Data Protection
GDPR

   1. What is this Privacy Policy about?
   2. Who are we?
   3. What is “personal data” and what does “processing” mean?
   4. When, for whom, and for what purpose does this Privacy Policy apply?
   5. What personal data do we process and for what purposes?
   6. To whom do we disclose your personal data?
   7. When do we transfer personal data abroad?
   8. Do we engage in profiling and automated individual decision-making?
   9. How do we protect your personal data?
   10. How long do we store your personal data?
   11. What rights do you have regarding the processing of your personal data?
   12. What else should you be aware of?
   13. Changes to this Privacy Policy

1. What is this Privacy Policy about?
Data protection is a matter of trust, and your trust is important to us. That is why we have published this Privacy Policy. In light of the new European General Data Protection Regulation (“GDPR”), it explains what personal data we process and how we do so. Although the GDPR is a regulation of the European Union, it is relevant to us. Swiss data protection law is heavily influenced by European law, and the upcoming revision of the Swiss Federal Act on Data Protection (FADP) will incorporate many provisions of the GDPR. In addition, companies outside the EU must comply with the GDPR under certain circumstances. However, we want to ensure the high level of protection provided by the GDPR for all individuals whose personal data we process, and have therefore decided to align this privacy policy entirely with the GDPR.

It is important to us that you are fully informed about the processing of your personal data. With this privacy policy, we therefore inform you how and why we collect, process, and use your personal data. It is important to us that you understand:

  • what personal data we collect about you;
  • when we collect your personal data;
  • for what purpose we use your personal data;
  • how long we retain your personal data;
  • who has access to your personal data; and
  • what rights you have regarding your personal data.

You will find relevant information and explanations below. Further details can be found in the table at the end of this Privacy Policy. If you have any questions, please feel free to contact us at any time. You can find our contact information under → Section 2.

2. Who are we?
The following company (“we” or “us”) is responsible for data processing under this Privacy Policy:

Galderma SA

Zählerweg 10

6300 Zug

Switzerland

Phone: +41 58 455 85 00

Fax: +41 58 455 85 90

3. What is “personal data” and what does “processing” mean?
Personal data (or “personal information”) refers to any information that can be associated with a specific natural person, i.e., a human being. This includes, for example, the following information, provided it can be attributed to a specific person:

  • contact information, e.g., name, address, email address, phone number;
  • other personal details, e.g., gender, date of birth and age, marital status, nationality, passport number;
  • employment-related details, e.g., occupation, title, position, education, previous employers, skills and experience, licenses and certifications, and memberships;
  • purchasing information, e.g., details regarding purchases, orders, purchase history, preferred shopping locations and times, shopping carts, preferences, and affinity for certain product categories;
  • financial information, e.g., credit card number, account details, creditworthiness, assets, and income;
  • health data, information regarding physical and mental impairments, treatments, and medication;
  • image, audio, and video recordings; and
  • records of your visits to our website and your use of apps.

Personal data also includes any other information that we can associate with a specific individual. In Switzerland, data or information relating to a specific legal entity (e.g., details of a contract with a company) is also considered personal data.

Certain types of personal data are classified by law as particularly sensitive and are subject to special protection. These include “sensitive personal data” (also referred to as “special categories of personal data”). This includes the health data, genetic data, and biometric data that we process. Furthermore, this includes, in particular, data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; data concerning sexual life or sexual orientation; and, finally, data regarding criminal convictions and offenses, as well as, under certain circumstances, data regarding social welfare measures.

We do not necessarily process all of the personal data mentioned in this section. Specific details regarding the personal data we process can be found under → Section 5 and in the → table at the end of this Privacy Policy.

“Processing” refers to any handling of your personal data. This includes, for example, the following activities:

  • collection;
  • recording, storage, and retention;
  • organization, structuring, and management;
  • modification and alteration;
  • reading and retrieving;
  • using;
  • disclosing;
  • comparing and linking;
  • restricting;
  • deleting and destroying; and
  • sharing and transferring.

This Privacy Policy applies to all of these activities, provided they involve personal data. It therefore governs everything we do with personal data.

4. When, for whom, and for what purpose does this Privacy Policy apply?

This Privacy Policy applies to all processing of personal data in connection with all our business activities across all our business divisions. It applies to the processing of both historical and future personal data. This means that we process personal data in accordance with this Privacy Policy not only for data we receive in the future, but also for data we already hold. Additional privacy provisions may apply to certain services. In such cases, we will notify you of these provisions in an appropriate manner.

This Privacy Policy applies to the processing of personal data of all data subjects. This includes, for example, the following individuals:

  • Individuals who write to us or contact us in any other way (e.g., by phone, fax, email, mail, or online);
  • Visitors to our premises;
  • Customers in online stores;
  • Users of online services and apps;
  • Visitors to our website;
  • Recipients of information and marketing communications;
  • Participants in contests, sweepstakes, and customer events;
  • Participants in surveys;
  • Individuals who submit an application for project funding;
  • Contact persons of our business partners;
  • Job applicants; and
  • In connection with pharmacovigilance information (see Section 5 Pharmacovigilance), this also includes information provided by a third party reporting an adverse event. These third parties may include healthcare professionals, lawyers, market research agencies, Galderma field representatives, relatives, or other members of the public.

5. What personal data do we process and for what purposes?

Depending on the context and purpose, we process a wide variety of personal data. You can find more details in this section and in the → table at the end of this Privacy Policy. Among other things, we process personal data—including health data and, in some cases, other special categories of personal data—in the following situations and for the following purposes:

  • Communication: We process personal data when you contact us or when we contact you, e.g., when you send us medical inquiries via our contact form and when you write to us or call us. In such cases, information such as your name, contact details, and the content and timing of the relevant communications is generally sufficient for us. We use this data so that we can provide you with information, process your request, and communicate with you. We may also forward communications to the appropriate departments across the group. Service providers and their selected employees may only access and use your personal data on our behalf for the specific tasks assigned to them based on our instructions and are obligated to treat your personal data confidentially and securely.
  • Vigilance: Ensuring your safety is of utmost importance to Galderma, and we take the safe use of all our products and our legal obligations to monitor the safety of all products we market or have in development very seriously. This is referred to as our vigilance obligations. In this section of the Privacy Policy, we also describe how we collect and use your personal data when you contact us with general questions about the use of our product. The scope of data collection in connection with adverse events, provided you submit such data, is outlined in the table at the end of the Privacy Policy. If you report an adverse event to us that affects you or a third party, we are required to collect your personal data to ensure that adverse events are traceable and available for follow-up actions. Therefore, we must retain sufficient information about reporters so that we can contact you after receiving the report. This data is also listed in the table at the end of the Privacy Policy.
  • Purchase of Products and Use of Services: We also receive and process personal data when you use our services, e.g., when you purchase goods from us or obtain a service. For this purpose, we require, for example, your name, address, and email address.
  • Visiting Websites; Using Apps: As you navigate and interact with our websites or newsletters, we use automated data collection technologies to gather certain information about your actions. This includes information such as which links you click, which pages or content you view and for how long, and other similar information and statistics about your interactions, such as content response times, download errors, and the duration of visits to specific pages. This information is collected using automated technologies such as cookies and web beacons, as well as through third-party tracking for analytics and advertising purposes. You have the right to object to the use of such technologies. Cookies are often necessary for the website to function. However, this information is often not personal data because we cannot readily associate it with you. We use this data for IT security purposes, as well as to improve the user-friendliness of the website and its features, and to personalize the content. For these purposes, we also use analytics services such as Google Analytics. You can find more details about this processing in the table at the end of this privacy policy. There, you will also learn how you can prevent this processing.
  • Customer Events: When we organize customer events, we also process personal data. This includes the names and addresses of participants or interested parties, as well as additional information such as your date of birth, depending on the event. We process this information to organize the events, but also to contact you directly and get to know you better.
  • Business partners: We collaborate with various companies and business partners, such as research firms, suppliers, commercial buyers of goods and services, cooperation partners, and service providers (e.g., IT service providers). In doing so, we also process personal data regarding the contact persons at these companies, such as name, position, and title. Depending on the area of activity, we may also be required to conduct a more detailed review of the relevant company and its employees, e.g., to perform a security check. In such cases, we collect additional information. We will notify you separately in each instance. We may also process personal data about you to improve our customer focus, customer satisfaction, and customer loyalty (Customer Relationship Management).
  • Administration: We process personal data for our internal and group-internal administration. For example, we may process personal data in the context of IT or real estate management. We also process personal data for accounting and archiving purposes and, in general, for the review and improvement of internal processes.
  • Job Applications: We also process personal data when you apply for a position with us. For this, we generally require the standard information and the details specified in the job posting.
  • Legal Protection: We process personal data in various contexts to protect our rights, e.g., to enforce claims in court, in pre-litigation or out-of-court proceedings, and before authorities in Switzerland and abroad, or to defend ourselves against claims. For example, we may have the prospects of a lawsuit assessed or submit documents to an authority. It is also possible that authorities may require us to disclose documents containing personal data.

The → table at the end of this privacy policy describes in more detail what types of personal data we collect about you, how this data is used, for what purposes and on what legal basis, and whether you are required to provide us with personal data.

6. To whom do we disclose your personal data?

Our employees have access to your personal data when necessary for the purposes described and for the performance of their duties. They act in accordance with our instructions and are bound by confidentiality and professional secrecy when handling your personal data.

We may also share your personal data with other companies within the Galderma/Nestlé Skin Health Group (the Group) for various processing purposes. As a result, your personal data may be processed and linked for the respective purposes together with personal data originating from another company within the Group.

We may also disclose your personal data to third parties if we wish to utilize their services. This applies in particular to services in the following areas:

  • Local authorities (see Section 5: Vigilance)
  • IT services, e.g., services in the areas of data storage (hosting), cloud services, sending email newsletters, data analysis, etc.
  • Consulting services, e.g., services provided by tax advisors, attorneys, management consultants, and recruitment and placement consultants
  • Administrative services, e.g., in the area of property management
  • Credit reporting and debt collection, e.g., if you wish to make a purchase on account or if overdue receivables remain unpaid
  • External agencies for promotions and sweepstakes, conducting staff training or continuing education
  • Online service providers for social media activities

Through the selection of processors and appropriate contractual agreements, we ensure that data protection is maintained throughout the entire processing of personal data, including by third parties.

It is also possible that we may review or carry out transactions such as business combinations or the acquisition or sale of individual parts of a company or its assets. In this context, it may be necessary to transfer personal data to another company. In such cases, for confidentiality reasons, it is not always possible to inform you in advance if your personal data is affected. However, we will inform you in each individual case as early as possible, and we will strive to process as little personal data as possible.

The disclosure of personal data is possible in other cases as well. For example, we may also disclose personal data as follows:

  • We may disclose your personal data to third parties (e.g., government authorities) if required by law. We also reserve the right to process your personal data to comply with a court order or to assert or defend legal claims.
  • We may share personal data with affiliated companies as part of our internal group administration.
  • We may share personal data about you with former employers if you apply for a position with us (reference checks). However, we will not do so without first asking for your consent.

7. When do we transfer personal data abroad?

The recipients of your personal data (→ Section 6) may be located abroad—including outside the EU or the European Economic Area (“EEA,” which includes, for example, the Principality of Liechtenstein). The countries in question may not have laws that protect your personal data to the same extent as in Switzerland or in the EU or the EEA. We refer to countries without such protection as “third countries.” Should we transfer your personal data to such a third country, we will ensure the protection of your personal data in an appropriate manner. One way to do this is by entering into data transfer agreements with the recipients of your personal data in third countries that ensure the necessary data protection. These include agreements that have been approved, issued, or recognized by the European Commission and the Federal Data Protection and Information Commissioner, known as standard contractual clauses. Similarly, transfers to recipients who have joined the U.S. Privacy Shield Program are permitted.

Please contact us if you would like a copy of our data transfer agreements or further information regarding the protection of your personal data when transferred to a third country (→ Section 2).

8. Do we carry out profiling and automated individual decision-making?

“Profiling” refers to a process in which personal data is processed automatically to evaluate, analyze, or predict personal aspects, such as work performance, financial situation, health, personal preferences, interests, reliability, behavior, location, or changes in location. We often carry out profiling, e.g., when selecting job applicants, when vetting contractual partners, etc.

“Automated individual decision-making” refers to decisions that are made automatically, i.e., without significant human intervention, and that have negative legal consequences or other similarly negative effects on you. We do not make such decisions automatically.

9. How do we protect your personal data?

We employ appropriate technical and organizational security measures to safeguard the security of your personal data, protect it against unauthorized or unlawful processing, and mitigate the risk of loss, accidental alteration, unintended disclosure, or unauthorized access. However, the electronic transmission of information in particular entails security risks that cannot be entirely ruled out. Therefore, if you transmit information in this manner, you do so at your own risk.

10. How long do we store your personal data?

We store your personal data for as long as necessary for the purpose for which we collected it. We also store your personal data for a longer period if we are subject to a legal retention obligation. For certain documents, for example, a ten-year retention period applies (for instance, vigilance data must be retained for at least ten years after the sale of the last batch), and for others, a retention period of 25 years. We also store personal data if we have a legitimate interest in doing so, e.g., when statutes of limitations are running, when we need personal data to enforce or defend against claims, and for archiving purposes and to ensure IT security. A limitation period of ten years often applies; in some cases, it is five years or one year. Afterward, we delete your personal data. In certain cases, we ask for your consent if we wish to store personal data for a longer period (e.g., for job applications that we would like to keep on file).

How do we process personal data of children?

We do not intend to process personal data of children. We take special care to protect children, and if we process personal data of children based on consent, we ask the parents or legal guardians for their consent. If consent for a child has been given by their parents or legal guardians, the adult is free to revoke this consent at a later time.

11. What rights do you have regarding the processing of your personal data?

Law | Subject | Comments

Right to information

You have the right to receive transparent, clear, and comprehensive information about how we process your personal data and what rights you have in connection with the processing of your personal data. This Privacy Policy fulfills that obligation. If you would like further information, please feel free to contact us (→ Section 2).

Right of access

You have the right to request access to your personal data stored by us at any time and free of charge, provided that we are processing such data. This allows you to verify what personal data we are processing about you and to ensure that we are using it in accordance with applicable data protection regulations.

In certain cases, the right of access may be restricted or denied, in particular:

  • if you were unable to sufficiently identify yourself;

  • to protect the rights and freedoms of others (e.g., confidentiality obligations or third-party data protection rights);

  • in the event of excessive exercise of the right to access information (alternatively, we may charge a fee for the information in such cases); or

  • if providing full access to the information would entail a disproportionate effort.

Right to rectification

You have the right to have inaccurate or incomplete personal data corrected and to be notified of the correction.

We also notify all our recipients of the changes made, unless this is impossible or would involve a disproportionate effort.

Right to erasure

You have the right to have your personal data erased. You may request the erasure of your personal data if:

  • the personal data is no longer necessary for the purposes for which it was collected

  • you have validly withdrawn your consent or validly objected to the processing

  • the personal data is being processed unlawfully.

In certain cases, the right to erasure may be excluded, particularly if the processing is necessary:

  • to exercise the right to freedom of expression;

  • to fulfill a legal obligation or for reasons of public interest;

  • to assert legal claims.

Right to restrict processing

In the cases specified in Article 18 of the GDPR, you have the right to request that the processing of your personal data be restricted. This may mean, for example, that personal data is (temporarily) blocked for users, or that published personal data is (temporarily) removed from a website.

We also inform all our recipients of the changes made, unless this is impossible or would involve a disproportionate effort.

Right to appeal

You have the right to lodge a complaint with a supervisory authority regarding the way in which your personal data is processed.

You have the right to withdraw your consent at any time.

Under Article 21 of the GDPR, you may also object to the processing of your data in certain other cases, such as where data is processed for direct marketing purposes.

If you withdraw your consent or effectively object to further processing, we may no longer process your personal data for these purposes. However, processing activities carried out in the past on the basis of your consent do not become unlawful as a result of your withdrawal.

Providing information and processing your requests is free of charge, unless your request is manifestly unfounded or excessive (in particular due to its repetitive nature); in which case we may charge a reasonable fee (taking into account the processing costs for providing the information or carrying out the requested measures) or refuse to process the request.

We will normally respond within one month of receiving your request. Should the processing of your request nevertheless take longer, we will inform you accordingly.

12. What else should be noted?

Legal basis: We endeavour to specify the applicable legal basis for each instance of data processing. This is derived in particular from Article 6 of the GDPR. Accordingly, the processing of personal data is permitted in particular where

  • it is based on valid consent that has not been withdrawn
  • it serves to fulfil a contract with the data subject or for pre-contractual measures at their request
  • it is necessary to comply with a legal obligation
  • it is necessary to protect the vital interests of the data subject or another person
  • it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority
  • it is necessary for the purposes of the legitimate interests pursued, provided that the interests or fundamental rights and freedoms of the data subject do not override those interests.

The processing of special categories of personal data (see → Section 3) is subject to stricter restrictions (Article 9 GDPR). It is permitted, inter alia

  • with the explicit consent of the data subject
  • where it is necessary for compliance with specific obligations under labour and social security law
  • where it relates to personal data which the data subject has manifestly made public
  • where it is necessary for the defence of legal claims.

You will find details of the legal bases on which the relevant processing is typically based in the → table at the end of this privacy policy. However, due to the complexity of many data processing operations, it cannot be ruled out that, in individual cases – depending on the circumstances – other legal bases may also apply.

Obligation to provide personal data: We are also obliged to inform you whether you are legally or contractually obliged to provide personal data, or whether this is necessary for the conclusion of a contract, and what the consequences of non-disclosure would be. You will also find relevant information in the → table at the end of this privacy policy. As a rule, the disclosure of personal data is voluntary.

Personal data of third parties: In certain circumstances, you may wish to or be required to provide us with personal data relating to third parties. We would like to point out that, in such cases, you are obliged to inform the individuals concerned about this data transfer and about this privacy policy, and to obtain their consent for the transfer.

13. Changes to this Privacy Policy

This Privacy Policy may be updated from time to time if we change our data processing practices or if new legislation comes into force. We will actively inform individuals registered with us of such changes, provided this can be done without disproportionate effort. In general, however, the version of the Privacy Policy in force at the start of the relevant data processing operation shall apply to that processing.

Table: Reason for data collection; scope, purpose and obligation to provide data; legal basis for processing

Communication with us

Vigilance

Visiting our website (general)

Visiting our website (cookies)

Visiting our website (beacons)

Visiting our website (Google Analytics)

Visiting our website (social plug-ins)

Subscription to electronic newsletters

Participation in customer events

Contact with our company as a business partner

Administration

Job applications

Legal defence

Reason for data collection | Personal data processed | Purpose of processing and obligation to provide data | Legal basis

Communication with us

We collect personal data when you contact us in writing, electronically or by telephone. In doing so, we process contact and communication details, which include, in particular, the following personal data:

  • Your name

  • Depending on the nature of the communication, your postal address, email address and telephone number

  • The content and time of the communication.

The content of the communication depends largely on you. If you report to us any adverse effects or incidents relating to our medicinal products (or other personal data requiring special protection), we will also process this information. Telephone calls with us may be recorded, in which case you will be informed in advance.

We process your personal data in this context for the following purposes:

  • Responding to enquiries, customer service and support; general communication with you: We want you to feel able to contact us and share your concerns and suggestions for improvement with us. Our company is happy to assist you via the contact details provided.

  • Quality assurance and training: The recording of conversations, where applicable, helps us to analyse and improve our processes.

You are, of course, under no obligation to provide us with specific information. However, we are often only able to respond if you provide us with certain minimum details.

Your interaction with our customer service team is initiated by you, which we interpret as consent to the processing of your personal data (Article 6(1)(a) and, where applicable, Article 9(2)(a) of the GDPR). If you do not wish for the conversation to be recorded for quality assurance and training purposes, you may terminate the conversation at any time and correspond with our customer service team by other means (e.g. via email). Processing by customer service is also in our legitimate interest (Article 6(1)(f) GDPR), as this enables us to improve the quality of our products and services, avoid errors in our processes and achieve higher customer satisfaction.

Vigilance

We collect the relevant pharmacovigilance data when you report adverse effects and incidents relating to our medicinal products to us. In doing so, we process the following personal data in particular, provided that this information is provided:

  • Name or initials;

  • Age and date of birth;

  • Content and time of the report;

  • Gender;

  • Weight and height;

  • Photographs;

  • Internal reference number;

  • Details of other medicines or medicinal products you are taking or were taking at the time of the event, including the dosage you took or were prescribed, the period during which you took this medicine, the reason you took this medicine, and any subsequent changes to your treatment;

  • Details of the adverse event you experienced, the treatment you received for this event, and any long-term effects the event has had on your health; and

  • Other medical history deemed relevant by the reporter, including documents such as laboratory reports, medication histories and patient records.

Some of this information is considered by law to be “sensitive personal data” about you. This includes the following categories of personal data:

  • Ethnicity or race;

  • Health data.

This information will only be processed intentionally where it is relevant and necessary for the proper documentation of the event you experienced and to meet our vigilance requirements. These requirements exist to enable us and the relevant supervisory authorities to diagnose, manage and prevent such adverse events in the future. Furthermore, we may collect your sensitive personal data if you voluntarily provide it to us.

If you report an adverse event to us that affects you or a third party, we are obliged to collect your personal data to ensure that adverse events can be traced and are available for follow-up measures. The following data is collected in relation to the reporter:

  • Name;

  • Contact details (including your address, email address, telephone number or fax number);

  • Occupation (this information may determine the questions you are asked about an adverse event, depending on your presumed level of medical knowledge); and

  • Relationship to the subject of the report. If you are also the subject of a report, this information may be combined with the information you provide regarding the event that occurred to you.

In this case, we process your personal data for the following purposes:

  • Pharmacovigilance reports:

In accordance with our pharmacovigilance obligations, we pass on your data to our offices in Switzerland, France and Sweden in order to comply with our legal requirements. To protect your privacy during the processing and transmission of the data, we have taken measures to reduce the possibility of the data being linked back to you by pseudonymising the data.

In particular, we may use and disclose your data:

A) For purposes required by law:

  • to investigate the adverse event;

  • to collate information about the adverse event with information about other adverse events received by Galderma in order to analyse the safety of a batch, a Galderma product or an active substance as a whole; and

  • to submit mandatory reports to national authorities or other authorities so that they can analyse the safety of a batch, a Galderma product, a generic medicine or an active substance as a whole, as well as reports from other sources.

B) If you give your consent:

  • to contact you for further information regarding the adverse event you have reported; and

  • to respond to any questions you may have regarding your use of our products.

C) To the extent necessary for purposes that are in our legitimate interests. These interests are:

  • to analyse and improve our products; and

  • to review and monitor the quality of our customer service.

Contacting you: In the event that new effects and consequences relating to the medicines you are using become known that are significant for your health, we will process your information in order to contact you and inform you of the possible effects and consequences.

Medicines:

We are legally obliged to report adverse reactions to our products to the relevant authorities (Swissmedic). The reporting obligations are set out in Articles 35, 36, 38 and 39 of the Medicinal Products Ordinance (812.212.21, VAM) and in the applicable directives and guidelines on the Swissmedic website (www.swissmedic.ch).

Cosmetic products:

The reporting obligations for safety reporting on cosmetic products are set out in § 84 LGV (817.02 Ordinance on Foodstuffs and Consumer Goods (LGV)).

Medical devices:

The European guidelines for a vigilance and reporting system for medical devices (MEDDEV 2.12/1) also apply in Switzerland. The person who first places the device on the market is responsible for reporting to Swissmedic. However, reports may be submitted by the manufacturer, even if they are based abroad, by their European representative or by their Swiss distribution partner.

Processing is therefore necessary for legitimate interests (Article 6(1)(f) of the GDPR). We can improve our medicinal products, medical devices and cosmetic products, as well as our services, thanks to the information you provide. This is important for us so that we can compete successfully in the market. Improving our medicinal products is also in the interests of patients and consumers. (Art. 6(1)(c) GDPR).

Visiting our website (general)

As you navigate and interact with our websites or newsletters, we use automated data collection technologies to gather certain information about your actions. This includes information such as which links you click on, which pages or content you view and for how long, and other similar information and statistics about your interactions, such as content response times, download errors and the duration of visits to specific pages. This information is collected using automated technologies such as cookies and web beacons, and is also gathered through the use of third-party tracking for analytical and advertising purposes. You have the right to object to the use of such technologies.

We process your data in this context for the following purposes:

  • Provision of the website: The recording of certain log files is essential for the provision of the website.

  • Website administration: The processing of log files helps us with maintenance and troubleshooting, ensuring the security of our website, and combating fraud.

  • Personalisation and optimisation of the website: We aim to make our website as personalised and user-friendly as possible. To this end, we store individual settings, e.g. whether you have previously visited the website in question, what settings (e.g. language settings) you selected at the time, and which features you used.

The processing referred to is in our legitimate interests (Article 6(1)(f) of the GDPR).

Visiting our website (social plugins)

Our website uses social plugins, such as Facebook Feeds. These display buttons from the respective providers, such as Facebook’s “Like” button or Google’s “+1” button.

When you visit a website that uses such a plugin, your browser establishes a direct connection to the provider’s servers. The content of the plugin is transmitted directly from the provider to your browser and integrated into the website in question. As a result, the provider receives the following personal data in particular:

  • the information that your browser has accessed the website in question

  • the IP address of the device used, even if you do not have an account with the provider.

If you are logged in to the provider’s site at the same time, the provider can associate the visit with your personal profile. If you interact with a plugin—for example, by clicking the “Like” button or posting a comment—the corresponding information is transmitted directly from your browser to the provider and stored there. It may also be published on your profile with the provider and displayed to your contacts.

Please refer to the privacy policies of the respective providers for information on the purpose and scope of data collection, as well as the further processing and use of your data by the provider, and your related rights and settings options for protecting your privacy.

If you do not want the provider to collect data about you via our website, you must log out of the provider’s service before visiting our website. Even when logged out, the providers collect anonymized data via the social plugins and set a cookie on your device. This data can be associated with your profile if you log in to the provider’s service at a later time. If you wish to prevent this, you must delete the corresponding cookies. You can also completely prevent the plugins from loading by using add-ons for your browser, such as “NoScript” or “No-Script Suite.”

The processing purposes mentioned are based on our legitimate interests (Article 6(1)(f) of the GDPR). It is very important to us to make our website appealing and to increase interaction with our users. The use of social plugins is an important means of achieving this.

Subscription to electronic newsletters

When you subscribe to an electronic newsletter, we process the following personal data in particular:

  • Your name

  • Your email address

  • Information regarding whether you have consented to receiving newsletters or have objected to them.

We may also process information regarding your use of the newsletters, in particular the following personal data:

  • Delivery of the newsletter

  • Opening and, if applicable, forwarding the newsletter

  • Links clicked (destination, date, and time)

We may also analyze your personal data and link it to other personal data, such as non-personal statistical information and other personal data we have collected about you, in order to derive information about your preferences and affinities for certain products or services.

We process your personal data so that we can send you the newsletter. This also includes informing you of changes and providing you with further information about our newsletter offerings. We process personal data regarding your use of the newsletter to get to know you better and to tailor our offerings more specifically to your needs.

This data processing is voluntary on your part. However, if you do not provide us with your email address, we will not be able to offer you this service. You can revoke your consent to receive electronic newsletters at any time by unsubscribing from this service. You can do this via a link in every message.

We consider your subscription to our electronic newsletter to constitute your consent to the processing of the personal data provided for the specified purposes (Art. 6(1)(a) GDPR).

Participation in customer events

When we invite you to customer events, we process personal data such as your name, contact information, whether you attend or not, and other event-specific data, such as your date of birth.

We may also analyze your personal data and link it to other personal data, such as non-personal statistical information and other personal data we have collected about you, in order to derive insights into your preferences and affinities regarding specific products or services.

We process your personal data for the following purposes:

  • So that we can invite you to our events;

  • so that we can learn which events and activities interest you. This allows us to specifically draw your attention to events that we hope will be of interest to you.

Participation is always voluntary, but in most cases it is not possible without the processing of personal data.

We process your personal data after you have given us your consent (Article 6(1)(a) of the GDPR) to inform you about relevant events, or if you have registered for one of our events.

This processing is also in our legitimate interest (Article 6(1)(f) of the GDPR), as it allows us to contact you personally and get to know you better. This enables us to better tailor our services to your needs and interests and to expand and improve our offerings. This is important for us so that we can successfully compete in the market.

Contacting our company as a business partner

If you work for a company that supplies or purchases goods or services from us, or that otherwise collaborates with us (or if you are a self-employed individual), we process personal data about you, such as your name, title, function, area of responsibility, career history, and your interactions with us. We process further personal data, including potentially sensitive personal data, when assessing whether we want to or can collaborate with your company (e.g., for security checks).

If you work on our premises, we also process additional contact information, potentially including details about your nationality and residency status, passport details and copies of identification documents, information about criminal records and legal proceedings, information about user accounts and their use, badge number and assignment, information about your use of our IT infrastructure, and video recordings (if you are in a video-monitored area). We will inform you separately about such data processing or request your consent.

The processing of this personal data serves the following purposes:

  • To assess whether we should procure services from or provide services to your company, or whether we wish to and can collaborate with your company (e.g., within the framework of suitability assessments, conflict of interest checks, etc.);

  • to verify whether your company offers the necessary security, for example, if it would process personal data on our behalf;

  • for the deployment of our employees and, if applicable, your employees or employees of your company;

  • for training purposes;

  • for monitoring and performance evaluation;

  • for the preparation and execution of company acquisitions, sales, and similar transactions.

When we process personal data in order to utilize services from third parties, we generally do so for the following purposes:

  • for the administration and management of our IT and other resources;

  • for the exchange of personal data within the group;

  • for compliance purposes; this includes receiving and investigating complaints and reports of misconduct.

We may also process your personal data for customer relationship management purposes, i.e., to get to know you and your company better and thereby improve our customer focus and increase customer satisfaction and loyalty (Customer Relationship Management, "CRM").

You are not obligated to provide us with the aforementioned data. However, we rely on such data to be able to work with you. In exceptional cases, we are even legally obligated to process such data. We will inform you accordingly. If you do not wish to provide us with the necessary information, we may not be able to work with you.

The processing described above is in our legitimate interest (Article 6(1)(f) GDPR) because it allows us to use external services and thus increase our efficiency. We also have a legitimate interest in preventing misuse of our goods and services and ensuring an appropriate level of security when we use services or collaborate with other companies. This may require background checks and security audits. Customer relationship management is also in our legitimate interest.

If we process particularly sensitive personal data for the aforementioned purposes, we generally do so for the establishment, exercise, or defense of legal claims or with your explicit consent (Article 9(1)(a) and (f)).

Administration

For our internal administration and management, we process personal data about our customers, business partners and third parties, e.g. in the context of managing our IT, our real estate (e.g. for creating a tenant index or to determine the market rent) and other assets.

We process this personal data in particular for the following purposes:

  • Reviewing and improving our internal processes

  • Accounting

  • Archiving

  • Training

  • Other administrative purposes

These purposes may relate to us or to companies affiliated with us.

The processing for the aforementioned purposes may be necessary for the performance of contracts (Article 6(1)(b) GDPR). It is also in the legitimate interest of the controller (Article 6(1)(f) GDPR).

Job application

When you apply for a position with us, we process your contact details and the information you provide (e.g., application, contact details, CV, qualifications, certificates, etc.; possibly also particularly sensitive personal data). Depending on the position and your profile, further personal data may be required during the application process.

When you apply to us, we process your personal data to assess your suitability for the position and to discuss potential employment with you. With your consent, we may also keep your application on file even if we – or you – decide against hiring you, in anticipation of a possible future opportunity.

Providing the aforementioned personal data is voluntary; however, we cannot process an application without the necessary personal data.

The processing of your data for the aforementioned purposes is necessary for our legitimate interests (Article 6(1)(f) GDPR). The personal data we collect allows us to better tailor our services to your needs and interests and to expand and improve our offerings. This is important for us to remain competitive in the market.

If we process particularly sensitive personal data, we will request your explicit consent (Article 9(2)(a) GDPR).

Protection of rights

We process a wide range of personal data to protect our rights, for example, to enforce claims in court, out of court, or before authorities both domestically and internationally, or to defend ourselves against claims. For instance, we may assess the prospects of success in litigation or submit documents to an authority. Authorities may also request that we disclose documents containing personal data. In addition to contact information of the individuals concerned, we process other personal data depending on the circumstances, such as information about events that have given rise to, or could give rise to, a dispute. This may also include particularly sensitive personal data.

We process this personal data for the following purposes:

  • Clarification and enforcement of our claims, which may also include claims by affiliated companies and our contractual and business partners

  • Defense against claims against us, our employees, affiliated companies, and our contractual and business partners

  • Assessment of the prospects of litigation and other legal, economic, and other matters

  • Participation in proceedings before courts and authorities in Germany and abroad

The processing for the aforementioned purposes may be necessary for the performance of contracts (Article 6(1)(b) GDPR). It is also in our legitimate interest (Article 6(1)(f) and Article 9(2)(f) GDPR