Sartorius Events Mobile Application Privacy Notice

1. Identity and contact details of the controller and the Data Protection Officer

Sartorius AG, Otto-Brenner-Straße 20, 37079 Göttingen, Germany ("Sartorius", "we", "our" or "us"), as controller of personal data, is responsible for the processing of your personal data in connection with your use of the Sartorius  Events Mobile Application ("App").

The Data Protection Officer of Sartorius and the Sartorius Group Data Protection Organization are available to you as a contact for all data protection-related matters and for exercising your rights. They may be contacted at the above address or at dataprotection@sartorius.com.

2. Processing of personal data

When using the App, Sartorius may process the following categories of personal data for the purposes and on the legal bases specified below.

Unless expressly stated otherwise upon collection of the personal data, the legal bases specified below in accordance with the GDPR shall also include any applicable corresponding local laws.

2.1 Information collected when downloading the App

Before you can download and install this App, you may need to enter into a usage agreement with an App Store operator (e.g. Google, Apple) to access its portal (e.g. Google Play, Apple App Store - "App Stores"). The App Store operator collects and processes data in connection with the use of the App Store, such as user name, email address and individual device identification number as the responsible Controller. We process the data only to the extent necessary to download the App to your device. We are not party to the usage agreement with the App Store operator and have no influence on its data processing. In this respect, the privacy policy of the respective App store operator applies.

2.2 Registration and authentication

2.2.1 To receive access to event content within the App, you need to register for an event at the Sartorius Event Platform with your e-mail address and to agree to the use of your registration data for the App when registering. Further information on data processing in connection with the Sartorius Event Platform can be found in the Sartorius Event Platform Privacy Notice.

2.2.2 If you log in to the App, we process the following log data:

• Your e-mail address
• The event reference number.

We process this log data on the basis of Art. 6 (1) (b) GDPR for the fulfillment of the contract for the use of the App.

2.3 Participation in Events

2.3.1 If you participate in one of our events, Sartorius may process the following categories of personal data about you:

• Activity data, such as events you have participated in, interactions you have had with us, documents you downloaded;
• User content such as, posts, comments, photos, videos, audio data or any other content generated by you;
• Personal life data, such as allergies, meal preferences, intolerances, smoker/non-smoker;
• Travel information, such as travel plans or preferences, e.g., regarding your accommodation;
• Financial data;
• Photos and videos taken by Sartorius, or third parties contracted by Sartorius;
• Other data voluntarily provided by you, e.g., via forms or personal communications.

n addition, we collect data for aggregated statistics, part of these statistics are the number of registrations, booking information and viewer numbers across all participants for an event.

2.3.2 This data is processed to plan, organize, implement and improve events, this includes for example:

• Organizing the event, e.g., adapting the event to your interest or contacting you on a personalized basis before, during and after the event. This may include sending automated and manual e-mails, as well as calls from Sartorius representatives or designated agents. You may also set up and manage live appointments with exhibitors, or other meeting attendees, before or during the event;
• Ensuring technical requirements, e.g., size the platform and streaming activity to provide a stable service;
• Processing your comments and feedback that you provided us with, e.g., by participating in surveys, sending us requests, answering your chat questions, your In-app messages, peer-to-peer videos, and group chats with other attendees; post comments and photos to an in-app conversation wall;
• Documenting an event internally and externally as well as in press and marketing activities, e.g., on the Sartorius intranet, on the Sartorius website, in social media or print media;
• Settling the event: For tax and accounting reasons, some personal data is required for post-event processing, e.g., for internal accounting purposes such as the charging of costs, accommodation, or provision costs in connection with the event. This also includes other activities that are required of us by law, such as internal documentation based on compliance regulations;
• Personalizing your event experience, e.g., customizing future events to your interests, presenting more relevant content according to your areas of interest, making suggestions to complete or improve your preferences; auto-populate registration forms for 90 days; provision of the creation of your own agenda variations with tracks, dates, and categories;
• Conducting analytics, e.g., using data to understand the effectiveness of existing events, measure attendance and engagement with an event, its processes, and its contents, improving our future event portfolio, evaluating, and optimizing our services, reviewing technical requirements (streaming quality, download rates, etc.);
• Conducting advertising or marketing activities, e.g., displaying ads, sending marketing communications.

2.3.3 This data is processed with your consent (Art. 6 (1) (a) GDPR), to perform a contract, take steps at your request prior to entering into a contract (Art. 6 (1) (b) GDPR), to comply with a legal obligation (Art. 6 (1) (c) GDPR) or because of our legitimate business interests (Art. 6 (1) (f) GDPR):

• Regarding ensuring technical requirements, it is our legitimate business interest to ensure the functionality and the technical stability of our events;
• Regarding conducting analytics, it is our legitimate business interest to improve our event portfolio, provide participants with relevant information and maintain contact, establish, and expand a long-term business relationship and gain new potential customers;
• Regarding events for journalists, analysts, and investors we process your personal data based on our legitimate interest in carrying out public relations;
• Regarding event photos and videos, we process your personal data based on our legitimate interest to document our events and to support marketing activities.

Where Sartorius relies on its legitimate interests for processing personal data, Sartorius has determined that, after a balancing of interests, its legitimate interests are not overridden by your interests and rights or freedoms. More information on the balancing of interests can be obtained by contacting the Sartorius Group Data Protection Organization.

2.4 Use of the App

2.4.1 When using the App without logging in, you can view future and past events. We do not log any personal data in this case.

2.4.2 The App does not use cookies.

3. External links

This Privacy Notice only applies to this App, not to websites or applications offered and operated by third parties. The App may provide links to other websites or applications of third parties which may be of interest to you. After you click the link, we no longer have any influence on the collection, processing and utilization of any personal data that is transferred to third parties, as our control of the conduct of third parties is then naturally withdrawn. We are not responsible for privacy practices or the content of external websites or applications.

4. Permissions

Certain functions of this App can only be used if the corresponding permissions are granted. Permissions are interfaces to the operating system of your end device, through which the App can access data stored on your end device.

The App works with the following permissions:

• Internet access: to store your entries on our servers;

• Access to device's file manager and image gallery: to upload images use some functions of the App;
• Access to device's camera: To capture images.
• Access to device's microphone: To capture sound recordings.

You can manage and disable permissions within the settings of your operating system. Please note that after deactivating a permission, you may no longer be able to use all of the App's features.

5. Transfer and disclosure of personal data

For the purposes mentioned above, Sartorius may transfer or disclose your personal data to:

• Service providers

We employ companies of the Sartorius Group and other specialized companies (e.g.  hosting service providers, IT service providers) to process data on our account and our instructions.

• Other third parties

We transfer personal data to other third parties in connection with complying with legal obligations or establishing, exercising or defending rights or claims (e.g., for court and arbitration proceedings, to regulators, law enforcement and government authorities, to attorneys and consultants).

If we transfer personal data to service providers or Sartorius Group companies outside the European Economic Area (EEA), the transfer will only take place if the third country has been confirmed by the EU Commission to have an adequate level of data protection or if other appropriate data protection guarantees (e.g. binding internal company data protection regulations or EU standard contractual clauses) are in place. You can request information on this and on the level of data protection at our service providers in third countries using the contact information above.

6. Retention periods

6.1 In general, Sartorius will only retain your personal data for as long as reasonably necessary to fulfill the purposes we collected or otherwise process it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.

6.2 To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.

6.3 Specific information about data retention in connection with the single purposes of data processing can be found in the corresponding Sections above.

7. Corporate transactions

As our ­business evolves, we may change the structure of our business by ­changing its legal form, establishing, buying or selling ­subsidiaries, ­divisions ­or ­components. In such ­transactions, customer information ­may be transferred along with the ­part of the ­company ­being transferred­. In any transfer of ­personal ­information to third parties to the ­extent ­described above, ­we will ensure that it is ­done in accordance with this ­Privacy Notice and applicable data ­protection law.

Any disclosure of ­personal ­data is justified on the grounds that we ­have ­a ­legitimate interest in ­adapting ­our ­corporate form to the ­economic and ­legal circumstances ­as ­necessary and that your rights and ­interests in the protection of your ­personal ­data within the meaning of Art. 6 (1) (f) GDPR are not overridden.

8. Children

To use this App, you must be at least 16 years old.

9. Your rights

Under applicable data protection law, you may have specific rights in relation to your personal data. In particular, and subject to the statutory requirements, you may have the following data protection rights:

• Right of access: You have the right to obtain information on the processing of your personal data and to receive a copy of these data.
• Right to rectification: You have the right to request that we correct or complete your inadequate, incomplete or inaccurate personal data.
• Right to erasure: Under certain circumstances, you have the right to request that we delete your personal data.
• Right to restriction of processing: Under certain requirements, you may request us to restrict the processing of your personal data.
• Right to data portability: You have the right to receive your personal data in a structured, common, and machine-readable format and request that these data are transferred to another data controller, if applicable under the specific circumstances.
• Right to object: You might have the right to object to the processing of your personal data by us, in particular, if the processing of your personal data is based on (i) the necessity of the performance of a task in the public interest, or (ii) legitimate interests. We will then stop the processing of your personal data unless we remain legally authorized to do so.
• Right to lodge a complaint: You also have the right to lodge a complaint with a supervisory authority or other applicable privacy regulator about our processing of your data. This can be for example the data protection authority in your country of residence. A list of all data protection authorities in the European Union can be found under https://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm.
• Right to withdrawal: If data processing is based on your consent, you have the right to withdraw your consent at any time and free of charge, with effect for the future, i.e., your withdrawal does not affect the lawfulness of the processing based on consent before its withdrawal.

Status of this Privacy Notice: November 2023