A. General information

B. For applicants

C. For customers and interested parties

D. For suppliers and service providers

E. Participants in a Teams meeting with video recording or transcription

The following information applies to all subsequent descriptions of data processing.

The controller responsible for processing your personal data in connection with this contact shall be

GEMÜ Gebr. Müller Apparatebau GmbH & Co. KG

Gert-Müller-Platz 1

74635 Kupferzell

Germany

Website: www.gemu-group.com

The designated data protection officer can be contacted at [email protected].

As part of the operation of our IT systems, personal data (e.g. IP addresses, log data, communication content) is also processed by security and administrative applications such as firewalls, virus protection or access logs. The purpose is to ensure IT security, prevent misuse and maintain the stability of system operations. The legal basis for this is Article 6(1f) GDPR.

Under the General Data Protection Regulation, you have the following rights:

• If your personal data is processed, you have the right to access information from the controller about the data we hold that relates to you (Article 15 GDPR).
• If incorrect personal data is processed, you have the right to rectification of your data (Article 16 GDPR).
• If the statutory provisions apply, you can request erasure or restriction of processing (Articles 17 and 18 GDPR).
• If you have consented to data processing or if a contract for data processing exists and the data processing is carried out using automated procedures, you may have a right to data portability (Article 20 GDPR).
• If your personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data for such marketing purposes; this shall also apply to profiling insofar as it is related to such direct marketing.  If you object to processing for direct marketing purposes, the personal data concerning you shall no longer be processed for these purposes (Article 21 GDPR).
• Furthermore, there is a right to lodge a complaint to the competent supervisory authority (Article 77 GDPR): State Commissioner for Data Protection and Information Security in Baden-Württemberg, PO Box 10 29 32, 70025 Stuttgart, Germany, Tel.: +49 (0) 711 6155410, e-mail: [email protected].

If you have consented to processing by the controller by means of a corresponding declaration, you may withdraw your consent at any time with future effect. The lawfulness of the data processing carried out on the basis of the consent until withdrawal shall remain unaffected by this.

a. Your personal data that we process

As part of the application process, we shall process the following personal data about you:

• Title
• First name and surname
• Postal address
• E-mail address
• Telephone/mobile number
• (Possible) start date
• Salary expectations
• All personal data contained in the application (CV, cover letter, references, etc.)
• IP address (if participating in applicant feedback)

We collect personal data from you in the following ways:

• Direct application via our careers page
• Applying by e-mail directly to one of our employees or to our collective mailbox [email protected]
• Postal application
• Immediate application via external applicant/online portals
• Recruiting events
• Recruitment consultants
• Active sourcing

b. Purposes of the data processing

As part of the application process, your personal data shall be processed for the following purposes:

• Conducting the application process and deciding on the establishment of the employment relationship
• Communication (telephone, e-mail, video calls)
• Implementation of pre-contractual measures (initiation of the employment relationship)
• Adding applicant data to an applicant pool
• Anonymous feedback to optimise the application process (voluntary)
• Assertion, exercise or defence of legal claims arising from the application process
• For the purpose of monitoring publicly accessible areas in our branches using optical-electronic devices (video surveillance).

c. Legal bases for the data processing

The legal basis for processing data in connection with the application process, communication and the implementation of pre-contractual measures shall be Article 6(1b) GDPR, Article 88(1) GDPR in conjunction with Section 26(1) of the German Federal Data Protection Act (BDSG).

Insofar as we obtain your consent for the processing of your personal data, such as when adding applicant data to an applicant pool, the processing of your personal data is based on Article 6(1a) GDPR in conjunction with Articles 5 and 7 GDPR.

The legal basis for processing activities in connection with the assertion, exercise or defence of legal claims shall be our legitimate interest pursuant to Article 6(1f) GDPR. The same shall apply to the monitoring of publicly accessible areas in our branches using optical-electronic devices (video surveillance). Our legitimate interest lies in protecting our property rights, deterring criminal offences and preserving evidence. When collecting applicant feedback to optimise the application process, we shall also rely on our legitimate interest, whereby the survey is anonymous and the IP address is only collected for technical reasons. This address shall be processed by the tool used and we shall have no access to it.

In the course of processing your personal data, we may disclose personal data relating to you to the following recipients. We will only transfer your personal data to external recipients if you have given your consent or if this is permitted by law.

The recipients of your personal data shall be, in particular:

• Internal employees who need access to your data via an authorisation concept (employees in the Human Resources department and the specialist department responsible for filling the position)
• Processors

Within the framework of commissioned data processing under data protection law in accordance with Article 28 GDPR, we shall use service providers for the operation and maintenance of our information technology systems who may obtain knowledge of your personal data in connection with the maintenance and servicing of the IT systems. We have therefore taken appropriate legal, technical and organisational measures with these service providers to ensure that personal data is protected in accordance with the applicable statutory regulations.

Your personal data shall not be transferred to third countries outside the European Union or the European Economic Area, nor are there any plans to do so.

We will anonymise your personal data as soon as the purposes for storing it as specified in Item 1. b. above no longer apply, or if you object to the use of your personal data (in the case of processing based on legitimate interests) or if you withdraw your previously given consent. However, your personal data may also be stored beyond this, particularly in the following cases:

• If erasure is prevented by contractual, legal (in particular from the German Commercial Code (HGB), German Criminal Code (StGB) and Fiscal Code of Germany (AO)) or statutory retention periods
• To assert, exercise or defend legal claims
• If this is required by European or national laws to fulfil a legal obligation to which we are subject.

Legal provisions require us to observe the following storage periods in particular:

• After deciding not to fill the position: Five (5) months’ retention period for application documents (Section 15(4) German General Act on Equal Treatment (AGG), Section 224 Civil Procedure Code of Germany (ZPO)).

If you have given your consent, your application documents shall be added to the applicant pool and stored there for a maximum of one (1) year from the date of consent, unless you agree to an extension of the storage period after we have contacted you. Personal data shall be anonymised when the purpose ceases to apply or when the applicant withdraws their consent.

If you are hired by our company, your personal data shall be anonymised once the purpose for which it was collected no longer applies, at the latest after the end of the employment relationship, provided that there are no legal retention periods that prevent its deletion.

In the context of voluntary participation in applicant feedback, the feedback collected shall be erased after six (6) months.

a. Your personal data that we process

In the context of the existing customer relationship and the initiation of a contract, we process the following data relating to your person:

• Surname
• First name
• Title
• Titles and academic degrees
• Company name
• Position in the company
• Business address
• Customer number
• Your e-mail address
• Your mobile phone number
• Your landline number
• Your fax number
• Reason for closing the contact
• Date of contact establishment
• Your language of communication
• Your social media contact (profile URL and contact image)
• All personal data provided to us in the course of customer communication

b. Collection of personal data

We collect data from interested customers in the following ways:

• Enquiry via the contact form and GEMÜ Live Chat on our website
• Enquiries and registrations via MyGEMÜ
• Enquiries via the contact form in the GEMÜ App
• Enquiries sent to our employees via message, e.g. via e-mail, LinkedIn messages or other communication channels
• Enquiries at trade fairs or other events where data is passed on to our employees for the purpose of establishing contact
• Independent booking of an appointment by an interested party
• Requesting personal data from the individual themselves after concluding a contract with us, or receiving personal data from an employee of the customer’s company. This may also affect employees of service providers working for the customer’s company
• Transmission via portals where customers have registered and consented to their data being passed on to us, e.g. IIR portal, CADENAS, HyFindr

c. Purposes of the data processing

Within the scope of the existing customer relationship and the contract initiation, your personal data shall be processed for the following purposes:

• To process your enquiries as an interested party. For this purpose, we use your contact details to respond to your enquiry. To this end, your data may be shared within the GEMÜ Group and with authorised sales partners/representatives
• To prepare and carry out pre-contractual measures, including, for example, the preparation and sending of an individual offer or an individual agreement and the transmission of contract terms with the aim of concluding a contract
• To add your contact details to our customer and contact database
• Contact (e-mail, telephone)
• Establishment, execution and termination of the contractual relationship
• Customer management and customer services – in particular, handling customer enquiries
• To provide you with the best possible information about our products and services. This also includes sending (direct) advertising by e-mail or telephone
• Provision of training/education services
• Measures to improve our sales activities, our service and to strengthen our customer relationships, e.g. customer surveys
• For the purpose of carrying out marketing initiatives such as: Sending newsletters (if you have subscribed to our newsletter), invitations to events and webinars
• To ensure smooth billing for the services provided. For this purpose, your personal data shall be processed in order to issue invoices. In addition, we shall forward your personal data to external service providers for the purpose of debt collection if invoices are not paid within the payment period
• To comply with our legal obligations, e.g. the transfer of your personal data to the tax office
• To fulfil post-contractual measures
• To assert, exercise or defend legal claims
• For the purpose of conducting credit checks
• To carry out product testing phases
• To survey your satisfaction with our products and services
• For the purpose of monitoring publicly accessible areas in our branches using optical-electronic devices (video surveillance)
• For information about product changes and discontinuations
• To carry out software testing phases for the automation of our order entry process using AI.

d. Legal bases for the data processing

The legal basis for this data processing for the purpose of fulfilling the contract shall be Article 6(1b) GDPR. This shall also apply to processing operations required for the implementation of pre-contractual and post-contractual measures.

Insofar as we obtain your consent for the processing of your personal data, the processing of your personal data shall be based on Article 6(1a) GDPR in conjunction with Articles 5 and 7 GDPR.

Insofar as the processing of your personal data is necessary to fulfil a legal obligation to which we are subject, Article 6(1c) GDPR shall serve as our legal basis. Our legal obligation to process data shall arise, for example, from tax and/or commercial law retention obligations.

The legal basis for direct marketing or video surveillance, among other things, may be Article 6(1f) GDPR, provided that we have legitimate interests and these do not override the fundamental rights and freedoms or interests of the data subjects requiring the protection of personal data. The legitimate interests we pursue in this regard – in addition to the purposes listed above – shall include:

• To provide you with the best possible information about our products, offers and services through direct marketing
• To carry out due diligence with our potential business partner
• We carry out credit checks on our potential business customers. Our legitimate interest lies in avoiding payment defaults
• To obtain customer feedback in order to improve the customer experience and enhance our products and services
• Monitoring of publicly accessible areas in our branches using optical-electronic devices (video surveillance). Our legitimate interest lies in protecting our property rights, deterring criminal offences and preserving evidence
• The evaluation of processes for automating our order entry process using AI on our local servers and with a possible machine learning function disabled. Our legitimate interest lies in further digitalising our processes in the future and making the processing of your orders more efficient.

In the course of processing your personal data, we may disclose personal data relating to you to the following recipients. We will only transfer your personal data to external recipients if you have given your consent or if this is permitted by law. External recipients of your personal data shall include, in particular:

• Companies in the GEMÜ Group
• Processors
• External service providers, e.g. for sending newsletters
• Authorised sales partners/representative offices
• Distribution platforms
• Potential business partners in the context of a (future) due diligence review
• Authorities, e.g. tax offices, courts, trade supervisory authorities, German Federal Office for Economic Affairs and Export Control (BAFA)
• Credit institutions
• Parcel services
• Post
• External consultants, e.g. solicitors, tax advisors, insurance brokers (our product liability insurance)
• Auditors

Personal data shall only be made available to other companies within the GEMÜ Group if and to the extent that this is necessary to safeguard our legal and contractual rights and obligations. This may be the case, for example, for the coordination of our contractual services to our customers. Typical examples include cooperation between the sales department and the supporting company, or the support of major customers by several companies within the GEMÜ Group.

In order to fulfil certain contractual obligations, we may work with external service providers/consultants. Where we engage external service providers/consultants, this shall always be done within the limits and in compliance with the applicable data protection regulations. If, in such cases, commissioned data processing is involved, a contract for commissioned data processing shall be concluded, whereby we shall ensure in advance that the respective service provider offers an adequate level of data protection.

To optimise our sales activities, we use the services of DirectIndustry (VirtualExpo SAS) and other sales platforms, such as Wer liefert was? (Visable GmbH) and Europages (Visable France). We shall be responsible for processing your personal data and shall only contact you if you initially contact us in the form of an enquiry.

We shall only transfer personal data to other recipients outside the GEMÜ Group, apart from authorised sales partners/representatives, if we are legally obliged to do so. In all other cases, we shall only transfer your data to other third parties if you have given us your express consent to do so.

Any transfer of your personal data to a third country shall take place exclusively within the scope of group-wide data transfer within the GEMÜ Group. Within the GEMÜ Group, a uniform level of data protection shall be ensured by the existence of a data protection policy and by mutual contractual obligations based on the standard contractual clauses provided/reviewed by the European Union or equivalent measures.

In addition, for some countries, there are also so-called adequacy decisions by the EU Commission (Article 45 GDPR): The EU Commission has decided that personal data in such countries is protected in the same way as in the European Union.

Adequacy decisions by the EU Commission pursuant to Article 45 GDPR are available on the EU Commission’s website (at ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm).

We do not store your personal data for longer than is necessary for the purpose for which it was collected. This means that data in our systems shall be destroyed or erased as soon as it is no longer required. We will take appropriate measures to ensure that your personal data is only processed under the following conditions:

a. For the duration that the data is used to provide you with a service

b. As required by applicable law, contract or in relation to our legal obligations

c. Only for as long as necessary for the purpose for which the data was collected, or longer if required by contract or applicable law, using appropriate safeguards.

Such requirements may include, but shall not be limited to, the data still needed to fulfil contractual services, or to check warranty/guarantee claims in order to accept or reject them. If the data is no longer required for the fulfilment of contractual or legal obligations, it shall be erased on a regular basis, unless its temporary storage is still necessary, in particular to comply with statutory retention periods of up to ten (10) years (including those specified in the German Commercial Code (HGB), the Fiscal Code of Germany (AO) and the German Money Laundering Act (GwG)). In the case of legal retention obligations, erasure can only be considered upon expiry of the retention obligation in question.

For a (planned) conclusion of a contract – as well as the execution of the contract with you – you must provide the personal data that is necessary for the establishment and execution of the contractual relationship and the fulfilment of the associated contractual obligations, or the personal data we are legally obliged to collect. This obligation shall also arise from the law, e.g. Section 14 of the German Value Added Tax Act (UStG). Without this data, we shall generally not be able to conclude and execute the contract with you.

a. Your personal data that we process

We process personal data from suppliers and service providers. This is necessary in the context of existing business relationships and the initiation of contracts. The following personal data regarding you shall be processed:

• Supplier number/service provider number
• Surname
• First name
• Business address
• Company name
• Bank details
• Your e-mail address
• Your mobile phone number
• Your landline number
• Your fax number
• Title and academic degree
• Position in the company
• All personal data provided to us in the course of communication

b. Collection of personal data

We collect personal data from you in the following ways:

• Obtaining personal data directly from the data subject contacting suppliers/service providers
• Obtaining personal data directly from the data subject by contacting them
• Searching in business directories or websites
• Supplier/service provider platforms

c. Purposes of the data processing

Within the framework of the existing supplier/service provider relationship and the initiation of contracts, your personal data shall be processed for the following purposes:

• Initiation, execution and termination of the contractual relationship
• Processing of orders
• Review and optimisation of procedures for needs analysis
• Consultation and data exchange with credit agencies to determine credit and default risks
• Conducting market and opinion research, provided you have not objected to the use of this data for these purposes
• Asserting, exercising or defending legal claims
• Measures for business management and further development of our products
• For the purpose of monitoring publicly accessible areas in our branches using optical-electronic devices (video surveillance).

d. Legal bases for the data processing

The legal basis for processing data in connection with the initiation and execution of contracts shall be Article 6(1b) GDPR.

Insofar as we obtain your consent for the processing of your personal data, the processing of your personal data shall be based on Article 6(1a) GDPR in conjunction with Articles 5 and 7 GDPR.

Insofar as the processing of your personal data is necessary to fulfil a legal obligation to which our company is subject, Article 6(1c) GDPR shall serve as our legal basis. Our legal obligation to process data shall arise, for example, from tax and/or commercial law retention obligations.

The legal basis for processing activities in connection with the assertion, exercise or defence of legal claims shall be our legitimate interest pursuant to Article 6(1f) GDPR. The same shall apply to the monitoring of publicly accessible areas in our branches using optical-electronic devices (video surveillance). Our legitimate interest lies in protecting our property rights, deterring criminal offences and preserving evidence.

In the course of processing your personal data, we may disclose personal data relating to you to the following recipients. We will only transfer your personal data to external recipients if you have given your consent or if this is permitted by law. External recipients of your personal data shall include, in particular:

• Companies in the GEMÜ Group
• Processors
• Potential business partners in the context of a (future) due diligence review
• Authorities, e.g. tax offices, courts, trade supervisory authorities
• Credit institutions
• Parcel services
• Post
• External consultants, e.g. solicitors, tax advisors
• Auditors
• Credit agencies

Any transfer of your personal data to a third country shall take place exclusively within the scope of group-wide data transfer within the GEMÜ Group. Within the GEMÜ Group, a uniform level of data protection shall be ensured by the existence of a data protection policy and by mutual contractual obligations based on the standard contractual clauses provided/reviewed by the European Union or equivalent measures.

In addition, for some countries, there are also so-called adequacy decisions by the EU Commission (Article 45 GDPR): The EU Commission has decided that personal data in such countries is protected in the same way as in the European Union.

Adequacy decisions by the EU Commission pursuant to Article 45 GDPR are available on the EU Commission’s website (at ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm).

We do not store your personal data for longer than is necessary for the purpose for which it was collected. This means that data in our systems shall be destroyed or erased as soon as it is no longer required. We will take appropriate measures to ensure that your personal data is only processed under the following conditions:

a. As required by applicable law, contract or in relation to our legal obligations

b. Only for as long as necessary for the purpose for which the data was collected, or longer if required by contract or applicable law, using appropriate safeguards.

Such requirements may include, but shall not be limited to, the data still needed to fulfil contractual services, or to check warranty/guarantee claims in order to accept or reject them. If the data is no longer required for the fulfilment of contractual or legal obligations, it shall be erased on a regular basis, unless its temporary storage is still necessary, in particular to comply with statutory retention periods of up to ten (10) years (including those specified in the German Commercial Code (HGB), the Fiscal Code of Germany (AO) and the German Money Laundering Act (GwG)). In the case of legal retention obligations, erasure can only be considered upon expiry of the retention obligation in question.

For a (planned) conclusion of a contract – as well as the execution of the contract with you – you must provide the personal data that is necessary for the establishment and execution of the contractual relationship and the fulfilment of the associated contractual obligations, or the personal data we are legally obliged to collect. Without this data, we shall generally not be able to conclude and execute the contract with you.

a. Your personal data that we process

We shall process personal data of participants in a Teams meeting as part of a video recording and/or transcription (if activated). This shall serve as documentation in individual cases and provide subsequent information to persons who were unable to attend the meeting. The following personal data regarding you shall be processed:

• Livestream recordings
• Video recordings
• Voice/sound recordings
• Photos
• Statements
• Surname
• First name
• Company name
• Title and academic degree
• Your e-mail address
• All personal data provided to us in the course of communication.

b. Collection of personal data

We collect personal data from you in the following ways:

• Obtaining personal data directly from the data subject by participating in a Teams meeting using the video recording or transcription features.

c. Purposes of the data processing

As part of the existing working or business relationship, your personal data shall be processed for the following purposes:

• AI-assisted creation of meeting summaries and/or minutes based on transcripts (without automated decision-making)
• Documenting the meeting
• A clear summary and outline of the topics discussed
• Information for persons who were unable to attend the respective meeting
• Training measures

An AI-powered tool is used to assist with the drafting of minutes or meeting summaries; this tool summarises the content in a structured manner based on the transcript. This process does not involve any automated assessment of individuals or decisions with legal implications. The AI merely produces a draft, which must be fully reviewed, corrected where necessary, and approved by a responsible person before it can be used further (‘human-in-the-loop’).

d. Legal bases for the data processing

Video recordings and/or transcripts of Teams meetings are made solely on the basis of your prior consent in accordance with Article 6(1a) GDPR in conjunction with Articles 5 and 7 GDPR.

The subsequent AI-assisted creation of a meeting summary and/or minutes is carried out – provided this does not go beyond the purpose covered by the consent – on the basis of our legitimate interest pursuant to Article 6(1f) of the GDPR. Our legitimate interest lies in the efficient, complete and audit-proof documentation of relevant meetings.

In the course of processing your personal data, we may disclose personal data relating to you to the following recipients. We will only transfer your personal data to external recipients if you have given your consent or if this is permitted by law. External recipients of your personal data shall include, in particular:

• Companies in the GEMÜ Group
• IT service providers for video conferencing systems (e.g. Microsoft as the provider of Microsoft Teams) acting as processors in accordance with Article 28 of the GDPR
• IT service provider for AI-powered logging and analysis functions acting as a processor in accordance with Article 28 of the GDPR

We do not store your personal data for longer than is necessary for the purpose for which it was collected.

• Video and audio recordings of Teams meetings are automatically deleted by the system after sixty (60) calendar days at the latest and can no longer be accessed once this period has expired.
• Transcription-based drafts for meeting summaries and/or minutes are automatically deleted no later than three (3) weeks after the relevant meeting date.
• Final, approved meeting summaries and/or minutes are only stored for as long as is necessary for the relevant documentation or evidence purposes and are subject to the applicable statutory retention periods or internal deletion policies.