Privacy Notices for Sartorius Online Offerings, Business Partner Representatives and Marketing Communication

These Privacy Notices provide information on the processing of your personal data in connection with your use of Sartorius Online Offerings, Business Partners and Marketing Communication. The personal data that we collect about you depends on the context of your interactions with us, the products, services, and features that you use, your location, and applicable law.

Personal data include any information related to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

1.1 Controller and Data Protection Officer

Sartorius AG, Otto-Brenner-Straße 20, 37079 Göttingen, Germany, e-mail: info@sartorius.com ("Sartorius", "we", "our" or "us"), as controller of personal data, is responsible for the processing of your personal data in connection with your use of a Sartorius website, application or online service (each a Sartorius Online Offering).

The Data Protection Officer of Sartorius and the Sartorius Group Data Protection Organization is available to you as a contact for all data protection-related matters and for exercising your rights. They may be contacted at dataprotection@sartorius.com.


1.2 Processing Purposes, Categories of Personal Data and Legal Basis plus Sources

When visiting a Sartorius Online Offering, Sartorius may process information which you have actively and volun-tarily provided about yourself, or which has been generated by us in connection with your use of Sartorius Online Offerings, and includes the following categories of personal data for the purposes and on the legal bases specified below:


Processing Purposes

Categories of Personal Data

Legal Basis for Processing

  • Provision of the website to the general public and for the purpose of making contact possible for customers and interested parties
  • IT-related data, such as your device and user identifier, in-formation on your operating system, sites and services ac-cessed during your visit, the date and time of each visitor request, passwords, log-in de-tails as well as data and logs about your use of Sartorius Online Offerings, Sartorius in-formation technology systems, application, or services
  • Contract Performance
  • Legitimate Interest (Balancing of interests: We have a legiti-mate interest in providing an internet presence for non-reg-istered users, in order to pro-vide general information about our company)
  • Collection of statistical information about the use of the website (so-called web analysis)
  • IT-related data
  • Legitimate Interest (Balancing of interests: We have a legiti-mate interest in receiving in-formation about the use of the website, in particular, to im-prove our offering)
  • Determining malfunctions and ensuring system security, including detecting and tracking unauthorized access attempts and accessing of our web servers
  • IT-related data
  • Contract Performance
  • Legitimate Interest (Balancing of interests: We have a legiti-mate interest in eliminating malfunctions, ensuring system security and detecting and tracking unauthorized access or attempted access)
  • Delivery of website content and increasing the delivery speed and security of our website
  • IT-related data
  • Legitimate Interest (Balancing of interests: We have a legiti-mate interest in delivering our website content and increasing the delivery speed and security of our website)
  • Safeguarding and defending our rights
  • IT-related data
  • Contact data, such as name, work address, work telephone number, work mobile phone number, work fax number and work e-mail address
  • Legal Obligation
  • Legitimate Interest (Balancing of interests: We have a legiti-mate interest in asserting and defending our rights)
  • Processing your enquiries, matters and feedback
  • IT-related data
  • Contact data
  • Contract Performance
  • Legitimate Interest (Balancing of interests: We have a legiti-mate interest in processing and considering your com-ments and feedback)


1.3 Cookies

In the context of Sartorius Online Offerings, cookies and tracking mechanisms ("Cookies") may be used. If used by us without your consent, these cookies are strictly necessary to provide certain functionalities of an Sartorius Online Offering to you or to provide you with a service that you requested via the Sartorius Online Offering. Other cookies (e.g., cookies for marketing purposes) will only be used if you have given your consent. You can find further information about the use of cookies by Sartorius in the Sartorius Cookie Notice.


1.4 External links

Sartorius Online Offerings may provide links to the websites or applications offered and operated bythird parties − providers who are not affiliated with us. After you click the link, we no longer have any influence on the collec-tion, processing and utilization of any personal data that is transferred to third parties after clicking the link (for example, the IP address or the URL of the site on which the link is located), as our control of the conduct of third parties is then naturally withdrawn. We are not responsible for privacy practices or the content of external web-sites or applications.

2.1 Controller and Data Protection Officer

The Sartorius Group company that you are or have, on behalf of yourself or your employer, bought or rented a product or a service from ("Sartorius Group company"), as controller of personal data, is responsible for the processing of personal data of (prospective) customers, suppliers, vendors and partners and their representa-tives (each a Business Partner Representative).

For the purpose of this notice, the "Sartorius Group" means Sartorius AG and entities directly or indirectly con-trolled by Sartorius AG.

The Data Protection Officer of Sartorius Group company, if appointed, and the Sartorius Group Data Protection Organization are available to you as a contact for all data protection-related matters and for exercising your rights. They may be contacted at dataprotection@sartorius.com.


2.2 Processing Purposes, Categories of Personal Data and Legal Bases plus Sources

In the context of your business relationship with the Sartorius Group company, it may process information which you have actively and voluntarily provided about yourself as a Business Partner Representative, or which has been generated by us, and includes the following categories of personal data for the purposes and on the legal bases specified below:


Processing Purposes

Categories of Personal Data

Legal Basis for Processing

Initiating contact to prepare for, perform, and end a business relationship between Sartorius and the business partner for which you work or possibly with you yourself such as

  • General communication
  • Processing orders and procurements based on contracts (e.g. nomination agreement, framework agreement, order)
  • Inquiries about current orders (change requests, capacity changes, etc.)
  • Appointment organization event/participant management
  • Invoicing between Sartorius and business partners, invoicing of service periods or invoicing of expenses or costs
  • Contact person for the business relationship, business divisions, specialty divisions, projects, collaboration between the business partners
  • Collaboration as part of the business relationship, projects
  • Contact data
  • Organizational data, such as company name, job position, place of work and country
  • Financial data, such as credit or payment information and bank account details (sole traders only)
  • Contractual data, such as pur-chase orders, contracts and other agreements between you and Sartorius (sole traders only)
  • Contract Performance (to initiate and execute Contracts (if you work for yourself))
  • Legitimate Interest (Balancing of interests: We have a legitimate in-terest in collaborations with busi-ness partners, feasible structures of processes within the business relationship, with contact persons being available, controlling and invoicing of the contractual ser-vices)

Execution and processing of procurement processes within Sartorius AG or between Sartorius AG and its group companies as well as internal processes for conducting the business rela tionship such as

  • Processing of orders and procurements based on contracts (e.g. nomination agreement, framework agreement, order)
  • Reporting
  • Administration
  • Satisfying tax law review and filing duties, archiving of data
  • Bookkeeping, receivables collection
  • Contact data
  • Organizational data
  • Contractual data
  • Financial data
  • Legal Obligation
  • Contract Performance (to initiate and execute Contracts (if you work for yourself))
  • Legitimate Interest (Balancing of interests: We have a legitimate in-terest in feasible structures of processes within the business re-lationship, fulfilment of statutory and regulatory requirements)

Creating and managing entry authorization to the work premises, offices, buildings, security of the work premises such as

  • Creating factory IDs and entry authorization
  • Identifying visitors and those authorized for entry
  • Visitor administration, issuing visitor passes
  • Video surveillance of the work premises
  • Contact data
  • Organizational data
  • Image material, such as video footage that is being recorded on a Sartorius Group company closed-circuit television system (“CCTV“) installed on the appli-cable Sartorius Group company premises or other video and re-lated security/monitoring sys-tems whether on Sartorius Group premises or not but to which we have a legitimate pur-pose in viewing/accessing
  • Contract Performance (to initiate and execute Contracts (if you work for yourself))
  • Legitimate Interest (Balancing of interests: We have a legitimate in-terest in protecting our business and trade secrets, protecting our house rules, checking entry au-thorization to our buildings and properties)

IT Administration such as

  • User administration (assignment of access, IT support, system access, authorization administration)
  • Processing of password resets
  • Proof of changes to information in applications
  • Clear identification of the user for secure operation of applications
  • Determination of disruptions and guaranteeing system security including uncovering and tracking impermissible access attempts and access to our web servers


  • Contact data
  • Organizational data
  • IT-related data
  • Contract Performance (to initiate and execute Contracts (if you work for yourself))
  • Legitimate Interest (Balancing of interests: We have a legitimate in-terest in identifying the person in connection with the allocation of authorisations, the unambiguous identification of the user for the access to IT-Systems for guaran-teeing the security and integrity of processes in connection with use of the Sartorius systems, trou-bleshooting and uncovering and tracking impermissible access or access attempts, abuse and unau-thorized access)
  • Legal Obligation (in the area of data security)

Project organization and management such as

  • Collaboration on projects
  • Exchange about projects with other business partner
  • Contact data
  • Organizational data
  • Further information necessarily processed in a project or contractual relationship with Sartorius or voluntarily pro-vided by the Business Partner, such as personal data relating to orders placed, payments made, requests, and project milestones
  • Contract Performance (to initiate and execute Contracts (if you work for yourself))
  • Legitimate Interest (Balancing of interests: We have a legitimate in-terest in collaborations with busi-ness partners)

Taxes such as

  • Determining and reporting cash-equivalent advantages from non-cash benefits
  • Legal documentation regard-ing recipients of hospitality and gifts
  • Contact data
  • Organizational data
  • Financial data
  • Legal Obligation (concerning taxes)

Gastronomy such as

  • Cashless payment
  • Site IDs card balance claim
  • Contact data
  • Organizational data
  • Financial data
  • Contract Performance (hospitality contract or payment function of the Site ID

Protecting and defending our rights and disclosure related to official/court actions such as

  • Exercising and asserting rights and claims
  • Disclosure related to official/court actions for purposes of collecting evidence, criminal prosecution, and enforcement of civil law claims
  • Processing data subject inquiries under GDPR
  • Disclosure in the context of regulatory /court actions in connection with securities trading
  • Contact data
  • Organizational data
  • Financial data
  • Legal Obligation (fulfilling statu-tory obligations)
  • Legitimate Interest (Balancing of interests: We have a legitimate interest in asserting and defending our rights and fulfilling statutory and regulatory requirements)

Prevention, combating and clarification of the financing of terrorism and crimes that pose a threat to property, comparisons with European and international anti-terror lists such as

  • Comparison with anti-terror lists
  • Contact data
  • Organizational data
  • Financial data Information that are legally required for Business Partner compliance screenings or export control checks, such as date of birth, nationality, place of residence, ID numbers, identity cards and information about relevant and significant litigation or other legal proceedings against Business Partners
  • Legal Obligation (fulfilling statutory obligations)
  • Legitimate Interest (Balancing of interests: We have a legitimate interest in fulfilling statutory and regulatory requirements)

Retention and archiving such as

  • Archiving based on storage obligations set forth under tax and commercial law
  • Organizational data
  • Financial data
  • Contractual data
  • Legal Obligation (fulfilling statutory obligations)
  • Legitimate Interest (Balancing of interests: We have a legitimate interest in fulfilling statutory and regulatory requirements, internal guidelines and industry standards)

Prevention of fraud and money laundering and 

Fraud and money laundering

  • Organizational data
  • Financial data
  • Contractual data
  • Legal Obligation (fulfilling statutory obligations)

Compliance Audits such as

  • Compliance audits and documentation of compliance requests and compliance with legal requirements
  • Contact data
  • Organizational data
  • Financial data
  • Contractual data
  • Legitimate Interest (Balancing of interests: We have a legitimate interest in auditing compliance with legal requirements, internal guidelines)

Statistical evaluations regarding company control, Cost recording and controlling such as

  • Reporting on business management metrics
  • Organizational data
  • Financial data
  • Contractual data
  • Legitimate Interest (Balancing of interests: We have a legitimate interest in evaluations for controlling our business processes and cost control)

Conducting surveys and campaigns such as

  • Conducting surveys, marketing campaigns, market analyses, lotteries, competitions, and similar operations
  • Contact data
  • Organizational data
  • Legitimate Interest
  • Consent

Testing, developing, refining our products, quality assurance, product improvement such as

  • Research and development, quality assurance
  • Research (§ 27 BDSG)
  • Legitimate Interest (Balancing of interests: We have a legitimate interest in testing, developing, refining our products, quality assurance, product improvement)
  • Consent

3.1 Controller and Data Protection Officer

Sartorius AG, Otto-Brenner-Straße 20, 37079 Göttingen, Germany, e-mail: info@sartorius.com ("Sartorius", "we", "our" or "us"), as controller of personal data, is responsible for the processing of your personal data if you wish to receive information about our products and services and you subscribe to such marketing communications.

The Data Protection Officer of Sartorius and the Sartorius Group Data Protection Organization is available to you as a contact for all data protection-related matters and for exercising your rights. They may be contacted at dataprotection@sartorius.com.


3.2 Processing Purposes, Categories of Personal Data and Legal Bases plus Sources

Where and as permitted under applicable law, Sartorius may process information which you have actively and voluntarily provided about yourself, or which has been generated by us for marketing communications purposes, and includes the following categories of personal data for the purposes and on the legal bases specified below:


Processing Purposes

Categories of Personal Data

Legal Basis for Processing

Customer and prospective customer care
  • Contact data
  • Organizational data
  • Consent

Customer surveys (including satisfaction surveys)

  • Contact data
  • Organizational data
  • Usage data to determine your personal interests, such as information about your visits on Sartorius websites that may include viewed articles, downloaded documents and date and time of access as well  as information on whether and when you opened a marketing e-mail Sartorius sent to you
  • Consent

Direct marketing purposes e.g.

  • trade show invitations, newsletters with further information and offers concerning Sartorius products and services), also by e-mail
​​​​​​​
  • Contact data
  • Organizational data
  • Usage data
  • Business-related social network data, i.e. publicly accessible business-related data about you, such as data published in business- or employment-oriented social networks or Internet sites, e.g. LinkedIn and Xing.
  • Consent (to receiving Sartorius marketing communication on the basis of your personal interests)
  • Legitimate Interest (Balancing of interests: We have a legitimate interest in a consolidated customer profile, provided that the subsequent use for marketing and market research is in compliance with data protection and competition law requirements)

Maintaining an up-to-date customer profile as a basis for marketing and market research


  • Contact data
  • Organizational data
  • Usage data
  • Business-related social network data
  • Consent (to receiving Sartorius marketing communication on the basis of your personal interests)
  • Legitimate Interest (Balancing of interests: We have a legitimate interest in a consolidated customer profile, provided that the subsequent use for marketing and market research is in compliance with data protection and competition law requirements)


​​​​​​​3.3 Data Transfer

Sartorius may transfer your Data for the above-mentioned purposes to its Affiliated Companies listed here. The provider of the Sartorius marketing automation platform also has the technical ability to access your Data.


​​​​​​​3.4 Withdrawal of your consent

You have the right to revoke your consent at any time with effect for the future, for example by using the opt-out mechanism provided in the respective communication you received .


​​​​​​​3.5 Corporate transactions

As our ­business evolves, we may change the structure of our business by ­changing its legal form, establishing, buying or selling ­subsidiaries, ­divisions ­or ­components. In such ­transactions, customer information ­may be transferred along with the ­part of the ­company ­being transferred­. In any transfer of ­personal ­information to third parties to the ­extent ­described above, ­we will ensure that it is ­done in accordance with this ­Privacy Notice and applicable data ­protection law.

Any disclosure of ­personal ­data is justified on the grounds that we ­have ­a ­legitimate interest in ­adapting ­our ­corporate form to the ­economic and ­legal circumstances ­as ­necessary and that your rights and ­interests in the protection of your ­personal ­data are not overridden.

For the purposes mentioned above, Sartorius may transfer or disclose your personal data to:

  • Other companies of the Sartorius Group or third parties in the context of your usage of Sartorius Online Offerings or our business relationship with you;
  • third parties which provide IT services to Sartorius and which process such data only for the purpose of such services (e.g., hosting or IT maintenance and support services); and/or
  • third parties in connection with complying with legal obligations or establishing, exercising or defending rights or claims (e.g., for court and arbitration proceedings, to law enforcement authorities and regulators, to attorneys and consultants).

The recipients of your personal data may be located outside of the country in which you reside. Personal data published by you on Sartorius Online Offerings may be globally accessible to other registered users of the respective Sartorius Online Offering. 

Sartorius will retain your personal data for as long as reasonably necessary to fulfill the purposes we collected or otherwise process it, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.

Under applicable data protection law, you may have specific rights in relation to your personal data. In particular, and subject to the statutory requirements, you may have the following data protection rights:

  • Right of access: You have the right to obtain information on the processing of your personal data and to receive a copy of these data.
  • Right to rectification: You have the right to request that we correct or complete your inadequate, incomplete or inaccurate personal data.
  • Right to erasure: Under certain circumstances, you have the right to request that we delete your personal data.
  • Right to restriction of processing: Under certain requirements, you may request us to restrict the processing of your personal data.
  • Right to data portability: You have the right to receive your personal data in a structured, common, and machine-readable format and request that these data are transferred to another data controller, if applicable under the specific circumstances.
  • Right to object: You might have the right to object to the processing of your personal data by us, in particular, if the processing of your personal data is based on (i) the necessity of the performance of a task in the public interest, or (ii) legitimate interests. We will then stop the processing of your personal data unless we remain legally authorized to do so.
  • Right to lodge a complaint: You also have the right to lodge a complaint with a supervisory authority or other applicable privacy regulator about our processing of your data. This can be for example the data protection authority in your country of residence. A list of all data protection authorities in the European Union can be found here.
  • Right to withdrawal: If data processing is based on your consent, you have the right to withdraw your consent at any time and free of charge, with effect for the future, i.e., your withdrawal does not affect the lawfulness of the processing based on consent before its withdrawal.

  


7.1 Applicable law

This section applies and provides you with further information if your personal data is processed by one of our companies located in the European Economic Area.

In these cases the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation - GDPR), inter alia, applies to the processing of your personal data and the following additions and/or deviations apply to this Privacy Notice:


​​​​​​​7.2 Legal basis of the processing

The legal basis in accordance with the GDPR for the processing of personal data, unless otherwise specified upon collection of the personal data, is:

  • Article 6 (1) (b) GDPR ("Contract Performance“) - exercising our rights and performing our obligations under any contract we make with you
  • Article 6 (1) (c) GDPR (“Legal Obligation“) - Compliance with our legal obligations
  • Article 6 (1) (f) GDPR (“Legitimate Interest“) - Legitimate interests pursued by us
  • Article 6 (1) (a) GDPR (“Consent“) - In some cases, we may ask if you consent to the relevant use of your personal data. In such cases, the legal basis for us processing that data about you may (in addition or instead) be that you have consented.

​​​​​​​7.3 International data transfers

If we transfer personal data to service providers or Sartorius Group companies outside the European Economic Area (EEA), the transfer will only take place if the third country has been confirmed by the EU Commission to have an adequate level of data protection or if other appropriate data protection guarantees (e.g. binding internal company data protection regulations or EU standard contractual clauses) are in place. You can request information on this and on the level of data protection at our service providers in third countries using the contact information above.

​​​​​​8.1 Applicable law

This section applies and provides you with further information if the processing by one of our companies (i) occurs in Brazilian territory, (ii) concerns the data of individuals located in Brazilian territory, (iii) comprises personal data collected in Brazilian territory or (iv) has as its objective the offer or supply of goods or services to individuals located in Brazilian territory.

In these cases the Brazilian General Data Protection Law (Lei Geral de Proteção de Dados - LGPD) applies to the processing of your personal data and the following additions and/or deviations apply to this Privacy Notice:


8.2 Retention Periods

As allowed under article 16 of LGPD we may retain your personal data to comply with legal or regulatory obligations (such as retention obligations under tax or commercial laws), during the legal statute of limitation period, or for the regular exercise of rights in judicial, administrative or arbitration proceedings.


​​​​​​​8.3 Your rights

Additionally to the rights mentioned in this Privacy Notice, you are entitled under LGPD to:

  • In case you understand your data is not being processed in accordance with the applicable data protection law or in an excessive way, request us to anonymize, block or delete unnecessary or excessive personal data or;
  • Request information regarding the public and/or private entities we shared your personal data with;
  • Be informed about the possibility of not giving your consent to process your data and the consequences of not giving the consent in case we request your consent to process your data;
  • Revoke at any time your consent to our processing of your personal data in case we request your consent to process your data.


​​​​​​​8.4 Legal basis of the processing

The legal basis in accordance with the LGPD for the processing of personal data, unless otherwise specified upon collection of the personal data, is:

  • Article 7 V LGPD (“Contract Performance“)
  • Article 7 II LGPD (“Legal Obligation“)
  • Article 10 I and II LGPD (“Legitimate Interest“)
  • Article 7 I LGPD (“Consent“).


​​​​​​​8.5 International transfers

Following the requirements defined in the Article 33 of LGPD, in the event that we transfer your personal data outside the Brazilian territory, we ensure that your data is protected in a manner which is consistent with the Brazilian General Data Protection Law, we will follow the applicable law and decisions imposed by the proper authority.


​​​​​​​8.6 Your competent data protection contact

If this section applies, you may also contact our Brazilian Data Privacy Organization at dataprotection.br@sartorius.com.


​​​​​​​

​​Each Sartorius company established in Canada (“Sartorius in Canada Entity“) maintains your personal data on secure servers that are accessible to authorized employees, representatives or agents who require access for the purposes descried in this privacy notice. If you have any questions about how a Sartorius in Canada Entity processes your personal data, including with respect to its use of service providers outside of Canada, or if you would like to exercise any of your rights in respect of your personal data under the control of a Sartorius in Canada Entity, you may contact the Sartorius Group Data Protection Office at dataprotection@sartorius.com.

10.1 Applicable law

This section applies and provides you with further information if the processing by one of our companies is located within the borders of People’s Republic of China (“PRC“) or concerns the data of individuals within the borders of PRC.

In these cases the People’s Republic of China Personal Information Protection Law (PIPL) applies to the processing of your personal data and the following additions and/or deviations apply to this Privacy Notice:


​​​​​​​10.2 Processing of sensitive personal information

According to the PIPL, sensitive personal information means personal information that, once leaked or illegally used, may easily cause harm to the dignity of natural persons grave harm to personal or property security, including information on biometric characteristics, religious beliefs, specially-designated status, medical health, financial accounts, individual location tracking, etc. as well as the personal information of minors under the age of 14.

In addition to payment data we will, in principle, not process your sensitive personal information. In case your sensitive personal information will be processed, we will notify you about the necessity of processing and effects on the individual’s rights and interests, and obtain your specific consent if applicable.


​​​​​​​10.3 Transfer and disclosure of personal data

Following the requirements defined in the Article 23 of PIPL, additionally to the contents mentioned in section 3, we, in principle, will not transfer or share your personal information to third party controllers, unless (1) obtain your specific consent if applicable, or (2) to fulfill the statutory duties under local laws and regulations.


​​​​​​​10.4 International Transfer

You acknowledge that your data will be transferred and proceed outside of PRC. We will follow the applicable laws and decisions imposed by the competent authority and ensure that your data is protected in a manner which is consistent with the PIPL. If you or the company you work for is a Business Partner, please be aware that Sartorius is a multi-national company, and for the purpose of concluding or fulfilling the contract/agreement with you or the company you work for, you understand and agree that we may transfer your personal information to foreign affiliated companies.


​​​​​​​10.5 Legal Basis of the processing

The legal basis in accordance with the PIPL for the processing of personal data, unless otherwise specified upon collection of the personal data, is:

  • PIPL Article 13(2) ("Contract Performance")
  • PIPL Article 13(3) ("Legal Obligation")
  • PIPL Article 13(6) ("Legitimate Interest") - to process publicly available data
  • PIPL Article 13(1) ("Consent").


​​​​​​​10.6 Usage by Children

This Sartorius Online Offering is not directed to children under the age of fourteen (14). We will not knowingly collect personal data from children under the age of fourteen (14) without prior parental consent if required by applicable law. We will only use or disclose personal data about a child to the extent permitted by law, to seek parental consent, pursuant to local law and regulations or to protect children.

11.1 Applicable law

This section applies and provides you with further information if the processing by one of our companies is (i) located within the borders of South Africa or (ii) is carried out in South Africa, unless it is only forwarding personal information through South Africa.

In these cases South Africa’s Protection of Personal Information Act, 2013 (POPIA) applies to the processing of your personal data and the following additions and/or deviations apply to this Privacy Notice:


​​​​​​​11.2 Processing your personal data

In terms of section 1 of POPIA, “personal data“ or “personal information“ includes “information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing, juristic person.“


​​​​​​​11.3 Legal Basis of the processing

The corresponding legal grounds and conditions for lawful processing of personal data in South Africa are contained in Sections 8 to 25 of POPIA, and relate to “Accountability“; “Processing limitation“; “Purpose specification“; “Further processing limitation“; “Information quality“; “Openness“; “Security safeguards“ and “Data subject participation“.

The legal basis in accordance with the POPIA for the processing of personal data, unless otherwise specified upon collection of the personal data, is:

  • POPIA section 69 (1) (a) (“Consent“) - to the processing of personal information of a data subject for the purposes of direct marketing by means of any form of electronic communication, including automatic calling machines, facsimile machines, sms’s or e-mail is prohibited
  • POPIA section 69 (1) (b) (“Legitimate Interest“) - to process personal information for the purpose of direct marketing of existing customers of the responsible party, subject to further conditions.


​​​​​​​11.4 International Transfer

We may transfer your personal data to a place of jurisdiction other than the one in which it was collected and/or need to save it there, and we hereby inform you that this place of jurisdiction may not have comparable data protection legislation.


​​​​​​​11.5 Your right to lodge a complain

You have the right to lodge a complaint regarding a breach of POPIA with the information regulator under:

Complaints: complaints.IR@justice.gov.za

General enquiries: inforeg@justice.gov.za

​​​​​​12.1 Applicable law

This section applies and provides you with further information if your personal data is processed by one of our companies located in the United Kingdom under the Data Protection Act 2018 and/or the UK GDPR (meaning Regulation (EU) 2016/679 of the European Parliament and of the Council of 27th April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018).

In these cases the Data Protection Act 2018 and/or the UK GDPR applies to the processing of your personal data and the following additions and/or deviations apply to this Privacy Notice:


12.2 Data Controller

The specific company identified on this page as being the operator of this website is the data controller in the meaning of the UK GDPR for the processing activities described in this Privacy Notice.
In the course of our business relationship with you, we may share Business Partner contact information with affiliated Sartorius companies. We and these Sartorius companies are jointly responsible for the proper protection of your personal data (Art. 26 UK GDPR). To allow you to effectively exercise your data subject rights in the context of this joint controllership, we entered into an agreement with these Sartorius companies granting you the right to centrally exercise your data subject rights against Sartorius Aktiengesellschaft, Germany.

To exercise your rights, you may reach out to: dataprotection@sartorius.com


​​​​​​​12.3 Legal basis of the processing

The legal basis in accordance with the POPIA for the processing of personal data, unless otherwise specified upon collection of the personal data, is:

  • Article 6 (1) (b) UK GDPR (“Contract Performance“) - exercising our rights and performing our obligations under any contract we make with you
  • Article 6 (1) (c) UK GDPR (“Legal Obligation“) - Compliance with our legal obligations
  • Article 6 (1) (f) UK GDPR (“Legitimate Interest“) - Legitimate interests pursued by us
  • Article 6 (1) (a) UK GDPR (“Consent“) - In some cases, we may ask if you consent to the relevant use of your personal data. In such cases, the legal basis for us processing that data about you may (in addition or instead) be that you have consented.


​​​​​​​12.4 International data transfers

In the event that we transfer your personal data outside the United Kingdom, we ensure that your data is protected in a manner which is consistent with the UK GDPR. Therefore, and if required by applicable law, we take the following measures:

We transfer personal data to recipients outside the United Kingdom only if the recipient has (i) entered into UK Standard Contractual Clauses with us, or (ii) implemented Binding Corporate Rules in its organization. You may request further information about the safeguards implemented in relation to specific transfers by contacting dataprotection@sartorius.com.


​​​​​​​12.5 Your competent data protection authority

In case of data privacy related concerns and requests, we encourage you to contact our Data Privacy Organization at dataprotection@sartorius.com. Besides contacting the Data Privacy Organization, you always have the right to approach the competent data protection authority with your request or complaint. 
A list and contact details of local data protection authorities is available here.

​​​​13.1 US residents

If you are a U.S. resident, then please take note of the following:


​​​​​​​13.1.1 Do Not Track

At this time our Sartorius Online Offerings do not recognize or respond to “Do Not Track“ browser signals.  For more information on “Do Not Track“, please visit your browser’s support page.

​​​​​​​13.1.2 Usage by Children

This Sartorius Online Offering is not directed to children under the age of thirteen. We will not knowingly collect personal data from children under the age of thirteen without insisting that they seek prior parental consent if required by applicable law. We will only use or disclose personal data about a child to the extent permitted by law, to seek parental consent, pursuant to local law and regulations or to protect a child.

​​​​​​​13.1.3 State Rights

Depending on the US state in which you reside, you may have special rights with respect to your personal data. For information regarding any of those rights, please read below:


​​​​​​​13.2 Rights for specific States

​​​​​​​13.2.1 California, Virginia

​​​​​​​13.2.1.1 Scope

This section supplements the above Privacy Notice and sets forth information and describes rights that may be applicable to residents of the following US states:

  • California
  • Virginia

The purpose of this section is to provide information to residents of these US states, and to notify them of their rights under the law of their state of residence. This section is not applicable to and may not be relied upon by anyone who resides outside of the listed US states.  If you reside in one of the listed US states, (a) you may have additional rights with respect to your personal data, and (b) you should note the following.

​​​​​​​13.2.1.2 Categories of personal information

The Company may, through a variety of online and offline sources, collect the categories of personal information identified below and in the above Privacy Notice:

  • Personal identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, internet protocol address, email address, account name, social security number, driver’s license number, passport number, telephone number, passport number, state identification card number, insurance policy number, bank account number, credit card number, debit card number, financial information, medical information, or health insurance information
  • Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies
  • Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement
  • Geolocation data
  • Biometric and physical characteristics such as audio, electronic, visual, thermal, olfactory, or similar information
  • Professional or employment-related information
  • Education information

Such collected information may be used for the purposes described elsewhere within the above Privacy Notice.

​​​​​​​13.2.1.3 Sale and Disclosure

We disclose personal information for business purposes. The categories of personal information that we have disclosed for business purposes within the preceding 12 months include:

  • Personal identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, internet protocol address, email address, account name, social security number, driver’s license number, passport number, telephone number, passport number, state identification card number, insurance policy number, bank account number, credit card number, debit card number, financial information, medical information, or health insurance information
  • Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies
  • Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement
  • Geolocation data
  • Biometric and physical characteristics such as audio, electronic, visual, thermal, olfactory, or similar information
  • Professional or employment-related information
  • Education information

The categories of third parties with which we may share personal data are described in the above Privacy Notice. Please note that we do not engage in the sale of personal data to third parties at this time.

​​​​​​​13.2.1.4 Exercise of Applicable Rights; Appeal

In order to exercise any rights that may be available to you under the law of the state in which you reside (for example, any rights to deletion or disclosure of personal data or to appeal a decision that we have made with respect to your request), please contact us via dataprotection@sartorius.com.

Please note that any requests may be subject to verification of the identification of the requestor. The method we would use to verify your identity will be different depending on the manner and context in which your data was collected, and may require the provision by you of such personal information as may be necessary to match you to our records of you (if any). Depending on the laws of your state, you may be entitled to use an authorized agent to exercise your rights on your behalf and, if you choose to do so, such an agent may contact us in the same manner as described above, and will also be required to verify their own identity and their authority to act on your behalf.​​​​​​​

13.2.2 California

13.2.2.1 Scope

This section applies and provides further information to California residents and notifies them of their rights under California law. This section is not applicable to and may not be relied upon by anyone else besides California residents.

​​​​​​​13.2.2.2 California’s “Shine The Light“ law

California’s “Shine The Light“ law permits those of our customers who are California residents to annually request a list of their personal data (if any) that we have disclosed to third parties for direct marketing purposes in the preceding calendar year, and the names and addresses of those third parties. At this time, we currently do not share any personal data with third parties for their direct marketing purposes.

13.2.2.3 ​​​​​​​Sources

The sources from which the personal information may be collected may include:

  • the internet sites of the Company and its affiliates that you visit
  • the mobile applications of the Company and its affiliates that you use
  • you or your employer, such as via telephone, mail, email, or at trade shows, or in connection with potential employment or business opportunities
  • our customers, vendors, and suppliers
  • third parties from whom we receive contact data, such as LinkedIn.​​​​​​​


13.2.2.4 Rights

California residents have the right to request that we delete the personal data that we have collected about that resident. Please note that there are circumstances under which such a right of deletion does not apply, such as where it is reasonable for us to maintain the personal information to:

  • Complete the transaction for which the personal information was collected, provide a good or service requested or reasonably anticipated, or otherwise perform a contract with the resident.
  • Detect security incidents; protect against malicious, deceptive, fraudulent or illegal activity; or prosecute those responsible for that activity.
  • Debug to identify and repair errors that impair existing intended functionality.
  • Exercise free speech, ensure the right of another resident to exercise his or her right of free speech, or exercise another right provided for by law, or Comply with a legal obligation.
  • Comply with the California Electronic Communications Privacy Act.
  • Engage in public or peer-reviewed scientific, historical or statistical research in the public interest (when deletion of the information is likely to render impossible or seriously impair the achievement of such research) if the resident has provided informed consent.
  • To enable solely internal uses that are reasonably aligned with the resident's expectations based on the relationship with us.
  • To otherwise use the personal information, internally, in a lawful manner that is compatible with the context in which the resident provided the information.

California residents have the right to request that we disclose, with respect to that resident,

  • The categories of personal information we have collected.
  • The categories of sources from which we collected the personal information.
  • The purpose for collecting or selling personal information.
  • The categories of third parties with whom we share personal information.
  • The specific pieces of personal information we have collected.

California residents have the right to request correction of inaccurate personal information.

To exercise the rights that may be available to you as described above, please contact us at dataprotection@sartorius.com.

You have the right not to be discriminated against by us for exercising any of these rights.

Status of this Privacy Notice: July 2023