Privacy Statements

Data protection information on the use of the LANXESS Biosecurity Solutions app

A. Foreword

We, LANXESS Deutschland GmbH (company) together with our subsidiaries (hereinafter jointly referred to as "the company", "we" or "us") take the protection of your personal data seriously and would like to inform you here about data protection in our company.
 
As part of our responsibility under data protection law, additional obligations have been imposed on us by the entry into force of the EU General Data Protection Regulation (Regulation (EU) 2016/679; hereinafter: "GDPR") in order to ensure the protection of personal data of the person affected by processing (we refer to you, the data subject, as "customer", "user", "you" or "data subject").
Insofar as we decide either alone or jointly with others on the purposes and means of data processing, this includes above all the obligation to inform you transparently about the type, scope, purpose, duration and legal basis of the processing (cf. Art. 13 and Art. 14 GDPR). With this declaration (hereinafter: "data protection information"), we inform you about the way in which your personal data is processed by us.

B. General information

1. Definitions
The data protection information is based on the following definitions:

  • "Personal data" (Art. 4 No. 1 GDPR) means any information relating to an identified or identifiable natural person ("data subject"). A person is identifiable if they can be identified directly or indirectly, in particular by reference to an identifier such as a name, an identification number, an online identifier, location data or information relating to their physical, physiological, genetic, mental, economic, cultural or social identity. The identifiability can also be provided by linking such information or other additional knowledge. The origin, form or embodiment of the information is irrelevant (photos, video or audio recordings can also contain personal data).
  • "Processing" (Art. 4 No. 2 GDPR) means any operation which is performed on personal data, whether or not by automated means (i.e. using technical specifications). This includes, in particular, the collection (i.e. acquisition), recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data, or alteration of the purposes for which they were originally processed.
  • "Controller" (Art. 4 No. 7 GDPR) means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
  • "Third party" (Art. 4 No. 10 GDPR) means any natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data; this also includes other legal entities belonging to the group.
  • "Processor" (Art. 4 No. 8 GDPR) is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller, in particular in accordance with the controller's instructions (e.g. IT service provider). In terms of data protection law, a processor is in particular not a third party.
  • "Consent" (Art. 4 No. 11 GDPR) of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

2. Amendment of the data protection information

(1) As part of the further development of data protection law and technological or organizational changes, our data protection information is regularly reviewed to determine whether it needs to be adapted or supplemented. You will be informed of any changes.
(2) This data protection information reflects the status as of 15.03.2024.
 
3. No obligation to provide personal data
We do not make the conclusion of contracts with us dependent on you providing us with personal data beforehand. As a customer, you are under no legal or contractual obligation to provide us with your personal data; however, we may only be able to provide certain services to a limited extent or not at all if you do not provide the necessary data. If this should exceptionally be the case within the scope of the products presented below and offered by us, you will be informed of this separately.
 
C. Information about the processing of your data
1. The collection of personal data concerning you
(1) When you use our app, we collect personal data about you.
(2) Personal data is all data that relates to you personally (see above under General). For example, your name, your location data, your IP address, the device ID, your address and e-mail address are personal data. Images, films, audio recordings, but also your user behavior fall into this category.
 
2. Legal bases of data processing
(1) In principle, any processing of personal data is prohibited by law and is only permitted if the data processing falls under one of the following justifications:

  • Art. 6 para. 1 sentence 1 lit. a GDPR ("consent"): Where the data subject has voluntarily, in an informed and unambiguous manner, indicated by a statement or other unambiguous affirmative act that he or she consents to the processing of personal data relating to him or her for one or more specific purposes;
  • Art. 6 para. 1 sentence 1 lit. b GDPR: If the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
  • Art. 6 para. 1 sentence 1 lit. c GDPR: If processing is necessary for compliance with a legal obligation to which the controller is subject (e.g. a legal obligation to retain data);
  • Art. 6 para. 1 sentence 1 lit. f GDPR ("Legitimate interests"): If the processing is necessary for the purposes of the legitimate (in particular legal or economic) interests pursued by the controller or by a third party, except where such interests are overridden by the interests or rights of the data subject (in particular where the data subject is a minor).

The storage of information in the end user's terminal equipment or access to information that is already stored in the terminal equipment is only permitted if it is covered by one of the following justifications:

  • Section 25 (1) TTDSG: If the end user has consented on the basis of clear and comprehensive information. Consent must be given in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR;
  • Section 25 (2) no. 2 TTDSG: If storage or access is absolutely necessary so that the provider of a telemedia service can provide a telemedia service expressly requested by the user.

(2) For the processing operations carried out by us, we indicate below the applicable legal basis in each case. Processing may also be based on several legal bases.
 
3. The data collected during the download
(1) When you download this app, certain personal data required for this purpose will be transmitted to the relevant app store (e.g. Apple App Store or Google Play).
(2) In particular, the e-mail address, the user name, the customer number of the downloading account, the individual device identification number, payment information and the time of the download are transmitted to the App Store during the download.
(3) We have no influence on the collection and processing of this data; it is carried out exclusively by the app store you have selected. Accordingly, we are not responsible for this collection and processing; the responsibility for this lies solely with the app store.
 
4. Data collected during use
(1) Inevitably, we can only provide you with the benefits of our app if we collect certain personal data required for the operation of the app when you use it. 
(2) We only collect this data if this is necessary for the fulfillment of the contract between you and us (Art. 6 para. 1 lit. b GDPR). Furthermore, we collect this data if this is necessary for the functionality of the app and your interest in the protection of your personal data does not outweigh this (Art. 6 para. 1 lit. f GDPR) or if you consent to the collection and processing (Art. 6 para. 1 lit. a GDPR).
(3) We collect and process the following data from you: 

  • Device information: The access data includes the IP address, device ID, device type, device-specific settings and app settings as well as app properties, the date and time of the retrieval, time zone, the amount of data transferred and the message as to whether the data exchange was complete, app crash, browser type and operating system. This access data is processed to enable the technical operation of the app.
  • Data that you make available to us: To use the app, you need to create a user account. To do this, enter at least your login name.
  • Information with your consent: We process other information (e.g. GPS location data) if you allow us to do so.
  • Contact form data: When contact forms are used, the data transmitted through them is processed (e.g. gender, surname and first name, address, company, e-mail address and the time of transmission).

(4) If the processing of the data requires the storage of information in your terminal equipment or access to information that is already stored in the terminal equipment, Section 25 (1), (2) TTDSG is the legal basis for this.
 
5. Use of cookies
(1) We use cookies when operating our app. Cookies are small text files that are stored on the device memory of your mobile device and assigned to the mobile app you are using and through which certain information flows to the location that sets the cookie. Cookies cannot execute programs or transfer viruses to your computer and therefore cannot cause any damage. They serve to make our app more user-friendly and effective overall, i.e. more convenient for you.
(2) Cookies may contain data that makes it possible to recognize the device used. In some cases, however, cookies only contain information on certain settings that are not personally identifiable. However, cookies cannot directly identify a user.
(3) A distinction is made between session cookies, which are deleted as soon as you close your browser, and permanent cookies, which are stored beyond the individual session. We only use the following cookies:

  • Technical cookies: These are absolutely necessary to move within the app, use basic functions and ensure the security of the app; they do not collect information about you for marketing purposes, nor do they store which websites you have visited.

(4) The legal basis for cookies that are absolutely necessary to provide you with the expressly requested service is Section 25 (2) No. 2 TTDSG.
(5) Any use of cookies that is not absolutely technically necessary constitutes data processing that is only permitted with your express and active consent in accordance with Section 25 (1) TTDSG in conjunction with Art. 6 (1) sentence 1 lit. a GDPR. This applies in particular to the use of performance, advertising, targeting or sharing cookies. In addition, we only pass on your personal data processed by cookies to third parties if you have given your express consent in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR.

6. Analysis tools and advertising
(1) etracker

LANXESS uses the services of etracker GmbH from Hamburg, Germany (etracker.com) to analyze usage data. We do not use cookies for web analysis by default. If we use analysis and optimization cookies, we will obtain your explicit consent separately in advance. If this is the case and you give your consent, cookies are used to enable a statistical analysis of the reach of this app, to measure the success of our marketing measures and test procedures, e.g. to test and optimize different versions of our offer or its components. Cookies are small text files that are stored on the user's end device. etracker cookies do not contain any information that enables a user to be identified.

The data generated with etracker is processed and stored by etracker on behalf of LANXESS exclusively in Germany and is therefore subject to the strict German and European data protection laws and standards. etracker has been independently audited and certified in this respect and has been awarded the ePrivacyseal data protection seal of approval.

Data processing is carried out on the basis of the legal provisions of Art. 6 para. 1 lit. f (legitimate interest) of the General Data Protection Regulation (GDPR). Our concern within the meaning of the GDPR (legitimate interest) is the optimization of our offer. Since the privacy of our visitors is important to us, the data that may allow a reference to an individual person, such as the IP address, login or device identifiers, are anonymized or pseudonymized as soon as possible. The data is not used in any other way, merged with other data or passed on to third parties.

Further information on data protection at etracker can be found here.
 
7. Period of data storage
(1) We delete your personal data as soon as it is no longer required for the purposes for which we collected or used it (see C. 4., 5., 6.). As a rule, we store your personal data for the duration of the usage or contractual relationship via the app. Your data will generally only be stored on our servers in Germany, subject to any disclosure in accordance with the provisions in F. 1., 2. and 3.
(2) However, data may be stored beyond the specified period in the event of an (impending) legal dispute with you or other legal proceedings.
(3) Third parties engaged by us (see F. 1.) will store your data on their system for as long as is necessary for us in connection with the provision of the service in accordance with the respective order.
(4) Legal requirements for the storage and deletion of personal data remain unaffected by the above (e.g. § 257 HGB or § 147 AO). If the storage period prescribed by the statutory provisions expires, the personal data will be blocked or deleted unless further storage by us is necessary and there is a legal basis for this.
 
8. Data security
(1) We use suitable technical and organizational security measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction or against unauthorized access by third parties, taking into account the state of the art, the implementation costs and the nature, scope, context and purpose of the processing as well as the existing risks of a data breach (including its probability and effects) for the data subject. Our security measures are continuously improved in line with technological developments.
 
9. No automated decision-making (including profiling)
We do not intend to use personal data collected from you for automated decision-making (including profiling).
 
10. Change of purpose
(1) Your personal data will only be processed for purposes other than those described if this is permitted by law or if you have consented to the changed purpose of the data processing.
(2) In the event of further processing for purposes other than those for which the data was originally collected, we will inform you of these other purposes prior to further processing and provide you with all other relevant information.
 
D. Responsibility for your data and contacts
1. Person responsible and contact details
(1) We, LANXESS Deutschland GmbH, Kennedyplatz 1, 50569 Cologne, Germany, are responsible for the processing of your personal data within the meaning of Art. 4 No. 7 GDPR. 
(2) Our company data protection officer is available to you at any time at datenschutz@lanxess.com for all questions and as a contact person on the subject of data protection. 
(3) Please contact this contact point in particular if you wish to assert the rights to which you are entitled, which are explained in Chapter G, against us.
(4) If you have any further questions or comments on the collection and processing of your personal data, please also contact the aforementioned contacts.
 
2. Data collection when making contact 
(1) If you contact us by e-mail or via a contact form, we will store your e-mail address, your name and all other personal data that you have provided in the course of contacting us so that we can contact you to answer your question.
(2) We delete this data as soon as storage is no longer necessary. If there are statutory retention periods, the data will remain stored, but we will restrict the processing.
 
F. Data processing by third parties
1. Order data processing 
(1) We may use contracted service providers for individual functions of our app. As with any large company, we also use external domestic and foreign service providers to process our business transactions (e.g. for IT, logistics, telecommunications, sales and marketing). These service providers only act in accordance with our instructions and are contractually obliged to comply with data protection regulations in accordance with Art. 28 GDPR. 
(2) The following categories of recipients, which are usually processors, may have access to your personal data: 

  • We use data processing service providers for the operation of our app and the processing of data stored or transmitted by the systems (e.g. for data center services, payment processing, IT security). The legal basis for the transfer is then Art. 6 para. 1 sentence 1 lit. b or lit. f GDPR, insofar as these are not processors;
  • Government bodies/authorities, insofar as this is necessary to fulfill a legal obligation. The legal basis for the transfer is then Art. 6 para. 1 sentence 1 lit. c GDPR;
  • Persons engaged to carry out our business operations (e.g. auditors, banks, insurance companies, legal advisors, supervisory authorities, parties involved in company acquisitions or the establishment of joint ventures). The legal basis for the disclosure is then Art. 6 para. 1 sentence 1 lit. b or lit. f GDPR.

(3) In addition, we will only pass on your personal data to third parties if you have given your express consent in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR.
(4) If your personal data is passed on by us to our subsidiaries or is passed on to us by our subsidiaries (e.g. for advertising purposes), this is done on the basis of existing order processing relationships.
 
2. Requirements for the transfer of personal data to third countries 
(1) As part of our business relationships, your personal data may be passed on or disclosed to third-party companies. These may also be located outside the European Economic Area (EEA), i.e. in third countries. Such processing takes place exclusively to fulfill contractual and business obligations and to maintain your business relationship with us (legal basis is Art. 6 para. 1 lit. b or lit. f in each case in conjunction with Art. 44 ff. GDPR). We will inform you about the respective details of the transfer at the relevant points below.
(2) The European Commission certifies that some third countries have a level of data protection comparable to the EEA standard by means of so-called adequacy decisions. In other third countries to which personal data may be transferred, however, there may not be a consistently high level of data protection due to a lack of legal provisions. If this is the case, we ensure that data protection is adequately guaranteed. This is possible via binding corporate rules, standard contractual clauses of the European Commission for the protection of personal data pursuant to Art. 46 (1), (2) lit. c GDPR, certificates or recognized codes of conduct. 
 
3. Legal obligation to transmit certain data
We may be subject to a special legal or statutory obligation to provide the lawfully processed personal data to third parties, in particular public authorities (Art. 6 para. 1 sentence 1 lit. c GDPR).
 
G. Your rights
You have the following rights vis-à-vis us with regard to your personal data:

  • Right to information,
  • Right to rectification or erasure,
  • Right to restriction of processing,
  • Right to object to the processing,
  • Right to data portability.

In accordance with Art. 77 GDPR, you also have the right to complain to the competent supervisory authority about the collection and processing of your personal data.

If you wish to exercise your rights, please contact our data protection officer. All you need to do is send an e-mail to the e-mail address given above (under D.).