1. General Information With this Privacy Policy, we would like to inform you about the collection of personal data when using our website and related services. This privacy policy applies to all websites or services that refer to this privacy policy. 1.1 Processing of Personal Data Personal data (short: data) within the meaning of Art. 4 EU General Data Protection Regulation (GDPR) is all information relating to an identified or identifiable natural person, e.g. name, address, e-mail addresses, etc. 1.2 Responsible Company The responsible company for the processing of personal data within the meaning of Art. 4 (7) GDPR is: Beiersdorf AG, Beiersdorfstraße 1-9; 22529 Hamburg, Germany (see our imprint). Contact details Data Protection Officer: Dataprotection[at]beiersdorf.com or at the postal address of the responsible company with the addition "Attn. Data Protection Officer". Certain processing may be carried out under the responsibility of other companies. This is indicated below in the respective description of the processing, if this is the case. 1.3 Rights of the Data Subject As a data subject of data processing, you have the following rights regarding your personal data in accordance with the legal provisions: • Right to information, • Right to rectification or deletion, • Right to restriction of processing, • Right to object to processing, • Right to data portability. You also have the right to complain to a data protection supervisory authority about our processing of your personal data. When processing your rights, it may be possible that we ask you for proof of identity. Further information on how we process your data in this regard can be found under 3.1. 1.4 Recipients (General Information) In addition to the recipients listed in the individual sections below, we transmit the collected data for processing to the relevant internal departments and to other affiliated companies within the Beiersdorf Group or to external service providers, processors according to the required purposes. Furthermore, we forward the data to the following recipients: Authorities: In case of a legal obligation, we reserve the right to disclose information about you if we are obliged to transmit it to competent authorities or law enforcement agencies, according to Art. 6 (1) c GDPR (legal obligation). Further information can be found in the corresponding paragraphs of the individual sections. 2. Collection and Processing of Personal Data When Visiting Our Website When visiting and using our website, we already collect personal data. In this section you will find further information about website-specific processes and tools, especially from external partners. Further information about processes that can also take place in an offline context can be found in section 3. 2.1 Retrieval of Information on Orders Purpose / Information: We offer you the opportunity on this platform to view your invoices as well as order status and history as desired, after you have logged in with a self-selected password and your e-mail address known from the business relationship. Recipients: We pass on the collected data for processing to the respective internal departments as well as to other affiliated companies within the Beiersdorf Group or to external service providers, processors (e.g. hosting and software service providers) according to the specified purposes. Deletion: Your data will be deleted from this platform as soon as you inform us that you no longer wish to participate in the information service via the Internet. This is without prejudice to the fact that we continue to hold invoices and other data on the business relationship in other systems as long as legal retention obligations or limitation periods have not expired. Legal Basis: Art 6 (1) b GDPR (Contract (our existing business relationship)) 3. Additional Functions and Services (Within and Outside the Website) In addition to the online use of our website, we offer various other services for which we also process your personal data in an offline context. Deviating from 1.2, in some cases the Beiersdorf company is the responsible company for the functions and services listed below, which has already been named to you in the context of communication. Therefore, if sections of this privacy policy are referred to, e.g. via link, and a responsible company has already been mentioned to you in the context of communication, e.g. in the footer/signature of an e-mail or action card, this is the responsible company according to Art. 4 No. 7 GDPR. 3.1 Contact/Communication/Cooperation Purpose / Information: In the context of communication and/or cooperation with us, e.g. by e-mail, via a contact form on our website, via a data exchange platform, whether as a consumer, test subject, business partner or customer, the data you provide (your e-mail address, possibly your name and your telephone number or the personal data specified within the communication) are stored by us in order to, for example, answer your questions or to comply with the communication required for our business purposes. Regarding cooperation with our suppliers, we have implemented an internal evaluation process that aims to improve the business relationship through the development of an "Action Plan" in our legitimate interest. In this process, we usually only process information about the company, but conclusions about you as a contact person are possible if communication with suppliers is examined with regard to response times, reliability and transparency. We may ask you, if you contact us by telephone as a consumer, whether the telephone call may be recorded for quality assurance and training purposes. If you consent to the recording, we process all information that you share with us during the conversation (communication content, possibly also sensitive (health) data, as well as your telephone number and other personal data). When processing data that arises in the context of communication, we have a legitimate interest in processing the data in accordance with legal requirements, for internal review or according to the respective communication request. The provision of your personal data is necessary for the fulfillment of the contract or a contract-like situation. You are not obliged to provide your personal data. If you do not provide your personal data, you cannot use the described service. Recipients and Sources: To combat terrorism, we are obliged by legal requirements to carry out a comparison with sanctions lists. Therefore, we also process your data to comply with legal requirements for comparison with these lists. Furthermore, we process your data within the Beiersdorf Group for the prevention and investigation of criminal offenses and other misconduct, assessment and control of risks, for internal communication and for corresponding administrative purposes. If an affiliated company reports a need to work with you as a supplier, we will share our experiences from cooperation with the affiliated company. If you are a business partner, we compare your data with published lists of misleading providers (e.g. warning lists of the World Intellectual Property Organization and Bundesanzeiger Verlag GmbH) in order to make an informed decision about any payments. We also regularly check your creditworthiness in certain cases (e.g. when concluding contracts). Our legitimate interest here is the minimization of financial risk. For this purpose, we cooperate with credit agencies (e.g. Creditreform Hamburg von der Decken KG, Wandalenweg 8-10, 20097 Hamburg and Bisnode D&B Deutschland GmbH, Robert-Bosch-Straße 11, 64293 Darmstadt) from which we receive the necessary data. For this purpose, we transmit your name and your contact data to the credit agencies. Further information on data processing at Creditreform can be found here. In our legitimate interest in faster data entry, D&B provides us with addresses of our business partners. From EcoVadis SAS, 43 Avenue de la Grande Armée, 75116 Paris, France, we receive a risk assessment regarding sustainability to fulfill legal requirements and in our legitimate interest. Depending on the result, a longer sustainability audit may result. Furthermore, as part of our anti-corruption audit, we query the rank of the country of residence in the Corruption Perceptions Index of Transparency International e.V., Alt-Moabit 96, 10559 Berlin, Germany. Depending on the result, a longer anti-corruption audit may result, in which we may process your data to check in our legitimate interest in risk minimization whether cooperation with us could be associated with corruption law risks. If you are a business customer or partner, it may be necessary in the context of a corporate transaction to transfer your personal data to potential buyers. In the context of due diligence, anonymized data is usually processed. However, it may be necessary in specific individual cases to also process personal data. Our legitimate interest is based on the implementation of the corporate transaction. Additionally, we transmit the data to the following recipients: - Customer/Consumer Service Providers - Platform/Hosting Service Providers Transmissions to third countries are possible. As appropriate safeguards, so-called standard contractual clauses according to Art. 46 GDPR have been concluded. For third countries/companies for which an adequacy decision exists, the adequacy decision also applies. Additionally, binding internal data protection regulations have been approved for a platform/hosting service provider. For further information (such as a copy of the safeguards), you can contact us at the contact details mentioned under 1.2. Further recipients can be found in section 1.4 about general recipients. Deletion/Objection: We delete the data arising in this context again after storage is no longer necessary, unless legal retention obligations exist or limitation periods must be observed. For consumer inquiries that are processed via our internal consumer management tool, personal data is usually deleted after one year if no other legal retention periods apply. Deviating from this, the data will be kept longer if the data is necessary for the assertion, exercise or defense of legal claims. Conversation recordings are stored for a maximum of 90 days. You can object to this processing according to the requirements under 4. Legal Basis: Art. 6 (1) a GDPR in conjunction with Art. 9 (2) a GDPR (Consent: Telephone recording) Art. 6 (1) b GDPR (for processing in connection with a contract or a contract-like situation) Art. 6 (1) c GDPR (for processing data in connection with a legal obligation) Art. 6 (1) f GDPR (for processing according to the above-mentioned legitimate interest) 4. Objection or Withdrawal Against the Processing of Your Data If you have given consent to the processing of your data, you can withdraw it at any time. Such withdrawal affects the legality of the processing of your personal data after you have expressed it to us. Insofar as we base the processing of your personal data on the balancing of interests, you can lodge an objection against the processing. This is the case when the processing is not necessary for the fulfillment of a contract with you, which is presented by us in the description of the functions and services. When exercising such an objection, we ask you to explain the reasons why we should not process your personal data as carried out by us. In the case of your justified objection, we will examine the situation and will either stop or adjust the data processing or show you our compelling legitimate reasons due to which we continue the processing. Of course, you can object to the processing of your personal data for purposes of advertising and data analysis at any time. You can inform us about your advertising objection using the contact details mentioned under "Responsible Company".