Our handling of your data and your rights

With the following information we would like to provide an overview about the processing of your personal data by the MULTIVAC-Group (i.e., MULTIVAC Sepp Haggenmüller SE & Co. KG and MULTIVAC Export AG including each company`s affiliated subsidiaries) and your resulting rights. Which data is processed in detail and how it is used depends largely on the services requested by or agreed with you. Therefore, some statements contained in here may not apply to you.

 

Who is the responsible Data Processor?

Responsible for the processing of your data within the meaning of the General Data Protection Regulation (GDPR) is your contractual partner of the MULTIVAC-Group. In general, your contractual partner will be the responsible subsidiary of your country or region. You can find a list of our subsidiaries here:

However, in some cases your contractual partner may be directly MULTIVAC Sepp Haggenmüller SE & Co. KG or the MULTIVAC Export AG, each of them acting as the holding company of its subsidiaries.

You may contact the data protection officer of the responsible entity via mail at the addresses provided by the link above with the addition "Data protection officer" or by e-mail: dataprotection@multivac.com.

 

Type of personal data collected

We process your data, which we receive from you or third parties in the context of business relationships. Usually, these data are contact details (e.g. your name, address, telephone number and email address) and - insofar as necessary in the course of business - banking and payment (transaction) data (bank, account details, purpose, information from publicly available sources, information databases and information services (e.g. internet, commercial register, credit reporting agency) as well as other data that you may voluntarily provide to us as part of the execution of a project or a contractual relationship or as part of a contract initiation.

 

We process your data for the following purposes and on the following legal basis

We process your personal data in accordance with the provisions of the European General Data Protection Regulation (GDPR) and the EU Data Protection Adjustment and Implementation Act:

To fulfill contractual obligations (Art. 6 Para. 1 b GDPR)

The processing of data takes place:

• for contract initiation, contract execution and termination of contractual relationships, e.g., fulfillment of a contract (such as delivery or provision of a service and payment processing)
• for general communication with business partners, such as responding to inquiries about products and services, contract negotiations, etc.

Due to legal requirements (Art. 6 Para. 1 c GDPR)

We are subject to various legal obligations that result in data processing. These include e.g.:

• to fulfill reporting or information obligations towards authorities
• commercial or tax retention requirements
• inquiries and requests from regulatory or law enforcement agencies
• compliance with duties regarding import and export regulations as well as embargos

In addition, the processing and disclosure of personal data may be necessary as part of official / judicial measures for the purpose of gathering evidence, prosecuting or enforcing civil law claims.

Based on given consent (Art. 6 Para. 1 a GDPR)

e.g., for sending newsletters or information letters.

Due to a legitimate interest (Art. 6 Para. 1 f GDPR)

If necessary, we process your data beyond the actual fulfillment of the contract

• to maintain business relationships with existing customers, suppliers and business partners, including (direct) marketing, newsletters for product information
• management of business contacts in our contact database
• to protect legitimate interests and claims of us or third parties, e.g., to assert legal claims and defense in legal disputes
• to implement measures for IT security or measures to ensure proper business operations
• as part of the internal audit, if this is necessary for the regular or event-related internal auditing and consulting activities that we carry out to evaluate and improve our effectiveness.

 

Recipients and categories of recipients of personal data

Inside our Company

Employees of the MULTIVAC-Group for the contact with you and the contractual cooperation (including the fulfillment of pre-contractual measures).

As part of order processing

Your data may be passed on to service providers who work for us as processors.  Data processing contracts have been executed with these service providers to ensure the protection of your personal data for both, service providers inside and outside the European Union.

Other third parties

Data will only be passed on to recipients outside of our company if the applicable data protection regulations are observed. Recipients of personal data can be, for example:

• Public bodies and institutions (e.g., financial or law enforcement authorities) if there is a legal or official obligation
• Public bodies and authorities to check on the preconditions of and to apply for Export Authorizations including requirements and restrictions regarding Embargo obligations
• Credit and financial service providers (processing payment transactions)
• Tax consultant or economic and income tax and auditor (statutory audit mandate), etc.

 

Transfer of data to a third country or international organization

Your data will in general be processed within the European Union (EU) and countries within the European Economic Area (EEA).

If necessary, we transfer and process your personal data to the companies within our group of companies to fulfill the above-mentioned purposes, always subject to the affiliated subsidiaries to adhere the conditions of the GDPR. This applies to both, subsidiaries within and without the EU and the EEA.

Transfer and processing of your personal data to a country or organization outside the EU or EEA may apply only in cases where there is a sufficient legal basis for MULTIVAC (e.g., your consent, to fulfill contractual or legal requirements) and always subject to the conditions provided by the par. 44 GDPR and subsequent.

 

Duration of storage

We process and store your personal data as long as this is necessary to fulfill our contractual and legal obligations. If data is no longer required for the fulfillment of contractual or legal obligations, data will be deleted periodically. A different retention period may apply if you have consented to this when the data was collected.

Exceptions may apply:

• as far as statutory retention requirements are to be fulfilled, e.g., commercial code and tax code are required. The periods for storage and documentation specified there are usually six to ten years
• to preserve evidence within the framework of the statutory statute of limitations

If the data processing takes place in the legitimate interest of us or a third party, the personal data will be deleted as soon as this interest no longer exists. The exceptions mentioned apply here.

 

Data subjects' rights

Regarding your personal data you are entitled to: gain information about your processed personal data under Article 15 GDPR, to have your data rectified under Article 16 GDPR, to have your data deleted under Article 17 GDPR, to restrict further processing with effect for the future under Article 18 GDPR, and the right to object to the processing of your personal data with effect for the future under Article 21 GDPR. You are entitled, under the conditions specified in Art. 20 GDPR, to receive your personal data that has been stored in a structured, common and machine-readable format.

Without prejudice to any other administrative or judicial remedy, you as a data subject have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your residence, place of work or the place of the alleged infringement, if you consider that the processing of your personal data infringes data protection rules.

 

Status: March 21st, 2023