1. Background and terminology

This data protection declaration informs you about the type, scope, and purpose of the processing of
your personal data by the data controller under data protection law pursuant to Art. 13 and 14 of the
General Data Protection Regulation (GDPR).

Data protection legislation, in particular the GDPR, defines the following terms:

Data processor

The data processor is a natural or legal person, public authority, agency, or other body who processes
personal data on behalf of the data controller (Art. 4 no. 8 GDPR).

Cookies

A cookie is text information that can be stored in the browser of the viewer’s end device (computer, laptop, smartphone, tablet, etc.) for each website visited (web server, server). The cookie is either sent from the web server to the browser or generated in the browser by a script (JavaScript). When you return to this website at a later time, the web server can read out this cookie information directly from the server or transfer the cookie information to the server via a script on the website. (Source: Wikipedia)

Data security

Data security is the confidentiality, availability, and integrity of personal data; this is also referred to as technical and organizational measures (Art. 32 GDPR).

Data processing

Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (Art. 4 no. 2 GDPR).

Third country

Third country refers to countries outside the European Union for which the European Commission has not determined a level of data protection equivalent to that of the European Union (Art. 44 GDPR).

Personal data and data subjects

Personal data is all information that relates to an identified or identifiable natural person (data subject) (Art. 4 no. 1 GDPR).

Pseudonymization

Pseudonymization is the processing of personal data in such a way that the personal data can no longer be assigned to a specific data subject without the use of additional information, provided that this additional information is stored separately and is subject to technical and organizational measures to ensure that the personal data is not assigned to an identified or identifiable natural person (Art. 4 no. 5 GDPR).

Data controller

The data controller is the natural or legal person, public authority, agency, or other body which alone or jointly with others determines the purposes and means of processing personal data (Art. 4 no. 7 GDPR).

Web beacons

Web beacons (also known as tracking pixels or web bugs, among other names) are small graphics in HTML emails or on websites that enable log file recording and log file analysis, which are often used for the statistical evaluation of online marketing (source: Wikipedia).

2. Data controller

The data controller pursuant to data protection legislation is Perseus Technologies GmbH (“Perseus” & “we”) based in Hagelberger Straße 53-54 in 10965 Berlin.

3. Data protection officer

We have appointed a data protection officer. You can contact our data protection officer by writing to the “Data Protection Officer” at the address of the company headquarters, or via email at datenschutz@perseus.de.

4. Details of data processing for each category of data subjects

4.1. Website visitors

If you visit our website at perseus.de (“website”), we process your personal data as follows:

To do so, we use the services of third parties. These services also include the use of cookies (essential cookies, functional cookies, analysis cookies, statistics cookies, marketing cookies and other third-party cookies). Specific information on the individual cookies and individual setting options can be found under “Individual settings” in the consent management tool.

Here you can give your consent to processing and/or object to processing on the basis of legitimate interest. You can also adjust your preferences at a later point in time or withdraw your consent with effect for the future. Please note that without your consent, individual website features may not function properly.

4.1.1. Provision of website content

Purpose

  • Establishing the technical connection between the visitor’s device and our website (conducting the session)
  • Maintaining and improving the functionality of the website
  • Maintaining and improving information security and data security (confidentiality, availability, and integrity) of the website (data storage in log files)

Categories of data processed

  • IP address of the accessing system
  • Type and version of browser used on the end device
  • Internet service provider of the accessing system
  • Date and time of access as well as whether access was successful or not
  • Third-party websites from which the user’s system reached our website
  • Third-party websites that are accessed by the user’s system via our website

Categories of recipients

  • Website hosting – Winter Business Net GmbH, Feithstr. 68, 58095 Hagen

Third-country data transfer

  • no

Storage duration and criteria

  • Session: Data deleted at the end of the respective session
  • Log files: Data deleted after 90 days or anonymized

Legal basis

  • Art. 6 para. 1 b) and f) GDPR (performance of a contract and legitimate interest)

4.1.2. Contact

As a visitor to our website, you can use various options to contact us. Currently these include: Contact form, email, telephone, and live chat. Contact is primarily established via Freshworks applications. We use the following Freshworks systems: Freshsales as a customer relationship management system (CRM system), Freshdesk as a helpdesk system, and Freshchat as a chat system.

Purpose

  • Acceptance, checking, and processing of inquiries
  • Customer relationship management

Categories of data processed

  • Contact information via contact form, email, telephone, or social media: Name, email address, and optional telephone number
  • Connection data: IP address as well as date and time of contact form registration; if applicable, transfer to third parties via cookies (this can be managed via the consent management tool), email address, social media username, if applicable telephone number
  • Contents of the completed contact form, emails, live chats, and telephone calls may contain personal data

Categories of recipients

  • Freshworks Inc., 1250 Bayhill Drive, Suite 315, San Bruno, CA 94066, USA
  • Email and telecommunications providers, social media channels

Third-country data transfer

  • To the USA to Freshworks
  • We have concluded an agreement with Freshworks based on the EU standard data protection clauses, thus enabling data to be transferred with appropriate safeguards pursuant to Art. 46 GDPR.

Storage duration and criteria

  • 3 months after completion of the respective enquiry

Legal basis

  • Art. 6 para. 1 b) GDPR (performance of a contract)
  • Art. 6 para. 1 f) GDPR (legitimate interest)

4.1.3. Appointment booking

We use the Calendly service to book appointments for subsequent live demonstrations of our services via our website.

Purpose

  • Booking appointments for live demonstrations for interested parties
  • Calendar and comment function

Categories of data processed

  • Contact details via booking form: Name, email address and company name
  • Content data of the contact (title, comment)

Categories of recipients

  • Calendly, Inc., 115 E Main St., Ste A1B Buford, GA 30518, USA (“Calendly”)

Third-country data transfer

  • To the USA to Calendly
  • We have concluded an agreement with Calendly based on the EU standard data protection clauses, thus enabling data to be transferred with appropriate safeguards pursuant to Art. 46 GDPR.

Storage duration and criteria

  • 3 months after completion of the respective enquiry
  • In addition to the essential cookies, consent or refusal to the collection of the following data can be specified:
    • Performance cookies – data to measure performance, data is collected in aggregated and anonymised form
    • Functional cookies – enable the website to provide enhanced functionality and personalisation
    • Targeting cookies – cookies that can be set by advertising partners, do not store any direct personal data but are based on the unique identification of the browser and device

Legal basis

  • Art. 6 para. 1 b) GDPR (performance of a contract)
  • Art. 6 para. 1 f) GDPR (legitimate interest)

4.1.4. Website optimization and reach analysis (analysis and statistics)

We process the personal data of visitors to our website in order to optimize our website and conduct reach analysis. You can find detailed information on this type of data processing in the consent management tool under “Analysis and statistics”. The legal basis for processing is Art. 6 para. 1 f) GDPR (legitimate interest).

4.1.5. Social media and targeted advertising

On our website, we give you the option of sharing content directly via social media and networks. For social media sharing, we use so-called Shariff social media buttons, so that the content is shared within selected social networks while maintaining appropriate data protection. In contrast to the usual social plugins, which process data when you visit the website, Shariff only establishes direct contact with the respective social network when you actively click on a social button to share a post.

You can find detailed information on this type of data processing in the consent management tool under “Marketing and other third-party cookies”. The legal basis for processing is Art. 6 para. 1 a) GDPR (consent).

4.2. Perseus’ customers and their employees

If you are a Perseus customer who uses Perseus services or an employee of a Perseus customer (data subject group), we process your personal data as follows.

Insofar as Perseus processes personal data on behalf of customers (“processing on behalf”), Perseus’ customers and other recipients of Perseus services are entitled to adopt the description of services, inform their own data subjects and thus fulfill their own information obligations pursuant to Articles 13 and 14 GDPR.

In particular, the services or sub-services Perseus Phishing Check, Perseus Cyber Security Club and Incident Response Management may be provided by Perseus as part of the processing on behalf of customers or authorised recipients. In such cases, it is important to note that the legal basis provided for the processing is the same legal basis used by Perseus to process the data. The legal basis for the customer or the authorised users as the data controller as defined by data protection legislation, on whose behalf Perseus is processing the data, may differ from this.

This includes the following Perseus services:

Assessment

  • Perseus Phishing Check (PPC)
  • Security Baseline Check (SBC)
  • Cyber Risiko Dialog (CRD)

Awareness

  • Perseus Cyber Security Club (PCSS)
  • Threat Alert

Cyber Claims

  • Incident Response Management (IRM)

The following listing shows the details of the data processing, its purposes and legal bases, and if applicable, the legitimate interests, potential recipients or categories of recipients of the personal data, and any third-country transfers, as well as the storage period.

4.2.1. Assessment

Perseus Phishing Check (Order processing)

Purpose

In general:
  • For the purpose of maintaining information security (including cyber security) and data security (technical and organisational data protection) at the client’s premises
  • Analysing the awareness of employees
  • Raising awareness among employees
Specifically:
  • Provision of a web application for the administration of phishing checks
  • Performing phishing tests with employees of corporate clients
  • Distribution and evaluation of simulated phishing mails
  • Raising awareness of phishing

Categories of data processed

  • Names
  • Email address
  • Company name
  • Results of the phishing checks

Categories of recipients

  • Account administrators at the respective corporate customer/partner
  • Processor: Amazon Web Services Inc., Inboxroad

Third-country data transfer

  • USA (Amazon Web Services Inc.) on the basis of the EU standard data protection clauses Controller-Processor

Storage duration and criteria

  • The personal data is stored until the purpose no longer applies, after which it is deleted, unless statutory retention obligations must be fulfilled. If this is the case, the data is stored until the deadlines expire and then deleted.

Legal basis

  • Art. 6 para. 1 b) GDPR (performance of a contract)
  • Art. 6 para. 1 f) GDPR (legitimate interest)

Security Baseline Check

Purpose

  • Contact
  • Booking an appointment
  • Execution of the SBC

Categories of data processed

  • Name
  • Email address

Categories of recipients

  • Contact persons of the customer/partner
  • Processors: Amazon Web Services Inc, TeamViewer GmbH, Google Ireland Ltd, Calendly, Inc.

Third-country data transfer

  • USA (Amazon Web Services Inc., Calendly Inc.) on the basis of the EU standard data protection clauses Controller-Processor

Storage duration and criteria

  • The personal data is stored until the purpose no longer applies, after which it is deleted, unless statutory retention obligations must be fulfilled. If this is the case, the data is stored until the deadlines expire and then deleted.

Legal basis

  • Art. 6 para. 1 b) GDPR (performance of a contract)
  • Art. 6 para. 1 f) GDPR (legitimate interest)

Cyber Risiko Dialog

Purpose

  • Contract initiation, implementation and coordination for the CRD

Categories of data processed

  • Name
  • Email address

Categories of recipients

  • Contact persons of the customer/partner
  • Cooperation partner Intelliant GmbH
  • Processor: Amazon Web Services Inc

Third-country data transfer

  • USA (Amazon Web Services Inc.) on the basis of the EU standard data protection clauses Controller-Processor

Storage duration and criteria

  • The personal data is stored until the purpose no longer applies, after which it is deleted, unless statutory retention obligations must be fulfilled. If this is the case, the data is stored until the deadlines expire and then deleted.

Legal basis

  • Art. 6 para. 1 b) GDPR (performance of a contract)
  • Art. 6 para. 1 f) GDPR (legitimate interest)

4.2.2. Awareness

Perseus Cyber Security Club (Order processing)

Purpose

  • Establishing, maintaining and improving cybersecurity and data protection compliance for customers and beneficiaries
  • Technical and organisational data protection (data security) and cyber security (information security) to ensure the confidentiality, availability and integrity of information and personal data
  • Implementation and evaluation of online training courses
  • Malware scan

Categories of data processed

  • File information, such as file path, file name, hash value of files, file owner, date and time stamp
  • Network information, such as host name, fully qualified domain name, IP address, MAC address
  • Process information, such as file path, process name, hash value of processes, process owner, date and time stamp
  • Account information, such as account name, full name of the account holder, membership of local groups, account status, language settings
  • Endpoint network activity, such as destination IP address, destination port, process name, image path, host name, source port/source IP address
  • Device identity, such as Distinguished Name (DN) of the device, membership of the device in groups from Active Directory, name of the last logged-in user account
  • Participation status and results of online training sessions (dashboard)

Categories of recipients

  • Administrators (e.g. supervisors, managers or IT employees) of the customer companies or authorised beneficiaries
  • Organisational units of the customer companies or beneficiaries that are required to provide evidence
  • Processors: Amazon Web Services Inc, Dynamic Edge Software Ltd, Google Ireland Ltd, Sendinblue SAS

Third-country data transfer

  • no

Storage duration and criteria

  • The personal data is stored until the purpose no longer applies, after which it is deleted, unless statutory retention obligations must be fulfilled. If this is the case, the data will be stored until the deadlines expire and then deleted.
  • Malware scan: All emails received are automatically deleted after 5 days. This period is kept so that checks can still be carried out after downtimes, as soon as the cause of the outage has been resolved. Furthermore, this period is required in order to be able to answer any queries from customers regarding the results.

Legal basis

  • Art. 6 para. 1 b) GDPR (performance of a contract)
  • Art. 6 para. 1 f) GDPR (legitimate interest)

Threat Alerts

Purpose

  • Provision of information on security vulnerabilities and cyber incidents

Categories of data processed

  • Name
  • E-mail address

Categories of recipients

  • Administrators (e.g. supervisors, managers or IT employees) of the client company or the authorised beneficiaries
  • Processor: Freshworks Inc (Freshdesk)

Third-country data transfer

  • USA (Freshworks Inc.) on the basis of the EU standard data protection clauses Controller-Processor

Storage duration and criteria

  • The personal data is stored until the purpose no longer applies, after which it is deleted, unless statutory retention obligations must be fulfilled. If this is the case, the data will be stored until the deadlines expire and then deleted.

Legal basis

  • Art. 6 para. 1 b) GDPR (performance of a contract)
  • Art. 6 para. 1 f) GDPR (legitimate interest)

4.2.3. Cyber Claims

Purpose

In general:
  • Establishing, maintaining and improving cybersecurity and data protection compliance for customers and authorised beneficiaries
  • Technical and organisational data protection (data security) and cybersecurity (information security) to ensure the confidentiality, availability and integrity of information and personal data
Specifically:
  • Analysing and recreating security incidents
  • Issuing recommendations for action
  • Restoring systems, applications, information and data
  • Documentation of security incidents
  • Forensic preservation of evidence
  • Continuous improvement (“PDCA cycle”)

Categories of data processed

  • All personal connection and content data (master and transaction data) that is processed in the compromised systems of the customer or authorised party is potentially accessible
  • All personal data transferred to Perseus systems for analysis or forensic evidence preservation

Categories of recipients

  • Processor: SEC Consult Deutschland Unternehmensberatung GmbH and TeamViewer Germany GmbH

Third-country data transfer

  • No

Storage duration and criteria

  • The personal data is stored until the purpose no longer applies, after which it is deleted, unless statutory retention obligations must be fulfilled. If this is the case, the data is stored until the deadlines expire and then deleted.

Legal basis

  • Art. 6 para. 1 b) GDPR (performance of a contract)
  • Art. 6 para. 1 f) GDPR (legitimate interest)

4.2.4. Payment processing for Perseus services

For the purpose of payment processing, we use the external payment services Stripe, Quaderno, and FastBill.

Purpose

  • Payment processing (payments by credit card and SEPA direct debits)
  • Automatic creation of invoices
  • Semi-automatic creation of invoices

Categories of data processed

  • Inventory data
  • In particular account or payment card holder
  • Bank details incl. account or credit card number
  • Invoice amount
  • Transaction number
  • Contact details and contract information

Categories of recipients

  • Stripe Payments Europe Ltd, (Block 4, Harcourt Centre, Harcourt Road, Dublin 2, Ireland, “Stripe”)
  • Quaderno of the provider Recrea Systems, SLU (Fernando Guanarteme 111, 35010 Las Palmas, Spain, “Quaderno”)
  • FastBill GmbH (Wildunger Str. 6, 60487 Frankfurt a. M. “FastBill”) (no end customers, but other contractual partners)

Stripe, Quaderno, and FastBill process your data on our behalf. In order to protect your data, we have concluded a data processing agreement with Stripe, Quaderno, and FastBill.

Third-country data transfer

  • No

Storage duration and criteria

  • After the statutory retention requirements have expired, 6 and 10 years respectively

Legal basis

  • Art. 6 para. 1 b), c) and f) GDPR (performance of the contract, compliance with legal obligations, and legitimate interest)

4.3. Newsletter subscribers

If you are a newsletter subscriber who receives the Perseus newsletter, we process your personal data as follows.

The data you enter via the input mask provided for this purpose will be transmitted to us and processed when you register. It is mandatory to provide your email address when subscribing to the newsletter. The provision of any further data is voluntary and enables us to address you personally. At the time the message is sent, we save your IP address and the date and time of your registration via the contact form.

We use a double opt-in procedure to ensure that you only receive our newsletter if you really want to. To this end, we will send you a notification email. By clicking on the link contained in this email, you confirm that you actually want to receive our promotional emails or our newsletter.

4.3.1. Newsletter subscription

We use the Mailchimp system to send newsletters to the email addresses provided by subscribers.

Purpose

  • To send our newsletter in a lawful manner

Categories of data processed

  • Email address (required on contact form)
  • The provision of any further data is voluntary and enables us to address you personally
  • At the time the message is sent, we save your IP address and the date and time of your registration via the contact form.

Categories of recipients

  • The Rocket Science Group LLC, 675 Ponce de Leon Ave. NE, Suite 5000, Atlanta, GA 30308, USA as data processor

Third-country data transfer

  • To the USA (Rocket Science)

We have concluded an agreement with Rocket Science based on the EU standard data protection clauses in order to provide appropriate safeguards pursuant to Art. 46 GDPR. This ensures that we are meeting the legal requirements for the adequacy of the level of data protection pursuant to Art. 45 GDPR.

Storage duration and criteria

  • After unsubscribing from the newsletter (possible at any time)

Legal basis

  • Art. 6 para. 1 a) and b) GDPR (performance of the contract and consent)

4.3.2. Statistical evaluation of the newsletter

We carry out statistical evaluations of our newsletter mailing process and the response to our newsletter. We use the “MailChimp” and “Mandrill” systems. We evaluate user behavior in relation to newsletter subscriptions (e.g., when users open a message, which links they click on) and carry out statistical analysis of our newsletter campaigns.

Purpose

  • To design effective, secure, and reader-friendly newsletters
  • To secure the mailing process to the satisfaction of newsletter subscribers and thus to ensure customer acquisition

Categories of data processed

  • Email address
  • If applicable name and company
  • Technical information (time of retrieval, IP address, browser type, and operating system)

This data is collected in pseudonymized form only and is not linked to your other personal data.

Categories of recipients

  • The Rocket Science Group LLC (675 Ponce de Leon Ave NE, Suite 5000, Atlanta, GA 30308, USA, “Rocket Science”) as the data processor

Third-country data transfer

  • to the USA (Rocket Science)

We have concluded an agreement with Rocket Science based on the EU standard data protection clauses in order to provide appropriate safeguards pursuant to Art. 46 GDPR. This ensures that we are meeting the legal requirements for the adequacy of the level of data protection pursuant to Art. 45 GDPR.

Storage duration and criteria

  • Evaluation data will be deleted after 12 months at the latest (after unsubscribing from the newsletter or deactivating the display of graphics in the email program)

Legal basis

  • Art. 6 para. 1 f) GDPR (legitimate interest)

4.4. Webinar participants

If you are a webinar participant, we process your personal data as follows.

You can participate in a webinar if you have registered for this in advance on our website. Webinars are implemented and followed up using the Zoom systems.

In the virtual seminar rooms, the personal data of lecturers and participants (collectively “participants”) is processed. The lecturers and participants are therefore data subjects pursuant to the GDPR.

When participants and lecturers log in and/or enter the virtual seminar rooms, they assign themselves a virtual name tag in order to identify themselves and to enable other webinar participants to address them.

When a webinar is held, the lecturers and participants transmit video data, audio, screen content, and chat messages to everyone involved in the webinar, provided that the respective feature is enabled or actively used by the lecturer or the participant. Data is only stored and processed for the purpose of transmission and in order to document the participants; apart from this, webinars are generally not saved once the transmission has ended.

Participants have the option of chatting one-on-one in virtual private rooms or with all participants in the main room. Only the two participants involved in a one-on-one chat or the participants in the respective webinar have access to the content of the chat messages.

We occasionally take the opportunity to record webinars and subsequently make the recorded content available to the participants, as well as to document the webinar internally. If we are going to record a webinar, we will announce this in the webinar itself so that participants can decide whether they want to enable or actively use video data, audio, screen content, and chat messages and thus make them available for the recording.

We collect personal data from participants about their presence in the virtual seminar room, the length of their stay, and their use of features. This corresponds roughly to how we would observe participants in a real room.

Webinar participants via Freshworks and Zoom

Purpose

  • To enable the technical implementation of webinars (transfer of names, camera images, audio, video content, and chat messages)
  • To record webinars
  • To issue participation certificates
  • To follow up after webinars (e.g., by providing seminar documents and evaluating lecturers)
  • To request feedback from participants and, where applicable, identify areas for improvement

Categories of data processed

  • Contact information via contact form, email, telephone, or social media: name, email address, and optional telephone number
  • Connection data: IP address as well as date and time of contact form registration; if necessary, transfer to third parties via cookies (this can be managed via the consent management tool), e-mail address, social media user name, if necessary telephone number
  • Contents of the completed contact form, emails, live chats, and telephone calls may contain personal data

Categories of recipients

  • Freshworks Inc., 1250 Bayhill Drive, Suite 315, San Bruno, CA 94066, USA (“Freshworks”)
  • Zoom Video Communications, Inc., 55 Almaden Blvd, Suite 600, San Jose, CA 95113 (“Zoom”)

Third-country data transfer

  • to the USA to Freshworks and Zoom

We have concluded agreements with Zoom and Freshworks based on the EU standard data protection clauses in order to provide appropriate safeguards pursuant to Art. 46 GDPR. This ensures that we are meeting the legal requirements for the adequacy of the level of data protection pursuant to Art. 45 GDPR.

Storage duration and criteria

  • After the end of the respective webinar, the chat content is automatically deleted.
  • After we have aggregated and issued the attendance certificates, we delete the data from the virtual seminar room.

Legal basis

  • Art. 6 para. 1 a), b) and f) GDPR (consent, contract performance, and legitimate interest)

Participants are regularly given the opportunity to evaluate lecturers at the end of the webinars. We use the Google Forms service for this. Organizationally, it is impossible for us to see individual participants’ evaluations. We receive an aggregated evaluation of the lecturer.

Purpose

  • To request feedback from participants and, where applicable, identify areas for improvement

Categories of data processed

  • Response selection
  • IP addresses

Categories of recipients

  • Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland

Third-country data transfer

  • To the USA to Google

We have concluded agreements with Google based on the EU standard data protection clauses in order to provide appropriate safeguards pursuant to Art. 46 GDPR. This ensures that we are meeting the legal requirements for the adequacy of the level of data protection pursuant to Art. 45 GDPR.

Storage duration and criteria

  • Manual deletion within 90 days of recording.

Legal basis

  • Art. 6 para. 1 f) GDPR (legitimate interest)

4.5. Applicants

If you are an applicant, we process your personal data as follows.

We use the Personio recruiting system as a technical platform.

Applicant management

Purpose

  • Participation in the application process for vacant positions
  • Handling of the application process
  • Implementation of pre-contractual measures

Categories of data processed

  • Name (first name and surname)
  • Email address
  • Telephone number
  • Desired salary
  • Availability
  • Documents provided (e.g., cover letter, your resume, and references)
  • Information contained in the uploaded data (e.g. date of birth, address, etc.)

Categories of recipients

  • Authorized employees from HR
  • Employees involved in the application process
  • Employees of Personio GmbH (processor)

Third-country data transfer

  • No

Storage duration and criteria

  • Once purpose of processing has ended
  • Storage period – 6 months from the end of the application process
  • If the applicant is rejected, the data is deleted or anonymized. If the applicant is hired, the data is transferred to the applicant’s personnel file

Legal basis

  • Art. 6 para. 1 b) GDPR (performance of contract).

5. Rights of the data subject

If your personal data is processed, you are a data subject within the meaning of the GDPR. You have the following rights with respect to the data controller:

5.1. Right of access, Art. 15 GDPR

In accordance with Art. 15 GDPR, you have the right to request confirmation from us as to whether we are processing personal data relating to you. If this is the case, you can request the following information from us: Purposes of the data processing; Categories of personal data being processed; Recipients and/or categories of recipients to whom your data has been or will be disclosed; planned storage period or, if specific information on this is not available, criteria for determining the storage period; Existence of your right to rectification or deletion of data, restriction of processing or objection to processing; Existence of your right to lodge a complaint with a supervisory authority; Source of your data, if not collected by us; Existence of automated decision-making including “profiling” and, where appropriate, meaningful information on its details; Transfer of personal data to a third country or to an international organization; appropriate safeguards in accordance with Art. 46 GDPR relating to the transfer.

5.2. Right to rectification

In accordance with Art. 16 GDPR, you have the right to demand the immediate correction or completion of any personal data stored by us.

5.3. Right to restriction of processing

In accordance with Art. 18 GDPR, you have the right to demand the restriction of processing of your personal data if you contest the accuracy of the data, or if the processing is unlawful but you refuse to have the data erased. You can also demand the restriction of processing if we no longer require the data, but you require it to assert, exercise or defend legal claims, or if you have objected to the processing in accordance with Art. 21 GDPR.

5.4. Right to erasure

In accordance with Art. 17 GDPR, you have the right to demand the erasure of your personal data stored by us, unless the processing is necessary to exercise the right to freedom of expression and information, to fulfill a legal obligation, for reasons of public interest or to assert, exercise or defend legal claims.

5.5. Right to information

In accordance with Art. 19 GDPR, if you have asserted your right to rectification, erasure or restriction of processing with respect to Perseus as the data controller, we are obliged to inform all recipients to whom your personal data has been disclosed of this rectification or erasure of data or restriction of processing, unless this proves impossible or involves disproportionate effort. You have the right to request that Perseus informs you about these recipients.

5.6. Right to data portability

In accordance with Art. 20 GDPR, you have the right to receive the personal data that you provided to us in a structured, common and machine-readable format or to request its transfer to another data controller.

5.7. Right to object

In accordance with Art. 21 GDPR, you have the right to object to the processing of your data at any time. We will then no longer process your personal data unless we can demonstrate compelling legitimate grounds for processing that outweigh your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.

If your personal data is processed for the purposes of direct marketing, you have the right to object at any time to the processing of your personal data for this purpose; this also applies to “profiling” insofar as it relates to such direct marketing. If you object to the processing of your personal data for direct marketing purposes, your personal data will no longer be processed for these purposes.

5.8. Right to withdraw your consent under data protection legislation

In accordance with Art. 7 para. 3 GDPR, you have the right to withdraw your consent to the processing of your data at any time. Your withdrawal of consent does not affect the legality of the processing carried out on the basis of this consent up to the point of withdrawal.

5.9. Right to lodge a complaint with a supervisory authority

In accordance with Art. 77 GDPR, you have the right to lodge a complaint with a supervisory authority. As a rule, you can contact the supervisory authority responsible for your usual place of residence, place of work or the place of the alleged violation.

6. Status of and changes to this Privacy Policy

This Privacy Policy is valid as amended from time to time. You can visit our website at www.perseus.de/privacypolicy to access and print the current Privacy Policy at any time.

Last updated: January 2024