Privacy Policy

The CHIRON Group SE (hereinafter referred to as the »CHIRON Group«) takes your justified concerns regarding data privacy very seriously, and complies with the provisions of the General Data Protection Regulation (GDPR), the Telemediengesetz (German Telemedia Act) and any other applicable data protection regulations.

The CHIRON Group handles the data that you send to us carefully and diligently. Any collection, processing or use of data, in any form, is always performed within the scope of legal provisions or with your express consent.

Privacy protection is vitally important for the future of Internet-based business models and for the development of an Internet-based economy. This policy underlines the commitment of the CHIRON Group to protecting privacy. Below you can find information about how the CHIRON Group handles personal data on this website.

This Privacy Policy applies to this website and to all other websites that refer to this Privacy Policy. It may be the case that different data protection provisions apply to individual companies within the CHIRON Group. We therefore ask that you carefully read the Privacy Policies of all CHIRON Group websites that you visit.

The controller pursuant to Art. 4 (7) of the General Data Protection Regulation (GDPR) is:

CHIRON Group SE

registered in the Commercial Register of the Stuttgart Local Court (Amtsgericht), HRB 750831
Kreuzstraße 75
78532 Tuttlingen, Germany
Email: [email protected]
Tel. +49 (0) 7461 940-0

You can contact our data protection officer at:

CHIRON Group SE
Data protection officer
Kreuzstraße 75
78532 Tuttlingen, Germany
E-Mail: [email protected]

Global data protection standards

Our handling of personal data is based on international principles and standards concerning transparency regarding the use of personal data, observing and granting rights of choice, access rules, data integrity rules, data protection rules, data transfer rules and rules regarding monitoring the lawfulness of data processing. In particular, CHIRON Group is compliant with the General Data Protection Regulation (GDPR).

Consent

By using this website, you agree to the electronic storage and use of your data as described below. Changes to this Privacy Policy are always announced on this website so that you are always kept informed about the data which the CHIRON Group stores and how it is used.

In addition, where required by applicable data protection laws, we will ask for your express permission for further processing of the personal data collected on this website or provided by you.

Recording and processing personal data

The CHIRON Group would like to better understand your wishes and interests and provide you with the best possible service. For this reason, the CHIRON Group collects and uses personal data in the manner described below, in compliance with applicable data protection law.

If you visit our website, we record your IP address and use cookies and other Internet technologies (hereinafter referred to as »automated tools« and »integrated web links«) that enable us to gather general information about users of our website and their interests. An explanation of the technologies we use and the types of information we collect with them is provided below.

We also record and process data that you voluntarily share with us, for example, if you register for events, subscribe to our newsletter, participate in online surveys, discussion groups or forums, or make purchases.

What data do we collect and why?

The CHIRON Group uses the data collected as part of our efforts to provide you with consistent personal support. The CHIRON Group uses your data exclusively as described in this policy or when collected. Any subsequent changes to the intended use of your data are subject to your express permission, unless the change is otherwise justified by applicable legal provisions.

We process your data for the following purposes, among others:

  • To maintain our relationship with you, e.g. via our databases in which we amalgamate data about you from various sources in order to gain an overview of our collaboration with you; this is also intended to enable us to better understand your preferences and improve and individualize our communications with you;

  • To process and deliver services and products ordered by you;

  • To perform tasks required to prepare or fulfill contracts;

  • To provide proof of business transactions;

  • To provide you with suitable and up-to-date information regarding our products and services;

  • To improve the quality of our products and services by adjusting them to meet your specific needs;

  • To answer your queries and provide you with efficient support;

  • To manage communication and collaboration with you;

  • To track our activities (e.g. measurement of collaboration or purchases, number of meetings/appointments, topics discussed, documents presented);

  • To invite you to events sponsored by or used by us (e.g. speeches, conferences);

  • To manage our IT resources, including infrastructure management and business continuity;

  • To safeguard the commercial interests of the company and ensure compliance and reporting (e.g. compliance with our guidelines and local legal provisions, taxes and deductions, compliance with internal contribution limits, management of alleged misconduct or fraud, completion of audits and defense against legal disputes);

  • For archiving and record-keeping;

  • For processing job applications;

  • For invoicing and accounting; and

  • For other purposes as required by law and authorities.

  • In certain cases, we are legally obligated to provide data to government agencies (institutions or authorities) upon request. The legal basis for processing is Art. 6 (1)(c) GDPR or Section 24 (2)(1) BDSG (German Federal Data Protection Act).

  • In some cases, contractual partners require the personal data of our customers. This generally occurs as part of contract fulfillment (e.g. in the event of complaints). This is expressly prescribed by law. In the event of this, the CHIRON Group remains responsible for protecting your data – potentially alongside the data processor. The business partner in question will work in accordance with our instructions, which the CHIRON Group ensures via strict contractual provisions.

  • To meet statutory obligations concerning recording, documentation, and reporting to responsible authorities.

IP Addresses

IP addresses are used for the analysis of malfunctions, management of the website, and gathering demographic information. We also use IP addresses and, where applicable, other information that you provide us on this website to determine which of our pages are accessed by our visitors and which topics interest them. We use the insights we gain as a result to optimize the information we provide you about our products and services. The CHIRON Group only records such data in anonymized form and will never link it to the profile of a registered user without that user's permission. By default, only the domain name is recorded when our website is accessed.

The CHIRON Group only records data in connection with your visit to the CHIRON Group website. We do not record personal data when you visit websites belonging to other companies or organizations that are not part of the CHIRON Group.

Cookies

a) We use cookies on our website(s). These are small files created automatically by your browser and stored on your end device (laptop, tablet, smartphone, etc.) when you visit our website. Cookies do not cause any damage to your end device and do not contain viruses, trojans or other malware. Cookies store information produced in conjunction with the specific end device used in each case. However, this does not mean that they enable us to directly learn about your identity. One use of cookies is to make your use of our services more convenient. To this end, we use session cookies to determine whether you have already visited individual pages of our website. These cookies are automatically deleted when you leave our website.

b) In addition, to optimize the user experience of our website, we also use temporary cookies that are stored on your end device for a defined length of time. If you visit our website again in order to use our services, the fact that you have already visited us will be automatically detected along with the inputs and settings you have previously entered, so that you do not need to enter them again.

c) We also use cookies to record statistical information about the use of our website and for evaluation for the purpose of optimizing the services we offer for you. These cookies enable us to automatically detect that you have previously visited our website when you access it a second time. These cookies are automatically deleted after a defined length of time in each case.

d) These cookies process data and are required for the specified purposes in order to safeguard our legitimate interests as well as the interests of third parties in accordance with Art. 6 (1)(f) GDPR.

e) Most browsers accept cookies automatically. However, you can configure your browser to prevent cookies being stored on your computer or to provide you with a prompt to accept before a new cookie is stored. Fully deactivating cookies may, however, mean that you are not able to make full use of all the functions of our website.

E-mail addresses

If you provide us with your e-mail address directly or via the contact form, we will also contact you via e-mail. We will not pass on your e-mail address to third parties outside of the CHIRON Group. You can decide at any time that you no longer wish to receive any e-mails from the CHIRON Group.

Depending on your e-mail program settings, information may be sent to the CHIRON Group automatically when you send an e-mail to the CHIRON Group.

Settings and registration for events

Our website contains order forms that you can fill out to request information, products and services.

Use of external service providers

We work together with service providers who process specific data on behalf of us. This is performed exclusively in accordance with applicable data privacy law in each case. In particular, we have agreements in place with processors for data processing on our behalf that are in compliance with Article 28 of the GDPR.

Information regarding newsletter distribution and consent

The information below provides clarification about the content of our newsletter as well as the processes for subscription, distribution and statistical evaluation as well as your right to object. By subscribing to our newsletter, you agree to receive the newsletter and to the processes described here.

Newsletter data

If you wish to receive the newsletter offered on our website, we need your e-mail address as well as information that enables us to check that you are the owner of the provided e-mail address and that you consent to receive the newsletter. No further data is gathered, except on a voluntary basis. This data is used exclusively for the purposes of sending the requested information, and we do not disclose it to third parties.

Processing of the data entered in the newsletter subscription form is performed exclusively on the basis of your consent (Art. 6 (1)(a) GDPR).

You can revoke the consent you give for storage of your data and e-mail address and for the use of this data for sending the newsletter at any time, for example by using the »Unsubscribe« link in the newsletter. This revocation does not affect the legality of any data processing that has already taken place.

The data that you provide to us for the purposes of subscribing to the newsletter is stored until you unsubscribe from the newsletter, and is deleted once you unsubscribe from the newsletter. Data stored for other purposes (e.g. e-mail addresses for the members only area) is not affected by this.

Double Opt-In and recording

Subscription to our newsletter uses a double opt-in process. This means that once you subscribe, you will receive an e-mail asking you to confirm your subscription. This confirmation is necessary to prevent users subscribing using e-mail addresses belonging to others. Subscriptions to the newsletter are recorded in order to provide evidence of the subscription process for the purposes of meeting legal obligations. This includes storage of the time at which the subscription and confirmation were made, as well as the IP address.

Newsletter distribution with CleverReach

This website uses CleverReach for distribution of newsletters. This is a service provided by CleverReach GmbH & Co. KG, Mühlenstr. 43, 26180 Rastede, Germany. CleverReach is a service that enables the organization and analysis of distribution of the newsletter. The data provided by you for the purposes of subscribing to the newsletter (e.g. e-mail address) is stored on the CleverReach servers in Germany and/or Ireland.

Using CleverReach to send our newsletters enables us to analyze the behavior of newsletter recipients. This includes, among other things, analyzing how many recipients opened the newsletter message and how often each of the links in the newsletter was clicked. Using the process known as conversion tracking, we are also able to analyze whether a predefined action (e.g. purchasing a product on our website) occurred after a newsletter link was clicked.

Further information about data analysis using CleverReach newsletters is available here: https://www.cleverreach.com/de/funktionen/reporting-und-tracking/.

Data processing is performed on the basis of your consent (Art. 6 (1)(a) GDPR). You can revoke this consent at any time by unsubscribing from the newsletter. This revocation does not affect the legality of any data processing that has already taken place.

If you do not wish for any analysis to be performed by CleverReach, you must unsubscribe from the newsletter. We provide a link to do so in every newsletter message. You can also unsubscribe from the newsletter directly on the website.

The data that you provide to us for the purposes of subscribing to the newsletter is stored until you unsubscribe from the newsletter, and is deleted from our servers and the CleverReach servers once you unsubscribe from the newsletter. Data stored for other purposes (e.g. e-mail addresses for the members only area) is not affected by this.

You can find more information about the CleverReach privacy policy here: https://www.cleverreach.com/de/datenschutz/.

Formation of a contract regarding data processing on our behalf

We have entered into a contract with CleverReach for data processing performed on our behalf, which incorporates the strict provisions of German data protection authorities in full for the use of data by CleverReach.

Disclosure of personal data

We do not disclose your personal data to third parties except for the purposes listed below. We will only disclose your personal data to third parties if:

a) You have given your express consent for us to do so in accordance with Art. 6 (1)(a) GDPR, Section 26 (2) of the Bundesdatenschutzgesetz (BDSG, German Federal Data Protection Act),

b) Disclosure is necessary in accordance with Art. 6 (1)(f) GDPR for asserting, exercising or defending against legal claims and there is no reason to assume that you have an overriding protected interest in the nondisclosure of your data,

c) In the event of a legal obligation for disclosure in accordance with Art. 6 (1)(c) GDPR, or

d) If it is legally permitted and necessary for execution of a contractual relationship with you or for precontractual measures at your request in accordance with Art. 6 (1)(b) GDPR, Section 26 (1) BDSG (German Federal Data Protection Act).

We have no intention of transferring your personal data to a third country or international organization, and automated decision-making, including profiling, will not take place, unless otherwise specified below in this Privacy Policy.

If necessary, the CHIRON Group will transfer data to business partners, service providers, third parties or subcontractors. This may be necessary to provide you with a service or transaction you have requested, such as order handling, for customer service purposes or to inform you about services or products.

Your personal data will not be transferred, disclosed or otherwise provided to third parties for marketing purposes without your prior consent.

The CHIRON Group may be obligated to disclose your data and associated information as a result of a court order or official order. We also reserve the right to use your data to assert or defend against legal claims.

In the event of a takeover or merger with another company, disclosure or transfer of personal data to potential or actual acquirers may be necessary. In such a case, the CHIRON Group will endeavor to ensure the highest possible level of data protection.

In accordance with applicable law, we reserve the right to store and transfer personal and other data to investigate and combat illegal activities and fraud attempts or infringements of the CHIRON Group terms of service.

Data transfer to third countries

The adoption of the European General Data Protection Regulation (GDPR) created a unified basis for data protection in Europe. Your data is therefore predominantly processed by companies subject to the GDPR. However, if processing takes place using services provided by third parties outside of the European Union or the European Economic Area, these third parties must meet the special requirements of Art. 44 et seq. GDPR. This means that processing takes place on the basis of special guarantees, such as the determination of a data protection level equivalent to EU requirements that has been officially recognized by the EU Commission, or compliance with officially recognized contractual obligations, known as »Standard contractual clauses«.

Analysis tools

The tracking measures listed below and used by us are implemented on the basis of Art. 6 (1)(f) GDPR. The use of the subsequent measures is intended to ensure that our website is designed in a way that meets the needs of its users and is continuously optimized. We also use these tracking measures to record statistical information about the use of our website and for evaluation in order to optimize the services we offer for you. These interests are considered to be justified in accordance with the aforementioned provision. The relevant data processing purposes and data categories can be found in the more detailed descriptions of the tracking tools below.

Privacy Policy for the use of Fathom Analytics

This website uses the Fathom analysis service. Fathom is not based on »cookies«. It does not create cookies or save any personal information about you. This means that Fathom is fully GDPR-compliant. The use of Fathom is based on Art. 6 (1)(f) GDPR. The site operator has a legitimate interest in anonymized analysis of user behavior in order to optimize their web services and marketing campaigns. The Fathom Data Privacy Notice can be found here: https://usefathom.com/privacy

Links to social media platforms

The CHIRON Group website occasionally uses links to social media platforms such as Facebook, Instagram, LinkedIn and XING on certain pages.

These links can create a brief connection between your Internet browser and the servers of the social media platform in question, at which point the content of that platform is transferred from there to your Internet browser.

As a result, the operator of the social media platform will learn your IP address. In some cases, the operators of social media platforms will also attempt to save cookies onto your computer which will be deleted once your Internet browser is closed.

If you are logged into the social media platform at the same time, information about your visit to the CHIRON Group website could be associated with your user account at the social media platform in question, and stored, processed and used by the operator of that social media platform.

The CHIRON Group website contains links to the social media networks www.facebook.com and www.instagram.com. You can only use the page if you have a Facebook user account and/or an Instagram user account and are logged into that account. You can learn about how Facebook processes and uses the data that you disclose as a user of facebook.com and how you can limit its disclosure at www.facebook.com/about/privacy/.

Privacy Policy for TikTok

We use services by »TikTok« on our website (for EU: TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland).

If you have not given your consent with the Consent Manager, you have the option to subsequently give consent via the »two-click process«. If you access a page in which a TikTok video is embedded, a connection is only established to the TikTok servers when you click on the button to confirm. If you do so, TikTok will create cookies and use your visit data for its own purposes. If you are logged into TikTok at that time, the information regarding the video you viewed will be assigned to your TikTok user account. You can prevent this by logging out of your user account before visiting our website.

There is a risk that your data could be processed in the USA and transferred there, i.e. to a third country outside of the European Union (EU) or the European Economic Area (EEA). There is no adequacy decision by the EU Commission indicating that there is a level of data protection equivalent to the European standard present in the USA. According to the European Court of Justice (ECJ), there is a particular risk that data could be processed by US agencies for monitoring purposes without you noticing. The legal basis for processing of your data is your consent in accordance with Article 49 (1)(a) GDPR. This consent can be revoked with effect for the future at any time.

You can find further information about this in the TikTok Privacy Policy at https://www.tiktok.com/legal/privacy-policy.

The legal basis for this data processing is your consent in accordance with Art. 6 (1)(a) GDPR. You can revoke your consent at any time with effect for the future by opening your cookie settings and changing them accordingly.

Privacy Policy for Facebook

This website uses technologies by Facebook Ireland Limited (»Facebook«, 4 Grand Canal Square, Dublin 2, Ireland). Facebook is a service for Internet advertisements that enables advertisers to reach targeted users with advertisements on Facebook directly as well as in the Facebook advertising network. Using the »Custom Audiences« remarketing function, users of the website are shown »Facebook ads« that contain interest-based advertisements when they visit Facebook or other pages that use this process. The purpose of this is to increase the attractiveness of our website via targeted marketing and to place advertisements. If you have a Facebook account, this can be recognized by the set Facebook Pixel which transfers the collected usage data to Facebook. The Facebook Pixel is a piece of JavaScript code. Facebook uses tracking cookies in order to display targeted Facebook advertisements based on information regarding user behavior and information about devices. This data is stored for a maximum of 180 days. Further information about the purpose and scope of data collection and further processing and use of this data by Facebook as well as the setting options available for you to protect your privacy can be found in the Facebook Privacy Policy. If you do not wish to receive interest-based advertisements, you can deactivate this function in your browser.

We have no influence over the information that Facebook processes or amalgamates. It may be possible for you to be identified by Facebook if data can be associated with your Facebook account or you are logged into a Facebook account, for example.

You can find out about and change the relevant settings regarding Facebook advertising at https://www.facebook.com/about/basics/advertising.

Instructions for doing so are available here: https://www.facebook.com/about/basics/advertising/ad-preferences. Users who are logged into Facebook can deactivate and adjust these functions here: https://www.facebook.com/settings/?tab=ads#_.

The data collected in this context may be transferred to a server in the USA for analysis and saved there by Facebook. In the event that personal data is to be transferred to the USA, we will first obtain your express permission for this data transfer via the cookie banner in accordance with Art. 49 (1)(a) GDPR.

Privacy Policy for the use of LinkedIn

Plugins by the LinkedIn social network operated by the LinkedIn Corporation, 2029 Stierlin Court, Mountain View, CA 94043, USA (hereinafter referred to as »LinkedIn«) are integrated into our website. The LinkedIn plugins on this website can be recognized by the LinkedIn logo or the »Share button« (hereinafter referred to in general as »LinkedIn plugins«). If you visit our website, the LinkedIn plugins will establish a direct connection between your browser and the LinkedIn server. Via this connection, LinkedIn receives the information that you have visited this website using your IP address. If you click on the LinkedIn »Share button« while you are logged into your LinkedIn account, you can link the content of this website to your LinkedIn profile. This enables LinkedIn to associate your visit to this website with your user account. Please note that we as the operator of the site do not receive any information about the content of the data transferred, nor about how it is used by LinkedIn. Details regarding data recording (purpose, scope, further processing, use) and your rights and setting options can be found in the LinkedIn Privacy Policy. This information is available on the LinkedIn website at: http://www.linkedin.com/static?key=privacy_policy&trk=hb_ft_priv.

Privacy Policy for the use of Xing

The »XING Share Button« is used on this website. If you visit this website, your browser will establish a brief connection to the servers of XING AG (»XING«), the provider of the »XING Share Button« functions (including a visitor counter). XING does not store any personal data about you or your visit when you access the website. XING does not store IP addresses and does not use cookies to monitor your visitor behavior with regard to the »XING Share Button«. For further information and the latest version of the »XING Share Button« Privacy Policy, please visit the following website: https://dev.xing.com/plugins/share_button/privacy_policy

Privacy Policy for Instagram

Functions and content of the Instagram service, provided by Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA, may be incorporated into our online services. These may include content such as images, videos or text and buttons that enable users to indicate whether they like certain content or subscribe to the creators of the content or to our contributions. If users are members of the Instagram platform, Instagram may associate the content and functions listed above to the Instagram profile of the user. Instagram privacy policy: http://instagram.com/about/legal/privacy/.

Privacy policy for iFrames by FAMIGO

On our website, we use iFrames (a location marketing tool) from FAMIGO GmbH at In der Spöck 10, 77656 Offenburg, Germany (»FAMIGO«). This iFrames tool is only used to enable the provision and display of content such as graphics from FAMIGO. For this purpose, FAMIGO collects the following log files: browser type and browser version, operating system used, referrer URL, host name of the accessing computer, time of the server request. The log files are stored for a period of 90 days. Use for other purposes is excluded. The hosting of the database, as well as the cloud solution, takes place at secured data centers in Germany. A data processing agreement (AV-Vertrag) has been concluded with FAMIGO.

The legal basis for the processing of personal data is Art. 6 para. 1 s. 1 lit. f GDPR.

Privacy Policy for Microsoft Teams

We use the »Microsoft Teams« service provided by Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399 USA (hereinafter referred to as »Microsoft Teams«) to hold online meetings, video conferences and/or webinars. In the event of usage of Microsoft Teams, a variety of data is processed.

The scope of the processed data depends on the data that you share before or while taking part in an online meeting, a video conference or a webinar. During usage of Microsoft Teams, data of the participants in the communication is processed and stored on Microsoft Teams servers. This data may include but is not limited to your login details (name, e-mail address, phone number (optional) and password) and meeting data (topic, participant IP address, device information, and description (optional)).

In addition, visual and audio contributions by participants as well as voice input in chats can be processed. The processing of personal data required to perform a contract with you (this also applies for processing operations required to complete precontractual measures) uses Art. 6 (1)(b) GDPR as its legal basis.

If you have given us your consent for the processing of your data, processing is performed on the basis of Art. 6 (1)(a) GDPR. Any consent given can be revoked with effect for the future at any time. Otherwise, the legal basis for data processing as part of holding online meetings, video conferences or webinars is our legitimate interest in accordance with Art. 6 (1)(f) GDPR in effectively holding the online meeting, webinar or video conference.

Further information about data usage by Microsoft Teams is available in the Microsoft Teams privacy statement at: https://privacy.microsoft.com/en-US/privacystatement

Links to other websites

Our website may contain links to websites belonging to third-party providers. The CHIRON Group is not responsible for the data protection practices or content of websites outside of the CHIRON Group.

Data retention

The CHIRON Group only retains personal data for as long as necessary for the purpose or legal provisions for which it was collected.

Information regarding data processing for the application process in accordance with Art. 13 GDPR

The application data you send to us is processed and stored electronically until the end of the application process.

Collecting and storing personal data, as well as the type and purpose of its use

If you contact us as part of your application, we will collect the following information:

Title, first name, last name, a valid e-mail address

Address

Phone number (landline and/or mobile phone)

Information that we need for the application process

This data is collected in order to enable us to correspond with you. Data processing is performed on the basis of your application and is required for the stated purposes for the reasonable processing of your application in accordance with Art. 6 (1)(b) GDPR. Your personal data will not be transferred to third parties.

Access to data

The data you disclose will be treated as confidential. As part of a specific application, only persons who are involved with the recruitment process for that vacancy will have access to the data you disclose. These include but are not limited to members of the personnel department of the CHIRON Group SE, company management and the relevant division manager.

Erasure of data

We store and use your data only for as long as necessary for making a decision regarding establishment of an employment relationship with you. If your application is rejected, the application process is concluded.

In general, your personal data will be deleted automatically six months following the conclusion of the application process. This does not apply if statutory provisions prevent deletion, if further storage is necessary for the purpose of providing evidence, or if you have given consent to further storage in accordance with Art. 6 (1)(a) GDPR.

Privacy policy for voice recordings of incoming telephone calls to the service number, where consent to recording has been granted

This policy provides information about how and why we process your personal data pursuant to the General Data Protection Regulation (GDPR) in relation to the possible recording of telephone conversations – provided you have consented to this – and about your rights in this regard:

We process data in the following categories, which make reference to you, or may make reference to you:

Communication content and communication connection data/metadata, such as your consent, start time of the call, duration of the call, end time of the call and, if applicable (i.e. if transmitted), the number you are calling from

We process your data (purposes of the processing),

• for training purposes,

• to improve the quality of our service.

The legal basis for this data processing is your consent, pursuant to Article 6(1)(a) GDPR.

The data that we process is collected directly from you without exception.

If you have provided us with your data, there is no legal or contractual obligation associated with this provision of data, nor is it required in order to enter into a contract.

Once the conversation has ended, the recordings are stored as mp3 files for a maximum of 30 days. After this time, the files are automatically erased.

Your data is processed by means of commissioned data processing, primarily by the service provider who delivers our customer service. It is only accessed by other parties, e.g. by forwarding to recipients, if this is required for the operation of technical infrastructure. All our service providers are obligated to comply with the provisions of the GDPR.

Privacy policy for sweepstakes

We attach great importance to the protection of your personal data and compliance with data protection requirements. In the following, we will show you in particular which personal data we process, for which purpose and on which legal basis.

1. Who is responsible for the data processing?

The responsible party for the data processing is the CHIRON Group SE in Tuttlingen, Germany. The external data protection officer for CHIRON Group SE can be contacted at [email protected].

2. What categories of personal data do I use?

As part of your participation in the sweepstakes, we process the contact data (name, company name, e-mail address, telephone number) provided by you, as well as the log data generated through the use of our IT systems. In addition, we process the data provided by you in the event of a win:

  • First and last name

  • E-mail address

  • Company name

  • Telephone number

To accept the prize, the winner must indicate the publication of his name (first name and first letter of the surname or Instagram profile name) on our Instagram channels.

3. Where does this data come from?

The data comes directly from you because the data was collected in the course of your participation in the sweepstakes.

4. For what purposes will my data be processed? What legal basis does the company rely on for this?

a. Art. 6 para. 1 lit. b) GDPR

We process personal data in the course of the contract initiation and fulfillment of the sweepstakes contract concluded between you and us. The processing is carried out to provide contractually guaranteed services, such as the fulfillment of any claim to the transfer of the prize offered as part of the sweepstakes.

The legal basis for this is Art. 6 para. 1 lit. b) GDPR. In the context of the performance and execution of the contract, we process the data that you have provided to us upon conclusion of the contract or in the course of the contractual relationship. In particular, this includes your master data (name, surname, date of birth, address, e-mail address).

b. Art. 6 para. 1 lit. a) GDPR

If you have given us your consent to process your data, then we will process the data for the purposes stated in the declaration of consent. You can revoke your consent at any time.

c. Art. 6 para. 1 lit. f) GDPR

We also process your data to protect our legitimate interests or those of third parties. This applies, in particular, with regard to internal communication between affiliated companies and other administrative purposes.

5. Will the data be shared?

Within our company or group of companies, those employees who need the data to fulfill their contractual or legal obligations are given access to the data. In addition, the service providers we use may also receive data from us for these purposes:

6. What rights do I have?

Insofar as we cite our legitimate interest (Art. 6 para. 1 f) GDPR) as the basis for lawfulness, you have the right to object according to Art. 21 GDPR.

According to Art. 21 GDPR, you have the right to object to the processing of personal data at any time. We will then no longer process your personal data for direct marketing purposes or any related profiling.

We will also not process your personal data for other purposes after an objection, unless we can demonstrate compelling legitimate grounds for the processing that outweigh your interests, rights and freedoms, or the processing serves the purpose of asserting, exercising or defending legal claims (cf. Art. 21 para. 1, para. 6 GDPR, so-called »limited right of objection«). In this case, you must provide reasons for the objection that arise from your particular situation.

7. Am I entitled to a right of appeal?

Yes, you have the option of contacting us directly or a competent data protection supervisory authority with a complaint.

We attach great importance to transparency. Therefore, please do not hesitate to contact us at any time if you have any questions.

8. How long will my data be stored?

Participants' data will be treated with absolute confidentiality and deleted after a period of four weeks.

For those participants who have won a prize in the sweepstakes, your personal data will be deleted or destroyed four weeks after the prize has been handed over or sent to you. An exception applies to winners of prizes that must be redeemed by a certain date (e.g., vouchers). In such cases, the data will be deleted after the redemption date at the latest.

For participants who have not won: If you have not won a prize in the sweepstakes, your personal data will be deleted or destroyed four weeks after the drawing of the winners.

We will retain the personal data for this period because, in individual cases, subsequent drawings may be necessary (e.g., if a winner has provided an incorrect contact number and can therefore not be reached).

Special features in the case of participation by e-mail: We would like to point out that if you participate in the sweepstakes by e-mail, then this e-mail will be stored and archived in our company for a period of 10 years.

We will process and store your personal data for the period of the existing contract. If the data is no longer required for the fulfillment of contractual or legal obligations, then we regularly delete the data, although we must comply with the statutory retention obligations (esp. § 257 HGB and § 147 para. 1 AO). These may last up to 7 years. Insofar as data is to be retained to secure the enforcement of legal claims, the limitation periods may be up to 30 years, whereby the regular limitation period is three years.

If we use your data for advertising purposes, we will only process the data until you have objected to its use or revoked your consent, or until its use is no longer legally permissible.

9. Do I have to give you my data?

Within the scope of our contractual relationship, you must provide the personal data that is necessary for the execution and fulfillment of the contract or that we are legally obligated to process. Without this data, we will generally not be able to conclude the contract with you.

Rights of the data subject

You have the right,

a) in accordance with Art. 15 GDPR, to obtain access to the personal data processed by us. In particular, you can obtain information about the purposes of processing, the categories of personal data concerned, the categories of recipient to whom your personal data has been or will be disclosed, the planned period for which the personal data will be stored, the existence of the right to request rectification, erasure, restriction of processing or to object to processing, the existence of a right to lodge a complaint, the origin of the data where it was not collected by us, and the existence of automatic decision-making, including profiling, and where applicable meaningful information about the details of such;

b) in accordance with Art. 16 GDPR, to obtain without undue delay the rectification of inaccurate personal data or to have incomplete personal data stored by us completed;

c) in accordance with Art. 17 GDPR, to obtain the erasure of personal data stored by us, unless the processing of such data is necessary for exercising the right of freedom of expression and information, for compliance with a legal obligation, for reasons of public interest or for the establishment, exercise or defense of legal claims;

d) in accordance with Art. 18 GDPR, to obtain restriction of processing of your personal data where the accuracy of the data is contested by you, the processing is unlawful and you oppose the erasure of the personal data, where we no longer need the personal data but you require it for the establishment, exercise or defense of legal claims, or where you have objected to processing pursuant to Art. 21 GDPR;

e) in accordance with Art. 20 GDPR, to receive your personal data that you have provided to us in a structured, commonly used and machine-readable format or to have the data transmitted to another controller;

f) in accordance with Art. 7 (3) GDPR, to withdraw the consent that you have given us at any time. This would mean that we would no longer be permitted to continue data processing based on such consent in the future; and

g) in accordance with Art. 77 GDPR, to lodge a complaint with a supervisory authority. In general, you can lodge a complaint with the supervisory authority associated with your habitual residence or place of work, or the place of our company.

The supervisory authority responsible for data protection for the CHIRON Group SE is:

Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg (The state representative for data protection and information freedom of Baden-Württemberg)

Postfach 10 29 32, 70025 Stuttgart, Germany

Königstraße 10a, 70173 Stuttgart, Germany

Tel.: +49 711 615541-0

Fax: +49 711 615541-15

E-Mail: [email protected]

Website: www.baden-wuerttemberg.datenschutz.de

To exercise any of the rights listed above or for any questions regarding data protection, you can contact the controller in accordance with para. 1 above or send an e-mail to [email protected].

Right to object

If your personal data is processed on the basis of legitimate interest in accordance with Art. 6 (1)(f) GDPR, you have the right, in accordance with Art. 21 GDPR, to object to the processing of your personal data where there are grounds for doing so resulting from your specific situation or the objection concerns direct marketing. In the latter case, you have a general right to object, which we will honor without the need to indicate a specific situation. If you wish to exercise your right to revoke your consent or to object, simply send an e-mail to [email protected].

Data security

a) For security within the context of your visit to our website, we use the commonly used SSL (Secure Sockets Layer) method in conjunction with the highest level of encryption supported by your browser. In general, this is 256-bit encryption. If your browser does not support 256-bit encryption, we will instead use the 128-bit v3 technology. You can determine whether an individual page of our website is transmitted with encryption by checking whether the key or lock symbol in the bottom status bar of your browser is closed. Any data entered into the registration form in our career section is likewise only transmitted to us in an encrypted form.

b) We otherwise use technical and organizational security measures to protect your data against accidental or intentional tampering, partial or complete loss, destruction or unauthorized access by third parties. Our security measures undergo continuous development to ensure they remain up to date with technological developments.

Changes to this Privacy Policy

We will update this Privacy Policy if necessary for reasons relating to current circumstances, such as changes to applicable data protection regulations.

Data from: May 9, 2023

Source: German version of this privacy policy. This is a non-binding convenience translation; the original German remains the only legally binding version.