
Data Privacy Policy

This website is operated by HMS Analytical Software GmbH (HMS). In the following, we inform you about the processing of personal data during the use of this website. Use is generally possible without providing any personal data. If someone wants to use services of our company via our webpage, this might, however, require a processing of personal data. The legal basis for our data processing can be found in the European General Data Protection Regulation (GDPR), its text and the associated recitals, which you can find here, for example. In the following information, we refer to the corresponding regulations as the respective legal basis for our processing.

 

1. Name and Address of the Data Controller

The Data Controller within the meaning of the GDPR is:
HMS Analytical Software GmbH
Grüne Meile 29
69115 Heidelberg
Germany
Phone: +49 (6221) 6051 0
Email: info(at)analytical-software.de

2. Contact Details of the Data Protection Officer

The Data Protection Officer of the data controller responsible for the processing is:
Ms. Elisabeth Kohm
HMS Analytical Software GmbH
Grüne Meile 29
69115 Heidelberg
Germany
Email: datenschutzbeauftragter(at)analytical-software.de

Every Data Subject can contact our Data Protection Officer directly at any time for all questions and suggestions relating to data privacy.

3. Collection of General Data and Information

The website collects various general data and information on each retrieval by a Data Subject or an automated system. This general data and information is stored in the logfiles of the server. The following can be gathered:

  1. Browser types and versions used,
  2. Operating system used by the accessing system,
  3. Website from which an accessing system was referred to our website (so-called referrer),
  4. Sub-pages, to which an accessing system navigates on our website,
  5. Date and time of an access to the website,
  6. Internet protocol address (IP address),
  7. Internet service provider of the accessing system,
  8. Other similar data and information, which serve for the defense against risks in the event of attacks on our information technology systems.

When using this general data and information, HMS does not draw any conclusions as to the identity of the Data Subject. This information is in fact needed to

  1. deliver the contents of our website correctly,
  2. optimize the contents of our webpages and its marketing,
  3. ensure the permanent functionality of our information technology systems and the technology of our website,
  4. provide the information required for criminal prosecution to the law enforcement authorities in the event of a cyberattack.

This collected data and information is therefore evaluated by HMS Analytical Software GmbH both statistically and with the aim of increasing data protection and data security in our company. The legal basis is Art. 6 para. 1 sentence 1 lit. f GDPR. The data of the server log files are processed separately from all personal data provided by a data subject.

Google Tag Manager is used on this website. Google Tag Manager is a solution of Google Inc. by means of which businesses can manage website tags via an interface. Google Tag Manager is a cookie-less domain. Google Tag Manager ensures the triggering of other tags, which on their part might gather data as the case may be. We provide information about this separately. Google Tag Manager does not access this data. Insofar as a deactivation was set by the user at the domain or cookie level, this will stay in effect for all tracking tags that are implemented with Google Tag Manager.

Furthermore, cookies, web beacons and/or pixels (or comparable functions for the transmission of event data) are stored on your computer when you use the website if this is technically necessary or if you have consented to the storage. Cookies are small text files that are stored on your hard disk and through which certain information flows to us.

To manage cookies and your consent to them, we use a solution of Usercentrics GmbH. Within the scope of commissioned data processing, we therefore transmit Personal Data (consent data) to Usercentrics GmbH, Sendlingerstr. 7, 80331 Munich, which is the commissioned data processor. We understand consent data to mean the following data: Date and time of the visit or consent/refusal, device information. The data is processed for the purpose of compliance with legal obligations (duty to present evidence according to Art. 7(1) GDPR) and the related documentation of consents and therefore based on Art. 6(1) lit. c) GDPR. The local storage is used for the storing of data. The consent data is stored for 3 years. The data is stored in the European Union. You can find more information about the gathered data and contact options at https://usercentrics.com/privacy-policy/. Details regarding the cookies used and the possibility to consent to the use of cookies can be found in the consent Settings.

This stored information is separated from any other data that may have been given to us. In particular, the data of the cookies is not linked with your other data if such has been transmitted.

4. Gathering of Personal Data during Personalized Use and Contact Option via the Website

If you contact us via our contact options (e.g. by e-mail), we store your name and contact details as well as your request. The data is processed to process your request and communicate with you. We use your e-mail to be able to reply to you by e-mail (legal basis Art. 6 para. 1 sentence 1 lit. b or f GDPR).

5. Routine Deletion and Blocking of Personal Data

Your personal data will be stored until the stated purposes have been achieved or for as long as we have a legitimate interest in storing it. Thereafter, the data will be deleted unless other agreements have been made with you or statutory archiving obligations (e.g. due to commercial or tax law) exist. If archiving is required by law, the data will be blocked for other access. Once the statutory retention periods have expired, the data will be deleted in accordance with data protection regulations. If you have consented to your data being processed, we will process your data indefinitely until you withdraw your consent or until the purpose for which you gave your consent no longer applies. Thereafter, the consent and processing data will be archived until the statute of limitations (regularly three years) for legal defense purposes (legal basis Art. 17 para. 3 lit. e GDPR).

6. No Automated Decision-Making

As Data Controller, we do not use automated decision-making.

7. Processors and recipients of personal data

We use processors for the processing of personal data and conclude agreements with them in accordance with the requirements of Art. 28 GDPR.

  1. Microsoft Ireland Operations Limited, 70 Sir John Rogerson's Quay, Dublin 2, Ireland, is used as the processor for hosting the website.
  2. We use Usercentrics GmbH, Sendlingerstr. 7, 80331 Munich, Germany, as the processor for the administration of consent data.
  3. Our job advertisements are hosted by rexx systems GmbH, Süderstraße 75-79, 20097 Hamburg (see also the additional information for applicants below).

 

8. Rights of Data Subjects

As a data subject, you can assert certain rights under the law.

a) Right to confirmation and information

According to Art. 15 GDPR, you have the right to request confirmation from us as to whether personal data concerning you is being processed. In the event that we process such data, you have the right to receive information about your stored data free of charge. The information includes details about

  • the purposes of processing;
  • the categories of personal data that are processed;
  • the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations;
  • if possible, the planned duration for which the personal data will be stored, or, if this is not possible, the criteria for determining this duration;
  • the existence of a right to rectification or erasure of the personal data concerning you or to restriction of processing by the controller or a right to object to such processing;
  • the existence of a right to lodge a complaint with a supervisory authority;
  • if the personal data are not collected from the data subject: all available information about the origin of the data;
  • the existence of automated decision-making, including profiling, in accordance with Article 22 (1) and (4) GDPR and - at least in these cases - meaningful information about the logic involved and the scope and intended effects of such processing for the data subject.

Furthermore, the data subject has the right to information about whether personal data has been transferred to a third country or to an international organization. If this is the case, the data subject also has the right to receive information about the appropriate guarantees in connection with the transfer. If you have any questions about the processing of personal data, for information, or to otherwise assert your rights, simply contact us using the contact details listed above.

b) Right to rectification

You have the right to have the data rectified and/or completed by the controller if the personal data concerning you that are processed are incorrect or incomplete. The controller must carry out the rectification immediately.

c) Right of objection

Your right of objection

 

You have the right to object at any time to the processing of personal data concerning you based on a balance of interests in accordance with Art. 6 (1) (f) GDPR for reasons arising from your particular situation. In the event of such an objection, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing that outweigh your interests, rights and freedoms or the processing serves to assert, exercise or defend legal claims.

d) Right to erasure (right to be forgotten)

Conditions for erasure

You have the right to request the erasure of personal data concerning you. Please note that a right to immediate erasure (Art. 17 GDPR) ("right to be forgotten") only exists if one of the following reasons applies:

  • The personal data is no longer necessary for the purposes for which it was collected or otherwise processed.
  • You withdraw your consent on which the processing was based in accordance with Art. 6 (1) (a) GDPR or Art. 9 (2) (a) GDPR, and there is no other legal basis for the processing.
  • You object to the processing in accordance with Art. 21 (1) GDPR and there are no overriding legitimate grounds for the processing, or you object to processing for direct marketing purposes in accordance with Art. 21 (2) GDPR.
  • The personal data concerning you have been processed unlawfully.
  • The erasure of the personal data is necessary to fulfill a legal obligation under Union or Member State law to which the controller is subject.
  • The personal data concerning you were collected in relation to information society services offered in accordance with Art. 8 (1) GDPR.

Further right to be forgotten

If we have made the personal data concerning you public and we are obliged to delete it in accordance with Art. 17 Para. 1 GDPR, we will take appropriate measures, including technical ones, taking into account the available technology and the implementation costs, to inform data controllers who process the personal data that you, as the data subject, have requested that they delete all links to these personal data or copies or replications of these personal data.

Exceptions to deletion

In addition to the above requirements, please note that the following exceptions may justify a rejection of your request for erasure: The right to erasure does not exist if the processing is necessary

  • to exercise the right to freedom of expression and information
  • for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
  • for reasons of public interest in the area of public health pursuant to Art. 9 (2) (h) and (i) and Art. 9 (3) GDPR
  • for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Art. 89 para. 1 GDPR, insofar as the right to erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing, or
  • for the establishment, exercise or defense of legal claims.

e) Right to restriction of processing

You have the right to restriction of processing if you contest the accuracy of the personal data for a period that enables us to verify the accuracy of the personal data or if, in the event of unlawful processing, you refuse erasure and instead request that the processing of personal data be restricted. You also have this right if we no longer need the data or if you need this personal data to assert, exercise or defend legal claims. Finally, you can assert this right if you have objected to the processing in accordance with Art. 21 Para. 1 GDPR and it has not yet been determined whether the legitimate reasons of the controller outweigh your reasons. If processing has been restricted, this data may only be processed with your consent or for the establishment, exercise or defense of legal claims or to protect the rights of another natural or legal person or for reasons of important public interest of the Union or a Member State. The possibility of continued storage remains unaffected. If processing has been restricted in accordance with the above-mentioned requirements, we will inform you before the restriction is lifted.

f) Right to data transfer

You also have the right to data portability of the data you have provided to us, which we have processed on the basis of an effective consent or whose processing was necessary to enter into or fulfill an effective contract, in a "structured, common and machine-readable format". You also have the right to request direct transmission to another controller, insofar as this is technically feasible. This right only exists to the extent that the rights and freedoms of other persons are not adversely affected.

g) Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement.

9. Additional Information regarding Data Protection of Job Applications and in Application Procedures

We process the information made available to us of persons, who apply for jobs at our company, to the extent this is required to determine their qualification for job openings (legal basis is Article 6(1)(b) of the GDPR). This applies to applications for concrete job postings as well as to speculative applications, and the following data or data categories, among others, can be concerned:

  • Personal details and contact information, e.g., name, email address and phone number, private address, date of birth, national identification number, gender, marital status, and citizenship.
  • Educational, performance and employment data, such as information about school and university degrees, professional experience and skills, and performance evaluations.
  • If you make statements in your application documents, which contain special categories of personal data (e.g., information on marital status, which might permit conclusions as to your sexual orientation; information about your health; enclosure of a photo, which might permit conclusions of your ethnic origin or, if applicable, your eyesight and/or religion), we will process this data only to the legally permissible scope.

If you provide us with special categories of personal data, these will only be processed if the processing is necessary for us to exercise the rights and fulfill the obligations arising from labor law and social security and social protection law, Art. 9 para. 2 lit. b GDPR.

We store your data for the duration of the application process and thereafter for a maximum of six months from notification of a binding decision regarding your application, unless an employment contract is concluded. Otherwise, data will only be stored for a longer period with your express consent (legal basis Art. 6 Para. 1 lit. a GDPR), if we have to comply with a legal requirement (legal basis Art. 6 Para. 1 lit. c GDPR) or if there are legitimate reasons, e.g. if claims are raised against the non-consideration of your application (legal basis here too Art. 6 Para. 1 Sentence 1 lit. b GDPR).

After this time has elapsed, your data will be deleted or only stored in archive systems with no direct access options, as required by law, for commercial and tax archiving purposes. Should you withdraw your application, the application documents will be deleted immediately. We only store your name and the information that you have withdrawn your application; the legal basis is Art. 6 Para. 1 Sentence 1 lit. f GDPR.

For applications that lead to the establishment of a training or employment relationship, the data from the applicant data system is transferred to our personnel information system and stored until the end of the employment relationship, unless other regulations prescribe longer retention periods. Applicants are then obliged to add data to establish an employment relationship, e.g. by providing social security data.

Data is then transferred to social security providers and the tax office. The legal basis for data collection is Art. 6 Para. 1 lit. b GDPR and other legal requirements that result in storage obligations in the case of the establishment of employment relationships, e.g. Section 147 AO, Section 257 HGB.

You have the option of consenting to be included in the talent pool during the application process. If you give this consent, we will add you to our talent pool. If you do not give your consent to be included in the talent pool, this will otherwise have no effect on your specific application. The legal basis for being included in the talent pool and sending information by email is your consent in accordance with Art. 6 Paragraph 1 Letter a of GDPR.

If you have given this consent, you can revoke it at any time with effect for the future. The revocation of your consent does not affect the legality of the processing carried out on the basis of your consent until the revocation. Please send the revocation of your consent directly to: bewerbung@analytical-software.de so that the deletion can be carried out. We use the specialized software provider rexx systems GmbH, Süderstraße 75-79, 20097 Hamburg for the application process. rexx systems GmbH acts as a service provider for us and may also receive knowledge of your personal data in connection with the maintenance and care of the systems. We have concluded a data processing agreement with this provider which ensures that data processing is carried out in a permissible manner.

Your applicant data will be reviewed by the HR department after receipt of your application. Suitable applications will then be forwarded to the department heads for the respective vacant position. The further process will then be coordinated. In principle, only those people who need access to your data for the proper execution of our application process have access to it. The data is processed exclusively in data centers in the Federal Republic of Germany.

10. Legal Basis for the Processing

Art. 6 (1) lit. a) GDPR serves as the legal basis for our company to implement processing actions for which we obtain consent for a certain purpose of processing. If the processing of Personal Data is necessary for the performance of a contract to which the Data Subject is a party, as this is the case, for example, in processing that is required for the delivery of our performance, the processing is based on Art. 6 (1) lit. b) GDPR. The same applies to such processing actions that are required to conduct pre-contractual measures, for example, in cases of queries about our services.

If our company is subject to a legal obligation which requires the processing of personal data, such as for the fulfillment of tax obligations, the processing is based on Art. 6 I lit. c GDPR. In rare cases, the processing of personal data may be necessary to protect the vital interests of the data subject or another natural person. This would be the case, for example, if a visitor were injured in our company and his name, age, health insurance data or other vital information had to be passed on to a doctor, hospital or other third parties. In that case, the processing would be based on Art. 6 I lit. d GDPR. Ultimately, processing operations could be based on Art. 6 I lit. f GDPR. This legal basis is used for processing operations that are not covered by any of the aforementioned legal bases if the processing is necessary to protect a legitimate interest of our company or a third party, provided that the interests, fundamental rights and freedoms of the data subject do not override them. We are permitted to carry out such processing operations in particular because they were specifically mentioned by the European legislator. In this respect, the legislator was of the opinion that a legitimate interest could be assumed if the data subject is a customer of the controller (Recital 47, Sentence 2 GDPR).

11. Legitimate Interests of the Data Controller or a Third Party in the Processing

If the data processing is based on Art. 6(1) lit. f) GDPR, our legitimate interest is conducting our business operations for the benefit of all our employees and our company.

12. Duration for which the personal data is stored

The criterion for the duration of the storage of personal data is the respective statutory retention period. After this period has expired, the corresponding data is routinely deleted, provided that it is no longer required for contract fulfillment or contract initiation.

13. Subcontractors and Recipients of Personal Data

We use subcontractors for the processing of personal data and conclude a contract with these processors in accordance with the requirements of Art. 28 GDPR. Microsoft Ireland Operations Limited, 70 Sir John Rogerson's Quay, Dublin 2, Ireland, is used as a subcontractor to host the website. We use Usercentrics GmbH, Sendlingerstr. 7, 80331 Munich, Germany, as a processor for the management of consent data.

14. Data Protection Supervisory Authority and Right to Lodge Complaint

The data protection supervisory authority responsible for us is: Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg, Lautenschlagerstraße 20, 70173 Stuttgart.

© 2024 HMS Analytical Software