Data protection law information for the website

Dear Sir/Madam,

we inform you with the following data protection information about the processing of your personal data in the context of the use of our website.

A. The party responsible for data processing

CRONIMET Holding GmbH
Südbeckenstr. 22
76189 Karlsruhe
Telefon +49 721 95225-0
mail@cronimet.de

B. Data protection officer

CRONIMET Holding GmbH
Datenschutzbeauftragter
Südbeckenstr. 22
76189 Karlsruhe
Telefon +49 721 95225-0
datenschutz@cronimet.de

C. Purposes and legal basis of processing, data categories

1. Website access

If you only use our website for informational purposes, for instance if you do not register on the website or provide us with any information in some other manner (for instance via e-mail or using a contact form), we collect the following technical information (log file data):

• operating system of the device you use to visit our website

• browser (type, version & language settings)

• accessed quantity of data

• current IP address of the device you use to visit our website

• date and time of the access

• URL of the last visited website (referrer)

• URL of the (sub-)page you access on the website

• Internet service provider for the accessing system.

This data must be collected for technical reasons, in order to display our website and ensure it remains stable and secure. We (and our service providers) do not typically know who is using which IP address. We do not combine this data with any other data.

The legal basis for this processing is Art. 6 para. 1 sent. 1 lit. f GDPR. Since we must collect this data to provide our website and we must store it in log files to operate our page and protect ourselves from misuse, our legitimate interest in data processing outweighs any user rights.

2. Contact by e-mail or contact form

When you contact us via e-mail or using a contact form, we store the data you provide (your e-mail address, and your name and telephone number if provided) to answer your questions and process your inquiry. The legal basis for this processing is Art. 6 para. 1 sent. 1 lit. f GDPR.

If we request information through our contact form and this information is not necessary to contact you, it will always be marked as optional. We use this information to better understand your inquiry and process your question. Such information is provided on a solely voluntary basis, and with your consent (Art. 6 para. 1 sent. 1 lit. a GDPR). Insofar as this includes information on communication channels (e.g. e-mail address, telephone number), you also agree that we may contact you via this communication channel in order to answer your inquiry. Of course, you can revoke this consent at any time with future effect.

Any data we collect in order to contact you is deleted once we no longer need it for this purpose, once we have processed your inquiry in full and we no longer need to communicate with you, or once you request that we stop communication. As a controller under data protection law, our company has implemented many different technical and organisational measures to ensure the most seamless protection possible for the personal data we process via our website. However, web-based data transmissions may always be subject to gaps in security. It is not possible to guarantee absolute protection. Non-encrypted e-mails are never entirely secure. Because of this, we request that you never send sensitive data in a non-encrypted e-mail. Instead, either use encrypted communication channels (e.g. our contact form) or send us your data by post.

3. Applications

You can apply online via our application portal at https://cronimet.softgarden.io/de/vacancies. Your online application will be forwarded there directly to the HR department via an encrypted connection and will of course be treated confidentially.

You can also apply to our company electronically, e.g. via e-mail or web form. Please note that e-mails sent unencrypted will not be protected against unauthorized access.

Your data will be used for the processing of your application and the decision on the establishment of an employment relationship. The legal basis is § 26 para. 1 in conjunction with para. 8 sent. 2 Federal Data Protection Act (“BDSG”). Furthermore, your personal data may be processed insofar as this should be necessary for the defense of asserted legal claims against us arising from the application process. The legal basis for this is Art. 6 para. 1 sent. 1 lit. f GDPR. The stated purposes also constitute the legitimate interest in the processing.

If an employment relationship is formed between you and us, we may, in accordance with § 26 para. 1 BDSG, further process the personal data already received from you for the purposes of the employment relationship if this is necessary for the performance or termination of the employment relationship or for the exercise or fulfillment of the rights and obligations of the employee representative body resulting from a law or a collective agreement, a works agreement or a service agreement.

Your application data will not be processed beyond the described use.

Your personal data will be deleted after completion of the application process after 6 months at the latest, provided that no other legitimate interests on our part oppose deletion or you have not given us consent for longer storage. Other legitimate interest in this sense is, for example, a duty to provide evidence in proceedings under the General Equal Treatment Act (“AGG”).

4. Friendly Captcha

We use the “Friendly Captcha” service of Friendly Captcha GmbH, Am Anger 3–5, 82237 Woerthsee on our websites. We use Friendly Captcha to protect our website from spam and bots. In order to find out whether entries on the website are made by a human or automatically by a programme, Friendly Captcha analyses various information:

• the request headers user-agent, origin and referrer

• the puzzle itself, which contains information about the account and the website key to which the puzzle relates

• the version of the widget

• a timestamp.

An anonymised counter per IP address is stored to dynamically scale the puzzle difficulty on the edge network. The IP address is anonymised and the information is stored separately from the other personal data.

We use Friendly Captcha to ensure the security of our website and therefore base the data processing on Art. 6 para. 1 sent. 1 lit. f GDPR. You can find further information under https://friendlycaptcha.com/de/legal/privacy-end-users/

5. Cookies

Cookies are data that are stored on your computer by a website you visit and allow your browser to be reassigned. Cookies transmit information to the entity that sets the cookie. Cookies can store various information, such as your language preference, the duration of your visit to our website or the entries you have made there. Cookies cannot execute programs or transfer viruses to your computer. They serve to make the internet more user-friendly and effective.

There are different types of cookies: session cookies are sets of data that are only temporarily held in memory and are deleted when you close your browser. Permanent or persistent cookies ae automatically deleted after a specified duration, which may vary depending on the cookie. The information can also be stored in text files on your computer with this type of cookie. However, you can also delete these cookies at any time via your browser settings.

The legal basis for possible processing of personal data by means of cookies and their storage period may vary. Insofar as you have given us your consent, the legal basis is Art. 6 para. 1 sent. 1 lit. a GDPR. Insofar as the data processing is based on our overriding legitimate interests, the legal basis is Art. 6 para. 1 sent. 1 lit. f GDPR. The stated purpose them corresponds to our legitimate interest./p>

We use cookies to ensure the proper operation of the website and to provide basic functionality.

You can delete cookies already stored on your end device at any time. If you want to prevent cookies from being stored, you can do this via the settings in your internet browser. You can find instructions for common browsers here: Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Google Chrome mobile, Microsoft Edge Browser, Safari, Safari mobile. Alternatively, you can also install ad blockers. Please note that individual functions of our website may not work if you have disabled the use of cookies.

6. Social Bookmarks

Social bookmarks of the following providers are integrated on our website:

• Facebook (provider: Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA), https://de-de.facebook.com/policy.php

• Xing (provider: New Work SE, Dammtorstraße 30, 20354 Hamburg, Germany), https://privacy.xing.com/de/datenschutzerklaerung

• LinkedIn (provider: LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland), https://de.linkedin.com/legal/privacy-policy

• Instagram (provider: Instagram LLC., 1601 Willow Road, Menlo Park, CA 94025, USA), https://help.instagram.com/519522125107875/?maybe_redirect_pol=0

Social bookmarks are Internet bookmarks that allow users of such a service to collect links and news reports. These are only integrated on our website as a link to the corresponding services. These plugins usually collect data from you by default and transmit it to the servers of the respective provider. To ensure the protection of your privacy, we have taken technical measures to ensure that your data cannot be collected by the providers of the respective plugin without your consent. When you call up a page on which the plugins are integrated, they are initially deactivated. Only by clicking on the respective icon are the plugins activated and you thereby give your consent for your data to be transferred to the respective provider.

The legal basis for the use of the plugins is Art. 6 para. 1 sent. 1 lit. a GDPR. For information on the handling of your personal data when using these websites, please refer to the respective privacy policies of the providers.

D. Recipients or categories of recipients of personal data

As a matter of principle, your personal data will not be transferred to third parties unless we are legally obliged to do so, or the transfer of data is necessary for the performance of the contractual relationship, or you have previously expressly consented to the transfer of your data.

External service providers and partner companies, such as a shipping company commissioned with the delivery, only receive your data insofar as this is necessary to process your order/your request. In these cases, however, the scope of the transmitted data is limited to the necessary minimum. Insofar as our service providers process your personal data on our behalf, we ensure within the scope of processing pursuant to Art. 28 GDPR that they comply with the provisions of the data protection laws in the same manner. Please also note the data protection information of the respective providers. The respective service provider is responsible for the content of third-party services, whereby we check the services for compliance with the legal requirements within the scope of reasonableness.

We value the fact that your personal data is processed within the EU/EEA. However, we may use service providers who process data outside the EU/EEA. In these cases, we ensure that an adequate level of data protection comparable to the standards within the EU is established at the recipient before transferring your personal data. This can be achieved, for example, via EU standard contract clauses, Binding Corporate Rules, or special agreements to whose regulations the company can submit.

E. Duration of storage

Personal data is generally deleted after expiry of the legal (primarily trade and tax law) retention periods. If personal data is not affected by legal retention obligations, it will be deleted when it is no longer required for the purposes described in section C. above. A different retention period may apply if you consented when the data was collected.

F. Rights of data subjects

You have the right to receive information about your personal data we have saved, the right to arrange for incorrectly saved personal data to be corrected or – if relevant – to change or revoke your consent to data processing at any time, including without providing a reason with future effect, the right to restrict the processing of your personal data with future effect, to revoke the processing of your personal data with future effect or to demand the deletion of your personal data. Under the conditions set out in Art. 20 GDPR, you have the right to receive the personal data concerning you, which has been saved, in a structured, commonly used and machine-readable format and the right to transmit that data to another responsible party without hindrance on our part.

To exercise your rights, you may contact our data protection officer mentioned in section B above. In order to avoid possible cases of misuse, we may require that inquiries be accompanied by a handwritten signature or that the inquirer otherwise legitimize himself.

Furthermore, without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement, if the data subject considers that the processing of personal data relating to him or her infringes the GDPR.

G. Changes to this privacy policy

Constant technological development, changes to our services or the legal situation and other reasons may require adjustments to our data protection notice. We therefore reserve the right to change this privacy policy at any time with effect for the future. The current version is available on our website. Please visit our website regularly and inform yourself about the applicable data protection provisions.

Data protection law information for business partners and prospective business partners

Dear Sir/Madam,

we inform you with the following data protection information about the processing of your personal data in the context of the contractual relationship or contract initiation.

A. The party responsible for data processing and contact details of the data protection officer

B. Following CRONIMET subsidiaries come also into question as a party responsible for data processing

You can reach the data protection officer by post at the above address by stating “Data protection officer” or by email via: datenschutz@cronimet.de.

C. Data categories, purposes and legal basis of processing

We process your personal data which we receive from you within the scope of the business relationships or contract initiation. This is generally contact data (name, address, telephone number and email address) and, if required as part of the business transaction, bank and payment (transaction) data (bank, account details, reference, and credit card information if applicable), information from publicly available sources, information databases and credit check agencies (e.g. Internet, trade register, credit agencies) as well as other data, which you voluntarily provide us with within the scope of processing a project or a contractual relationship within the scope of contract negotiations (e.g. business cards). We process your personal data exclusively within the scope of the legal terms, particularly under consideration of the regulations of the General Data Protection Regulation (“GDPR”) and the Federal Data Protection Act (“BDSG”). We process your personal data on the basis of the following described legal bases and for the purposes of

• contract negotiation, contract implementation and termination of the contractual relationship (Art. 6 para. 1 sent. 1 lit. b GDPR) e.g. fulfilment of a contract (e.g. delivery or performance of a service and payment transaction), general communication with business partners e.g. answering enquiries about products and services, contract negotiations etc.;

• based on consent given (Art. 6 para. 1 sent. 1 lit. a GDPR) e.g. despatch of newsletters or information correspondence, participation in marketing campaigns or surveys etc.;

• based on legal stipulations (Art. 6 para. 1 sent. 1 lit. c GDPR), e.g. to fulfil trade law or tax law retention obligations, to fulfil reporting or information obligations towards authorities, etc.;

• based on a legitimate interest (Art. 6 para. 1 sent. 1 lit. f GDPR); e.g. measures for IT security or measures to ensure proper business operations, to protect the company code, for the protection of property and the investigation of criminal offences, to enforce legal claims or defend legal disputes, to ensure compliance requirements, etc.

As we also use the contact data of the person you have nominated to us as a contact partner, we ask you to pass on this information to the affected employees within your company.

D. Recipients or categories of recipients of personal data

We transmit your personal data to authorities/public bodies if required due to primary legal regulations. If necessary, we transmit your personal data to companies within our company group if required to fulfil the purposes stated above in section C. We employ external service providers for various business transactions as assignment processors in terms of Art. 28 GDPR. We have concluded order data processing contracts with these service providers to ensure that your personal data is protected. The above described recipients may also be located in countries outside of the European Economic Area (“third countries”). Third countries may not have the same level of data protection as in the European Economic Area. If data transmission takes place in a third country, we ensure that this transmission only takes place according to the terms of the legal regulations (chapter V GDPR).

E. Duration of storage

Personal data is generally deleted after expiry of the legal (primarily trade and tax law) retention periods. If personal data is not affected by legal retention obligations, it will be deleted when it is no longer required for the purposes described in section C. above. A different retention period may apply if you consented when the data was collected.

F. Rights of data subjects

You have the right to receive information about your personal data we have saved, the right to arrange for incorrectly saved personal data to be corrected or – if relevant – to change or revoke your consent to data processing at any time, including without providing a reason with future effect, the right to restrict the processing of your personal data with future effect, to revoke the processing of your personal data with future effect or to demand the deletion of your personal data. Under the conditions set out in Art. 20 GDPR, you have the right to receive the personal data concerning you, which has been saved, in a structured, commonly used and machine-readable format and the right to transmit that data to another responsible party without hindrance on our part.

In addition, you may contact our data protection officer mentioned in section B. above. In order to avoid possible cases of misuse, we may require that inquiries be accompanied by a handwritten signature or that the inquirer otherwise legitimize himself.

Furthermore, without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement, if the data subject considers that the processing of personal data relating to him or her infringes the GDPR.

Data protection law information for video conferences

Dear Sir/Madam,

we inform you with the following data protection information about the processing of your personal data in the context of the participation in video conferences.

A. The party responsible for data processing and contact details of the data protection officer

B. Following CRONIMET subsidiaries come also into question as a party responsible for data processing

You can reach the data protection officer by post at the above address by stating “Data protection officer” or by email via: datenschutz@cronimet.de.

C. Purposes and legal basis of processing, data categories

We process your personal data that we receive from you in the course of using the video conferencing systems (in particular “Skype for Business”).

The following personal data are subject to processing:

• User details: First name, last name, phone (optional), email address, password (if “single sign-on” is not used), profile picture (optional), department (optional).

• Meeting metadata: Topic, description (optional), attendee IP addresses, device/hardware information.

• If recording (optional): MP4 file of all video, audio and presentation recordings.

• When dialling in with the telephone: information about the incoming and outgoing phone number, country name, start and end time. If necessary, further connection data such as the IP address of the device can be stored.

• Text, audio and video data: You may have the opportunity to use the chat, question or survey functions in an “online meeting”. To this extent, the text entries you make are processed in order to display them in the “online meeting” and, if necessary, to log them. To enable the display of video and the playback of audio, the data from the microphone of your terminal device and from any video camera of the terminal device will be processed accordingly for the duration of the meeting. You can turn off or mute the camera or microphone yourself at any time via the “Skype” applications.

To participate in an “online meeting” or to enter the “meeting room”, you must at least provide information about your name.

Scope of processing:

• We use in particular “Skype for Business” to conduct “online meetings”. If we want to record “online meetings”, we will transparently communicate this to you in advance and – if necessary – ask for consent (Art. 6 para. 1 sent. 1 lit. a GDPR). The fact of the recording will also be displayed to you in the “Skype for Business” app.

If it is necessary for the purposes of logging the results of an online meeting, we will log the chat content. However, this will generally not be the case.

In detail, your personal data will be processed for the following purposes and on the basis of the following legal grounds:

• Art. 6 para. 1 sent. 1 lit. f GDPR: Our legitimate interest in these cases is the effective implementation of “online meetings”.

• Art. 6 para. 1 sent. 1 lit. b GDPR: Insofar as the “online meetings” take place in the context of contract initiation, contract execution and termination of contractual relationships, e.g. fulfilment of a contract (such as delivery or provision of a service and payment processing) or general communication with business partners (such as answering inquiries about products and services, contract negotiations, etc.).

• Art. 6 para. 1 sent. 1 lit. a GDPR: Giving consent when recording the video conference.

D. Recipients or categories of recipients of the personal data

The names of all participants are transferred to all participants by the software; if necessary, the software offers the separate option of entering the participant data. If the data subject has activated their camera and microphone, data is transferred to all other participants.

Personal data processed in connection with participation in “online meetings” will generally not be disclosed to third parties unless it is specifically intended for disclosure. Please note that, as in the case of face-to-face meetings, content from “online meetings” is often used precisely to communicate information with customers, interested parties or third parties and is therefore intended to be passed on.

In addition, your personal data will be transferred to the processors commissioned to carry out the video conferences and, if applicable, to their subcontractors. Insofar as our service providers process your personal data on our behalf, we ensure within the scope of processing pursuant to Art. 28 GDPR that they comply with the provisions of the data protection laws in the same manner. Please also note the data protection information of the respective providers. The respective service provider is responsible for the content of third-party services, whereby we check the services for compliance with the legal requirements within the scope of reasonableness.

We value the fact that your personal data is processed within the EU/EEA. However, we may use service providers who process data outside the EU/EEA. In these cases, we ensure that an adequate level of data protection comparable to the standards within the EU is established at the recipient before transferring your personal data. This can be achieved, for example, via EU standard contract clauses, Binding Corporate Rules, or special agreements to whose regulations the company can submit.

E. Duration of the storage of personal data

Your personal data will be processed for the duration of the fulfilment of the purposes set out in section C. above; the data processing is necessary for the duration of the video conference, for example. Personal data is generally deleted after expiry of the legal (primarily trade and tax law) retention periods. If personal data is not affected by legal retention obligations, it will be deleted when it is no longer required for the purposes described in section C. above. A different retention period may apply if you consented when the data was collected.

F. Rights of data subjects

You have the right to receive information about your personal data we have saved, the right to arrange for incorrectly saved personal data to be corrected or – if relevant – to change or revoke your consent to data processing at any time, including without providing a reason with future effect, the right to restrict the processing of your personal data with future effect, to revoke the processing of your personal data with future effect or to demand the deletion of your personal data. Under the conditions set out in Art. 20 GDPR, you have the right to receive the personal data concerning you, which has been saved, in a structured, commonly used and machine-readable format and the right to transmit that data to another responsible party without hindrance on our part.

In addition, you may contact our data protection officer mentioned in section B. above. In order to avoid possible cases of misuse, we may require that inquiries be accompanied by a handwritten signature or that the inquirer otherwise legitimize himself.

Furthermore, without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement, if the data subject considers that the processing of personal data relating to him or her infringes the GDPR.

G. Changes to this privacy policy

Constant technological development, changes to our services or the legal situation and other reasons may require adjustments to our data protection notice. We therefore reserve the right to change this privacy policy at any time with effect for the future. The current version is available on our website. Please visit our website regularly and inform yourself about the applicable data protection provisions.

Data protection law information for social media channels

Dear Sir/Madam,

we inform you with the following data protection information about the processing of your personal data in the context of our social media channels. If you have any further questions regarding the handling of your personal data, please do not hesitate to contact our data protection officer.

A. The party responsible for data processing

CRONIMET Holding GmbH
Südbeckenstr. 22
76189 Karlsruhe
Telefon +49 721 95225-0
mail@cronimet.de

B. Data protection officer

CRONIMET Holding GmbH
Data protection officer
Südbeckenstr. 22
76189 Karlsruhe
Telefon +49 721 95225-0
datenschutz@cronimet.de

C. Social media channels

We operate the following social media websites to draw attention to ourselves:

• LinkedIn

• Instagram

• TikTok

• Facebook

• YouTube

• Xing

• Kununu.

The operators of the following social media channels share responsibility with us:

• LinkedIn

• Instagram

• TikTok

• Facebook

• YouTube

• Xing

• Kununu.

Where our influence on data processing ends, the limit of our responsibility is reached. At these points, it is not possible for us to influence the data processing by the operator of the social media channel. We are therefore unable to provide any information about what personal data is processed by them. For further information on the processing of the collected personal data and the possibilities to object, we refer to the corresponding data protection declarations of the channel operators.

D. Data processing by us

Submitted data such as comments, videos, pictures, likes, public messages that you leave on our social media channels may be published by the social media platforms. These will only be used or processed by us for the following purposes.

Personal data transmitted to us via social media by private message, such as documents or communication data, will not be published by us, but it cannot be ruled out that the social media operator will process or publish this data.

We would like to point out that we do not wish to receive applications via messengers, such as Facebook Messenger, as these cannot guarantee the protection of your personal data to the extent that is required and desired on our part.

We also reserve the right to delete content should this be necessary. We may share your content on our site if this is a function of the social media platform and permissible and communicate with you via the social media platform.

The legal basis for our data processing within the framework of the social media channels is Art. 6 para. 1 sent. 1 lit. f GDPR. The data processing is carried out in the interest of our public relations work and timely communication.

The social media providers are partly located in the USA and other countries outside the EU and the EEA. The data may therefore also be processed by the provider of the respective platform in countries outside the EU and EEA. Please note that companies in these countries may be subject to data protection laws that do not offer the same level of protection for your personal data as is the case in the member states of the EU.

We would also like to point out that we have no influence on the scope, type and purpose of the data processing by the provider of the social media platform. You can find more information about the processing of your data by the social media providers in the privacy policy of the respective platform provider.

E. Data processing by social media channels

On our website, you will find links to other company websites on social media platforms. You can recognise links to the websites of the social media services by the respective company logo, for example. If you follow these links, you will reach our corporate presence on the respective social media platform. When you click on a link to such a platform, a connection to the platform's servers is established. This transmits to the servers of the platform that you have visited our website.

In addition, further data is transmitted to the provider of the platform. This may include the following data:

• address of the website on which the activated link is located

• date and time the website was accessed or the link was activated

• information on the browser and operating system used

• IP address.

We expressly draw your attention to the fact that the social media provider stores the data (e.g. IP address, preferences and personal interests, behavior on the platform, any personal information stored on the platform, etc.) of users and uses it for business purposes.

We would like to point out that the respective operator of the social media platform uses web tracking methods. We would also like to point out that web tracking could also take place regardless of whether you are logged in and/or registered with the social media platform. It is not possible for us to influence the web tracking methods of the platforms. If, for example, you would like to switch off the web tracking, you must arrange this on the respective website of the operator.

If you are a member of the social media channels and are logged into your user account, the social media provider can associate your visit to our page with your user account. If you would like to prevent the provider from linking data about your visit to our fan page with your membership data stored with the platform, you must

• log out of the social media platform before each visit to our fan page,

• delete the cookies stored on your device and

• close and restart your browser.

In this way, according to the social media providers, all information through which you can be identified by social media providers is deleted.

It cannot be ruled out that the provider of the social media platform uses your data to create a profile about you, for example, and thus generates tailored advertising for you.

For more information on data processing by the provider of the social media platform and further objection options, you can view the privacy statements of the respective operators here:

• LinkedIn:

  https://de.linkedin.com/legal/privacy-policy

  and

  https://de.linkedin.com/legal/cookie-policy

• Instagram:

  https://privacycenter.instagram.com/policy/?entry_point=ig_help_center_data_policy_redirect

• TikTok:

  https://www.tiktok.com/legal/page/eea/privacy-policy/de-DE

  and

  https://www.tiktok.com/legal/tiktok-website-cookies-policy?lang=de-DE

• Facebook:

  https://de-de.facebook.com/privacy/policy/?entry_point=data_policy_redirect&entry=0

• YouTube:

  https://policies.google.com/privacy?hl=de

• Xing:

  https://privacy.xing.com/de/datenschutzerklaerung

• Kununu:

  https://www.kununu.com/de/info/agb#h3-datenschutz

  and

  https://privacy.xing.com/de/datenschutzerklaerung

In cases where we are jointly responsible for processing with the operator, you will find the main content of the joint processing of your data here:

• LinkedIn:

  https://www.linkedin.com/help/linkedin/answer/a1338708?lang=de

  and

  https://legal.linkedin.com/pages-joint-controller-addendum

• Facebook:

  https://www.facebook.com/legal/terms/page_controller_addendum

  and

  https://www.facebook.com/policy.php

Instagram, TikTok, YouTube (Google), Xing and Kununu unfortunately do not currently provide an addendum or similar.

F. LinkedIn

We operate our LinkedIn company page to inform you and to communicate with you as a user, interested party or potential employee/applicant.

The provider of the platform is LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland.

In accordance with LinkedIn's terms of use, which each user must agree to when creating a LinkedIn profile, we may identify subscribers to our site and view their profiles or other shared information. For example, your LinkedIn name and profile picture are visible to us (and other LinkedIn users) when you visit our company page or comment on our posts. We therefore only collect personal data that has become an obvious part of our LinkedIn company page through your participation.

LinkedIn uses small text files that are stored on the various end devices of the users (cookies) to store and further process this information. According to LinkedIn, the cookies used by LinkedIn are for authentication, security, settings, personalised advertising features and services, and analysis and research. You can view details of the cookies used by LinkedIn here: https://de.linkedin.com/legal/cookie-policy

The operation of the LinkedIn company page, including the processing of users' personal data, is legal based on Art. 6 para. 1 sent. 1 lit. f GDPR in order to safeguard our legitimate interests in providing information and interaction opportunities via LinkedIn for and with our users and visitors. For the LinkedIn retargeting cookie and applications via our LinkedIn company page, your consent serves as the legal basis, Art. 6 para. 1 sent. 1 lit. a GDPR. Further legal bases for data processing may arise in individual cases from Art. 6 para. 1 sent. 1 lit. b GDPR. We delete personal data as soon as the purpose of the data processing has been achieved and there are no further legal grounds against the deletion of the data. In the case of data transfers outside the EU or EEA, LinkedIn states that it guarantees an adequate standard of protection as defined in Art. 44 etc seq. GDPR. This is implemented in particular by concluding standard contractual clauses.

Further information on data processing can be found in LinkedIn's privacy policy here: https://de.linkedin.com/legal/privacy-policy

G. Instagram

We operate our Instagram company page to inform you and to communicate with you as a user, interested party, business partner or potential employee/applicant.

The platform provider is Instagram LLC, 1601 Willow Road, Menlo Park, CA 94025, USA.

When calling up Instagram profiles, personal data (e.g. IP address or information on the end device) may already be collected by Instagram. If you carry out an action on our Instagram company website (e.g. comments, posts, likes, etc.), it may be that you make personal data (e.g. clear name or photo of your user profile) public. Every user is free to publish personal data through activities. The user information is used, among other things, to provide us as operators of the company pages with statistical information about the use of the pages. However, since we generally or to a large extent have no influence on the processing of your personal data by Instagram, we cannot make any binding statements about the purpose and scope of the processing of your data.

The legal basis for the operation of our Instagram company page and the associated data processing is Art. 6 para. 1 sent. 1 lit. f GDPR. Our legitimate interest is the interaction or communication with our users and visitors. The use of tracking and analysis tools by Instagram is based on Art. 6 para. 1 sent. 1 lit. a GDPR. To ensure appropriate safeguards for the protection of the transfer and processing of personal data outside the EU or EEA, the transfer of data to and processing of data by Instagram is based on appropriate safeguards pursuant to Art. 44 et seq. GDPR, in particular by concluding so-called standard data protection clauses pursuant to Art. 46 para. 2 lit. c GDPR.

Further information on data processing can be found in Instagram's privacy policy here: https://privacycenter.instagram.com/policy/?entry_point=ig_help_center_data_policy_redirect

H. TikTok

We operate our TikTok company website to inform you and communicate with you as a user, interested party, business partner or potential employee/applicant.

The provider of the platform is TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland.

TikTok may collect data when you visit our company website. In the context of interactive functions (e.g. commenting, sharing, rating), personal data is also processed by TikTok. Based on the processed user data, TikTok provides us with statistical evaluations and analyses. TikTok does not disclose full information about the processing of user data for its own purposes. Therefore, it is not possible for us to provide binding information on the processing of user data by TikTok.

The processing of your data when contacting or interacting with our company website or its content is carried out by us on the legal basis of Art. 6 para. 1 sent. 1 lit. f GDPR. Our legitimate interest is the interaction or communication with our users and visitors. If data transfers to third countries outside the EU or the EEA occur, TikTok states that it takes appropriate safeguards within the meaning of Art. 44 et seq. GDPR.

Further information on data processing can be found in TikTok's privacy policy here: https://www.tiktok.com/legal/page/eea/privacy-policy/de-DE and https://www.tiktok.com/legal/tiktok-website-cookies-policy?lang=de-DE

I. Facebook

We operate our Facebook company page to inform you and to communicate with you as a user, interested party, business partner or potential employee/applicant.

The platform provider is Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland.

Via the so-called “Insights” of the Facebook page, statistical data of different categories are available to us. These statistics are generated and provided by Facebook. As the operator of the company page, we have no influence on the generation and presentation of these statistics. We cannot disable this function or prevent the generation and processing of the data.

For a selectable period of time and for the categories “fans”, “subscribers”, “reached persons” and “interacting persons”, the following data is provided by Facebook in relation to our Facebook company page:

• Total number of page views, likes, page activity, post interactions, reach, video views, post reach, comments, shared content, replies, proportion of men and women, country and city origin, language, clicks on route planners, clicks on telephone numbers.

• Data on the Facebook groups linked to our Facebook company page are also provided in this way.

We use this data, which is available in aggregated form, to make our posts and activities on our Facebook page more attractive to users. In this context, we receive anonymised data on the users of our Facebook fan page. It is therefore not possible for us to draw any conclusions about your person. For example, we use the distribution according to age and gender for an adapted approach and the preferred visiting times of the users for a time-optimised planning of our posts. Information about the type of end devices used by visitors helps us to adapt the visual design of the posts accordingly. In accordance with the Facebook terms of use, which each user has agreed to when creating a Facebook profile, we can identify the subscribers and fans of the page and view their profiles as well as other information shared by them.

The processing of your data when contacting or interacting with our company website or its content is carried out by us on the legal basis of Art. 6 para. 1 sent. 1 lit. f GDPR. Our legitimate interest is the interaction or communication with our users and visitors. If data transfers to third countries outside the EU or the EEA occur, Facebook states that it will take appropriate safeguards in accordance with Art. 44 et seq. GDPR.

Further information on data processing can be found in Facebook's privacy policy here: https://www.facebook.com/privacy/policy/?entry_point=facebook_page_footer

J. YouTube

We operate our YouTube company page to inform you and to communicate with you as a user, interested party, business partner or potential employee/applicant.

The platform provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

By using Google, your personal data will be collected, transferred, stored, disclosed and used by Google and transferred to, and stored and used in, the United States, Ireland and any other country in which Google does business, regardless of your country of residence. There is a transfer to Google-affiliated companies as well as to other trustworthy companies or persons who process them on behalf of Google. On the one hand, Google processes your voluntarily entered data such as name and user name, email address or telephone number. Google also processes the content that you create, upload or receive from others when using the services. This includes, for example, photos and videos that you save, documents and spreadsheets that you create, and comments that you write on YouTube videos. On the other hand, Google also evaluates the content you share to determine what topics you are interested in, stores and processes confidential messages that you send directly to other users, and can determine your location using GPS data, wireless network information or your IP address in order to send you advertising or other content. Google may use analysis tools such as Google Analytics for evaluation purposes. We have no influence on the use of such tools by Google and have not been informed about such potential use. If tools of this type are used by Google for our company page on YouTube, we have neither commissioned this nor supported it in any other way. Nor will the data obtained during the analysis be made available. Only certain data of the subscribers' profiles are visible to us via our account. Moreover, we have no possibility to prevent or turn off the use of such tools on our YouTube channel. Finally, Google also receives information when you view content, for example, even if you have not created an account. This so-called “log data” may be the IP address, browser type, operating system, information about the website you visited previously and the pages you viewed, your location, your mobile provider, the terminal device you use (including device ID and application ID) as well as the search terms you used and cookie information.

We have embedded YouTube videos in our newsroom on the website, which are stored on http://www.YouTube.com and can be played directly from our website. In principle, when you call up a page with embedded videos, your IP address is already sent to YouTube/Google and cookies are installed on your computer. However, we have embedded our videos in “extended data protection mode”, i.e. no data about you as a user is transmitted to YouTube/Google if you do not play the videos. Only when you click on the video to play it will the following data be transmitted: IP address, date and time of the request, time zone difference to Greenwich Mean Time (GMT), content of the request (specific page), access status/HTTP status code, amount of data transmitted, website from which the request came, browser, operating system and its interface, language and version of the browser software, hardware used (PC, smartphone, etc.), location (if Google Maps is activated). We have no influence on this data transmission. By visiting our website and playing the videos, YouTube/Google receives the information that you have accessed the corresponding sub-page of our website. If you are logged in to Google, this data is directly assigned to your account. If you do not wish this to be associated with your YouTube profile, you must log out before activating the button. We have no influence on the type and scope of the data processed by Google, the type of processing and use or the transfer of this data to third parties. We also have no effective control options in this respect.

The processing of your data when contacting or interacting with our company website or its content is carried out by us on the legal basis of Art. 6 para. 1 sent. 1 lit. f GDPR. Our legitimate interest is the interaction or communication with our users and visitors.

You have options to restrict the processing of your data in the general settings of your Google account. In addition to these tools, Google also offers specific privacy settings on YouTube. For more information on data processing, please see the Google and YouTube privacy policy here: https://policies.google.com/privacy?hl=de&gl=de#infocollect and https://policies.google.com/technologies/product-privacy?hl=de&gl=de and https://policies.google.com/privacy?hl=de&gl=de#infochoices

K. Xing

We operate our Xing company page to inform you and to communicate with you as a user, interested party or potential employee/applicant.

The platform provider is Xing SE, Dammtorstraße 30, 20354 Hamburg, Germany.

While you are using Xing, user data is automatically processed by the provider. Through interactions on the platform (commenting, sharing content, etc.), further data processing may occur. We would like to point out that we, as the provider of our company website, have no knowledge of the content of the transmitted data or its use by Xing. We have no influence on the scope of the data that Xing collects.

The processing of your data when contacting or interacting with our company website or its content is carried out by us on the legal basis of Art. 6 para. 1 sent. 1 lit. f GDPR. Our legitimate interest is the interaction or communication with our users and visitors. Further legal bases for data processing may arise in individual cases from Art. 6 para. 1 sent. 1 lit. b GDPR. If data is collected by Xing for the purpose of measuring and optimising advertising, the legal basis is Art. 6 para. 1 lit. a GDPR. We delete personal data as soon as the purpose of the data processing has been achieved and there are no further legal grounds against the deletion of the data. Should data transfers to third countries outside the EU or EEA occur, Xing guarantees an adequate standard of protection within the meaning of Art. 44 et seq. GDPR.

Further information on data processing can be found in Xing's privacy policy here: https://privacy.xing.com/de/datenschutzerklaerung

L. Kununu

We operate our Kununu company page to inform you and to communicate with you as a user, interested party or potential employee/applicant.

The provider of the platform is New Work SE, Am Strandkai 1, 20457 Hamburg, Germany.

While you are using Kununu, the provider automatically processes user data. Through interactions on the platform (commenting, sharing content, etc.), further data processing may occur. According to Kununu, personal data is only collected, processed and/or used if the users have consented or if this is permitted by law. We would like to point out that we, as the provider of our company website, have no knowledge of the content of the transmitted data or its use by Kununu. We have no influence on the scope of the data that Kununu collects.

The processing of your data when contacting or interacting with our company website or its content is carried out by us on the legal basis of Art. 6 para. 1 sent. 1 lit. f GDPR. Our legitimate interest is the interaction or communication with our users and visitors. Further legal bases for data processing may arise in individual cases from Art. 6 para. 1 sent. 1 lit. b GDPR. If data is collected by Kununu for the purpose of measuring and optimising advertising, the legal basis is Art. 6 para. 1 sent. 1 lit. a GDPR. We delete personal data as soon as the purpose of the data processing has been achieved and there are no further legal grounds against the deletion of the data. Should data transfers to third countries outside the EU or EEA occur, Kununu (Xing) guarantees an adequate standard of protection within the meaning of Art. 44 et seq. GDPR.

For more information on data processing, please see Kununu's privacy policy here: https://www.kununu.com/de/info/agb and https://privacy.xing.com/de/datenschutzerklaerung

M. Rights of data subjects

You have the right to receive information about your personal data we have saved, the right to arrange for incorrectly saved personal data to be corrected or – if relevant – to change or revoke your consent to data processing at any time, including without providing a reason with future effect, the right to restrict the processing of your personal data with future effect, to revoke the processing of your personal data with future effect or to demand the deletion of your personal data. Under the conditions set out in Art. 20 GDPR, you have the right to receive the personal data concerning you, which has been saved, in a structured, commonly used and machine-readable format and the right to transmit that data to another responsible party without hindrance on our part.

To exercise your rights, you may contact our data protection officer mentioned in section B above. In order to avoid possible cases of misuse, we may require that inquiries be accompanied by a handwritten signature or that the inquirer otherwise legitimize himself.

Furthermore, without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement, if the data subject considers that the processing of personal data relating to him or her infringes the GDPR.

N. Changes to this privacy policy

Constant technological development, changes to our services or the legal situation and other reasons may require adjustments to our data protection notice. We therefore reserve the right to change this privacy policy at any time with effect for the future. The current version is available on our website. Please visit our website regularly and inform yourself about the applicable data protection provisions.

Data protection law information for the career website

Dear Sir/Madam,

we inform you with the following data protection information about how we collect personal data as part of your application process and for what purpose the data is processed.

A. The party responsible for data processing and contact details of the data protection officer

This data protection law information applies to the career website and the applicant management system of

Following CRONIMET subsidiaries come also into question as a party responsible for data processing

You can reach the data protection officer of CRONIMET Ferroleg., CRONIMET Raw Materials, ERG-Edelstahl Recycling, CRONIMET Dortmund and Metalloy Metalle-Legierungen by post at the above addresses by stating “Data protection officer” or by email via: datenschutz@cronimet.de.

You can reach the data protection officer of CRONIMET Envirotec by post at the above address by stating “Data protection officer” or by email via: email@iitr.de.

B. Purposes and legal basis of processing, data categories

1. Processing of personal data carried out on behalf of a controller

For the efficient implementation of application procedures, we use an applicant management system of softgarden e-Recruiting GmbH, Tauentzienstr. 14, 10789 Berlin, Germany (contact: datenschutz@softgarden.de), which operates the applicant management as an order processor within the meaning of Art. 4 No. 8 GDPR. A contract for order processing in accordance with Art. 28 GDPR has been concluded with the provider, which ensures compliance with the provisions of data protection law.

We remain your first point of contact for exercising your data protection rights and for handling the application process. You can contact us directly or, if indicated, confidentially contact the data protection officer under the details of the data controller given above.

2. Subject of data protection

The subject of data protection is the processing of personal data, in this case in the context of applicant management. According to Art. 4 No. 1 GDPR, this includes all information relating to an identified or identifiable natural person (hereinafter “data subject”) that is required for the implementation of the application procedure as well as the initiation of an employment relationship, § 26 Federal Data Protection Act (“BDSG”).

In addition, within the scope of the use of the applicant management, data related to the use, so-called usage data, is also collected. Usage data is data that is required to operate our websites, such as information about the start, end and extent of use of our website, including login data. This processing is in accordance with the provisions of data protection and telemedia law.

In the context of the application process and/or the use of the system, processing activities may also take place that are either based on legitimate interest pursuant to Art. 6 para. 1 sent 1 lit. f GDPR or on the basis of your consent pursuant to Art. 6 para. 1 sent 1 lit. a GDPR. Processing activities that are subject to a legal obligation to process or a public interest, Art. 6 para. 1 sent 1 lit. c and lit. e GDPR, such as in the context of law enforcement or investigation of government agencies, also come into consideration.

Through individual settings in your web browser, the configuration of the corresponding cookie settings and their user behavior, you can determine and control the scope of processing yourself.

3. Visiting the career website

For operational and maintenance purposes and in accordance with the provisions of telemedia law, interaction is recorded (“system logs”), which are necessary for the operation of the website or processed for system security purposes, for example to analyze attack patterns or unlawful usage behavior (“evidence function”).

Your Internet browser automatically transmits the following data when you access the careers portal:

• Date and time of access,

• browser type and version,

• operating system used,

• amount of data sent,

• IP address of the access.

This data is not used for direct assignment within the scope of applicant management and is deleted again promptly in accordance with the legitimate retention periods, unless longer retention is required for legal or factual reasons, such as for evidentiary purposes. In individual cases, storage for the above-mentioned purposes may be considered. The legal basis is Art. 6 para. 1 sent 1 lit. f GDPR as well as telemedia law.

4. Session cookies

We store so-called “cookies” to provide you with an extensive range of functions and to make the use of our websites more comfortable. “Cookies” are small files that are stored on your computer with the help of your Internet browser. If you do not wish “cookies” to be used, you can prevent them from being stored on your computer by making the appropriate settings in your Internet browser. Please note that the functionality and scope of functions of our offer may be limited as a result.

We set the cookie JSESSIONID on the career website as a technically necessary session cookie. This stores a so-called session ID, with which various requests of your browser can be assigned to the common session. This allows your computer to be recognized when you return to our website. This session cookie is deleted when you log out or close the browser.

Optional cookies based on consent are only set after confirmation in the cookie banner. You can edit your cookie settings at any time by clicking on the lock icon at the bottom left of the career website.

5. Application process, transfer of data

As part of the application process, you can set up and manage an account in the career portal after configuring a user name and password. You can use further options in the softgarden applicant management system beyond the individual application and make your individual settings (e.g. inclusion in a talent pool).

For an efficient and promising application, you can provide the following information in particular as part of your application to us:

• Contact details (address, phone number),

• Curriculum vitae data, e.g. as follows

  • School education

  • Vocational training

  • work experience

  • Language skills

• Profiles in social networks (e.g. XING, LinkedIn, Facebook),

• Documents related to job applications (application photos, cover letter, references, work samples, etc.).

The legal basis for processing for the purposes of carrying out the application process and initiating an employment relationship is § 26 para. 1 BDSG. In addition, the use of the applicant management system by the controller is in the legitimate interest pursuant to Art. 6 para. 1 sent 1 lit. f GDPR. If consent within the meaning of Art. 6 para. 1 sent 1 lit. a GDPR is required for a specific processing activity, this will be obtained separately and transparently from you by the controller, unless this results from conclusive and voluntary behavior on your part in accordance with the transparency requirement, such as voluntary participation in a video interview.

Your data will not be passed on to unauthorized third parties as part of the applicant management process and will be processed for the purposes stated in this data protection declaration. Thus, the inspection by internal departments and specialist managers of the person responsible is in the legitimate interest, insofar as knowledge of the information from the application process is necessary and permissible for the selection of applicants or internal administrative purposes of the company. For this purpose, your details may be forwarded to third parties within the company by e-mail or within the management system. The legal basis may be § 26 para. 1 BDSG, Art. 6 para. 1 sent 1 lit. f as well as lit. a GDPR.

The transfer to third parties also takes place within the scope of commissioned processing pursuant to Art. 28 GDPR, i.e. within the scope of processing activities in which the controller has a legitimate interest in outsourcing processing activities that it is otherwise entitled to perform itself. For this purpose, the controller shall take the measures to ensure compliance with the data protection provisions.

In addition, disclosure to external third parties may take place for the defense of legal claims based on legitimate interest or in the context of the investigation of or disclosure to government agencies, to the extent required by law or if there is an obligation to disclose. The information obligations vis-à-vis data subjects within the meaning of Art. 13, 14 GDPR are ensured in advance of the relevant transfer, insofar as these are to be fulfilled separately.

6. Feedback module

Accompanying your application, we may ask you to submit your feedback after an interview and 3 months after you are hired. For this purpose, we will send you an invitation link that will lead you to the rating system to submit your feedback. The purpose of the processing is the further development and optimization of our recruiting and application processes as well as the corporate image.

For this purpose, the following data is processed automatically:

• Contact details (name, email),

• Position title of the job for which you have applied,

• Location of the position,

• Job category,

• Applicant ID.

The feedback itself is stored anonymously in the database. A personal reference is not established. In addition to a star rating for individual questions, you have the option of leaving comments here. We expressly ask you not to leave any personal data in the comments. The information collected in this way may be displayed together with your feedback on our rating page or transmitted to external partners such as kununu.

Participation is purely voluntary and takes place only with your consent, without which the submission of feedback is not possible. The legal basis is Art. 6 para. 1 sent 1 lit. a GDPR.

7. Salary statistics “Salary statistics” module

Softgarden will give you the opportunity to provide feedback about your salary expectations and salaries offered to you in different steps of the application process.

The information provided in this process will be processed anonymously and without any link to your name and contact details. Softgarden processes this data anonymously for its own purposes (statistics, analysis, studies) and is the controller for this processing within the meaning of Art. 4 No. 7 GDPR.

The processing only takes place with your consent through participation and on a purely voluntary basis. The legal basis is Art. 6 para. 1 sent 1 lit. a GDPR.

8. Social share buttons

It is possible to share the job ads on different social networks. For this purpose, different buttons are offered per network. After clicking on one of these buttons, you will be referred to the respective networks and will be taken to their login pages. These buttons do not represent plug-ins and do not transmit any personal data directly to the operators of the social networks.

Currently, the job ads can be shared on the following social networks:

• Facebook (https://de-de.facebook.com/privacy/explanation)

• Twitter (https://twitter.com/de/privacy)

• LinkedIn (https://www.linkedin.com/legal/privacy-policy?trk=uno-reg-join-privacy-policy)

• Xing (https://privacy.xing.com/de/datenschutzerklaerung)

The legal basis is Art. 6 para. 1 sent 1 lit. f GDPR for statistical analysis and coverage measurement of job ads.

Under the links provided, you can also find out how the aforementioned social networks process your personal data. We expressly state that we have no influence on the processing of your personal data by the social networks. Please also see the data protection law information on our social media channels.

9. Online surveys “Easyfeedback”

At the end of the application process you may be shown an invitation to a survey by softgarden via a link. The survey takes place via a service of easyfeedback GmbH, Ernst-Abbe-Str. 4, 56070 Koblenz, Germany (https://easy-feedback.com/) in order to query the application experience. Softgarden conducts this survey as controller within the meaning of Art. 4 No. 7 GDPR and, according to its own information, processes the collected data anonymously for its own purposes (statistics, analysis, studies) as well as for the further development of softgarden products.

Softgarden states that the collection of the survey data is secured by default via the SSL encryption process and that softgarden does not establish any personal reference within the scope of the evaluation. The survey can be cancelled at any time. The data processed up to the point of cancellation may be used by softgarden for the purposes stated.

Softgarden states that your participation in the survey is purely voluntary and that by participating you declare your consent, without which your participation is not possible, Art. 6 para. 1 sent 1 lit. a GDPR. According to softgarden, the data is processed anonymously for evaluation purposes.

You can find more information about the data protection of easyfeedback in the following notes: https://easy-feedback.com/privacy/data-protection/

10. Talentpool

As part of your application or via the “Get in touch” button, you have the opportunity to recommend yourself for our talent pool. This processing is necessary in order to be considered automatically for further job postings, i.e. for similar or otherwise suitable positions. If you register for the talent pool via the “Get in touch” button, the following information will be requested:

• Salutation, academic title (optional),

• First name, last name, email address,

• Job fields of interest,

• Current career level,

• Preferred location(s),

• XING profile or curriculum vitae.

Inclusion in the talent pool is purely voluntary with your consent as well as through the use of an opt-in link. The legal basis is Art. 6 para. 1 sent 1 lit. a GDPR.

C. Automated decision making

Automated decision making does not take place. Should this be or become necessary, we will obtain transparent consent at the appropriate point in advance of processing.

D. Duration of storage and use of data

Your data will be stored for the duration of the application process and in accordance with legitimate retention periods after completion of the application process. In the event of a rejection, the data will be retained for a maximum of 6 months, provided that no other legitimate interests on our part oppose deletion or you have not given us consent for longer storage. Other legitimate interest in this sense is, for example, a duty to provide evidence in proceedings under the General Equal Treatment Act (AGG). After the retention period has expired, the data is completely anonymized. The processing of anonymized data records is not subject to the material scope of the data protection provisions, so that anonymized data may be processed for statistical and analytical purposes, for the preparation of market studies or for product development.

E. Rights of data subjects

You have the right to receive information about your personal data we have saved, the right to arrange for incorrectly saved personal data to be corrected or – if relevant – to change or revoke your consent to data processing at any time, including without providing a reason with future effect, the right to restrict the processing of your personal data with future effect, to revoke the processing of your personal data with future effect or to demand the deletion of your personal data. Under the conditions set out in Art. 20 GDPR, you have the right to receive the personal data concerning you, which has been saved, in a structured, commonly used and machine-readable format and the right to transmit that data to another responsible party without hindrance on our part.

To exercise your rights, you can contact the data controller or data protection officer mentioned in section A. In order to avoid possible cases of misuse, we may require that inquiries be accompanied by a handwritten signature or that the inquirer otherwise legitimize himself.

Furthermore, without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement, if the data subject considers that the processing of personal data relating to him or her infringes the GDPR.

F. Right of withdrawal in the case of consent

If you agreed to the processing by making a corresponding declaration of consent, you can revoke your consent at any time for the future. The withdrawal of consent shall not affect the lawfulness of using and processing based on consent before its withdrawal.

G. Changes to this privacy policy

Constant technological development, changes to our services or the legal situation and other reasons may require adjustments to our data protection notice. We therefore reserve the right to change this privacy policy at any time with effect for the future. The current version is available on our website. Please visit our website regularly and inform yourself about the applicable data protection provisions.

Data protection law information for the CRONnect-App

Dear Sir/Madam,

we inform you with the following data protection information about the processing of your personal data in the context of the use of our CRONnect-App.

A. Who is the party responsible for data processing and how can you contact us? What are the contact details of the data protection officer?

The party responsible for data processing is your CRONIMET contractual partner, i.e. the CRONIMET company of the CRONIMET Holding Group with which you are in business contact and whose employee contacted you for registration in the CRONnect-App and to whom you provided your data for the initial registration. The following CRONIMET companies come into question as a party responsible for data processing:

You can reach the data protection officer for CRONIMET Ferroleg., CRONIMET Raw Materials, CRONIMET Dortmund, Metalloy Metalle-Legierungen and for ERG-Edelstahl Recyclingof by post at the above address by stating “Data protection officer” or by email via: datenschutz@cronimet.de.

B. What categories of data are processed? What are the purposes and legal bases of the processing?

We process personal data in our CRONnect-App that we receive from you in the context of business relationships or contract initiation. This is usually your username, password, email address, language, role in the company, assignment to one or more business partners and optionally your landline and/or mobile phone number. The mandatory information is marked accordingly.

The creation of the user in the CRONnect-App with the mandatory and, if applicable, optional information is carried out by a CRONIMET employee with your consent. As a user, you will then receive the user name for the initial registration in an email together with the link to the CRONnect-App and the link to the password assignment. When you register for the first time, you will generate a secret password. As a user of the CRONnect-App, you can manage the following data in the user management at any time: password, language setting, landline and/or mobile phone number, default currency and default weight unit.

We process your personal data exclusively within the scope of the legal terms, particularly under consideration of the regulations of the General Data Protection Regulation (“GDPR”). We process your personal data in our CRONnect-App on the basis of the following described legal bases and for the purposes of

• contract negotiation, contract implementation and termination of the contractual relationship (Art. 6 para. 1 sent. 1 lit. b GDPR) in particular fulfilment of a contract such as overview of contracts, viewing of delivery deadlines, current status of deliveries, preparation of findings or weighing processes; general communication with business partners e.g. answering enquiries about goods and services;

• based on consent given (Art. 6 para. 1 sent. 1 lit. a GDPR), in particular to enter the above-mentioned mandatory information in the CRONnect-App for the registration and subsequent activation and use of the CRONnect-App;

• based on a legitimate interest (Art. 6 para. 1 sent. 1 lit. f GDPR); e.g. measures for IT security.

C. Who receives your personal data? Will personal data be transferred to a third country?

We transmit your personal data:

• if applicable, to the CRONIMET contact persons responsible for answering your enquiry,

• if applicable, to companies of our CRONIMET Holding group, if this is necessary to fulfil the purposes mentioned in section B. above,

• if applicable, to external service providers as processors within the meaning of Art. 28 GDPR in the context of the supply of the CRONnect-App. Data processing agreements have been concluded with these service providers to ensure the protection of your personal data.

The above described recipients may also be located in countries outside of the European Economic Area (“third countries”). Third countries may not have the same level of data protection as in the European Economic Area. If data transmission takes place in a third country, we ensure that this transmission only takes place according to the terms of the legal regulations (chapter V GDPR).

D. How long will your personal data be stored?

Personal data is generally deleted after expiry of the legal (primarily trade and tax law) retention periods. If personal data is not affected by legal retention obligations, it will be deleted when it is no longer required for the purposes described in section B. above. A different retention period may apply if you consented when the data was collected.

E. What are rights the of data subjects?

You have the right to receive information about your personal data we have saved, the right to arrange for incorrectly saved personal data to be corrected or – if relevant – to change or revoke your consent to data processing at any time, including without providing a reason with future effect, the right to restrict the processing of your personal data with future effect, to revoke the processing of your personal data with future effect or to demand the deletion of your personal data. Under the conditions set out in Art. 20 GDPR, you have the right to receive the personal data concerning you, which has been saved, in a structured, commonly used and machine-readable format and the right to transmit that data to another responsible party without hindrance on our part.

In addition, you may contact the party responsible or the data protection officer mentioned in section A. above. In order to avoid possible cases of misuse, we may require that inquiries be accompanied by a handwritten signature or that the inquirer otherwise legitimize himself.

Furthermore, without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement, if the data subject considers that the processing of personal data relating to him or her infringes the GDPR.

F. What does the right of withdrawal mean?

If you agreed to the processing by making a corresponding declaration of consent, you can revoke your consent at any time for the future. The withdrawal of consent shall not affect the lawfulness of using and processing based on consent before its withdrawal.

G. Changes to this privacy policy

Constant technological development, changes to our services or the legal situation and other reasons may require adjustments to our data protection notice. We therefore reserve the right to change this privacy policy at any time with effect for the future. The current version is available on our website. Please visit our website regularly and inform yourself about the applicable data protection provisions.