Data protection

This privacy policy provides clarification on the type, scope and purpose for processing personal data (hereinafter briefly “Data”) within the context of the services we provide and within our web presence and related websites, functions and content as well as any external web presence, such as our social media sites (collectively hereinafter referred to as “web presence”). With respect to the terms used, such as “Processing” or “Controller”, we hereby refer to the definitions in Art. 4 of the General Data Protection Regulation (GDPR). 

Controller

TETRAS GmbH

Kistlerhofstr. 111

81379 Munich, Germany

Represented by:

Milos Kucik, Managing Director

Phone: +49 89 716 7216 30

Email: tetras@tetras.de

Types of processed data

– Master data (such as names, addresses);
– Contact data (such as email address, phone numbers);
– Content data (such as text entries, photos, videos);
– Usage data (such as visited websites, interest in content, access times);
– Meta/ communication data (such as device information, IP addresses).

Data Subject Categories

Visitors and users of web presence (hereinafter, we refer collectively to data subjects as “Users”).

Purpose of processing

– The availability of a web presence, its functions and content;
– Responding to contact requests and communicating with users;
– Security measures;
– Reach measurement/ marketing.

Data sources

We receive the personal data from the data subjects themselves, either when they visit our website, use the contact form, initiate contact with us at trade shows, contact us by phone, send email requests or contact us in similar ways.

Moreover, we also collect data through publicly accessible sources such as Xing or LinkedIn profiles, entries in publicly accessible commercial registers, phone book and business directories or similar means of contact.

Relevant legal bases

We provide you with information on the legal basis of our data processing in accordance with Art. 13 GDPR. For users from the scope of validity of the General Data Protection Regulation (GDPR), i.e. from the EU and the EEA, the following applies, unless the legal basis is mentioned otherwise in the Privacy Policy: 

• The legal basis for the obtaining consent is Art. 6 (1) (a) and Art. 7 GDPR;
• The legal basis for processing data in order for us to satisfy our services and to implement contractual measures as well as responding to requests is Art. 6 (1) (b) GDPR;
• The legal basis for processing data to meet our legal obligations is Art. 6 (1) (c) GDPR;
• In the event that vital interests of the data subject or another natural person render the processing of personal data necessary, Art. 6 (1) (d) GDPR is the legal basis.
• The legal basis for when data processing is necessary for the performance of a task carried out in the public interest or in exercising official authority vested in us as the controller is Art. 6 (1) (e) GDPR. 
• The legal basis for processing data to pursue our legitimate interests is Art. 6 (1) (f) GDPR; 
• The processing of data for any purposes other than that for which the personal data have been collected is defined in accordance with the stipulations of Art. 6 (4) GDPR. 
• The processing of special categories of personal data (according to Art. 9 (1) GDPR) is defined based on the stipulations of Art. 9 (2) GDPR. 

Security measures

We take suitable technical and organizational measures in accordance with legal provisions, accounting for the state of the art, implementation costs and the nature, scope, circumstances and purposes for processing data as well as the different likelihoods and severity of the risk to the rights and freedoms of individuals to ensure a level of protection appropriate to the risk.

Such measures include, in particular, ensuring the confidentiality, integrity and availability of data by controlling physical access to the data, as well as the access, input, disclosure, backup of availability and disconnection thereof. Moreover, we have also installed methods, which guarantee that the data subjects’ rights are exercised, data are erased and that there is a response to any threats to the data. Furthermore, we also account for the protection of personal data as early as during the development or choice of hardware, software and processes in accordance with the principles of data protection with the design of the technology and with privacy-enhancing default settings.

Cooperating with order processors, joint controllers and third parties

If, during the course of our processing of data, we disclose said data to other individuals or companies (order processors, joint controllers or third parties), transmit such data to them or grant access to the data otherwise, this will only be done on the basis of a legal permission (such as in cases where data must be transmitted to third parties, such as payment processors, or is required to fulfill the contract), users have granted their consent, there is a legal obligation to do so or on the basis of our legitimate interests (such as for when employing agents, web host providers, etc.). 

If we disclose, transmit or allow access otherwise to data of other companies within our corporate Group, this will be done especially for administrative purposes as a legitimate interest accounting for recital 48 (“small intra group exemption”).  

Transfers to third countries

If we process data in a third country (i.e. outside of the European Union (EU), the European Economic Area (EEA) or the Swiss Confederation) or where we utilize third party services or disclose, or rather transfer data to other persons or companies, this will only serve to fulfill our (pre-)contractual obligations. Subject to legal or contractual permission, we process data or have data processed in a third country only if legal requirements exist. That is, the data are processed, for example, on the basis of specific guarantees, such as officially recognized definition of a data protection level equivalent to that of the EU (such as the “Privacy Shield” in the United States), in observance of officially recognized special contractual obligations or in exceptional scenarios according to Art. 49 (1) (c) GDPR.

Rights of data subjects

You have the right to request a confirmation on whether relevant data are being processed and to obtain information about such data and any other information and a copy of the data in accordance with legal requirements.

You have the right in accordance with legal requirements to request completion of the relevant data or correction of the incorrect data pertaining to your person.

You also have the right in accordance with legal requirements to have the relevant data erased without undue delay, or alternately to have the data processing limited in accordance with legal requirements.

You also have the right in accordance with legal requirements to receive the relevant data that you provided us with and to request that such data are transferred to other controllers. 

Moreover, you also have the right in accordance with legal requirements to file a complaint with the responsible supervisory authority.

Right of revocation

You have the right to revoke the consent you issued with effect for the future.

Right to object

You may object to the future processing of your personal data at any time in accordance with legal requirements. In particular, the objection can be made against the processing of your data for the purposes of direct marketing.

Cookies and the right to object for direct marketing

“Cookies” is a term used to reference small text files that are stored on the users’ computers. Different information can be stored within the cookies. A cookie serves primarily to store the information about a user (or the device on which the cookie is stored) during or even after the user’s visit to a web presence. Temporary cookies, “session cookies” or “transient cookies”, are cookies that are deleted after a user leaves an web presence and closes his/her browser. The contents of a shopping cart in an online shop or the login status may be stored in this kind of cookie. “Permanent” or “persistent” cookies are such that remain stored even after the browser is closed. For example, a login status can be stored if the user visits the page several days later. Likewise, a cookie of this kind may store the interests of the users, which are used for reach measurement or for marketing purposes. A “third-party cookie” refers to cookies that are offered by providers other than the controller that runs the web presence (otherwise, if this only relates to their cookies, they are referred to as “first-party cookies”).

We may use temporary and permanent cookies and provide clarification on this in our privacy policy.

If the users do not want to have cookies stored on their computer, they are asked to disable the corresponding option in their browsers’ system settings. Saved cookies can be deleted in the browser’s system settings. Excluding cookies may restrict some functions on this web presence.

You may generally object to the use of cookies used for the purposes of online marketing for a variety of services, especially in cases in which data are traced, on the US page http://www.aboutads.info/ or the EU page http://www.youronlinechoices.com/. Furthermore, you can keep cookies from being stored by disabling them in the browser settings. Please keep in mind that in some cases, the result will be that not all functions of the web presence can be used.

Erasing data

TETRAS shall be entitled, within the meaning of the mandatory provisions of applicable law, to retain, in any form whatsoever, the documents provided as follows:

1. Accounting documents for a period of 10 years from the date of issue
2. Business communications for a period of 5 years from the date of provision

TETRAS shall be entitled to keep the other Party to the Agreement in its internal database for as long as the required duration of database retention within the meaning of the mandatory provisions of applicable law.

If the data are not erased, because they are needed for other legally permissible purposes, the processing thereof will be restricted. This means that the data will be blocked and not processed for any other purpose. 

Changes and updates to the privacy policy

We ask that you regularly review the content of this privacy policy. We adjust the privacy policy as soon as the changes to the data processing we make require it. We will notify you as soon as the changes require an action on your part (for example your consent) or any other separate notification.

Processing for business purposes

In addition, we also process

– Contract data (such as subject of the contract, term, customer category).

– Payment data (such as bank details, payment history)

of our customers, prospects and business partners for the purpose of providing contractual performances, services and customer care or for marketing, advertising and market research purposes.

Contractual services

We process the data of our contract partners and prospects as well as other contract awarders, customers, clients or contract partners (commonly referred to as “contract partners”) in accordance with Art. 6 (1) (b) GDPR in order to provide them with our contractual or pre-contractual services. The data processed, their nature, scope, purpose and necessity of the processing thereof is determined based on the underlying contractual relationship. 

The processed data includes the master data of our contractual partners (such as their names and addresses), contact data (such as their email addresses and phone numbers) as well as contract data (such as the services used, content of the contract, contractual communication, names of contact persons) and payment details (such as bank details, payment history). 

We generally do not process specific categories of personal data, except if they are integral parts of the assigned processing or relate to processing pursuant to the contract. 

We process data that are required for the justification and fulfillment of the contractual services and notify of the necessity of their information, if this is not evident to the contractual partners. The data are only disclosed to third-party persons or companies if required by contract. When processing the data assigned to us as a part of a contract, we act in accordance with the instructions of our client and with legal requirements. 

When utilizing our online services, we may store the IP address and the time of the respective user action. Data are stored on the basis of our legitimate interests, as well as the interests of your users to be protected against misuse or any other unauthorized use. As a general rule, we do not share data with third parties, unless doing so is required in pursuit of our claims according to Art. 6 (1) (f) GDPR or there is a legal obligation to do so pursuant to Art. 6 (1) (c) GDPR.

Data are erased if data are no longer required to fulfill contractual or legal due diligence or to handle any warranty and comparable obligations, whereas it will be reviewed every three years if keeping the data is necessary; otherwise legal storage obligations apply.

Administration, financial accounting, office organization, contact management

We process data during the course of our administrative tasks and in the organization of our business, as part of our accounting and in adherence to legal obligations, such as for archiving purposes. In doing so, we process the same data that we process in the course of rendering our contractual services. The basis for processing is Art. 6 (1) (c) and (1) (f) GDPR. The processing affects customers, prospects, business partners and website visitors. Data are processed for the purpose and in the interest of administration, financial accounting, office organization, data archiving, i.e. tasks intended to maintain our business activities, perform our duties and provide our services. Data with respect to contractual performances and contractual communication are erased to correspond to the information provided during these processing activities.

In doing so, we disclose or transfer data to the fiscal authority, consultants, such as tax consultants or certified public accountants as well as to other fee collecting agencies and payment service providers.

Moreover, we store information on suppliers, event organizers and other business partners on the basis of our business interests, for example for the purpose of making contact at a later time. Generally, we store such for the most part company related data permanently.

Customer portal

Customers receive access to the Tetras customer portal. To grant access, the customer submits the company name, the necessary data of the contact person (company name, contact person, email address) to Tetras and then the access data.  

Customers can be notified by email about any information relevant to their customer account, such as any technical changes. Access to the customer portal will be blocked once the cooperation has ended or the customer’s registered contact is no longer responsible for the project.

When the customer makes use of the customer portal, we store the IP address and the time of the respective user action. Data are stored on the basis of our legitimate interests, as well as those of the users to be protected against misuse or any other unauthorized use. As a general rule, we do not share data with third parties, unless doing so is required in pursuit of our claims or there is a legal obligation to do so pursuant to Art. 6 (1) (c) GDPR. The IP address is deleted at the end of the session.

Contact

When contacting us (e.g. via a contact form, by email, phone or via social media), the user’s information is collected for the purpose of processing the contact request pursuant to Art. 6 (1) (b) (as a part of contractual / pre-contractual relationships) and Art 6 (1) (f) (other requests) GDPR. The user’s information may be stored in a Customer Relationship Management (“CRM system”) or comparable request organization.

We delete requests once they are no longer necessary. We review every two years whether such requests are necessary; legal archiving obligations apply otherwise.

Hosting and sending email

The hosting services that we utilize are intended to make the following services available: The infrastructure and platform services, computing capacity, storage and database services, email delivery, security and technical maintenance services that we use to operate this web presence. 

Here, we or our hosting provider processes master data, contact data, content data, contract data, usage data, meta and communication data of customers, prospects and visitors to this web presence on the basis of our legitimate interests in an efficient and secure provision of this web presence pursuant to Art. 6 (1) (f) GDPR in conjunction with Art. 28 GDPR (conclusion of an order processing contract).

Collecting access data and log files

We, or rather our hosting providers, collect personal data on the basis of our legitimate interests as defined in Art. 6 (1) (f) GDPR each time the server on which this service is hosted is accessed (so-called server log files). Among the access data are the name of the retrieved web page, file, date and time of retrieval, amount of data transferred, notification of successful retrieval, browser type and version, the user’s operating system, the referring URL (the previously visited page), IP address and the requesting provider.

For security reasons (such as for clarification of misuse or fraudulent actions) log file information is stored for a period of no more than seven days and is then erased. Data, which must be retained for longer periods of time for evidential purposes, are excluded from the erasure until the incident has ultimately been clarified.

Google Tag Manager

Google Tag Manager is a solution that allows us to manage so-called web site tags using a single interface (including integrating Google Analytics and other Google marketing services into our web presence). The Tag Manager itself (which implements the tags) does not process any of the user’s personal data. We hereby reference the following information on Google services with respect to how the users’ personal data are processed. Use policy: https://www.google.com/.

Google Analytics

We use Google Analytics, a Google LLC (“Google”) web analysis service, based on our legitimate interests (i.e. our interest in the analysis, optimization and commercial operation of our web presence as understood under Art. 6 (1) (f) GDPR). Google uses cookies. The information generated by the cookie about use of the web presence by the user is typically transmitted to a Google server in the United States and stored there.

Google is certified under the Privacy Shield Agreement and thus offers a guarantee to adhere to the European data protection regulations (https://www.privacyshield.gov/).

Google will use this information on our behalf in order to evaluate the use of our web presence by the users, to compile reports about online activities and to provide us with additional services associated with the web presence and Internet usage. In the process, pseudonym user profiles of the user may be created using the processed data.

We only use Google Analytics with enabled IP anonymization. This means that the user’s IP address will first be abbreviated by Google within any Member State of the European Union or any other contracting parties to the agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to the Google Server in the USA and abbreviated there.

The IP address transmitted by the user’s browser will not be consolidated with other Google data. Users may prevent cookies from being stored by making the relevant setting in their browser software; furthermore, users may also prevent Google from collecting the data generated by the cookie related to their use of the web presence and any processing of such data by Google by downloading and installing the browser plug-in available under the following link: http://tools.google.com/.

For more information on data usage by Google, settings and objection option, please refer to the Google Privacy Policy (https://policies.google.com/) and for the settings for displaying advertising impressions by Google (https://adssettings.google.com/).

The users’ personal data are erased or anomyzed after 14 months.

Google DoubleClick

We use the services of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”) based on our legitimate interests (i.e. our interest in the analysis, optimization and commercial operation of our web presence as understood under Art. 6 (1f) GDPR).

Google is certified under the Privacy Shield Agreement and thus offers a guarantee to adhere to the European data protection regulations (https://www.privacyshield.gov/).

We use Google “DoubleClick”, an online marketing method, to place ads in the Google advertising network (such as in search engines, videos, on websites, etc.). DoubleClick features the ability to display ads in real-time based on assumed interests of users. This allows us to display more targeted ads for and within our web presence so that we present only such ads to users that might potentially be of interest to them. If, for example, a user is shown ads for products that the user showed an interest in on other online sites, this is referred to as “remarketing”. For these purposes, when accessing our website and those of others on which the Google Advertising Network is active, Google will immediately issue a Google code and so-called (re-)marketing tags (invisible graphics or a code, also known as ” web beacons “) are integrated into the website. A separate cookie, i.e. a small file, is stored on the user’s device with the help thereof (comparable technologies may also be used instead of cookies). Noted in this file are the various websites that the user visited, which content the user was interested in and which offers the user clicked on. It also contains technical information about the browser and the operating system, referencing websites, the time of the visit and additional information on how the online page was used. 

The users’ IP addresses are also collected, whereas they will be abbreviated within any Member State of the European Union or any other contracting parties to the agreement on the European Economic Area and only transmitted entirely to a Google server in the United States in exceptional cases, where they will be abbreviated. The aforementioned information may also be consolidated by Google with such information from other sources. If the user then visits other websites, targeted ads may be shown to the user based on his/her assumed interests and user profile.

The users’ data are processed under a pseudonym within the Google Advertising Network. This means, Google does not store and process the names or email addresses of the users, for example, but instead processes the relevant data cookie-related within user profiles using a pseudonym. So, from the perspective of Google, the ads are not managed and displayed for a specifically identified person but for the cookie owner, irrespective of who this cookie owner is. This does not apply if a user expressly allows Google to process the data without this kind of pseudonymization. The information collected on the user by Google Marketing Services are transmitted to Google and stored on Google servers in the United States.

For more information on data usage by Google, settings and objection options, please refer to the Google Privacy Policy (https://policies.google.com/).

Jetpack (WordPress Stats)

Based on our legitimate interests (i.e. our interest in the analysis, optimization and commercial operation of our web presence as understood under Art. 6 (1f) GDPR), we use the Jetpack plug-in (here the sub-function “WordPress Stats”), which integrates a tool used for the statistical analysis of which pages visitors access and is provided by Automattic Inc., 60 29th Street #343, San Francisco, CA 94110, USA. Jetpack uses so-called “Cookies”, text files that are stored on your computer, which allow your use of the website to be analyzed.

The information generated by the cookie about your use of this web presence is stored on a server in the United States. User profiles of the users may be created from the processed data, whereas they are only used for analysis purposes and not for advertising purposes. For more information, refer to the Automattic privacy policy: https://automattic.com/ and information on Jetpack cookies: https://jetpack.com/.

Web presence on social media

We manage web presences on social networks and other platforms to be able to communicate with active customers, prospects and users there and to be able to inform them of our services.

Please note that the users’ data may be processed outside of the area of the European Union. This may result in risks for users, because it may become more difficult for user to assert their rights. With respect to US providers certified under the Privacy Shield, we hereby note that under it, they are obligated to adhere to EU data policy standards.

Moreover, the users’ data are typically processed for market research and advertising purposes. This allows the creation of user profiles based for example on usage behavior and the users’ interests shown as a result. User profiles can then on their part be used to place ads inside and outside of the platforms, for example, which match the assumed interests of the users. Generally, cookies, which store the usage behavior and the interests of the user, are stored on computers of the users for this purpose. Furthermore, data may also be stored in user profiles irrespective of the devices used by the users (especially if users are members of the relevant platforms and are logged onto them).

The personal data of the users are processed on the basis of our legitimate interests in offering effective information to users and in communicating with users pursuant to Art. 6 (1) (f) GDPR. If the relevant platform providers request the users to provide their consent to the data processing described above, the legal basis for data processing is Art. 6 (1) (a) and Art. 7 GDPR.

For a more details on how data are processed and the objection options (opt-out options), please refer to the details of the providers shown in the links below.

In the case of information requests and the assertion of user rights, please note that it is more effective to claim them from the providers. Only the providers have access to the user data, may take appropriate action without undue delay and disclose information. However, if you still need help, please feel free to contact us.

– Facebook, pages, groups, (Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland) on the basis of an Agreement on jointly processing personal data – Privacy Policy: https://www.facebook.com/, especially for pages: https://www.facebook.com/, Opt-Out: https://www.facebook.com/, Privacy Shield: https://www.privacyshield.gov/.

– Google/ YouTube (Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) – Privacy Policy:  https://policies.google.com/, Opt-Out: https://adssettings.google.com/, Privacy Shield: https://www.privacyshield.gov/.

– Instagram (Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA) – Privacy Policy / Opt-Out: http://instagram.com/.

– Twitter (Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA) – Privacy Policy: https://twitter.com/, Opt-Out: https://twitter.com/, Privacy Shield: https://www.privacyshield.gov/.

– LinkedIn (LinkedIn Ireland Unlimited Company Wilton Place, Dublin 2, Ireland) – Privacy Policy https://www.linkedin.com/, Opt-Out: https://www.linkedin.com/, Privacy Shield: https://www.privacyshield.gov/.

Integrating third-party services and content

We use the content and services of third-party providers as a means to integrate their content and services, such as videos or fonts (hereinafter commonly referred to as “content”) based on our legitimate interests (i.e. our interest in the analysis, optimization and commercial operation of our web presence as understood under Art. 6 (1) (f) GDPR). 

This requires that the third-party providers of this content recognize the user’s IP address, because without the IP address they would be unable to send the content to their browsers. Thus, the IP address is required in order to show this content. We make every attempt to use such content whose providers use the IP address only for the delivery of the content. Furthermore, third-party providers may use so-called pixel tags (invisible graphics also known as “web beacons”) for statistics or marketing purposes. These pixel tags allow information to be analyzed, such as visitor traffic on each page of a website. The pseudonymized information may also be stored in cookies on the user’s device and contain, among other things, technical information on the browser and the operating system, referring websites, time of visit as well as other details on the use of our web presence and also be linked to such information from other sources.

YouTube

We integrate videos from the “YouTube” platform offered by the provider Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Privacy Policy: https://www.google.com/.

Google Fonts

We integrate fonts (“Google Fonts”) offered by the provider Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Privacy Policy: https://www.google.com/.

Google Maps

We integrate maps from the “Google Maps” service offered by the provider Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Included in the data to be processed may be in particular IP addresses and the user’s location data, however which are not collected without their consent (typically provided when setting up the service in their mobile devices). This data may be processed in the United States. Privacy Policy: https://www.google.com/.

We are pleased that you have chosen to submit your application to us. In the following, we will explain how your personal data are processed as a part of the application process and make other information available to you that is relevant in connection with this.

1. Who is responsible for processing your personal data?

The controller is:

TETRAS GmbH

Kistlerhofstr. 111

81379 Munich, Germany

Controller:

Milos Kucik, Managing Director

Phone: +49 89 716 7216 30

Email: tetras@tetras.de

2. For what purpose and on what legal basis do we process personal data?

We process your personal data for the purpose of reviewing your application for an employment relationship to the extent that doing so is necessary for our decision to establish an employment relationship with us. The legal basis here is Art. 26 (1) in conjunction with (8.2) German Federal Data Protection Act (BDSG). Moreover, we can also process your personal data if this is necessary to defend against asserted legal claims against us arising from the application procedure. The legal basis here is Art. 6 (1) (f) GDPR, the legitimate interest is, for example, a burden of proof in proceedings under the General Equal Treatment Act (AGG). If we establish an employment relationship with you, we may process your personal data that we have already received from you pursuant to Art. 26 (1) BDSG for the purposes of the employment relationship if this is necessary for the implementation or termination of the employment relationship or to exercise or meet the rights arising from the law or a collective bargaining agreement, a works council/ employment agreement (collective agreement) and the duties of the employee representation.

3. What personal data categories do we process?

We process such data in connection with your application. This relates to general data about you (such as your name, address and contact details), information about your professional qualifications and education or details about your professional advanced education or any other information that you transmitted in connection with your application. Moreover, we may also process any publicly available information relating to your profession, such as a profile on professional social media networks.

4. From which sources do your personal data originate if we do not collect it from you?

We only collect data that you make available over the course of application process.

5. What categories of recipient data are there?

We may transmit your personal data to companies affiliated with us insofar as this is permissible as part of the purposes and legal bases illustrated under clause 3. Furthermore, personal data are processed on our behalf on the basis of contracts according to Art. 28 GDPR, in particular by host providers or providers of applicant management systems.

6. Is there any intention to transmit personal data to a third country?

We have no intention of transmitting data to a third country.

7. How long will your data be stored?

We store your personal data for as long as is necessary to come to a decision about your application. If no employment relationship is established between you and our company, we may additionally continue to store your personal data insofar as necessary for us to defend against potential legal claims. In this case, the application documents will be erased six months after we have announced our rejection decision, unless storing such data for a longer period of time is necessary due to legal disputes.

8. What are your rights?

As an applicant with us, depending on the situation, you have the following data privacy rights in an individual case, which you may exercise by contacting us or our data protection officer at any time using the details provided under clauses 1 and 2.

a. Information

You have the right to obtain information from us on the personal data that we process as well as to request access to your personal data and/or copies of such data. This includes information about the purpose of the use, the category of the used data, its recipients and those authorized to access the data as well as, if possible, the planned duration of data storage or, if this is not possible, the criteria used to define such duration;

b. Correction, erasure or restriction of processing

You have the right to request that we correct any of your personal data that is incorrect without undue delay. Accounting for the purposes of processing, you have the right to request completion of any incomplete personal data – also in the form of a supplemental statement.

c. Right to object

If your personal data are processed on the basis of Article 6 (1) (f) GDPR, you have the right, at any time, to object to the processing of such data for reasons arising from your particular situation. We shall no longer process your personal data unless we are able to verify overriding reasons worthy of protection justifying the processing thereof that outweigh your interests, rights and freedoms, or if the processing thereof serves to establish, exercise or defend against legal claims.

d. Right of withdrawal

If the processing of your data is based on your consent, you have the right to withdraw your consent at any time without affecting the lawfulness of processing based on consent before its withdrawal. For this purpose, you may contact us or our data protection officer at any time using the details provided above.

e. Right to erasure

You have the right to ask us to erase your personal data without undue delay; we shall be obliged to erase such data without undue delay, provided one of the following reasons applies:

• The personal data are no longer required for the purpose for which they were collected or otherwise processed;
• You object pursuant to number 8.c above to the processing of the personal data and there are no overriding legitimate reasons for the processing thereof;
• The personal data was unlawfully processed;
• The personal data must be erased for compliance with a statutory obligation as per the EU law or the law of the Member States to which we are subject.

This shall not apply if processing is required:

• To meet a legal obligation that requires processing under the law of the European Union or of the Member States to which we are subject.
• To assert, exercise or defend legal claims.

f. Right to restriction of processing

You have the right to obtain from us restriction of processing where one of the following requirements exists:

• You dispute the accuracy of your personal data, and do so for a period that allows us to verify the accuracy of the personal data;
• If the processing is unlawful and you reject the erasure of the personal data and instead request restriction of use of the personal data;
• We no longer need the personal data for the purpose of processing, yet you require said data to establish, exercise or defend legal claims; or
• An objection to the processing of your data has been filed pursuant to clause 8.c above for as long as it is not yet certain whether our legitimate reasons override your reasons. If the processing pursuant to this clause e has been restricted, then this personal data – except for its storage – may be processed only with your consent or for the purpose of asserting, exercising or defending legal claims or to protect the rights of another natural person or legal entity or for reasons of important public interest of the European Union or of a Member State. If you have affected a restriction of processing, we will inform you prior to removing the restriction.

g. Right to lodge a complaint

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority – in particular in the Member State of your residence, your place of work or the place of the alleged violation – if you feel that the processing of your personal data is in violation of GDPR.

9. Requirement to provide personal data

The provision of personal data is neither required by law nor by contract, nor are you obligated to provide your personal data. However, you must provide your personal data in order to conclude an employment contract with us. This means that if you do not provide us with any personal data when submitting an application, we will not establish an employment relationship with you.

With the following information, allow us to provide you with an overview on how we process your personal data and of your rights under the data protection law. Which data will be processed in detail and it what manner it will be used depends for the most part on the applied for or agreed upon components of your employment relationship or contractual relationship otherwise.

Who is responsible for data processing and who can I contact?

The controller is:

TETRAS GmbH

Kistlerhofstr. 111

81379 Munich, Germany

Controller:

Milos Kucik, Managing Director

Phone: +49 89 716 7216 30

Email: tetras@tetras.de

What sources and data do we use?

We process personal data that we receive from our employees and other comparable data subjects during the course of the employment relationship.

In particular, the personal data includes:

• Personal details (such as name, address, contact details, date and place of birth and citizenship)
• Family details (such as marital status and information about children)
• Religious affiliation
• Health data (if relevant to the employment relationship, for example in the event of a severe disability)
• Authentication data (such as identification data)
• Tax ID number
• Information about qualifications and employee development (such as education, vocational training, language skills and advanced training)
• Information about employment relationships (such as hiring data, designation of the occupation and title)
• Payroll tax relevant data from the fulfillment of the contractual obligations (such as salary details)
• Information about employees’ financial situation (such as liabilities and salary garnishments)
• Social security data
• Data relating to a pension scheme or retirement fund
• Information about working hours (such as timekeeping, leave, sick days and data in connection with business travel)
• Authorization data (such as entry and access rights)

as well as any other data comparable to the aforementioned categories.

What do we process your data for (purpose of processing) and on what legal basis?

We process personal data in accordance with the provisions of the European General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG):

To meet contractual obligations (§ 26 BDSG)

Data are processed to establish, implement or terminate the employment relationship in fulfillment of a contract with you or to execute pre-contractual measures which are made on request.

On the basis of legal regulation (Art. 6 (1) (c), Art. 88 GDPR and § 26 BDSG)

As a company, we are subject to various legal obligations, i.e. legal requirements (such as social security law, employment law, in some cases professional laws for attorneys, tax laws) as well as stipulations under supervisory laws (such as bar associations). The purposes of the processing include, among other things, the verification of identity, the fulfillment of social security and control, reporting or documentation obligations under tax law as well as the management of risks within the company.

To the extent that special categories of personal data are processed pursuant to Art 9 (1) GDPR, in the context of the employment relationship, this serves the exercising of rights or the fulfillment of legal obligations under labor law, social security law and social protection (such as providing health information to health insurance providers, recording any severe disability to calculate additional leave and to calculate taxes for a severely disabled person). This is done on the basis of Art. 9 (2) (b) GDPR in conjunction with § 26 (3) BDSG new. In addition, the processing of health data may be necessary in order for us to assess your ability to work pursuant to Art. 9 (2) (h) in conjunction with § 22 (1) (b) BDSG new. In addition, the processing of special categories of personal data may be based on a consent according to Art. 9 (2) (a) GDPR in conjunction with § 26 (2) BDSG new (such as corporate integration management).

Who receives my data?

Within the company, those offices receive access to your data that require them in order to meet their contractual, legal and supervisory obligations and to protect the legitimate interests, such as the Human Resources.

The service providers and vicarious agents we employ may also receive your data for these purposes, unless the data are required to fulfill their respective service. All service providers are contractually required to treat your data as strictly confidential.
With respect to sharing data with recipients outside of the company, what must first be considered is that as an employer, we only share the required personal data in observation of the applicable data protection regulations. As a rule, we may only share information about our employees if we are required to do so by law, you have given your consent or we are otherwise authorized to share your data.

Under these conditions, recipients of personal data may be, for example:

• Social security agencies
• Health insurance providers
• Tax authorities
• Public offices and institutions (such as fiscal authorities and law enforcement) if a legal or official obligation exists
• Other companies for the purpose of settling payroll or comparable entities to which we transfer personal data for the purpose of conducting the contractual relationship (such as payroll processing)
• Auditors and accountants
• Service providers within the scope of their order processing relationships
• Other offices in additional companies within the Tetras Group

Other data recipients may include those for whom you have given us your consent to transmit your data to or to whom we have the authority to transfer personal data due to a balance of interests.

How long will my data be stored?

We process and store your personal data for as long as is necessary to satisfy our contractual and legal obligations. What must be considered here is that the employment relationship is a continuing obligation set up for a longer period of time.
Once data are no longer required to meet our contractual and legal obligations, they will be erased at regular intervals.

If data are processed to meet our legitimate interests or those of a third party, the personal data are erased as soon as this interest no longer applies.

What are my data privacy rights?

Each data subject has the right to information according to Article 15 GDPR, the right to rectification according to Article 16 GDPR, the right to erasure according to Article 17 GDPR, the right to restriction of the processing according to Article 18 GDPR, the right to object according to Article 21 GDPR and the right to data portability according to Article 20 GDPR. With respect to the right to information and the right to erasure, the restrictions according to Sections 34 and 35 BDSG apply. Furthermore, you also have a right to lodge a complaint with the responsible data protection supervisory authority (Article 77 GDPR).

You may revoke your consent to allowing us to process your personal data at any time. This also applies to revoking declarations of consent that were given to us prior to the effective date of the General Data Protection Regulation, thus prior to May 25, 2018. Please keep in mind that said revocation only takes effect for the future. Any data processing that occurs prior to the revocation is not affected.

Is there an obligation to provide data?

During the course of the work relationship, you must provide such personal data as required to commence, conduct and terminate an employment relationship, and to meet the required contractual obligations associated with that, or such data that we are legally required to collect. Without this data, we are generally not able to conclude a contract or implement one with you.

In how far are decisions made automatically?

We do not use any fully automated or automatic decision-making processes pursuant to Article 22 GDPR when establishing, implementing or terminating the employment relationship.

With the following information, allow us to provide you with an overview on how we process your personal data and of your rights under the data protection law. Which data will be processed in detail and it what manner it will be used depends for the most part on the applied for or agreed upon components of your contractual relationship.

Who is responsible for data processing and who can I contact?

The controller is:

TETRAS GmbH

Kistlerhofstr. 111

81379 Munich, Germany

Controller:

Milos Kucik, Managing Director

Phone: +49 89 716 7216 30

Email: tetras@tetras.de

What sources and data do we use?

We process personal data that we receive from our translators during the course of the employment relationship. Tetras also uses personal data from public sources such as social networks (such as LinkedIn, Xing, etc.) and other publicly accessible directories (ProZ, BDÜ, etc.).

In particular, the personal data includes:

• Personal details (such as name, address, contact details and citizenship)
• Information about qualifications (such as education, professional experience and language skills)
• Terms and conditions of work
• Payment details and contact information

as well as any other data comparable to the aforementioned categories.

What do we process your data for (purpose of processing) and on what legal basis?

We process personal data in accordance with the provisions of the European General Data Protection Regulation (GDPR):

To meet contractual obligations (Art. 6 (1) (b))

Data are processed to implement pre-contractual measures and to conduct the contract concluded with the translator.

Based on legal regulations (Art. 6 (1) (c) GDPR)

As a company, we are subject to various legal obligations, i.e. legal requirements (such as tax laws). We process personal data within the scope of these legal requirements.

Who receives my data?

Within the company, those offices receive access to your data that require them in order to meet their contractual, legal and supervisory obligations and to protect the legitimate interests.

The service providers and vicarious agents we employ may also receive your data for these purposes, unless the data are required to fulfill their respective service. All service providers are contractually required to treat your data as strictly confidential.
With respect to sharing data with recipients outside of the company, what must first be considered is that as an employer, we only share the required personal data in observation of the applicable data protection regulations. As a rule, we may only share information about our employees if we are required to do so by law, you have given your consent or we are otherwise authorized to share your data.

How long will my data be stored?

TETRAS shall be entitled, within the meaning of the mandatory provisions of applicable law, to retain, in any form whatsoever, the documents provided as follows:

1. Accounting documents for a period of 10 years from the date of issue
2. Business communications for a period of 5 years from the date of provision
3. NDA and the Framework Cooperation Agreement for a period of 2 years from the termination, in writing, of the collaboration

TETRAS shall be entitled to keep the other Party to the Agreement in its internal database for as long as the Framework Agreement remains in force, as well as for the required duration of database retention within the meaning of the mandatory provisions of applicable law.

If data are processed to meet our legitimate interests or those of a third party, the personal data are erased as soon as this interest no longer applies.

What are my data privacy rights?

Each data subject has the right to information according to Article 15 GDPR, the right to rectification according to Article 16 GDPR, the right to erasure according to Article 17 GDPR, the right to restriction of the processing according to Article 18 GDPR, the right to object according to Article 21 GDPR and the right to data portability according to Article 20 GDPR. With respect to the right to information and the right to erasure, the restrictions according to Sections 34 and 35 BDSG apply. Furthermore, you also have a right to lodge a complaint with the responsible data protection supervisory authority (Article 77 GDPR).

You may revoke your consent to allowing us to process your personal data at any time. This also applies to revoking declarations of consent that were given to us prior to the effective date of the General Data Protection Regulation, thus prior to May 25, 2018. Please keep in mind that said revocation only takes effect for the future. Any data processing that occurs prior to the revocation is not affected.

Is there an obligation to provide data?

During the course of the contractual relationship, you must provide such personal data as required to commence, conduct and terminate the contract or that we are legally required to collect. Without this data, we are generally not able to conclude a contract or implement one with you.

Issue date: March 2019

Tetras GmbH Privacy Policy

Guidelines for Transmitting Data to a Third Country

Transmitting personal data to third countries

Tetras is committed to providing high-quality language services.

The best suppliers of these services are in those countries in which the relevant language is spoken. Only by being fully in touch with a language is it possible to keep step with the changing application of a language and to master it fluently. Furthermore, it is precisely in these countries where we will be most likely to find a translator that offers language services in this language.

Not all countries are in the EU or are on the list of countries that the EU Commission deems as appropriate. For example, China, India, Japan, UAE are not on the list.

Your data may also be processed by employees who work for us or another entity outside of the EEA and who process data as data processors on our behalf. These employees may, for example, may be commissioned to complete your request, your order or to provide support services.

In this case, Art. 49 (1) (c) GDPR forms the legal basis for the data transmission. In certain situations, it also allows data to be transmitted outside of the EU. If a document to be translated contains personal data, we as a language service provider act according to these paragraphs.

If the files contain personal data, it is your responsibility to make the data subject aware of the fact that their data may be transmitted outside of the EU and outside of appropriate countries for the purpose of fulfilling the contract.

All of our translators in every country work pursuant to strict data privacy and security regulations and we always use protective measures when transmitting data.

You may object to the transmission of data to third countries. In this case, we will of course make every effort to find alternative providers located within the EU or in appropriate countries who can fulfill the order. However, this may have an adverse impact on delivery dates.