Among other things, we use Microsoft products or Microsoft Office 365 incl. Teams for (non-exhaustive list)

• Creation of various documents within the scope of the services to be provided, including the creation of business correspondence with clients, business partners and job applicants
• Communication via e-mail (Exchange/Outlook)
• Online (video) communication internally and with clients, business partners and, if necessary, job applicants (via teams)

For information on the resulting data processing, see the following sections Clients, Business Partners and Job Applicants.

The Microsoft products used (hereinafter MSO) are (like all other software) installed on our own servers located in Liechtenstein. No storage takes place online, but the use of MSO does not exclude the possibility that data may be stored by Microsoft. However, when using MSO, Microsoft restricts data processing to data that is necessary for the provision of a functioning website and for the use of Microsoft content and services, i.e. contact data (e.g. e-mail address) or data in connection with online forms (e.g. applications, notifications).

With regard to the storage locations, it should be noted that only those services are used whose storage locations ensure an adequate level of data protection. This means that storage may only take place in the EEA or in third countries that have an adequate level of data protection. According to Art. 45 GDPR, an adequate level of data protection can be assumed if this is ensured by an adequacy decision or standard data protection clauses. The storage locations are Switzerland (Teams) and the EU (other services). A secure level of data protection is ensured there. In Switzerland, a secure level of data protection is ensured on the basis of the adequacy decision 2000/518/EC applicable there.

When using the above-mentioned services, i.e. for MSO, Microsoft Ireland Operations Limited (“Microsoft”) acts as a data processor pursuant to Art. 4 No. 817 in conjunction with 28 GDPR. The Framework Agreement between NSF and Microsoft specifically set forth the following data protection provisions:

• Microsoft shall not engage any other Processor without NSF’s prior specific or general written consent. In the event of a general written authorization, Microsoft will notify NSF of any intended changes regarding the addition or substitution of additional Processors to allow NSF to object to such changes (see Article 28(2) of the GDPR).
• – Microsoft’s processing is subject to these provisions of the GDPR under European Union or the respective member state law. These are binding on Microsoft with respect to NSF. The subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data, categories of data subjects, and NSF’s obligations and rights will be set forth in Customer’s License Agreement, which will incorporate the provisions of the GDPR. In particular, Microsoft is required to:
• process Personal Data only in accordance with documented instructions from NSF. If Microsoft is required, on the basis of legal principles, to transfer Personal Data to a third country or to an international organization, Microsoft will inform NSF of that legal requirement prior to processing, unless the legislation prohibits such transfer of information on the grounds of important public interest;
• ensure that individuals authorized to process Personal Data undertake to maintain confidentiality or are subject to an appropriate legal obligation of confidentiality;
• take all necessary measures in accordance with Art. 32 GDPR (“security of processing”);
• support NSF as far as possible by appropriate technical and organizational measures and respond to requests to exercise the rights of the Data Subject as set out in Chapter III of the GDPR;
• assist NSF in complying with its obligations under Articles 32 to 36 of the GDPR;
• upon termination of the services, delete or return to NSF, at NSF’s request, all Personal Data related to the Processing. Existing copies will be deleted unless EU or Member State legislation requires the retention of the Personal Data;
• provide NSF with all necessary information to demonstrate compliance with the obligations described in Art. 28 GDPR and enable and support audits (including audits carried out by NSF or an auditor appointed by NSF).

For certain technical data processing processes, we rely on the support of external service providers who have access to your personal data in order to provide these services. These service providers are carefully chosen and meet high data protection and data security standards. They are bound to strict confidentiality and only process data on our behalf and in accordance with our instructions. In such cases, we comply with the legal requirements and in particular conclude corresponding contracts or agreements that serve to protect your data with the recipients of your data.

We work together with companies and other parties that have particular expertise in specific fields or certain specialist subjects (e.g. tax advisors, lawyers, consulting firms, logistics providers). These parties are either subject to a professional duty of confidentiality or are sworn to secrecy by us. Insofar as disclosure of personal data to these parties should be necessary, the legal basis for this, depending on the content of the collaboration in question, is Article 6 (1) 1 (b) or (f) GDPR.

Apart from in the cases explained in this privacy policy, we only share your data with third parties without your express consent if we are required to do so by law or an administrative or judicial order.

If we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or the processing takes place in the context of using the services of third parties or disclosing or transferring the data to other persons, offices or companies, this only occurs in accordance with the legal requirements.

Subject to express consent or a contractually or legally required transfer, we only process or have the data processed in third countries with a recognised level of data protection, contractual obligations through so-called standard contractual clauses of the EU Commission, the existence of certifications or binding internal data protection regulations (Art. 44 to 49 GDPR, EU Commission information page: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection_de).

We have taken comprehensive technical and organisational provisions to protect your personal data from unauthorised access, misuse, loss and other outside interference. To this end, we regularly check our security measures and bring them into line with the state of the art.

The measures include, in particular, the safeguarding of confidentiality, integrity and availability of data by controlling the physical and electronic access to the data, as well as access to, input of, disclosure of, assurance of availability and separation of the data. In addition, we have established procedures to ensure respect for data subjects’ rights, the erasure of data and a rapid response to data threats. Moreover, we take personal data protection into account as early as the development or choice of hardware, software and procedures, in accordance with the principle of data protection, through privacy by design and privacy by default.

You have the following rights with regard to your personal data, which you may exercise with us:

• Right of access (Art. 15 GDPR),
• Right to rectification (Art. 16 GDPR) or erasure (Art. 17 GDPR),
• Right to restriction of processing (Art. 18 GDPR),
• Right to object to the processing (Art. 21 GDPR),
• Right to withdraw your consent (Art. 7 (3) GDPR),
• Right to receive the data in a structured, commonly used and machine-readable format (“data portability”) and the right to transmit those data to another controller, when the conditions of Art. 20 (1) (a, b) GDPR are met (Art. 20 GDPR).

You can exercise your rights by notifying the responsible company or the data protection officers that we have appointed.

You also have the right to lodge a complaint with a data protection supervisory authority about the processing of your personal data performed by us (Art. 77 GDPR).

The contact details of the competent data protection body in Liechtenstein are as follows:

Data protection body Liechtenstein

Städtle 38
Postfach 684
FL – 9490 Vaduz
+423 236 60 30
info.dss@llv.li

The specific data processed and the ways in which they are used are significantly determined by the services and products to be provided or agreed in each case. The asset management company is legally bound to protect your privacy and confidentiality and for this reason takes a variety of technical and organisational data protection provisions for all data processing.

Within the context of our business relationship, we rely on processing personal data that are required for establishing and conducting the business relationship and fulfilling the related legal or contractual obligations and providing services or executing orders. Without these data, we are generally unable to enter into or maintain a business relationship, process an order or offer services and products.

Which data are processed (data categories) and what sources do they come from (origin)?

We collect and process personal data that we receive in the context of our business relationship with our customers. Personal data may be processed in each phase of the business relationship and differ according to the group of people.

As a general rule, we process personal data that are provided to us by you by means of submitted contracts, forms, your correspondence or other documents. Insofar as they are necessary for providing services, we also process personal data that are generated or transmitted due to the use of products or services or that we have permissibly received from third parties (e.g. a trust company), public bodies (e.g. UN and EU sanctions lists). Finally, personal data from publicly available sources (e.g. commercial register and register of associations, press, Internet) may be processed.

In addition to customer data, if necessary we also process personal data from other third parties involved in the business relationship, such as data from (other) authorised persons, representatives, legal successors or economic beneficiaries of a business relationship. Please also inform any third parties about this data protection notice.

By personal data we particularly mean the following data categories:

Master data

• Personal data (e.g. name, date of birth, nationality)
• Address and contact details (e.g. physical address, telephone number, email address)
• Identification data (e.g. passport or ID details) and authentication data (e.g. specimen signature)
• Data from publicly available sources (e.g. tax numbers)

Further basic data

• Information about services and products used (e.g. investment experience and investment profile, minutes of the consultation, data regarding transactions carried out)
• Information about household composition and relationships (e.g. information about spouses or life partners and further family information, authorised signatory, legal representatives)
• Information about the financial features and the financial situation (e.g. portfolio and account number, source of the assets)
• Information about the professional and personal background (e.g. profession, hobbies, wishes, preferences)
• Technical data and information about electronic communications with the asset management company (e.g. records of access or changes)
• Image and audio files (e.g. video or telephone records)

For what purposes and on what legal basis are your data processed?

We process personal data in accordance with the provisions of the GDPR and the Data Protection Act for the following purposes or on the basis of the following legal grounds:

• To fulfil a contract or implement pre-contractual measures (Art. 6 (1) (b) GDPR) in the context of the performance and brokerage of asset management, investment advice and the remaining financial services that can be rendered by an asset management company. The purposes of the data processing are primarily determined by the concrete service or the concrete product (e.g. securities) and may include, among others, needs analyses, advice, asset management and support as well as executing transactions.
• To fulfil legal obligations or in the public interest (Art. 6 (1) (c) GDPR), particularly compliance with legal and regulatory provisions (e.g. compliance with the GDPR, the Data Protection Act, the Asset Management Act, due diligence and anti-money laundering regulations, market abuse regulations, tax laws and agreements, monitoring and reporting obligations, risk management). Should you not provide us with the necessary data, we have corresponding regulatory obligations to fulfil and are, if necessary, obliged to terminate the business relationship.
• To protect the legitimate interests of us or third parties (Art. 6 (1) (f) GDPR) for precisely defined purposes, in particular for determining product development, marketing and advertising, business review and risk management, reporting, statistics and planning, crime prevention and detection, video surveillance to safeguard householders’ rights and protect against danger, telephone recordings.
• On the basis of your consent (Art. 6 (1) (a) GDPR), which you gave us for providing asset management services or due to orders such as disclosing data to the asset management company’s service providers or contracting parties. You have the right to withdraw your consent at any time. Withdrawing consent only applies to the future and does not affect the legitimacy of the data processed before the withdrawal.

We reserve the right to continue to process personal data collected for one of the abovementioned purposes, as well as for the remaining purposes, if this is compatible with the original purpose or is authorised or required by law (e.g. reporting obligations).

Who has access to personal data and how long are they stored?

Parties both inside and outside the asset management company may have access to your data. Within the asset management company, offices or employees may only process your data if they require them to fulfil our contractual, legal and regulatory obligations and to protect legitimate interests. In compliance with the corresponding legal provisions, other companies, service providers or vicarious agents may also receive personal data for these purposes. Processors may be companies in the following categories: asset management services, distribution agreements, IT services, logistics, printing services, advice and consulting, as well as distribution and marketing. Moreover, recipients of your data in this context may be other financial services institutions or similar institutions, to which we transfer personal data in order to conduct the business relationship (e.g. custodian banks, brokers, stock exchanges, information centres).

In the case of a legal or regulatory obligation, public bodies and institutions (e.g. supervisory authorities, fiscal authorities, etc.) may also receive your personal data.

Data will only be transferred in countries outside the EU or EEA (so-called third countries) if

• this is required in order to implement pre-contractual measures or fulfil a contract, provide services or process orders (e.g. execute securities transactions),
• you have given us your consent (e.g. for customer support by another company),
• this is necessary for important reasons of public interest (e.g. due to money laundering prevention), or
• this is prescribed by law (e.g. transaction reporting obligations).

However, these are only countries that the EU Commission has determined have an adequate level of data protection or we implement measures in order to ensure that all recipients have an adequate level of data protection. To this end, if necessary, we conclude standard contractual clauses, which in this case are available on request. We process and store personal data throughout the duration of the business relationship, unless there are mandatory obligations to erase certain data at an earlier date. It should be noted that our business relationships may last for years. In addition, the duration of data storage depends on the necessity and purpose of the data processing in question. If the data are no longer required to fulfil contractual or legal obligations or protect our legitimate interests (the purpose has been achieved) or if consent that has been granted is withdrawn, these data are regularly erased, unless further processing is necessary due to contractual or legal retention periods and documentation obligations or on the grounds of preserving evidence throughout the applicable statutory limitation periods.

Is there automated decision-making, including profiling?

In principle, our decisions are not solely based on automated personal data processing. Should we use these methods in specific cases, we will inform you thereof separately in accordance with the legal requirements.

There are business areas in which personal data are at least partially processed by automated means. The aim is to assess certain personal aspects insofar as legal and regulatory provisions require us to do so (e.g. money laundering prevention) and needs analysis for services and products or in the context of risk management.

The asset management company reserves the right to analyse and assess customer data (including data from involved third parties) by automated means in the future, in order to identify customers’ key personal features or predict developments and establish customer profiles. These serve in particular for business reviews, individual consulting and providing offers and information, which the asset management company makes available to the customer if necessary.

Which data protection rights do you have?

With regard to your personal data, you have the following data protection rights pursuant to the GDPR:

• Right of access: You can request information from the asset management company about whether and to what extent your personal data are being processed (e.g. categories of personal data being processed, purpose of processing, etc.).
• Right to rectification, erasure and restriction of processing: You have the right to request the rectification of inaccurate or incomplete personal data concerning you. In addition, your personal data must be erased if these data are no longer required for the purposes for which they were collected or processed, you have withdrawn your consent or these data are being unlawfully processed. You also have the right to request restriction of processing.
• Right to withdraw consent: You have the right to withdraw your consent to the processing of your personal data for one or more specific purposes at any time if the processing is based on your express consent. This also applies to the withdrawal of declarations of consent given before the GDPR came into effect, i.e. before 25 May 2018. Please note that the withdrawal only applies to the future. Processing operations that occurred before the withdrawal are not affected by it. The withdrawal also has no impact on data processing on other legal grounds.
• Right to data portability: You have the right to receive your personal data that you have provided to the controller in a structured, commonly used and machine-readable format and have these data transferred to another controller.
• Right to object: You have the right to informally object to data processing on a case-by-case basis on grounds relating to your particular situation, if the processing is in the public interest or to protect the legitimate interests of the asset management company or a third party. In addition, you have the right to informally object to the use of personal data for advertising purposes. If you object to the processing of your personal data for direct advertising, we will no longer process your personal data for this purpose.
• Right to lodge a complaint: You have the right to lodge a complaint with the competent Liechtenstein supervisory authority (see under “General” for contact details). You can also contact another supervisory authority in an EU or EEA member state, such as your usual place of residence, place of work or the place where the alleged infringement took place.

Information or objection requests should preferably be made in writing to the data protection officer. The latter is also at your disposal as the contact person for any other data protection matters.

We process personal data in the context of collaboration with service providers, suppliers and other business partners (hereinafter “business partners”).

Who is a data subject?

We process data from business partners and their employees.

Which data are processed?

We process the following categories of personal data, if they are necessary for establishing or conducting contractual relations with the business partner:

• contact information, in particular first name and surname, any title, address, telephone number, email address,
• professional information,
• bank details

What are the sources of the data we process?

If we do not receive personal data directly from the data subjects (e.g. in the context of correspondence with contact persons at the business partner), the data routinely comes from the business partner as the employer of the data subjects.

For which purposes are the data processed?

We process the data to establish, conduct and execute the contractual relationship with the business partner. The legal basis for this processing, insofar as the business partner’s personal data are processed, is Art. 6 (1) 1 (b) GDPR; furthermore Art. 6 (1) 1 (f) GDPR.

How long are personal data stored?

Personal data are processed and stored for the duration of the valid business relationship, provided there are no special shorter data erasure periods. After the end of the business relationship, these data are kept for at least ten years due to legal provisions. Longer data storage occurs solely on the basis of legal or contractual data retention obligations or for evidence purposes within the statute of limitation.

Which data are processed on visiting our web pages?

On accessing the individual pages of the website in this sense only access data are transferred to our provider, so that the website can be displayed to you. They are the following data:

• browser type / browser version,
• operating system used,
• language and version of browser software,
• hostname of the accessing terminal,
• IP address,
• website from which the request has come,
• content of the request (specific page),
• data and time of the server request,
• access status/HTTP status code,
• referrer URL (the previously visited page),
• data volume transferred,
• time zone difference to Greenwich Mean Time (GMT).

We use these data to be able to make the website accessible, potentially identify and solve any technical problems and prevent misuse of the offering and prosecute if necessary. In addition, we use these data in anonymised form, i.e. without the possibility of identifying the user, for statistical purposes and to improve the web pages. The legal basis for processing personal usage data is Article 6 (1) 1 (f) GDPR.

How are cookies used?

We use cookies on our website. Cookies are small text files that are stored on the user’s data carrier and exchange certain settings and data with our system via the browser. A cookie normally contains the name of the domain from which the cookie data were sent and information on the age of the cookie and an alphanumerical identifier. The information stored in the cookies is not used to identify the user and is not combined with other personal data stored about the user. 

The cookies used enable coverage analysis, i.e. evaluating visitor traffic to our website and may include visitor behaviour or interests.

With the help of coverage analysis, we can for example identify which content is used most or invites reuse. We can also understand which areas require optimisation.

In addition to web analysis, we can also use test procedures, e.g. to test and optimise different versions of our online offering or its components.

For these purposes, so-called user profiles may be created and stored in a file (so-called “cookie”) or similar procedures with the same purpose may be used. This information may include, for example, content viewed, web pages visited and elements and technical data used there, such as the browser used, computer system used and information on times of use.

Users’ IP addresses are also stored. However, we use an IP-masking procedure (i.e. pseudonymisation by shortening the IP address) to protect users. In general, within the framework of web analysis, A/B testing and optimisation, no plain user data (such as email addresses or names) are stored, but pseudonyms. This means that we, as well as the providers of the software used, do not know the actual identity of the users, but only the information stored in their profiles for the purposes of the respective procedures.

User data are processed on the basis of our legitimate interests (i.e. interest in efficient, cost-efficient and recipient-friendly services) pursuant to Art. 6 (1) (f) GDPR.

Services and service providers used:

Matomo

On this website, we use “Matomo” software, a service from the provider InnoCraft Ltd., 150 Willis St, 6011 Wellington, New Zealand.

Website: www.matomo.org; data erasure: The cookies have a maximum retention period of 13 months.

You can object to the processing. Your right to object is based on grounds relating to your particular situation. We will no longer process your data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms or if the processing is for the establishment, exercise or defence of legal claims (Art. 21 (1) GDPR). In the event of your justified objection, we will examine the situation and either stop or adapt the data processing or point out to you our compelling legitimate reasons on the basis of which we will continue the processing.

How do we use social plug-ins?

So-called social plug-ins (“plug-ins”) from social networks are used on our websites. For data protection reasons, we have deliberately chosen not to use direct plug-ins from social networks on our websites. Instead, we use the so-called “wrapper” solution. In this way, you can determine whether and when data are transferred to the operators of the respective social networks. Therefore in principle, when you visit our websites, no data are automatically transferred to social networks such as LinkedIn. Only when you actively click the respective button does your internet browser connect to the servers of the respective social network, i.e. by clicking the respective button (e.g. share) you consent (Art. 6 (1) (a) GDPR) to your Internet browser establishing a connection to the servers of the respective social network and transferring usage data to the respective operator of the social network.

The plug-in provider stores the data collected about you as usage profiles and uses them for the purposes of advertising, market research and/or the needs-based design of their website. Such an evaluation takes place, in particular (even for users who are not logged in) to provide needs-based advertising and in order to inform other users of the social network about your activities on our website. You have the right to object to the creation of these user profiles, although you must contact the respective plug-in provider to exercise this right. Via the plug-ins, we offer you the opportunity to interact with social networks and other users so that we can improve our offering and make it more interesting for you as a user.

Services and service providers used:

LinkedIn plug-ins and content

LinkedIn plug-ins and content- This may include content such as images, videos or text and buttons, with which users can share the content of this online offering on LinkedIn. Service provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland;

website: https://www.instagram.com; privacy policy: https://www.linkedin.com/legal/privacy-policy; opt-out option: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.

Displaying content from external platforms

This type of service allows users to view and interact with content hosted on external platforms directly through this application.
This type of service may still collect web traffic data for the pages where the service is installed, even if users do not use it.

Services and service providers used:

Google Web Fonts

To ensure a consistent presentation, we use typefaces from Google Fonts provided by Google. However, these are installed locally and there is no connection to Google’s servers.

How are data that you enter in a contact form processed?

On our website, there is the option to contact us via a form. You must state your form of address (Ms/Mr), first name and surname, country, language, email address and a message. You may also voluntarily state your title, company and telephone number.

Personal data transferred to us in this context are solely used to handle the inquiry in question.

The legal basis for the processing is Art. 6 (1) 1 (f) GDPR or Art. 6 (1) 1 (b) GDPR if the purpose of the contact is to conclude a contract.

We only process personal data from the input mask to process the contact. In the case of contact via e-mail, this also comprises the required legitimate interest in processing the data. The other personal data processed during the sending process serve to prevent misuse of the contact form and to ensure the security of our information technology systems.

The legal basis for processing the data is Article 6 (1) 1 (b) GDPR.

You can object to the processing. Your right to object is based on grounds relating to your particular situation. We will no longer process your data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms or if the processing is for the establishment, exercise or defence of legal claims (Art. 21 (1) GDPR). In the event of your justified objection, we will examine the situation and either stop or adapt the data processing or point out to you our compelling legitimate reasons on the basis of which we will continue the processing.

Data collection and online survey management

This type of service allows this application to manage the creation, deployment, management, distribution and analysis of online forms and surveys in order to collect, store and reuse data from all responding users.
The personal data collected depends on the information requested and provided by users in the corresponding online form.

These services may integrate with a variety of third-party services to allow the provider to take further steps with the processed data – e.g., managing contacts, sending messages, analytics, advertising, and payment processing.

Services and service providers used:

Typeform (TYPEFORM S.L)

Typeform is a form builder (for creating online forms) and a data collection platform provided by TYPEFORM S.L..

Personal data processed: Email; Last name; First name; Data transmitted during the use of the service.

Place of processing: Spain – Privacy Policy.

What happens if you subscribe to a newsletter?

On our website, users have the option of subscribing to a newsletter and giving consent to the processing of personal data required for this purpose. To sign up for the newsletter, the user must provide their email address, first and surname and the form of address to which the newsletter should be sent. Further information may be provided voluntarily. These data are solely used to send the newsletter and shall not be passed on to third parties. The legal basis for processing the data is Article 6 (1) 1 (a) GDPR. The user has the right to withdraw their consent at any time without affecting the legitimacy of the processing carried out on the basis of the consent before the withdrawal. In this case, they no longer receive the newsletter. The purpose of the processing is direct marketing (by email or post)

On registration, the IP address of the accessing system and the date and time of the registration as well as the email verification are also collected. These data are solely processed for the purpose of being able to retrace potential misuse of an email address. The legal basis for processing the data described above is Article 6 (1) 1 (f) GDPR.

The subscribed newsletters contain so-called tracking pixels. A tracking pixel is a miniature graphic embedded in emails in HTML format. The embedded tracking pixel enables us to identify whether and when the newsletter was opened by the recipient and which links in the newsletter were clicked by the recipient. The data collected in the tracking pixels contained in the newsletters are anonymously stored and processed for statistical purposes in order to optimise the newsletter distribution and adapt the content of future newsletters even better to the recipient’s interests.

In principle, our newsletter registration makes use of a so-called double opt-in procedure. This means that, after signing up, you receive an email in which you are asked to confirm your registration. This confirmation is necessary so that no one can sign up with someone else’s email address. Please note that you can object to the receipt of direct marketing and data processing for the purposes of direct marketing at any time. In this regard, you have a general right to object without stating grounds (Art. 21 (2) GDPR). After exercising your right to object, we will erase your data in connection with existing customer advertising. To this end, click the unsubscribe link in the email in question or send us your objection. You can also prevent tracking by deactivating image display in your email program by default. In this case, the newsletter is not fully displayed and you may not be able to use all the features. If you manually activate image display, the abovementioned tracking occurs.

Services and service providers used:

Mailchimp

Email marketing platform; service provider: “Mailchimp” – Rocket Science Group, LLC, 675 Ponce De Leon Ave NE #5000, Atlanta, GA 30308, USA; website: https://mailchimp.com; privacy policy: https://mailchimp.com/legal/privacy/.

How long are your personal data stored?

Unless longer periods of storage are required by law, personal data concerning visitors to our website are erased if such data are no longer required for the purposes described in this data protection notice. Usage data are regularly stored for a period of 30 days. Cookies are stored for 30 days for the specified purposes. As before, you can independently erase cookies via your browser. Data entered in contact forms are erased as soon as the relevant inquiry has been fully processed. We store newsletter order data until any cancellation of the newsletter.

Are external hosting services used?

In order to be able to provide our online offering securely and efficiently, we use the services of an external web hosting provider, from whose servers the online offering can be accessed. We may use infrastructure and platform services, computer capacity, storage capacity, database services, security services and technical maintenance services for these purposes. In this respect, all data that are required to operate and use our website are processed.

The data processed within the framework of the provision of the hosting offering may include all information relating to the users of our online offering that is collected within the scope of use and communication. This routinely includes the IP address, which is necessary in order to be able to deliver the contents of online offerings to browsers, and all entries made within our online offering or from websites.

We use external hosting services to run this website. By using external hosting services, we aim to make our website available in an efficient and secure manner. The legal basis for the processing is Art. 6 (1) 1 (f) GDPR.

You can object to the processing. Your right to object is based on grounds relating to your particular situation. We will no longer process your data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms or if the processing is for the establishment, exercise or defence of legal claims (Art. 21 (1) GDPR). In the event of your justified objection, we will examine the situation and either stop or adapt the data processing or point out to you our compelling legitimate reasons on the basis of which we will continue the processing.

The application procedure presupposes that applicants provide us with the data necessary for their assessment and selection. The information required can be found in the job description or, in the case of online forms, in the information contained therein.

Legal basis

The legal basis for the processing is Art. 6 (1) (b) GDPR on the initiation or execution of contractual relationships. Furthermore, we may process your personal data if this is required to fulfil legal obligations (Art. 6 (1) (c) GDPR) or defend legal claims asserted against us. The legal basis thereof is Art. 6 (1) (f) GDPR.

Which data are concerned?

In principle, the required information includes personal information such as name, address, a contact option and proof of the qualifications required for a particular position. On request, we will additionally be happy to inform you which information is required.

Applicants can send us their applications by email to an address set up specifically for this purpose. Please note, however, that emails on the internet are generally not sent in encrypted form. As a rule, emails are encrypted during transport but not on the servers from which they are sent and received. We can therefore accept no responsibility for the transmission path of the application between the sender and the receipt on our server.

Applicants are welcome to contact us about how to submit their application or send it to us by post.

Sources of data

We process personal data that we receive from you by post or email within the framework of initial contact or your application or that you convey to us by email/post.

Automated decision-making

We do not perform any automated evaluation of your data (Art. 22 GDPR). Should such methods be used in specific cases, we will inform the data subjects to the extent provided by law.

Data recipients

We pass on your personal data within our company solely to the divisions and persons who require these data to fulfil the contractual and legal obligations or pursue our legitimate interest.

Data retention period / erasure:

In the event of a successful application, the data provided by the applicants may be further processed by us for the purposes of the employment relationship. Otherwise, if the application for a job offer is unsuccessful, the applicants’ data are erased. Applicants’ data are also erased if an application is withdrawn, to which applicants are entitled at any time. Subject to a justified withdrawal by the applicants, the erasure will take place at the latest after the expiry of a period of six months, so that we can answer any follow-up questions regarding the application and comply with our duty of proof under the regulations on equal treatment of applicants.

Right to object

If the processing of your personal data takes place to protect legitimate interests in accordance with Art. 6 (1) (f) GDPR, you have the right pursuant to Art. 21 GDPR to object to the processing of this data at any time on grounds relating to your particular situation. We will then no longer process this personal data, unless we can demonstrate compelling legitimate grounds for the processing. These must override your interests, rights and freedoms, or the processing must be for the establishment, exercise or defence of legal claims.