We are very delighted that you have shown interest in our enterprise. Data protection is of aparticularly high priority for the management of the Innolume GmbH. The use of the Internet pagesof the Innolume GmbH is possible without any indication of personal data; however, if a datasubject wants to use special enterprise services via our website, processing of personal data couldbecome necessary. If the processing of personal data is necessary and there is no statutory basisfor such processing, we generally obtain consent from the data subject.
The processing of personal data, such as the name, address, e-mail address, or telephone numberof a data subject shall always be in line with the General Data Protection Regulation (GDPR), andin accordance with the country-specific data protection regulations applicable to the InnolumeGmbH. By means of this data protection declaration, our enterprise would like to inform thegeneral public of the nature, scope, and purpose of the personal data we collect, use and process.Furthermore, data subjects are informed, by means of this data protection declaration, of the rightsto which they are entitled.
As the controller, the Innolume GmbH has implemented numerous technical and organizationalmeasures to ensure the most complete protection of personal data processed through this website.However, Internet-based data transmissions may in principle have security gaps, so absoluteprotection may not be guaranteed. For this reason, every data subject is free to transfer personaldata to us via alternative means, e.g. by telephone.
The data protection declaration of the Innolume GmbH is based on the terms used by the Europeanlegislator for the adoption of the General Data Protection Regulation (GDPR). Our data protectiondeclaration should be legible and understandable for the general public, as well as our customersand business partners. To ensure this, we would like to first explain the terminology used.In this data protection declaration, we use, inter alia, the following terms:
- a) Personal data
Personal data means any information relating to an identified or identifiable natural person(“data subject”). An identifiable natural person is one who can be identified, directly orindirectly, in particular by reference to an identifier such as a name, an identificationnumber, location data, an online identifier or to one or more factors specific to the physical,physiological, genetic, mental, economic, cultural or social identity of that natural person.
- b) Data subject
Data subject is any identified or identifiable natural person, whose personal data isprocessed by the controller responsible for the processing.
- c) Processing
Processing is any operation or set of operations which is performed on personal data or onsets of personal data, whether or not by automated means, such as collection, recording,organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use,disclosure by transmission, dissemination or otherwise making available, alignment orcombination, restriction, erasure or destruction.
- d) Restriction of processing
Restriction of processing is the marking of stored personal data with the aim of limitingtheir processing in the future.
- e) Profiling
Profiling means any form of automated processing of personal data consisting of the useof personal data to evaluate certain personal aspects relating to a natural person, inparticular to analyse or predict aspects concerning that natural person’s performance atwork, economic situation, health, personal preferences, interests, reliability, behaviour,location or movements.
- f) Pseudonymisation
Pseudonymisation is the processing of personal data in such a manner that the personaldata can no longer be attributed to a specific data subject without the use of additionalinformation, provided that such additional information is kept separately and is subject totechnical and organisational measures to ensure that the personal data are not attributed toan identified or identifiable natural person.
- g) Controller or controller responsible for the processing
Controller or controller responsible for the processing is the natural or legal person, publicauthority, agency or other body which, alone or jointly with others, determines the purposesand means of the processing of personal data; where the purposes and means of suchprocessing are determined by Union or Member State law, the controller or the specificcriteria for its nomination may be provided for by Union or Member State law.
- h) Processor
Processor is a natural or legal person, public authority, agency or other body whichprocesses personal data on behalf of the controller.
- i) Recipient
Recipient is a natural or legal person, public authority, agency or another body, to whichthe personal data are disclosed, whether a third party or not. However, public authoritieswhich may receive personal data in the framework of a particular inquiry in accordancewith Union or Member State law shall not be regarded as recipients; the processing of thosedata by those public authorities shall be in compliance with the applicable data protectionrules according to the purposes of the processing.
- j) Third party
Third party is a natural or legal person, public authority, agency or body other than the datasubject, controller, processor and persons who, under the direct authority of the controlleror processor, are authorised to process personal data.
- k) Consent
Consent of the data subject is any freely given, specific, informed and unambiguousindication of the data subject’s wishes by which he or she, by a statement or by a clearaffirmative action, signifies agreement to the processing of personal data relating to him orher.
2. Name and Address of the controller
Controller for the purposes of the General Data Protection Regulation (GDPR), other dataprotection laws applicable in Member states of the European Union and other provisions relatedto data protection is:
Phone: +49 (0)231 47730200
3. Name and Address of the Data Protection Officer
The Data Protection Officer of the controller is:
Phone: +49 (0)231 47730200
Any data subject may, at any time, contact our Data Protection Officer directly with all questionsand suggestions concerning data protection.
4. Collection of general data and information
The website of the Innolume GmbH collects a series of general data and information when a datasubject or automated system calls up the website. This general data and information are stored inthe server log files. Collected may be (1) the browser types and versions used, (2) the operatingsystem used by the accessing system, (3) the website from which an accessing system reaches ourwebsite (so-called referrers), (4) the sub-websites, (5) the date and time of access to the Internetsite, (6) an Internet protocol address (IP address), (7) the Internet service provider of the accessingsystem, and (8) any other similar data and information that may be used in the event of attacks onour information technology systems.
When using these general data and information, the Innolume GmbH does not draw anyconclusions about the data subject. Rather, this information is needed to (1) deliver the content ofour website correctly, (2) optimize the content of our website as well as its advertisement, (3)ensure the long-term viability of our information technology systems and website technology, and(4) provide law enforcement authorities with the information necessary for criminal prosecutionin case of a cyber-attack. Therefore, the Innolume GmbH analyzes anonymously collected dataand information statistically, with the aim of increasing the data protection and data security ofour enterprise, and to ensure an optimal level of protection for the personal data we process. Theanonymous data of the server log files are stored separately from all personal data provided by adata subject.
5. Routine erasure and blocking of personal data
The data controller shall process and store the personal data of the data subject only for the periodnecessary to achieve the purpose of storage, or as far as this is granted by the European legislatoror other legislators in laws or regulations to which the controller is subject to.If the storage purpose is not applicable, or if a storage period prescribed by the European legislatoror another competent legislator expires, the personal data are routinely blocked or erased inaccordance with legal requirements.
6. Rights of the data subject
- a) Right of confirmation
Each data subject shall have the right granted by the European legislator to obtain from thecontroller the confirmation as to whether or not personal data concerning him or her arebeing processed. If a data subject wishes to avail himself of this right of confirmation, heor she may, at any time, contact any employee of the controller.
- b) Right of access
Each data subject shall have the right granted by the European legislator to obtain from thecontroller free information about his or her personal data stored at any time and a copy ofthis information. Furthermore, the European directives and regulations grant the datasubject access to the following information:o the purposes of the processing;
o the categories of personal data concerned;
o the recipients or categories of recipients to whom the personal data have been orwill be disclosed, in particular recipients in third countries or internationalorganisations;
o where possible, the envisaged period for which the personal data will be stored, or,if not possible, the criteria used to determine that period;
o the existence of the right to request from the controller rectification or erasure ofpersonal data, or restriction of processing of personal data concerning the datasubject, or to object to such processing;
o the existence of the right to lodge a complaint with a supervisory authority;o where the personal data are not collected from the data subject, any availableinformation as to their source;
o the existence of automated decision-making, including profiling, referred to inArticle 22(1) and (4) of the GDPR and, at least in those cases, meaningfulinformation about the logic involved, as well as the significance and envisagedconsequences of such processing for the data subject.
Furthermore, the data subject shall have a right to obtain information as to whether personaldata are transferred to a third country or to an international organisation. Where this is thecase, the data subject shall have the right to be informed of the appropriate safeguardsrelating to the transfer.
If a data subject wishes to avail himself of this right of access, he or she may, at any time,contact any employee of the controller.
- c) Right to rectification
Each data subject shall have the right granted by the European legislator to obtain from thecontroller without undue delay the rectification of inaccurate personal data concerning himor her. Taking into account the purposes of the processing, the data subject shall have theright to have incomplete personal data completed, including by means of providing asupplementary statement.
If a data subject wishes to exercise this right to rectification, he or she may, at any time,contact any employee of the controller.
- d) Right to erasure (Right to be forgotten)
Each data subject shall have the right granted by the European legislator to obtain from thecontroller the erasure of personal data concerning him or her without undue delay, and thecontroller shall have the obligation to erase personal data without undue delay where oneof the following grounds applies, as long as the processing is not necessary:o The personal data are no longer necessary in relation to the purposes for which theywere collected or otherwise processed.
o The data subject withdraws consent to which the processing is based according topoint (a) of Article 6(1) of the GDPR, or point (a) of Article 9(2) of the GDPR, andwhere there is no other legal ground for the processing.
o The data subject objects to the processing pursuant to Article 21(1) of the GDPRand there are no overriding legitimate grounds for the processing, or the data subjectobjects to the processing pursuant to Article 21(2) of the GDPR.
o The personal data have been unlawfully processed.
o The personal data must be erased for compliance with a legal obligation in Unionor Member State law to which the controller is subject.
o The personal data have been collected in relation to the offer of information societyservices referred to in Article 8(1) of the GDPR.If one of the aforementioned reasons applies, and a data subject wishes to request theerasure of personal data stored by the Innolume GmbH, he or she may, at any time, contactany employee of the controller. An employee of Innolume GmbH shall promptly ensurethat the erasure request is complied with immediately.
Where the controller has made personal data public and is obliged pursuant to Article 17(1)to erase the personal data, the controller, taking account of available technology and thecost of implementation, shall take reasonable steps, including technical measures, to informother controllers processing the personal data that the data subject has requested erasure bysuch controllers of any links to, or copy or replication of, those personal data, as far asprocessing is not required. The employees of the Innolume GmbH will arrange thenecessary measures in individual cases.
- e) Right of restriction of processing
Each data subject shall have the right granted by the European legislator to obtain from thecontroller restriction of processing where one of the following applies:o The accuracy of the personal data is contested by the data subject, for a periodenabling the controller to verify the accuracy of the personal data.
o The processing is unlawful and the data subject opposes the erasure of the personaldata and requests instead the restriction of their use instead.
o The controller no longer needs the personal data for the purposes of the processing,but they are required by the data subject for the establishment, exercise or defenceof legal claims.
o The data subject has objected to processing pursuant to Article 21(1) of the GDPRpending the verification whether the legitimate grounds of the controller overridethose of the data subject.If one of the aforementioned conditions is met, and a data subject wishes to request therestriction of the processing of personal data stored by the Innolume GmbH, he or she mayat any time contact any employee of the controller. The employee of the Innolume GmbHwill arrange the restriction of the processing.
- f) Right to data portability
Each data subject shall have the right granted by the European legislator, to receive thepersonal data concerning him or her, which was provided to a controller, in a structured,commonly used and machine-readable format. He or she shall have the right to transmitthose data to another controller without hindrance from the controller to which the personaldata have been provided, as long as the processing is based on consent pursuant to point(a) of Article 6(1) of the GDPR or point (a) of Article 9(2) of the GDPR, or on a contractpursuant to point (b) of Article 6(1) of the GDPR, and the processing is carried out byautomated means, as long as the processing is not necessary for the performance of a taskcarried out in the public interest or in the exercise of official authority vested in thecontroller.
Furthermore, in exercising his or her right to data portability pursuant to Article 20(1) ofthe GDPR, the data subject shall have the right to have personal data transmitted directlyfrom one controller to another, where technically feasible and when doing so does notadversely affect the rights and freedoms of others.
In order to assert the right to data portability, the data subject may at any time contact anyemployee of the Innolume GmbH.
- g) Right to object
Each data subject shall have the right granted by the European legislator to object, ongrounds relating to his or her particular situation, at any time, to processing of personaldata concerning him or her, which is based on point (e) or (f) of Article 6(1) of the GDPR.This also applies to profiling based on these provisions.
The Innolume GmbH shall no longer process the personal data in the event of the objection,unless we can demonstrate compelling legitimate grounds for the processing whichoverride the interests, rights and freedoms of the data subject, or for the establishment,exercise or defence of legal claims.
If the Innolume GmbH processes personal data for direct marketing purposes, the datasubject shall have the right to object at any time to processing of personal data concerninghim or her for such marketing. This applies to profiling to the extent that it is related tosuch direct marketing. If the data subject objects to the Innolume GmbH to the processingfor direct marketing purposes, the Innolume GmbH will no longer process the personaldata for these purposes.
In addition, the data subject has the right, on grounds relating to his or her particularsituation, to object to processing of personal data concerning him or her by the InnolumeGmbH for scientific or historical research purposes, or for statistical purposes pursuant toArticle 89(1) of the GDPR, unless the processing is necessary for the performance of a taskcarried out for reasons of public interest.
In order to exercise the right to object, the data subject may contact any employee of theInnolume GmbH. In addition, the data subject is free in the context of the use ofinformation society services, and notwithstanding Directive 2002/58/EC, to use his or herright to object by automated means using technical specifications.
- h) Automated individual decision-making, including profiling
Each data subject shall have the right granted by the European legislator not to be subjectto a decision based solely on automated processing, including profiling, which produceslegal effects concerning him or her, or similarly significantly affects him or her, as long asthe decision (1) is not is necessary for entering into, or the performance of, a contractbetween the data subject and a data controller, or (2) is not authorised by Union or MemberState law to which the controller is subject and which also lays down suitable measures tosafeguard the data subject’s rights and freedoms and legitimate interests, or (3) is not basedon the data subject’s explicit consent.
If the decision (1) is necessary for entering into, or the performance of, a contract betweenthe data subject and a data controller, or (2) it is based on the data subject’s explicit consent,the Innolume GmbH shall implement suitable measures to safeguard the data subject’srights and freedoms and legitimate interests, at least the right to obtain human interventionon the part of the controller, to express his or her point of view and contest the decision.If the data subject wishes to exercise the rights concerning automated individual decisionmaking, he or she may, at anytime, contact any employee of the Innolume GmbH.
- i) Right to withdraw data protection consent
Each data subject shall have the right granted by the European legislator to withdraw hisor her consent to processing of his or her personal data at any time.If the data subject wishes to exercise the right to withdraw the consent, he or she may, atany time, contact any employee of the Innolume GmbH.
7. Data protection for applications and the application procedures
The data controller shall collect and process the personal data of applicants for the purpose of theprocessing of the application procedure. The processing may also be carried out electronically.This is the case, in particular, if an applicant submits corresponding application documents by email or by means of aweb form on the website to the controller. If the data controller concludesan employment contract with an applicant, the submitted data will be stored for the purpose ofprocessing the employment relationship in compliance with legal requirements. If no employmentcontract is concluded with the applicant by the controller, the application documents shall beautomatically erased two months after notification of the refusal decision, provided that no otherlegitimate interests of the controller are opposed to the erasure. Other legitimate interest in thisrelation is, e.g. a burden of proof in a procedure under the General Equal Treatment Act (AGG).
8. Data protection provisions about the application and use of Google Analytics (withanonymization function)
On this website, the controller has integrated the component of Google Analytics (with theanonymizer function). Google Analytics is a web analytics service. Web analytics is the collection,gathering, and analysis of data about the behaviour of visitors to websites. A web analysis servicecollects, inter alia, data about the website from which a person has come (the so-called referrer),which sub-pages were visited, or how often and for what duration a sub-page was viewed. Webanalytics are mainly used for the optimization of a website and in order to carry out a cost-benefitanalysis of Internet advertising.
The operator of the Google Analytics component is Google Inc., 1600 Amphitheatre Pkwy,Mountain View, CA 94043-1351, United States.
For the web analytics through Google Analytics the controller uses the application “_gat._anonymizeIp”. By means of this application the IP address of the Internet connection of the datasubject is abridged by Google and anonymised when accessing our websites from a Member Stateof the European Union or another Contracting State to the Agreement on the European EconomicArea.
The purpose of the Google Analytics component is to analyse the traffic on our website. Googleuses the collected data and information, inter alia, to evaluate the use of our website and to provideonline reports, which show the activities on our websites, and to provide other services concerningthe use of our Internet site for us.
Google Analytics places a cookie on the information technology system of the data subject. Thedefinition of cookies is explained above. With the setting of the cookie, Google is enabled toanalyse the use of our website. With each call-up to one of the individual pages of this Internetsite, which is operated by the controller and into which a Google Analytics component wasintegrated, the Internet browser on the information technology system of the data subject willautomatically submit data through the Google Analytics component for the purpose of onlineadvertising and the settlement of commissions to Google. During the course of this technicalprocedure, the enterprise Google gains knowledge of personal information, such as the IP addressof the data subject, which serves Google, inter alia, to understand the origin of visitors and clicks,and subsequently create commission settlements.
The cookie is used to store personal information, such as the access time, the location from whichthe access was made, and the frequency of visits of our website by the data subject. With each visitto our Internet site, such personal data, including the IP address of the Internet access used by thedata subject, will be transmitted to Google in the United States of America. These personal dataare stored by Google in the United States of America. Google may pass these personal datacollected through the technical procedure to third parties.
The data subject may, as stated above, prevent the setting of cookies through our website at anytime by means of a corresponding adjustment of the web browser used and thus permanently denythe setting of cookies. Such an adjustment to the Internet browser used would also prevent GoogleAnalytics from setting a cookie on the information technology system of the data subject. Inaddition, cookies already in use by Google Analytics may be deleted at any time via a web browseror other software programs.
9. Data protection provisions about the application and use of Google-AdWords
On this website, the controller has integrated Google AdWords. Google AdWords is a service forInternet advertising that allows the advertiser to place ads in Google search engine results and theGoogle advertising network. Google AdWords allows an advertiser to pre-define specifickeywords with the help of which an ad on Google’s search results only then displayed, when theuser utilizes the search engine to retrieve a keyword-relevant search result. In the GoogleAdvertising Network, the ads are distributed on relevant web pages using an automatic algorithm,taking into account the previously defined keywords.
The operating company of Google AdWords is Google Inc., 1600 Amphitheatre Pkwy, MountainView, CA 94043-1351, UNITED STATES.
The purpose of Google AdWords is the promotion of our website by the inclusion of relevantadvertising on the websites of third parties and in the search engine results of the search engineGoogle and an insertion of third-party advertising on our website.
If a data subject reaches our website via a Google ad, a conversion cookie is filed on theinformation technology system of the data subject through Google. The definition of cookies isexplained above. A conversion cookie loses its validity after 30 days and is not used to identifythe data subject. If the cookie has not expired, the conversion cookie is used to check whethercertain sub-pages, e.g., the shopping cart from an online shop system, were called up on ourwebsite. Through the conversion cookie, both Google and the controller can understand whethera person who reached an AdWords ad on our website generated sales, that is, executed or cancelleda sale of goods.
The data and information collected through the use of the conversion cookie is used by Google tocreate visit statistics for our website. These visit statistics are used in order to determine the totalnumber of users who have been served through AdWords ads to ascertain the success or failure ofeach AdWords ad and to optimize our AdWords ads in the future. Neither our company nor otherGoogle AdWords advertisers receive information from Google that could identify the data subject.The conversion cookie stores personal information, e.g. the Internet pages visited by the datasubject. Each time we visit our Internet pages, personal data, including the IP address of theInternet access used by the data subject, is transmitted to Google in the United States of America.These personal data are stored by Google in the United States of America. Google may pass thesepersonal data collected through the technical procedure to third parties.
The data subject may, at any time, prevent the setting of cookies by our website, as stated above,by means of a corresponding setting of the Internet browser used and thus permanently deny thesetting of cookies. Such a setting of the Internet browser used would also prevent Google fromplacing a conversion cookie on the information technology system of the data subject. In addition,a cookie set by Google AdWords may be deleted at any time via the Internet browser or othersoftware programs.
The data subject has a possibility of objecting to the interest based advertisement of Google.Therefore, the data subject must access from each of the browsers in use the linkwww.google.de/settings/ads and set the desired settings.Further information and the applicable data protection provisions of Google may be retrievedunder https://www.google.com/intl/en/policies/privacy/.
10. Legal basis for the processing
Art. 6(1) lit. a GDPR serves as the legal basis for processing operations for which we obtainconsent for a specific processing purpose. If the processing of personal data is necessary for theperformance of a contract to which the data subject is party, as is the case, for example, whenprocessing operations are necessary for the supply of goods or to provide any other service, theprocessing is based on Article 6(1) lit. b GDPR. The same applies to such processing operationswhich are necessary for carrying out pre-contractual measures, for example in the case of inquiriesconcerning our products or services. Is our company subject to a legal obligation by whichprocessing of personal data is required, such as for the fulfilment of tax obligations, the processingis based on Art. 6(1) lit. c GDPR. In rare cases, the processing of personal data may be necessaryto protect the vital interests of the data subject or of another natural person. This would be the case,for example, if a visitor were injured in our company and his name, age, health insurance data orother vital information would have to be passed on to a doctor, hospital or other third party. Thenthe processing would be based on Art. 6(1) lit. d GDPR. Finally, processing operations could bebased on Article 6(1) lit. f GDPR. This legal basis is used for processing operations which are notcovered by any of the abovementioned legal grounds, if processing is necessary for the purposesof the legitimate interests pursued by our company or by a third party, except where such interestsare overridden by the interests or fundamental rights and freedoms of the data subject whichrequire protection of personal data. Such processing operations are particularly permissiblebecause they have been specifically mentioned by the European legislator. He considered that alegitimate interest could be assumed if the data subject is a client of the controller (Recital 47Sentence 2 GDPR).
11. The legitimate interests pursued by the controller or by a third party
Where the processing of personal data is based on Article 6(1) lit. f GDPR our legitimate interestis to carry out our business in favour of the well-being of all our employees and the shareholders.
12. Period for which the personal data will be stored
The criteria used to determine the period of storage of personal data is the respective statutoryretention period. After expiration of that period, the corresponding data is routinely deleted, aslong as it is no longer necessary for the fulfilment of the contract or the initiation of a contract.
13. Provision of personal data as statutory or contractual requirement; Requirement necessary toenter into a contract; Obligation of the data subject to provide the personal data; possibleconsequences of failure to provide such data
We clarify that the provision of personal data is partly required by law (e.g. tax regulations) or canalso result from contractual provisions (e.g. information on the contractual partner). Sometimes itmay be necessary to conclude a contract that the data subject provides us with personal data, whichmust subsequently be processed by us. The data subject is, for example, obliged to provide us withpersonal data when our company signs a contract with him or her. The non-provision of thepersonal data would have the consequence that the contract with the data subject could not beconcluded. Before personal data is provided by the data subject, the data subject must contact anyemployee. The employee clarifies to the data subject whether the provision of the personal data isrequired by law or contract or is necessary for the conclusion of the contract, whether there is anobligation to provide the personal data and the consequences of non-provision of the personal data.
14. Existence of automated decision-making
>As a responsible company, we do not use automatic decision-making or profiling.