Data Privacy Policy

This website is operated by HMS Analytical Software GmbH (HMS). In the following, we inform you about the processing of personal data during the use of this website. Use is generally possible without providing any personal data. If someone wants to use services of our company via our webpage, this might, however, require a processing of personal data.  


1. Name and Address of the Data Controller

Data Controller in the definition of the GDPR is:
HMS Analytical Software GmbH
Grüne Meile 29
69115 Heidelberg
Phone: +49 (6221) 6051 0
Email: info(at)

2. Contact Details of the Data Protection Officer

The Data Protection Officer of the data controller responsible for the processing is:
Ms. Elisabeth Kohm
HMS Analytical Software GmbH
Grüne Meile 29
69115 Heidelberg
Email: datenschutzbeauftragter(at)

Every Data Subject can contact our Data Protection Officer directly at any time for all questions and suggestions relating to data privacy.

3. Collection of General Data and Information

The website collects various general data and information on each retrieval by a Data Subject or an automated system. This general data and information is stored in the logfiles of the server. The following can be gathered: 

  1. Browser types and versions used, 
  2. Operating system used by the accessing system, 
  3. Website from which an accessing system was referred to our website (so-called referrer), 
  4. Sub-pages, to which an accessing system navigates on our website, 
  5. Date and time of an access to the website, 
  6. Internet protocol address (IP address), 
  7. Internet service provider of the accessing system, 
  8. Other similar data and information, which serve for the defense against risks in the event of attacks on our information technology systems. 

                When using this general data and information, HMS does not draw any conclusions as to the identity of the Data Subject. This information is in fact needed to 

                1. deliver the contents of our website correctly, 
                2. optimize the contents of our webpages and its marketing, 
                3. ensure the permanent functionality of our information technology systems and the technology of our website, 
                4. provide the information required for criminal prosecution to the law enforcement authorities in the event of a cyberattack. 

                      These collected data and information are therefore analyzed by HMS statistically on the one hand and, on the other hand, with the objective to increase data protection and data security at our company. The anonymous data in the server logfiles is separated from all Personal Data specified by the Data Subject. 

                      Google Tag Manager is used on this website. Google Tag Manager is a solution of Google Inc. by means of which businesses can manage website tags via an interface. Google Tag Manager is a cookie-less domain. Google Tag Manager ensures the triggering of other tags, which on their part might gather data as the case may be. We inform of this separately. Google Tag Manager does not access this data. Insofar as a deactivation was set by the user at the domain or cookie level, this will stay in effect for all tracking tags, which are implemented with Google Tag Manager. 

                      In addition, when the website is used, cookies, web beacons and/or pixel (or comparable functions for the transmission of event data) will be stored on your computer if this is required for technical purposes or you have consented to the storing. Cookies are small text files that are stored on your hard drive as attributed to the browser you use and by means of which the people setting the cookie (we in this case) receive certain information. A cookie typically includes the name of the domain from which the cookie originates, the “lifetime” of the cookie and a value, which is usually a randomly generated unique number. Cookies cannot execute any programs or transmit viruses to your computer. The purpose of the use is to make our website more user friendly and effective on the whole. Some elements on our webpage require that the retrieving browser can also be identified after switching pages. 

                      To manage cookies and your consent to them, we use a solution of Usercentrics GmbH. Within the scope of commissioned data processing, we therefore transmit Personal Data (consent data) to Usercentrics GmbH, Sendlingerstr. 7, 80331 Munich, which is the commissioned data processor. We understand consent data to mean the following data: Date and time of the visit or consent/refusal, device information. The data is processed for the purpose of compliance with legal obligations (duty to present evidence according to Art. 7(1) GDPR) and the related documentation of consents and therefore based on Art. 6(1) lit. c) GDPR. The local storage is used for the storing of data. The consent data is stored for 3 years. The data is stored in the European Union. You can find more information about the gathered data and contact options at Details regarding the cookies used and the possibility to consent to the use of cookies can be found in the consent Settings. 

                      This stored information is separated from any other data that may have been given to us. In particular, the data of the cookies is not linked with your other data if such has been transmitted

                      4. Gathering of Personal Data during Personalized Use and Contact Option via the Website

                      If you contact us via our contact options (e.g. by e-mail), we store your name and contact details as well as your request. The data is processed to process your request and communicate with you. We use your e-mail to be able to reply to you by e-mail (legal basis Art. 6 para. 1 sentence 1 lit. b or f GDPR). 

                      The Personal Data is processed within the European Union, except for the data gathered by the third-party providers named below: 

                      • Google Analytics 
                      • LinkedIn Insight Tag 
                      • Youtube Video 

                      5. Routine Deletion and Blocking of Personal Data

                      The data controller processes and stores the Personal Data of the Data Subject only for the period required to reach the purpose of the storing or insofar as the legislator of European directives and regulations or another legislator has provided for this in laws or regulations that apply to the data controller. If the purpose for the storing no longer applies or if a storage period prescribed by the legislator of European directives and regulations or by another competent legislator expires, the Personal Data will be routinely blocked or deleted in accordance with legal regulations. 

                      7. No Automated Decision-Making

                      As Data Controller, we omit automated decision-making. 

                      8. Rights of Data Subjects

                      The user and other Data Subjects have the following rights in relation to us as relates to their Personal Data: 

                      • Right of access by the data subject to the relevant personal data (Art. 15 GDPR) 
                      • Right to rectification (Art. 16 GDPR) 
                      • Right to erasure (Art. 17 GDPR) 
                      • Right to restrict the processing (Art. 18 GDPR) 
                      • Right to object to the data processing if the data processing takes place based on Art. 6(1) lit. e) or lit. f) GDPR (Art. 21 GDPR); in this regard, also see the following information on the right to object pursuant to Art. 21 GDPR. 
                      • Right to data portability (Art. 20 GDPR) 
                      • Right to revoke a consent previously given without affecting the legitimacy of the processing that has taken place up until revocation if the data processing is based on a consent pursuant to Art. 6(1) lit. a) or Art. 9(2) lit. a) GDPR. 

                      You furthermore have the right to lodge a complaint with a data protection supervisory authority about the processing of your personal data by us (Art. 77 GDPR). 

                      Each Data Subject whose Personal Data is being processed has the right to object at any time, for reasons arising from their particular situation, to the processing of their Personal Data based on Art. 6 (1) lit. e) or lit. f) GDPR. This also applies to profiling based on these provisions. HMS no longer processes personal data in the event of an objection, unless we can demonstrate compelling legitimate reasons for the processing that outweigh the interests, rights and freedoms of the affected person, or the processing serves to assert, exercise or defend legal claims. To exercise the right to object, the Data Subject can contact the data protection officer of HMS directly. The Data Subject additionally has discretion, notwithstanding Directive 2002/58/EC, to exercise their right to object regarding the use of the services of the information society by means of automated procedures in which technical specifications are used. 

                      8. Legal Basis for the Processing

                      Art. 6 (1) lit. a) GDPR serves as the legal basis for our company to implement processing actions for which we obtain consent for a certain purpose of processing. If the processing of Personal Data is necessary for the performance of a contract to which the Data Subject is a party, as this is the case, for example, in processing that is required for the delivery of our performance, the processing is based on Art. 6 (1) lit. b) GDPR. The same applies to such processing actions that are required to conduct pre-contractual measures, for example, in cases of queries about our services.  

                      If our company is subject to a legal obligation requiring the processing of Personal Data, such as for the fulfilment of fiscal duties, the processing is based on Art. 6(1) lit. c) GDPR in connection with the respective legal basis, such as Section 147 of the German Fiscal Code (AO). Ultimately, processing activities could be based on Art. 6(1) lit. f) GDPR. This legal provision serves as the basis for processing activities when the processing is required to protect a justified interest of our company or of a third party, if there are no overriding interests, fundamental rights and freedoms of the Data Subject.  

                      9. Legitimate Interests of the Data Controller or a Third Party in the Processing

                      If the data processing is based on Art. 6(1) lit. f) GDPR, our justified interest is conducting our business operations for the benefit of all our employees and our company. 

                      10. Subcontractors and Recipients of Personal Data

                      In the context of the processing of Personal Data, we hire Data Processors and conclude agreements with these commissioned data processors in accordance with the requirements of Art. 28 GDPR. 

                      1. Microsoft Ireland Operations Limited, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland, is engaged as the Data Processor for the hosting of the website. 
                      2. As the commissioned data processor, we use Usercentrics GmbH, Sendlingerstr. 7, 80331 Munich. 


                        11. Data Protection Supervisory Authority and Right to Lodge Complaint

                        You have the right to complain to a supervisory authority. This is regardless of any other administrative or judicial remedy. You can do this especially in the member state of your usual residence, your place of work, or the place of the alleged infringement. 

                        12. Additional Information regarding Data Protection of Job Applications and in Application Procedures

                        We process the information made available to us of persons, who apply for jobs at our company, to the extent this is required to determine their qualification for job openings (legal basis is Article 6(1)(b) of the GDPR). This applies to applications for concrete job postings as well as to speculative applications, and the following data or data categories, among others, can be concerned: 

                        • Personal details and contact information, e.g., name, email address and phone number, private address, date of birth, national identification number, gender, marital status, and citizenship. 
                        • Educational, performance and employment data, such as information about school and university degrees, professional experience and skills, and performance evaluations. 

                        If you make statements in your application documents, which contain special categories of personal data (e.g., information on marital status, which might permit conclusions as to your sexual orientation; information about your health; enclosure of a photo, which might permit conclusions of your ethnic origin or, if applicable, your eyesight and/or religion), we will process this data only to the legally permissible scope.  

                        If you provide us with special categories of personal data, they will only be processed if the processing is necessary for us to exercise the rights and fulfill the obligations arising from labor law and social security law, pursuant to Article 9(2)(b) of the GDPR. 

                        We store your data for the duration of the application process and beyond, but no longer than six months from the communication of a binding decision regarding your application, unless an employment contract is concluded. Longer storage only occurs with your explicit consent (legal basis Article 6para. 1lit. a  GDPR), if we are required to comply with a legal obligation (legal basis Article 6para. 1 lit. c GDPR), or if there are legitimate reasons, such as potential claims arising from the non-selection of your application ( ) (legal basis here also Art. 6 para. 1 sentence 1 lit. b GDPR). After this period, your data will be deleted or stored in archive systems without immediate access, as required by commercial and tax law for archival purposes. 

                        In case of job applications, which lead to an occupational training or employment contract being concluded, the data from the applicants’ data system will be transferred into our HR information system and be stored until the end of the employment contract, unless other regulations mandate longer storage periods. Applicants shall then be obligated to supplement data to establish an employment relationship, e.g., by indicating their social security data. Subsequently, the data will be transmitted to social insurance carriers and the tax office. 

                        The legal bases for the data gathering are Article 6 para. 1 lit. b GDPR as well as further legal requirements, which define the storage obligations if employment contracts are concluded, are, e.g., Sec. 147 AO [German Fiscal Code], Sec. 257 HGB [German Commercial Code], etc. 

                        You have the opportunity at any time to revoke your consent to the processing of Personal Data or object to any data processing that is not based on your consent. You can exercise the revocation or objection, for example, by sending an email to Bewerbung(at) All Personal Data that we have processed in the scope of your consent with us will be deleted then. 

                        You have the possibility to consent to the inclusion in the talent pool during the application process. If you grant this consent, we will include you in our talent pool. If you do not give your consent for inclusion in the talent pool, this will not have any effects on your concrete application. By giving your consent, you agree that we may contact you during this time by email to send you information about our company. This relates exclusively to information on current or new job openings, newly created positions and/or divisions, newly opened company operating sites and the growth of our company in general. 

                        The legal basis for being included in the talent pool and sending information by email is your consent according to Art. 6(1) lit. a) GDPR. The legitimacy of the processing that has taken place up until your revocation will not be affected by the revocation of your consent. 

                        Please send the revocation of your consent directly to: Bewerbung(at), so that the deletion can be implemented. For the application process, we involve the specialized software provider rexx systems GmbH, Süderstraße 75-79, 20097 Hamburg. Rexx systems GmbH works as a service provider for us, and it can obtain knowledge of your Personal Data, if applicable, in connection with the maintenance and updating of systems. We have concluded a data processing agreement with this provider to ensure that the data processing will take place in a permissible manner. 

                        Your data as part of your job application will be screened by the HR department upon receipt of your application. Suitable applications will then be forwarded to the person responsible at the department of the open position in the specific case. The further procedure will be discussed and agreed at such time. Generally, only persons have access to your data, who require the access for the regular process of our application procedure. The data is processed exclusively in computing centers located in the Federal Republic of Germany.