The purpose of this privacy policy is to provide you with information concerning the processing of personal data when using our website and related services. This privacy policy applies to all websites or services that refer to this privacy policy.

1.1.     Processing of Personal Data

Personal data (in short data) within the meaning of Art. 4 of the EU General Data Protection Regulation (GDPR) are all information relating to an identified or identifiable natural person, e.g. name, address, email address, etc.

1.2.     Controller

Responsible for the processing of personal data within the meaning of Art. 4 (7) GDPR is: Beiersdorf AG, Beiersdorfstr. 1-9, 22529 Hamburg, Germany (see our imprint).

Contact details of the data protection officer: Dataprotection[at]Beiersdorf.com[MM/H1]  or under the postal address of the controller for the attention of the “data protection officer”.

Specific data processing activities might occur under the responsibility of other controllers. It is indicated in the respective description of those activities below, where this is the case. 

1.3.     Rights of the Data Subject

As data subject affected by the data processing activity, you have the following rights with regard to your personal data in accordance with the legal provisions:

·        Right of access;

·        Right to rectification and to erasure;

·        Right to restriction of processing;

·        Right to data portability; and

·        Right to object.

Furthermore, you have the right to lodge a complaint with a supervisory authority concerning the processing of your personal data.

When we work on your above-mentioned right, we may ask you for proof of your identity. For more information on how we process your data, see 3.1[Link].

1.4.     Recipients (general information)

Additionally to the recipients that are listed within the recipients paragraph of each section below, we transfer the collected data to the relevant internal departments for processing and to other affiliated companies within the Beiersdorf Group or to external service providers, contract processors in accordance with the purposes required. We also forward the data to the following recipients:

-Platform/hosting providers will have access to personal data from a third country (countries outside the European Economic Area). As an appropriate safeguard standard contractual clauses pursuant to Art. 46 GDPR were concluded. For third countries/companies which fall under an adequacy decision, the adequacy decision also applies. For more information (such as a copy of the guarantees), you can contact us as mentioned under 1.2.

-Analytical service providers will have access to personal data from a third country (countries outside the European Economic Area). As an appropriate safeguard standard contractual clauses pursuant to Art. 46 GDPR were concluded. For third countries/companies which fall under an adequacy decision, the adequacy decision also applies. For more information (such as a copy of the guarantees), you can contact us as mentioned under 1.2.

-IT support service providers will have access to personal data from a third country (countries outside the European Economic Area). As an appropriate safeguard standard contractual clauses pursuant to Art. 46 GDPR were concluded. For third countries/companies which fall under an adequacy decision, the adequacy decision also applies. For more information (such as a copy of the guarantees), you can contact us as mentioned under 1.2.

-Authorities: In the event of a legal obligation, we reserve the right to disclose information about you if we are required to surrender it to competent authorities or law enforcement bodies acc. to: Art. 6 (1) c GDPR (legal obligation).

Further information can be found within the recipients paragraph of each section.

When visiting and using our website we already collect personal data. You can find within this section more information about website specific processes and tools especially from external partners. Further information about processes which can also occur in an offline context can be found in section 3.

2.1      Hosting

Purpose/Information:
When visiting and using our website for information purposes only, i.e. if you do not register or otherwise provide us with information, we only collect the personal data that your browser transmits to our server, which are technically necessary for us to display our website to you and to guarantee stability and security.

Used Cookies/Tools: Type A. More information can be found in the “Cookies/Tools” section [Link to cookie section 2.5].

Recipients:
-Platform/hosting providers will have access to personal data from a third country (countries outside the European Economic Area). As an appropriate safeguard standard contractual clauses pursuant to Art. 46 GDPR were concluded. For third countries/companies which fall under an adequacy decision, the adequacy decision also applies. For more information (such as a copy of the guarantees), you can contact us as mentioned under 1.2.

-Service Provider for IT-Support will have access to personal data from a third country (countries outside the European Economic Area). As an appropriate safeguard standard contractual clauses pursuant to Art. 46 GDPR were concluded. For third countries/companies which fall under an adequacy decision, the adequacy decision also applies. For more information (such as a copy of the guarantees), you can contact us as mentioned under 1.2.

Further recipients can be found in the general recipients section 1.4. [Link to section 1.4]

Deletion:
The deletion of the log files takes place after 7 days.

Legal basis:
Art. 6 (1) f GDPR (legitimate interest)

2.2      Login / Account

Purpose/Information: 
This website might provide you with a login profile and an account. With this account you are able to gain access to our collaboration and innovation area in which you can provide the necessary data.

Used Cookies: Type A. More information can be found in the “Cookies/Tools” section [Link to cookie section 2.5].

Recipients: 
Platform/Hosting provider. Transfers to third countries are possible. As an appropriate safeguard standard contractual clauses pursuant to Art. 46 GDPR were concluded. For third countries/companies which fall under an adequacy decision, the adequacy decision also applies. For more information (such as a copy of the guarantees), you can contact us as mentioned under 1.2.

Further recipients can be found in the general recipients section 1.4. [Link to section 1.4]

Deletion / Withdrawal:  
An automatic deletion your account takes place after 24 months of inactivity, unless you manually delete it earlier.

Legal basis: 
Art. 6 (1) a GDPR (consent) 

2.3      Cookies/Tools

This website uses cookies or other technologies/tools like pixels, local storage, tags, IDs or external services (hereinafter referred to as “Cookies/Tools”) and are used on when visiting and using our website. Cookies are small text files that are stored by your browser on your device to save certain information or image files, such as pixels. The next time you visit our website on the same device, the information saved in the cookies will subsequently be accessed on your device and transmitted either to our website (“First Party Cookie”) or to another website to which the cookie belongs (“Third Party Cookie”).

Through the information saved and returned, the respective website can recognise that you have already accessed and visited it with the browser you use on that device. We use this information to be able to design and display the website in an optimum way in line with your preferences. In that respect, only the cookie itself is identified on your device. Beyond this extent, your personal data will only be saved upon your express consent or if it is strictly necessary to be able to use the service offered to and accessed by you accordingly.

This website uses the following types of cookies/tools, the scope and functionality of which are explained below:

·       Type A: Technical/Audience Measurement – to ensure that the demanded service can be provided including basic analysis. (No consent necessary acc. to ePrivacy Directive 2002/58 EC).

·       Type B: Functional and Performance – Additional tools to measure the performance/attractiveness of our website and to provide further additional (personalised) functionalities.

·       Type C: Marketing – Cross websites tools for marketing profiling based on user behaviour.

You can find more information on in the description of the tools implemented on our websites in this privacy policy. In case this website is using a consent management platform you can additionally find further information in there.

In addition to the online use of our website, we offer various other services, for which we process your personal data also in an offline context.

3.1      Contacting/Communication/Collaboration

Purpose/Information:  
When communicating and/or collaboration with us, e.g. by email or via contact form on our website or a data exchange platform, the data you provide (your email address, if applicable your name and your telephone number, or personal data submitted during the conversation) will be stored and processed by us in order to e.g. answer your questions, requests or for the purpose of business related correspondence.

We may ask you when you contact us by telephone whether the telephone call may be recorded for quality assurance and training measures. If you agree to the recording, we will process all information that you share with us during the call (communication content, possibly also sensitive (health) data, as well as your phone number and other personal data).

When processing data arising in the course of communication, we have a legitimate interest in processing the data in accordance with legal requirements, for internal verification or in accordance with the respective communication request.

The provision of your personal data is required for the performance of the contract or a situation similar to a contract. You are not obliged to provide your personal data. If your personal data is not provided, you cannot use the described service.

Business partner only:
With regard to the cooperation with our suppliers, we have implemented an internal evaluation process which, in our legitimate interest, is intended to improve the business relationship by developing an "action plan". As a rule, we only process information about the company, but conclusions can be drawn about you as the contact person, if the communication with suppliers is examined with regard to response times, reliability and transparency.

Specific processing purposes are listed in the “Recipients and sources” section below based on the third parties used in the process.

Recipients and sources:
 We transfer the data to the following recipients:

-        Customer/Consumer service providers

-        Platform/hosting provider

Transfers to third countries are possible. As an appropriate safeguard standard contractual clauses pursuant to Art. 46 GDPR were concluded. For third countries/companies which fall under an adequacy decision, the adequacy decision also applies. Additionally binding corporate rules were approved at a platform/hosting provider. For more information (such as a copy of the guarantees), you can contact us as mentioned under 1.2.

Further recipients can be found in the general recipients section 1.4. [Link to section 1.4]

Business partner only:
In order to combat terrorism, we are obliged by law to carry out a comparison with sanctions lists. Therefore, we also process your data to meet legal requirements for comparison with these lists. Furthermore, we process your data in the Beiersdorf Group for the prevention and investigation of criminal offences and other misconduct, the assessment and control of risks, for internal communication and for corresponding administrative purposes. If an affiliated company reports a need to work with you as a supplier, we will share our experiences from working with you with the affiliated company.

We will compare your data against published lists of misleading suppliers (e.g. warning lists of World Intellectual Property Organization and Bundesanzeiger Verlag GmbH) to make an informed decision about potential payments. We also regularly check your creditworthiness in certain cases (e.g. when concluding contracts). Our legitimate interest is the minimization of the financial risk. We cooperate with credit agencies (e.g. Dun & Bradstreet Deutschland GmbH (“D&B”), Germany) from which we receive the necessary data.[MM/H2]  For this purpose, we transmit your name and contact details or the D&B D-U-N-S® number assigned to your company to the credit agencies. In our legitimate interest in faster data entry, D&B provides us with addresses of our business partners. EcoVadis SAS, France provides us with a sustainability risk assessment to meet legal requirements and in our legitimate interest. Depending on the result, a longer sustainability assessment may result.

In addition, as part of our anti-corruption review, we check the ranking of the country of domicile in the Corruption Perceptions Index of Transparency International e.V., Alt-Moabit 96, 10559 Berlin, Germany. Depending on the result, there may be a longer anti-corruption check, in which we may process your data in order to check whether a cooperation could be associated with corruption risks for us in our legitimate interest in minimizing risk.

It may be necessary to transfer your personal data to prospective buyers as part of a company transaction. In the course of due diligence, usually anonymised data is processed. However, it may be necessary in specific individual cases to process personal data. Our legitimate interest lies in the execution of the company transaction.

Deletion /Objection:
We delete the data arising in this context once storage is no longer necessary, unless statutory retention obligations exist or periods of limitation must be observed.

In case of consumer inquiries through our internal consumer management tool the personal data will be usually deleted after one year, if no other legal retention periods apply. As an exception, the data will be kept longer if the data is necessary for the establishment, exercise or defence of legal claims.

Call recordings are stored for a maximum of 90 days.

You can object to these processes according to the requirements under 4 [LINK to 4].

Legal basis:
Art. 6 (1) a GDPR in conjunction with Art. 9 (2) a GDPR (consent: telephone recording)

Art. 6 (1) b GDPR in conjunction with Art. 9 (2) f GDPR (when processing in the context of a contract or a situation similar to a contract)

Art. 6 (1) c GDPR (when processing is necessary for compliance with a legal obligation)

Art. 6 (1) f GDPR in conjunction with Art. 9 (2) f GDPR (when processing according to the legitimate interest described above)

If you have given your consent (Art. 6 (1) a GDPR) to the processing of your data, you can withdraw your consent at any time. Such a withdrawal influences the permissibility of processing your personal data after you have given it to us.

If we base the processing of your personal data on the weighing of interests (Art. 6 (1) f GDPR), you may object to the processing. This is the case if processing is not necessary in particular to fulfil a contract with you, which is described by us in the description of the functions / services. When exercising such objection, we ask you to explain the reasons why we should not process your personal data as we have done. In the event of your justified objection, we will examine the situation and either stop or adjust data processing or point out to you our compelling reasons worthy of protection, on the basis of which we will continue processing.

Of course, you can object to the processing of your personal data for purposes of advertising and data analysis at any time. You can inform us about your objection under the above-mentioned contact details for the controller.