The protection of your private rights and freedoms is important to us; we only use your data for the purposes intended. Since it is important to us that you know at all times to what extent we collect, use and, if necessary, transfer your data to third parties, we will inform you in detail below about the processing of your personal data collected by us or stored by us. When processing personal data, we strictly adhere to the provisions of the EU General Data Protection Regulation (GDPR) and, if applicable, other data protection-relevant provisions.
Name and address of the controller
Serum Life Science Europe GmbH
Dr. Leander Grode
Ahrensburger Strasse 1
30659 Hannover
Germany
Phone: +49 511-1699080
E-mail: info@sls-eu.com
Name and address of the data protection officer
Jörg ter Beek
Cortina Consult GmbH
Hafenweg 24
48155 Münster
Germany
E-mail:
dsb.sls-eu@cortina-consult.deWebsite:
https://cortina-consult.com/If you have any questions regarding the processing of your personal data, if you wish to exercise your rights as a data subject (such as the right to information, correction, blocking or deletion of data) or if you wish to withdraw your consent, please contact our data protection officer directly.
General deadlines for data deletion
After the purpose of storage has ceased, the retention periods are generally at least six or ten years. As a rule, data is deleted immediately in accordance with our deletion concept, provided that this does not conflict with any retention obligation, necessity for contract fulfillment or a legitimate interest.
Data security information
We secure our website and other systems by technical and organizational measures against loss, destruction, access, modification or distribution of your data by unauthorized persons. Despite regular checks, however, complete protection against all dangers is not possible.
Rights of data subjects
The EU General Data Protection Regulation (GDPR) provides for extensive rights for data subjects in Chapter III, which we explain to you accordingly below with regard to the processing of your personal data:
- Right to information
This requirement concerns in particular information on the following details of data processing:
- Processing purposes
- Data categories
- Recipients or categories of recipients, if applicable
- If applicable, the planned storage duration or the criteria for determining this duration.
- Note on the respective right of correction, deletion, restriction or objection
- Existence of the right to complain to a supervisory authority
- If applicable, origin of the data (if not collected from you)
- If applicable, existence of automated decision-making including profiling, including meaningful information about the logic involved, the scope and the effects to be expected
- If applicable, (planned) transfer to a third country or international organization
- Right to rectification
We will correct any erroneous data immediately, provided that you inform us of the circumstance accordingly.
- Right to erasure (right to be forgotten)
Provided that the processing is no longer necessary and one of the following conditions is met:
- Discontinuation of the purpose of processing
- Withdrawal of their consent and absence of any other legal basis for processing
- Objection to processing without an important reason to the contrary
- Unlawful processing
- Required to fulfill a legal obligation
- Data collection was carried out in accordance with Art. 8 (1) GDPR
Within the scope of the deletion request, we will, if necessary, pass on your request to those third parties to whom a transfer of your data had previously taken place.
- Right to restriction of processing
Provided that one of the following conditions is met:
- You dispute the accuracy of your data (restriction can be made for the duration of the review on our side)
- In the event of unlawful processing and if the data is not to be deleted, restriction of processing shall take the place of deletion
- If the processing purposes cease to apply, at the same time you need your data for the assertion, exercise or defense of legal claims
- After you have lodged an objection pursuant to Art. 21 (1) GDPR and for the duration of the examination as to whether our legitimate reasons outweigh yours.
- Right to data portability
If it is technically possible and does not affect the rights and freedoms of other persons, we will - at your request - transfer your data to another recipient (responsible party).
- Right to object
If we collect or have collected and process personal data from you (on the basis of Art. 6 (1) e or f or Art. 9 (2) a GDPR), you have the right to object to the data processing (including profiling) at any time (with effect for the future). In exceptional cases, the objection may be ineffective, e.g. if we can demonstrate compelling interests worthy of protection for the processing that outweigh your interests or processing serves the assertion, exercise or defense of legal claims. If we process your personal data for the purpose of direct marketing, you have the right to object to such processing at any time. This also applies to profiling, insofar as it is related to such direct advertising. You also have the right to object to processing of your data concerning you which is carried out by us for scientific or historical research purposes or for statistical purposes pursuant to Article 89 (1) GDPR, unless such processing is necessary for the performance of a task carried out in the public interest.
- Automated decisions in individual cases including profiling
If we collect or have collected and process personal data from you, you have the right not to be subject to any decision based solely on automated processing - including profiling - which produces legal effects concerning you or similarly significantly affects you. Exceptions to this requirement apply if the decision is necessary for the conclusion or performance of a contract between you and us or you have expressly consented to the processing. In any case, we will take reasonable steps to safeguard your rights and freedoms and legitimate interests, including at least the right to obtain the intervention of a person on our part, to express our own point of view and to contest the decision.
- Right to revoke consent under data protection law
You have the right to revoke consent to the processing of personal data at any time.
- Right to complain to a supervisory authority
A list of the supervisory authorities responsible in Germany can be found on the website of the Federal Commissioner for Data Protection or at the following link: https://www.bfdi.bund.de/EN/Service/Anschriften/Laender/Laender-node.html.
Legal basis of processing
We process personal data in accordance with the requirements of the GDPR, depending on the type and purpose of the processing as follows:
| Permitted use | Specification of the GDPR |
| Informed consent | Art. 6 para. 1 a |
| Performance of a contract | Art. 6 para. 1 b |
| Implementation of pre-contractual measures | Art. 6 para. 1 b |
| Fulfillment of legal obligations | Art. 6 para. 1 c |
| Protection of vital interests | Art. 6 para. 1 d |
| Safeguarding our legitimate interest | Art. 6 para. 1 f |
Our legitimate interest
Our legitimate interest, as defined in Article 6 (1) f GDPR, is based on the performance of our business activities in order to maintain our ability to operate and secure the employment of our employees.
Depending on the processing, purposes, legal basis and other information may vary; you will find the exact allocation of information in the following chapter.
Employment contract
| Purpose of the processing of general data | | Data type | Purpose of the survey |
|---|
| 1) Employee data (details: employee data (surname, first name, address, salary, vacation days, bonus payment)) | - Working time recording
|
|
| Legal basis (according to Art. 6 / 9 GDPR) | Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party in accordance with Article 6(1)(f) GDPR and such interests are not overridden by the interests or fundamental rights and freedoms of the data subject. |
| Recipient (if applicable) | Re 1) External (Details: The data is transferred externally to the Serum Institute of India Pvt. LTD. There is no internal disclosure). |
| If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees) | Yes |
| If known: Duration of data storage | See General deadlines for data deletion |
| Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | no |
| Consequences of non-compliance (in case of failure to provide the required data) | The employment contract cannot be concluded without the data. |
| If applicable, existence of an automated decision-making process | In this context, we do not use automatic decision-making. |
| If applicable, origin of the data (if not collected directly from the data subject) | Re 1) Direct collection (details: the data was collected directly from the data subject through: e.g. questionnaire, contract, contact form, online store, conversation) |
Working time recording
| Purpose of the processing of general data | | Data type | Purpose of the survey |
|---|
| 1) Employee data (details: employee data (first and last name, e-mail address, employee-related regular working hours, project-related working hours, activities performed and associated project)) | - Working time recording
|
|
| Legal basis (according to Art. 6 / 9 GDPR) | Art. 5 para. 1 subpara. 1 lit. B, lit. f GDPR (principles for the processing of personal data), Art. 6 para. 1. 1 lit. F GDPR (lawfulness of processing), § 26 para. 1 BDSG (data processing for the purposes of the employment relationship), 6 para. 1 lit. f GDPR (lawfulness of processing), § 16 para. 2 ArbZG (notice and working time records), § 147 para. 1 no. 2, para. 3 AO (regulatory provisions for the retention of documents). |
| Recipient (if applicable) | Re 1) Internal (Details: Internal department) |
| If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees) | Yes |
| If known: Duration of data storage | See General deadlines for data deletion |
| Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | No |
| Consequences of non-compliance (in case of failure to provide the required data) | There is no obligation to provide personal data. |
| If applicable, existence of an automated decision-making process | In this context, we do not use automatic decision-making. |
| If applicable, origin of the data (if not collected directly from the data subject) | Re 1) Direct collection (details: the data was collected directly from the data subject through: e.g. questionnaire, contract, contact form, online store, conversation) |
Employment references
| Purpose of the processing of general data | | Data type | Purpose of the survey |
|---|
| 1) Employee data (Details: Employee data (personnel master data, contact data, emergency data)) | - Preparation of an employment reference
|
|
| Legal basis (according to Art. 6 / 9 GDPR) | Art. 88 sentence 1 GDPR in conjunction with. § Section 26 sentence 1 BDSG and Section 109 para. 1 GewO |
| Recipient (if applicable) | Re 1) Internal (Details: Internal department) |
| If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees) | No |
| If known: Duration of data storage | See General deadlines for data deletion |
| Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | No |
| Consequences of non-compliance (in case of failure to provide the required data) | There is no obligation to provide personal data. |
| If applicable, existence of an automated decision-making process | In this context, we do not use automatic decision-making. |
| If applicable, origin of the data (if not collected directly from the data subject) | Re 1) Direct collection (details: the data was collected directly from the data subject through: e.g. questionnaire, contract, contact form, online store, conversation) |
BEM
| Purpose of the processing of general data | | Data type | Purpose of the survey |
|---|
| 1) Health data (details: health data (e.g. sick notes, patient data)) 2) Employee data (details: employee data (personnel master data, contact data, emergency data)) | - Possibility of company integration management
|
|
| Legal basis (according to Art. 6 / 9 GDPR) | Art. 88 sentence 1 Consent pursuant to Art. 6 para. 1 lit. a GDPR has been given. The requirements for consent pursuant to Art. 7 para. 1-4 GDPR are met. DSGVO i.V.m. § Section 26 sentence 1 BDSG and Section 167 para. 2 SGB IX |
| Recipient (if applicable) | Re 1) Internal (Details: Internal department) Re 2) Internal (Details: Internal department) |
| If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees) | No |
| If known: Duration of data storage | See General deadlines for data deletion |
| Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | No |
| Consequences of non-compliance (in case of failure to provide the required data) | There is no obligation to provide personal data. |
| If applicable, existence of an automated decision-making process | In this context, we do not use automatic decision-making. |
| If applicable, origin of the data (if not collected directly from the data subject) | Re 1) Direct collection (Details: The data was collected directly from the data subject by: e.g. questionnaire, contract, contact form, online store, conversation) Re 2) Direct collection (Details: The data was collected directly from the data subject by: e.g. questionnaire, contract, contact form, online store, conversation (please adapt)) |
Consultant qualification
| Purpose of the processing of general data | | Data type | Purpose of the survey |
|---|
| 1) Applicant data (details: applicant data (personal details, contact details, CV, photo, certificates)) | - Qualification certificates of external consultants
|
|
| Legal basis (according to Art. 6 / 9 GDPR) | Art. 6 para. 1 subpara. 1 lit. c) GDPR in conjunction with GCP (guideline for good clinical practiceI E6(R2) 2.8, 5.5.1) |
| Recipient (if applicable) | Re 1) Internal (Details: Internal department) |
| If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees) | No |
| If known: Duration of data storage | See General deadlines for data deletion |
| Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | No |
| Consequences of non-compliance (in case of failure to provide the required data) | There is no obligation to provide personal data. |
| If applicable, existence of an automated decision-making process | In this context, we do not use automatic decision-making. |
| If applicable, origin of the data (if not collected directly from the data subject) | Re 1) Direct collection (details: the data was collected directly from the data subject through: e.g. questionnaire, contract, contact form, online store, conversation) |
Company doctor
| Purpose of the processing of general data | | Data type | Purpose of the survey |
|---|
| 1) Health data (details: health data (e.g. sick notes, patient data)) | - Provision of a company doctor
|
|
| Legal basis (according to Art. 6 / 9 GDPR) | Art. 88 sentence 1 GDPR in conjunction with. § Section 26 sentence 1 BDSG |
| Recipient (if applicable) | Re 1) Internal (Details: Internal department) |
| If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees) | No |
| If known: Duration of data storage | See General deadlines for data deletion |
| Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | No |
| Consequences of non-compliance (in case of failure to provide the required data) | There is no obligation to provide personal data. |
| If applicable, existence of an automated decision-making process | In this context, we do not use automatic decision-making. |
| If applicable, origin of the data (if not collected directly from the data subject) | Re 1) Direct collection (details: the data was collected directly from the data subject through: e.g. questionnaire, contract, contact form, online store, conversation) |
Application process
| Purpose of the processing of general data | | Data type | Purpose of the survey |
|---|
| 1) Applicant data (details: applicant data (personal details, contact details, CV, photo, certificates)) | - Application process
|
|
| Legal basis (according to Art. 6 / 9 GDPR) | Consent pursuant to Art. 6 para. 1 lit. a GDPR is given for long-term storage. The requirements for consent pursuant to Art. 7 para. 1-4 GDPR are met. Art. 88 sentence 1 GDPR i.V.m. § Section 26 sentence 1 BDSG |
| Recipient (if applicable) | Re 1) Internal (Details: Internal department) |
| If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees) | No |
| If known: Duration of data storage | See General deadlines for data deletion |
| Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | No |
| Consequences of non-compliance (in case of failure to provide the required data) | There is no obligation to provide personal data. |
| If applicable, existence of an automated decision-making process | In this context, we do not use automatic decision-making. |
| If applicable, origin of the data (if not collected directly from the data subject) | Re 1) Direct collection (details: the data was collected directly from the data subject through: e.g. questionnaire, contract, contact form, online store, conversation) |
Documentation of the qualification of the investigator
| Purpose of the processing of general data | | Data type | Purpose of the survey |
|---|
| 1) Employee data (Details: Employee data (personnel master data, contact data, emergency data)) | - Proof of qualification of the investigator
|
|
| Legal basis (according to Art. 6 / 9 GDPR) | Art. 6 para. 1 subpara. 1 lit. c) GDPR in conjunction with GCP (guideline for good clinical practiceI E6(R2) 5.6.1) |
| Recipient (if applicable) | Re 1) Internal (Details: Internal department) |
| If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees) | Yes |
| If known: Duration of data storage | See General deadlines for data deletion |
| Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | No |
| Consequences of non-compliance (in case of failure to provide the required data) | There is no obligation to provide personal data. |
| If applicable, existence of an automated decision-making process | In this context, we do not use automatic decision-making. |
| If applicable, origin of the data (if not collected directly from the data subject) | Re 1) Direct collection (details: the data was collected directly from the data subject through: e.g. questionnaire, contract, contact form, online store, conversation) |
Event messages
| Purpose of the processing of general data | | Data type | Purpose of the survey |
|---|
| 1) Health data (details: health data (e.g. sick notes, patient data)) | - Reporting of medical incidents (events) during a study
|
|
| Legal basis (according to Art. 6 / 9 GDPR) | Art. 6 para. 1 subpara. 1 lit. c GDPR in conjunction with Art. 2 Clinical trials Regulation EU No 536/2014 |
| Recipient (if applicable) | Re 1) Internal (Details: Internal department) |
| If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees) | Yes |
| If known: Duration of data storage | See General deadlines for data deletion |
| Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | No |
| Consequences of non-compliance (in case of failure to provide the required data) | There is no obligation to provide personal data. |
| If applicable, existence of an automated decision-making process | In this context, we do not use automatic decision-making. |
| If applicable, origin of the data (if not collected directly from the data subject) | Re 1) Direct collection (details: the data was collected directly from the data subject through: e.g. questionnaire, contract, contact form, online store, conversation) |
Termination
| Purpose of the processing of general data | | Data type | Purpose of the survey |
|---|
| 1) Contact data (details: contact data (name, telephone, fax, e-mail)) 2) Employee data (details: employee data (personnel master data, contact data, emergency data)) | - Drafting notices of termination
|
|
| Legal basis (according to Art. 6 / 9 GDPR) | Art. 88 sentence 1 GDPR in conjunction with. § Section 26 sentence 1 BDSG and Section 622 BGB or Section 622 BGB |
| Recipient (if applicable) | Re 1) Internal (Details: Internal department) Re 2) Internal (Details: Internal department) |
| If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees) | No |
| If known: Duration of data storage | See General deadlines for data deletion |
| Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | No |
| Consequences of non-compliance (in case of failure to provide the required data) | There is no obligation to provide personal data. |
| If applicable, existence of an automated decision-making process | In this context, we do not use automatic decision-making. |
| If applicable, origin of the data (if not collected directly from the data subject) | Re 1) Direct collection (Details: The data was collected directly from the data subject through: e.g. questionnaire, contract, contact form, online store, conversation) Re 2) Direct collection (Details: The data was collected directly from the data subject through: e.g. questionnaire, contract, contact form, online store, conversation) |
List of project participants
| Purpose of the processing of general data | | Data type | Purpose of the survey |
|---|
| 1) Employee data (Details: Employee data (personnel master data, contact data, emergency data)) | - Contact lists of those involved in the project
|
|
| Legal basis (according to Art. 6 / 9 GDPR) | Art. 6 para. 1 subpara. 1 lit. a) or lit. f) GDPR |
| Recipient (if applicable) | Re 1) Internal (Details: Internal department) |
| If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees) | No |
| If known: Duration of data storage | See General deadlines for data deletion |
| Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | No |
| Consequences of non-compliance (in case of failure to provide the required data) | There is no obligation to provide personal data. |
| If applicable, existence of an automated decision-making process | In this context, we do not use automatic decision-making. |
| If applicable, origin of the data (if not collected directly from the data subject) | Re 1) Direct collection (details: the data was collected directly from the data subject through: e.g. questionnaire, contract, contact form, online store, conversation) |
Payroll accounting
| Purpose of the processing of general data | | Data type | Purpose of the survey |
|---|
| 1) Employee data (Details: Employee data (personnel master data, contact data, emergency data)) | - Payroll accounting
|
|
| Legal basis (according to Art. 6 / 9 GDPR) | Art. 88 sentence 1 GDPR in conjunction with. § Section 26 sentence 1 BDSG |
| Recipient (if applicable) | Re 1) Internal (Details: Internal department) |
| If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees) | No |
| If known: Duration of data storage | See General deadlines for data deletion |
| Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | No |
| Consequences of non-compliance (in case of failure to provide the required data) | There is no obligation to provide personal data. |
| If applicable, existence of an automated decision-making process | In this context, we do not use automatic decision-making. |
| If applicable, origin of the data (if not collected directly from the data subject) | Re 1) Direct collection (details: the data was collected directly from the data subject through: e.g. questionnaire, contract, contact form, online store, conversation) |
Medical Review
| Purpose of the processing of general data | | Data type | Purpose of the survey |
|---|
| 1) Health data (details: health data (e.g. sick notes, patient data)) | - Medical review/study reports
|
|
| Legal basis (according to Art. 6 / 9 GDPR) | Art. 6 para. 1 subpara. 1 lit. c GDPR i.V.m. § Section 13 para. 1 GCP-V in conjunction with GCP (guideline for good clinical practice)I E6(R2) 5.16, 5.17.3, I E2F |
| Recipient (if applicable) | Re 1) Internal (Details: Internal department) |
| If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees) | Yes |
| If known: Duration of data storage | See General deadlines for data deletion |
| Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | No |
| Consequences of non-compliance (in case of failure to provide the required data) | There is no obligation to provide personal data. |
| If applicable, existence of an automated decision-making process | In this context, we do not use automatic decision-making. |
| If applicable, origin of the data (if not collected directly from the data subject) | Re 1) Direct collection (details: the data was collected directly from the data subject through: e.g. questionnaire, contract, contact form, online store, conversation) |
Microsoft 365 - Office applications as client applications, incl. Outlook and Exchange Online
| Purpose of the processing of general data | | Data type | Purpose of the survey |
|---|
| 1) Contact details (details: contact details (name, telephone, fax, e-mail)) | - Secure use of the applications and services provided by Microsoft in the MS 365 package
|
|
| Legal basis (according to Art. 6 / 9 GDPR) | Performance of a contract (Art. 6 para. 1 b)Implementation of pre-contractual measures (Art. 6 para. 1 b)Fulfillment of legal obligations (Art. 6 para. 1 c) |
| Recipient (if applicable) | Re 1) Other recipients (Details: Microsoft Ireland Operations Limited) |
| If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees) | No |
| If known: Duration of data storage | See General deadlines for data deletion |
| Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | no |
| Consequences of non-compliance (in case of failure to provide the required data) | Without the data in question, it may not be possible to fulfill the tasks or contracts; this data is also required to ensure security. |
| If applicable, existence of an automated decision-making process | In this context, we do not use automatic decision-making. |
| If applicable, origin of the data (if not collected directly from the data subject) | Re 1) Direct collection (Details: The data was collected directly from the data subject through: e.g. questionnaire, contract, contact form, online store, conversation (please adapt)) |
Employee appraisal
| Purpose of the processing of general data | | Data type | Purpose of the survey |
|---|
| 1) Employee data (Details: Employee data (personnel master data, contact data, emergency data)) | - Staff appraisals
|
|
| Legal basis (according to Art. 6 / 9 GDPR) | Art. 88 sentence 1 GDPR in conjunction with. § Section 26 sentence 1 BDSG |
| Recipient (if applicable) | Re 1) Internal (Details: Internal department) |
| If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees) | No |
| If known: Duration of data storage | See General deadlines for data deletion |
| Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | No |
| Consequences of non-compliance (in case of failure to provide the required data) | There is no obligation to provide personal data. |
| If applicable, existence of an automated decision-making process | In this context, we do not use automatic decision-making. |
| If applicable, origin of the data (if not collected directly from the data subject) | Re 1) Direct collection (details: the data was collected directly from the data subject through: e.g. questionnaire, contract, contact form, online store, conversation) |
Proof of parental status
| Purpose of the processing of general data | | Data type | Purpose of the survey |
|---|
| 1) Employee data (Details: Employee data (personnel master data, contact data, emergency data)) | - Proof of parental status
|
|
| Legal basis (according to Art. 6 / 9 GDPR) | The legal basis for processing results from Art. 6 para. 1 subpara. 1 lit. c, § 55 para. 3 sentences 3 and 4 SGB XI (obligation to provide proof) in conjunction with § 8 para. 2 no. 11 BVV, § 28p para. 1 sentence 1 SGB IV (retention period and form). |
| Recipient (if applicable) | Re 1) Internal (Details: Internal department) |
| If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees) | No |
| If known: Duration of data storage | See General deadlines for data deletion |
| Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | No |
| Consequences of non-compliance (in case of failure to provide the required data) | There is no obligation to provide personal data. |
| If applicable, existence of an automated decision-making process | In this context, we do not use automatic decision-making. |
| If applicable, origin of the data (if not collected directly from the data subject) | Re 1) Direct collection (details: the data was collected directly from the data subject through: e.g. questionnaire, contract, contact form, online store, conversation) |
New customer
| Purpose of the processing of general data | | Data type | Purpose of the survey |
|---|
| 1) Contact data (details: contact data (name, telephone, fax, e-mail)) 2) Employee data (details: employee data (personnel master data, contact data, emergency data)) | - Signing a confidentiality agreement
|
|
| Legal basis (according to Art. 6 / 9 GDPR) | Art. 6 para. 1 subpara. 1 lit. b) or lit. f) GDPR |
| Recipient (if applicable) | Re 1) Internal (Details: Internal department) Re 2) Internal (Details: Internal department) |
| If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees) | No |
| If known: Duration of data storage | See General deadlines for data deletion |
| Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | No |
| Consequences of non-compliance (in case of failure to provide the required data) | There is no obligation to provide personal data. |
| If applicable, existence of an automated decision-making process | In this context, we do not use automatic decision-making. |
| If applicable, origin of the data (if not collected directly from the data subject) | Re 1) Direct collection (Details: The data was collected directly from the data subject through: e.g. questionnaire, contract, contact form, online store, conversation) Re 2) Direct collection (Details: The data was collected directly from the data subject through: e.g. questionnaire, contract, contact form, online store, conversation) |
New customer acquisition
| Purpose of the processing of general data | | Data type | Purpose of the survey |
|---|
| 1) Contact details (details: contact details (name, telephone, fax, e-mail)) | - potential new customers are identified and contacted
|
|
| Legal basis (according to Art. 6 / 9 GDPR) | Art. 6 para. 1 subpara. 1 lit. f) GDPR |
| Recipient (if applicable) | Re 1) Internal (Details: Internal department) |
| If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees) | No |
| If known: Duration of data storage | See General deadlines for data deletion |
| Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | No |
| Consequences of non-compliance (in case of failure to provide the required data) | There is no obligation to provide personal data. |
| If applicable, existence of an automated decision-making process | In this context, we do not use automatic decision-making. |
| If applicable, origin of the data (if not collected directly from the data subject) | Re 1) Direct collection (details: the data was collected directly from the data subject through: e.g. questionnaire, contract, contact form, online store, conversation) |
Emergency contact
| Purpose of the processing of general data | | Data type | Purpose of the survey |
|---|
| - Management of emergency contacts for employees
|
|
| Legal basis (according to Art. 6 / 9 GDPR) | Art. 2 para. 1, Art. 4 no. 1, 2 GDPR, Art. 2 para. 2 lit. c) GDPR |
| If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees) | No |
| If known: Duration of data storage | See General deadlines for data deletion |
| Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | no |
| Consequences of non-compliance (in case of failure to provide the required data) | There is an obligation to provide personal data. |
| If applicable, existence of an automated decision-making process | In this context, we do not use automatic decision-making. |
Personnel file
| Purpose of the processing of general data | | Data type | Purpose of the survey |
|---|
| 1) Employee data (Details: Employee data (personnel master data, contact data, emergency data)) | - Personnel files in paper and written form
|
|
| Legal basis (according to Art. 6 / 9 GDPR) | Art. 88 sentence 1 GDPR in conjunction with. § Section 26 sentence 1 BDSG |
| Recipient (if applicable) | Re 1) Internal (Details: Internal department) |
| If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees) | No |
| If known: Duration of data storage | See General deadlines for data deletion |
| Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | No |
| Consequences of non-compliance (in case of failure to provide the required data) | There is no obligation to provide personal data. |
| If applicable, existence of an automated decision-making process | In this context, we do not use automatic decision-making. |
| If applicable, origin of the data (if not collected directly from the data subject) | Re 1) Direct collection (details: the data was collected directly from the data subject through: e.g. questionnaire, contract, contact form, online store, conversation) |
Personnel questionnaire
| Purpose of the processing of general data | | Data type | Purpose of the survey |
|---|
| 1) Employee data (Details: Employee data (personnel master data, contact data, emergency data)) | - Collection of necessary personnel master data for new employees
|
|
| Legal basis (according to Art. 6 / 9 GDPR) | Art. 88 sentence 1 GDPR in conjunction with. § Section 26 sentence 1 BDSG |
| Recipient (if applicable) | Re 1) Internal (Details: Internal department) |
| If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees) | No |
| If known: Duration of data storage | See General deadlines for data deletion |
| Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | No |
| Consequences of non-compliance (in case of failure to provide the required data) | There is no obligation to provide personal data. |
| If applicable, existence of an automated decision-making process | In this context, we do not use automatic decision-making. |
| If applicable, origin of the data (if not collected directly from the data subject) | Re 1) Direct collection (details: the data was collected directly from the data subject through: e.g. questionnaire, contract, contact form, online store, conversation) |
Audit
| Purpose of the processing of general data | | Data type | Purpose of the survey |
|---|
| 1) Billing data (details: billing data (e.g. consumption and performance values)) 2) Working time data (details: working time data (actual working time, planned working time, breaks, vacation, special leave, absences, sick days, overtime)) 3) Employee data (details: employee data (personnel master data, contact data, emergency data)) | - Time recording for work purposes
|
|
| Legal basis (according to Art. 6 / 9 GDPR) | Art. 6 para. 1 subpara. 1 lit. b) GDPR |
| Recipient (if applicable) | Re 1) Internal (Details: Internal department) Re 2) External (Details: Service providers, other organizations, other third parties) Re 2) Internal (Details: Internal department) Re 3) Internal (Details: Internal department) |
| If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees) | No |
| If known: Duration of data storage | See General deadlines for data deletion |
| Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | No |
| Consequences of non-compliance (in case of failure to provide the required data) | There is no obligation to provide personal data. |
| If applicable, existence of an automated decision-making process | In this context, we do not use automatic decision-making. |
| If applicable, origin of the data (if not collected directly from the data subject) | Re 1) Direct collection (Details: The data was collected directly from the data subject by: e.g. questionnaire, contract, contact form, online store, conversation) Re 2) Direct collection (Details: The data was collected directly from the data subject by: e.g. questionnaire, contract, contact form, online store, conversation) Re 3) Direct collection (Details: The data was collected directly from the data subject by: e.g. questionnaire, contract, contact form, online store, conversation) |
Travel expense report
| Purpose of the processing of general data | | Data type | Purpose of the survey |
|---|
| 1) Employee data (Details: Employee data (personnel master data, contact data, emergency data)) | - Transferring travel data to a form
|
|
| Legal basis (according to Art. 6 / 9 GDPR) | Art. 88 sentence 1 GDPR in conjunction with. § Section 26 sentence 1 BDSG |
| Recipient (if applicable) | Re 1) Internal (Details: Internal department) |
| If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees) | No |
| If known: Duration of data storage | See General deadlines for data deletion |
| Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | No |
| Consequences of non-compliance (in case of failure to provide the required data) | There is no obligation to provide personal data. |
| If applicable, existence of an automated decision-making process | In this context, we do not use automatic decision-making. |
| If applicable, origin of the data (if not collected directly from the data subject) | Re 1) Direct collection (details: the data was collected directly from the data subject through: e.g. questionnaire, contract, contact form, online store, conversation) |
Travel management
| Purpose of the processing of general data | | Data type | Purpose of the survey |
|---|
| 1) Contact details (details: contact details (name, telephone, fax, e-mail)) | - Travel management (hotel room bookings, rail or air ticket bookings, visas, etc.)
|
|
| Legal basis (according to Art. 6 / 9 GDPR) | Art. 88 sentence 1 GDPR in conjunction with Section 26 sentence 1 BDSG. § Section 26 sentence 1 BDSG Legal basis for the obligation to apply for a visa Art. 6 para. 1 subpara. 1 lit. c GDPR in conjunction with the national laws of the country of entry |
| Recipient (if applicable) | Re 1) Internal (Details: Internal department) |
| If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees) | No |
| If known: Duration of data storage | See General deadlines for data deletion |
| Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | No |
| Consequences of non-compliance (in case of failure to provide the required data) | There is no obligation to provide personal data. |
| If applicable, existence of an automated decision-making process | In this context, we do not use automatic decision-making. |
| If applicable, origin of the data (if not collected directly from the data subject) | Re 1) Direct collection (details: the data was collected directly from the data subject through: e.g. questionnaire, contract, contact form, online store, conversation) |
Allocation of keys
| Purpose of the processing of general data | | Data type | Purpose of the survey |
|---|
| 1) Contact details (details: contact details (name, telephone, fax, e-mail)) | - Every employee receives a security token
|
|
| Legal basis (according to Art. 6 / 9 GDPR) | Art. 88 sentence 1 GDPR in conjunction with. § Section 26 sentence 1 BDSG |
| Recipient (if applicable) | Re 1) Internal (Details: Internal department) |
| If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees) | No |
| If known: Duration of data storage | See General deadlines for data deletion |
| Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | No |
| Consequences of non-compliance (in case of failure to provide the required data) | There is no obligation to provide personal data. |
| If applicable, existence of an automated decision-making process | In this context, we do not use automatic decision-making. |
| If applicable, origin of the data (if not collected directly from the data subject) | Re 1) Direct collection (details: the data was collected directly from the data subject through: e.g. questionnaire, contract, contact form, online store, conversation) |
Seminar registration
| Purpose of the processing of general data | | Data type | Purpose of the survey |
|---|
| 1) Contact details (details: contact details (name, telephone, fax, e-mail)) | - Registration for seminars is bundled in one place
|
|
| Legal basis (according to Art. 6 / 9 GDPR) | Art. 88 sentence 1 GDPR in conjunction with. § Section 26 sentence 1 BDSG |
| Recipient (if applicable) | Re 1) Internal (Details: Internal department) |
| If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees) | No |
| If known: Duration of data storage | See General deadlines for data deletion |
| Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | No |
| Consequences of non-compliance (in case of failure to provide the required data) | There is no obligation to provide personal data. |
| If applicable, existence of an automated decision-making process | In this context, we do not use automatic decision-making. |
| If applicable, origin of the data (if not collected directly from the data subject) | Re 1) Direct collection (details: the data was collected directly from the data subject through: e.g. questionnaire, contract, contact form, online store, conversation) |
Submitting clinical trial related data to Clinical Trial Information System (CTIS)
| Purpose of the processing of general data | | Data type | Purpose of the survey |
|---|
| 1) Health data (details: health data (e.g. sick notes, patient data)) 2) Participant data (details: participant data (name, address, telephone, e-mail)) | - Data Subject Rights in CTIS
|
|
| Legal basis (according to Art. 6 / 9 GDPR) | Fulfillment of legal obligations (Article 9(2)(h) GDPR) Conditions for the consent of a child regarding information society services (Article 8 GDPR) |
| Recipient (if applicable) | Re 1) External (details: service providers, other organizations, other third parties) Re 1) Internal (details: internal department) Re 2) External (details: service providers, other organizations, other third parties) Re 2) Internal (details: internal department) |
| If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees) | No |
| If known: Duration of data storage | See General deadlines for data deletion |
| Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | No |
| Consequences of non-compliance (in case of failure to provide the required data) | There is no obligation to provide personal data. |
| If applicable, existence of an automated decision-making process | In this context, we do not use automatic decision-making. |
| If applicable, origin of the data (if not collected directly from the data subject) | Re 1) Direct collection (Details: The data was collected directly from the data subject through: e.g. questionnaire, contract, contact form, online store, conversation) Re 2) Direct collection (Details: The data was collected directly from the data subject through: e.g. questionnaire, contract, contact form, online store, conversation) |
Vacation
| Purpose of the processing of general data | | Data type | Purpose of the survey |
|---|
| 1) Employee data (Details: Employee data (personnel master data, contact data, emergency data)) | - Leave application in the form of a form
|
|
| Legal basis (according to Art. 6 / 9 GDPR) | Art. 88 sentence 1 GDPR in conjunction with. § Section 26 sentence 1 BDSG |
| Recipient (if applicable) | Re 1) Internal (Details: Internal department) |
| If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees) | No |
| If known: Duration of data storage | See General deadlines for data deletion |
| Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | No |
| Consequences of non-compliance (in case of failure to provide the required data) | There is no obligation to provide personal data. |
| If applicable, existence of an automated decision-making process | In this context, we do not use automatic decision-making. |
| If applicable, origin of the data (if not collected directly from the data subject) | Re 1) Direct collection (details: the data was collected directly from the data subject through: e.g. questionnaire, contract, contact form, online store, conversation) |
User Administration for databases of the European Medicines Agency (EMA)
| Purpose of the processing of general data | | Data type | Purpose of the survey |
|---|
| 1) All company data (Details: Billing data, address data, bank account/credit card data, credit rating data, date of birth, IT usage data/log data/log files, IP address, interests/preferences, contact data, resume, name/first name/address/title, social security data, contract and contract master data, payment data, timekeeping data, payroll data, correspondence, various) | - User Administration CTIS
|
|
| Legal basis (according to Art. 6 / 9 GDPR) | The processing is necessary to protect the legitimate interest of the controller or a third party pursuant to Article 6 (1) (f) GDPR and no interests or fundamental rights and freedoms of the data subject are overridden. The processing is necessary according to Art. 6 para. 1 lit. b GDPR |
| Recipient (if applicable) | Re 1) Internal (Details: Internal department) |
| If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees) | No |
| If known: Duration of data storage | See General deadlines for data deletion |
| Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | Yes |
| Consequences of non-compliance (in case of failure to provide the required data) | All users must agree to the applicable data protection regulations when creating their EMA account for CTIS, otherwise a user account cannot be created. |
| If applicable, existence of an automated decision-making process | In this context, we do not use automatic decision-making. |
| If applicable, origin of the data (if not collected directly from the data subject) | Re 1) Direct collection (Details: The data was collected directly from the data subject through: e.g. questionnaire, contract, contact form, online store, conversation) |
Insurance
| Purpose of the processing of general data | | Data type | Purpose of the survey |
|---|
| 1) Employee data (Details: Employee data (personnel master data, contact data, emergency data)) | - Possibility of international health insurance
|
|
| Legal basis (according to Art. 6 / 9 GDPR) | Art. 88 sentence 1 GDPR in conjunction with. § Section 26 sentence 1 BDSG |
| Recipient (if applicable) | Re 1) Internal (Details: Internal department) |
| If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees) | No |
| If known: Duration of data storage | See General deadlines for data deletion |
| Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | No |
| Consequences of non-compliance (in case of failure to provide the required data) | There is no obligation to provide personal data. |
| If applicable, existence of an automated decision-making process | In this context, we do not use automatic decision-making. |
| If applicable, origin of the data (if not collected directly from the data subject) | Re 1) Direct collection (details: the data was collected directly from the data subject through: e.g. questionnaire, contract, contact form, online store, conversation) |
Job interview
| Purpose of the processing of general data | | Data type | Purpose of the survey |
|---|
| 1) Applicant data (details: applicant data (personal details, contact details, CV, photo, certificates)) | - Data processing in connection with job interviews
|
|
| Legal basis (according to Art. 6 / 9 GDPR) | Art. 88 sentence 1 GDPR in conjunction with. § Section 26 sentence 1 BDSG |
| Recipient (if applicable) | Re 1) External (details: service providers, other organizations, other third parties) |
| If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees) | No |
| If known: Duration of data storage | 6 months, Section 61b (1) ArbGG in conjunction with. § Section 15 (4) AGG |
| Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | No |
| Consequences of non-compliance (in case of failure to provide the required data) | There is no obligation to provide personal data. |
| If applicable, existence of an automated decision-making process | In this context, we do not use automatic decision-making. |
| If applicable, origin of the data (if not collected directly from the data subject) | Re 1) Direct collection (details: the data was collected directly from the data subject through: e.g. questionnaire, contract, contact form, online store, conversation) |