Data privacy statement of Profectus Films GmbH • Profectus Films GmbH

Trust is a crucial foundation for any communication and collaboration. That is why Profectus Films GmbH (hereinafter referred to as “PROFECTUS”) places great value on responsible use of your data.

We appreciate your interest in our company very much. Data privacy is very important to the management of PROFECTUS. Using the PROFECTUS websites is generally possible without providing any personal data. However, processing of personal data may be required, if you wish to make use of special services provided by our company through our website. If processing of personal data is required and if there is a legal basis for processing this data, we will generally ask for the consent of you as the data subject.

We exclusively process personal data, for instance the name, address, e-mail address or phone number of a data subject, in accordance with the provisions of the European General Data Protection Regulation (GDPR) and in compliance with the country-specific data privacy regulations valid for PROFECTUS. Our company would like to use this data privacy statement to inform the public about the type, extent and purpose of the personal data collected, used and processed by us. Moreover, this data privacy statement is intended to inform you about your rights. As the processing controller, PROFECTUS has implemented various technical and organisational measures to provide full protection of personal data processed via this website to the extent possible. Nevertheless, internet-based data transmission may have security flaws, so that absolute protection cannot be guaranteed. For this reason, you have the right to transmit personal data to us through alternative methods, for instance by phone. If any of the terms used in the following explanation seem unclear or require explanation, we have provided a glossary in appendix 1.

I. Name and address of the controller

The controller as defined by the General Data Protection Regulation and other national data privacy laws of EU member states as well as other data privacy regulations is:

PROFECTUS Films GmbH
Industriepark 10
32805 Horn-Bad Meinberg, GERMANY
Phone +49 5233 95492 0
Fax +49 5233 95492 150
Email: datenschutz@profectus-films.de
Website: www.profectus-films.de
(hereinafter referred to as “PROFECTUS”).

II. General information on data processing

It is not necessary to provide personal data in order to visit our homepage or use our web presence. Personal data refers to individual pieces of information regarding personal and factual situations of an identified or identifiable person (§ 3 paragraph 1 German data privacy law BDSG), i.e. data allowing conclusions to be drawn about a person. We only collect or store this data, if you provide us with this data voluntarily, for instance when contacting us.

We follow the principles of data minimisation and avoidance: For instance, if you use our contact form to contact us, you consent to the temporary processing, storage and use of the data provided by you by our company for getting in contact with you. Once we have settled/responded to your query, we will immediately delete this data, unless your query leads to a transaction or you explicitly consent to further processing. Of course we will also adhere to all applicable data protection regulations when using your data, in particular the German Federal Data Protection Regulation and the Telemedia Act.

1. Extent of the processing of personal data

As a rule we only collect and use the personal data of our users insofar as this is required for providing a functional website as well as our content and services. In general, our users’ personal data is only collected and used with our users’ consent acc. to point (a) of Art. 6 (1) GDPR. However, an exception is made for cases in which prior consent cannot be given due to the conditions of the situation and processing is permitted by legal regulations, for instance for performance of a contract to which the data subject is party acc. to point (b) of Art. 6 (1) GDPR or to maintain a legitimate interest of our company or a third party, provided it is not overridden by the interests, fundamental rights and freedoms of the data subject acc. to point (f) of Art. 6 (1) GDPR. To clarify, we would like to note that the legal privilege defined in point (b) of Art. 6 (1) GDPR also applies to processing required prior to entering into a contract.

2. Data erasure and storage period

Your personal data is deleted or blocked, as soon as the purpose of storage is no longer valid. Beyond this point, storage is permissible, if European or national lawmakers have provided for this possibility in EU regulations, laws or other directives to which PROFECTUS is subject. The data is also blocked or deleted, when a mandatory retention period specified by the above-mentioned standards expires, unless further storage of the data is required for entering into or performance of a contract.

III. Provision of the website and creation of log files

1. Description and extent of data processing

Any time our website is accessed, our system automatically collects data and information from the computer system of the accessing computer. The following data is collected and processed based on point (f) of Art.6

(1) GDPR:

(1) browser types and versions used

(2) the operating system of the accessing system

(3) the website by which an accessing system was referred to our website (the “referrer”)

(4) the sub-sites accessed on our website by an accessing system

(5) the date and time of access to our website

(6) an Internet Protocol address (IP address)

(7) the internet service provider of the accessing system

(8) other similar data and information serving to prevent danger in the event of attacks on our information technology systems.

This data is also saved in the log files of our system. The IP address of the user or other data allowing the data to be linked to a user are not subject to this. This data is not saved together with other personal data of the user.

Instead, this information is required to:

(1) provide the content of our website without errors

(2) optimise the content of our website and advertisement for it

(3) ensure the long-term function of our information technology systems and the technology of our website

(4) to provide law enforcement authorities with the information required for criminal prosecution in the event of a cyber attack.

2. Explicit purpose of data processing

The anonymised storage of the listed data types and data in log files is for the purpose of ensuring the function of our website. In addition, we use this data to optimise our website and safeguard the security of our information technology systems. The data is not evaluated for marketing purposes in this context, as this requires your explicit consent.

3. Storage period

The data is deleted as soon as it is no longer required for the purpose for which it was collected. If data is saved in log files, it is deleted after no more than seven days. Further storage is possible. In this case, the IP addresses of the user are deleted or made unidentifiable in a non-restorable manner, so that it is no longer possible to associate them with the accessing client.

4. Option of objection and erasure

Collecting the data to provide the website and storing the data in log files is absolutely necessary for operating the website. This means that the user has no option to object.

IV. Use of cookies

1. Description and extent of data processing

Our website uses cookies. Cookies are text files stored in the internet browser or by the internet browser on the user’s computer system. When a user accesses a website, a cookie can be saved on the operating system of the user. Each cookie contains a characteristic sequence of characters, which permits clear identification of the browser when the website is accessed again.

We are transparent in our use of cookies. They are required to make our website more user-friendly. Some elements of our website require that the accessing browser can be identified even after changing sites.

The following data is saved and transmitted in the cookies:

(1) Language settings

(2) Items in a shopping cart

(3) Log-in information

The legal foundation for processing personal data by using technically necessary cookies is point (f) of Art. 6 (1) GDPR.

Moreover, our website uses cookies permitting an analysis of the users’ browsing behaviour.

The following data can be transmitted through these:

(1) Entered search terms

(2) Frequency of access to sites

(3) Use of website functions

Technological measures are used to pseudonymise the user data collected in this manner. This ensures that it is no longer possible to associate the data with the accessing user. The data is not saved together with any other personal data of the user. When accessing our website, users are shown a banner informing them about our use of cookies for analysis purposes and are referred to this data privacy statement.

In this context they are given explicit information on how to prevent cookies from being saved through browser settings. You can stop our website from saving a cookie by making the relevant settings in the web browser used, thereby permanently objecting to cookies being used.

2. Purpose of data processing

The purpose of using technically necessary cookies is to facilitate use of our website for the user. Some functions of our website cannot be provided without using cookies. For these functions it is required for the browser to be recognised even after changing sites.

The user data collected by technically required cookies is not used to create user profiles. Analysis cookies are used to improve the quality of our website and its content. Analysis cookies give us information about how our website is used, allowing us to steadily improve our web presence.

The above-mentioned purposes and the purpose of conducting our business to the benefit of all of our employees and our shareholders constitute our legitimate interest in processing this personal data according to point (f) of Art. 6 (1) GDPR. 3. Storage period, option of objection and erasure

Cookies are saved on the user’s computer and transmitted from this computer to our website. This means you as a user have full control over the use of cookies. By changing the settings in your web browser you can deactivate or restrict transmission of cookies. Previously saved cookies can be deleted at any time. This can also be done automatically. If cookies are deactivated for our website, it may not be possible to use all functions of our website to their full extent.

The transmission of so-called “flash cookies” cannot be prevented through browser settings, but only through settings in the Flash Player.

V. Contact form and e-mail contact

1. Description and extent of data processing

Our website contains a contact from used for getting in contact with us electronically. If a user uses this option, the data entered in the input mask is transmitted to us and stored. This data is:

(1) First and last name (optional)

(2) Company name (optional)

(3) Email address

(4) Your message to us

In addition, the following data is saved at the time when the message is sent:

(1) The IP address of the user

(2) Date and time of the interaction

For the purpose of processing this data, we will request your explicit consent prior to sending the data and refer to this data privacy policy.

As an alternative, it is possible to use the provided e-mail address to contact us or get in contact by phone or fax. In this case, the user’s personal data transmitted by e-mail is processed electronically.

No data is disclosed to third parties in this context. The data is only used for processing the conversation, not or promotional or other informational purposes.

2. Legal foundation for data processing

The legal foundation for processing data when the user has given consent is point (a) of Art. 6 (1) GDPR.

The legal foundation for processing personal data transmitted when sending an e-mail is point (f) of Art. 6 (1) GDPR. If email contact is for the purpose of entering into a contact, the additional legal foundation for processing is point (b) of Art. 6 (1) GDPR.

3. Purpose of data processing

Processing of personal data from the input mask is exclusively intended for the purpose of getting in contact. If you contact us by email, this is also the required legitimate interest in processing the data.

Any other personal data processed during the transmission process is used to prevent misuse of the contact form and safeguard our information technology systems.

4. Storage period

The data is deleted as soon as it is no longer required for the purpose for which it was collected. For the personal data from the input mask of the contact form and the personal data transmitted by e-mail, this is the case when the respective conversation with the user is completed. The conversation is completed, when the circumstances indicate that the matter in question is completely settled.

Any other personal data processed during the transmission process is used to prevent misuse of the contact form and safeguard our information technology systems.

5. Option of objection and erasure

The user has the option to withdraw consent to processing of their personal data at any point. The user can object to the storage of his or her personal data at any time by contacting us by email at the address listed in section II. However, in this case, the conversation by email cannot be continued.

In this case, all personal data saved when the user contacted us is deleted immediately.

VI. Rights of the data subject

If personal data related to your person is processed, you are the data subject as defined by GDPR and you have the following rights toward PROFECTUS:

1. Right of access

You can request a confirmation by PROFECTUS indicating whether we are processing personal data related to your person.

If this is the case, you can demand information from PROFECTUS on the following:

(1) the purposes for which your personal data is processed

(2) the categories of personal data processed

(3) the recipients or categories of recipients to which the personal data was disclosed or will still be disclosed

(4) the planned duration of storage of your personal data or, if specific information cannot be given, criteria for determining the duration of storage

(5) the existence of a right to rectification or erasure of your personal data, a right to restriction of processing by PROFECTUS or a right to object against this processing

(6) the existence of a right to submit a complaint to a supervisory authority

(7) all available information about the origin of the data, if the personal data is not collected directly from the data subject

(8) the existence of automated decision making including profiling in accordance with Art. 22 (1) and (4) GDPR and – at least in these cases – meaningful information about the logic involved and the extent and envisaged effect of such a manner of processing on the data subject

You also have the right to request information on whether the relevant personal data is transmitted to a third country or to an international organisation. In this context, you can demand to be informed about appropriate safeguards in accordance with Art. 46 GDPR in the context of this transmission.

2. Right to rectification

You have the right to demand that PROFECTUS rectify and/or complete any personal data related to your person, if this data is incorrect or incomplete. PROFECTUS must make the correction as soon as possible.

3. Right to restriction of processing

(1) If you contest the accuracy of your personal data for a period enabling PROFECTUS to verify the accuracy of the personal data

(2) If processing is unlawful and you oppose the erasure of the personal data and request the restriction of its use instead.

(3) If PROFECTUS no longer needs the personal data for the purposes of the processing, but you require it for the establishment, exercise or defence of legal claims.

(4) If you have objected to processing pursuant to Art. 21(1) GDPR pending the verification whether the legitimate grounds of PROFECTUS override your grounds.

If processing of your personal data was restricted, your personal data may only – with the exception of storage – be used with your consent or to establish, exercise or defend legal claims or to protect the rights of another natural person or legal entity or for reasons of important public interest of the European Union or a member state.

If processing was restricted according to the above-mentioned prerequisites, PROFECTUS will inform you before this restriction is lifted.

4. Right to erasure

a) Erasure obligation

You have the right to have personal data referring to your person deleted immediately and PROFECTUS is obligated to delete this data immediately, if one of the following reasons applies:

(1) The personal data referring to your person is no longer required for the purposes for which it was collected or otherwise processed.

(2) You withdraw consent on which the processing is based according to point (a) of Article 6(1), GDPR or point (a) of Article 9(2), and there is no other legal ground for the processing

(3) You object to the processing pursuant to Article 21(1) GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Article 21(2) GDPR

(4) The personal data related to your person has been unlawfully processed.

(5) The personal data related to your person has to be erased for compliance with a legal obligation in Union or Member State law to which PROFECTUS is subject

(6) The personal data related to your person has been collected in relation to the offer of information society services referred to in Article 8(1) GDPR

b) Exceptions

There is no right to erasure, if processing is required

(1) for exercising the right to free speech and information;

(2) to meet a legal obligation which requires processing according to Union or Member State law to which PROFECTUS is subject, or to perform a task that is in the public interest;

(3) to establish, exercise or defend legal claims.

5. Right to information

If you have exercised your right to rectification, erasure or restriction of processing against PROFECTUS, we are obligated to report this rectification or erasure of data or processing restriction to all recipients to whom your relevant personal data has been disclosed, unless this proves to be impossible or involves disproportionate effort.

You have the right to request that PROFECTUS inform you about these recipients.

6. Right to object

You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on point (e) or (f) of Article 6(1) GDPR; this also applies to profiling based on those provisions.

PROFECTUS will not continue to process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or processing is required for the establishment, exercise or defence of legal claims. Where we process personal data for direct marketing purposes, you have the right to object at any time to processing of your personal data for such marketing; this also applies to profiling to the extent that it is related to such direct marketing.

If you submit an objection to processing for direct marketing purposes, we will no longer process your personal data for such purposes.

In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you may exercise your right to object by automated means using technical specifications.

7. Right to withdraw the declaration of consent under data protection law

You may withdraw your declaration of consent under data protection law at any point. Withdrawal of your consent does not affect the legitimacy of the data processing performed up to that point based on your consent.

8. Automated decision-making in individual cases including profiling

You have the right not to be subject to a decision exclusively based on automated processing – including profiling – which has a legal effect or a similar significant impact on you. This does not apply, if the decision

(1) is required for entering into or performance of a contract between you and PROFECTUS

(2) is permissible based on European Union or Member State law to which PROFECTUS is subject and this law contains suitable measures for maintaining your rights and freedoms as well as legitimate interests or (3) is made with your explicit consent

(3) is made with your explicit consent.

However, these decisions must not be based on special categories of personal data according to Art. 9(1) GDPR, provided point (a) or (g) of Art. 9(2) do not apply and suitable measures to protect your rights and freedoms and your legitimate interests were taken.

In the cases listed under (1) and (3) PROFECTUS will take suitable measures to safeguard your rights and freedoms as well as your legitimate interests, which include at least the right to effecting intervention by a person on PROFECTUS’s side and to explaining your own position

9. Right to file a complaint with a supervisory authority

Without prejudice to other legal remedies based on administrative law or court decisions, you have the right to file a complaint with a supervisory authority, especially in the member state that is your location, the location of your workplace or the location of the alleged breach, if you believe that processing of your personal data violates GDPR.

The supervisory authority with which the complaint was filed then informs the claimant of the status and result of the complaint including the option of legal redress according to Art. 78 GDPR.

10. Right to data portability

According to Art. 20 GDPR, you have the right to receive the personal data you have provided to us in a structured, commonly used and machine-readable format. You also have the right to transmit this data to another controller without hindrance by us, where processing is based on consent pursuant to point (a) of Article 6(1) GDPR or point (a) of Article 9(2) GDPR or on a contract pursuant to point (b) of Article 6(1) GDPR; and processing is carried out by automated means, unless processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. Moreover, in exercising your right to data portability pursuant to Article 20(1) GDPR, you have the right to have the personal data transmitted directly from one controller to another, provided that this is technically feasible. You have

VII. Data privacy for applications and application processes

The controller collects and processes the personal data of job applicants for processing job applications. These applications may be processed electronically. In particular, this is the case if applicants submit their application documents to the controller in an electronic manner, for instance by email or through an online form on the website.

If the controller enters into an employment contract with a job applicant, the transmitted data will be stored according to the relevant regulations for the purpose of permitting the employment relationship. If the controller does not enter into an employment contract with the applicant, the application documents will automatically be deleted six months after the job position is filled and the rejection decision has been sent to the applicant, provided this does not conflict with other legitimate interests of the controller. Other legitimate interests in this sense may, for instance, be an obligation to provide proof in proceeding related to the General Equal Treatment Act (AGG). Please feel free to submit your application to us in an encrypted format for confidential use.

VIII. Provision of the website and use of Google Analytics

We use Google Analytics to review our web presence regularly and adapt it to your requirements. The provider of the Google Analytics component is Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA. This website uses Google Analytics, a web analytics service provided by Google Inc. (“Google”). Google Analytics uses “cookies” which are text files saved on your computer permitting analysis of your use of the website.

The information generated by the cookies about your use of this website will generally be transmitted to a Google server in the USA and stored there. However, if IP anonymisation is activated on this website (which is the case for our website), Google will first abbreviate your IP address within member states of the European Union or in other member states of the European Economic Area Agreement. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and abbreviated there.

Google will use this information on behalf of the operator of this website to evaluate your use of the website, to compile reports on website traffic, and to provide other services for the website operator relating to the use of the website and the internet. The IP address transmitted by your browser in connection with Google Analytics will not be associated with any other data held by Google.

As a rule you may refuse the storage of cookies by selecting the appropriate settings of your browser. Please note, however, that in this case you may not be able to use the full range of functions on this website. You can also prevent Google’s collection and processing of the data (including your IP address) generated by the cookie related to your use of this website by downloading and installing the browser plug-in available from the following link (http://tools.google.com/dlpage/gaoptout?hl=de).

You can disable the Google Analytics logging function by clicking on the link below. This will save an opt-out cookie which will prevent your data from being logged on future visits to this website: Deactivating Google Analytics

For further information on conditions of use and data privacy, please visit http://www.google.com/analytics/terms/de.html and https://policies.google.com/?hl=de. Please note that the Google Analytics code is supplemented by “anonymizeIp” on this website in order to consistently guarantee anonymous logging of IP addresses (referred to as IP masking).

IX. Provision of the website and use of Google Maps

This website uses Google Maps API, a map service of Google Inc. (“Google”) to display an interactive map and provide route planning. Google Maps is operated by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.

When you use Google Maps, information about your use of this website (including your IP address) may be transmitted to a Google server in the United States and stored there. Google may also transfer the information gathered through Maps to third parties where required to do so by law, or where such third parties process the information on Google’s behalf.

Google will not associate your IP address with any other data held by Google. Nevertheless, it would technically be possible for Google to identify at least some individual users through the collected data. It would be possible for personal data and personality profiles of users of this website to be processed by Google for other purposes on which we do not and cannot have any impact. You have the option to deactivate the Google Maps service, thereby preventing data transfer to Google, by deactivating JavaScript in your browser. However, we would like to point out that if you do so, you will not be able to use the web display on our websites.

For the Google data privacy statement & additional conditions of use for Google Maps, visit

https://www.google.com/intl/de_de/help/terms_maps.html

X. Legal or contractual stipulations regarding the provision of personal data; requirement for entering into a contract; obligation of the data subject to provide personal data; possible consequences of failure to provide

We would like to inform you that provision of personal data is partially legally mandated (e.g. tax regulations) or may be required by contractual stipulations (e.g. information about the contract partner). Occasionally entering into a contract may require the data subject to provide us with personal data which we then have to process. The data subject is, for instance, obligated to provide us with personal data, if our company enters into a contract with him or her.

Failure to provide personal data would result in the data subject being prevented from entering into the contract. Prior to providing personal data, the data subject must contact one of our employees. Our employee will inform the data subject whether provision of personal data is legally or contractually mandated or required for entering into the contract in his or her case, whether there is an obligation to provide the personal data and what the consequences of failure to provide the personal data would be.

XI. Existence of automated decision-making

Due to our sense of responsibility as a company, we do not use automated decision-making or profiling.

XII. Appendix 1: Terminology

The data privacy statement of PROFECTUS is based on the terminology used by European regulators when issuing GDPR. Our data privacy statement is intended to be easy to read and understand for the general public and for our customers and business partners. To ensure this, we would like to start by explaining some terminology. We use the following terms, among others, in this data privacy statement:

a) Personal data
Personal data is any information referring to an identified or identifiably natural person (hereinafter “data subject”). A natural person is regarded as identifiable if the person can be identified directly or indirectly, in particular through an identifier such as a name, an ID number, location data or an online user name or one or several special features which are an expression of the person’s physical, physiological, genetic, mental, economic, cultural or social identity.

a) Data subject
Personal data is any information referring to an identified or identifiably natural person (hereinafter “data subject”). A natural person is regarded as identifiable if the person can be identified directly or indirectly, in particular through an identifier such as a name, an ID number, location data or an online user name or one or several special features which are an expression of the person’s physical, physiological, genetic, mental, economic, cultural or social identity.

c) Processing
Processing is any process or sequence of processes related to personal data performed with or without the aid of automated procedures, such as collection, recording, organisation, ordering, saving, adapting or modifying, exporting, retrieving, usage, disclosure through transmission, distribution or other manners of provision, comparison or linking, restriction, erasure or destruction.

d) Restriction of processing
The restriction of processing is the marking of stored personal data with the aim of limiting the processing thereof in the future.

e) Profiling
Profiling is any kind of automated processing of personal data consisting of the use of this personal data to evaluate specific personal aspects of a natural person, in particular in order to analyse or predict aspects regarding work performance, economic situation, health, personal preferences, interests, reliability, behaviour, whereabouts or changes in location of this natural person.

f) Pseudonymisation
Pseudonymisation is the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.

g) Controller or processing controller
The controller or processing controller is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

h) Processor
A processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

i) Recipient
The recipient is a natural or legal person, public authority, agency or other body, to which the personal data is disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law are not regarded as recipients.

j) Third party
A third party is a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

k) Consent
Consent of the data subject is any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.