Data protection

1. Contact person

The controller responsible within the meaning of the General Data Protection Regulation (DSGVO) is:

Company: MPH Health Care AG
Address: Grünauer Strasse 5
12557 Berlin

Phone: +49 (0) 30 863 21 45 - 60

e-mail: info[at]mph-ag.de

2. Your rights in general

Here we summarise the general rights you are entitled to under the DSGVO with regard to your personal data processed by us. For an explanation of the legal terms, please refer to the applicable definitions in the DSGVO (see Article 4 there). Should anything remain unclear, please do not hesitate to ask us.

  • You can revoke any consent you have given us to process or forward your data at any time in the future (Article 7 paragraph 3 DSGVO).
  • If the legal basis for processing your data is a legitimate interest under Article 6 paragraph 1 letter f DSGVO, you may lodge an objection to data processing under Article 21 DSGVO. If the data processing in question is direct marketing, you do not have to justify your objection in any way; in all other cases you would have to explain the reasons for your objection based on your particular situation.
  • If we have stored incorrect information about your person, you can request us to correct your data (Article 16 DSGVO).
  • You can demand information from us about which of your data we process (Article 15 DSGVO, § 34 BDSG).
  • You can request us to delete your data or to restrict its processing, provided that your request does not conflict with any higher-ranking storage obligations (Article 17 or 18 DSGVO, § 35 BDSG).
  • You can demand that we provide you with the data that you yourself have made available to us in a machine-readable format for forwarding to third parties (Article 20 DSGVO).
  • You may complain to a supervisory authority for data protection, e.g. the Berlin Commissioner for Data Protection and Freedom of Information, about data protection issues with us.

3. Data processing by us in general

Any form of processing of personal data requires a legal basis that allows us to do so. The legal basis is determined primarily by the purpose for which the data are processed. The lawfulness within a legal basis is regularly assessed on the basis of the specific scope of the data processing and the measures we take to protect your data.

Legal bases for data processing are derived from Article 6 paragraph 1 DSGVO and for data requiring special protection, such as health data, from Article 9 paragraph 2 DSGVO. These two provisions list the preparation or fulfilment of contractual, statutory or social obligations as the most important legal basis for data processing. In addition, many data processing operations are carried out in our legitimate interest, unless the interests of the data subjects outweigh our interests in view of the specific circumstances. If one of the aforementioned types of legal basis is relevant, the processing does not require any further consent from you.

In addition, data may be processed on the basis of your consent (Article 7 DSGVO) or, where persons under 16 years of age use information society services (e.g. websites, online games, social media platforms), on the basis of the consent of the child or young person in conjunction with the consent of a parent or guardian (Article 8 DSGVO).

In some cases, our obligation to ask you for your consent does not, or not solely, arise from the DSGVO but from the stricter law under the EU ePrivacy Directive of 2002 (often called the "Cookie Directive"). The provisions of this directive apply in Germany via the Telemediengesetz (TMG) and the Gesetz gegen den unlauteren Wettbewerb (UWG). We have taken into account the obligations arising from these laws without making express reference to them in the following.

If data is transferred to a state outside the European Economic Area (EEA), we ensure that data protection is guaranteed in accordance with Articles 44 - 49 DSGVO.

4. Our group of companies

We offer our services as a holding company in conjunction with other companies in our group and various service providers. In principle, each of these Group units is solely responsible for the data it processes.

In the case of various data processing operations, a Group unit acts as a processor under Article 28 DSGVO for others in a manner that complies with data protection regulations.

In some constellations, several participants, each with their own interests, also access jointly used data. Such data sharing takes place on the basis of a shared responsibility contract under Article 26 DSGVO. Wherever processing takes place in the form of shared responsibility, we draw your attention to this in the following description of the individual processing operations.

5. General note on cookies

Our Internet pages use so-called cookies. These are text files that are stored by your browser on your device when you call up an Internet page. Different information can be stored in a cookie. Sometimes a cookie only stores a yes or no ("true" or "false"), sometimes a string of characters is stored which enables the browser to be uniquely identified when you call up the website again (a so-called cookie ID).

The right to set cookies is measured not only according to the DSGVO, but also according to the EU ePrivacy Directive and § 15 TMG. The ePrivacy Directive distinguishes between (essential) cookies that are absolutely necessary for the operation of the online offer and those that are not. Essential cookies may also be set without consent, but non-essential cookies always require consent, even if this is not required under the DSGVO (and e.g. a legitimate interest exists as a legal basis).

Due to the strict requirements of the ePrivacy Directive, we ask you for your consent to the use of non-essential cookies when you access our website.

The purpose of each cookie as well as the legal basis for its use according to the DSGVO can be found in the following description of the individual data processing.

There are various ways to prevent the acceptance of cookies on your device:

  1. The standard case should be that when you call up one of our Internet pages, you decide via our consent manager which cookies you allow and which you do not allow. Sometimes we can only offer you a blanket acceptance or rejection of all cookies or groups of cookies.
  2. In principle, you can set your browser so that it never accepts cookies. By such a complete exclusion you will lose functions that are based on cookies or that do not require your consent.
  3. You can view Internet pages in the private mode of your browser. The private mode also blocks the setting of cookies in your browser memory or automatically deletes all cookies at the end of the session.
  4. Some browsers or browser plug-ins offer you the possibility of making more differentiated presettings as to which cookies you basically want to accept by default and which not.
  5. A special case: Google offers a browser plug-in which prevents the setting of the various cookies from Google. You can find the corresponding plug-in here: https://tools.google.com/dlpage/gaoptout?hl=de

Cookies used

You can find more information about the cookies used here in this overview: Cookies

6. Concrete data processing with us

6.1 Your investor relationship with us

6.1.1 Shareholders and interested parties

Description: The processing of data relates in particular to shareholders or interested parties who contact us in connection with investments in our business model or our shares, communicate with us, receive our corporate news by e-mail or attend, have attended or intend to attend shareholder events such as the Annual General Meeting or other investor events in the future.

If you have any questions regarding the content of the report, please contact the company's IR department. You can reach them by phone: 030 863 21 45 60 or e-mail: ir@mph-ag.de. Further contact details can be found under "Responsible" at the top of this page.

6.1.2 Contact the IR department of the company

Description: In order to obtain information about our company as an interested party or to be able to exercise your rights to information as a shareholder or proxy, the IR department will answer your enquiries, provided they do not conflict with the Corporate Governance Code. Such a conflict is regularly to be assumed in the case of questions about current events, provided these have not yet been communicated by the company to the capital market. Enquiries can be made by telephone, fax, e-mail, the contact form on the company's website, by letter post or by appointment during a personal meeting.

The concrete processing of personal data in an e-mail depends on the thematic content of the e-mail and the resulting storage obligations. It is conceivable that we include your data in our contact directory for customers, business partners and other contact persons. You will find further information below under e-mail communication.

The content of telephone calls is not recorded; enquiries are answered as directly as possible. If the enquiry cannot be answered with the necessary care, e.g. due to lack of time, we may ask you to send us an e-mail for a later answer. Further information can be found below under telephone calls.

Categories of data: Contact information (name, e-mail address, telephone number, address), information about your business interests with us, information about professional profiles, activity history, your IP address, time of communication and other information you provide to us in connection with your request.

Data recipient (third country transfer, if applicable): No third country transfer, unless you are in a third country or use a hosting provider based in a third country. Data recipients may also be telecommunications providers who are subject to telecommunications secrecy.

We reserve the right to have our answer to your enquiry legally checked, which may involve forwarding your enquiry including your data to a lawyer.

Purpose + legal basis: The purpose is a legitimate interest in replying to your e-mail and passing on information to answer your request. The legal basis is compliance with the requirements of the German Stock Corporation Act. The lawfulness of data processing is accordingly derived from Art. 6 para. 1 lit. c DSGVO.

Storage period: Depends on the content of the correspondence; in principle, commercial law requires that business letters be stored for six years (§ 257 HGB). In case of (also expected) legal disputes, the retention period is up to 30 years. Telephone calls are not recorded. Your telephone number remains stored in pseudonymised form in the IR telephone for a few days. Call notes are only stored with your consent, used for further processing and disposed of when the processing purpose is fulfilled. The company uses a telephone reporting server of a service company, M1 Med Beauty Berlin GmbH, where the time and duration of the telephone call as well as the transmitted telephone number can be accessed for a period of two years.

6.1.3 Registration for and participation in the Annual General Meeting

Description: The company regularly organises and holds general meetings for the holders of the company's shares and processes data that are transmitted by you or other parties required to notify in the context of voting right notifications in accordance with the German Securities Trading Act. For the handling and execution of the general meetings, we use external service providers, e.g. service providers for the organisation of the general meeting, for printing and mailing of the shareholder notifications, as well as for the execution of the general meeting (essentially the verification of attendance, technical infrastructure for the voting and documentation of the general meetings) and legal advisors. We provide the commissioned service providers only with the personal data that is necessary for the processing. They process the data exclusively in accordance with our instructions.

Shareholders and participants of the Annual General Meeting can view their data contained in the attendance register during the meeting and, if applicable, up to two years thereafter. If a shareholder requests that items be placed on the agenda, we will announce these items, stating the name of the shareholder, if the requirements under the German Stock Corporation Act are met.

Countermotions and election proposals from shareholders will also be published on the company's website in accordance with the provisions of the German Stock Corporation Act, stating the name of the shareholder, provided the requirements are met. Finally, we may be obliged to transmit your personal data to other recipients, such as when publishing voting rights notifications in accordance with the provisions of the German Securities Trading Act, or to authorities in order to comply with statutory notification requirements (e.g. to financial or law enforcement authorities).

Categories of data: Contact details of shareholders, proxies and guests (name, e-mail address, telephone number, address), information about your shares in our company, content from submitted documents, activity history.

Data recipient (possibly transfer to third countries): No transfer to third countries. Shareholders and proxies can obtain information on other shareholders and proxies present by viewing the list of participants. Another recipient is a service company commissioned by us to handle the proceedings of the Annual General Meeting, Link Market Services GmbH, Landshuter Allee 10, 80637 Munich, T. +49 (0)89 21 027-0, E. info@linkmarketservices.de. Link Market Services is bound by our instructions and has concluded an order processing contract in accordance with Art. 28 DSGVO.

Purpose + legal basis: The company uses appropriate data processing to create the conditions for compliance with shareholders' rights and for the dissemination of information. The data processing is carried out for the purpose of handling the registration and participation of shareholders in the Annual General Meeting (e.g. checking eligibility to attend, compiling the list of participants) and enabling shareholders to exercise their rights within the framework of the Annual General Meeting (including the granting and revocation of proxies). The legal basis for the processing of your personal data is formed by extensive passages from the German Stock Corporation Act (AktG) in conjunction with Art. 6 (1) (c) DSGVO. A further legitimate interest exists if we wish to prevent or detect illegal activities, fraud or similar threats in order to protect ourselves from harm.

Duration of storage: Depending on the data processing, the storage obligations under stock corporation, commercial and tax law apply. In principle, commercial law requires business letters to be stored for six years (§ 257 HGB). In the case of (also expected) legal disputes, the retention period is up to 30 years.

6.1.4 Your participation in information events for investors

Description: The company regularly takes part in investor events. At these events, information about the company is communicated and, if interested, contact details are exchanged on a voluntary basis, e.g. for the forwarding of further information. This data can be stored in a CRM system for further processing.

Categories of data: Contact details (name, e-mail address, telephone number, address), information about your business interests with us, data on professional profiles, activity history.

Data recipient (possibly transfer to third countries): No transfer to third countries. On request, registration in the company newsletter, for further information see there.

Purpose + legal basis: The purpose is the legitimate interest of the company in networking processes and investments by investors. The legal basis is Art. 6 para. 1 lit. b DSGVO.

Duration of storage: Depending on the data processing, the storage obligations under stock corporation, commercial and tax law apply.

6.1.5 Customer database (CRM)

Description: We maintain your data in our customer database for the purposes of Customer Relationship Management (CRM). In the CRM we store your contract and invoice data as well as the history of your customer relationship with us. From the CRM we control the communication with you, e.g. making appointments, marketing approvals, sending invoices or answering questions from you.

Categories of data: Contact information (name, e-mail address, telephone number, address), information about your business interests with us, activity history.

Data recipient (possibly transfer to third countries): No transfer to third countries. On request, registration in the company newsletter, for further information see there.

Purpose + legal basis: Use of a CRM system that enables us to provide our customers with comprehensive support from the initial contact to invoicing. Legal basis is a legitimate interest, as the use of CRM increases the service level and reduces costs.

Storage period: We store your customer account for up to six years after the last customer contact has been completed. In this respect we fulfil the storage obligation for business letters under commercial law.

6.2 Direct communication with us

6.2.1 E-mail communication

Description: If you send us an e-mail, it will arrive in at least one of our e-mail boxes. The content of your e-mail and the metadata accompanying it (sender, time of dispatch, etc.) are stored on the e-mail server belonging to our service company, M1 Med Beauty Berlin GmbH, which is protected and secured according to the latest state of the art. In addition, after retrieval from the server, they may be stored in the e-mail programs on the devices that have access to the mailbox (computers, smartphones, tablets). The same applies to e-mails that we send to you.

The concrete processing of personal data in an e-mail depends on the thematic content of the e-mail. It is obvious that we include your data in our contact directory for customers, business partners and other contact persons.

By default, e-mails are sent with transport encryption; we do not offer completely unencrypted dispatch. Transport encryption means that the communication is almost completely encrypted, but the e-mails are stored unencrypted on the servers of your mailbox provider.

As we use M1 Med Beauty Berlin GmbH's own e-mail server, the encryption on our side corresponds to an end-to-end encryption. On your side, access to your e-mail content depends on which provider you store your e-mails with and which third parties may access them. Which state institutions are allowed to access your e-mails depends on the country in which your provider is located.

If you want end-to-end encryption, this also excludes access by the provider. Only the sender and recipient can read the contents of the e-mails.

Categories of data: Name, e-mail address; time of delivery or dispatch; other metadata that typically occur in e-mail communication; other personal data in the content of the e-mail such as further contact data in e-mail signatures, enquiries, orders, offers or complaints by e-mail.

Data recipient (possibly transfer to a third country): Our e-mail hosting service provider, who is obliged to protect your data by means of a contract processing agreement, is based in an EEA country. In this respect, no data transfer to countries outside the EEA takes place. If you use a hosting service provider outside the EEA for your mailbox or retrieve our e-mails from outside the EEA, this is not our responsibility.

Purpose + legal basis: Communication by e-mail. Depending on the content of the correspondence, the legal basis is preparation or fulfilment of a contract or a legitimate interest in answering your e-mail.

Storage period: Depends on the content of the correspondence; for example, commercial law requires business letters to be stored for six years, but longer storage periods may also result from other documentation obligations.

6.2.2 Phone calls

Description: When we call each other, our telephone system or our mobile phones record your number and the time of the call. These data in the call lists are continuously deleted by subsequent calls.

If the content of the conversation warrants it, we create a call note and document it in the appropriate place (e.g. in the customer database or for applicants and employees in the personnel department). It is conceivable that we include your data in our contact directory for further communication.

Sound recordings of conversations are only made in exceptional cases and after we have obtained your express consent.

Categories of data: Telephone number; time of the call; content of the call, if applicable.

Data recipient (possibly transfer to third countries): Telecommunications providers who are subject to telecommunications secrecy. There is no transfer to third countries.

Purpose + legal basis: communication by telephone. Depending on the content of the conversation, the legal basis is preparation or fulfilment of a contract or a legitimate interest in the exchange with you.

Duration of storage: Depends on the content of the call. Individual conversation notes may be subject to the commercial law retention obligation for business letters of six years.

6.2.3 Letter post

Description: If you send us a letter, we will regularly reply to it with a letter that we create on the computer and save as a file. We often scan your letter to archive it as part of a digital office workflow. The specific processing of personal data in our correspondence depends on the thematic content of the letters and the resulting storage obligations. It is conceivable that we include your data in our contact directory for further communication.

Categories of data: Name + address; personal information in the content of the letters, such as further contact data on your letterhead, enquiries, or other topics.

Data recipient (possibly transfer to third countries): postal service provider. A transfer to third countries only takes place if the item is sent to an address outside the European Economic Area. In these cases data protection is guaranteed by international agreements on postal secrecy.

Purpose + legal basis: Communication by letter. Depending on the content of the correspondence, the legal basis is preparation or fulfilment of a contract or a legitimate interest in exchanging information with you.

Storage period: Depends on the content of the correspondence; in principle, commercial law requires that business letters be stored for six years.

6.2.4 Fax (classic)

Description: We use a classic fax machine in the form of a telecopier. If you send us a fax, the document is provided by our receiving machine as a printout. The machine records the sender's details transmitted by you and documents them, together with the time of receipt, both on the printout and in the machine's journal. If we send you a fax, the journal records the recipient number, transmission time, page number and transmission success.

The security of the transmission corresponds to the security of modern telephone networks, which also transmit fax data as so-called voice/fax over IP. Within the network of a single network provider (e.g. Deutsche Telekom), the data is encrypted, while unencrypted transmission takes place at the network transfer points.

Categories of data: Telephone number, sender's name (if applicable), time of dispatch or receipt, number of pages, transmission success; personal contents of the document sent (if applicable).

Data recipient (possibly transfer to third countries): Telecommunications providers who are subject to telecommunications secrecy. A transfer to third countries does not take place or falls under international laws on telecommunications secrecy.

Purpose + legal basis: communication by fax. Depending on the content of the conversation, the legal basis is preparation or fulfilment of a contract or a legitimate interest in the exchange with you.

Storage period: Depends on the content of the document sent; in principle, commercial law requires business letters to be stored for six years.

6.2.5 Business cards

Description: If you give us your business card, we will transfer your data to our contact directory.

Categories of data: Name, contact details (address, telephone, fax, e-mail), your company, your company's field of business, your job title, your area of responsibility, place, time and circumstance of contact as well as any special information about your availability or the business issues addressed.

Data recipient (possibly transfer to third countries): We use the e-mail server of our service company, M1 Med Beauty Berlin GmbH, where contacts are also stored. A transfer to third countries does not take place.

Purpose + legal basis: to maintain contacts. Legal basis is a legitimate interest, since you have voluntarily handed over your business card to us.

Storage period: We store your data until you request us to delete them - unless a business relationship has been established between us in the meantime, which results in independent storage obligations for us regarding your contact data.

6.3 Visiting our Internet pages

6.3.1 Provision of our Internet pages

Description: In order for a web server to make our website available to your browser, the server must collect technical data about your device used for this purpose, your browser and your Internet access. This is called a log file or weblog. This is the same data that you necessarily leave behind with every Internet page that you call up. The central point is the IP address from which you access our pages. The web server sends the data you want to see to this Internet address.

We use WordPress as our editorial system, which places a so-called session cookie in your browser for the technical delivery of the pages (PHPSESSID; storage period: end of the current visit to our pages).

Categories of data: IP address from which our website was accessed; date and time of access; objects on our website accessed in the browser; type and version of the Internet browser; type and version of the operating system.

Data recipient (possibly transfer to third countries): Our hosting service provider, who is bound to data protection by a contract processing agreement, has its headquarters and server locations in Germany. In the event of attacks on our pages, data is passed on to forensic experts and investigating authorities commissioned by us.

Purpose + legal basis: Provision of our website as well as investigations, should there be illegal access to our website (e.g. a hacker attack). Legal basis is a legitimate interest, as the operation of a website is not possible without the recording of the weblog. In the specific case of an attack on our website, we have a legitimate interest in being able to provide the investigators with indications as to how the attack took place. The session cookie is an essential cookie which does not require consent even under the ePrivacy Directive.

Storage duration: 7 days

6.3.2 Cookie management (Borlabs)

Description: For all cookies requiring your consent, we ask for your consent before storing them in your browser cache. The decisions you make will in turn be stored in a cookie on your device, so that we do not need to ask for your consent again when you visit our website again. You can revise your decision at any time by deleting the corresponding cookie (borlabs cookie, storage period 1 year) from your device via the settings of your browser.

Categories of data: Consent status (yes/no per cookie for which we need your consent).

Data recipient (possibly transfer to third countries): None

Purpose + legal basis: legally compliant consent management for cookies. Legal basis is a legitimate interest, as saving the cookie decision only slightly restricts the rights of visitors and at the same time simplifies the use of the pages for repeated visits. According to the ePrivacy Directive, this cookie may also be set without your consent, as the choice of language is considered an essential function.

Storage duration: until the corresponding cookie is deleted from your browser cache or until the cookie's expiry date is reached

6.3.3 Cookie management

Description: For all cookies requiring your consent, we ask for your consent before storing them in your browser cache. The decisions you make will in turn be stored in a cookie on your device, so that we do not need to ask for your consent again when you visit our website again. You can revise your decision at any time by deleting the relevant cookie from your device via the settings of your browser.

Categories of data: Consent status (yes/no).

Data recipient (possibly transfer to third countries): None

Purpose + legal basis: legally compliant consent management for cookies. Legal basis is a legitimate interest, as saving the cookie decision only slightly restricts the rights of visitors and at the same time simplifies the use of the pages for repeated visits. According to the ePrivacy Directive, this cookie may also be set without your consent, as the choice of language is considered an essential function.

Storage duration: until the corresponding cookie is deleted from your browser cache or until the cookie's expiry date is reached

6.3.4 Language setting (Polylang)

Description: We offer our website in several languages. We use the Polylang WordPress service, which uses the settings of your device to identify your preferred language choice and enables us to provide our website in the language that suits you best. In order to avoid having to go through the analysis of the language choice again when you call up each page, Polylang sets an appropriate cookie (pll_language, storage period 1 year).

Categories of data: Language selection stored in the device.

Data recipient (possibly transfer to third countries): None

Purpose + legal basis: To make the website available in your preferred language. Legal basis is a legitimate interest, as we can assume that you want to see the pages in the language you prefer. According to the ePrivacy Directive, this cookie may also be set without your consent, as language selection is considered an essential function.

Storage duration: until the corresponding cookie is deleted from your browser cache or until the cookie's expiry date is reached

6.3.5 Contact form

Description: Our website has a contact form. You can use it to send us messages, e.g. if you do not have your own e-mail address or do not want to use it for sending us messages. Your voluntary entries are technically sent to us as an e-mail (even if you have not entered an e-mail address as sender).

As soon as you send your message, the data processing corresponds to sending an e-mail to our central contact address. While you are on the website and enter your details in the form, the data processing is equivalent to accessing any of our websites.

Categories of data: See the processing operations "Provision of a website" and "E-mail communication".

Data recipient (possibly transfer to third countries): See the processing operations "Provision of a website" and "E-mail communication".

Purpose + legal basis: Provision of a contact form as an additional way of contacting us. Depending on the content of your contact, the legal basis is the preparation or fulfilment of a contract or a legitimate interest.

Storage period: See the processing operations "Provision of a web page" and "E-mail communication".

6.3.6 Online Fonts (Google Fonts)

Description: To enable an individual design of our internet pages, we use so-called web fonts. Your browser loads these fonts from the Internet to display our pages if the fonts have not yet been loaded in your browser's memory from a previous visit to a page with this font.

The fonts are available directly on our own server. In this respect, this is not an independent processing which goes beyond the processing "Provision of our Internet pages".

categories of data: IP address from which your device accesses the Internet, time of processing.

Data recipient (possibly transfer to third countries): None

Purpose + Legal basis: Provision of Google Fonts. Legal basis is a legitimate interest, since in the context of this processing only the IP address of your device is transmitted without further references to your use of the Internet.

Storage period: Data deletion by us is neither necessary nor possible, as we do not collect any data from you through the use of Google Fonts.

6.3.7 Analysis of user behaviour (Google Analytics)

Description: We use the web analysis service Google Analytics. On our behalf, Google creates statistical reports on the activities on our website, the regional origin of the visitors and technical parameters of the devices with which our pages are visited.

We use analytics with the extension "anonymizeIP" so that the IP addresses are only processed in a shortened form in order to exclude a direct personal reference. Through IP anonymisation, the end of your IP address is replaced by zeros by Google within the European Union before the data is transferred to the USA. Only in exceptional cases will the complete IP address be transferred to a Google server in the USA and shortened there.

We do not link the data that we collect via Google Analytics with personal data that we collect by other means. Google is also prohibited from using the data for its own purposes or combining it with data collected elsewhere. Google only provides us with the data in an anonymised and statistical form, so that we ourselves do not have our own access to data features that could enable the identification of individual persons.

Google Analytics uses cookies to bundle the usage data from your browser. This gives us the opportunity to determine the quota of returning visitors or to trace usage paths within our Internet pages.

The analytics cookies are named _ga (to recognise returning visitors), _gid (to be able to form statistical groups) and _gat (to reduce data comparison with advanced Google functions).

Comprehensive information on the use of the data collected by Google can be found in Google's privacy policy (https://policies.google.com/privacy) and in Google's information on cookies (https://policies.google.com/technologies/cookies).

categories of data: IP address from which the device goes online; location or country linked to the IP address as well as Internet service provider for Internet access; date and time of access; objects on our website that are called up (clicked on) in the browser; type and version of the Internet browser; type and version of the operating system; websites from which the user has reached our website; websites that the user calls up from our website; Google ID-code stored in the cookie; data from the user's browser.

Data recipient (possibly transfer to third countries): Google LLC, for us as a European organisation contactable via Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland. Google is obliged to observe data protection in relation to us by means of a contract for order processing in accordance with Article 28 DSGVO. The information collected by the cookies is transferred to Google's servers in the USA and stored there. Where personal data is transferred to the USA despite the restrictions imposed, such as the anonymisation of IP addresses, Google has committed itself to comply with the applicable data protection laws in order to guarantee that data is handled at EU data protection level: https://privacy.google.com/intl/de/businesses/compliance/#!?modal_active=none

Purpose + legal basis: The purpose of this usage analysis is to enable us to further improve our Internet offering based on the findings of the analysis.

The legal basis is a legitimate interest, which arises from the fact that the personal reference of the collected data is greatly reduced, e.g. by anonymising IP addresses, that the data is not combined by us with other data collections and that visitors to our website have various options available to them to prevent the collection by Google Analytics cookies. Irrespective of this, in view of the requirements of the ePrivacy Directive, we ask for your consent to the use of Google cookies via our cookie manager.

Storage period: 14 months (Justification: This storage period enables us to export annual reports).

6.3.8 Use of a Content Delivery Network (Cloudflare)

Description: Some of our Internet pages are made available via a so-called Content Delivery Network (CDN) as a particularly resilient form of Internet hosting. We use Cloudflare as our CDN. Cloudflare's specialised technology allows Internet pages to be delivered quickly worldwide, even under heavy traffic. In addition, Cloudflare offers special security functions that make Internet hosting particularly stable against attacks.

To make full use of its security functions, Cloudflare works with cookies. These cookies are regarded as essential cookies, as their function serves only the reliable provision of the Internet pages. The names of the Cloudflare cookies are _cfduid and _cfruid.

categories of data: IP address from which the device goes online; date and time of access; objects on our website that are called up in the browser; type and version of the Internet browser; type and version of the operating system; websites from which the user has accessed our website; websites that the user calls up from our website

Data recipient (possibly transfer to third countries): Cloudflare Inc., 101 Townsend Street, San Francisco, California 94107, USA. Cloudflare is obliged to observe data protection in relation to us by means of a contract for order processing in accordance with Article 28 DSGVO. As far as data is transferred to Cloudflare's servers in the USA, Cloudflare has concluded standard data protection clauses with us and thus guarantees that the data is handled at EU data protection level.

Purpose + legal basis: The purpose of the data transfer to Cloudflare is to be able to provide our internet pages securely and quickly. Legal basis is a legitimate interest, as Cloudflare uses the data solely to increase and secure the performance of our internet hosting. In this respect, the Cloudflare cookies are also essential cookies, the use of which does not require consent according to § 15 TMG.

Storage duration: The storage duration is the responsibility of Cloudflare. A data deletion by us is not necessary, as we ourselves do not collect any data from you by using the Cloudflare cookies.

6.4 IR Communication

6.4.1 Registration to receive company news

Description: You can subscribe to our e-mail newsletter to receive our corporate news and ad hoc announcements at the same time as the capital market. All you need to do is enter your e-mail address. Further details such as your name are voluntary and enable us to personalise the sending of e-mails with a direct form of address.

We use the DGAP news distribution list, https://www.dgap.de/, which is customary in the stock market. If you register directly with DGAP, this company is responsible for processing your data.

If you instruct us directly to enter your name in the distribution list, we require a written communication as proof of legality, preferably by e-mail.

If you register online for the newsletter, you will receive a one-time e-mail from us at the e-mail address you have provided, in which we ask you to confirm your registration. In this way we want to prevent you from being registered for our newsletter by someone who does not or should not have access to this address. This two-stage procedure is called double opt-in (double consent).

By registering for our newsletter, you consent to us sending you e-mails on the topics described on the registration page, both in terms of data protection and competition law.

The registration process is controlled via a so-called iframe. This means that we display content from our newsletter provider on our company website. The process includes a confirmation via a reCAPTCHA, which is the responsibility of the newsletter provider.

You can revoke your registration and thus your consent for the future at any time. You can do this by clicking on the corresponding link at the end of each newsletter we send out.

We record the use of our newsletter via so-called counting pixels and campaign URLs for the internet links in the newsletter. The counting pixel calls up the DGAP newsletter server when you open the e-mail. The call of the internet links in the newsletter is recorded via the campaign assignment in the web analysis.

categories of data: E-mail address, documentation of the e-mail verification (double opt-in), time of your registration, usage data (opening the e-mail + clicking on internet links), other voluntary information such as your name (to be able to address you personally), your company/institution, function and other contact details;

Data recipient (possibly transfer to a third country): No transfer to a third country, unless you are in a third country or use an Internet service provider based in a third country. Our service provider in Germany for newsletter dispatch, who is obliged to data protection by a contract processing agreement: EQS-Group AG, Karlstraße 47, 80333 Munich, the owner of the portal dgap.de, phone number +49 (0) 89 21 02 98-0, e-mail: contact@eqs.com.

Purpose + legal basis: Provision of an e-mail newsletter to inform capital market participants and to optimise our newsletter content. Legal basis is your consent.

Storage period: After revoking your consent by clicking on the "Unsubscribe" link in the newsletter or contacting the company, your registration data will be deleted immediately.

6.4.2 Dispatch of catalogues and other information documents

Description: We send information about the services of our company, in particular interim and annual reports to various groups of recipients. You send us the address data for this purpose directly. With the exception of the use of e-mail or fax transmission, this data is not stored. We do not offer a repeated sending.

Recipients include individuals and companies (natural and legal persons) who have requested to receive such information.

categories of data: Name + address, consent, organisation + function/position, business area

Data recipient (possibly transfer to third countries): None. A transfer to third countries only takes place if the shipment is sent to an address outside the European Economic Area. In these cases data protection is guaranteed by international agreements on postal secrecy.

Purpose + legal basis: Information about our company. The legal basis is a legitimate interest, as company information by mail is generally permitted under the relevant competition law provisions. The legal basis is a request for documents available to us.

Duration of storage: The address data will not be stored separately for the sending of advertising material, with the exception of the request via e-mail or fax transmission (see there for the duration of storage).

6.5 Suppliers and service providers

6.5.1 Business relationship

Description: As a customer, we process personal data from our suppliers and service providers who are self-employed or partnerships, or our contacts in such organisations, in order to be able to communicate with you about the processing of the order.

In addition to communication in terms of content, your data is typically processed in the separately described processing operations for "communication with us" (see there).

categories of data: Contact, contract and invoice data

Data recipients (possibly transfer to third countries): tax consultants, auditors, lawyers in their function as persons bound by professional secrecy.

Purpose + legal basis: Proper management. The legal basis is the fulfilment of the contract as well as legal obligations and legitimate interests.

Duration of storage: Invoice data must be stored for 10 years in accordance with tax law; contract data must be stored for different periods depending on the type of contract. In the case of copyright, such periods extend up to 70 years after the death of the author.

6.5.2 Mention in publications

Description: In our publications we name authors by name in accordance with the right of the authors to be named. The naming also extends to the accompanying marketing and public relations work. If authors represent an institution relevant to the publication, their affiliation to this institution is also stated. In some publications, professional contact details of the authors are also published as a service to readers.

categories of data: Name, academic title; partly institution and professional contact details

Data recipient (possibly transfer to third countries): none

Purpose + legal basis: to identify authorship. Legal basis for the name is fulfilment of the author contract. For the contact details, the legal basis is a legitimate interest, as only professional contact details of relevant contact persons are published here.

Storage period: After delivery of printed publications, subsequent deletion by us is not possible.

6.6 Staffing

6.6.1 Applications

Description: If you apply for a job with us, we will process your application documents until the application procedure is completed, solely for the purpose of deciding on your employment. We restrict access to your documents to those persons whom we can reasonably include in the decision on your recruitment. If you are hired, your application documents will be transferred to your personnel file. If you are not hired, we will either ask you for your consent to be included in our pool of candidates or send your documents back or destroy them as soon as you can no longer expect to appeal against our decision under anti-discrimination law.

categories of data: Name + contact details (e-mail, telephone, address), photo, profile URL in professional networks (e.g. Xing); details in the letter of application, CV, certificates and references, training certificates and professional qualifications, notes on job interviews (by telephone and in person), results of recruitment tests if applicable

Data recipient (possibly transfer to third countries): None

Purpose + legal basis: basis for decisions on filling posts. The legal basis is preparation for the fulfilment of a contract (employment contract) and subsequently a legitimate interest in defending against negative decisions.

Storage period: 6 months after completion of the original application procedure

6.6.2 Candidate pool

Description: If we are currently unable to offer you a suitable position, but would like to consider you again in the selection process for future vacancies, we ask for your permission to keep your application documents beyond the end of the current application process. If we are unable to get back to you for more than two years, we will ask for your consent again for further storage or return or delete your documents.

categories of data: Name + contact details (e-mail, telephone, address), photo, profile URL in professional networks (e.g. Xing); details in the letter of application, CV, certificates and references, training certificates and professional qualifications, notes on job interviews (by telephone and in person), results of recruitment tests if applicable

Data recipient (possibly transfer to third countries): None

Purpose + legal basis: basis for decisions on future appointments. Legal basis is consent.

Storage period: 2 years since last contact or last consent

6.7 General infrastructure

6.7.1 Visitor WLAN

Description: We provide visitors with access to our WLAN network and thus to the Internet. When you log on to the access point for the WLAN network, which is required for this purpose, the unique identification of your device as well as the usage times are recorded.

For all services that you access while using our network on the Internet, the IP address of our network is logged. If investigations are made into activities that originate from our IP address, we are partly obliged to make the documentation of use available in the so-called log file of our access points.

categories of data: MAC address of the machine, usage times

Recipients of data (possibly transfer to third countries): Normally no recipients; authorities responsible for investigations and possibly private holders of a right to information or forensic experts commissioned by us

Purpose + legal basis: Log files such as this one serve to enable and strengthen IT security in our company. The legal basis is a legitimate interest, as we only access the WiFi logfile when a security analysis is required. An allocation of the WiFi data to specific devices and thus their owners is only possible for us with considerable effort and regularly only with the help of police investigations.

Storage period: Our WLAN log file is regularly deleted, at least once a year.

6.7.2 Video surveillance

Description: Video cameras are installed in the access area to our business premises and within our business premises. Appropriate signs are installed and inform about the use of the cameras before you step into the field of vision of the lenses.

The cameras record the events within their field of vision around the clock (24/7).

categories of data: Video recordings

Data recipient (possibly transfer to third countries): M1 Med Beauty Berlin GmbH is commissioned as service provider for the administration of the records.

Purpose + legal basis: Video surveillance is used to prevent and prosecute attacks against the health and lives of workers and against the property of the organisation and workers. Video surveillance also serves to prevent unauthorised access to particularly security-relevant areas of our business premises or, in the case of unauthorised access, to clear up the situation. The justified interest in video surveillance results from the special danger situation or the special security requirements for our organisation.

Storage duration: Video surveillance recordings are automatically deleted by the corresponding NAS system after 72 hours.

6.7.3 IT Administration

Description: We use service providers for the administration, maintenance and care of our information technology. These service providers do not deal with the content of the personal data processed by us. However, during the maintenance of databases and other system units, the service providers may become aware of personal data. All of our service providers have been expressly committed to confidentiality through appropriate contracts and in accordance with the sensitivity of the data to which they have access.

categories of data: Any type of data

Data recipient (possibly transfer to third countries): IT service providers who are obliged to data protection by a contract processing agreement or another form of confidentiality obligation. A transfer to third countries does not take place.

Purpose + legal basis: To use competent service providers for professional IT administration. The legal basis is a legitimate interest, as the service providers have been committed to data protection through adequate confidentiality obligations.

Storage duration: Independent storage does not take place.

6.7.4 Disposal of data media and documents

Description: The deletion or destruction of data also constitutes data processing. We shred paper documents with personal data that are worthy of protection or dispose of them via the locked bins of a professional document shredder. The quality level of the shredder used and the level of document destruction agreed with the service provider corresponds to the risk or confidentiality classification of the documents to be destroyed.

Storage media (hard disks, e.g. from servers, computers, smartphones, tablets, USB sticks, memory cards) on which personal data worthy of protection was previously stored will be securely erased by our IT administration if they are no longer to be used to store this data. For this purpose they are completely overwritten several times, at least three times. The level of the deletion or destruction process corresponds to the risk or confidentiality classification of the data previously stored on the medium.

categories of data: Any type of data

Data recipient (possibly transfer to third countries): Service providers for the professional destruction of paper documents and storage media, who are obliged to comply with data protection by means of contract processing agreements. A transfer to third countries does not take place.

Purpose + legal basis: Risk-based destruction or deletion of personal data. The legal basis is the legal obligation under the DSGVO to minimise and delete data.

Storage duration: No storage beyond deletion/destruction takes place.