Data Privacy Policy

This website is operated by HMS Analytical Software GmbH. In the following, we inform you about the gathering of personal data during the use of this website. Use is generally possible without providing any personal data. If someone wants to use particular services of our company via our webpage, this might, however, require a processing of personal data. If the processing of personal data is required and if there is no legal basis for such processing, we will generally obtain the consent from the data subject. Personal data of a data subject, such as the name, address, email address or phone number is processed in all cases in accordance with the General Data Protection Regulation (GDPR) and in compliance with the country-specific data protection laws that apply to HMS Analytical Software GmbH under the German Federal Data Protection Act (BDSG).

1. Definitions

This Data Privacy Policy uses the terms as defined in the GDPR. Our Data Privacy Policy is intended to be easy to read and comprehensible to the public, job applicants, as well as our customers and business partners. To ensure this, we would like to first explain the terms that are used:

1. Personal Data:
Personal Data is all information relating to an identified or identifiable natural person (referred to as the “Data Subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

2. Data Subjects:
A Data Subject is any identified or identifiable natural person whose Personal Data is used by the data controller responsible for the processing.

3. Processing:
Processing means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

4. Restriction of Processing:
Restriction of Processing means the marking of stored Personal Data with the aim of limiting their processing in the future.

5. Profiling:
Profiling means any form of automated processing of Personal Data consisting of the use of Personal Data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.

6. Pseudonymization:
Pseudonymization means the processing of Personal Data in such a manner that the Personal Data can no longer be attributed to a specific Data Subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the Personal Data is not attributed to an identified or identifiable natural person.

7. Data Controller or Entity Responsible for Processing:
Data Controller or Entity Responsible for Processing means the natural person or legal entity, authority, institution or other agency that alone or jointly with others determines the purposes and means of the processing of Personal Data. If the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by EU law or the law of the Member States.

8. Data Processor:
A commissioned data processor means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the controller.

9. Recipient:
A Recipient means a natural or legal person, public authority, agency or another body, to which the Personal Data is disclosed, whether a third party or not. Authorities that may receive Personal Data within the scope of a particular inquiry pursuant to EU law or the law of the Member States, however, are not considered to be Recipients.

10. Third Party:
Third Party means a natural or legal person, public authority, agency or body other than the Data Subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process Personal Data.

11. Consent:
Consent means any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of Personal Data relating to him or her.

2. Name and Address of the Data Controller

Data Controller in the definition of the GDPR is:
HMS Analytical Software GmbH
Grüne Meile 29
69115 Heidelberg
Phone: +49 (6221) 6051 0
Email: info(at)

3. Contact Details of the Data Protection Officer

The Data Protection Officer of the data controller responsible for the processing is:
Ms. Elisabeth Kohm
HMS Analytical Software GmbH
Grüne Meile 29
69115 Heidelberg
Email: datenschutzbeauftragter(at)

Every Data Subject can contact our Data Protection Officer directly at any time for all questions and suggestions relating to data privacy.

4. Collection of General Data and Information

The website collects various general data and information on each retrieval by a Data Subject or an automated system. This general data and information is stored in the logfiles of the server. The following can be gathered:

  1. Browser types and versions used;
  2. Operating system used by the accessing system;
  3. Website from which an accessing system was referred to our website (so-called referrer);
  4. Sub-pages, to which an accessing system navigates on our website;
  5. Date and time of an access to the website;
  6. Internet protocol address (IP address);
  7. Internet service provider of the accessing system; and
  8. Other similar data and information, which serve for the defense against risks in the event of attacks on our information technology systems.

When using this general data and information, HMS Analytical Software GmbH does not draw any conclusions as to the identity of the Data Subject. This information is in fact needed in order to

  1. deliver the contents of our website correctly;
  2. optimize the contents of our webpages and its marketing;
  3. ensure the permanent functionality of our information technology systems and the technology of our website; and
  4. provide the information required for criminal prosecution to the law enforcement authorities in the event of a cyberattack.

This data and information collected in anonymized form is therefore analyzed by HMS Analytical Software GmbH statistically on the one hand and, on the other hand, with the objective to increase data protection and data security at our company to ultimately ensure an optimal level of protection for the personalized data that is processed by us. The anonymous data in the server logfiles is separated from all Personal Data specified by the Data Subject.

Google Tag Manager is used on this website. Google Tag Manager is a solution of Google Inc. by means of which businesses can manage website tags via an interface. Google Tag Manager is a cookie-less domain, which does not gather any Personal Data. Google Tag Manager ensures the triggering of other tags, which on their part might gather data as the case may be. We inform of this separately. Google Tag Manager does not access this data. Insofar as a deactivation was set by the user at the domain or cookie level, this will stay in effect for all tracking tags, which are implemented with Google Tag Manager.

In addition, when the website is used, cookies, web beacons and/or pixel (or comparable functions for the transmission of event data) will be stored on your computer if this is required for technical purposes or you have consented to the storing. Cookies are small text files that are stored on your hard drive as attributed to the browser you use and by means of which the people setting the cookie (we in this case) receive certain information. A cookie typically includes the name of the domain from which the cookie originates, the “lifetime” of the cookie and a value, which is usually a randomly generated unique number. Cookies cannot execute any programs or transmit viruses to your computer. The purpose of the use is to make our website more user friendly and effective on the whole. Some elements on our webpage require that the retrieving browser can also be identified after switching pages.

To manage cookies and your consent to them, we use a solution of Usercentrics GmbH. Within the scope of commissioned data processing, we therefore transmit Personal Data (consent data) to Usercentrics GmbH, Sendlingerstr. 7, 80331 Munich, which is the commissioned data processor. We understand consent data to mean the following data: Date and time of the visit or consent/refusal, device information. The data is processed for the purpose of compliance with legal obligations (duty to present evidence according to Art. 7(1) GDPR) and the related documentation of consents and therefore on the basis of Art. 6(1) lit. c) GDPR. The local storage is used for the storing of data. The consent data is stored for 3 years. The data is stored in the European Union. You can find more information about the gathered data and contact options at Details regarding the cookies used and the possibility to consent to the use of cookies can be found in the consent settings.

This stored information is separated from any other data that may have been given to us. In particular, the data of the cookies is not linked with your other data if such has been transmitted.

5. Gathering of Personal Data during Personalized Use and Contact Option via the Website

Besides the purely informational use of our webpages, we offer different services that you can use if interested. For this purpose, you usually need to provide further personal data that we will use for the performance of the respective service. If additional voluntary information can be indicated, this will be marked accordingly. We will gather, process and use only the Personal Data, which is required for your use of the website and/or the performance of a contract concluded with us or data that you have provided yourself. This is, in particular, the following inventory data and usage data, which may be transmitted via forms on our website:

  • Name (comprising salutation, title, first name, last name and gender)
  • Address
  • Phone number
  • Email address
  • Date of birth
  • Registration and login data of the user

Inventory data and usage data will be used by us to establish a contractual relationship with you, if applicable, and to arrange it substantively, change or terminate it in order to fulfil our contractual obligations, enable the user’s login on the website and contact you if you have so requested or if this is required or permitted under the law within the scope of the contractual relationship.

If a Data Subject contacts the data controller who is responsible for the processing via email or a contact form, the Personal Data transmitted by the Data Subject is stored automatically. Such Personal Data that is transmitted by the Data Subject on a voluntary basis to the data controller is stored for the purposes of processing or contact with the Data Subject. This Personal Data will not be transmitted to Third Parties.

The Personal Data is stored and processed within the European Union, except for the data gathered by the third-party providers named below.

6. Routine Deletion and Blocking of Personal Data

The data controller processes and stores the Personal Data of the Data Subject only for the period required to reach the purpose of the storing or insofar as the legislator of European directives and regulations or another legislator has provided for this in laws or regulations that apply to the data controller. If the purpose for the storing no longer applies or if a storage period prescribed by the legislator of European directives and regulations or by another competent legislator expires, the Personal Data will be routinely blocked or deleted in accordance with legal regulations.

7. No Automated Decision-Making/Profiling

As Data Controller, we omit automatic decision-making or profiling.

8. Rights of Data Subjects

The user and other Data Subjects have the following rights in relation to us as relates to their Personal Data:

  • Right of access by the data subject to the relevant personal data (Art. 15 GDPR)
  • Right to rectification (Art. 16 GDPR)
  • Right to erasure (Art. 17 GDPR)
  • Right to restrict the processing (Art. 18 GDPR)
  • Right to object to the data processing if the data processing takes place based on Art. 6(1) lit. e) or lit. f) GDPR (Art. 21 GDPR); in this regard, also see the following information on the right to object pursuant to Art. 21 GDPR.
  • Right to data portability (Art. 20 GDPR)
  • Right to revoke a consent previously given without affecting the legitimacy of the processing that has taken place up until revocation if the data processing is based on a consent pursuant to Art. 6(1) lit. a) or Art. 9(2) lit. a) GDPR.

You furthermore have the right to lodge a complaint with a data protection supervisory authority about the processing of your personal data by us (Art. 77 GDPR).

Each Data Subject whose Personal Data is being processed has the right to object at any time, for reasons arising from their particular situation, to the processing of their Personal Data based on Art. 6 (1) lit. e) or lit. f) GDPR. This also applies to profiling based on these provisions. HMS Analytical Software GmbH will then cease the processing of this Personal Data in the case of an objection, unless we can prove compelling reasons for the processing, which qualify for protection and which override the interests, rights and freedoms of the Data Subject, or if the processing serves the purpose of asserting, exercising or defending legal claims. If HMS Analytical Software GmbH processes Personal Data to engage in direct marketing, the Data Subject has the right to object at any time to the processing of Personal Data for such marketing. If the Data Subject declares to HMS Analytical Software GmbH that it objects to the processing for the purposes of direct marketing, HMS Analytical Software GmbH will stop processing the Personal Data for such purposes. Furthermore, the Data Subject has the right, for reasons arising from their particular situation, to object to the processing of Personal Data relating to them, which is carried out at HMS Analytical Software GmbH for scientific or historical research purposes or for statistical purposes according to Art. 89(1) GDPR, unless the processing is necessary for the performance of a task carried out for reasons that are in the public interest. To exercise the right to object, the Data Subject can contact the data protection officer of HMS Analytical Software GmbH directly. The Data Subject additionally has discretion, notwithstanding Directive 2002/58/EC, to exercise their right to object with regard to the use of the services of the information society by means of automated procedures in which technical specifications are used.

9. Legal Basis for the Processing

Art. 6 (1) lit. a) GDPR serves as the legal basis for our company to implement processing actions for which we obtain consent for a certain purpose of processing. If the processing of Personal Data is necessary for the performance of a contract to which the Data Subject is a party, as this is the case, for example, in processing that is required for the delivery of goods or the performance of another service or counter service, the processing is based on Art. 6 (1) lit. b) GDPR. The same applies to such processing actions that are required to conduct pre-contractual measures, for example, in cases of queries about our products or services. If our company is subject to a legal obligation requiring the processing of Personal Data, such as for the fulfilment of fiscal duties, the processing is based on Art. 6(1) lit. c) GDPR. In rare cases, the processing of Personal Data may become necessary to protect vital interests of the Data Subject or another natural person. This would be the case, for example, if a visitor were to suffer personal injury at our business and if thereupon their name, age, health insurance details and other vital information would have to be transferred to a doctor, hospital or other third party. In such a case the processing would be based on Art. 6(1) lit. d) GDPR. Ultimately, processing activities could be based on Art. 6(1) lit. f) GDPR. This legal provision serves as the basis for processing activities, which are not covered by any of the previously mentioned legal bases, when the processing is required to protect a justified interest of our company or of a third party, provided that there are no overriding interests, fundamental rights and freedoms of the Data Subject. Such processing activities are permitted to us in particular because they have been mentioned separately by the European legislature. It presented the opinion that a justified interest could be presumed if the Data Subject is a customer of the data controller (recital 47 sent. 2 GDPR).

10. Legitimate Interests of the Data Controller or a Third Party in the Processing

If the data processing is based on Art. 6(1) lit. f) GDPR, our justified interest is conducting our business operations for the benefit of all our employees and our company.

11. Storage Period for Personal Data

The criterion for the period of the storing Personal Data is the respective statutory retention period. After expiration of the period, the corresponding data will be routinely deleted, provided it is no longer required for the fulfilment of a contract or initiation of a contract.

12. Subcontractors and Recipients of Personal Data

In the context of the processing of Personal Data, we hire subcontractors and conclude agreements with these commissioned data processors in accordance with the requirements of Art. 28 GDPR.

  1. Microsoft Ireland Operations Limited, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland, is engaged as the subcontractor for the hosting of the website.
  2. As the commissioned data processor, we use Usercentrics GmbH, Sendlingerstr. 7, 80331 Munich.

13. Data Protection Supervisory Authority and Right to Lodge Complaint

The data protection supervisory authority competent for us is: The State Commissioner for Data Protection and Freedom of Information of Baden-Württemberg, Lautenschlagerstraße 20, 70173 Stuttgart.

14. Additional Information regarding Data Protection of Job Applications and in Application Procedures

We store the information made available to us of persons, who apply for jobs at our company, to the extent this is required in order to determine their qualification for job openings. This applies to applications for concrete job postings as well as to speculative applications, and the following data or data categories, among others, can be concerned:

  • Personal details and contact information, e.g., name, email address and phone number, private address, date of birth, national identification number, gender, marital status and citizenship;
  • Occupational training, qualification and employment data, e.g., information about degrees from schools and universities, professional experience and competencies, and performance evaluations.

If you make statements in your application documents, which contain special categories of personal data (e.g., information on marital status, which might permit conclusions as to your sexual orientation; information about your health; enclosure of a photo, which might permit conclusions of your ethnic origin or, if applicable, your eyesight and/or religion), we will process this data only to the legally permissible scope. If you make special categories of personal data available to us voluntarily, we will process them only with your consent. The legal basis for this is Art. 6(1) lit. a) GDPR, Sec. 26(2) BDSG.

The storage period is at most two years, unless you have consented to a longer period of storage. The application will be reviewed within this period and the information will be available until the end of the storage period, to be able to answer even subsequent questions in a qualified manner (e.g., requests for documents, rejections, etc.) No data will be gathered from Third Parties in the course of application processes, unless the Data Subject has consented to this. If no employment contract should be concluded between you and us, the application process will end on receipt of a rejection letter. In that case, we will delete your data at the latest 6 months after receipt of the rejection letter, unless you have consented to a longer storage period. This shall not apply insofar as the processing and storing of your Personal Data is required in the concrete case to enforce, exercise or defend against legal claims (duration of a lawsuit).

In case of job applications, which lead to an occupational training or employment contract being concluded, the data from the applicants’ data system will be transferred into our HR information system and be stored until the end of the employment contract, unless other regulations mandate longer storage periods. Applicants shall then be obligated to supplement data in order to establish an employment relationship, e.g., by indicating their social security data. Subsequently, the data will be transmitted to social insurance carriers and the tax office.

The legal bases for the data gathering are Art. 6(1) lit. f) GDPR and Art. 26 1) BDSG, as well as further legal requirements, which define the storage obligations in the event that employment contracts are concluded, are, e.g., Sec. 147 AO [German Fiscal Code], Sec. 257 HGB [German Commercial Code], Sec. 35(1) SRVwV [General Administrative Rule on Accounting of Social Security], etc.

You have the opportunity at any time to revoke your consent to the processing of Personal Data or object to any data processing that is not based on your consent. You can exercise the revocation or objection, for example, by sending an email to All Personal Data that we have stored in the course of your contact with us will be deleted then.

You have the possibility to consent to the inclusion in the talent pool in the course of the application process. If you grant this consent, we will include you in our talent pool. If you do not give your consent for inclusion in the talent pool, this will not have any effects on your concrete application. By giving your consent, you agree that we may contact you during this time by email to send you information about our company. This relates exclusively to information on current or new job openings, newly created positions and/or divisions, newly opened company operating sites and the growth of our company in general. In this context, there will not be any advertising for our products or services.

The legal basis for being included in the talent pool and sending information by email is your consent according to Art. 6(1) lit. a) GDPR. The legitimacy of the processing that has taken place up until your revocation will not be affected by the revocation of your consent.

If you consent to the inclusion in the talent pool, we will store and not delete your data for as long as we list you in our talent pool or until you inform us that you no longer want to be a part of the talent pool. If you have already been transferred into the talent pool and revoke your consent before the end of two years, we will delete your application from the talent pool within one month from your revocation. Please send the revocation of your consent directly to:, so that the deletion can be implemented. For the rest, we will delete your data from the talent pool on expiration of the two years. Please find further details about deletion in our Data Privacy Policy. For the application process, we involve the specialized software provider TFI GmbH, Lise-Meitner-Straße 5-9, 42119 Wuppertal, and its product Talention Analytics. TFI GmbH works as a service provider for us, and it can obtain knowledge of your Personal Data, if applicable, in connection with the maintenance and updating of systems. We have concluded a commissioned processing agreement with this provider to ensure that the data processing will take place in a permissible manner.

Your data as part of your job application will be screened by the HR department upon receipt of your application. Suitable applications will then be forwarded to the person responsible at the department of the open position in the specific case. The further procedure will be discussed and agreed at such time. Generally, only persons have access to your data, who require the access for the regular process of our application procedure. The data is processed exclusively in computing centers located in the Federal Republic of Germany.

15. Supplementary Information on Data Protection when Actively Searching for Candidates in Professional Social Networks

As part of our search for suitable candidates, we conduct research in professional social networks and use the personal data published there by potential candidates to check whether the person fits in with us and, if necessary, to make contact. This data is deleted after the selection process has ended, unless an application process follows. The basis for the research is our legitimate interest in filling positions with suitable people.
You have the right to object. The exercise of the revocation or objection can be made in particular via the respective professional, social network and to the person by whom you were approached for the purpose of filling the vacancy. All personal data that we have stored in the course of your contact will be deleted in this case.