We are Sinion Ltd, a company offering corporate services. In this Privacy Policy, we inform you about how we handle your personal data as part of our business operations. Any reference to data processing by “us” or “we” throughout this policy is referencing the applicable data controller for the respective data processing activity.
Data is considered personal if it relates to an identified or identifiable natural person. This includes, for example, your name, your address and your IP address. The provisions below serve to provide information as to the manner, extent and purpose in which we process your personal data.
Website
Visiting a website
If you visit one of our website/s for informational purposes, we process your IP address, information on the device and browser you are using (operating system, browser type and version, host name of the device), the referrer URL and time and date of your request. We process this data to display to you our website correctly, enable its core functions, and to ensure the stability and security of our site.
To provide our website and its basic functions (e.g. language settings, cookie settings), we place cookies on your device. A cookie is a small piece of data placed on your computer’s hard drive that permits it to identify a specific device or browser. Most of these cookies are session cookies that expire at the end of your browsing session. The cookie we use to determine your preferred language which is based on your location as well as the cookie we use to store your cookie settings for our website will both expire within 12 months.
The legal basis for this data processing is Art. 6 (1) (1) (b) GDPR, insofar as it serves to provide our website to you, and Art. 6 (1) (1) (f) GDPR, as we have a legitimate interest to ensure the security of our website, a user-friendly, effective and secure experience and smooth access to its key functions.
Communication between you and us, including newsletters
We may communicate with each other via various communication channels. In these cases, we may, inter alia, process your personal data for the following purposes:
Communication via different communication channels
You may contact us via various channels, including by post, email, fax or telephone. If we communicate, we share personal data with each other. Therefore, we may process your contact data and communication data (e.g. messages, conversations, shared files). The purpose of this data processing is to enable ongoing communication between us and to take care of your request. Based on the communication channel used, additional data may be processed. For example, if we communicate via video conferencing tools, such tools may additionally process technical and service-related data to ensure an uninterrupted connection for our communication. We also sometimes conclude contracts electronically or sign related documents electronically using an electronic signature tool. The legal basis for the processing relating to communication with you is Art. 6 (1) (1) (b) GDPR or, if the contact does not relate to the conclusion or performance of a contract, Art. 6 (1) (1) (f) GDPR. We have a legitimate interest in having optimized and comprehensible communication and document approval processes with our customers, contract and business partners and respond to their requests.
(Potential) contract partners and their employees
You may be our contract partner, or you may be about to conclude a contract with us, or you may be employed by one of our (potential) contract partners. If you provide us with personal data of other individuals (e.g. your employees, your managing directors or others), please make sure that they are aware of this Privacy Policy and that you only provide us with their data if you are allowed to do so and such personal data is correct.
If there is a contract or contract negotiations between you and us or between your employer or company and us, we may process your personal data in connection with the contract conclusion and execution. This may include your name and your contact details as well as other data that is relevant for the contract (e.g. financial and accounting information) as far as this information relates to you personally. We may also process contact information of your employees who are in charge of handling the contractual relationship for you.
The purpose of this data processing is to prepare, conclude or execute the contract between you or your employer or company. The legal basis for the processing relating to contract conclusion or execution is Art. 6 (1) (1) (b) GDPR, or, if the contract is concluded with your employer or company, our legitimate interest in conducting and managing this contractual relationship with your employer or company, Art 6 (1) (1) (f) GDPR. Please note that if the services you provide to us include your appearance as a speaker in one of our events or calls and we have agreed on a recording of it, the data processed for contract execution (Art. 6 (1) 81) (b) GDPR) includes video, voice and/or image recordings and their subsequent use / distribution, as the case may be.
Job applicants
You may apply for a job with us, including via careers websites operated by us. Further, you may submit your application via third party platforms (e.g. Linkedin) where we advertise vacancies and request applications. In order to enable us to make you the best possible job offer and to fill open positions within the company and within affiliated companies in the best possible way, your application data will be shared with the relevant company with a suitable job opening, which is responsible for data processing in this case (Art. 6 (1) (1) (f) GDPR). This is in our interest as well as in the interest of the entities involved to be able to fill vacancies with the best possible candidates. We also do so with your best interest in mind to make you the best possible job offer.
In the case of your application, we process your name, contact details, information on your qualifications and previous work experience and other information to select a suitable candidate for the respective positions for the application process. This data processing is necessary to process job applications and, ultimately, to prepare an employment contract. We cannot consider you for a position without processing the aforementioned data. You may also provide us with information that has been marked as voluntary on our career website (e.g. on how you were attracted to the position you apply for). If you do so, we process this as part of your job application based on your consent (Art. 6 (1) (1) (a) GDPR). If your application is unsuccessful, your data will be deleted after the hiring process has been concluded, at the latest within 6 months.
If you are interested in receiving information about other positions in the future, we will retain and process your data for this purpose based on your consent (Art. 6 (1) (1) (a) GDPR). In this case, the data will be retained for 12 months, unless you revoke your consent at an earlier point.
Visiting our business premises, including video surveillance
If you visit our business premises, we process your name and the reason for your visit in order to enforce our access control measures to safeguard the security of our business operations. We cannot grant you access to our premises without processing this information. We process this data based on our legitimate interests to enforce suitable security measures (Art. 6 (1) (1) (f) GDPR). In limited specific cases, we may also be required by law to collect certain personal data for security, public health or other important reasons (such as information about the time and date of your visit for compliance with mandatory measures for protection against the Covid-19 pandemic). We process respective data based on Art. 6 (1) (1) (c) GDPR in connection with our relevant legal obligations.
To further ensure the safety and security of our buildings, assets, staff and visitors, we may operate a video surveillance system in certain areas of our business premises. If you visit our premises, these cameras might capture your image. We process data using video surveillance based on our legitimate interest to protect our business premises, property and information, as well as staff and visitors against threats (Art. 6 (1) (1) (f) GDPR). Video surveillance recordings are not evaluated in the regular course but only in exceptional cases, e.g. suspected criminal offences. The images are retained for a maximum of 72 hours. Thereafter, all images are deleted unless images need to be stored for further investigations or as evidence of a security incident.
Invitation to and participation in events
We may invite you to our events. For this purpose, we may process your name, contact details as well as relevant information on your relationship with us (e.g. business partner, press contact, etc.). The legal basis for this processing is either your consent to receive respective invitations (Art. 6 (1) (1) (a) GDPR) or our legitimate interests to maintain and further our relationship with you (Art. 6 (1) (1) (f) GDPR).
At our events, we may take photographs and, as part of this, potentially capture your image. The legal basis for this data processing is Art. 6 (1) (1) (f) GDPR as we have a legitimate interest in internally documenting our events. In case we intend to use images where you are clearly recognizable for marketing and press-related purposes, we will only do so with your consent (Art. 6 (1) (1) (a) GDPR).
Some of our events may be held digitally, e.g. as webcasts, video meetings, etc. In this case, we may process additional personal data, such as your IP address and technical information (e.g. browser version) to be able to provide you a secure and user-friendly access to the digital event. The legal basis for this data processing is Art. 6 (1) (1) (b) GDPR as well as Art. 6 (1) (1) (f) GDPR. We have a legitimate interest in enabling digital events to run smoothly. If you participate in a digital event and we wish to record it (e.g. video, audio), we will only do so with your consent (Art. 6 (1) (1) (a) GDPR).
If you appear as a speaker or take an active role in one of our (digital) events, please take note of additional information on data processing as part of your contractual engagement in Section 3 above.
Press releases and media enquiries
We send out press releases and updates with information about development projects, business updates and other initiatives to journalists and press representatives we have met (e.g. you may have given us your business card at an event). If you are such a press representative, we process your contact data to provide you with such updates based on our legitimate interest to manage our public image (Art. 6 (1) (1) (f) GDPR).
You may also contact us to receive these updates by sending us your contact details (name, e-mail address, the name of your company/institution/employer) by e-mail to [[email protected]]. We will then add you to the respective mailing list for relevant topics or locations. The legal basis for this processing activity is Art. 6 (1) (1) (b) GDPR (provision of updates based on your request).
You can unsubscribe from receiving press releases at any time by sending us an email to the contact address provided above.
Whistleblowing system of Sinion
Sinion has implemented a whistleblowing system that enables employees[, business partners and service providers] to submit reports on relevant compliance violations via different reporting channels[, including the possibility to submit these reports anonymously, if you wish to do so]. You may find information about the different reporting channels on our website. We offer reporting via post, email, telephone and personal meetings [as well as a digital reporting system. You may access the aforementioned digital reporting system here: [●]. Under this hyperlink, you will also find more detailed information on the functioning of this system, security measures and data protection in connection with the digital reporting system.]
We may process personal data contained in reports from the whistleblowing system as well as any follow-up communication relating to the reported incident, including on potential witnesses and any accused persons, as part of our investigations and potential subsequent measures (e.g. disciplinary measures). If a potential whistleblower reaches out via post, telephone, email or personal meeting, they may voluntarily provide information on their contact details (such as address, telephone, email) for follow-up communication [which could reveal their identity]. The selected individuals handling the communication and investigations receive regular training on confidentiality and data protection and are bound to confidentiality. As part of the investigation and, depending on which group entity is affected by the incident, some data may be processed by said relevantly affected group entity.
We process this personal data based on our legitimate interests (Art. 6 (1) (1) f GDPR) to have reporting channels that enable us to receive and investigate reports on potential criminal offenses, serious compliance violations and other cases of abuse throughout the company.]
Data processing for IT and IT security related purposes
We maintain and use IT systems for processing personal data (such as email systems). Furthermore, we are obliged to protect the personal data we hold for you, our business and contract partners and our employees. We may process your personal data to facilitate the use and management of our IT systems that are accessible to you (such as email systems or websites). For these IT systems, we have implemented and constantly update our IT security measures in order to comply with our duties imposed by the GDPR and other IT and data security laws. For the aforementioned purposes, we may process information generated by such access, such as names, email addresses and passwords, user names, nature and content of emails (including date and time), IP addresses, device information, network location. The scope of data processing depends on the respective IT system and its IT security protection measures.
This data is exclusively used to maintain and grant access to our IT systems and to ensure a proper IT security standard in this process. The legal basis for data processing is Art. 6 (1) (1) (f) GDPR, as well as Art. 6 (1) (1) (c) GDPR in conjunction with Art. 32 (1) GDPR. We have a legitimate interest in using, maintaining and protecting our IT systems from cyber-threats and other security incidents that could harm our business or your data.
We may engage service providers to provide respective IT security measures. The data transfer to those service providers is justified under Art. 28 GDPR in connection with the data processing agreement.
Other data processing purposes
In specific cases, we may process your personal data for the following purposes:
- We may process your personal data to comply with legal obligations that we face (e.g. regarding data retention under commercial or tax law). The legal basis for such data processing is Art. 6 (1) (1) c GDPR in connection with the relevant legal provisions.
- We may process your personal data if we sell our company, a part of it or other assets, or in case we buy another company, a part of it or other assets. The legal basis for this data processing is our legitimate interest (Art. 6 (1) (1) f GDPR) to further the development of our company through mergers and acquisitions.
- We may have a legal obligation to participate in investigations and proceedings of public authorities and the government. The legal basis for such processing is Art. 6 (1) (1) c GDPR in connection with the respective provision establishing our legal obligations.
- We may also process your personal data to protect our rights and safety, our contract and business partners and others, including through assertion of or participation in legal proceedings. The legal basis for this data processing is either a respective legal obligation to this effect (Art. 6 (1) (1) c GDPR in connection with the relevant legal provisions) or our legitimate interest or of those affected to assert legal claims (Art. 6 (1) (1) f GDPR).
Disclosure of your data to external recipients
For some of the aforementioned purposes, we may disclose your personal data to other parties. In addition to any recipients already mentioned in this privacy policy, these categories of recipients may include data processors acting on our behalf and bound by our instructions, such as:
- Communication service providers, e.g. mail relay and fax providers, providers of video conferencing tools
- Newsletter and contact form providers
- Providers of solutions for job application management
- Electronic signature tool providers
- Video surveillance providers
- IT and IT security providers
- Software providers (including software as a service solutions)
- Accounting and billing providers
- Group-internal providers of “shared services” (such as HR, marketing or Legal)
- Other service providers (e.g. events agencies)
The legal basis for respective data transfers is Art. 28 GDPR in connection with the respective data processing agreement concluded with the recipient. Through these agreements, we have contractually bound these recipients to process your personal data only on our behalf and in accordance with our instructions.
We will also transfer your personal data to other third parties for some of the purposes and according to the legal bases mentioned above in this Privacy Policy, in particular:
- Lawyers and tax advisors, notaries, courts, government authorities and agencies
- Banks and insurances
- Credit reference agencies
Third country data transfers
When sharing your personal data with external recipients (see Section 11 above), some of your personal data may be transferred to other countries, including third countries outside the EU / EEA where such laws may not provide the same level of protection for your personal data as the GDPR does. Please note that data processed in a foreign country may be subject to foreign laws and accessible to foreign governments, courts, law enforcement, and regulatory agencies. However, we will endeavor to take the required measures to maintain an adequate level of data protection when sharing your personal data with recipients established in such countries.
In the case of a transfer to a country outside of the EEA, this transfer is either safeguarded by a so-called adequacy decision from the European Commission declaring that such country provides for an adequate level of data protection, or, if such adequacy decision does not exist, the conclusion of EU Standard contractual clauses (https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en) and additional measures, if necessary.
Security
We have reasonable state of the art security measures in place to protect against loss, misuse and alteration of personal data under our control. Whilst we cannot ensure or guarantee that loss, misuse or alteration of information will never occur, we will use all reasonable efforts to prevent it.
Data retention period
We retain your personal data only for as long as is necessary for the purpose for which it is processed and delete it afterwards, unless we are required by law to retain it for a longer period (e.g. to comply with statutory retention obligations under tax law).
Data protection rights
You have the following data protection rights, depending on the circumstances of the specific case, which you may exercise by contacting us as set out in Section 16 below:
Information
You have the right to require information as to whether your personal data is retained and request access to your personal data and/or copies of such data, including purposes of processing, the processed data categories, its recipients as well as potential data retention periods.
Rectification, restriction of processing, deletion
You have a right to request the rectification, deletion or restriction of processing of your personal data, for example if (i) it is incomplete or inaccurate, (ii) it is no longer necessary for the purposes for which it was collected, or, (iii) the consent on which the processing was based has been withdrawn.
Refusal or withdrawal of your consent to data processing
You have the right to refuse to provide and – without impact to data processing activities that have taken place before such withdrawal – withdraw your consent to processing of your personal data at any time.
Automated decision-making including profiling
You have the right not to be subjected to any automated decision making, including profiling, which produces legal effects on you or affects you with similar significance.
Right to data portability
You have the right to receive the data, which you have provided to us in a structured, commonly used and machine-readable format and have the right to transmit this data to another controller without hindrance from use. You also have the right to transmit this data directly to another controller, where technically feasible.
Right to object
You have the right to object, on grounds relating to your particular situation, at any time to the processing of your personal data, where we process your personal data for the performance of a task carried out in the public interest or in the exercise of official authority vested in us (Art. 6 (1) (1) (e) GDPR) or where we process your personal data based on our legitimate interests (Art. 6 (1) (1) (f) GDPR). In case we process your personal data for direct marketing purposes, you also have the right to object at any time.
Right to lodge a complaint with the competent supervisory authority
You have a right to take legal action against any potential breach of your rights regarding the processing of your personal data, as well as to lodge a complaint with the competent supervisory authority.
Contact
For questions, suggestions and comments on the topic of data protection, please feel free to contact us at [●] concerning the processing of your personal data.
Miscellaneous
We reserve the right to change this Privacy Policy from time to time in accordance with applicable data protection regulations. Please check this website regularly for updates.