GROPYUS AG, Barichgasse 40, 1030 Vienna, Austria (hereafter „GROPYUS AG“) herewith informs you about the processing of personal data within this website for which GROPYUS AG is responsible in the sense of the EU General Data Protection Regulation (GDPR). Questions regarding data protection can also be sent to datenschutz@gropyus.com.

Data protection officer of the GROPYUS Group is attorney Nikolaus Bertermann, daspro GmbH, Kurfürstendamm 21, D-10719 Berlin. You can reach the data protection officer by sending an e-mail to gropyus-dsb@daspro.de.

Below we have compiled the most important information on typical data processing for you. For certain data processing operations, which only concern specific groups, the information requirements are fulfilled separately. Where the term "data" is used, only personal data within the meaning of the GDPR are meant.

Visitors of the GROPYUS Website
- 1.1 Technically necessary cookies
- 1.2 Server log data
Communication Partners and Interested Parties
Customers and Contact Persons at Customers
Visitors of the GROPYUS Application Portal
Job Applicants
Participants in a Videoconference via Microsoft Teams
Rights of Data Subjects and Further Information

1. Visitors of the GROPYUS Website

1.1 Technically necessary cookies

We use cookies on our website. Cookies are small text files that can be stored on your device via the browser when you visit the website. When you call up a website again with the same device, we can read and process the information stored in cookies. In doing so, we use processing and storage functions of the browser of your device and collect information from the memory of the browser of your device.

In the structure of this privacy policy, we distinguish between technically necessary cookies, statistics cookies, marketing cookies, and external media from third-party providers. Cookies that are technically necessary for the function of the website cannot be deactivated via the cookie management function of this website. However, you can generally disable cookies in your browser at any time. Different browsers offer different ways to configure the cookie settings in the browser. However, we would like to point out that some functions of the website may not work or no longer work completely if you generally disable cookies in your browser.

a) Consent cookies

We use so-called consent cookies to store your consents, possible revocations of consents and objections to the use of cookies on our website.

(i) The purpose of the data processing is the storage of your cookie decisions (consent, revocation, opt-out). A change of the purposes is not planned.

(ii) The data processed are:

Protocol data: This is data that is technically generated when the website is accessed via the Hypertext Transfer Protocol (Secure) (HTTP(S)). This includes IP address, type and version of your Internet browser, operating system used, the page accessed, the previously visited page (referrer URL), date and time of access. Log data may also be stored on servers of service providers (e.g. when retrieving third-party content).

Cookie decisions: Your decision on individual cookies or groups of cookies, time of decision and last visit.

(iii) The legal basis for the processing is our legitimate interest in the simple and reliable control of cookies according to your decision (Art. 6 para. 1 lit. f) GDPR).

(iv) The data is actively provided by you (cookie decision) or automatically by your browser (log data, timestamp).

(v) Recipients of the data are IT service providers, which we use within the framework of a processor controller agreement. In this context, data may also be transferred to third countries outside the EU and the EEA. One IT service provider processes data in Israel. For Israel, there is an adequacy decision of the EU Commission according to Art. 46 GDPR. In the case of several service providers, a transfer of data to the USA cannot be completely ruled out. We have concluded the EU standard contractual clauses (2021/914; Module 2 or Module 3) with these service providers. You can request a copy of the essential contractual content of the standard contractual clauses at any time.

(vi) The data will be deleted after one year.

(vii) It is not possible to use the website without disclosing personal data. Communication via the website is technically not possible without disclosing data.

b) Security and error cookies

We use various cookies to protect the website from attacks and malware and to detect malfunctions.

(i) The purpose of data processing is the implementation of technical and organizational measures to protect the website and to detect errors. A change of the purposes is not planned.

(ii) The data processed are:

Protocol data: This is data that is technically generated when the website is accessed via the Hypertext Transfer Protocol (Secure) (HTTP(S)). This includes IP address, type and version of your Internet browser, operating system used, the page accessed, the previously visited page (referrer URL), date and time of access. Log data also accrue on servers of service providers (e.g. when retrieving third-party content).
Session data: Random user ID, pseudonymized usage data.

(iii) The legal basis for the processing is our legitimate interest in technical protection of the website and the detection and correction of errors (Art. 6 para. 1 lit. f) GDPR).

(iv) The data is actively provided by you (usage behavior) or automatically by your browser (log data, time stamp).

(vi) The data is predominantly deleted at the end of the session, but at the latest after three months.

(vii) It is not possible to use the website without disclosing personal data. Communication via the website is technically not possible without disclosing data.

c) Functional cookies

We use functional cookies in which your settings and any entries you make on the website are temporarily stored so that this information can also be used on other pages of our website, e.g. language settings.

(i) The purpose of the data processing is the provision of cross-page functions such as language settings. A change of the purposes is not planned.

(ii) The data processed are:

Protocol data: This is data that is technically generated when the website is accessed via the Hypertext Transfer Protocol (Secure) (HTTP(S)). This includes IP address, type and version of your Internet browser, operating system used, the page accessed, the previously visited page (referrer URL), date and time of access. Log data also accrue on servers of service providers (e.g. when retrieving third-party content).
Setting values and inputs: Your settings and inputs and the time of the decision.

(iii) The legal basis for the processing is our legitimate interest in the simple and reliable control of user input on the website (Art. 6 para. 1 lit. f) GDPR).

(iv) The data is actively provided by you (decision, settings) or automatically by your browser (log data, timestamp).

(vi) The data is deleted at the end of the session, after three months or after one year at the latest, depending on the function.

(vii) It is not possible to use the website without disclosing personal data. Communication via the website is technically not possible without disclosing data.

d) Cookies for user login

We use cookies on our website to enable selected users to access non-public content on our website. This requires authentication and identification, which must be mapped technically. We also use cookies to technically enable access to password-protected

pages.

(i) The purpose of the data processing is to provide you with access to non-public content on the Website or to password-protected pages, for which you must authenticate and identify yourself. There are no plans to change the purposes.

(ii) The data processed are:

Protocol data: This is data that is technically generated when the website is accessed via the Hypertext Transfer Protocol (Secure) (HTTP(S)). This includes IP address, type and version of your Internet browser, operating system used, the page accessed, the previously visited page (referrer URL), date and time of access.
User ID: Username or random strings of letters and numbers used to verify that a login is authentic.
Encrypted version of the password: to allow future visits to the site without re-entering the password.

(iii)The legal basis for the processing is our legitimate interest in technically enabling access to non-public content and password-protected pages (Art. 6 para. 1 lit. f) GDPR).

(iv)The login data is entered by you, further data is automatically provided by your browser.

(vi) The data will be stored for one year.

(vii) Without disclosing personal data, the use of the non-public areas of the website is not possible.

1.2 Server log data

When using the website, certain information is sent to the server of our website by the browser used on your device for technical reasons. This data is stored and processed on our server.

(i) We process the following data for the purpose of providing the contents of the website that you have visited, to ensure the security of the IT infrastructure used, to correct errors, to enable and simplify searches on the website, and to manage cookies. A change of purpose is not planned.

(ii) The data processed is HTTP data: HTTP data is protocol data that is generated for technical reasons when the website is visited via the Hypertext Transfer Protocol (Secure) (HTTP(S)): This includes IP address, type, and version of your Internet browser, operating system used, the page visited, the page previously visited (referrer URL), date and time of the visit. HTTP(S) data also accumulates on the servers of service providers (e.g., when requesting third-party content).

(iii) The legal basis for the processing is our legitimate interest in the operation of an internet presence and the communication with communication partners in accordance with Article 6 (1) (f) GDPR.

(iv) The data is automatically transmitted by the browser of the website visitor.

(v) Recipients of the personal data are IT service providers, which we use as processors within the framework of a data processing agreement

(vi) IP addresses are saved for 30 days and then deleted.

(vii) Without disclosure of personal data such as the IP address, the use of the website is not possible. Communication via the website without the disclosure of data is technically not possible

2. Communication Partners and Interested Parties

The company of the GROPYUS Group to which you specifically address your communication request is responsible for data processing in the context of communication. GROPYUS AG is responsible for processing data in the context of a general contact form without specification of a particular company of the GROPYUS Group.

(i) The purpose of the processing is the preparation and execution of a contractual relationship or other communication. A change of purpose is not planned.

(ii) Processed data are name, contact data, communication details, the time stamp of communication as well as technical metadata of communication.

(iii) The legal basis for processing is Article 6 (1) (b) GDPR (contract or contract initiation) in the case of contracts with natural persons, whereas for contracts with legal persons, Article 6 (1) (f) GDPR (legitimate interest, namely communication with contact persons relevant to the contract) and in all cases Article 6 (1) (c) GDPR (statutory obligations, in particular, tax and commercial law provisions). For simple communication, the legal basis is Article 6 (1) (f) GDPR (legitimate interest, namely documentation of communication processes).

(iv) Contact data is actively provided by the data subject. Communication metadata and communication data are automatically collected.

(v) Contact and contract data can be transmitted to other service providers, business partners, as well as offices and authorities if necessary for the execution of the contract or order. We also use service providers as processors within the framework of a data processing agreement for the provision of services, especially for the provision, maintenance, and servicing of IT systems.

(vi) Data of contract partners and service providers will be deleted ten calendar years after termination of the contract or order. Inquiries and communication will be deleted automatically after ten calendar years.

(vii) The processing of contact data of the service providers and business partners is necessary to execute the contract or order. If the data is not provided, the communication may be considerably disturbed. For interested parties, the provision of data is obligatory. Without the provision of data, communication is not possible.

3. Customers and Contact Persons at Customers

The company of the GROPYUS Group with which you have a contractual relationship is responsible for data processing in the context of communication with customers and contact persons at customers.

(i) We process your data for the purpose of performing the contractual relationship and processing payments. This also includes consulting, support, and information about new services. A change of purpose is not planned.

(ii) The processed data are name, address data, information on the company, and payment data, as well as contractual relevant communication data.

(iii) The legal basis for processing the data of customers who are natural persons is Article 6 (1) (b) GDPR (contract) and Article 6 (1) (c) GDPR (legal obligations). The legal basis for the processing of contact data for customers who are not natural persons is Article 6 (1) (f) GDPR (legitimate interest, namely communication with the customer). The legal basis for information on services is Article 6 (1) (f) GDPR (legitimate interest, namely advertising. The legal basis for the transfer of payment information to payment providers is Article 6 (1) (f) GDPR (legitimate interest in centrally controlled payment processing by a payment service provider).

(iv) The data is provided either by yourself or your supervisor.

(v) Recipients of data may be banks and payment providers for the processing of payments and creditworthiness checks. In individual cases, data may be transferred to debt collection service providers, lawyers, and courts. We also use service providers as processors within the framework of a data processing agreement for the provision of services, in particular for the provision, maintenance, and servicing of IT systems.

(vi) All contractual and booking relevant data are stored for a period of ten calendar years after termination of the contract in accordance with tax and commercial law retention periods.

(vii) The provision of data is obligatory for customers based on statutory and contractual regulations. The contractual relationship cannot be established and performed without providing data.

4. Visitors of the GROPYUS Job Board

GROPYUS AG operates a job application portal for all companies of the GROPYUS Group. When using the application portal, the information on the GROPYUS website (see section 1. above) applies in addition to the following information.

4.1 Technically required cookies

We use cookies on the website of the GROPYUS Job Board. Cookies are small text files that can be stored on your device via the browser when you visit the website. When you visit a website repeatedly with the same device, we can read and process the information stored in cookies. In doing so, we use the processing and storage functions of the browser of your device and collect information from the memory of the browser of the end device.

In the structure of this Privacy Policy, we differentiate between technically required cookies and content from third-party providers. Cookies that are technically required for the functioning of the website cannot be deactivated via the cookie management function of this website. However, you can generally deactivate cookies at any time in your browser. Different browsers offer different ways to configure the cookie settings in the browser. However, we would like to point out that some functions of the website may not function or no longer function properly if you generally deactivate cookies in your browser.

a) Session Cookies

We use so-called session cookies. These allow us to save your Job application account as well as your individual settings and certain actions for the duration of your visit (e.g., login, language setting).

(i) The purpose of data processing is to enable the login function and individual settings (e.g., language). A change of purpose is not planned.

(ii) The processed data are data on your Job Board account and language selection.

(iii) The legal basis for the processing is our legitimate interest in providing the individual sessions to you, including the respective language setting (Article 6 (1) (f) GDPR).

(iv) The data is automatically transmitted by your browser.

(v) Recipients of the personal data are IT service providers, which we use as processors within the framework of a data processing agreement.

(vi) The data will be deleted after the end of the session.

(vii) Without disclosure of personal data, the use of the website is not possible. Communication via the website without the disclosure of data is technically not possible.

b) SAP Cookies (Career Site Builder Cookies)

We also use SAP cookies to ensure the technical function of the GROPYUS Job Board.

(i) The purpose of data processing is to ensure the technical function of the GROPYUS Job Board (requests to the correct data center, load balancing). A change of purpose is not planned.

(ii) The processed data is H TTP data: HTTP data is protocol data that is generated for technical reasons when the website is visited via the Hypertext Transfer Protocol (Secure) (HTTP(S)): This includes IP address, type, and version of your Internet browser, operating system used, the page visited, the page previously visited (referrer URL), date and time of the visit. HTTP(S) data also accumulates on the servers of service providers (e.g., when requesting third-party content).

(iii) The legal basis for the processing is our legitimate interest in the technical provision of the GROPYUS Job Board (Article 6 (1) (f) GDPR).

(iv) The data is automatically transmitted by your browser.

(v) Recipients of the personal data are IT service providers, which we use as processors within the framework of a data processing agreement.

(vi) The data will be deleted after the end of the session.

(vii) Without disclosure of personal data, the use of the website is not possible. Communication via the website without the disclosure of data is technically not possible.

5. Job Applicants

The company of the GROPYUS Group to which you specifically apply is responsible for data processing in the job application process. GROPYUS AG is responsible for the processing of data in the context of initiative applications or job postings without specification of a particular company of the GROPYUS Group. You can reach the company responsible in each case by post at the address given in the job posting.

(i) The purpose of data processing is the selection of job applicants for employment. We also use anonymized data for statistical evaluations. A change of purpose is not planned.

(ii) The processed data are name, contact data, communication details, login data on the Job Board (if applicable), interview notes, job application documents including certificates and curriculum vitae, the time stamp of communication, as well as technical metadata of communication.

(iii) The legal basis is Article 6 (1) (b) (initiation of the employment contract) in conjunction with Article 88 GDPR and the national regulations on employee data protection at the headquarters of the GROPYUS Group company to which you are applying. If we transfer your application documents to other affiliated companies, the legal basis for this is Article 6 (1) (f) GDPR (legitimate interest in group-internal job applicant management). If we are currently unable to offer you a position, but your application is suitable for other positions in the future, and you do not object to further storage, the legal basis for further storage is Article 6 (1) (f) GDPR (legitimate interest in retaining suitable job applications).

(iv) The job application data will be transferred internally to the responsible employees in charge of the decision-making. In this context, the data may also be passed on to other affiliated companies of the GROPYUS Group, provided that you do not object to such transfer. We also use service providers as processors within the framework of a data processing agreement for the provision of services, especially for the provision, maintenance, and servicing of IT systems.

(v) Application data is deleted six months after the end of the specific application process. If job applicants are also considered for future positions and do not object to further storage of their data, the data will remain stored for up to 12 months after the end of the job application process.

(vi) The provision of personal data is necessary for the examination of the job application and, if applicable, the subsequent conclusion of an employment contract. A job application cannot be considered without the provision of personal data.

6. Participants in a Video Conference via Microsoft Teams

The company within the GROPYUS Group that organizes the video conference is responsible for data processing in the context of the videoconference via Microsoft Teams.

(i) We process the data of participants for the purpose of organizing, conducting, and documenting video conferences via Microsoft Teams. If we separately indicate this in the context of the individual video conference and obtain your consent in this regard, a recording of the video conference is made. There are no plans to change these purposes.

(ii) The data of the participants processed in the context of the video conference are:

Participant data Name and surname, e-mail address

Conference data Meeting metadata: Topic, IP address, device/hardware information

Telephone data: For dial-in with telephone, information on incoming and outgoing telephone number, country name, start and end time, additional connection data if necessary.

Communication data Within the online event, your communication data in the form of questions, requests to speak or vote, as well as chat content will be processed. You always decide whether and in what form you want to participate.

Image, sound, and video data (and, in case of consent, the corresponding recordings): Within the video conference, image, sound, and video data of the participants will be processed. However, each person is always free to decide whether they want to switch on their camera and microphone or whether they just want to communicate via the chat window. If we have obtained your consent in this regard, the online event will be recorded, including the image, sound, and video data of the participants.

(iii) The legal basis for the processing of data of participants for the purpose of conducting the video conference is your consent pursuant to Art. 6 (1) lit. a GDPR. The legal basis for making recordings is also your consent pursuant to Art. 6 (1) lit. a GDPR.

(iv) The participant data is actively provided by the participants. The conference data is actively provided by the data subject or automatically by the browser or device of the data subject. The image, sound, or video data and communication data are collected automatically, and the recordings of the image, sound, or video data are made by the responsible GROPYUS Group company.

(v) The recipients of the name, communication data, and image, sound, and video data are always the other participants of the video conference. We also use service providers as processors within the framework of a data processing agreement for the provision of services, especially for the provision, maintenance, and servicing of IT systems, in particular the service provider Microsoft Ireland Operations Ltd. However, in the event of disruptions and malfunctions, Microsoft may also access the servers in Germany from so-called third countries such as the USA in order to carry out maintenance work. In third countries and especially in the USA, there is no level of data protection comparable to the provisions of the GDPR. The basis for data processing in the USA is your consent (Art. 49 (1) lit. a GDPR. It is possible that US authorities may access personal data without us or you being informed. Enforcement of your rights is probably not possible in the USA.

(vi) The participant data will be deleted after ten years (statutory retention periods). The conference data and communication data will usually be deleted 24 months after the video conference has taken place unless otherwise specified in the context of the individual video conference. The image, sound, and video data, as well as the corresponding recordings and the selected archived material, will not be deleted. However, the excess raw material of the recordings will be deleted 24 months after the online event has taken place. In addition, you can request the deletion of your personal data at any time unless we are legally or contractually obliged or entitled to further process the data.

(vii) The provision of data is contractually obligatory for participation in the video conference. Without the provision of data, participation in the video conference is not possible. The provision of communication, image, sound, and video data, as well as the production of image, sound, and video recordings, is not obligatory for participation in the video conference.

7. Rights of Data Subjects and Further Information

(i) We do not use any methods of automated individual decision-making.

(ii) You have the right to request information at any time about all your personal data, which we are processing.

(iii) If your personal data is incorrect or incomplete, you have the right to have it rectified and completed.

(iv) You can request the erasure of your personal data at any time, as long as we are not bound by legal obligations that require or allow us to continue processing your data.

(v) If the applicable legal requirements are met, you can request a restriction to the processing of your personal data.

(vi) You have the right to object to the processing insofar as the data processing is based on profiling or direct marketing purposes.

(vii) If the processing is carried out on the basis of the balancing of interests, you may object to the processing by stating reasons arising from your particular situation.

(viii) If the data processing takes place on the basis of your consent or a contract, you have the right to a transfer of the data provided by you, insofar as the rights and freedoms of others are thereby not impaired.

(ix) If we process your data on the basis of a declaration of consent, you have the right to revoke this consent at any time with future effect. The processing carried out prior to revocation remains unaffected by the revocation.

(x) Moreover, you have the right to file a complaint at any time with a data protection supervisory authority if you believe that data processing has been carried out in violation of the applicable law.

Version: May 31, 2022

Link zum Impressum