Technologiepark Heidelberg GmbH
Im Neuenheimer Feld 582
Postcode, city, country:
69120 Heidelberg, Germany
Commercial registry and registration number:
Mannheim District Court, HRB 332701
Dr. André H.R. Domin
+49 6221 5025700
Types of data processed:
Processing of special categories of data (Art. 9 of the GDPR):
No special categories of data shall be processed.
Categories of data subjects whose data is processed:
Hereinafter, data subjects shall be collectively referred to as “user”.
Purpose of processing:
Version: 24 May 2018
1. Applicable legal grounds
3. Security measures
3.1. In accordance with the provisions of Art. 32 of the GDPR, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity to the rights and freedoms of natural persons, we shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. These shall include, in particular, ensuring the confidentiality, integrity, and availability of data by controlling physical access to the data as well as access, input, transfer, storage, availability, and separation of data concerning you. Moreover, we have established procedures that ensure that data subjects may exercise their rights, that data are erased, and that we react to threats to data. Furthermore, in accordance with the principle of data protection by design and by default (Art. 25 of the GDPR), we shall take the protection of personal data into account as early as the development or selection of hardware and software, as well as procedures.
4. Collaboration with commissioned data processors and third parties
4.1. Should we disclose, transfer, or otherwise grant access to the data to other persons and companies (commissioned data processors or third parties) in the course of our processing, this shall take place only on legal grounds (for example, if it is necessary to transfer the data to a third party such as a payment service provider in accordance with Art. 6 lit. b of the GDPR), because you have consented to it, because a legal obligation provides for this, or on the grounds of our legitimate interests (such as when appointing agents, web hosts, and so forth).
4.2. Should we appoint a third party to process data on the grounds of a “commissioned data processing contract”, this shall take place on the grounds of Art. 28 of the GDPR.
5. Transfers to third countries
Should we process data in a third country (that is, outside the European Union [EU] or European Economic Area [EEA]) or should this take place in the context of the utilization of third-party services or the disclosure or transfer of data to third parties, this shall take place only if it is done for the performance of our (pre)contractual obligations, on the grounds of your consent, due to a legal obligation, or on the grounds of our legitimate interests. Subject to legal or contractual permissions, we shall process or have the data processed in a third country only if the special requirements of Art. 44 ff. of the GDPR are met. This means that the processing shall take place on the grounds of special guarantees, such as official recognition that the third country ensures an adequate level of data protection (for example, the “Privacy Shield” in the USA) or compliance with officially recognized special contractual obligations (“standard contractual clauses”).
6. Rights of the data subject
6.1. You shall have the right to obtain confirmation as to whether or not personal data concerning you are being processed as well as access to these data, and further information and copies of the data in accordance with Art. 15 of the GDPR.
6.2. In accordance with Art. 16 of the GDPR, you shall have the right to have incomplete personal data concerning you completed and inaccurate personal data concerning you rectified.
6.3. In accordance with the provisions of Art. 17 of the GDPR, you shall have the right to erasure of personal data concerning you without undue delay or alternatively, in accordance with the provisions of Art. 18 of the GDPR, to restriction of processing of the data.
6.4. You shall have the right to receive the personal data concerning you, which you have provided to us, and transmit them to another controller in accordance with the provisions of Art. 20 of the GDPR.
6.5. Furthermore, in accordance with Art. 77 of the GDPR, you shall have the right to lodge a complaint with the competent supervisory authority.
7. Right to withdraw
You shall have the right to withdraw any given consent with future effect in accordance with Art. 7 (3) of the GDPR.
8. Right to object
You shall have the right to object to future processing of personal data concerning you at any time, in accordance with Art. 21 of the GDPR. You shall have the right to object to processing of personal data concerning you for direct marketing purposes in particular.
9. Cookies and the right to object to direct marketing
10. Erasure of data
10.2. In accordance with legal requirements, storage shall be for a period of six or 10 years pursuant specifically to Section 257 (1) of the German Commercial Code (HGB; trading books, inventories, opening balance sheets, financial statements, commercial letters, accounting records, and so forth) and for 10 years pursuant to Section 147 (1) of the German Fiscal Code (AO; books, records, management reports, accounting records, commercial and business letters, documents relevant for fiscal purposes, and so forth).
11. Provision of contractual services
11.1. We shall process user data (such as the name and address, as well as user contact data) and contractual data (such as the services availed of, contact names, and payment information) for the purpose of the performance of our contractual obligations and services in accordance with Art. 6 (1) lit. b of the GDPR.
11.2. Users may create an optional user account where they can view their specific orders. During the registration process, users shall be informed of the required mandatory information. The user accounts are not public and cannot be indexed by search engines. Should users have terminated their user account, their data concerning the user account shall be erased, provided that their retention is not required for commercial or fiscal purposes in accordance with Art. 6 (1) lit. c of the GDPR. In the event of termination, it shall be incumbent upon users to secure their data before the expiration of the contract. We shall be entitled to irretrievably erase all user data stored during the term of the contract.
11.3. In the course of registering and repeated logins, as well as the utilization of our online services, we shall store the IP address and time of the respective user action. This storage shall be on the grounds of our legitimate interests, as well as of protecting the user from misuse and other unauthorized use. In principle, these data shall not be transferred to third parties unless they are required to pursue our claims or there is a legal obligation to do so in accordance with Art. 6 (1) lit. c of the GDPR.
11.4. Erasure shall take place after the expiration of legal warranty and comparable obligations. The necessity for data retention shall be reviewed every three years. In the event of legal archiving obligations, erasure shall take place after their expiration (the commercial retention obligation is six years and the fiscal retention obligation is 10 years). Information included in the customer account shall be retained until the account has been erased.
12.1. When contacting us (through the contact form or by email), the user’s information shall be used to process the contact request in accordance with Art. 6 (1) lit. b of the GDPR.
12.2. User information may be stored in our Customer Relationship Management system (hereinafter “CRM system”) or a comparable request management system.
12.3. We shall erase the requests should they no longer be necessary. We shall review their necessity every two years. Requests from customers holding a customer account shall be stored permanently. Please refer to the information included in the customer account for erasure. In the event of legal archiving obligations, erasure shall take place after their expiration (the commercial retention obligation is six years and the fiscal retention obligation is 10 years).
13. Collection of access data and log files
13.1. We shall collect data about each access to the server on which this service is located (server log files) on the grounds of our legitimate interests pursuant to Art. 6 (1) lit. f of the GDPR. The access data shall include the name of the retrieved website, file name, date and time of retrieval, amount of data transferred, notification of successful retrieval, browser type and version, user’s operating system, referrer URL (the previously visited page), IP address, and requesting provider.
13.2. Log-file information shall be stored for security purposes (such as to clarify incidents of abuse or fraud) for a maximum period of seven days and then erased. Data that must be further stored due to their necessity for the purpose of evidence shall be excluded from erasure until the respective incident has been definitively clarified.
14. Online social media presences
14.1. On the grounds of our legitimate interests pursuant to Art. 6 (1) lit. f of the GDPR, we shall maintain online presences on social networks and platforms for the purpose of communicating with customers, prospective customers, and users that are active on such networks and platforms, and of informing them about our services. The terms and conditions and data processing guidelines of the respective operators of the accessed networks and platforms shall apply.
15. Cookies and measuring reach
15.1. Cookies are pieces of information that are transferred from our web server or third-party web servers to the user’s web browser and stored there for later retrieval. Cookies can be small files or other forms of information storage.
15.2. We use “session cookies”, which are only stored for the duration of the current visit to our online presence (for example, to enable the storage of your login status or the shopping cart function, and consequently the use of our online service at all). A randomly generated, unique identification number called a session ID is stored in a session cookie. A cookie also contains information about its origin and retention period. These cookies cannot store any other data. Session cookies are deleted when you have finished using our online service and logged out or closed your browser, for example.
15.4. In the event that users do not wish cookies to be stored on their computer, they should deactivate the corresponding option in their browser’s system settings. Stored cookies may be deleted through an option in the browser’s system settings. Disabling cookies may lead to restrictions in the functionality of this online service.
16. Google Analytics
16.2. Google is certified by the Privacy Shield Framework, which guarantees compliance with European data protection law (www.privacyshield.gov/participant).
16.3. On our behalf, Google shall use this information to analyze the use of our online service by users, to compile reports on the activities of this online service, and to provide us with other services related to the use of this online service and the Internet. Pseudonymous user profiles can be created from the processed data.
16.4. We shall only use Google Analytics with IP anonymization enabled. This means that Google shall truncate the user’s IP address if the user is located in a member state of the EU or EEA. Only in exceptional cases shall the full IP address be transferred to a Google server in the USA and truncated there.
16.5. The IP address transferred by the user’s browser shall not be merged with other Google data. Users may prevent the storage of cookies by selecting the appropriate settings in their browser. In addition, users may prevent Google from collecting and processing data obtained from the cookie related to their use of the online service by downloading and installing the browser add-on available at tools.google.com/dlpage/gaoptout.
16.7. Otherwise, personal data shall be anonymized or erased after a period of 14 months.
17.1. In the following, we shall inform you about the content of our newsletter as well as the registration, delivery, and statistical evaluation procedures, and your right to object. By subscribing to our newsletter, you shall consent to receipt of the newsletter and the procedures described.
17.2. Newsletter content: We shall send newsletters, emails and other electronic notifications containing advertising information (hereinafter “newsletters”) only with the consent of the recipient or if it is legally permissible. Provided that the content of the newsletter is specifically described in the course of registration, this shall apply to the consent of the user. Otherwise, our newsletters shall contain information about our products, services, promotions, and company.
17.3. Double opt-in and logging: Registration for our newsletter shall involve a double opt-in process; that is, after registration, you shall receive an email asking you to confirm your registration. This confirmation is necessary to ensure that no one subscribes to the newsletter using someone else’s email address. Registrations for the newsletter shall be logged as evidence of the registration process in accordance with legal requirements. This shall include storing the log-in and confirmation times, as well as the IP address. Changes to your data stored by the mailing service provider shall likewise be logged.
17.5. Moreover, according to their own available information, the mailing service provider may use these data in pseudonymous form—that is, without allocating them to a user—to optimize or improve their own services in order to technically optimize the delivery and layout of the newsletter, or for statistical purposes, in order to determine the recipients’ countries, among others. However, the mailing service provider shall not use our newsletter recipients’ data to contact them directly or transfer the data to third parties.
17.6. Registration data: Your email address shall be sufficient to subscribe to the newsletter. We shall ask you to optionally include your name to address you personally in the newsletter.
17.7. Measuring performance: The newsletters contain a “web beacon”, which is an image file no larger than one pixel that is retrieved from the mailing service provider’s server when the newsletter is opened. Initially, technical information such as information about your browser and system, as well as your IP address and the time of retrieval shall be collected in the course of this retrieval. This information shall be used to technically improve the services based on the technical data or the target groups, and their reading behavior based on where the retrieval occurs (which can be determined from the IP address) or the time of access. The collection of statistical information shall include a record of whether the newsletters have been opened, when they were opened, and the links within them that have been clicked. For technical reasons, this information can be allocated to the individual newsletter recipients. However, it shall be neither our nor the mailing service provider’s intention to monitor individual users. Rather, any evaluation shall serve the purpose of identifying the reading habits of our users and adapting our content to them, or sending different content according to our users’ interests.
17.8. Sending the newsletter and measuring performance shall take place on the grounds of the recipients’ consent in accordance with Art. 6 (1) lit. a and Art. 7 of the GDPR in conjunction with Section 7 (2) (3) of the German Act Against Unfair Competition (UWG), or on the grounds of legal permissibility in accordance with Section 7 (3) of the UWG.
17.9. Logging of the registration shall be on the grounds of our legitimate interests in accordance with Art. 6 (1) lit. f of the GDPR and shall serve as evidence of the consent to receive the newsletter.
17.10. Cancellation or withdrawal: Newsletter recipients may cancel receipt of our newsletter at any time. That is, you may withdraw your consent. A link to cancel the newsletter shall be available at the bottom of each newsletter. This shall simultaneously cause your consent to the use of your data to measure performance to lapse. Regretfully, it shall not be possible to withdraw only from the use of your data to measure performance: The entire newsletter subscription must be cancelled. Cancellation of the newsletter shall result in erasure of your personal data, unless their retention shall be legally required or justified, whereby, in this case, their processing shall be restricted to only these exceptional purposes. In particular, we may store the canceled email addresses for up to three years on the grounds of our legitimate interests, as evidence of previously given consent, before erasing them from the newsletter mailing list. The processing of these data shall be restricted to the purpose of possible defense against a claim. You may submit an individual request for erasure at any time, provided that you simultaneously confirm that you had previously given your consent.
18. Integration of third-party services and content
18.1. We shall include third-party providers’ content and services within our online service in order to integrate their content and services, such as videos or fonts (hereinafter collectively “content”), on the grounds of our legitimate interests (that is, interests in the analysis, optimization, and commercial operation of our online service pursuant to Art. 6 lit. f of the GDPR). This shall always presume that the third-party providers of this content determine users’ IP addresses since they could otherwise not deliver the content to their browsers. Therefore, the IP address is required to display this content. We shall endeavor to use only such content for which the respective provider uses the IP address solely for the distribution of the content. Furthermore, third-party providers may use “pixel tags” (invisible graphics also known as web beacons) for statistical or marketing purposes. Pixel tags can be used to evaluate information such as visitor traffic on the pages of this website. Furthermore, the pseudonymous information may be stored in cookies on the user’s device and may include technical information about the browser and operating system, referring websites, time of the visit, as well as other data on the use of our online service, and may also be linked to such information from other sources.
18.2. The following is an overview of third-party providers and their content, as well as links to their privacy policies, which include further information on the processing of data and opt-out options already mentioned here in some cases:
|Purpose||Google cookie for website analytics. Generates statistical and anonymized data on how the visitor uses the website.|
|Cookie lifetime||14 months|