GDPR Privacy Statement For Business Partners

At COHERENT, we take the protection of personal data and the confidential treatment of such data very seriously. We hereby inform you about the processing of your personal data in the context of the business relationship with you or your employer and the rights to which you are entitled. Your personal data will be processed only within the framework of the applicable statutory provisions relating to data protection law, in particular, the General Data Protection Regulation (hereinafter referred to as “GDPR”) and the German Federal Data Protection Act [Bundesdatenschutzgesetz] (“BDSG”).

1. WHO IS RESPONSIBLE FOR DATA PROCESSING AND WHO IS THE DATA PROTECTION OFFICER?

The controller that is responsible for your personal data is the entity to which your request is addressed or with which you maintain a business relationship. Please find the respective entity in the list under Sec. 12. You can reach the data protection officer using the respective contact details also provided there.

2. WHAT IS THE SUBJECT MATTER OF DATA PROCESSING?

The subject matter of data protection is personal data. This covers all information referring to an identified or identifiable natural person (who is called a data subject). This includes information as, e.g., name, postal address, e-mail address, or telephone number.

3. WHICH OF MY PERSONAL DATA WILL BE PROCESSED?

In the course of the business relationship with you or your employer, we only process those personal data of yours which are related to the business relationship. In detail, this may include:

• your name;
• your role, position, profession;
• your contact information such as a physical address, email address, phone number;
• transaction-related information, such as account name or business history;
• information you provide for specifications of requested products;
• information from social media you provide to share;
• any other information you provide to share.

4. FOR WHICH PURPOSES ARE MY PERSONAL DATA PROCESSED AND WHAT IS THE LEGAL BASIS FOR THIS?

Below, we provide you with an overview on the purposes and legal bases of the processing of your personal data in the context of the business relationship with you:

4.1 Data processing for purposes relating to the performance of the contract within the business relationship

We process your personal data for the evaluation, preparation, and performance of the business case, in particular:

• administration of your contact details in our Customer Relationship Management Systems
  (CRM);
• communication with prospects and/or customers including contact persons;
• preparation, conclusion, and performance of contracts;
• creation of offers, order confirmations, and invoices;
• registration for and attendance of webinars or other customer events;
• registration for and attendance for product-related training courses;
• contact us with feedback, questions, or requests;
• create an account or profile customer contact registration process;
• make an online purchase (via Coherent webshop).

Provided that the business relationship exists or will be entered into with you personally, the data processing is effected on the basis of Article 6 (1) (b) of the GDPR. If you act on behalf of a third party, especially your employer, the data processing is effected on the basis of Article 6 (1) (f) of the GDPR, as far as it is compatible with your fundamental rights and freedoms, see the further explanations in Sec. 4.4.

We delete your personal data when they are no longer required for the purposes pursued by us for preparation and performance of the business relationship and when no other legal bases, in particular statutory or contractual periods of retention, apply.

4.2 Consent

We may process your personal data also on the basis of an explicit consent you have given. The purpose pursued with the processing arises from the content of the corresponding declaration of consent that was given in each case. This may apply in the following cases:

• sign up to receive newsletters or receive automatically delivered company updates or product information;
• registration for and attendance of webinars or other customer events.

The data processing is effected on the basis of Article 6 (1) (a) of the GDPR.

You may withdraw your consent at any time. However, please note that the withdrawal only takes effect for the future, i.e. that the withdrawal will not affect the lawfulness of the processing of your personal data that was already implemented until the point in time of the withdrawal of the consent.

We will delete the data when they are no longer required for the purposes pursued by us, when the storage period which is specified in the consent has expired or when you have withdrawn your consent, provided no other legal basis applies. In the latter case, we will delete the data after the other legal basis ceases to apply.

4.3 Fulfilment of legal obligations

We may process your personal data also in order to comply with statutory obligations which may arise pursuant to commercial law, tax law, finance law, or criminal law. The purposes of the processing arise from the corresponding statutory obligation. Usually, the processing is effected in order to comply with governmental monitoring obligations and information obligations.

The data processing is effected on the basis of Article 6 (1) (c) of the GDPR.

We delete the data after the legal obligation ceases to apply and provided that no other legal bases, in particular statutory or contractual periods of retention, apply.

4.4 Processing necessary for the purposes of legitimate interests

To the extent to which this is necessary, we process your personal data also in order to protect our legitimate interests. We only process your personal data if, after evaluation of our interests to perform the data processing with your possibly contradictory interests, fundamental rights, and freedoms, we consider our interests to prevail. This may apply in the following cases:

• direct marketing, as far as you did not object to it;
• information about the product life cycle, discontinuation notes;
• protection and safety of IT resources;
• protection of our domiciliary right;
• contact forms, questions, requests, etc.
• information

Our legitimate interests correspond to the aforementioned purposes.

In addition to this, data processing is effected on this basis, if you act for a third party, especially your employer, within the purposes named in Sec. 4.1. In this case, our legitimate interests arise from the processing of our business relationship with this third party.

The data processing is effected on the basis of Article 6 (1) (f) of the GDPR.

We delete the data when they are no longer required for the purposes we pursue and no other legal basis applies.

5. WILL MY PERSONAL DATA ALSO BE COLLECTED FROM THIRD PARTIES?

We predominantly process the personal data that we have received directly from you in the course of the business relationship. In some constellations, however, we may also obtain your personal data from third parties, such as:

• From our business partners or from your business partners or business partners of your employer
• From your employer
• From Business Data Enrichment Providers

Where necessary, we will inform you about this separately.

6. WILL THERE BE AN AUTOMATED DECISION-MAKING OR PROFILING?

We use neither automated decision-making nor profiling pursuant to Article 22 of the GDPR.

7. DO I HAVE TO MAKE MY PERSONAL DATA AVAILABLE?

Within the business relationship, you have to provide those personal data which are necessary for the preparation and performance of the business relationship and the performance of contractual or legal obligations connected to the business relationship, or which we are obliged to process to comply with a statutory requirement. Without these data, we might not be able to perform the business relationship.

8. WHO HAS ACCESS TO MY PERSONAL DATA AND WHICH RECIPIENTS RECEIVE THEM?

Within our company, only those departments and the employees who work there have access to your personal data that absolutely need such access in order to be able to fulfill their tasks and duties. This includes Sales, Order Administration, Finance, Service as well as Marketing.

We only forward your personal data to external recipients if there is a justification under statutory law for this or if you have consented thereto. External recipients may include:

• Processors: Service providers that we use for the provision of services in the human resources area or which are entrusted with the maintenance of our IT systems. We select such processors with due care and they are regularly audited to ensure that your personal data are in good hands. The processors may use your personal data only for the purposes prescribed by us.
• Public bodies: public authorities and government institutions, as, e.g., public prosecutors, courts of law, or financial authorities, to which we may have to transfer personal data in certain individual cases.
• Private bodies: Private bodies to which we transfer your data on the basis of a legal provision or your consent, in particular group enterprises, sales channel partners, lawyers, tax consultants, external consultants.

9. WILL MY PERSONAL DATA BE TRANSFERRED TO ANY THIRD COUNTRIES?

In the context of the business relationship, a transfer of your personal data will occur to institutions whose place of business or location of the processing is not located within a Member State of the European Union or in another state party to the European Economic Area Agreement. In doing so, we ensure prior to the transfer that, outside of exceptional cases permitted by statutory law, the recipient possesses an appropriate level of data protection (e.g. by an adequacy decision of the European Commission, by suitable safeguards as, e.g., an agreement with the recipient on what is called EU standard data protection clauses of the European Commission) and/or you have given your explicit consent. You can obtain an overview on the recipients in third countries and a copy of the actually agreed-upon rules for ensuring an appropriate level of data protection. Please use the data provided in Sec. 12.

10. TO WHICH DATA SUBJECT RIGHTS AM I ENTITLED?

You are entitled to the following rights in relation to the processing of your personal data:

10.1 Right of access

You have the right to receive a confirmation from us whether we process personal data relating to you or not. If this is the case, you have a right of access to your personal data and to further information with respect to the processing.

10.2 Right to rectification

You have the right to demand that your inaccurate personal data will be rectified and to have incomplete personal data be completed.

10.3 Right to erasure (“right to be forgotten”)

In certain cases, you are entitled to demand the erasure of your personal data. This right exists, for example, when the personal data are not needed anymore for the purposes for which they were collected or otherwise processed, or when the personal data have been unlawfully processed.

10.4 Restriction of processing

In certain cases, you are entitled to demand that we restrict the processing of your personal data. In this case, we will only store those of your personal data for which you have given consent, or personal data which the GDPR allows to be processed. For example, you may be entitled to a right to restriction of processing if you have disputed that your personal data are correct.

10.5 Data portability

If you have made the data available to us based on a contract or consent, you are entitled to demand to receive the data which you provided to us in a structured, commonly used, and machine-readable format or to have them transmitted by us to another controller, provided that the statutory requirements are met.

10.6 Withdrawal of consent

If you have given us your consent to the processing of your personal data, you may withdraw the consent at any time with effect for the future. This does not affect the lawfulness of the processing of your personal data before the withdrawal of the consent.

10.7 Right to object

10.8 Right to lodge a complaint with the supervisory authority

Furthermore, if you believe that the processing of your personal data is in breach of applicable law, you may lodge a complaint with a supervisory authority. You may contact the data protection authority that is the competent authority for your habitual residence, your workplace, or the location of the alleged breach, or the data protection authority that is the competent authority for us. The supervisory authority in the state in which you live, work, or in which an alleged breach is supposed to have happened, which is the subject matter of the complaint.

11. WHO MAY I CONTACT IF I HAVE QUESTIONS OR IF I WANT TO EXERCISE MY RIGHTS AS A DATA SUBJECT?

If you have any questions about the processing of your personal data or if you want to exercise your rights as a data subject, which are described in Sec. 10, you may contact us free of charge. Please use our contact data as specified in Sec. 12. If you want to withdraw a consent, you can always use the method of communication that was used when you issued the declaration of consent.

12. LIST OF CONTROLLERS AND DATA PROTECTION OFFICER

The controller that is responsible for your personal data is the entity listed below, to which your request is addressed or with which you maintain a business relationship. For the entities marked with a (*), the personally appointed data protection officer is

Dr. Gregor Scheja
Scheja und Partner Rechtsanwälte mbB
Adenauerallee 136
53113 Bonn
Germany
telephone number: (+49) 0228-227 226 0
https://www.scheja-partner.de/en/contact/contact.html
www.scheja-partner.de

COHERENT entities:

• Coherent LaserSystems GmbH & Co. KG, Hans-Boeckler-Straße 12, 37079 Göttingen, Germany (*)
• Coherent Kaiserslautern GmbH, Opelstraße 10, 67661 Kaiserslautern, Germany (*)
• Coherent (Deutschland) GmbH, Dieselstraße 5b, 64807 Dieburg, Germany (*)
• Coherent Holding BV & Co. KG, Dieselstraße 5b, 64807 Dieburg, Germany (*)
• O.R. Lasertechnologie GmbH, Dieselstraße 5b, 64807 Dieburg, Germany (*)
• Coherent Shared Services B.V., Dieselstraße 5b, 64807 Dieburg, Germany
• ROFIN-SINAR Laser GmbH, Berzeliusstraße 87, 22113 Hamburg, Germany (*)
• DILAS Diodenlaser GmbH, Galileo-Galilei-Straße 10, 55129 Mainz, Germany (*)
• RASANT ALCOTEC Beschichtungstechnik GmbH, Zur Kaule 1, 51491 Overath, Germany
• Rofin-Baasel Lasertech GmbH & Co. KG, Zeppelinstraße 10-12, 82205 Gilching, Germany (*)
• Coherent Munich GmbH & Co. KG, Zeppelinstraße 10-12, 82205 Gilching, Germany (*)
• PMB Eletronik GmbH, Leutstettener Straße 28, 82319 Starnberg, Germany (*)
• Coherent (UK) Limited, St. Thomas Place, Cambridgeshire Business Park, Ely, CB7 4EX, United Kingdom
• Coherent Scotland Limited, West of Scotland Science Park, Maryhill Rd, Glasgow G20 0XA, UK
• Rofin-Baasel Benelux B.V., Kanaalweg 18A, 3526 KL Utrecht, Netherlands
• Coherent Europe B.V., Smart Business Park, Kanaalweg 18A, 3526 KL Utrecht, Netherlands
• Optoskand AB, Aminogatan 30, SE 431 53 Mölndal, Sweden
• Rofin Baasel España, S.L., Pol. Arazuri-Orcoyen, Calle C, nº 12, 31170 Arazuri, Navarra, Spain
• Rofin-Sinar Technologies Europe, S.L., Plaça Maria Aurèlia Capmany, 1, 08970 Sant Joan Despí, Barcelona, Spain
• Rofin-Lasag AG, Aemmenmattstraße 43, 3123 Belp, Switzerland
• Rofin-Baasel France SAS, 4 Rue du Cantal, 91090 Lisses, France
• Coherent Italia S.r.l., Viale Lombardia 159, 20900 Monza, Italy
• Corelase Oy, Kauhakorvenkatu 52, P.O.Box 73, FI-33721 Tampere, Finland

Version: September 2021