Sartorius ID Privacy Notice

The Sartorius AG, Otto-Brenner-Straße 20, 37079 Göttingen, Germany ("Sartorius", "we", "our" or "us") is the controller of the processing of your personal data in connection with your use of Sartorius ID as well as My Sartorius. The Sartorius Data Protection Officer and the Sartorius Group Data Protection Organization are available to you as a contact for all data protection-related matters and for exercising your rights. They may be contacted at dataprotection@sartorius.com.

2.1  Processing of protocol data on the website

If you just visit the My Sartorius landing page without registering or logging in, we only process the following log data:

• Your IP address,
• Geografical location,
• The operating system and web browser you are using; and
• The date and time of your visit.

We process this data on the basis of Art. 6 (1) (f) GDPR due to our legitimate interest in being able to properly display the website to you, as well as in the context of updates, security and troubleshooting measures, and to improve and further develop our online offerings. We will store the log data for a period of 90 days. After that period the personal data will be deleted.

2.2 Cookies

All relevant information on the processing of personal data in connection with cookies may be found in the Sartorius Cookie Notice.

2.3 Registration and use of the Sartorius ID

If you register for a Sartorius ID, you can sign in to numerous services, apps and websites of the Sartorius Group . The purposes of the processing, the processing and corresponding legal bases are described in detail below.

2.3.1.
If you visit My Sartorius using a Sartorius ID and log in, we process the following log data:

• Your IP address,
• Geografical location,
• The operating system and web browser you are using; and
• The date and time of events.

If you visit the My Sartorius landing page once you have registered or logged in, we also process your e-Mail address in the log data.

We process this data on the basis of Art. 6 (1) (f) GDPR due to our legitimate interest in being able to provide you with the website as well as our services and to optimize our online offering, to ensure technical operation, as well as to identify and eliminate malfunctions and to investigate criminal offenses. We will store the log data for a period of 90 days, provided that it is no longer required for the purposes described. We process these log files on the basis of Art. 6 (1) (f) GDPR due to our legitimate interest in being able to provide you with the website as well as our services and to optimize our online offering, to ensure technical operation, as well as to identify and eliminate malfunctions and to investigate criminal offenses. The log data is stored for a period of 90 days, provided that it is no longer required for the purposes described. Log files that require further storage for purposes of evidence are exempt from deletion until final clarification of the respective incident and may be disclosed to investigating authorities in individual cases in accordance with applicable legal provisions. This technical data of the server log files is stored separately from all personal data concerning you.

2.3.2.
To create a Sartorius ID, you must register with an e-mail address and a password. To verify your registration for the Sartorius ID, we use the so-called double opt-in procedure. An e-mail is sent to the given e-mail address with a request for confirmation. Processing takes place for the purpose of performance of the contract (provision of the "My Sartorius " service, Art. 6 (1) (b) GDPR).

2.3.3.
In addition to the e-mail address and password, you may have to provide further personal data for your Sartorius ID, which then will b stored and transmitted to services you register for with your Sartorius ID (cf. 2.3.4):

• Name,
• Form of address and title,
• Company,
• Address,
• Phone numbers,
• Preferred language,
• Sales Tax ID,
• Country-specific tax information.

This data is stored in the Sartorius ID for the performance of the contract (provision of the "Sartorius ID" service, Art. 6 (1) (b) GDPR).

2.3.4.
You can use your Sartorius ID to register for various services (e.g. websites or other digital services) provided by us or third parties. When you register for the first time, you may be asked to give your consent (Art. 6 (1) (a) GDPR) for the processing or transmission of such of your data from your Sartorius ID that is necessary for the provision of the other services. Should Sartorius provide services on an ongoing basis against payment of a fee and you therefore enter into a continuing obligation, access to the personal data in your Sartorius ID is based on a contractual basis (Art. 6 (1) (b) GDPR) after you have granted authorization to access this data.

2.3.5.
You can request the deletion of your Sartorius ID by sending an informal e-mail to SartoriusID@sartorius.com. In this case, we will delete your personal data if and to the extent we are not obligated to store the data for other reasons, according to statutory provisions (in particular commercial or tax law regulations). In such a case, the data will be deleted at the latest after this legal reason has ceased to exist. To the extent data is still necessary for the settlement of claims arising from this or other contracts with us, deletion will take place at the earliest after the final conclusion of any such claims. You may also withdraw authorization to access your personal data for individual or all services you have logged into with your Sartorius ID. If Sartorius provides services on an ongoing basis in exchange for payment of remuneration, the withdrawal of authorization of data access may be made conditional upon the contract for the provision of services being terminated first; for services provided by third parties, this limitation does not exist. Withdrawal of authorization of data access shall only have effect for the future. The relevant service shall be notified of the withdrawal of consent. However, data which has already been transferred may continue to be processed by the relevant service where applicable. You can find information on this in the Privacy Notice for the relevant service you use. You will find an overview of the services you have logged into with your Sartorius ID in your Sartorius ID user account.

2.3.6.
We will store your personal data as long as your Sartorius ID exists. If you have not logged into a service with the Sartorius ID for a period of 3 years, we will delete this Sartorius ID together with your personal data to the extent we are not obligated to store the data for other reasons.

2.4 Customer service

You have the option to consult the My Sartorius team with queries regarding apps, services and websites from Sartorius Group (e.g. by post, email, contact form or telephone). In this context, Sartorius processes the personal data required to process your query and for the purposes of customer care (e.g. name, email address, address, telephone number, country and language). This processing is based on contractual obligations (including the performance of pre-contractual measures to process your inquiry, Art. 6 (1) (b) GDPR) and, if applicable, on Art. 6 (1) (f) GDPR due to our legitimate interests in forwarding your data within the Sartorius Group to the responsible internal functions to respond to your inquiry.

2.5 Compliance with statutory and regulatory requirements

In the case of direct sales and the provision of digital services, we process your personal data (first name, last name, address, country) for the purposes of preventing fraud and money laundering, of preventing, combating and resolving terrorist financing and property crimes, as well as for comparison with European and international anti-terror lists. Sartorius is required to do so in particular under statutory obligations (such as the Anti-Money Laundering Act or the European embargo and terrorism regulations). Under certain circumstances, Sartorius has a legitimate interest in observing and complying with obligations imposed by public and other competent government authorities - within or outside your country of residence - in order not to expose Sartorius and its representatives to criminal or civil sanctions.

The legal basis for the processing of your personal data for the stated purposes is Article 6 (1) (c) GDPR in the case of statutory obligations or Article 6 (1) (f) GDPR in the case of a legitimate interest.

For reasons of our fiscal and legal commercial retention obligations we store your personal data provided usually for seven years after contract fulfilment, but – if legally required – we may store your data up to a maximum of 30 years after collecting the data in order to comply with our legal obligations.

For the purposes mentioned above Sartorius may transfer or disclose your personal data to:

• Other companies of the Sartorius Group or third parties - e.g. sales partners or suppliers - if this is necessary in connection with the provision and operation of My Sartorius and your Sartorius ID or the establishment, performance or settlement of the business relationship;
• Third parties which provide IT services to Sartorius and which process such data only for the purpose of such services (e.g., hosting or IT maintenance and support services); and/or
• Third parties in connection with complying with legal obligations or establishing, exercising or defending rights or claims (e.g., for court and arbitration proceedings, to law enforcement authorities and regulators, to attorneys and consultants). We may transfer personal data to other companies of the Sartorius Group or third parties in the context of your usage of My Sartorius and your Sartorius ID.

In the event that we transfer your personal data outside the European Union (”EU”) or the European Economic Area (“EEA”), we ensure that your data is protected in a manner which is consistent with the GDPR. Therefore, and if required by applicable law, Sartorius transfers personal data to external recipients outside the EU or EEA only if the special requirements of Art. 44 ff. GDPR are fulfilled.

You can view the EU standard contractual clauses used at this link.

4.1
In general, we will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.

4.2
To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.

4.3
Specific information about data retention in connection with the single purposes of data processing can be found in the corresponding Sections above.

My Sartorius can contain links to the websites of third parties − to providers who are not affiliated with us. After you click the link, we no longer have any influence on the collection, processing and utilization of any personal data that is transferred to third parties (for example, the IP address or the URL of the website on which the link is located), as our control of the conduct of third parties is then naturally withdrawn. We accept no responsibility for the processing of such personal data by third parties.

My Sartorius is not intended for children under the age of 16 years.

As our business evolves, we may change the structure of our business by changing its legal form, establishing, buying or selling subsidiaries, divisions or components. In such transactions, customer information may be transferred along with the part of the company being transferred. In any transfer of personal information to third parties to the extent described above, we will ensure that it is done in accordance with this Privacy Notice and applicable data protection law. Any disclosure of personal data is justified on the grounds that we have a legitimate interest in adapting our corporate form to the economic and legal circumstances as necessary and that your rights and interests in the protection of your personal data are not overridden.

Under applicable data protection law, you may have specific rights in relation to your personal data. In particular, and subject to the statutory requirements, you may have the following data protection rights:

• Right of access: You have the right to obtain information on the processing of your personal data and to receive a copy of these data.
• Right to rectification: You have the right to request that we correct or complete your inadequate, incomplete or inaccurate personal data.
• Right to erasure: Under certain circumstances, you have the right to request that we delete your personal data.
• Right to restriction of processing: Under certain requirements, you may request us to restrict the processing of your personal data.
• Right to data portability: You have the right to receive your personal data in a structured, common, and machine-readable format and request that these data are transferred to another data controller, if applicable under the specific circumstances.
• Right to object: You might have the right to object to the processing of your personal data by us, in particular, if the processing of your personal data is based on (i) the necessity of the performance of a task in the public interest, or (ii) legitimate interests. We will then stop the processing of your personal data unless we remain legally authorized to do so.
• Right to lodge a complaint: You also have the right to lodge a complaint with a supervisory authority or other applicable privacy regulator about our processing of your data. This can be for example the data protection authority in your country of residence. A list of all data protection authorities in the European Union can be found here.
• Right to withdrawal: If data processing is based on your consent, you have the right to withdraw your consent at any time and free of charge, with effect for the future, via SartoriusID@sartorius.com via the contact details given in the imprint or via My Sartorius and such other methods as we may inform you from time to time, i.e., your withdrawal does not affect the lawfulness of the processing based on consent before its withdrawal.