Data Protection Policy

German

Yttrium GmbH (hereinafter “Yttrium“, “we” or “us“) takes the protection of personal data very seriously. We treat personal data confidentially and in accordance with the statutory data protection regulations and on the basis of this Privacy Policy. The legal bases can be found in particular in the General Data Protection Regulation (hereinafter “GDPR“) and in the Federal Data Protection Act (hereinafter “BDSG”).

This Privacy Policy informs you in accordance with Art. 12 et seq. GDPR about the way in which we process your personal data in connection with your use of our website www.yttrium.com (hereinafter “Website“). In particular, it shows the kinds of data we collect and what we use it for. It also contains information on how and for what purpose this is done.

Please note that the use of third-party services that may be referenced or accessed through the Website is governed solely by the Privacy Policy of the relevant third party.

Where we use terms defined in the GDPR in this Privacy Policy, such as “processing” or “controller”, the definition of the GDPR applies to the term in question: https://gdpr.eu/tag/gdpr/.

The data protection information to be provided pursuant to Art. 12 et seq. GDPR can be found below, in a thematical order.

1.      controller name and address

The controller for the collection, processing and use of your personal data within the meaning of the GDPR is:

Yttrium GmbH

Sendlinger Str. 10

80331 Munich

Germany

Phone: +49 89 1250 128 92

E-mail: info@yttrium.com

Website: www.yttrium.com

If you have any questions or comments about the collection, processing and use of your personal data by Yttrium in accordance with this Privacy Policy, or if you wish to object to this as a whole or to individual measures, you can contact us by e-mail or letter at the above address.

2.      Data Protection Officer

Any data subject may also contact our data protection officer directly at any time with any questions or suggestions regarding data protection. Yttrium’s data protection officer is:

Axel Krieger

Yttrium GmbH

Sendlinger Str. 10

80331 Munich

E-mail: dataprivacy@yttrium.com

3.      Purposes and legal bases for the processing of personal data

The reasons for processing your personal data may vary depending on the purpose of its collection. In general, we process your personal data for the purposes and on the legal basis described below.

3.1              Accessing and visiting our Website – server log files

For the purpose of the technical provision of our Website, it is necessary that we process certain information automatically transmitted by your browser so that our Website can be displayed in your browser, and you can use the Website. This information is automatically collected each time our Website is called up and automatically stored in so-called server log files. These are:

• Browser type and version
• Operating system used
• Website from which the access is made (referrer URL)
• Host name of the accessing computer
• Date and time of access
• IP address of the requesting computer

hereinafter referred to as “Access Data“.

The storage of this Access Data is technically necessary to provide a functional Website and to ensure system security. This also applies to the storage of your IP address, which is necessary and, under further conditions, can at least theoretically make you identifiable as a person. In addition to the above-mentioned purposes, we use this Access Data only as needed for further designing and optimising our Website, purely statistically and without any inference to your person. This Access Data is not merged with other data sources, nor is the Access Data analysed further for marketing purposes.

The Access Data collected in the course of using our Website is only stored for the period of time for which this data is required to achieve the aforementioned purposes. Your IP address is stored on our web server for a maximum of 7 days for IT security purposes.

If you visit our Website to find out about or use our range of products and services, the legal basis for the temporary storage and processing of Access Data is Art. 6 (1) sentence 1 lit. b GDPR, which permits the processing of data for the fulfilment of a contract or for the implementation of pre-contractual measures. In addition, Art. 6 (1) sentence 1 lit. f GDPR serves as the legal basis for the temporary storage of technical Access Data. Our legitimate interest here is to be able to provide you with a technically functioning and user-friendly Website and to ensure the security of our systems.

3.2              Job applications

If you use the opportunity to apply for an advertised position via our Website, we collect the personal data you provide to us as part of the application, such as name, e-mail, and your application documents and references as a PDF document.

We process this personal data in order to give due consideration to your application, to contact you in this context and, if applicable, to establish an employment relationship with you. The processing of personal data is thus carried out for the implementation of pre-contractual measures on the legal basis of Art. 6 (1) sentence 1 lit. b GDPR.

Insofar as special categories of personal data pursuant to Art. 9 (1) GDPR are disclosed to us in the context of the application procedure, their processing is additionally carried out in accordance with Art. 9 (2) lit. b GDPR in order to enable us to exercise the rights we have under labour law and social security and social protection law and to comply with our obligations in this respect (e.g. health data, such as severely disabled status, or ethnic origin). Insofar as special categories of personal data within the meaning of Art. 9 (1) GDPR are requested in the context of the application procedure, and the applicant expressly consents to the processing of the said personal data for one or more specified purposes, such processing is carried out on the basis of this consent in accordance with Art. 9 (2) lit. a GDPR.

The personal data provided by applicants may be further processed by us for the purposes of the employment relationship in the event of a successful application. Otherwise, if the application for a vacancy is unsuccessful, the applicants’ personal data will be deleted. Applicants’ data will also be deleted if an application is withdrawn, which applicants are entitled to do at any time. The deletion will generally take place after the expiry of a period of six months so that we can answer any follow-up questions about the application and meet our obligations to provide evidence under the General Equal Treatment Act (AGG). Invoices from the applicant for any reimbursement of travel expenses will be archived in accordance with tax law requirements.

3.3              eFront investor portal

If you are an investor and sign up to the eFront Investor Portal accessible via the Website, we will process your email address or UserID and password in connection with your registration. After successful registration, you will be redirected to the eFront Investor Portal, which is not operated by Yttrium but by the third-party provider BlackRock, Inc. including its affiliates (hereinafter referred to as “BlackRock Group“). After forwarding to the eFront Investor Portal, any data processing is no longer carried out by Yttrium but by the BlackRock Group as the responsible party and is subject exclusively to the Privacy Policy of the BlackRock Group made available on the eFront Investor Portal. This can be found at https://www.blackrock.com/corporate/compliance/privacy-policy. We recommend that you familiarise yourself with the BlackRock Group Privacy Policy before registering on the eFront Investor Portal.

3.4              Use of Cookies and related functions/technologies

We aim to constantly improve our offerings and make them more attractive. Only if we know which parts of our Website are visited most frequently and for the longest time, we can optimise the content of our Website according to your requirements and wishes. For this reason, our Website sometimes uses so-called cookies and similar technologies (e.g. pixels) (hereinafter collectively referred to as “Cookies“), as set out in more detail in our Cookie Policy.

Through the use of Cookies, we may collect data (e.g. device IDs) to recognise you and your device, inside and outside of and across different services and devices. Some of the Cookies we use are from third parties to help us analyse the impact of our Website content and Website users’ interests, measure the performance of our Website, or serve tailored advertising and other content on our Website or other internet sites. To do this, we use both First-Party Cookies (only visible from the domain you are visiting) and Third-Party Cookies (visible across domains and set regularly by third parties).

The Cookie-based data processing is carried out on the basis of your consent pursuant to Art. 6 (1) sentence 1 lit. a GDPR or on the basis of Art. 6 (1) sentence 1 lit. f GDPR to protect our legitimate interests. In particular, our legitimate interests lie in being able to provide the Website in a technically optimised, user-friendly and needs-oriented manner, to provide certain functions and to ensure the security of our systems. You can withdraw any consent you may have given to us at any time, e.g. by deactivating the Cookie-based tools/plugins listed in detail in the Cookie Policy.

3.5              Other processing purposes

3.5.1       Compliance with legal obligations

Insofar as processing your personal data is necessary for compliance with legal obligations to which we are subject, we process your personal data on the basis of these legal obligations. The legal basis for the processing in this case is Art. 6 (1) sentence 1 lit. c GDPR. For example, we are required by law to retain certain information that may contain personal data for a certain period of time.

3.5.2       Enforcement of rights

We also process your personal data in order to be able to assert our rights and enforce our legal claims, if necessary. We also process your personal data in order to be able to defend ourselves against legal claims. Finally, we process your personal data to the extent necessary to prevent or prosecute criminal offences. The processing of personal data is carried out to protect our legitimate interests in accordance with Art. 6 (1) sentence 1 lit. f GDPR.

3.5.3       Consent

Insofar as you have given us consent to process personal data for certain purposes (e.g. sending information material and offers), the lawfulness of this processing is based on your consent in accordance with Art. 6 (1) sentence 1 lit. a GDPR as the legal basis. Any consent you have given us can be revoked at any time. Please note that the withdrawal is only effective for the future and any prior processing is not affected.

4. Recipients of personal data

Within Yttrium, access to your personal data is granted to those persons who need it to fulfil our contractual and legal obligations.

Insofar as this is necessary for the purposes described under section 3 of this Privacy Policy, we will also disclose personal data to third parties as recipients. The personal data transferred may only be used by the recipients for the purposes set out in section 3.

In some cases, the recipients receive your personal data as processors. If we transfer personal data to processors, it is contractually ensured that they process the personal data exclusively on our behalf in accordance with our instructions and have implemented appropriate technical and organisational measures to protect the personal data. The processors we use include e.g.

• IT, cloud or hosting service provider,
• Marketing service provider, and
• CRM service provider.

However, we may also transfer personal data to recipients who do not act as our processors, such as auditors, tax consultants or lawyers. These recipients process personal data independently in their role as data controllers and are thereby obliged to comply with the requirements of the GDPR and other data protection regulations. The transfer of personal data to auditors, tax advisors or lawyers is based on the legal basis of Art. 6 (1) sentence 1 lit. c GDPR for the fulfilment of our legal obligations or Art. 6 (1) sentence 1 lit. f GDPR for the protection of our legitimate interests.

The same applies to bodies requesting access to which we must transmit personal data on the legal basis of Art. 6 (1) sentence lit. c GDPR or Art. 6 (1) sentence 1 lit. f GDPR due to a law, a court order or an enforceable official order.

Personal data will not be transferred to third parties for purposes other than those listed above.

5. Data transfer to third countries

Generally, your personal data is processed in Germany and other countries within the European Economic Area (EEA). However, in order to provide our services on the Website, we also use service providers who have their headquarters in a country outside the EEA, such as the USA. If there is a transfer of your personal data to recipients outside the EEA, we will ensure beforehand that each of these recipients undertakes to subject your personal data to appropriate safeguards so that it is afforded a level of protection comparable to that within the EEA. If there is no adequacy decision of the European Commission within the meaning of Art. 45 GDPR for a country outside the EEA, we ensure an adequate level of data protection through careful selection of the service provider as well as through contractual, technical and organisational measures. In particular, we sign agreements incorporating the standard contractual clauses approved by the European Commission (available here) with such service providers and/or ensure that the service providers we use in turn conclude such agreements with service providers outside the EEA. Upon request, we will provide you with a copy of the agreement concluded between us and the respective service provider located outside the EEA with regard to the protection of personal data.

6. Necessity to provide personal data

The provision of personal data to us is necessary for the purposes set out in section 3 above. If you do not wish to provide us with your personal data for these purposes, we may not be able to provide you with the use of our Website, or we may only be able to provide you with limited use of our Website and/or we may not be able to respond to your enquiries to us.

7. Data deletion and storage period

Initially we process and store your personal data for the duration for which the respective purpose of use requires corresponding storage. In principle, this also includes the periods of the initiation of a contract (pre-contractual legal relationship) and the processing of a contract. On this basis, personal data is regularly deleted or pseudonymised in accordance with contractual and/or legal obligations, unless its temporary further processing is necessary for the following purposes:

• Compliance with legal retention obligations stemming, for example, from the German Commercial Code (Sections 238, 257 (4) HGB) and the German Fiscal Code (Section 147 (3), (4) AO). The periods specified there for storage or documentation are up to ten years.
• Preservation of potential evidence, taking into account the statute of limitations. According to Sections 194 et seq. of the German Civil Code (BGB), these limitation periods can be up to 30 years, with the regular limitation period being three years.

For more detailed information on data erasure and retention periods in relation to certain personal data, please refer to section 3.

8. Data subject rights

As a data subject you are entitled to the following rights, subject to the legal requirements. To assert your rights, it is sufficient to send us an informal message, e.g. by e-mail.

8.1              Right of access/information

You are entitled to request confirmation from us at any time within the scope of Art. 15 GDPR as to whether we are processing personal data relating to you; if this is the case, you are also entitled within the scope of Art. 15 GDPR to receive information about this personal data as well as certain other information (including processing purposes, categories of personal data, categories of recipients, planned storage period, the origin of the data, the use of automated decision-making and, in the case of third country transfers, the appropriate safeguards) and a copy of your data. The restrictions of Section 34 BDSG apply.

8.2              Right to rectification

In accordance with Art. 16 GDPR, you are entitled to request that we correct the personal data stored about you if it is inaccurate or incomplete.

8.3              Right to erasure

You are entitled to request that we delete personal data relating to you without delay under the conditions of Art. 17 GDPR. We don’t have to comply with this request if, among other things, the processing of personal data is necessary, e.g. for the fulfilment of a legal obligation (such as statutory retention obligations) or for the assertion, exercise or defence of legal claims. Furthermore, the restrictions of Section 35 BDSG apply.

8.4              Right to restriction of processing

You are entitled to request that we restrict the processing of your personal data under the conditions of Art. 18 GDPR.

8.5              Right to data portability

You are entitled, under the conditions of Art. 20 GDPR, to request that we hand over to you the personal data concerning you in a structured, common and machine-readable format.

8.6              Right to withdraw

You can withdraw your consent to the processing of personal data at any time. Please note that the withdrawal is only effective for the future. Processing that took place before the withdrawal is not affected.

8.7              Right to object

You have the right to object at any time to the processing of your personal data that is carried out on the basis of Art. 6 (1) sentence 1 lit. f GDPR (data processing on the basis of a balance of interests) or Art. 6 (1) sentence 1 lit. e GDPR (data processing in the public interest) if there are grounds for doing so that arise from your particular situation. If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.

8.8              Right to lodge a complaint with a supervisory authority

Under the conditions of Art. 77 GDPR, you have the right to lodge a complaint with a competent supervisory authority. In particular, you can lodge a complaint with the supervisory authority of your usual place of residence or workplace or our registered office. The supervisory authority responsible for us is the Berlin Commissioner for Data Protection and Freedom of Information. A list of all data protection supervisory authorities and their contact details can be found at the following link: https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html.

9. Data security

Personal data is protected by us by means of appropriate technical and organisational measures in order to ensure an adequate level of protection and to safeguard the rights of the persons concerned. The measures taken serve, among other things, to prevent unauthorised access to the technical equipment used by us and to protect personal data from unauthorised access by third parties. Nevertheless, we would like to point out that data transmission on the Internet can have security gaps. Complete protection of data against access by third parties is therefore not possible.

10. Automated decision-making/profiling

We do not use automated decision-making or profiling (an automated analysis of your personal circumstances) on this Website.

11. Currentness and amendment of this Privacy Policy

If we change the content of this Privacy Policy, we will notify you and change the date of this Privacy Policy.