDPR:
- The data subject has given consent to the processing of personal data concerning him or her for one or more specific purposes;
- processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
- processing is necessary for compliance with a legal obligation to which the controller is subject
- processing is necessary in order to protect the vital interests of the data subject or of another natural person
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Security measures
We take appropriate technical and organizational measures in accordance with the legal requirements, taking into account the state of the art, the implementation costs and the nature, scope, circumstances and purposes of the processing as well as the different probabilities of occurrence and the extent of the threat to the rights and freedoms of natural persons in order to ensure a level of protection appropriate to the risk.
The measures include, in particular, safeguarding the confidentiality, integrity and availability of data by controlling physical and electronic access to the data as well as access, input, disclosure, safeguarding availability and separation of the data. Furthermore, we have established procedures that ensure the exercise of data subject rights, the deletion of data and responses to data threats. Furthermore, we take the protection of personal data into account as early as the development or selection of hardware, software and procedures in accordance with the principle of data protection through technology design and through data protection-friendly default settings.
Data processing in third countries
If we process data in a third country (i.e. outside the European Union (EU), the European Economic Area (EEA)) or if the processing is carried out in the context of the use of third-party services or subject to express consent or contractually or legally required transfer, we only process or have the data processed in third countries with appropriate guarantees in accordance with the current EU directives, contractual obligations through so-called standard protection clauses of the EU Commission, in the presence of certifications or binding internal data protection regulations (Art. 44 to 49 GDPR).
Information on the collection of personal data
In the following, we provide information about the collection of personal data when using our website. Personal data are e.g. name, address, e-mail addresses, user behavior.
Collection of personal data when visiting our website
When using the website for information purposes only, i.e. if you do not register or otherwise provide us with information, we only collect the personal data that your browser transmits to our server. If you wish to view our website, we collect the following data, which is technically necessary for us to display our website to you and to ensure stability and security:
- IP address
- Date and time of the request
- Time zone difference to Greenwich Mean Time (GMT)
- Content of the request (specific page)
- Access status/HTTP status code
- amount of data transferred in each case
- Website from which the request originates
- browser
- Operating system and its interface
- Language and version of the browser software
After a technical evaluation, this data is deleted immediately. This data collection serves to safeguard our legitimate interests in the correct presentation of our website offer, which predominate in the context of a balancing of interests, as well as compliance with the EU General Data Protection Regulation in terms of security and confidentiality in accordance with Art. 6 para. 1 lit. f) GDPR.
Cookie consent tool
We use the cookie consent tool from Usercentrics GmbH, Sendlinger Straße 7, 80331 Munich, Germany, to obtain effective user consent for cookies and cookie-based applications that require consent.
By integrating this consent tool, a banner is displayed to users when they access the page, in which consent for certain cookies and/or cookie-based applications can be given by ticking the box. The tool blocks the setting of all cookies requiring consent until the respective user gives their consent by ticking the appropriate box. This ensures that such cookies are only set on your end device if you have given your consent. So that the cookie consent tool can clearly assign page views to individual users and individually record, log and store the consent settings you have made for a session duration, certain user information (including the IP address) is collected when our website is accessed by the cookie consent tool, transmitted to the server of the cookie consent tool provider and stored there. This data processing is carried out in accordance with Art. 6 para. 1 lit. f) GDPR on the basis of our legitimate interest in legally compliant, user-specific and user-friendly consent management for cookies and thus in a legally compliant design of our website. Another legal basis for the data processing described is Art. 6 para. 1 lit. c) GDPR. As the controller, we are subject to the legal obligation to make the use of technically unnecessary cookies dependent on the respective user consent.
By using our website, information (e.g. IP address) may be accessed or information (e.g. cookies) may be stored in your end devices. This access or storage may involve further processing of personal data within the meaning of the GDPR.
In cases where such access to information or such storage of information is absolutely necessary for the technically error-free provision of our services, this is done on the basis of Section 25 TDDDG (Telecommunications Digital Services Data Protection Act).
Telecommunications Digital Services Data Protection Act (TDDDG)
The legal basis for the storage and retrieval of information in the end user's terminal equipment is consent in accordance with Section 25 TDDDG. This consent is requested when the website is accessed.
According to Section 25 TDDDG, consent is not required if the storage of information in the end user's terminal equipment or access to information already stored in the end user's terminal equipment is absolutely necessary for the provider of a telemedia service to provide a telemedia service expressly requested by the user. In the cookie settings, you can see which cookies are classified as absolutely necessary (often also referred to as "technically necessary cookies") and therefore fall under the exemption rule of Section 25 (2) TDDDG and therefore do not require consent.
Please note that the legal basis for the downstream processing of personal data then results from the GDPR. The relevant legal basis for the processing of personal data on this website can be found further on in this privacy policy.
Use of cookies
In addition to the aforementioned data, cookies or similar technologies such as pixels (hereinafter generally referred to as "cookies") are used on your computer when you use and visit our website. Cookies are either small databases that are stored by your browser on your end device to store certain information, or image files such as pixels. The next time you visit our website with the same device, the information stored in cookies is subsequently sent back either to our website ("first party cookie") or to another website to which the cookie belongs ("third party cookie").
Through the stored and returned information, the respective website recognizes that you have already accessed and visited it with the browser of your end device. We use this information to optimize the design and display of the website according to your preferences. Only the cookie itself is identified on your end device. Any further storage of personal data will only take place with your express consent or if this is absolutely necessary in order to be able to use the service offered and accessed by you accordingly.
This website uses the following types of cookies, the scope and function of which are explained below:
- Strictly necessary cookies (type a)
- Functional and performance cookies (type b)
- Cookies requiring consent (type c)
Strictly necessary cookies (type a)
Strictly necessary cookies ensure functions without which you cannot use our websites as intended. These cookies are used exclusively by us and are therefore first party cookies. This means that all information stored in the cookies is sent back to our website.
Strictly necessary cookies are used, for example, to ensure that you as a registered user always remain logged in when accessing various subpages of our website and therefore do not have to re-enter your login details each time you access a new page.
The use of strictly necessary cookies on our website is possible without your consent. For this reason, strictly necessary cookies cannot be deactivated or activated individually. However, you have the option of deactivating cookies in your browser at any time (see below).
Functional and performance cookies (type b)
Functional cookies enable our website to save information you have already provided (such as your registered name or language selection) and to offer you improved and more personalized functions based on this information. These cookies only collect and store anonymized information so that they cannot track your movements on other websites.
Performance cookies collect information about how our websites are used in order to improve their attractiveness, content and functionality. These cookies help us, for example, to determine whether and which subpages of our website are visited and what content users are particularly interested in. In particular, we record the number of visits to a page, the number of subpages accessed, the time spent on our website, the order of the pages visited, which search terms led you to us, the country, region and, if applicable, the city from which the access is made, as well as the proportion of mobile devices that access our websites. We also record movements, "clicks" and scrolling with the computer mouse in order to understand which areas of our website are of particular interest to users. As a result, we can tailor the content of our website more specifically to the needs of our users and optimize our offering. The IP address of your computer transmitted for technical reasons is automatically anonymized and does not allow us to draw any conclusions about the individual user.
You can object to the use of functional and performance cookies at any time by adjusting your cookie settings accordingly.
Legal basis: Art. 6 para. 1 lit. f) GDPR
Cookies requiring consent (type c)
Cookies that are neither absolutely necessary (type a) nor functional or performance cookies (type b) are only used after you have given your consent.
We also reserve the right to use information that we have obtained by means of cookies from an anonymized analysis of the usage behavior of visitors to our websites in order to display specific advertising for certain of our products on our own websites. We believe that you as a user benefit from this because we display advertising or content that we assume, based on your surfing behavior, matches your interests and you are thus shown less randomly scattered advertising or certain content that may be of less interest to you.
Marketing cookies originate from external advertising companies (third-party cookies) and are used to collect information about the websites visited by the user in order to create targeted advertising for the user.
Legal basis: Art. 6 para. 1 lit. a) GDPR
Opt-out for marketing cookies
You can also manage cookies used for online advertising via the tools developed in many countries as part of self-regulatory programs, such as the US-based www.aboutads.info/choices/ or the EU-based www.youronlinechoices.com/uk/your-ad-choices.
Legal basis: Art. 6 para. 1 lit. a) GDPR
Management and deletion of all cookies
In addition, you can set your Internet browser to generally prevent cookies from being stored on your device or to ask you each time whether you agree to the setting of cookies. Once cookies have been set, you can also delete them at any time. You can find out how all this works in detail in the help function of your browser.
The cookies and third-party requests described above are placed on your device by the following services through our website:
Google Analytics 4 (GA4)
This website uses Google Analytics 4, a service provided by Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland ("Google"), which can be used to analyze the use of websites.
When using Google Analytics 4, so-called "cookies" are used. Cookies are databases that are stored on your end device and enable your use of a website to be analyzed. The information collected by cookies about your use of the website (including the IP address transmitted by your device, shortened by the last digits, see below) is usually transmitted to a Google server, where it is stored and processed. This may also result in information being transmitted to the servers of Google LLC based in the USA and further processing of the information there. GA4 also offers server-side tracking, which enables us to pseudonymize user data on our own server and only then transmit it to Google.
When using Google Analytics 4, the IP address transmitted by your end device when using the website is automatically collected and processed only in a pseudonymized manner, so that the information collected cannot be directly linked to a person. This automatic pseudonymization takes place by Google truncating the IP address transmitted by your device within member states of the European Union (EU) or other signatory states to the Agreement on the European Economic Area (EEA).
Google uses this and other information on our behalf to evaluate your use of the website, to compile reports on your website activity and usage behavior and to provide us with other services relating to your use of the website and the Internet. The abbreviated IP address transmitted by your device as part of Google Analytics 4 will not be merged with other Google data. The data collected as part of the use of Google Analytics 4 is stored for 2 months and then deleted.
Google Analytics 4 enables us to recognize the so-called "demographic characteristics" of a user via browser fingerprints. This enables us to evaluate information about the age, gender and interests of website users across all devices on the basis of an evaluation of interest-based advertising and with the help of third-party information. This makes it possible to determine and differentiate between user groups of the website for the purpose of target group-optimized marketing measures. However, data collected via the "demographic characteristics" cannot be assigned to a specific person and therefore not to you personally. This data collected via the "demographic characteristics" function is stored for two months and then deleted.
All processing described above, in particular the setting of Google Analytics cookies for the storage and reading of information on the device you use to access the website, will only take place if you have given us your express consent to do so in accordance with Art. 6 para. 1 lit. a) GDPR. Without your consent, Google Analytics 4 will not be used during your use of the website. You can revoke your consent at any time with effect for the future. To exercise your revocation, please deactivate this service using the "cookie consent tool" provided on the website.
We have concluded a so-called order processing contract with Google for our use of Google Analytics 4, which obliges Google to protect the data of our website users and not to pass it on to third parties.
In order to ensure compliance with the European level of data protection even in the event of a data transfer from the EU or the EEA to the USA and possible further processing there, the provider has certified itself for the Trans Atlantic Data Privacy Framework. You can view the certification under the following link: https://www.dataprivacyframework.gov/s/participant-search
If the TADPF should fall, the processing can be based on the standard contractual clauses of the prevailing data protection regulations of the EU (https://ec.europa.eu/info/law/law-topic/data-protection/publications/standard-contractual-clauses-controllers-and-processors).
Further legal information on Google Analytics 4 can be found at policies.google.com/privacy and at https://policies.google.com/technologies/partner-sites.
Google Ads
Our website uses Google AdWords, an online advertising program operated in cooperation with Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States.
We use Google Conversion Tracking within this online advertising program. After clicking on a Google ad, a cookie is placed for the purpose of conversion tracking. These cookies, small databases, are stored on your device by your web browser. The validity of Google AdWords cookies expires after 30 days and does not allow users to be personally identified. The cookie enables Google and us to recognize that you have clicked on an ad and visited our website.
Each Google AdWords customer receives a unique cookie that cannot be tracked by other AdWords customers. Conversion cookies are only used to generate conversion statistics for AdWords customers who use conversion tracking. These statistics show how many users click on their ads and are redirected to pages with the conversion tracking tag. However, no information is provided that allows users to be personally identified. If you do not wish to participate in tracking, you can object to its use by deactivating the conversion cookie in your browser settings. This means that you will not be included in the conversion tracking statistics.
The storage of "conversion cookies" is based on Art. 6 para. 1 lit. a) GDPR and serves our legitimate interest in analyzing user behavior and optimizing our website and advertising.
For more information on Google AdWords and Google Conversion Tracking, please refer to Google's privacy policy: https://www.google.de/policies/privacy/.
In order to ensure compliance with the European level of data protection even in the event of a data transfer from the EU or the EEA to the USA and possible further processing there, the provider has certified itself for the Trans Atlantic Data Privacy Framework. You can view the certification under the following link: https://www.dataprivacyframework.gov/s/participant-search
Using a modern web browser, you have the option of monitoring, restricting or blocking the setting of cookies. However, deactivating cookies may impair the functionality of our website.
Legal basis: Art. 6 para. 1 lit. a) GDPR
Google Tag Manager
With the Google Tag Management solution, marketers have the option to manage the handling of website tags through an intuitive user interface. The tag manager is solely responsible for monitoring the triggering of tags. With regard to these specific third-party providers, corresponding explanations are available in the privacy policy. However, this information is not used by the Google Tag Management Platform. If you have set a deactivation of cookies or made other adjustments, these settings will be taken into account for all tracking markers used with the Google Tag Manager, which means that the tool will not make any changes to your cookie settings.
The legal basis is Art. 6 para. 1 lit. a) GDPR.
The following social networks are integrated on our website
LinkedIn link
We have integrated a link to the LinkedIn portal on our website. The professional network "LinkedIn" is operated by LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland.
We maintain our own company page on LinkedIn. This is used to actively address potential employees in a professional environment. On this page, we also share information about our company and present ourselves to the outside world in this way.
Together with LinkedIn, we are responsible for the operation of the site and therefore have a so-called "joint responsibility" towards the user. We have concluded a corresponding agreement with LinkedIn. This sets out the respective responsibilities for fulfilling the obligations under Art. 26 GDPR.
For detailed information on the processing and use of data by us and by LinkedIn, as well as a contact option and your rights in this regard and setting options to protect your privacy, please refer to LinkedIn's privacy policy: https://de.linkedin.com/legal/privacy-policy?trk=hb_ft_priv
YouTube link
We have integrated a link to the provider YouTube, Google Ireland Limited Gordon House, Barrow Street Dublin 4, Ireland, into our online offering. We have no influence on this data transmission. The purpose of the processing is for marketing purposes.
By clicking on the YouTube link, you will be forwarded directly to the YouTube page. This occurs regardless of whether YouTube provides a user account through which you are logged in or whether no user account exists. If you are logged in to Google, your data will be assigned directly to your account. If you do not wish your data to be associated with your YouTube profile, you must log out before activating the link. YouTube stores your data as usage profiles and uses them for the purposes of advertising, market research and/or needs-based design of the website. Such an evaluation is also carried out (even for users who are not logged in) to inform other users of the social network about your activities on our website. You have the right to object to the creation of these user profiles, whereby you must contact YouTube to exercise this right.
Further information on the purpose and scope of data collection and its processing by YouTube can be found in YouTube's privacy policy. There you will also find further information on your rights and setting options to protect your privacy: https://policies.google.com/privacy.
We would like to point out that you can reject cookies. You can deactivate them at any time in your web browser. Google also offers a range of options for objecting to the collection of personal data by Google: https://policies.google.com/privacy#infochoices
Instagram link
We have integrated a component of the Instagram service on our website. Instagram is a service that qualifies as an audiovisual platform and enables users to share photos and videos and also to redistribute such data in other social networks.
The operating company of the Instagram services is Meta Platforms Ireland Ltd. 4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland.
With each call-up to one of the individual pages of this Internet site, which is operated by the controller and on which an Instagram component (Insta button) was integrated, the Internet browser on the information technology system of the data subject is automatically prompted by the respective Instagram component to download a display of the corresponding component from Instagram. As part of this technical process, Instagram receives information about which specific subpage of our website is visited by the data subject.
If the data subject is logged in to Instagram at the same time, Instagram detects with every call-up to our website by the data subject, and for the entire duration of their stay on our Internet site, which specific sub-page of our Internet page was visited by the data subject. This information is collected by the Instagram component and assigned by Instagram to the respective Instagram account of the data subject. If the data subject clicks on one of the Instagram buttons integrated on our website, the data and information transmitted with it is assigned to the personal Instagram user account of the data subject and stored and processed by Instagram.
Instagram always receives information via the Instagram component that the data subject has visited our website if the data subject is logged in to Instagram at the same time as accessing our website; this takes place regardless of whether the data subject clicks on the Instagram component or not. If the data subject does not want this information to be transmitted to Instagram, they can prevent the transmission by logging out of their Instagram account before accessing our website.
Further information and the applicable data protection provisions of Instagram may be retrieved under help.instagram.com/155833707900388 and www.instagram.com/about/legal/privacy/
Facebook fan page link
We have integrated a component of the Facebook service on our website, which is a link to our Facebook fan page. We use the technical platform of Meta Platforms Ireland Limited, 4 Grand Canal Square Grand Canal Harbour, Dublin 2, Ireland (hereinafter: Facebook) for the information service offered here.
According to the ECJ, there is joint responsibility within the meaning of Art. 26 GDPR between Facebook and the operator of a Facebook fan page for the personal data processed via the Facebook fan page. For this reason, we have concluded an agreement with Facebook on joint responsibility.
When you access a Facebook fan page, the IP address of your end device is transmitted to Facebook. According to Facebook, this IP address is anonymized and deleted after 90 days, at least if it is a German IP address. In addition, Facebook stores further information about the end devices of its users, e.g. the Internet browser used. This may enable Facebook to assign IP addresses to individual users. If you are logged into your Facebook account while visiting our fan page, a cookie with your Facebook ID will be stored on your device. This cookie enables Facebook to understand that you have visited our fan page and how you have used it. Facebook uses this information to present you with customized content or advertising. If you do not want this, you should log out of your Facebook account or deactivate the "stay logged in" function. We also recommend deleting the cookies on your device and closing and restarting your browser. This process deletes Facebook information that Facebook can use to establish a link to you. However, if you wish to use the interactive functions of our fan page, you will have to log in to Facebook again using your Facebook login information. This will also allow Facebook to create a link to you again. How Facebook uses the data from visits to Facebook pages for its own purposes, to what extent activities on the Facebook page are assigned to individual users, how long Facebook stores this data and whether data from a visit to the Facebook page is passed on to third parties is not conclusively and clearly stated by Facebook and is not known to us. In this respect, we can only refer you as a user of our fan page to Facebook's privacy policy. The data collected about you in this context is processed by Facebook and may be transferred to countries outside the European Union.
What information Facebook receives and how it is used is described by Facebook in general terms in its data usage guidelines. There you will also find information on how to contact Facebook and the settings options for advertisements. The data usage guidelines are available at the following link: de-de.facebook.com/about/privacy. Objection options (so-called opt-out) can be set here: www.facebook.com/settings and here www.youronlinechoices.com
The transfer and further processing of users' personal data to third countries, such as the USA, and the associated potential risks for you as a user cannot be assessed by us as the operator of the Facebook fan page.
Blogs and publication media
We use blogs or comparable means of online communication and publication (hereinafter "publication medium"). Readers' data is only processed for the purposes of the publication medium to the extent necessary for its presentation and communication between authors and readers or for security reasons. In addition, we refer to the information on the processing of visitors to our publication medium in the context of this data protection notice.
Comments and contributions: If users leave comments or other contributions, their IP addresses may be stored on the basis of our legitimate interests. This is done for our security, if someone leaves illegal content in comments and posts (insults, prohibited political propaganda, etc.). In this case, we ourselves may be prosecuted for the comment or post and are therefore interested in the identity of the author.
Furthermore, we reserve the right to process user data for the purpose of spam detection on the basis of our legitimate interests.
On the same legal basis, we reserve the right to store users' IP addresses for the duration of surveys and to use cookies in order to avoid multiple votes.
The personal information provided in the comments and contributions, any contact and website information as well as the content information will be stored by us permanently until the user objects.
- Processed data types: Inventory data (e.g. names, addresses), contact data (e.g. email, telephone numbers), content data (e.g. text entries, photographs, videos), usage data (e.g. websites visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses).
- Data subjects: Users (e.g. website visitors, users of online services).
- Purposes of Processing: Contractual services and support, Feedback (e.g. collecting feedback via online form), Security measures, Managing and responding to inquiries.
- Legal bases: Performance of a contract and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b. GDPR), Legitimate interests (Art. 6 para. 1 sentence 1 lit. f. GDPR), Consent (Art. 6 para. 1 sentence 1 lit. a GDPR), Protection of vital interests (Art. 6 para. 1 sentence 1 lit. d. GDPR).
Making contact
When contacting us (e.g. by contact form, email, telephone or via social media), the information of the inquiring persons is processed insofar as this is necessary to answer the contact inquiries and any requested measures.
The response to contact inquiries in the context of contractual or pre-contractual relationships is carried out to fulfil our contractual obligations or to respond to (pre)contractual inquiries and otherwise on the basis of your implied consent in accordance with Art. 6 para. 1 sentence 1 lit. a) GDPR.
- Processed data types: Inventory data (e.g. names, addresses), Contact data (e.g. email, telephone numbers), Content data (e.g. text input, photographs, videos).
- Data subjects: Communication partners.
- Purposes of processing: Contact requests and communication.
- Legal bases: Contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b. GDPR), Consent (Art. 6 para. 1 sentence 1 lit. a GDPR).
Implementation of the whistleblower system
In our company, every person who has a business relationship with our company has the opportunity to report misconduct or malpractice. We thereby comply with the provisions of the Whistleblower Protection Act (HinSchG).
Please read the following data protection information for our whistleblower system carefully before submitting a report.
We hereby inform you about the collection, processing and use of personal data in connection with the system introduced. The data is collected when you submit a report to BHI Biohealth International GmbH. You can submit a report in person, by letter or e-mail.
Purpose of data processing
The purpose of data processing within the framework of the whistleblower system is to receive and clarify breaches of regulations at BHI Biohealth International GmbH. The clarification of misconduct, prevention of future misconduct, exercise of legal claims and legal defense if necessary, exoneration of employees in the event of unlawful accusations, implementation of compliance obligations, resolution of conflicts of interest, detection of sexualized violence, violations of competition law and the investigation of white-collar crime and possible corruption are also part of the purpose of the processing.
Categories of data subjects
The reported facts may contain information about other persons who are affected by the report. The following persons are the subject of data processing in a report: The reporting person - in this context, the whistleblower - and employees of our company whose behavior is the subject of the report. Other persons may also be involved in the context of the report. In this case, the data of these additional persons will also be part of the data processing.
Categories of data processed
The following data of the data subjects are processed as part of the report in the whistleblower system: surname, first name, email address, position at the company and, if applicable, further information on employment such as the exact area of activity. Content data containing information about the behavior of the data subject(s) is also processed.
Recipients of personal data
The data collected in the context described above will only be made accessible to persons who are responsible for recording and processing the report and implementing the follow-up measures. No other persons have access to the data. In principle, the data is not transferred to third parties. One exception, however, is the obligation to cooperate in the investigation of criminal offenses. In this case, we are obliged to forward the data to law enforcement agencies or other authorities.
All persons involved who have access to data from the whistleblower system have been obliged to maintain confidentiality and secrecy.
Duration of data storage
The duration of data storage depends on the retention period required to clarify and conclusively assess the facts of the report. As soon as data storage is no longer required for the above-mentioned purposes, we delete the data. Art. 17 GDPR is relevant here. The deletion takes place provided that no other statutory retention periods or legitimate interests of the company or interests of data subjects worthy of protection prevent the deletion of the data.
Legal basis for data processing
The legal basis is Article 6(1)(c) GDPR in conjunction with Article 13 HinSchG - as a company, we are thus fulfilling the compliance and supervisory obligations imposed on us. Article 6(1)(f) GDPR serves as a further legal basis - the data is processed on the basis of the company's legitimate interests. In addition, Article 6(1)(a) GDPR also serves as the legal basis for data processing. This legal basis applies to the processing of the whistleblower's data. The whistleblower has given their consent to data processing with the report.
Automated decision making
Within the framework of the Whistleblower Protection Act, neither automated individual case decisions nor profiling measures within the meaning of Art. 22 GDPR take place.
Video conferences, online meetings, webinars and screen sharing
We use platforms and applications of other providers (hereinafter referred to as "third-party providers") for the purpose of conducting video and audio conferences, webinars and other types of video and audio meetings. When selecting third-party providers and their services, we observe the legal requirements.
In this context, data of the communication participants are processed and stored on the servers of the third-party providers, insofar as these are part of communication processes with us. This data may include, in particular, registration and contact data, visual and vocal contributions as well as entries in chats and shared screen content.
If users are referred to third-party providers or their software or platforms in the context of communication, business or other relationships with us, the third-party providers may process usage data and metadata for security purposes, service optimization or marketing purposes. We therefore ask you to observe the data protection notices of the respective third-party providers.
Notes on legal bases: If we ask users for their consent to the use of third-party providers or certain functions (e.g. consent to the recording of conversations), the legal basis for processing is consent. Furthermore, their use may be part of our (pre)contractual services, provided that the use of third-party providers has been agreed in this context. Otherwise, user data is processed on the basis of our legitimate interests in efficient and secure communication with our communication partners. In this context, we would also like to refer you to the information on the use of cookies in this privacy policy.
- Processed data types: Inventory data (e.g. names, addresses), Contact data (e.g. e-mail, telephone numbers), Content data (e.g. text input, photographs, videos), Usage data (e.g. websites visited, interest in content, access times), Meta/communication data (e.g. device information, IP addresses).
- Data subjects: Communication partners, users (e.g. website visitors, users of online services).
- Purposes of Processing: Contractual services and support, contact requests and communication, Office and organizational procedures.
- Legal bases: Consent (Art. 6 Para. 1 S. 1 lit. a GDPR), Contract fulfillment and pre-contractual inquiries (Art. 6 Para. 1 S. 1 lit. b. GDPR), Legitimate interests (Art. 6 Para. 1 S. 1 lit. f. GDPR).
Application procedure
Data protection information for applicants
We are pleased that you are interested in us and that you are applying or have applied for a position in our company. We would like to provide you with the following information on the processing of your personal data in connection with your application.
Which of your data do we process? And for what purposes?
We process the data that you have sent us in connection with your application in order to check your suitability for the position (or any other open positions in our company) and to carry out the application process.
What is the legal basis for this?
The legal basis for the processing of your personal data in this application procedure is primarily Art. 6 para. 1 lit. b) GDPR.
This permits the processing of data required in connection with the decision to establish an employment relationship.
Should the data be required for legal prosecution after completion of the application procedure, data processing may be carried out on the basis of the requirements of Art. 6 GDPR, in particular to safeguard legitimate interests in accordance with Art. 6 para. 1 lit. f) GDPR. Our interest then lies in the assertion of or defense against claims.
If special categories of personal data within the meaning of Art. 9 GDPR are processed (e.g. health data), the legal basis is Art. 9 para. 2 lit. b) GDPR in conjunction with Art. 6 para. 1 lit. b) GDPR.
How long will the data be stored?
Applicants' data will be deleted after 6 months in the event of rejection.
In the event that you have consented to further storage of your personal data, we will transfer your data to our applicant pool. The data will be deleted there after two years.
If you have been accepted for a position as part of the application process, the data will be transferred from the applicant data system to our personnel information system.
To which recipients will the data be passed on?
Your applicant data will be reviewed by the HR department after we receive your application. Suitable applications are then forwarded internally to the department managers responsible for the respective open position. The next steps are then agreed. Within the company, only those persons who need access to your data for the proper conduct of our application process have access to it.
WhatsApp in the application process
For the application process, we use the WhatsApp messaging service and the associated technical platform from the provider WhatsApp, Inc, 1601 Willow Road, Menlo Park, California 94025, USA. The purpose is to make communication in the application process easier and faster for all parties involved. WhatsApp is a service of Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.
In this context, we ourselves are only a user of the service and functions provided by WhatsApp. We have no influence whatsoever on WhatsApp's terms and conditions. This also applies in particular with regard to the data protection conditions associated with the use of WhatsApp. If you contact us via WhatsApp, this means that not only we but also WhatsApp come into contact with all the personal data that you disclose in this context.
We also have no influence on the type and scope of the data processed by the provider, the type of processing and use or the transfer of this data to third parties, in particular to countries outside the European Union where an adequate level of data protection cannot be guaranteed.
Below you will find information about which data is processed by the provider and for what purposes it is used:
- Registration data, such as profile name and cell phone number
- Telephone numbers in the cell phone address book
- Usage and log information (information on the use of the service)
- Transaction data (e.g. payment receipts)
- Connection data, such as mobile network details
- Connection and device information, such as operating system, device ID, device location (if location functions are used), mobile or internet provider, browser type, IP address
- Status information ("last online" status)
- Curriculum vitae
- Cover letter
- References
Further information on data protection at WhatsApp can be found at the following link www.whatsapp.com/legal/ .
By sending the message or application via the mobile phone number you use, you implicitly consent to us processing your personal data as described below:
To be able to receive your application data and for general communication regarding the application process. The following data will be processed: Your telephone number, your profile picture, your messenger ID and all content data of the messages you send to us.
We use technical and organizational measures to ensure the security of your data. WhatsApp uses end-to-end encryption.
Your data will be stored for the duration of the application process and deleted after completion of the process, unless you give us your consent for longer storage.
The legal basis for this data processing is Art. 6 para. 1 lit. a) GDPR - your consent.
Newsletter with Brevo (formerly Sendinblue)
With your consent, you can subscribe to our newsletter, which we use to inform you about topics relating to our company and our services and offers. The purpose of using newsletters is for marketing reasons.
We use the so-called double opt-in procedure to subscribe to our newsletter. This means that after you have registered, we will send you an e-mail to the e-mail address you have provided in which we ask you to confirm that you wish to receive the newsletter. If you do not confirm your registration within 24 hours, your information will be blocked and automatically deleted after one month. In addition, we store the IP addresses you use and the times of registration and confirmation. The purpose of this procedure is to be able to prove your registration and, if necessary, to clarify any possible misuse of your personal data.
Your name and e-mail address are mandatory for sending the newsletter. After your confirmation, we will save your e-mail address and your name for the purpose of sending you the newsletter as well as a personal approach.
You can revoke your consent to receive the newsletter at any time and unsubscribe from the newsletter. You can declare your revocation by clicking on the link provided in every newsletter e-mail or by sending a message to the contact details given in the imprint. The legal basis is your consent within the meaning of Art. 6 para. 1 sentence 1 lit. a) GDPR. Our service provider is Brevo (formerly Sendinblue): Sendinblue GmbH (trading as Brevo), Köpenicker Str. 126, 10179 Berlin, as a certified processor bound by instructions.
With the help of Brevo, we are able to analyze our newsletter campaigns. For example, we can see whether a newsletter message has been opened and which links have been clicked on. In this way, we can determine, among other things, which links were clicked on particularly frequently.
We can also recognize whether certain previously defined actions were carried out after opening or clicking (conversion rate). For example, we can see whether you have made a purchase after clicking on the newsletter.
Brevo also enables us to divide newsletter recipients into different categories ("clustering"). The newsletter recipients can be subdivided according to age, gender or place of residence, for example. In this way, the newsletters can be better tailored to the respective target groups.
If you do not wish to be analyzed by Brevo, you must unsubscribe from the newsletter. We provide a link for this purpose in every newsletter message.
You can find detailed information on the functions of Brevo at the following link: https://www.brevo.com/de/newsletter-software/.
The data you provide us with for the purpose of subscribing to the newsletter will be stored by us or the newsletter service provider until you unsubscribe from the newsletter and deleted from the newsletter distribution list after you unsubscribe from the newsletter. Data stored by us for other purposes remains unaffected by this.
After you unsubscribe from the newsletter distribution list, your e-mail address may be stored by us or the newsletter service provider in a blacklist if this is necessary to prevent future mailings. The data from the blacklist will only be used for this purpose and will not be merged with other data. This serves both your interest and our interest in complying with the legal requirements when sending newsletters (legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR). Storage in the blacklist is not limited in time. You can object to the storage if your interests outweigh our legitimate interest.
For more information, please refer to Brevo's privacy policy at: https://www.brevo.com/de/datenschutz-uebersicht/ and https://www.brevo.com/de/legal/privacypolicy/.
Advertising communication via email, post, fax or telephone
We process personal data for the purposes of advertising communication, which may take place via various channels, such as e-mail, telephone, post or fax, in accordance with legal requirements.
Recipients have the right to withdraw their consent at any time or to object to advertising communication at any time.
After revocation or objection, we may store the data required to prove consent for up to three years on the basis of our legitimate interests before deleting it. The processing of this data is limited to the purpose of a possible defense against claims. An individual request for erasure is possible at any time, provided that the former existence of consent is confirmed at the same time.
- Processed data types: Inventory data (e.g. names, addresses), contact data (e.g. e-mail, telephone numbers).
- Data subjects: Communication partners.
- Purposes of processing: Direct marketing (e.g. by email or post).
- Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a GDPR), Legitimate interests (Art. 6 para. 1 sentence 1 lit. f. GDPR).
Affiliate programs and affiliate links
We include so-called affiliate links or other references (which may include search masks, widgets or discount codes, for example) to the offers and services of third-party providers (collectively referred to as "affiliate links") in our online offering. If users follow the affiliate links or subsequently take advantage of the offers, we may receive a commission or other benefits from these third-party providers (collectively referred to as "commission").
In order to be able to track whether the users have taken up the offers of an affiliate link used by us, it is necessary for the respective third-party providers to know that the users have followed an affiliate link used within our online offer. The assignment of the affiliate links to the respective business transactions or other actions (e.g. purchases) serves the sole purpose of commission settlement and is canceled as soon as it is no longer required for this purpose.
For the purposes of the aforementioned assignment of affiliate links, the affiliate links can be supplemented by certain values that are part of the link or can be stored elsewhere, e.g. in a cookie. The values may include, in particular, the source website (referrer), the time, an online identifier of the operator of the website on which the affiliate link was located, an online identifier of the respective offer, the type of link used, the type of offer and an online identifier of the user.
- Processed data types: Contract data (e.g. subject matter of the contract, duration, customer category), usage data (e.g. websites visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses).
- Data subjects: Users (e.g. website visitors, users of online services).
- Purposes of processing: Affiliate tracking.
- Legal bases: Consent (Art. 6 Para. 1 S. 1 lit. a GDPR), Contract fulfillment and pre-contractual inquiries (Art. 6 Para. 1 S. 1 lit. b. GDPR), Legitimate interests (Art. 6 Para. 1 S. 1 lit. f. GDPR).
Deletion of data
The data processed by us will be deleted in accordance with the legal requirements as soon as the consents permitted for processing are revoked or other permissions cease to apply (e.g. if the purpose of processing this data no longer applies or it is not required for the purpose).
If the data is not deleted because it is required for other and legally permissible purposes, its processing will be restricted to these purposes. This means that the data is blocked and not processed for other purposes. This applies, for example, to data that must be retained for commercial or tax law reasons or whose storage is necessary for the assertion, exercise or defense of legal claims or to protect the rights of another natural or legal person.
Further information on the deletion of personal data can also be found in the individual sections of this privacy policy.
Rights of the data subjects
1. revocation of consent
If the processing of personal data is based on consent, you have the right to withdraw your consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
2. right to information
If personal data is processed, you can request information about this personal data and the following information at any time:
a) the purposes of the processing;
b) the categories of personal data concerned;
c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations;
d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing
f) the existence of the right to lodge a complaint with a supervisory authority;
g) where the personal data are not collected from the data subject, any available information as to their source;
h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and envisaged consequences of such processing for the data subject.
i) If personal data is transferred to a third country or to an international organization, you have the right to be informed of the appropriate safeguards pursuant to Article 46 GDPR in connection with the transfer. We will provide you with a copy of the personal data that is the subject of the processing. For any further copies that you request as an individual, we may charge a reasonable fee based on administrative costs. If you make the request electronically, the information shall be provided in a commonly used electronic format, unless you specify otherwise. The right to receive a copy in accordance with Article 20 must not adversely affect the rights and freedoms of others.
3. right to rectification and completion
You have the right to obtain from us without undue delay the rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, you have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
4. right to erasure ("right to be forgotten")
You have the right to obtain from the controller the erasure of personal data concerning you without undue delay and we have the obligation to erase personal data without undue delay where one of the following grounds applies:
a) The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.
b) The data subject withdraws consent on which the processing is based pursuant to Article 6 para. 1 lit. a) or Article 9 para. 2 lit. a) GDPR and there is no other legal basis for the processing.
c) The data subject objects to the processing pursuant to Article 21 para. 1 GDPR and there are no overriding legitimate grounds for the processing or the data subject objects to the processing pursuant to Article 21 para. 2 GDPR.
d) The personal data have been unlawfully processed.
e) The erasure of the personal data is necessary for compliance with a legal obligation in Union or Member State law to which the controller is subject.
Where the controller has made the personal data public and is obliged pursuant to para. 1, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
The right to erasure ("right to be forgotten") shall not apply to the extent that processing is necessary
- for exercising the right of freedom of expression and information;
- for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- for reasons of public interest in the area of public health in accordance with Article 9(2)(h) and (i) and Article 9(3) GDPR;
- for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) GDPR in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
- for the establishment, exercise or defense of legal claims.
5. right to restriction of processing
You have the right to demand that we restrict the processing of your personal data if one of the following conditions is met:
a) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
c) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defense of legal claims; or
d) the data subject has objected to processing pursuant to Article 21 para. 1 GDPR, as long as it is not yet clear whether the legitimate grounds of the controller override those of the data subject.
Where processing has been restricted in accordance with the above conditions, such personal data shall, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
6. right to data portability
You have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and you have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:
a) the processing is based on consent pursuant to Article 6 para. 1 lit. a) or Article 9 para. 2 lit. a) or on a contract pursuant to Article 6 para. 1 lit. b) GDPR and
b) the processing is carried out by automated means.
When exercising the right to data portability pursuant to para. 1, you have the right to obtain that the personal data be transferred directly from one controller to another controller, insofar as this is technically feasible. The exercise of the right to data portability does not affect the right to erasure ("right to be forgotten"). This right does not apply to processing that is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
7. right to object
You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on point (e) or (f) of Article 6(1) GDPR, including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims.
Where personal data are processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing. Where you object to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you may exercise your right to object by automated means using technical specifications.
You have the right to object, on grounds relating to your particular situation, to processing of personal data concerning you which is carried out for scientific or historical research purposes or statistical purposes pursuant to Article 89(1), unless the processing is necessary for the performance of a task carried out for reasons of public interest.
You can exercise your right to object at any time by contacting the respective controller.
8. right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you also have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes this Regulation.
9. right to an effective judicial remedy
Without prejudice to any available administrative or extrajudicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to Article 77 GDPR, you have the right to an effective judicial remedy if you consider that your rights under this Regulation have been infringed as a result of the processing of your personal data in non-compliance with this Regulation.
Definitions of terms
The legislator requires that personal data be processed lawfully, fairly and in a manner that is comprehensible to the data subject ("lawfulness, fairness and transparency"). To ensure this, we inform you about the individual legal definitions that are also used in this data protection notice:
1. personal data
"Personal data" means any information relating to an identified or identifiable natural person (hereinafter "data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
2. processing
"Processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
3. restriction of processing
"Restriction of processing" is the marking of stored personal data with the aim of restricting its future processing.
4. profiling
"Profiling" means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.
5. Pseudonymization
"Pseudonymization" means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
6. Filing system
"Filing system" means any structured set of personal data which are accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis.
7. controller
"Controller" means a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
8. processor
"Processor" means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
9. recipient
"Recipient" means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.
10. third party
"Third party" means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data.
11. consent
"Consent" of the data subject is any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Children
Our offer is generally aimed at adults. Persons under the age of 18 should not transmit any personal data to us without the consent of their parents or legal guardians.
Legal validity
If sections or individual terms of this statement are not legal or correct, the content or validity of the other parts remains unaffected by this fact.