Privacy Policy of Obermark AG

As of December 14, 2023

 

1. SUBJECT MATTER AND SCOPE OF APPLICATION

This Privacy Policy provides information about which personal data is collected during individual processing operations and how and for what purposes this personal data is processed.

This Privacy Policy provides information about data processing when visiting the website, but also in other contexts, e.g. about the processing of data when participating in video conferences and when applying for jobs.

Your personal data will always be processed in accordance with the statutory data protection regulations and this Privacy Policy.

2. CONTROLLER

Controller is Obermark (S.à r.l.), 6 rue Gabriel Lippmann, 5365 Munsbach, Luxembourg, e-mail: info@obermark.com, Tel.: +352 20 600 20 680 (hereinafter „Obermark“).

In the case of individual processing operations, the respective Obermark company is the controller if the respective processing operation is not carried out centrally for the entire Obermark group by one controller, but if the data processing is carried out locally for the respective Obermark company. This is the case, for example, with video conferences and job applications.

3. VISITING OUR WEBSITE

3.1 Hosting and Log Files

The website is hosted by a service provider on the basis of a data processing agreement in the EU.

Each time the website is accessed, the system automatically collects data and information from the computer system of the accessing end device. The following data is recorded or logged:

  • IP address of the calling computer
  • Operating system of the calling computer
  • Browser version of the calling computer
  • Name of the retrieved file/website
  • Date and time of retrieval
  • Transferred amount of data
  • Referring URL

This data is processed in order to be able to present the website, to ensure the security, availability and integrity of the website (e.g., detection and defense against DoS attacks or access by bots), to improve the quality and presentation of the website, to be able to identify and correct errors and for statistical purposes. This data is regularly deleted after a few days.

The legal basis for this data processing is the legitimate interest of the Controller in the above-mentioned purposes.

3.2 Cookies

Cookies may be used on the website. Cookies are pieces of information that are transferred from our web server or third-party web servers to the browser of the website visitor and stored there for later retrieval. Cookies can be small files or other types of information storage. Information is stored in cookies that is generated in connection with the specific end device used. Cookies contain a characteristic string of characters that enables the browser to be uniquely identified when the website is called up again. A cookie also contains information about its origin and the storage period. However, this does not mean that the identity of the website visitor can be obtained directly from a cookie.

When you visit the website, cookies may be set that are absolutely necessary for the operation of the website. These absolutely necessary cookies may, for example, be cookies that are required to display the website with a content management system or that are used to recognize language settings.

Optional cookies that are not absolutely necessary are not set.

4. PROSPECTS, INVESTORS AND SERVICE PROVIDERS

If you contact us, e.g. by email, or via a live chat, the information you provide will be processed for the purpose of handling your inquiry.

We need the information requested in a live chat in order to process your inquiry, address you correctly and send you an answer.

We process your data as part of the provision of our contractual services. This may involve processing inventory data (e.g. surname and first name of the contact person(s), address), contact data (e.g. email address, telephone number), contract data (e.g. subject matter of the contract, term), payment data and data that is collected as part of the provision of services and/or is necessary for the provision of services.

Inquiries and customer relationships are regularly processed in our CRM system. The data processed (surname, first name, title, postal address, date of birth if applicable, your specific interest in our activities and your interactions with us) may also be used by us for information purposes in compliance with legal requirements. The legal basis for this data processing is the Controller's legitimate interest in communicating with interested parties, investors and service providers, visitors to the website and other third parties, in maintaining relationships with interested parties, investors and service providers. If takes place in the context of the performance of a contract, the legal basis for the processing is the fulfillment of the contract or the implementation of pre-contractual measures.

5. ONLINE MEETINGS AND WEBINARS

When participating in an online meeting or a webinar offered or conducted by the Controller, the personal data of the participants is processed.

When participating in an online meeting or webinar, various categories of data are processed. The scope of the data also depends on what data the participants provide about themselves and as part of their participation.

When participating in an online meeting or a webinar, at least a name must regularly be provided when registering. However, a pseudonym can also be used. The IP address of the participants is also processed to enable participation. Login information and device/hardware information is also processed. Furthermore, if specified, the participant's email address and profile picture will be processed. In the case of participation by telephone, the telephone number and, if applicable, the IP address are processed, if transmitted.

When participating in an online meeting or a webinar, if the participant has activated the microphone and/or a camera on the end device, the participant's image and sound data will be processed as part of the participation. If the screen is shared, the information from this screen share is also processed. Participants are free to activate the microphone, camera or screen share.
Audio and video recordings of online meetings or webinars can be created. In this case, the data of all audio, video and presentation recordings will be processed. There will always be a reference to the recording if one is made and, if necessary, the explicit consent of the participants will always be obtained for the recording.

It is also possible to use the chat, question or survey functions in online meetings or webinars. In this respect, the text entries made by the participants are processed in order to display them in the respective online meeting or webinar and, if necessary, to record them.

An external service provider is used as a data processor to conduct and, if necessary, record online meetings and webinars.
Personal data may be transferred to third countries that do not offer an adequate level of data protection. In this case, it is ensured that appropriate safeguards are provided for such a transfer in order to ensure an adequate level of data protection. The Controller will provide evidence of these appropriate safeguards on request.

The legal basis for this processing is the fulfillment of the contract or the implementation of pre-contractual measures, provided that the implementation and participation in the online meeting or webinar within the framework of an existing contractual relationship is necessary for the fulfillment of the contract or is aimed at the conclusion of a contract. This is regularly the case for employees, interested parties, investors and service providers. Otherwise, the legal basis for processing is the Controller's legitimate interest in efficient communication, both internally and with external stakeholders.

6. JOB APPLICATIONS

6.1 Application Process

We collect and process personal data from applicants for the purpose of carrying out the application process.

If we conclude an employment contract with an applicant, the data transmitted will be processed for the purpose of implementing the employment relationship in compliance with the statutory provisions. If no employment contract is concluded, the application documents will be deleted immediately after the end of the application procedure, provided that there is no overriding legitimate interest in deletion, such as the defense against claims or the preservation of evidence in accordance with equal treatment and anti-discrimination laws.

The legal basis for this storage and processing is the implementation of pre-contractual measures.

6.2 Talent Pool

If the applicant has consented to a longer storage of his/her data, we will store the data submitted as part of the application in our talent pool for a further 2 years after the end of the application process to identify future positions of potential interest to the applicant and, if necessary, contact the applicant in this regard. After this period, the data will be deleted.

Such consent to the storage of application data in our talent pool can be withdrawn at any time for the future. To do so, please send us an email to the contact details provided above.

The legal basis for the storage of application documents in our Talent Pool is, where applicable, the explicit consent of the applicant, which can be revoked at any time.

6.3 Compliance/Sanctions Screening

Applicants who are shortlisted as part of the application process may be subject to an initial compliance check. The compliance check involves a comparison of the applicant's name and address with relevant sanctions lists, in particular on the basis of the EU anti-terrorism regulations.

To carry out the compliance/sanctions list screening, we use an external service provider as a data processor on the basis of a data processing agreement.

The legal basis for this storage and processing is, if there is a legal obligation to carry out a compliance/sanctions list screening, the fulfillment of the legal obligation. In individual cases, depending on a balancing of interests, compliance/sanctions list screening can also take place if there is no mandatory legal obligation. In this case, the legal basis is our legitimate interest in avoiding potential sanctions by foreign authorities.

7. MERGERS AND ACQUISITIONS (M&A)

If we are involved in a restructuring, acquisition, asset sale, merger, financing, transfer of services to another provider, due diligence, your personal data may be transferred to third parties to the extent legally permitted in connection with and as part of the relevant legal process, subject to the basic principles of data protection law.

8. AGE RESTRICTION

This website is not intended or designed for use by children under the age of 16. We do not knowingly collect personally identifiable information from or about anyone under the age of 16.

9. RECIPIENTS OF DATA

Within the Controller's organization, access to data is granted to those internal departments or organizational units that need it to perform their tasks, if necessary to fulfill contracts, for data processing based on the consent of the data subject(s) or to protect overriding legitimate interests.

Data will only be passed on to third parties in accordance with legal requirements. Your data will only be passed on to third parties if this is necessary for contractual purposes or to safeguard our overriding legitimate interest in the effective performance of our business operations.

If we use service providers or third-party providers to provide the website or other services, we take suitable legal precautions and appropriate technical and organizational measures to ensure the protection of your personal data.

10. DATA SUBJECT RIGHTS

Within the scope of the legal requirements, data subjects have the following rights with regard to the processing of personal data:

10.1 Right of Access

Data subjects have the right to request information about the personal data processed about them.

10.2 Right to Rectification

Data subjects have the right to request the rectification of inaccurate personal data concerning them. They also have the right to request the completion of incomplete personal data.

10.3 Right to Erasure

Data subjects have the right to request the erasure of personal data concerning them.

10.4 Right to Restriction of Processing

Data subjects have the right to request that the processing of personal data concerning them be restricted.

10.5 Right to Object to Processing

Data subjects have the right to object, on grounds relating to their particular situation, at any time to processing of personal data concerning them which is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or which is based on a legitimate interest. In this case, the data will no longer be processed unless the Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims.

In addition, data subjects have the right to object at any time to the processing of personal data concerning them for the purpose of direct marketing; this also applies to any profiling insofar as it is associated with such direct marketing.

10.6 Right to Withdraw a Consent

Data subjects have the right to withdraw their consent if they have given their consent for processing.

10.7 Right to Data Portability

Data subjects have the right to receive the personal data concerning them, which they have provided to a Controller, in a structured, commonly used and machine-readable format ("data portability") and the right to transmit those data to another Controller.

10.8 Exercising the Rights

The rights of data subjects can be exercised by notifying the Controller or, where applicable, the Data Protection Officer using the contact details provided above.

10.9 Right to Lodge a Complaint with the Data Protection Supervisory Authorities

If data subjects believe that the processing of personal data concerning them breaches data protection law, they have the right to lodge a complaint with a data protection supervisory authority.

11. MANDATORY INFORMATION AND PROFILING

The provision of personal data is neither legally nor contractually required. There is no obligation to provide personal data, however, the provision of personal information is necessary for the conclusion of a contract insofar as certain information is mandatory in order to conclude (and execute) a contract.

Automated decision-making, including profiling, is not carried out.

12. RETENTION AND DELETION

We adhere to the principles of data avoidance and data economy and only store your personal data for as long as is necessary to achieve the respective purpose of the data processing purposes or as stipulated by the storage periods provided by law.

If the purpose of storage no longer applies or if a storage period provided for by law expires, the personal data will be routinely anonymized or deleted in accordance with the statutory provisions.

13. INFORMATION SECURITY

We take appropriate technical and organizational measures in accordance with the state of the art to ensure a level of protection for the personal data we process that is appropriate to the risk of the respective processing and to protect the data we process against accidental or intentional manipulation, loss, destruction or against access by unauthorized persons.

Our website uses SSL encryption for security reasons and to protect the transmission of confidential content, such as inquiries or payment data that you send to us.

Our employees receive regular training on data protection and information security and are committed to confidentiality and data protection.

A restrictive rights and roles concept on a "need to know" basis ensures that employees only have access to the personal data they absolutely need to perform their duties.

14. AMENDMENT OF THIS PRIVACY POLICY

We reserve the right to amend this Privacy Policy from time to time so that it always complies with current legal requirements and/or in order to implement changes to our services in the Privacy Policy, e.g. when introducing new services. When visiting the website or using our services, the current privacy policy always applies.