Privacy Statement

1 General information

The below statement will inform you about the type of personal data that we, as the data controller, collect and the purpose of the collection as well as the extent to which this data is disclosed to third parties.

1.1 Data controller and data protection officer

Vanguard AG

Landsberger Str. 222, 12623 Berlin, Germany

Email: info@vanguard.de

Telephone: +49 (0)30 / 3187 343 – 300

Data protection officer

Carola Sieling

c/o Technologiewerft c/o Kanzlei Sieling

Gutlittstrasse 24, 20099 Hamburg, Germany

Email: datenschutz@vanguard.de

Telephone: +49 (0)40 41923921

1.2 Agreement between joint controllers

This website is jointly provided by the aforementioned companies which are using shared servers and IT services for this purpose and jointly determine the purposes and means of the processing of personal data. Therefore the companies are considered “joint controllers” within the meaning of Art. 4 no. 7 in conjunction with Art. 26 para. 1 sentence 1 GDPR.

We determined in an agreement that, in general, the company first mentioned above is responsible for fulfilling our obligations under the GDPR, in particular those relating to data subject rights and duties to provide information. In individual cases specified in more detail, another company may be responsible if it is most closely connected to the relevant processing operation.

Of course you are free to contact any of our companies, or their respective contacts, and/or our data protection officer if you have any concerns relating to data protection or your rights as a data subject

1.3 Legal bases for processing of your personal data

The processing of personal data requires a legal basis which we would like to present to you below.

The legal basis for any processing of personal data for which we obtain the data subject’s consent is Article 6(1)(a) of the EU General Data Protection Regulation (GDPR).

The legal basis for any processing of personal data that is required for the performance of an agreement to which the data subject is a party is Article 6(1)(b) GDPR. This also includes processing operations that are required for the implementation of pre-contractual measures.

Where processing of personal data is required for compliance with a legal obligation to which our company is subject, such processing is based on Article 6(1)(c) GDPR.

Where processing is necessary for the purposes of the legitimate interest pursued by our company or by a third party, and where such interest is not overridden by the interests or fundamental rights and freedoms of the data subject, such processing is based on Article 6(1)(f) GDPR. The legitimate interest of our company is the conduct of our business activities as well as the analysis, optimisation and maintenance of the security of our online offering.

1.4 Data subject rights

You have the right to access the personal data concerning you that is stored at our company. In particular, you may request information about the purposes of processing, the category of the personal data, the categories of recipients to which your data was or is being disclosed, the envisaged retention period, the origin of your data where it was not collected from you by us directly, as well as the existence of automated decision making, including profiling, and, as applicable, meaningful information concerning its details.

Under the legal regulations you also have the right to the rectification of inaccurate data, restriction of processing, data portability and the erasure of your personal data. To exercise these rights, you can send us an email using the words “data privacy” in the subject line.

You also have the right to lodge a complaint with a data protection supervisory authority if you believe that personal data concerning you is being processed in violation of legal regulations.

On grounds relating to your particular situation, you may object to our processing of personal data concerning you which is based on subsections (e) or (f) of Article 6(1) GDPR at any time. This also applies to profiling based on these provisions (Art. 21 GDPR). Where the legal requirements are met, we will no longer process your personal data following such objection.

Where personal data is processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing; this also applies to profiling to the extent that it is related to such direct marketing.

Based on your objection, the personal data will no longer be processed for such purposes.

Where you have given your consent, you have the right to withdraw your consent at any time. This does not affect the lawfulness of any processing carried out prior to the withdrawal of your consent.

We currently do not engage in automated decision making, including profiling.

If you exercise any of the aforementioned rights as a data subject, we process your personal data collected in this context to respond to your request. Your personal data is processed to comply with a legal obligation.

If you object to processing, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing of this data which override your interests, rights and freedoms or your personal data is processed for the establishment, exercise or defence of legal claims.

1.5 Retention period for personal data

Unless we have provided information on retention periods for the specific items, the following applies: We retain personal data for the duration of the applicable statutory retention period or for as long as the purpose of the collection exists. Upon the expiry of the retention period, data is erased routinely unless it is required for pre-contractual measures or for performing a contract. Where user data is not erased because it is required for other, lawful purposes, its processing is restricted to the maximum possible extent. Accordingly, where possible, the data will be blocked and not processed for other purposes. This, for example, applies to user data that must be retained for reasons related to commercial or tax law.

2 Contract-related data processing

When you enter into a contractual relationship with us or inquire about a contractual relationship, we typically collect the following data: Form of address, first and last name, email address, postal address, telephone/mobile phone number, information that is required for performing the contract and for pre-contractual measures.

We need this data to be able to identify you as a contracting party, perform the contract or contact you or for billing purposes. Data is processed upon your/our request or order and is required for the purposes specified for the mutual performance and obligation under the contract.

We may also process data based on a legitimate interest, e.g. in the context of the establishment or defence of legal claims under the contract. The personal data collected is stored until the expiry of the contractual relationship and deleted thereafter unless we need to retain it for a longer period due to legal retention and documentation obligations under tax and commercial law (specifically the German commercial code, the German criminal code or the German tax code).

We use the data of our (future) contracting partners and employees (first name, last name and, as applicable, address) to check this data against sanctions lists. Sanctions lists are lists containing persons, associations or companies that are subject to economic or legal restrictions imposed by governments which are centrally created and maintained. We have an obligation under various regulations to take steps to prevent any support of business partners, suppliers but also our (potential) employees if they are included on such lists. We only use the data to ensure that these persons are not included on any sanctions list. We need this information to comply with our legal obligations and prevent the imposition of potential sanctions. This is also in our legitimate interest.

Further information on this is also available in our privacy statement for customers.

3 Application data

We receive data from you when you submit an application to us. We provide information to you about this in our separate privacy statement for applications which is available on our career web page.

4 Data processing related to the website

4.1 Log files, hosting

The server statistics automatically store data transmitted to us by the browser in the context of our legitimate interest in analysing such data and for security reasons (referred to as “log files”).

In detail, the following data is collected in this context:

Language and version of the browser software
The operating system used and its interface
Referrer URL (last website visited prior to visiting our website)
Host name of the computer accessing our website (IP address)
Date and time of the server request
Time zone difference to Greenwich Mean Time (GMT)
Content of the request (specific page)
Data amount transferred
Access status/ HTTP status code

In general, we cannot attribute this data to specific persons. This data is not combined with other data sources. The data is also deleted on a monthly basis following its statistical analysis. Data we need to continue to retain for evidentiary purposes cannot be deleted until the incident has been fully resolved.

We use hosting services. They are used to provide infrastructure and platform services, computing capacity, storage space and database services, security services as well as technical maintenance services to maintain the operation of this online offering.

In this context we or our hosting provider process inventory data, contact data, content data, contract data, usage data, meta and communication data of customers, interested parties and visitors of this online offering based on our legitimate interest in making this online offering available in an efficient and secure manner.

4.2 Contact

When you contact us by email or using our contact form, we store the information provided by you to respond to your questions.

As a general rule, we do not disclose data to third parties unless the disclosure is justified under applicable data protection regulations or we have a legal obligation to disclose it. You can withdraw your consent at any time with future effect. If you withdraw your consent, your data will be erased without undue delay unless there is a legal exception that requires continued processing. Otherwise your data will be deleted when we have responded to your request or when the purpose for retaining the data no longer exists and there are no other legal exceptions that would prevent us from doing so.

4.3 Cookies

Cookies are small text files that are stored on your end device which are used to provide certain information to the entity placing the cookie. They are used to make the internet offering more user friendly and effective and/or facilitate your navigation on our website.

We only place cookies that are not absolutely necessary with your consent. You can withdraw this consent at any time with future effect.

Giving your consent is voluntary and you can also use our website without accepting cookies. You can also configure your browser settings according to your preferences and generally reject e.g. the acceptance of third-party cookies or all cookies or delete any cookies already stored. Please note that, if you do not accept cookies, the functionality of our offering might be impaired. Unless otherwise specified in the context of the individual subjects addressed in this privacy statement or in the cookie banner, the lifespan of cookies is 24 months.

Information on which function on our website places cookies is provided in the description of the relevant function in our privacy statement and in the cookie banner.

4.4 Login

We offer different login options for e.g. customers and employees for special areas. The personal data entered in the context of logging in is transmitted to the data controller. The data is only stored by us for internal use.

When a user logs in, the system stores the user’s IP address as well as the date and time of the login. This is done to prevent misuse of the services. This data is not disclosed to third parties. The only situation where this general rule does not apply is if we have a legal obligation to disclose data.

Registration of the data is required for providing content or services for the contractual purpose. Registered persons may request the erasure or modification of the data stored at any time. Data subjects will always be provided information on the personal data stored concerning them.

5 Information provided to interested parties

Where you, as our contracting partner, have entered into a contract for our services, we offer you additional information on our own similar services using the email address you provided when entering into the contract (Section 7 III of the German Act against Unfair Competition (UWG)). You can object to receiving such information at any time.

These mailings are based on our legitimate interest in advertising our services.

6 Disclosure of data: General information and contractual purpose

We disclose data to third parties where this is necessary to perform a contract and/or we have a legal obligation or right to do so in an individual case. The data is typically disclosed to service providers contracted by us, for example for hosting, operation, maintenance and support of IT systems, communication systems and disposal, as applicable. In addition, your data may also be transmitted to postal and delivery services, our main bank, tax consultants/auditors and lawyers.

Sharefile

For a secure exchange of data with our company we provide files to our customers in a virtual data room. For this purpose we use the ShareFile platform provided by Progress Software Corporation, 15 Wayside Rd, Suite 400, Burlington, MA 01803, USA.

The platform is used with your consent and for contractual purposes.

The exchange of data using virtual data rooms involves the processing of various types of data. The volume and content of the data depends on the information that is relevant to the file content and the agreements we have with you.

ShareFile is a cloud-based exchange platform. Its central components are the document exchange feature and the device-independent access to files. ShareFile allows you to make voluminous documents available to one or multiple persons.

Further information can be found in the data protection information available at https://www.progress.com/legal/privacy-center

7 Disclosure of data: Tools used in the operation of the website and online services

In part we use the online offering of external service providers for analysis, optimisation and efficient operation purposes within the scope of your consent and/or our legitimate interests. If you have given your consent to tools that are not required for the operation of the website, you can change these settings again at any time. We are providing a list of our service providers below.

Where your data would be used for other purposes, we will notify you ahead of time and only use the data where you have expressly given your additional consent.

7.1 Google – YouTube

Within the scope of your consent we use services provided under the responsibility of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”) for optimisation purposes under https://www.vanguard.de and the efficient operation of our online offering.

Google LLC is certified under the Data Privacy Framework and we have executed EU standard contractual clauses meaning that possible measures to ensure compliance with European data protection law have been taken.

YouTube

We use YouTube, a service provided by Google, for embedding videos.

These videos are stored on www.youtube.com and can be directly played from our website. YouTube uses cookies to collect data and perform statistical analyses of data. YouTube uses cookies among other reasons to collect reliable video statistics, to prevent fraud and to improve user-friendliness. The information on your use of this website generated by the cookie (including your IP address) is transferred to YouTube servers (including servers located in the USA) and stored there. Your IP address cannot be attributed to your person unless you have logged in to YouTube or another Google service before accessing the page (or are always logged in). If you do not want your IP address to be attributed to your person, you need to log out of your YouTube account and your other Google accounts.

The YouTube cookies provide us with statistical values regarding viewing of individual videos embedded in the website without any connection to the respective user.

The embedded YouTube videos are used by YouTube within the scope of the permitted use which all users must accept. If you notice any violation of copyrights, please report it directly to YouTube. We use embedded YouTube videos in the privacy-enhanced mode. This means that YouTube does not store cookies for a user who displays a website with an embedded YouTube video player without clicking on the video to start playback. If the user clicks on the YouTube video player, YouTube may store cookies on the user’s computer. We note that we, as the web pages provider, do not receive any information about the content of the data transmitted or its use by YouTube. Further information on YouTube’s official privacy policy can be found on https://www.google.de/intl/de/policies/privacy/ and on https://support.google.com/youtube/answer/171780?hl=de.

7.2 Polylang

To be able to display our website https://www.vanguard.de in multiple languages, we use the Polylang service. Polylang is provided by WP SYNTEX, 8, rue Joseph Cugnot 38307 Bourgoin Jallieu, France. Polylang cookies are only placed for the necessary and legitimate purpose of recognising and noting the language used or selected by the user. These cookies are stored for one year and are deleted thereafter. Additional information on compliance with data protection laws can be found here: https://polylang.pro/doc/is-polylang-compatible-with-the-eu-cookie-law/.

7.3 CookieYes

On our websites https://www.vanguard.de and https://vanguard-healthcare.com we use the Cookieyes service provided by CookieYes Limited, Warren Park, 3 Warren Yard, Wolverton Mill, Wolverton, MK12 5NW Milton Keynes, United Kingdom, to comply with our legal obligations. The related data is transmitted to a third country outside the EU. The EU commission has issued an adequacy decision for this country. An up-to-date list of all adequacy decisions is available on the EU Commission’s website (Link: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_de).

The service provided by Cookieyes is used to create and implement data protection information as well as to embed a cookie banner that stores and implements the individual settings of website visitors.

Further information can be found in the provider’s privacy statement available at https://www.cookieyes.com/privacy-policy/.

7.4 Complianz

On our website https://spmintegra.de we use the cookie consent tool Complianz, which we store locally, to comply with our legal obligations.

The cookie consent tool stores and provides information about the individual settings of website visitors regarding consent to cookies and implements them.

7.5 Burst Statistics

We use the Burst Statistics tool to create web statistics for our web pages. The Burst plugin is executed locally on our own web server and does not collect any IP addresses.

8 Storage of data outside of the EU/EEA

Where this is mentioned above in the individual tool descriptions, we use tools provided by US third-party providers. In this context, to the extent this is required for the communicated purposes, your IP address may be processed outside of the European Economic Area where a data protection level equivalent to the European standard is not always consistently ensured or confirmed (for example using an adequate safeguard, as defined in Art. 46 GDPR, or an adequacy decision by the European Commission). Consequently, it is not possible to exclude, in particular, that security agencies in a third country may gain access to your IP address without you being able to effectively take legal action against this.

The transmission of the IP address to such third parties is based on Art. 49(1)(a) GDPR, i.e. your consent which is granted by you expressly in the consent banner. This consent is voluntary. You can withdraw it at any time with future effect. You will not suffer any disadvantage based on the withdrawal.

In the opinion of some US third-party providers, a level of protection equivalent to the European standard is already ensured by executing what is referred to as “standard contractual clauses” as well as taking additional measures within the meaning of the Schrems II ruling. Given that the suitability of such measures for ensuring an adequate level of data protection is disputed, however, we decided to nevertheless only transmit your IP address with your consent.

The certification of some companies under the Data Privacy Framework (DPF) is meant to ensure the level of protection and can be checked for these companies here: https://www.dataprivacyframework.gov/s/ . This certification is deemed a sufficient measure to ensure an adequate level of data protection.

9 Our presences in social media

We maintain online presences within social media and platforms. We consider these presences a means to communicate with customers, interested parties and users who are active on them to inform them about our services and our company.

Processing of personal data of users who are active on them is based on our legitimate interest in communicating with and providing information to such users. Where users provided their consent to data processing in the context of using the relevant social platform, processing is based on such consent.

When you visit one of our social media presences, we are jointly responsible for the data processing operations triggered by your visit together with the operator of the social platform. In principle, you can assert your rights (access, rectification, erasure, restriction of processing, data portability and complaints, see the following section “Data subject rights”) by contacting us and by contacting the operator of the relevant social platform.

Please note that, despite our joint responsibility, we cannot fully influence data processing operations performed on the social platform and, as applicable, may forward a request relating to data subject rights to the relevant operator for better processing of the rights-related requests. Our options always depend on the company policy of the relevant provider.

Our information on data retention is set out below. We do not have any influence on the retention period for your data that is stored by the operator of the social platform for its own purposes. Please check directly with the operators of the social networks for details on this subject (e.g. by reading their privacy statement, see below).

Depending on the terms of the relevant platform mentioned below, user data may also be processed outside of the territory of the European Union. We have agreed EU standard contractual clauses with companies located in the USA or they are certified under the Data Privacy Framework (DPF) which means that we have taken measures available to us to ensure compliance with European data protection law.

In general, user data is processed by the platforms for market research and advertising purposes. For example, a user’s behaviour and interests derived from it can be used to create a usage profile. Usage profiles in turn, for example, can be used to place ads—which supposedly match users’ interests—within and outside of the platform. For this purpose, the platforms typically place cookies on users’ computers that store user behaviour and interests. The platforms may also store data in usage profiles that is independent from the devices used by users. This is done specifically where users are members of the relevant platforms and are logged in on these platforms.

For a detailed description of the relevant processing operations and the options for objecting to them we refer to the provider information linked below.

9.1 Google/ YouTube

(Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland)

Privacy statement: https://policies.google.com/privacy

Opt-out: https://adssettings.google.com/authenticated

9.2 Twitter (X)

(Twitter International Unlimited Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07, Ireland)

Privacy statement: https://twitter.com/de/privacy

Opt-out: https://twitter.com/personalization

9.3 LinkedIn

(LinkedIn Ireland Unlimited Company Wilton Place, Dublin 2, Ireland)

Privacy statement: https://www.linkedin.com/legal/privacy-policy

Opt-out: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out

9.4 Xing

(New Work SE, Am Strandkai 1, 20457 Hamburg, Germany)

Privacy statement:/ Opt-out: https://privacy.xing.com/de/datenschutzerklaerung

9.5 Kununu

(New Work SE, Am Strandkai 1, 20457 Hamburg, Germany)

Privacy statement: https://privacy.xing.com/de/datenschutzerklaerung

This privacy statement was provided by Technologiewerft GmbH.