This translation is a service provided by Perseus and was created using artificial intelligence. The German version is legally binding.

General Terms and Conditions of Perseus Technologies GmbH

Perseus Technologies GmbH (hereinafter: “Perseus”) offers services in connection with the security of information and communication technologies and systems and their use in companies (so-called “cyber security”). These services include, among other things, those for analyzing and evaluating the level of cyber security of companies as well as preventive consulting and training services to increase it, the use of software-based cyber security technology for real-time monitoring and defense, as well as consulting and coordination or management services in the event of a cyber attack and the resulting disadvantages. This range of services and the services covered by it are also referred to collectively as the “Perseus Cybersecurity Service” (hereinafter: “PCSS”).

These General Terms and Conditions (hereinafter “GTC”) apply to the offer and provision of the PCSS, the conclusion and execution of related contracts and the contractual and business relationships existing in this respect between Perseus and its relevant contractual and business partners (hereinafter uniformly referred to as “Customers”).

Basic principles; validity and amendment of these GTC

1.1 Perseus shall provide services exclusively on the basis of these GTC in conjunction with the Perseus service offer on which the respective contract is based. By booking a service within the meaning of these GTC, the customer agrees to the validity of these GTC in the version valid at the time of the customer’s declaration of intent to conclude a contract with Perseus (see also clause 2 of these GTC; hereinafter regularly referred to as “booking”).

If an offer from Perseus contains provisions that conflict with provisions in these GTC, the provisions in the offer shall take precedence in cases of doubt. Any other agreements on the basis of which the provisions of these GTC are to be deviated from shall be recorded in writing.

1.2 The services offered by Perseus are aimed exclusively at entrepreneurs and companies within the meaning of Section 14 of the German Civil Code (BGB), i.e. exclusively at natural or legal persons or partnerships with legal capacity who, when concluding a legal transaction with Perseus in this respect, are acting in the exercise of their commercial or independent professional activity (hereinafter uniformly referred to as “companies”). By making a booking, the customer declares that he is making the booking as a company.

1.3 These GTC shall apply to the entire business relationship between Perseus and its customers, insofar as the subject of this business relationship is the PCSS. In this respect, these GTC in their current version shall also apply to future bookings, even if Perseus does not expressly refer to them again and the GTC are not expressly included again in the contractual relationship in question. This applies in particular to extensions or renewals of bookings already made and to subsequent or follow-up bookings (e.g. so-called “re-checks” following an initial security check by Perseus).

1.4 Conflicting or deviating general terms and conditions of the customer shall only be included in a contract between Perseus and the customer if this has been expressly confirmed by Perseus in writing. If the customer’s general terms and conditions are effectively incorporated in this way, the continued validity of these GTC shall remain unaffected. Insofar as provisions of the customer’s general terms and conditions effectively incorporated contradict provisions of these GTC, the provisions of these GTC shall apply in case of doubt.

In all other respects, the customer’s general terms and conditions shall not be binding on Perseus, even if Perseus does not expressly object to their validity or the customer declares that it only wishes to perform a contract subject to its general terms and conditions.

1.5 For the purposes of these GTC and the legal relationships relating to the services provided by Perseus, a distinction shall be made between customers and “users” where necessary:

A customer is a party to a contract with Perseus under which the respective exchange relationship, in particular the corresponding obligation(s) of Perseus to perform and the corresponding counter-performance obligation of the contractual partner, is established with regard to the services or the range of services offered by Perseus. A user is anyone who, on the basis of such a contract, is entitled to use the contractual services of Perseus – in addition to the customer, if applicable – or is involved on the customer’s side in the provision and receipt of these services without himself being a party to the underlying contract with Perseus.

Users are regularly, but not necessarily, natural persons, in particular employees of the respective customer, who are involved in the provision and receipt of the contractual services of Perseus as agreed on the basis of a corresponding legal relationship with the customer. In addition, customers of a customer of Perseus may also merely be users within the meaning of these GTC; this applies in particular in the context of cooperation between Perseus and so-called “partner companies”, on the basis of which customers of the partner companies are entitled to use and utilize certain services or service modules of the PCSS and can register with Perseus for this purpose without themselves being customers of Perseus within the meaning of these GTC (hereinafter referred to as “partner models”).

Provisions of these GTC that are aimed at or refer to users always also apply to customers.

1.6 Perseus reserves the right to amend or supplement these GTC with effect for the future. If the subject matter of the contract is the permanent/repeated provision of services and an amendment to these GTC is to come into force during the term agreed in this respect, Perseus shall inform the customer of the new version of these GTC and the date from which it is to apply by means of a notification of amendment in text form. If the customer does not object to the inclusion of the amended GTC in these cases within two weeks of receipt of the notification of amendment, but at the latest by the date on which the amendments are to come into force, they shall be included in the contract concluded for the services concerned with effect for the future.

If the customer objects to the inclusion of the amendments in due time, Perseus shall be entitled to terminate the relevant contract with effect from the date on which the amended GTC are to enter into force in accordance with the notification of amendment. Payments already made by the customer shall be refunded to the extent that the scope of the relevant services up to the time of termination as a result of the termination by Perseus is less than that which would have been available to the customer as agreed up to the end of the current term at that time.

If the subject matter of the contract is the provision of a one-off service aimed at a specific result (in the sense of a work service pursuant to Section 631 BGB, e.g. the performance of an analysis and evaluation of the cyber security level on the part of the customer or a user group/a user company, so-called “security baseline check” and any subsequent so-called “re-checks”), these GTC shall apply in the version valid at the time of booking the service in question, irrespective of any changes made in the meantime.

Conclusion of contract, registration, establishment of user relationships, user accounts

2.1 Insofar as a contract between Perseus and a customer is not concluded by way of the mutual signing or signature of a contractual document (in written, electronic or other agreed form), a contract between the customer and Perseus shall be concluded by the customer making a binding booking for the relevant service(s) from Perseus using the function made available to the customer for this purpose in connection with the presentation and offer of the service(s) within the scope of the PCSS online presence. Insofar as Perseus provides a booking function there in relation to the respective service, the service offer within the framework of the PCSS online presence is therefore an offer by Perseus to conclude a corresponding contract, which the customer accepts with the binding booking of the service in question. Following an effective booking, the customer shall be sent a confirmation of the booking and, if necessary, information and functions relating to his registration or that of the relevant users for the relevant PCSS.

2.2 Insofar as services are the subject matter of the contract which are provided or utilized via the PCSS online presence, the utilization of such services requires the registration of the respective user by means of the registration function provided to the customer for this purpose within the framework of the PCSS online presence. With the registration of a user, a user relationship is established between the user and Perseus in accordance with these GTC, on the basis of which the user is obliged in particular to comply with the conditions of Perseus for the use and utilization of the relevant services of Perseus, the “Terms of Use for the Perseus Cybersecurity Service” of Perseus (hereinafter “Terms of Use”) (see also Section 5 of these GTC). The Terms of Use are an integral part of every contract between the customer and Perseus.

In these cases, a user account shall be set up for each customer and for each user group or user company of partner models, to which at least one user on the part of the customer or user group/user company in question shall have access as administrator to the account settings and the administration of the available services and, if agreed, the possibility of activating further users for the available services.

2.3 If Perseus offers to procure third-party service providers from Perseus’ cooperation network for the customer – e.g. in the course of providing consulting and coordination or management services in the event of a cyber-attack – for the use of services that go beyond those offered directly by Perseus, the customer shall conclude any contracts concluded with such third-party service providers as a result thereof in its own name and for its own account; Perseus shall not be involved in such contractual relationships, nor in their conclusion. Descriptions and/or conditions that Perseus may make available to the customer in relation to such third-party service providers and the services offered by them are provided solely for the customer’s preliminary information and are non-binding with regard to any contracts between the customer and the respective partner company or third-party service provider. In this respect, only the service descriptions and contractual conditions of the respective third-party service provider at the time of the conclusion of the contract between the latter and the customer are authoritative.

Services and obligations of Perseus

3.1 Unless otherwise agreed, the content and scope of the Perseus services covered by a usage model and individual PCSS service modules shall be based on their presentation and description on the PCSS online presence at the time of booking the relevant services.

If no detailed provisions have been made in this respect, Perseus shall be free to determine the type of services suitable for achieving the agreed purpose or, if no agreements have been made in this respect, the purpose recognizably pursued by the customer with the booking on the basis of the relevant service description, and, in particular, the manner in which they are provided at its due discretion.

3.2 If the services to be provided by Perseus include the sending of test phishing e-mails, it should be noted that in order to fulfill their purpose of evaluation and training with regard to the cyber security of the customer or the relevant user company and thus Perseus’ obligation to perform in this respect, they (must) come as close as possible to actual phishing e-mails in their design. For this purpose, as is a widespread method of actual “phishing”, the test phishing e-mails also imitate the names or companies and identifiers of existing companies and institutions. As the test phishing e-mails are sent solely for the aforementioned purpose and exclusively within the relevant user groups, this does not constitute the use of the names, companies and trademarks in question or the actual usurpation of such names, companies and trademarks.

3.3 Even if a partner company whose customers are entitled to use the services of the PCSS in the form of partner models as users on the basis of an agreement concluded between the partner company and Perseus in this respect is an insurer, the services provided by Perseus to the partner company’s customers in this respect are expressly not insurance or insurance benefits.

3.4 The customer acknowledges that a temporally and technically unlimited availability of the PCSS and the services offered within its framework, insofar as these are provided and/or utilized using Internet technology and infrastructure, is technically and factually not feasible and therefore cannot be guaranteed. In particular, the degree of availability and functionality of the Internet and the Internet access of customers and users and their capacity requirements are beyond the control of Perseus. To this extent, this also includes the functionality and effectiveness of other third-party technologies that Perseus may use to provide services.

Accordingly, Perseus shall take reasonable, technically feasible and state-of-the-art measures that are proportionate to the effort required to provide the PCSS and the services offered as part of it as comprehensively as possible. Against this background and in accordance with this provision, Perseus can nevertheless not guarantee that the PCSS and the services covered by it will be available and utilized at all times and/or without interruption.

Customers and users will be informed of unforeseen system failures in an appropriate manner. Where possible and reasonable, maintenance work shall be carried out outside normal business hours. If this is not possible and if the nature and/or scope of such maintenance work exceeds a reasonable level, Perseus shall inform the customers and users accordingly in good time in advance.

3.5 The customer is further advised that, according to the current state of the art, it is not possible to set up, operate and use information and communication systems connected to public networks that are always error-free and, above all, immune to interference or damage by third parties; cyber attacks are developed and, in particular, continuously further developed in technical and strategic terms with the aim of penetrating information systems undetected by overcoming or undermining precautionary and security measures taken in this regard. In addition, the quality and (resulting) effectiveness of measures to detect and defend against cyber attacks is naturally also dependent on the appropriate actions of the relevant employees on the customer’s side; in particular, the effectiveness of preventive consulting and training services provided by Perseus is largely dependent on the learning success and implementation of what has been taught on the customer’s side.

In particular with regard to Perseus’ preventive consulting and training services to increase the customer’s cyber security as well as such services of Perseus that include real-time monitoring and defense with regard to the systems and structures operated and used by the customer and the cyber attacks directed against them, Perseus therefore does not owe any success in the sense of such absolute protection of the customer’s information and communication systems concerned.

3.6 Unless expressly agreed otherwise in individual cases, the services to be provided and rendered by Perseus shall not include legal advice.

3.7 If Perseus offers the procurement of third-party service providers from the Perseus cooperation network, Perseus shall not be obliged to offer a certain number of third-party service providers or certain types of third-party services, nor shall Perseus be obliged to offer the customer a certain scope of choice in this respect. Since the customer concludes any contracts with such third-party service providers in its own name and for its own account, the services provided to the customer by such third-party service providers shall also be the customer’s own services and not those of Perseus.

If the third-party service provider indicates a need in this respect and the customer gives its consent, Perseus shall provide a third-party service provider commissioned by the customer with the IT technical reports on the cyber security situation and, if such an attack has occurred, the specific cyber attack or other cyber security incident on the part of the customer, which were prepared by Perseus in the course of providing the agreed services to the customer.

3.8 Perseus shall be entitled to further develop and adapt individual agreed services insofar as such changes become necessary after conclusion of the contract for the performance of the contract and are reasonable for the customer. This shall apply in particular to such changes as Perseus is obliged to make due to legal changes or judicial or official decisions, as well as to such changes that are necessary to close existing security gaps, that are merely beneficial to the customer and users or if such changes are of a purely technical or procedural nature and have no material impact on the content and scope of the services owed by Perseus or on the customer and users. Perseus shall inform the customer immediately of any such necessary changes to the services.

Should a change in the services of Perseus become necessary which leads to a significant restriction of the agreed scope of services or a significant change in the agreed content of services which is not reasonable for the customer, the customer shall be entitled, without prejudice to any alternative or additional rights to which it may be entitled in such a case under these GTC, to terminate the relevant contractual relationship extraordinarily within one month of receipt of the corresponding notification of change with effect from the date on which the change in services occurs.

Perseus shall be entitled to change or discontinue services that Perseus offers free of charge in addition to/supplementary to agreed services at any time.

3.9 If the customer fails to provide Perseus with information and data required for the provision of the services incumbent on Perseus on the basis of a booking as agreed or fails to provide other agreed cooperation or cooperation legitimately requested by Perseus, Perseus shall not be liable for any damage or other disadvantages resulting from a delay in the provision of services caused by this. Such a delay shall entitle Perseus to withhold or suspend performance for the duration of the delay.

3.10 In the event of significant or repeated breaches of the obligations incumbent on the customer under these GTC and the Terms of Use for which the customer is responsible, Perseus shall be entitled to suspend the provision of individual services affected by the breach of duty or the provision of services to the user(s) concerned and to exclude them from further use of the services of Perseus (blocking of one or more users). Any right to which Perseus may be entitled in such cases to terminate the underlying contract prematurely as a whole shall remain unaffected by this provision (see also Section 7.2 of these GTC).

3.11 In the event of force majeure or other unforeseeable events whose effects on the performance of the contract are not attributable to Perseus (e.g. strike, power failure, unrest or official measures for which Perseus is not responsible, general disruptions to telecommunications and data networks, failure of third-party services required for the performance of the order for which Perseus is not responsible), Perseus shall be released from the relevant performance obligation for the duration of the resulting hindrance plus a reasonable start-up period after its cessation. Should adherence to the contract in such cases constitute an unreasonable hardship for Perseus, Perseus shall be entitled to withdraw from the contract.

3.12 Perseus shall be entitled to use the services and technologies of third-party companies and service providers to fulfill the performance obligations incumbent on Perseus on the basis of a booking.

Warranty

4.1 Perseus does not assume any warranty for the properties and quality of third-party service providers offered for brokerage (see in particular Section 2.4 of these GTC) and their services beyond the provisions applicable in these cases pursuant to Section 8 of these GTC.

4.2 The customer shall not be entitled to claims for rectification of defects in the event of only insignificant deviation from the quality owed and in the event of only insignificant impairment of the usability of the services provided. The same shall apply to defects which are based on information or data provided by the customer or on specifications of the customer or on the fact that the customer has not provided or transmitted such information or data to Perseus in breach of duty.

4.3 The customer shall lose any rights arising from liability for defects if it changes or has changed the relevant service or the relevant service result or its systems and infrastructure and other company or operating components in relation to which the relevant services are to be provided by Perseus without the prior consent of Perseus and this makes it impossible or unreasonably difficult for Perseus to remedy the defect. In any case of a change to the relevant service made without Perseus’s consent, the customer shall reimburse Perseus for any additional expenses incurred in remedying the defect.

4.4 If a service provided by Perseus is defective in accordance with the above and the customer is entitled to warranty claims in this respect, Perseus shall remedy the relevant defects within a reasonable period of time by subsequent performance.

If a remedy of defects fails or requires a disproportionate effort, in particular financially, or if it is not reasonable for Perseus for other reasons, the customer shall be entitled to reduce the agreed remuneration for the relevant service appropriately or to withdraw from the relevant booking in accordance with the statutory provisions and to claim damages in accordance with the provisions set out in Section 8 of these GTC. The statutory cases of the dispensability of a prior request for supplementary performance remain unaffected by this.

Likewise, any claims for payment already accrued by Perseus for services rendered at the time of the customer’s withdrawal shall remain unaffected by the withdrawal.

4.5 Unless shorter periods are provided for by law in this respect, warranty claims of the customer due to a defect shall become statute-barred within one year from the provision of the relevant service or, if the relevant services were provided or made available on a permanent or continuous basis, from the end of the respective contract term. This shall not apply to claims for damages by the customer due to a defect if Perseus has acted with intent or gross negligence or was aware of the defect at the time the service was provided or in the event of injury to life, limb or health as a result of such a defect.

Duties, obligations and responsibilities of the customer and users

5.1 The use of the PCSS and the respective services offered by Perseus within the scope thereof shall be subject to the Terms of Use, the current version of which is available at the domain https://www.perseus.de/nutzungsbedingungen/ as well as within the scope of each user account by means of a link and which are an integral part of every contract between the customer and Perseus.

5.2 The customer shall provide Perseus with all information and data (e.g. information about the customer’s IT infrastructure, contact data, access data, (domain) names and the like) that may be required for the performance of the contract in full, correctly and free of charge. Should Perseus be held liable as a result of the use of such data and information due to its incompleteness or inaccuracy, the customer shall be obliged to indemnify Perseus against any liability in this respect and to reimburse all resulting damages and necessary costs, including any necessary legal fees.

5.3 The customer shall be solely responsible for ensuring that the use of the services provided by Perseus to the customer and the users on the customer’s side complies with the Terms of Use and the relevant statutory provisions.

In particular, the customer shall be solely responsible for safeguarding the legitimate interests of its employees and other persons who may be affected by the collection and processing of data in the context of and as a result of the use of Perseus’ services. In this respect, it shall be the sole responsibility of the customer to inform the persons concerned to the extent necessary and to obtain any necessary consent from them in this respect.

The customer shall indemnify and hold Perseus harmless against all claims that may be asserted against Perseus by its employees or other persons due to the collection and processing of data relating to them in the context of the use of Perseus’ services by the customer or the customer’s users. The obligation to indemnify shall also include the reimbursement of any necessary legal defense costs.

5.4 Unless expressly agreed otherwise in individual cases, the customer shall be responsible for backing up its own data. The customer must counteract the risk of data loss as a result of system failures or interventions by regularly backing up its own data.

5.5 In the course of using the PCSS, the customer and the users may gain knowledge of Perseus’ proprietary information requiring confidentiality, in particular with regard to experience, procedures, processes, technologies, software, developments, business ideas and plans as well as know-how in connection with Perseus’ current and, if applicable, future service offerings and business activities. This also applies in particular to the form, content and execution of the sending of test phishing e-mails in the course of the provision of services by Perseus for evaluation and training purposes. Such information shall be regarded as confidential information and shall be treated as such by the customer, unless it

– is demonstrably lawfully publicly accessible without breach of a confidentiality obligation or becomes so at a later date;

– can be proven to have come into the possession of the customer or a user lawfully from a source other than Perseus without breach of a confidentiality obligation;

– was demonstrably already lawfully known to the customer prior to obtaining knowledge in connection with the services offered by Perseus;

– was demonstrably developed by or for the customer or a user without using the confidential information;

– became known or generally accessible to the public after the customer or a user became aware of it, without the customer being responsible for this; or

– is demonstrably required to be disclosed by the customer or a user pursuant to a valid order of a court or governmental authority; however, in such event, the customer or such user shall provide Perseus with written notice of such requirement prior to disclosing such information and, to the extent possible under applicable procedural rules, provide Perseus with an opportunity to object to such disclosure.

The customer and the users shall be obliged to keep Perseus’ information which is to be regarded as confidential secret and not to disclose it either directly or through third parties. They are obliged to take the necessary precautions to prevent third parties from gaining unauthorized knowledge of this information.

In particular, the customer and the users may not disclose the confidential information to any third parties unless these are persons employed by them or persons professionally bound to secrecy who require access to and knowledge of the confidential information concerned for the purpose of performing the contract in accordance with the agreement or to safeguard the legitimate interests of the customer or the users. Such third parties shall be obliged to maintain confidentiality in the same manner and to the same extent before the confidential information is made available to them.

Furthermore, the customer and the users shall only be permitted to use the confidential information to the extent that this is necessary for the purpose of performing the relevant contract or user relationship. In particular, the customer and the users are prohibited from using this information for other business purposes of the customer, the users or third parties without the express prior consent of Perseus.

Prices and terms of payment

6.1 Unless expressly stated otherwise, all prices quoted in relation to the services provided by Perseus under the PCSS are exclusive of the applicable statutory value added tax and all other taxes and duties that may be incurred.

6.2 Unless otherwise specified or agreed, the fee for fee-based usage models and service modules shall be due for payment in advance immediately upon registration for the relevant usage model/service module or, in the event of an extension of the term of a usage model/service module involving the repeated or permanent provision of services by Perseus, upon invoicing.

6.3 The timeliness of payments shall be determined by the time of their receipt by Perseus. The customer shall be in default with a payment owed if it is not received by Perseus within two (2) weeks of proper invoicing.

6.4 Perseus reserves the right to increase the fee for fee-based usage models and service modules that involve the repeated or permanent provision of services by Perseus and thus have a fixed term (see also clause 7 of these GTC) once a calendar year to a reasonable extent in the event of any cost and/or price increases that have occurred since the conclusion of the relevant contract. In this case, Perseus shall inform the customers concerned accordingly at least six weeks before the beginning of the month from which the price increase is to apply. If a customer does not agree with an announced price increase, it may object to the price increase in writing or in text form, i.e. by e-mail, to Perseus no later than three weeks before the price increase comes into effect. Such an objection shall have the effect of terminating the contract underlying the relevant usage model or service module or the relevant service modules with effect from the end of the last month before the price increase comes into force.

Terms, contract termination, blocking of users/user accounts

7.1 Contracts relating to usage models and service modules that involve the repeated or permanent provision of services by Perseus shall have a fixed term which, unless otherwise stated in the relevant service offer at the time of booking or expressly agreed otherwise in individual cases, shall generally be one year, calculated from the beginning of the month in which the relevant contract was concluded or, if the use of the services covered by the relevant usage model or service module requires the registration of the respective users (see also Section 2.2 of these GTC), the information and, if applicable, functions relating to the customer’s registration or that of the respective users were sent to the customer (so-called “onboarding mail”). These contracts are renewed for a further year unless they are terminated with three months’ notice before the end of the initial term or the current renewal period.

If the customer extends a booked usage model by booking additional service modules, which in turn have fixed terms that extend beyond the current term of the underlying usage model, the contract on which the usage model is based shall be extended by a further fixed term upon booking the additional service module. Ordinary termination of the contract on which the relevant usage model is based is therefore excluded.

7.2 Any contract may be terminated without notice by either the customer or Perseus for good cause. Such good cause may be deemed to exist for Perseus in the following cases in particular:

– illegal or immoral behavior of a user;

– breaches by a user of obligations under Sections 5.3 and 5.5 of these GTC or of the Terms of Use; this applies in particular in the event of false information during registration or misuse of the PCSS or the services, functions and information made available to the user within the scope thereof.

In such cases, Perseus may, at its own discretion, also – merely – block the user account of the user concerned and thus exclude the user from accessing the relevant Perseus services and thus from using them.

In the event of justified extraordinary termination or blocking of a user account for a reason for which the customer is responsible, the customer’s entitlement to services under the relevant contract shall lapse without replacement; in such cases, there shall be no entitlement to reimbursement of any fees paid in advance for the services in question.

7.3 Notice of termination must be given in writing or in text form (i.e. by e-mail) or by means of a function provided by Perseus for this purpose within the framework of the online presence of the PCSS. The time of receipt by Perseus shall be decisive for the time of termination.

7.4 Upon termination of a contract, the authorization to use the PCSS, including the functions offered within the scope of the online presence of the PCSS and the user accounts accessible there, shall end. Data and content uploaded by users will not be backed up, nor is there any entitlement to their surrender.

Liability

8.1 Perseus is liable in contract and tort

– for damages due to gross negligence and intent and for those resulting from injury to life, limb and health;

– for damages arising from the breach of contractual obligations, the fulfillment of which is essential for the proper execution of the contract and on the observance of which the customer regularly relies and may rely (so-called “essential contractual obligations”); in this respect, however, liability is limited to the amount of the foreseeable damage, the occurrence of which must typically be expected.

The foreseeable damage typical for this type of contract is generally considered to be the simple amount of the respective “booking value”, i.e. the sum of the total remuneration payments to be made by the customer to Perseus on the basis of the contract in question (if applicable up to the earliest possible termination date). Any further liability claims are excluded in this respect and to this extent, in particular Perseus shall not be liable for loss of profit, loss of savings and other consequential damages.

The above limitations of liability shall also apply in favor of Perseus’ employees, bodies and vicarious agents. Perseus shall not be liable for the conduct of its vicarious agents if the vicarious agent is the customer, the user concerned or a person appointed by the customer to perform this function.

Mandatory statutory liability provisions remain unaffected by the above provisions.

8.2 Claims for damages by the customer due to the breach of material contractual obligations (see above under clause 8.1, 2nd indent) shall become statute-barred within five (5) years of their occurrence, irrespective of knowledge.

8.3 Since the customer and the users are solely responsible for securing the information and data that they provide to Perseus or that they have posted on the online presence of the PCSS, in particular their user accounts there, as well as those that they have obtained and generated by using the services of Perseus, Perseus shall not be liable for their loss, unless such loss was caused by Perseus intentionally or through gross negligence.

8.4 Perseus shall only be deemed to have assumed a guarantee if Perseus has expressly declared such a guarantee. Unless expressly agreed otherwise in individual cases, Perseus shall furthermore not assume any obligation to pay liquidated damages or contractual penalties.

Data protection

9.1 Information on the collection and processing of personal data of customers and users by Perseus and on how Perseus ensures their protection can be found in Perseus’ data protection information, the current version of which can be accessed at the domain https://www.perseus.de/datenschutzerklaerung/ and via a corresponding link within the online presence of the PCSS and the user accounts.

Assignment, contract transfer

10.1 Any assignment by the customer to third parties of the claims (in particular claims for performance) to which it is entitled against Perseus shall require Perseus’ express prior consent in each case.

10.2 Perseus shall be entitled to transfer its rights and obligations as provider of the PCSS and contractual partner of the customer to third parties in whole or in part by giving the customer four weeks’ notice.

Reference authorization

11.1 Unless expressly agreed otherwise, Perseus shall be permitted to make public advertising reference to the contractual relationship with the respective customer in an appropriate form and to an appropriate extent, stating the customer’s name or company name and logo, in particular in the context of Perseus’ online presence and the PCSS.

Place of performance, place of jurisdiction, applicable law

12.1 Unless Perseus has expressly assumed the obligation to provide a service at the registered office of the customer or a user on the basis of a special agreement in an individual case, the place of performance for the obligations arising from the contractual relationship between Perseus and the customer shall be the registered office of Perseus, which shall also be the sole place of jurisdiction for all disputes arising from and in connection with the business relationship between Perseus and the customer.

12.2 The contractual relationship between Perseus and the customer and any disputes arising in connection therewith shall be governed exclusively by the laws of the Federal Republic of Germany.

Severability clause

Should individual provisions of these GTC be wholly or partially invalid or lose their validity at a later date, this shall not affect the validity of the remaining provisions of these GTC.

Last update: May 2022

1. Background and terminology

This data protection declaration informs you about the type, scope, and purpose of the processing of your personal data by the data controller under data protection law pursuant to Art. 13 and 14 of the General Data Protection Regulation (GDPR).

Data protection legislation, in particular the GDPR, defines the following terms:

Data processor

The data processor is a natural or legal person, public authority, agency, or other body who processes personal data on behalf of the data controller (Art. 4 no. 8 GDPR).

Cookies

A cookie is text information that can be stored in the browser of the viewer’s end device (computer, laptop, smartphone, tablet, etc.) for each website visited (web server, server). The cookie is either sent from the web server to the browser or generated in the browser by a script (JavaScript). When you return to this website at a later time, the web server can read out this cookie information directly from the server or transfer the cookie information to the server via a script on the website. (Source: Wikipedia)

Data security

Data security is the confidentiality, availability, and integrity of personal data; this is also referred to as technical and organizational measures (Art. 32 GDPR).

Data processing

Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (Art. 4 no. 2 GDPR).

Third country

Third country refers to countries outside the European Union for which the European Commission has not determined a level of data protection equivalent to that of the European Union (Art. 44 GDPR).

Personal data and data subjects

Personal data is all information that relates to an identified or identifiable natural person (data subject) (Art. 4 no. 1 GDPR).

Pseudonymization

Pseudonymization is the processing of personal data in such a way that the personal data can no longer be assigned to a specific data subject without the use of additional information, provided that this additional information is stored separately and is subject to technical and organizational measures to ensure that the personal data is not assigned to an identified or identifiable natural person (Art. 4 no. 5 GDPR).

Data controller

The data controller is the natural or legal person, public authority, agency, or other body which alone or jointly with others determines the purposes and means of processing personal data (Art. 4 no. 7 GDPR).

Web beacons

Web beacons (also known as tracking pixels or web bugs, among other names) are small graphics in HTML emails or on websites that enable log file recording and log file analysis, which are often used for the statistical evaluation of online marketing (source: Wikipedia).

2. Data controller

The data controller pursuant to data protection legislation is Perseus Technologies GmbH (“Perseus” & “we”) based in Hagelberger Straße 53-54 in 10965 Berlin.

3. Data protection officer

We have appointed a data protection officer. You can contact our data protection officer by writing to the “Data Protection Officer” at the address of the company headquarters, or via email at datenschutz@perseus.de.

4. Details of data processing for each category of data subjects

4.1. Website visitors

If you visit our website at perseus.de (“website”), we process your personal data as follows:

To do so, we use the services of third parties. These services also include the use of cookies (essential cookies, functional cookies, analysis cookies, statistics cookies, marketing cookies and other third-party cookies). Specific information on the individual cookies and individual setting options can be found under “Individual settings” in the consent management tool.

Here you can give your consent to processing and/or object to processing on the basis of legitimate interest. You can also adjust your preferences at a later point in time or withdraw your consent with effect for the future. Please note that without your consent, individual website features may not function properly.

4.1.1. Provision of website content

Purpose

  • Establishing the technical connection between the visitor’s device and our website (conducting the session)
  • Maintaining and improving the functionality of the website
  • Maintaining and improving information security and data security (confidentiality, availability, and integrity) of the website (data storage in log files)

Categories of data processed

  • IP address of the accessing system
  • Type and version of browser used on the end device
  • Internet service provider of the accessing system
  • Date and time of access as well as whether access was successful or not
  • Third-party websites from which the user’s system reached our website
  • Third-party websites that are accessed by the user’s system via our website

Categories of recipients

  • Website hosting – Winter Business Net GmbH, Feithstr. 68, 58095 Hagen

Third-country data transfer

  • no

Storage duration and criteria

  • Session: Data deleted at the end of the respective session
  • Log files: Data deleted after 90 days or anonymized

Legal basis

  • Art. 6 para. 1 b) and f) GDPR (performance of a contract and legitimate interest)

4.1.2. Contact

As a visitor to our website, you can use various options to contact us. Currently these include: Contact form, email, telephone, and live chat. Contact is primarily established via Freshworks applications. We use the following Freshworks systems: Freshsales as a customer relationship management system (CRM system), Freshdesk as a helpdesk system, and Freshchat as a chat system.

Purpose

  • Acceptance, checking, and processing of inquiries
  • Customer relationship management

Categories of data processed

  • Contact information via contact form, email, telephone, or social media: Name, email address, and optional telephone number
  • Connection data: IP address as well as date and time of contact form registration; if applicable, transfer to third parties via cookies (this can be managed via the consent management tool), email address, social media username, if applicable telephone number
  • Contents of the completed contact form, emails, live chats, and telephone calls may contain personal data

Categories of recipients

  • Freshworks Inc., 1250 Bayhill Drive, Suite 315, San Bruno, CA 94066, USA
  • Email and telecommunications providers, social media channels

Third-country data transfer

  • To the USA to Freshworks
  • We have concluded an agreement with Freshworks based on the EU standard data protection clauses, thus enabling data to be transferred with appropriate safeguards pursuant to Art. 46 GDPR.

Storage duration and criteria

  • 3 months after completion of the respective enquiry

Legal basis

  • Art. 6 para. 1 b) GDPR (performance of a contract)
  • Art. 6 para. 1 f) GDPR (legitimate interest)

4.1.3. Appointment booking

We use the Calendly service to book appointments for subsequent live demonstrations of our services via our website.

Purpose

  • Booking appointments for live demonstrations for interested parties
  • Calendar and comment function

Categories of data processed

  • Contact details via booking form: Name, email address and company name
  • Content data of the contact (title, comment)

Categories of recipients

  • Calendly, Inc., 115 E Main St., Ste A1B, Buford, GA 30518, USA (“Calendly”)

Third-country data transfer

  • To the USA to Calendly
  • We have concluded an agreement with Calendly based on the EU standard data protection clauses, thus enabling data to be transferred with appropriate safeguards pursuant to Art. 46 GDPR.

Storage duration and criteria

  • 3 months after completion of the respective enquiry
  • In addition to the essential cookies, consent or refusal to the collection of the following data can be specified:
    • Performance cookies – data to measure performance, data is collected in aggregated and anonymised form
    • Functional cookies – enable the website to provide enhanced functionality and personalisation
    • Targeting cookies – cookies that can be set by advertising partners, do not store any direct personal data but are based on the unique identification of the browser and device

Legal basis

  • Art. 6 para. 1 b) GDPR (performance of a contract)
  • Art. 6 para. 1 f) GDPR (legitimate interest)

4.1.4. Website optimization and reach analysis (analysis and statistics)

We process the personal data of visitors to our website in order to optimize our website and conduct reach analysis. You can find detailed information on this type of data processing in the consent management tool under “Analysis and statistics”. The legal basis for processing is Art. 6 para. 1 f) GDPR (legitimate interest).

4.1.5. Social media and targeted advertising

On our website, we give you the option of sharing content directly via social media and networks. For social media sharing, we use so-called Shariff social media buttons, so that the content is shared within selected social networks while maintaining appropriate data protection. In contrast to the usual social plugins, which process data when you visit the website, Shariff only establishes direct contact with the respective social network when you actively click on a social button to share a post.

You can find detailed information on this type of data processing in the consent management tool under “Marketing and other third-party cookies”. The legal basis for processing is Art. 6 para. 1 a) GDPR (consent).

4.2. Perseus’ customers and their employees

If you are a Perseus customer who uses Perseus services or an employee of a Perseus customer (data subject group), we process your personal data as follows.

Insofar as Perseus processes personal data on behalf of customers (“processing on behalf”), Perseus’ customers and other recipients of Perseus services are entitled to adopt the description of services, inform their own data subjects and thus fulfill their own information obligations pursuant to Articles 13 and 14 GDPR.

In particular, the services or sub-services Perseus Phishing Check, Perseus Cyber Security Club and Incident Response Management may be provided by Perseus as part of the processing on behalf of customers or authorised recipients. In such cases, it is important to note that the legal basis provided for the processing is the same legal basis used by Perseus to process the data. The legal basis for the customer or the authorised users as the data controller as defined by data protection legislation, on whose behalf Perseus is processing the data, may differ from this.

This includes the following Perseus services:

Assessment

  • Perseus Phishing Check (PPC)
  • Security Baseline Check (SBC)
  • Cyber Risiko Dialog (CRD)

Awareness

  • Perseus Cyber Security Club (PCSS)
  • Threat Alert

Cyber Claims

  • Incident Response Management (IRM)

The following listing shows the details of the data processing, its purposes and legal bases, and if applicable, the legitimate interests, potential recipients or categories of recipients of the personal data, and any third-country transfers, as well as the storage period.

4.2.1. Assessment

Perseus Phishing Check (Order processing)

Purpose

In general:
  • For the purpose of maintaining information security (including cyber security) and data security (technical and organisational data protection) at the client’s premises
  • Analysing the awareness of employees
  • Raising awareness among employees
Specifically:
  • Provision of a web application for the administration of phishing checks
  • Performing phishing tests with employees of corporate clients
  • Distribution and evaluation of simulated phishing mails
  • Raising awareness of phishing

Categories of data processed

  • Names
  • Email address
  • Company name
  • Results of the phishing checks

Categories of recipients

  • Account administrators at the respective corporate customer/partner
  • Processor: Amazon Web Services Inc., Inboxroad

Third-country data transfer

  • USA (Amazon Web Services Inc.) on the basis of the EU standard data protection clauses Controller-Processor

Storage duration and criteria

  • The personal data is stored until the purpose no longer applies, after which it is deleted, unless statutory retention obligations must be fulfilled. If this is the case, the data is stored until the deadlines expire and then deleted.

Legal basis

  • Art. 6 para. 1 b) GDPR (performance of a contract)
  • Art. 6 para. 1 f) GDPR (legitimate interest)

Security Baseline Check

Purpose

  • Contact
  • Booking an appointment
  • Execution of the SBC

Categories of data processed

  • Name
  • Email address

Categories of recipients

  • Contact persons of the customer/partner
  • Processors: Amazon Web Services Inc, TeamViewer GmbH, Google Ireland Ltd, Calendly, Inc.

Third-country data transfer

  • USA (Amazon Web Services Inc., Calendly Inc.) on the basis of the EU standard data protection clauses Controller-Processor

Storage duration and criteria

  • The personal data is stored until the purpose no longer applies, after which it is deleted, unless statutory retention obligations must be fulfilled. If this is the case, the data is stored until the deadlines expire and then deleted.

Legal basis

  • Art. 6 para. 1 b) GDPR (performance of a contract)
  • Art. 6 para. 1 f) GDPR (legitimate interest)

Cyber Risiko Dialog

Purpose

  • Contract initiation, implementation and coordination for the CRD

Categories of data processed

  • Name
  • Email address

Categories of recipients

  • Contact persons of the customer/partner
  • Cooperation partner Intelliant GmbH
  • Processor: Amazon Web Services Inc

Third-country data transfer

  • USA (Amazon Web Services Inc.) on the basis of the EU standard data protection clauses Controller-Processor

Storage duration and criteria

  • The personal data is stored until the purpose no longer applies, after which it is deleted, unless statutory retention obligations must be fulfilled. If this is the case, the data is stored until the deadlines expire and then deleted.

Legal basis

  • Art. 6 para. 1 b) GDPR (performance of a contract)
  • Art. 6 para. 1 f) GDPR (legitimate interest)

4.2.2. Awareness

Perseus Cyber Security Club (Order processing)

Purpose

  • Establishing, maintaining and improving cybersecurity and data protection compliance for customers and beneficiaries
  • Technical and organisational data protection (data security) and cyber security (information security) to ensure the confidentiality, availability and integrity of information and personal data
  • Implementation and evaluation of online training courses
  • Malware scan

Categories of data processed

  • File information, such as file path, file name, hash value of files, file owner, date and time stamp
  • Network information, such as host name, fully qualified domain name, IP address, MAC address
  • Process information, such as file path, process name, hash value of processes, process owner, date and time stamp
  • Account information, such as account name, full name of the account holder, membership of local groups, account status, language settings
  • Endpoint network activity, such as destination IP address, destination port, process name, image path, host name, source port/source IP address
  • Device identity, such as Distinguished Name (DN) of the device, membership of the device in groups from Active Directory, name of the last logged-in user account
  • Participation status and results of online training sessions (dashboard)

Categories of recipients

  • Administrators (e.g. supervisors, managers or IT employees) of the customer companies or authorised beneficiaries
  • Organisational units of the customer companies or beneficiaries that are required to provide evidence
  • Processors: Amazon Web Services Inc, Dynamic Edge Software Ltd, Google Ireland Ltd, Sendinblue SAS

Third-country data transfer

  • no

Storage duration and criteria

  • The personal data is stored until the purpose no longer applies, after which it is deleted, unless statutory retention obligations must be fulfilled. If this is the case, the data will be stored until the deadlines expire and then deleted.
  • Malware scan: All emails received are automatically deleted after 5 days. This period is kept so that checks can still be carried out after a downtime, as soon as the cause of the outage has been resolved. Furthermore, this period is required in order to be able to answer any queries from customers regarding the results.

Legal basis

  • Art. 6 para. 1 b) GDPR (performance of a contract)
  • Art. 6 para. 1 f) GDPR (legitimate interest)

Threat Alerts

Purpose

  • Provision of information on security vulnerabilities and cyber incidents

Categories of data processed

  • Name
  • E-mail address

Categories of recipients

  • Administrators (e.g. supervisors, managers or IT employees) of the client company or the authorised beneficiaries
  • Processor: Freshworks Inc (Freshdesk)

Third-country data transfer

  • USA (Freshworks Inc.) on the basis of the EU standard data protection clauses Controller-Processor

Storage duration and criteria

  • The personal data is stored until the purpose no longer applies, after which it is deleted, unless statutory retention obligations must be fulfilled. If this is the case, the data will be stored until the deadlines expire and then deleted.

Legal basis

  • Art. 6 para. 1 b) GDPR (performance of a contract)
  • Art. 6 para. 1 f) GDPR (legitimate interest)

4.2.3. Cyber Claims

Purpose

In general:
  • Establishing, maintaining and improving cybersecurity and data protection compliance for customers and authorised beneficiaries
  • Technical and organisational data protection (data security) and cybersecurity (information security) to ensure the confidentiality, availability and integrity of information and personal data
Specifically:
  • Analysing and recreating security incidents
  • Issuing recommendations for action
  • Restoring systems, applications, information and data
  • Documentation of security incidents
  • Forensic preservation of evidence
  • Continuous improvement (“PDCA cycle”)

Categories of data processed

  • All personal connection and content data (master and transaction data) that is processed in the compromised systems of the customer or authorised party is potentially accessible
  • All personal data transferred to Perseus systems for analysis or forensic evidence preservation

Categories of recipients

  • Processor: SEC Consult Deutschland Unternehmensberatung GmbH and TeamViewer Germany GmbH

Third-country data transfer

  • No

Storage duration and criteria

  • The personal data is stored until the purpose no longer applies, after which it is deleted, unless statutory retention obligations must be fulfilled. If this is the case, the data is stored until the deadlines expire and then deleted.

Legal basis

  • Art. 6 para. 1 b) GDPR (performance of a contract)
  • Art. 6 para. 1 f) GDPR (legitimate interest)

4.2.4. Payment processing for Perseus services

For the purpose of payment processing, we use the external payment services Stripe, Quaderno, and FastBill.

Purpose

  • Payment processing (payments by credit card and SEPA direct debits)
  • Automatic creation of invoices
  • Semi-automatic creation of invoices

Categories of data processed

  • Inventory data
  • In particular account or payment card holder
  • Bank details incl. account or credit card number
  • Invoice amount
  • Transaction number
  • Contact details and contract information

Categories of recipients

  • Stripe Payments Europe Ltd, (Block 4, Harcourt Centre, Harcourt Road, Dublin 2, Ireland, “Stripe”)
  • Quaderno of the provider Recrea Systems, SLU (Fernando Guanarteme 111, 35010 Las Palmas, Spain, “Quaderno”)
  • FastBill GmbH (Wildunger Str. 6, 60487 Frankfurt a. M. “FastBill”) (no end customers, but other contractual partners)

Stripe, Quaderno, and FastBill process your data on our behalf. In order to protect your data, we have concluded a data processing agreement with Stripe, Quaderno, and FastBill.

Third-country data transfer

  • No

Storage duration and criteria

  • After the statutory retention requirements have expired, 6 and 10 years respectively

Legal basis

  • Art. 6 para. 1 b), c) and f) GDPR (performance of the contract, compliance with legal obligations, and legitimate interest)

4.3. Newsletter subscribers

If you are a newsletter subscriber who receives the Perseus newsletter, we process your personal data as follows.

The data you enter via the input mask provided for this purpose will be transmitted to us and processed when you register. It is mandatory to provide your email address when subscribing to the newsletter. The provision of any further data is voluntary and enables us to address you personally. At the time the message is sent, we save your IP address and the date and time of your registration via the contact form.

We use a double opt-in procedure to ensure that you only receive our newsletter if you really want to. To this end, we will send you a notification email. By clicking on the link contained in this email, you confirm that you actually want to receive our promotional emails or our newsletter.

4.3.1. Newsletter subscription

We use the Mailchimp system to send newsletters to the email addresses provided by subscribers.

Purpose

  • To send our newsletter in a lawful manner

Categories of data processed

  • Email address (required on contact form)
  • The provision of any further data is voluntary and enables us to address you personally
  • At the time the message is sent, we save your IP address and the date and time of your registration via the contact form.

Categories of recipients

  • The Rocket Science Group LLC, 675 Ponce de Leon Ave. NE, Suite 5000, Atlanta, GA 30308, USA as data processor

Third-country data transfer

  • To the USA (Rocket Science)

We have concluded an agreement with Rocket Science based on the EU standard data protection clauses in order to provide appropriate safeguards pursuant to Art. 46 GDPR. This ensures that we are meeting the legal requirements for the adequacy of the level of data protection pursuant to Art. 45 GDPR.

Storage duration and criteria

  • After unsubscribing from the newsletter (possible at any time)

Legal basis

  • Art. 6 para. 1 a) and b) GDPR (consent and performance of the contract)

4.3.2. Statistical evaluation of the newsletter

We carry out statistical evaluations of our newsletter mailing process and the response to our newsletter. We use the “MailChimp” and “Mandrill” systems. We evaluate user behavior in relation to newsletter subscriptions (e.g., when users open a message, which links they click on) and carry out statistical analysis of our newsletter campaigns.

Purpose

  • To design effective, secure, and reader-friendly newsletters
  • To secure the mailing process to the satisfaction of newsletter subscribers and thus to ensure customer acquisition

Categories of data processed

  • Email address
  • If applicable name and company
  • Technical information (time of retrieval, IP address, browser type, and operating system)

This data is collected in pseudonymized form only and is not linked to your other personal data.

Categories of recipients

  • The Rocket Science Group LLC (675 Ponce de Leon Ave NE, Suite 5000, Atlanta, GA 30308, USA, “Rocket Science”) as the data processor

Third-country data transfer

  • To the USA (Rocket Science)

We have concluded an agreement with Rocket Science based on the EU standard data protection clauses in order to provide appropriate safeguards pursuant to Art. 46 GDPR. This ensures that we are meeting the legal requirements for the adequacy of the level of data protection pursuant to Art. 45 GDPR.

Storage duration and criteria

  • Evaluation data will be deleted after 12 months at the latest (after unsubscribing from the newsletter or deactivating the display of graphics in the email program)

Legal basis

  • Art. 6 para. 1 f) GDPR (legitimate interest)

4.4. Webinar participants

If you are a webinar participant, we process your personal data as follows.

You can participate in a webinar if you have registered for this in advance on our website. Webinars are implemented and followed up using the Zoom systems.

In the virtual seminar rooms, the personal data of lecturers and participants (collectively “participants”) is processed. The lecturers and participants are therefore data subjects pursuant to the GDPR.

When participants and lecturers log in and/or enter the virtual seminar rooms, they assign themselves a virtual name tag in order to identify themselves and to enable other webinar participants to address them.

When a webinar is held, the lecturers and participants transmit video data, audio, screen content, and chat messages to everyone involved in the webinar, provided that the respective feature is enabled or actively used by the lecturer or the participant. Data is only stored and processed for the purpose of transmission and in order to document the participants; apart from this, webinars are generally not saved once the transmission has ended.

Participants have the option of chatting one-on-one in virtual private rooms or with all participants in the main room. Only the two participants involved in a one-on-one chat or the participants in the respective webinar have access to the content of the chat messages.

We occasionally take the opportunity to record webinars and subsequently make the recorded content available to the participants, as well as to document the webinar internally. If we are going to record a webinar, we will announce this in the webinar itself so that participants can decide whether they want to enable or actively use video data, audio, screen content, and chat messages and thus make them available for the recording.

We collect personal data from participants about their presence in the virtual seminar room, the length of their stay, and their use of features. This corresponds roughly to how we would observe participants in a real room.

Webinar participants via Freshworks and Zoom

Purpose

  • To enable the technical implementation of webinars (transfer of names, camera images, audio, video content, and chat messages)
  • To record webinars
  • To issue participation certificates
  • To follow up after webinars (e.g., by providing seminar documents and evaluating lecturers)
  • To request feedback from participants and, where applicable, identify areas for improvement

Categories of data processed

  • Contact information via contact form, email, telephone, or social media: name, email address, and optional telephone number
  • Connection data: IP address as well as date and time of contact form registration; if necessary, transfer to third parties via cookies (this can be managed via the consent management tool), e-mail address, social media user name, if necessary telephone number
  • Contents of the completed contact form, emails, live chats, and telephone calls may contain personal data

Categories of recipients

  • Freshworks Inc., 1250 Bayhill Drive, Suite 315, San Bruno, CA 94066, USA (“Freshworks”)
  • Zoom Video Communications, Inc., 55 Almaden Blvd, Suite 600, San Jose, CA 95113 (“Zoom”)

Third-country data transfer

  • to the USA to Freshworks and Zoom

We have concluded agreements with Zoom and Freshworks based on the EU standard data protection clauses in order to provide appropriate safeguards pursuant to Art. 46 GDPR. This ensures that we are meeting the legal requirements for the adequacy of the level of data protection pursuant to Art. 45 GDPR.

Storage duration and criteria

  • After the end of the respective webinar, the chat content is automatically deleted.
  • After we have aggregated and issued the attendance certificates, we delete the data from the virtual seminar room.

Legal basis

  • Art. 6 para. 1 a), b) and f) GDPR (consent, contract performance, and legitimate interest)

Participants are regularly given the opportunity to evaluate lecturers at the end of the webinars. We use the Google Forms service for this. Organizationally, it is impossible for us to see individual participants’ evaluations. We receive an aggregated evaluation of the lecturer.

Purpose

  • To request feedback from participants and, where applicable, identify areas for improvement

Categories of data processed

  • Response selection
  • IP addresses

Categories of recipients

  • Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland

Third-country data transfer

  • To the USA to Google

We have concluded agreements with Google based on the EU standard data protection clauses in order to provide appropriate safeguards pursuant to Art. 46 GDPR. This ensures that we are meeting the legal requirements for the adequacy of the level of data protection pursuant to Art. 45 GDPR.

Storage duration and criteria

  • Manual deletion within 90 days of recording.

Legal basis

  • Art. 6 para. 1 f) GDPR (legitimate interest)

4.5. Applicants

If you are an applicant, we process your personal data as follows.

We use the Personio recruiting system as a technical platform.

Applicant management

Purpose

  • Participation in the application process for vacant positions
  • Handling of the application process
  • Implementation of pre-contractual measures

Categories of data processed

  • Name (first name and surname)
  • Email address
  • Telephone number
  • Desired salary
  • Availability
  • Documents provided (e.g., cover letter, your resume, and references)
  • Information contained in the uploaded data (e.g. date of birth, address, etc.)

Categories of recipients

  • Authorized employees from HR
  • Employees involved in the application process
  • Employees of Personio GmbH (processor)

Third-country data transfer

  • No

Storage duration and criteria

  • Once the purpose of processing has ended
  • Storage period – 6 months from the end of the application process
  • If the applicant is rejected, the data is deleted or anonymized. If the applicant is hired, the data is transferred to the applicant’s personnel file

Legal basis

  • Art. 6 para. 1 b) GDPR (performance of contract).

5. Rights of the data subject

If your personal data is processed, you are a data subject within the meaning of the GDPR. You have the following rights with respect to the data controller:

5.1. Right of access, Art. 15 GDPR

In accordance with Art. 15 GDPR, you have the right to request confirmation from us as to whether we are processing personal data relating to you. If this is the case, you can request the following information from us: Purposes of the data processing; Categories of personal data being processed; Recipients and/or categories of recipients to whom your data has been or will be disclosed; planned storage period or, if specific information on this is not available, criteria for determining the storage period; Existence of your right to rectification or deletion of data, restriction of processing or objection to processing; Existence of your right to lodge a complaint with a supervisory authority; Source of your data, if not collected by us; Existence of automated decision-making including “profiling” and, where appropriate, meaningful information on its details; Transfer of personal data to a third country or to an international organization; appropriate safeguards in accordance with Art. 46 GDPR relating to the transfer.

5.2. Right to rectification

In accordance with Art. 16 GDPR, you have the right to demand the immediate correction or completion of any personal data stored by us.

5.3. Right to restriction of processing

In accordance with Art. 18 GDPR, you have the right to demand the restriction of processing of your personal data if you contest the accuracy of the data, or if the processing is unlawful but you refuse to have the data erased. You can also demand the restriction of processing if we no longer require the data, but you require it to assert, exercise or defend legal claims, or if you have objected to the processing in accordance with Art. 21 GDPR.

5.4. Right to erasure

In accordance with Art. 17 GDPR, you have the right to demand the erasure of your personal data stored by us, unless the processing is necessary to exercise the right to freedom of expression and information, to fulfill a legal obligation, for reasons of public interest or to assert, exercise or defend legal claims.

5.5. Right to information

In accordance with Art. 19 GDPR, if you have asserted your right to rectification, erasure or restriction of processing with respect to Perseus as the data controller, we are obliged to inform all recipients to whom your personal data has been disclosed of this rectification or erasure of data or restriction of processing, unless this proves impossible or involves disproportionate effort. You have the right to request that Perseus informs you about these recipients.

5.6. Right to data portability

In accordance with Art. 20 GDPR, you have the right to receive the personal data that you provided to us in a structured, common and machine-readable format or to request its transfer to another data controller.

5.7. Right to object

In accordance with Art. 21 GDPR, you have the right to object to the processing of your data at any time. We will then no longer process your personal data unless we can demonstrate compelling legitimate grounds for processing that outweigh your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.

If your personal data is processed for the purposes of direct marketing, you have the right to object at any time to the processing of your personal data for this purpose; this also applies to “profiling” insofar as it relates to such direct marketing. If you object to the processing of your personal data for direct marketing purposes, your personal data will no longer be processed for these purposes.

5.8. Right to withdraw your consent under data protection legislation

In accordance with Art. 7 para. 3 GDPR, you have the right to withdraw your consent to the processing of your data at any time. Your withdrawal of consent does not affect the legality of the processing carried out on the basis of this consent up to the point of withdrawal.

5.9. Right to lodge a complaint with a supervisory authority

In accordance with Art. 77 GDPR, you have the right to lodge a complaint with a supervisory authority. As a rule, you can contact the supervisory authority responsible for your usual place of residence, place of work or the place of the alleged violation.

6. Status of and changes to this Privacy Policy

This Privacy Policy is valid as amended from time to time. You can visit our website at www.perseus.de/privacypolicy to access and print the current Privacy Policy at any time.

Last updated: January 2024