Data Protection | ETH Industry Day 2021

Data Protection Declaration Pursuant to the GDPR

I. Name and Address of the Controller
The controller within the meaning of the General Data Protection Regulation and other national data protection laws of the Member States, as well as other data protection provisions is:

II. General Information on Data Processing
1. Scope of the processing of personal data
We generally only collect and use our users‘ personal data if this is necessary to provide a functional website, our content and our services. Our users‘ personal data is generally collected and used only after consent of the user. An exception applies in those cases in which obtaining previous consent is not possible for factual reasons and the processing of the data is permitted by statutory provisions.

2. Legal basis for the processing of personal data
To the extent we obtain consent of the data subject for processing operations of personal data, Article 6(1) sub-paragraph (a) of the EU General Data Protection Regulation (GDPR) serves as the legal basis for the processing of personal data. Article 6(1) sub-paragraph (b) of the GDPR serves as the legal basis for the processing of personal data that is required for the performance of a contract to which the data subject is a party. This also applies to processing operations that are required in order to take steps prior to entering into a contract.
If the processing of personal data is necessary for compliance with a legal obligation to which our company is subject, article 6(1) sub-paragraph (c) of the GDPR serves as the legal basis.
In the event that vital interests of the data subject or of another natural person make processing of personal data necessary, article 6(1) sub-paragraph (d) of the GDPR serves as the legal basis.
If the processing is necessary for the purposes of a legitimate interest pursued by our company or by a third party, and the interests, fundamental rights and freedoms of the data subject do not override the aforementioned interest, then article 6(1) sub-paragraph (f) of the GDPR serves as the legal basis for the processing.

3. Erasure of data and retention period The personal data of the data subject will be deleted or made unavailable as soon as the reason for retention no longer applies. Date may also be retained if this is provided for by European or national legislature in regulations, laws or other rules under Union law to which the Controller is subject. Data is also blocked or deleted if a storage period prescribed by the stipulated norms expires unless there is a necessity for further retention of the data for entering into or performing a contract.

III. Provision of the Website and Preparation of Log Files
1. Description and scope of the data processing Each time you visit our website our system automatically collects data and information from the computer system of the calling computer. The following data is collected during this process:
> information about the browser type and the version used (possibly the operating system)
> information about the browser type and the version used (possibly the operating system)
> the user’s anonymized IP address (excluding the last byte)
> date and time of access
> the page called up

The data is also saved in our system’s log files. This does not involve the user’s IP addresses or other data that enable the assignment of data to a user. This data is not stored with other personal data of the user.

2. Legal basis for the data processing Article 6(1) sub-paragraph (a) of the GDPR is the legal basis for the temporary retention of data and log files.

3. Purpose of the data processing The temporary retention of the IP address by the system is necessary in order to allow delivery of the website to the user’s computer. To do so, the user’s IP address must remain saved for the duration of the session. The address is stored in log files in order to ensure the functionality of the website. In addition, the data enables us to optimize the website and to ensure the security of our IT systems. The data is not exploited for marketing purposes in this connection. Our legitimate interests in data processing pursuant to article 6(1) sub-paragraph (f) of the GDPR also rests in these purposes.

4. Duration of retention The data is deleted as soon as it is no longer required for satisfying the purpose for which it is collected. In the event the data is recorded for providing the website, this is the case when the respective session is ended. In the event the data is retained in log files, this is the case after no more than four weeks. Users‘ IP addresses are saved only in anonymized form such that a reference to the calling client is not possible.

5. Ability to object and remove data The recording of data for providing the website and the storage of data in log files is absolutely necessary for the operation of the website. Consequently, the user has no ability to object.

IV. Use of Cookies
a) Description and scope of the data processing
Our website uses cookies. Cookies are text files that are saved in or by the web browser on the user’s computer system. If a user visits a website, a cookie may be saved to the user’s operating system. This cookie contains a characteristic string of characters that enables a unique identification of the browser when the website is visited again. We use cookies in order to make our website more user-friendly. Some elements of our website require that the calling browser can be identified even after a page change. For example, language preferences are saved and transmitted in these technical cookies. When our website is called up, users are informed by an information banner about the use of cookies for analysis purposes and reference is made to this data protection declaration. In this connection, there is also a notice about how the storage of cookies can be prevented in the browser settings.

b) Legal basis for the data processing The legal basis for the processing of personal data using cookies is article 6(1) sub-paragraph (f) of the GDPR.

c) Purpose of the data processing The purpose of using technically necessary cookies is to simplify the use of websites for the users. Some functions of our website could not be offered without the use of cookies. For these functions, it is necessary that the browser can be recognized again even after a page change. The user data collected by technically necessary cookies is not used for the preparation of user profiles. Our legitimate interests in the processing of personal data pursuant to article 6(1) sub-paragraph (f) of the GDPR also rests in these purposes.

d) Duration of retention, ability to object and remove data Cookies are saved on the user’s computer and transmitted from it to our website. Therefore, you as the user also have full control over the use of cookies. By changing the settings in your web browser, you can restrict or deactivate the transfer of cookies. Cookies already saved may be deleted at any time. This can also be done automatically. If cookies for our website are deactivated, it is possible that all of the website’s functions cannot be fully used.

V. Contact Form and Email Contact

1. Description and scope of the data processing There is a contact form on our website which can be used for making contact electronically. If a user uses this option, the data entered in the input form will be transmitted to us and saved. This data comprises address data, in particular: contact person, form of address, title, first name, last name, company name, street, postal code, city, telephone, email, inquiry.

During the process of sending the inquiry, your consent to processing the data is obtained and a reference is made to this data protection declaration. Alternatively, you can make contact through the e-mail address provided. In this case, the user’s personal data submitted with the email is saved. The data is not passed on to third parties in this connection. The data is used exclusively for handling the conversation.

2. Legal basis for the data processing
When the user’s consent has been obtained, the legal basis for the processing of the data is article 6(1) sub-paragraph (a) of the GDPR. The legal basis for the processing of the data that is transmitted in the course of sending an email is article 6(1) sub-paragraph (f) of the GDPR. If the email contact is aimed at entering into a contract, then the additional legal basis for processing is article 6(1) sub-paragraph (b) of the GDPR.

3. Purpose of the data processing
The personal data from the input form serves solely for us to handle making contact. In the event contact is made by e-mail, this also constitutes the necessary legitimate interests in processing the data.
The other personal data processed during the sending process serve to prevent a misuse of the contact form and to ensure the security of our IT systems.

4. Duration of retention
The data is deleted as soon as it is no longer required for satisfying the purpose for which it is collected. For the personal data from the input form of the contact form and for the data that was sent by e-mail, this is the case when the respective conversation with the user ends. The conversation is ended when it can be deduced from the facts and circumstances that the matter in question has been conclusively clarified. The additional personal data collected during the sending process is deleted after a period of seven days at the latest.

5. Ability to object and remove data
The user may revoke his/her consent to the processing of personal data in the future at any time. If the user makes contact with us by e-mail, the user can object to the retention of his/her personal data at any time. In such a case the conversation cannot be continued. If you would like to withdraw your consent to the processing of your personal data by VITES GmbH, you can inform us of this at any time in writing by letter or by e-mail (unsubscribe@vites-gmbh.de). In such an event, all personal data that was saved in the course of making contact will be deleted.

VI. Rights of the Data Subject
If your personal data is processed, you are a data subject within the meaning of the GDPR and you have the following rights vis-à-vis the controller:

6. Right of access
You can obtain a confirmation from the controller as to whether personal data concerning you is being processed. If there is such processing, you can request access to the following information from the controller:

(1) the purposes for which the personal data is being processed;
(2) the categories of personal data that is being processed;
(3) the recipients or categories of recipients to whom your personal data has been or will be disclosed;
(4) the envisaged retention period of your personal data, or if specific information thereon is not possible, the criteria used to determine the retention period;
5) the existence of the right to request rectification or erasure of your personal data, the existence of the right to restrict the processing of personal data by the controller, or the existence of a right to object to such processing;
(6) the existence of a right to lodge a complaint with a supervisory authority;
(7) any available information as to the source of the data where the personal data is not collected from the data subject;
(8) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) of the GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

You have the right to request information as to whether your personal data is being transferred to a third country or to an international organization. In this connection, you can request to be informed of the appropriate safeguards pursuant to Article 46 of the GDPR relating to the transfer.

7. Right to rectification
You have a right to rectification and/or completion by the controller if the processed personal data concerning you is incorrect or incomplete. The controller must make the rectification without undue delay.

8. Right to restriction of processing
You can request the restriction of processing of your personal data under the following conditions:
(1) if you contest the accuracy of your personal data, for a period enabling the controller to verify the accuracy of the personal data;
(2) the processing is unlawful and you oppose the erasure of the personal data and instead request the restriction of the use of the personal data;
(3) the controller no longer needs the personal data for the purposes of processing, but you require it for the establishment, exercise or defense of legal claims, or
(4) you have objected to the processing pursuant to Article 21(1) of the GDPR and it has not yet been verified whether the legitimate grounds of the controller override your legitimate grounds.

Where the processing of your personal data has been restricted, such data will, with the exception of storage, only be processed with your consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the European Union or of a Member State. Where the processing was restricted pursuant to the aforementioned conditions, you will be informed by the controller before the restriction is lifted.

9. Right to erasure
Obligation to erase
You have the right to obtain from the controller the erasure of personal data concerning you without undue delay, and the controller is obligated to erase such data without undue delay where one of the following grounds applies:
(1) your personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed;
(2) you withdraw your consent on which the processing is based pursuant to Article 6(1) sub-paragraph (a) or Article 9(2) sub-paragraph (a) of the GDPR, and where there is no other legal ground for the processing;
(3) you object to the processing pursuant to Article 21(1) of the GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Article 21(2) of the GDPR;
(4) your personal data has been processed unlawfully;
(5) your personal data has to be erased for compliance with a legal obligation in European Union or Member State law to which the controller is subject;
(6) your personal data has been collected in relation to the offer of information society services referred to in Article 8(1) of the GDPR.

b) Information to third parties Where the controller has made your personal data public and is obliged pursuant to Article 17(1) of the GDPR to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that you as the data subject have requested the erasure by such controllers of any links to, or copy or replication of that personal data. c) Exceptions The right to erasure does not exist to the extent that processing is necessary:
(1) for exercising the right of freedom of expression and information;
(2) for compliance with a legal obligation which requires processing by European Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(3) for reasons of public interest in the area of public health pursuant to Article 9(2) sub-paragraph (h) and (i) as well as Article 9(3) of the GDPR;
(4) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) of the GDPR insofar as the right referred to in paragraph a) is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
(5) for the establishment, exercise or defense of legal claims.

10. Right to be informed
If you have exercised the right to rectification, erasure or restriction of processing vis-à-vis the controller, the controller is obligated to report this rectification or erasure of the data or the restriction of processing to all recipients to whom your personal data was disclosed, unless this proves to be impossible or involves a disproportionate effort. You have the right to be informed by the controller about these recipients.

11. Right to data portability
You have the right to receive your personal data which you have provided to the controller in a structured, commonly used and machine-readable format. You also have the right to transmit that data to another controller without hindrance by the controller to which the personal data has been provided, where;

(1) the processing is based on consent pursuant to Article 6(1) sub-paragraph(a) of the GDPR or Article 9
(2) sub-paragraph (a) of the GDPR or on a contract pursuant to Article 6(1) sub-paragraph (a) of the GDPR; and(2) the processing is carried out by automated means.

In exercising this right, you also have the right to have your personal data transmitted directly from one controller to another, where technically feasible. This may not adversely affect the freedoms and rights of others. The right to data portability does not apply to a processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

12. Right to object
You have the right to object, on grounds relating to your particular situation, at any time to the processing of your personal data which is based on Article 6(1) sub-paragraph (e) or (f) of the GDPR, including profiling based on those provisions. The controller will no longer process your personal data unless the controller demonstrates compelling legitimate grounds for the processing which override

your interests, rights and freedoms or the processing serves the establishment, exercise or defense of legal claims. Where your personal data is processed for direct marketing purposes, you have the right to object at any time to processing of your personal data for such marketing, which includes profiling to the extent that it is related to such direct marketing. Where you object to processing for direct marketing purposes, your personal data will no longer be processed for such purposes. In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you may exercise your right to object by automated means using technical specifications.

13. Right to withdraw the data protection declaration of consent
You have the right to withdraw your data protection declaration of consent at any time. The withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal.

14. Automated individual decision-making, including profiling
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.
This does not apply if the decision:

(1) is necessary for entering into, or performance of, a contract between you and the data controller;
(2) is authorized by European Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and your legitimate interests; or
(3) is based on your explicit consent.

However, these decisions may not be based on special categories of personal data referred to in Article 9(1) of the GDPR, unless Article 9(2) sub-paragraph (a) or (g) applies, and suitable measures to safeguard your rights and freedoms and your legitimate interests are in place. With regard to the cases referred to in (1) and (3), the data controller will implement suitable measures to safeguard your rights and freedoms and your legitimate interests, at least the right to obtain human intervention on the part of the controller, to express your point of view and to contest the decision.

15. Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of your personal data infringes the GDPR. The supervisory authority with which the complaint has been lodged will inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78 of the GDPR.