1. Content, scope and responsiblity

The following statement provides you with information about the processing of your personal data when you visit our website, www.sovanta.com, when you contact us or when you subscribe to our newsletter. This data privacy statement also applies to our blog, Blog Archives – sovanta AG. Some separate processing operations take place there, which we likewise explain below. Personal data include all information that relates to an identified or identifiable individual.

On our website and our blog, we have integrated various tools with which we can process data of our website visitors without them actively providing us with such.

Below, we explain to you in detail how we collect which data on which legal basis. Furthermore, we outline which rights you have and for how long your data are stored. Your data are processed in accordance with the provisions of the EU General Data Protection Regulation (GDPR), the German federal data protection act (Bundesdatenschutzgesetzt – BDSG) and the German telemedia act (Telemediengesetz – TMG) as well as any other applicable statutory regulations.

The body responsible for the data processing is:

sovanta AG
X-House
Mittermaierstr. 31
69115 Heidelberg
Germany
Tel.: +49 (0)6221 18733-0
info@sovanta.com

You can contact our Data Protection Officer at:

sovanta AG
Data Protection Officer X-House
Mittermaierstr. 31
69115 Heidelberg
Germany
privacy@sovanta.com

2. Processing of your data when visiting our website using log files

On the basis of Art. 6 para. 1 sentence 1 lit. f GDPR, based on both our legitimate interest and that of our host provider in improving the stability and functionality of our website, our website uses so-called log files in which access data are stored every time a page is opened. The dataset stored here includes the following data:

• Your anonymised IP address, the date, the time, which file was accessed, the status, the enquiry made to the server by your browser, the volume of data transmitted and the website (referrer) from which you arrived on the requested page, as well as
• the product and version information of the browser used, your operating system and your home country.

The log data is used in anonymised form only, i.e. with no attribution or reference to your person, only for the purpose of being able to detect and if necessary to prevent attacks on our website. We reserve the right to store full IP addresses in individual cases and to analyse these if certain facts arise to the suspicion that users are using our websites and/or services illegally or uncontractually. The IP address will be anonymised as soon as we no longer require it.

3. Processing of your data if you contact us or in the event that an input form is used

If you provide us with personal data by contacting us e.g. by email, we process your data in accordance with Art. 6 para. 1 sentence 1 lit. b GDPR for the purpose of performing a contract or in order to take steps prior to entering into a contract at your request, or in accordance with Art. 6 para. 1 sentence 1 lit. f GDPR on the basis of our legitimate interest in responding to your enquiry.

To enable email communication for general requests and communication through email addresses with the “sovanta.com” extension, we use Microsoft Outlook. Microsoft processes your contact information, for example, email address and the content of your email. Microsoft stores your personal data on servers based in the European Economic Area (EEA). However, we cannot exclude that Microsoft accesses and therefore transfers your personal data to the United States. We have concluded a data processing agreement pursuant to Art. 28 para. 3 GDPR and EU standard contractual clauses with Microsoft.

4. Processing of your data in the case of enrolment or registration for and conducting seminars/webinars/events

a) Enrolment or registration for events

Via our website, we offer seminars, webinars and other events (hereafter “events”). All data that we request for enrolment are used by us in accordance with Art. 6 para. 1 sentence 1 lit. b GDPR for the purpose of performing a contract or in order to take steps prior to entering into a contract, at your request, namely for completion of your enrolment for the respective event. Here, we request data that must essentially be provided and that we need for participation, which include your forename and surname and your email address, as well as data that you can enter voluntarily. When you enter additional data, we store those as well.

b) Conducting events using Zoom

To conduct events, we use the cloud-based video conferencing service Zoom. Zoom is a product by our service provider Zoom Video Communications, Inc, 55 Almaden Blvd, Suite 600, San Jose, CA 95113, USA. The legal basis for this processing is Art. 6 para. 1 sentence 1 lit. b GDPR for the purpose of fulfilling a contract or carrying out pre-contractual measures. When participating in events, your name, profile picture (optional), e-mail address and meeting data are processed, among other things. We have concluded a data processing agreement pursuant to Art. 28 para. 3 GDPR and EU standard contractual clauses with Zoom. Please note that data processing by Zoom takes place in the USA, among other places. For more information on data processing by Zoom, please refer to Zoom’s privacy policy: Privacy | Zoom.

c) Conducting events using Microsoft Teams

To conduct events, we may use the cloud-based video conferencing service Microsoft Teams. Microsoft Teams is a feature of Microsoft 365 by our service provider Microsoft Ireland Operations Limited, One Microsoft Place, South County Industrial Park, Dublin 18, D18 P521, Ireland. The legal basis for this processing is Art. 6 para. 1 sentence 1 lit. b GDPR, if we conduct the online meetings with our business partners as part of the fulfilment or initiation of a contract. Art. 6 para. 1 sentence 1 lit. f GDPR is the relevant legal basis if we process the data to fulfill our legitimate interest.

When using Microsoft Teams, various personal data and categories of data are processed. The scope of the data depends on the information you provide before or during participating in an online meeting. This may include user information (name, email address, profile picture), meeting metadata (date, start and end time, meeting ID) or text, video and audio data. In addition, you can optionally use the chat function during an online meeting. In this case, the text entries you make are processed in order to display them in the online meeting.

We have concluded a data processing agreement pursuant to Art. 28 para. 3 GDPR with Microsoft. Microsoft stores your personal data in the European Union. However, we cannot exclude that the parent company Microsoft Corporation accesses your personal data and thus transfers them to the United States. For more information on data processing by Microsoft, please refer to Microsoft’s privacy policy: Microsoft Privacy Statement – Microsoft privacy.

5. Processing of your data if you consent to receiving further informations

On the contact form, if you consent to receiving further communications from us, we process all the data you have entered on the contact form for the purpose of sending further communications, although we store the message text only if we are able to send you more targeted communications because of this. In addition, we store your IP address in order to be able to prove your consent.

You will receive further communications about products, services and other content that may be of interest to you and that are connected with sovanta. We use a third-party provider to send these further communications. This provider has been carefully selected by us and we have concluded data privacy regulations with the same, so that we maintain ownership of your data. We analyse the click and opening rates of our communications, i.e. we record who has opened the newsletter and clicked on which link in it.

You can unsubscribe from the further communications at any time by contacting us by email or by post at the aforementioned address (see point 1 above). The revocation of your consent by unsubscribing from the further communications has no effect on the legality of the data processing up to the time of revocation. If you unsubscribe from the further communications, the data stored by us for the purpose of sending the further communications will be erased unless the erasure is in breach of retention obligations under data protection law. The processing of the data takes place in Europe and the USA.

6. Processing of your data by means of cookies and tags

When you use our offer via our website, we use cookies. Cookies are small text files that are stored on your end device (laptop, tablet, smartphone or similar) when you use our website.

a) Cookies necessary for the operation of the website

For the operation of the website, we use technically necessary cookies to provide basic functionalities. The purpose of using these cookies is to simplify the use of websites for users. The legal basis for the processing of data from technically necessary cookies is § 25 para. 2 No. 2 of the New German Telecommunications-Telemedia Data Protection Act (TTDSG) in conjunction with Art. 6 para. 1 sentence 1 lit. f GDPR on the basis of our legitimate interest in a user-friendly design of our website.

b) Cookies not necessary for the operation of the website

Furthermore, we use non-essential (optional) cookies to improve the offers on our website on the basis of statistical evaluations or to optimise our marketing measures. The legal basis for this processing is your consent pursuant to § 25 para. 1 p. 1 of the TTDSG in conjunction with Art. 6 para. 1 sentence 1 lit. a GDPR. Data processing with the help of these cookies only takes place if we have received your consent for this in advance.

c) Personalisation of cookie settings

Before cookies are set, you will be asked through a cookie banner to make a selection as to which cookies may be set. This allows you to adjust the settings according to your personal preferences. Later, you can revoke or change these settings at the bottom of our website.

d) Data processing by HubSpot

For the purposes of analysis on our website and in our blog, we use a service from HubSpot Inc., 25 First St., 2^nd floor, Cambridge, Massachusetts 02141, USA (“HubSpot”). Cookies set here (see b) are stored on your computer and allow us to analyse your visit to the website. On our behalf, HubSpot analyses the information recorded (e.g. IP address, geographical location, browser type, visit duration and pages viewed) in order to generate reports on the visit and on the visited pages of sovanta AG. Further information about how HubSpot works can be found in the data privacy statement of HubSpot Inc., which is available at: http://legal.hubspot.com/de/pr….

You can prevent participation in this tracking process and thus object to the processing of your data for direct marketing purposes by preventing the setting of cookies and other tracking tools with a corresponding setting in your browser software.

7. Processing of personal data from applicants

a) Application process

If you apply to us electronically, i.e. by email our through the contact form on our career page, we will collect and process your personal data for the purpose of conducting the application procedure and carrying out pre-contractual measures. In this context, you transmit personal data, which we will use and store exclusively for the purpose of your job search / application process.

In particular, the following data is collected during this process:

• name (first and last names)
• email-address
• phone number (optional)

Furthermore, you can choose to upload additional documents such as a cover letter, your CV and certificates. These may contain additional personal data, e.g. date of birth, postal address etc. We conduct several rounds of interviews during the application process. Only authorized HR staff and/or staff involved in the application process have access to your data.

Your personal data is stored, as a rule, exclusively for the purpose of filling the vacancy for which you have applied. The legal basis for processing your personal data is Art. 6 para. 1 sentence 1 lit. b and Art. 88 para. 1 GDPR in connection with § 26 para. 1 sentence 1 BDSG. According to this law, the processing of data required in connection with the decision to establish an employment relationship is permitted.

Your data will be stored for a period of six months after the application process has been concluded. This is usually done to fulfill legal requirements and/or defending ourselves against any claims arising from legal provisions in accordance with Art. 6 para. 1 sentence 1 lit. f GDPR.

Once the storage periods have expired or in the course of exercising your right to deletion and/or objection, we are obliged to delete or anonymize your data. In this case, the data is only available to us as data without direct personal reference for statistical analysis (e.g. number of applications per period).

Should you be offered and accept a position with us during the application process, we will store the personal data collected as part of the application process for at least the duration of your employment.

b) Data processing in the “Talent Pool”

In addition, we reserve the right to ask for your consent to include your data in our “Talent Pool” for 6 months after the end of the application process in order to identify any other interesting positions for you. The legal basis for including you in the “Talent Pool” is your consent pursuant to Art. 6 para. 1 sentence 1 lit. a GDPR. You can revoke your consent for being part in our “Talent Pool” at any time (see Section 13 – “Your rights”).

c) Contact

When you contact us via one of our contact options, for example, email, post, or telephone, we process the data you provide (for example your email address and the content of your enquiry) necessary for us to answer your question. If your enquiry contains optional personal data, e.g. your name, we will process that data in order to provide improved support. The legal basis for the collection of data in the context of contacting requests is Section 26 para. 1 BDSG, if an employment relationship exists or is intended.

We delete the data collected in this context after storage is no longer required (depending on the respective purpose of the contact) or restrict processing if there are statutory retention obligations.

To enable email communication through the email address career@sovanta.com, making video calls and sending appointment requests, we use Microsoft Office 365 products, e.g. Teams or Outlook. Microsoft processes your contact information, for example, email address and the content of your email. Microsoft stores your personal data on servers based in the European Economic Area (EEA). However, we cannot exclude that Microsoft accesses and therefore transfers your personal data to the United States. We have concluded a data processing agreement pursuant to Art. 28 para. 3 GDPR and EU standard contractual clauses with Microsoft.

d) Employer Rating Platform Kununu

As a part of employer branding, we interact with current and former employees as well as applicants who anonymously review the company on the employer rating platform Kununu. Kununu is a product by NEW WORK SE, Am Strandkai 1, 20457 Hamburg, Germany. Kununu processes your voluntarily entered data and, if applicable, evaluates content shared or viewed by you.  Information on what data is processed by Kununu and for what purposes can be found in Kununu’s privacy policy: Privacy at XING.

8. Social-Media-pages by sovanta

In the following, we inform you about the handling of your personal data when visiting our social media pages Facebook, Twitter, Instagram, YouTube or LinkedIn. The processing of your personal data is carried out on the one hand by us and on the other hand by the respective social media platform.

a) Processing of your personal data by sovanta

As the operator of a social media site, we process the content you share on our pages, e.g. via posts, comments or direct messages. Furthermore, we process the data from the stored information of your publicly viewable profile, e.g. your profile picture and your name, if you leave a comment on one of our pages. We would like to point out that you should never share sensitive personal data with us through social media sites, as this simultaneously involves a transfer of the data to the respective social media platforms and the data may be transferred to unsafe third countries outside the European Union. The purpose of the data processing is our external presentation and the provision of a contact option with customers, partners and interested persons who want to learn more about our company. The legal basis for processing the data is Art. 6 para. 1 sentence 1 lit. f GDPR. Our legitimate interest is to improve the user experience of our social media pages.

b) Processing of your personal data by the social media platforms

The extent of the processing of personal data depends on the respective operator of the social network, may therefore differ and is not necessarily comprehensible to us. The details about the collection and storage as well as the type, scope and purpose of the use of your data by the operator can be found in the privacy statements of the respective operator:

• Facebook: Meta Privacy Policy – How Meta collects and uses user data
• Twitter: X Datenschutzrichtlinie
• LinkedIn: https://de.linkedin.com/legal/privacy-policy?
• Instagram: Meta Privacy Policy – How Meta collects and uses user data
• YouTube (Google): Privacy Policy – Privacy & Terms – Google

The operators bear the primary responsibility for data processing on the social media pages. We therefore recommend that you assert your data subject rights directly with the respective operators.

c) Notice regarding the joint responsibility for data processing when operating our Fanpage on Facebook

Sovanta and Facebook Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland (hereinafter: “Facebook”) are jointly responsible for the processing of personal data of visitors to our Facebook Fanpage. When you visit the sovanta Fanpage, Facebook collects information as described in Facebook’s data policy under “What kinds of information do we collect?”.
In addition, Facebook uses cookies that are placed on your end device when you visit our Fanpage even if you do not have your own Facebook profile or are not logged into it during your visit to our Fanpage. These cookies allow Facebook to create user profiles based on your preferences and interests and to show you advertising (inside and outside of Facebook) that is tailored to these preferences and interests. Cookies remain on your end device until you delete them. Details on this can be found in Meta’s cookie policy.
The specific data processing depends on your particular use of the Facebook Fanpage, such as the types of content you view or interact with, or the actions you take (see under “Things you and others do and provide” in Meta’s data policy), as well as information about the devices you use (e.g., IP addresses, operating system, browser type, language settings, cookie data; see under “Device Information” in Meta’s data policy).
As explained in Facebook’s data policy under “How do we use this information?”, Facebook also collects and uses information to provide analytics services, called Page Insights, to Page operators to provide them with insights about how you interact with Facebook Pages and with connected content. The processing of personal data for Page Insights is subject to the Shared Responsibility Agreement (Page Insights Supplement Regarding Controller).

9. Use of YouTube plugins

In order to provide content in the best possible form, our website uses plugins from YouTube for the integration of video content. The provider of the video portal is YouTube, LLC, 901 Cherry Ave, San Bruno, CA 94066, USA. When a page with an integrated YouTube plugin is called up, a connection to YouTube’s servers is established. The plugin informs YouTube that you as a user have visited this website. If you are logged into your YouTube account, YouTube can assign your surfing behavior directly to your personal profile. You can prevent this by logging out beforehand.

To protect the data, we inform before playing embedded videos and the transfer of data to third-party providers. Website users can thus agree to YouTube’s privacy policy and view the content by clicking on it. The legal basis for the processing of the data is, with the consent of the user, Art. 6 para. 1 sentence 1 lit. a GDPR. For more information, please refer to the Google/YouTube privacy policy, the YouTube privacy policy and the YouTube privacy settings.

10. Use of Vimeo plugins

On our website (not in our blog), we use plugins from provider Vimeo, Inc. of registered office 555 West 18^th Street, New York, New York 10011, USA (“Vimeo”) for the integration of videos. On our website, if you open the internet pages that have such a plugin, a connection to the Vimeo servers is established and the plugin is shown. This transmits to the Vimeo server which of our internet pages you have visited. If you are logged in as a Vimeo member (which is naturally not necessary simply to view one of our videos), Vimeo assigns this information to your personal user account. When the plugin is used, e.g. by clicking on the start button of a video, this information is likewise assigned to your user account. You can prevent this assignment by logging out of your Vimeo user account before using our internet page and by deleting the corresponding cookies. Further information about data processing and information about data privacy from Vimeo can be found at Privacy Policy on Vimeo .

This data transmission to Vimeo takes place on the basis of Art. 6 para. 1 sentence 1 lit. f GDPR on the basis of our legitimate interest in making our website provision more attractive for our website visitors and linking our website to our video channel with Vimeo.

11. Information about the security of your data

We have taken technical and organisational precautions to protect your data from loss, destruction, manipulation and unauthorised access. All our staff and everyone involved with our data processing are obliged to comply with GDPR, BDSG and other laws relating to data protection and to handle personal data confidentially.

In the case of collection and processing of personal data, the information is transmitted in encrypted form, in order to prevent misuse of the data by third parties. Our precautions are continuously reviewed in accordance with technological developments.

12. Categories of data recipient; data transmissions to a third country

In addition to the service providers mentioned in this data privacy statement, other service providers and agents employed by us in connection with the website and our systems, e.g. host providers, agencies, IT service providers or e.g. mail service providers for sending the newsletter, may have access to your personal data. If these service providers and agents are working on our behalf, however, they act only in accordance with instructions and have a corresponding contractual obligation to us, among others. This also applies for service providers based in a third country (a state outside the EU or EEA).

13. Your rights

You have the following rights with regard to personal data related to you:

• Right of access (Art. 15 GDPR),
• Right to rectification (Art. 16 GDPR),
• Right to erasure (Art. 17 GDPR, “right to be forgotten”),
• Right to restriction of processing (Art. 18 GDPR),
• Right to object to processing (Art. 21 GDPR),
• Right to data portability (Art. 20 GDPR).

If you have given us consent to process your data, you can revoke this consent at any time with effect for the future. The lawfulness of the processing of your data until revocation remains unaffected.

We will fulfil your aforementioned rights insofar as the legal requirements for asserting the rights are met. To assert your rights or for other data protection concerns, you can contact our data protection officer via the contact channels mentioned in point 1 above.

a) Your right to complain to a data protection supervisory authority

You also have the right to complain about our processing of your personal data to a data protection supervisory authority in the Member State of your residence, your place of work or the place of the alleged infringement if you consider that the processing of personal data related to you is carried out unlawfully. The supervisory authority responsible for us is:

Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg

Lautenschlagerstraße 20
70173 Stuttgart
Germany
Email: poststelle@lfdi.bwl.de
Telephone: +49 711 61 55 41 0

b) Additional information on your right of objection

In addition, we would like to point out that as far as a processing of your personal data takes place on the basis of the legitimate interest according to Art. 6 para. 1 sentence 1 lit. f GDPR and/or your personal data is processed for purposes of direct marketing, you have the right to object to the processing of your personal data at any time.

14. Duration of storage

Unless explicitly specified in this data privacy statement, we process and store personal data only for the period required in order to achieve the purpose of the processing or if specified in laws or regulations to which we are subject. If the storage purpose ceases to exist or if a statutory retention period expires, the personal data are blocked or erased routinely and in accordance with the statutory provisions.

15. Changes to this privacy policy

We will update this privacy policy from time to time, for example if we adapt our website or there is a change in the legal or regulatory requirements.