Data protection declaration in accordance with the requirements stipulated under GDPR

I.    Name and address of the responsible party
The responsible party in the context of the General Data Protection Regulation (GDPR) and other national member state data protection laws and data protection regulations is:

MOLOGEN AG
Represented by the Executive Management Board
Fabeckstraße 30
14195 Berlin
Germany
Tel.: +49 30 84 17 88 0
Email:  info@mologen.com
Website:  www.mologen.com

II.    Name and contact details of Data Protection Officer
The external Data Protection Officer of the responsible party is:
   
Sven Rahn Datenschutz 
Mr Sven Rahn
Sophienstraße 35
41065 Mönchengladbach
Germany
Tel.:  +49 2161 82807 14
Email:  datenschutzbeauftragter.mologen@rahn-datenschutz.de
Website:  www.rahn-datenschutz.de

III.    General information on data processing

1.    Scope of processing of personal data
Personal data shall be deemed to mean all information pertaining to personal or material circumstances that relate to an identified or identifiable person. Such information includes, e.g., your name, date of birth, email address, postal address, country of origin and telephone number(s). Conversely, information of a general nature which cannot help to identify you shall not be deemed personal data. An example of this is the number of website users. The majority of the services we offer do not require registration. Consequently, you can visit our website without revealing your identity.

In principle, we process the personal data of our users solely where this is required for the establishment of a functional website and if such processing is necessary for our content and services. Moreover, we only capture your personal data if you make this voluntarily available on our website, e.g. if you register for a Newsletter or contact us. The processing of personal user data then takes place on a regular basis, however, only with the consent of the user.

2.    Legal basis for processing personal data
The personal data you make available to us shall be used solely for the purposes of giving you access to the information and services you require and for other purposes for which you have given your consent and that are necessary for the processing and performance of statutory or contractual services or that require such use by order of law (e.g. pursuant to legal or official regulatory grounds). Where consent is obtained from the individual concerned for the processing of personal data, Art. 6 para. 1 a of the EU General Data Protection Regulation (GDPR) shall constitute the legal basis.

Where the processing of personal data is necessary for the performance of a contract to which the data subject is a party, Art. 6 para. 1 lit. b GDPR shall constitute the legal basis. This also applies to processing operations required to carry out pre-contractual actions. The enforcement of claims should also be considered a legitimate reason for the use of personal data.

In the event that the vital interests of the individual concerned or of any other natural person require the processing of personal data, Art. 6 para. 1 d GDPR shall constitute the legal basis.

Where the processing of personal data is necessary to preserve the interests of our company or a third party and providing such interests do not outweigh the interests, fundamental rights and freedoms of the individual concerned, Art. 6 para. 1 f GDPR shall constitute the legal basis for processing.

3.    Data deletion and period of retention
The personal data of the individual concerned shall be deleted or blocked as soon as the grounds for retention no longer apply. Personal data may be retained beyond such time where European or national legislation provides for this under the terms of the regulations, laws or other provisions of Union legislature to which the party responsible is subject. Data may be deleted or blocked on expiry of the period of retention specified in the standards indicated, unless there is a requirement for further retention of the data for the purposes of concluding or fulfilling a contract.

IV.    Forwarding of company information (press and investor distribution list)
Description and scope of data processing

Users can register online for inclusion on the press distribution list. On registration, data is forwarded by email to us at presse@mologen.com or investor@mologen.com. The email address of the user is captured along with contact data from the user’s boiler plate.

The registration procedure includes obtaining the consent of the party registering for the data to be processed, and parties are also referred to the present data protection declaration.

In the context of data processing relating to the forwarding of company information, such information shall not be forwarded to third parties. The data is for the exclusive purposes of forwarding company information.

4.    Legal basis for data processing
The legal basis for the processing of data when users register for the distribution list shall be the user’s consent as specified by Art. 6 para. 1 a GDPR.

5.    Purpose of data processing
User email addresses are captured for the purposes of forwarding information from the company.

Capture of other personal data in the context of the registration process serves to prevent any misuse of services or of the email address used and for the purposes of compliance with any other applicable statutory provisions.

6.    Period of retention
Data shall be deleted as soon as it is no longer required for the achievement of the purpose for which it was obtained. The email address of the user will be retained until such time as the user raises an objection or de-registers from the press contact list.

Other personal data captured in the context of the registration process is generally deleted after a period of seven days.

7.    Objections and remedy
Users may unsubscribe from company information at any time. There is a corresponding link in every newsletter to this end.

At the same time, this facilitates revoking of the consent to retention of personal data retained pursuant to the registration process.

V.    Use of Cookies
Cookies are not used on our website.

VI.    Contact form and email contact details

1.    Description and scope of data processing
Our website includes a contact form that can also be used for electronic contact purposes. When users make use of this, data entered on the user interface is forwarded to us and retained. This data comprises:

When the message is forwarded, the following data is retained:

•    Title
•    First name(s)
•    Surname
•    Email address
•    Tel

Reference shall be made to the present data protection declaration in the context of the forwarding process.

Alternatively, contact is possible via the email address provided and in this case, the personal data of the user forwarded in the email will be retained.

In this context, such data shall not be transmitted to third parties. The data shall be used exclusively for the purposes of processing and answering your query as well as allowing us to make contact with you.

2.    Legal basis for data processing
The legal basis for processing the data forwarded on the contact form or sent by email shall be Art. 6 para. 1 f GDPR.

3.    Purpose of data processing
The processing of personal data from the user interface form shall serve us solely for the purposes of making contact. Where we do so, this shall also apply to data processed under the terms of a necessary justifiable interest.

Other personal data processed during the forwarding process shall serve to prevent misuse of the contact form and to ensure the security of our IT systems.

4.    Period of retention
Data shall be deleted as soon as it is no longer required for the achievement of the purpose for which it was obtained. As regards personal data taken from the contact form and data forwarded by email, this will apply when the interaction with the user has ended. Interaction with the user shall be deemed to have ended when circumstances indicate that the issue concerned has been finally concluded. Please also see Section VIII of the Data Protection Declaration.

5.    Objections and remedy
The user shall be entitled to object to retention of personal data at any time. This being the case, interaction cannot continue.

In this case, please write us an e-mail at info@mologen.com with the request to remove your personal data.

In such cases, all personal data retained as part of the process of making contact will be deleted.

VII.    Information on data protection for shareholders
MOLOGEN AG processes personal data (name, address, email address, number of shares, class of shares, type of ownership of shares and entry card number) pursuant to the current data protection legislation, in order to allow shareholders to exercise their rights in the context of the Annual General Meeting.

The processing of personal data is essential for participation at the Annual General Meeting. The party responsible for processing your personal data is MOLOGEN AG. The legal basis for processing is Art. 6 (1) c) GDPR.

The service providers appointed by MOLOGEN AG for the purposes of arranging the Annual General Meeting shall receive from MOLOGEN AG solely such personal data as is necessary for performance of the services they have been charged with and shall process such data exclusively on instruction from MOLOGEN AG.

You shall be entitled at any time to obtain information, or to correct, limit, object to and delete your personal data where processing of your personal data is concerned and you shall further be entitled to data transfer in accordance with the provisions of Chapter III of the GDPR. You may lodge your claims to exercise such rights vis-a-vis MOLOGEN AG at no charge by contacting the appropriate parties indicated in the present Data Protection Declaration.

VIII.    Rights of the individual concerned
Where your personal data is processed, you are the individual concerned in the context of the GDPR and you consequently have the following rights vis-a-vis the party responsible:

1.    Entitlement to information
You may request confirmation from the party responsible as to whether personal data relating to you is processed by us.

If such processing does occur, you may request the following information from the party responsible:

(1)    the purposes for which personal data is processed;

(2)    the categories of personal data that are processed;

(3)    the recipients or categories of recipients to whom you have given or may still give access to the personal data concerned;

(4)    the scheduled period of retention of your personal data, or, if it is not possible to give concrete information, the criteria for determination of the period of retention;

(5)    a right to correct or delete your personal data, to limit processing by the party responsible or a right to object to such processing;

(6)    a right to complain to a supervisory authority;

(7)    all available information on the provenance of data if the personal data were not obtained from the individual concerned;

(8)    the existence of automated decision-making, including profiling, as indicated in Art. 22 paras. 1 and 4 GDPR and – at least in such cases – meaningful information on the logic involved and the consequences and intended impact of such processing on the individual concerned.

You have the right to request information as to whether your personal data is passed on to another country or international organisation. In this context, you may ask for appropriate guarantees as specified in Art. 46 GDPR and request to be advised in the event of transmission of such information.

2.    Right to correct
You shall be entitled to ask the responsible party to correct and/or complete any of your personal data that is incorrect or incomplete. The party responsible shall undertake to carry out such amendments forthwith.

3.    Right to limit processing
You may request processing of your personal data to be restricted under the following circumstances:

(1)    if you contest the accuracy of your personal data, for the period of time during which it will be possible for the party responsible to verify the accuracy of the personal data;

(2)    if processing is unlawful and you reject deletion of your personal data and instead, request the use of such personal data to be limited;

(3)    if the party responsible no longer needs your personal data for processing purposes, and you need the data for the enforcement, exercise or defence of a legitimate claim, or

(4)    if you have lodged an objection against processing under the terms of Art. 21 para. 1 GDPR and it has not yet been decisively clarified whether the justifiable grounds of the party responsible outweigh your reasons.

If the processing of your personal data was limited, such data may only be processed – and this does not include retention – with your consent or for the purposes of enforcement, exercise or defence of legitimate claims or for the protection of the rights of other natural or juridical persons or for compelling reasons of public interest of the Union or one of its member states.

If the restriction on processing was implemented in accordance with the above provisions, you will be advised by the party responsible prior to lifting of such restriction.

4.    Right to deletion
a)    Period of retention
Your personal data shall be retained by us solely for the time needed to achieve the intended purposes for which the information was obtained or – where there are more extensive statutory retention periods (e.g. as indicated in the Commercial Code and/or the Internal Revenue Code) – for the statutory period of retention. Subsequently, your personal data will be deleted. In a few exceptional cases, your data may be retained beyond this time, if, for instance, this is needed in connection with the enforcement or defence of legal claims in favour of MOLOGEN.

b)    Mandatory deletion
You are entitled to ask the party responsible for immediate deletion of your personal data and the party responsible shall be obliged to do so forthwith, unless one of the grounds below is relevant:

(1)    that the personal data concerned is no longer required for the purposes for which they were captured or processed in any other way

(2)    if you voluntarily revoke the consent to processing given under the terms of Art. 6 para. 1 a or Art. 9 para. 2 a GDPR and there is no other legal basis for processing

(3)    if you object to processing under the terms of Art. 21 para. 1 GDPR and there are no overriding justifiable grounds for processing or if you lodge an objection to processing as specified under Art. 21 para. 2 GDPR

(4)    if your personal data has been unlawfully processed

(5)    if deletion of your personal data is for the purpose of fulfilment of a legal obligation under the terms of Union law or the law of member states to which the party responsible is subject

(6)    if your personal data was captured in association with services offered by an information company in accordance with Art. 8 para. 1 GDPR.

c)    Information supplied to third parties
Should the party responsible have made public your personal data, a duty to delete this exists under Art. 17 para. 1 GDPR and taking into account the available technology and the cost of implementing appropriate measures, including those of a technical nature, furthermore, the party responsible shall be obliged to inform those responsible for data processing and who process such personal data, that you, as the individual concerned, have requested deletion of all links to such personal data and of copies or replicates of such personal data.

d)    Exceptions
The right to deletion shall not exist where processing is necessary

(1)    for the exercise of the right to freedom of speech and information;

(2)    for fulfilment of a legal obligation which requires processing in line with the law of the Union or its member states and to which the party responsible is subject, or for the exercise of a task which is in the public interest or pursuant to powers plenipotentiary conferred on the party responsible by a public authority;

(3)    on the grounds of public interest for reasons of public health in accordance with Art. 9 paras. 2 h and i and Art. 9 para. 3 GDPR;

(4)    for reasons of the public interest relating to archiving, scientific or historical research purposes or on statistical grounds in accordance with Art. 89 para. 1 GDPR, insofar as, to all intents and purposes, the rights indicated under section a) make realisation of the aims of processing impossible or seriously compromises them or

(5)    for the purposes of enforcement, exercise or defence of legitimate claims.

5.    Right to briefing
If you have invoked your right to correct, delete or limit the party responsible from processing your personal data, the party concerned shall be obliged to notify all recipients who were given access to your personal data of such correction or deletion of the data or of the restriction on processing, unless this proves impossible or is associated with unreasonable costs.
You shall be entitled to receive advice of these recipients from the party responsible.

6.    Right to data transferability
You shall be entitled to maintain the personal data you have made available to the party responsible in a structured, common and machine readable form. Beyond this, you have the right to transfer this data to another responsible party without hindrance from the responsible party originally given access to your personal data, providing

(1)    processing is pursuant to consent in the context of Art. 6 para. 1 a GDPR or Art. 9 para. 2 a GDPR or to contractual agreement in accordance with Art. 6 para. 1 b GDPR and

(2)    processing is carried out with the aid of automated processes.

When exercising this right, you shall also be entitled to ensure that your personal data is transferred directly from one responsible party to another responsible party, where this is technically feasible. This may not compromise the freedoms and rights of other individuals.

The right to data transferability does not apply to processing of personal data required for the fulfilment of a task that is in the public interest or is carried out under plenipotentiary rights conferred on the party responsible by a public authority.

7.    Right to object
You shall be entitled, on grounds emanating from your particular situation, to object to the processing of your personal data as carried out under the terms of Art. 6 para. 1 e or f GDPR at any time and this applies also to profiling practised pursuant to these provisions.
The party responsible shall no longer process your personal data, unless compelling grounds for processing which need to be upheld can be proven and which outweigh your interests, rights and freedoms, or where processing is essential for the enforcement, exercise or defence of legitimate claims.

Should your personal data be processed for the purposes of direct marketing, you shall be entitled to raise an objection to processing of your personal data for such marketing purposes at any time; this applies also to profiling, if it is used in connection with direct marketing.
If you object to processing being used for purposes of direct marketing, the personal data concerned will no longer be used for such purposes.

You shall have the possibility, with the aid of the services of an information company – irrespective of directive 2002/58/EC – to exercise your right to object by automated means that are in conformity with technical specifications.

8.    Right to revoke declaration of consent under the terms of data protection law
You shall be entitled to revoke your consent under the terms of data protection law at any time. The legality of processing carried out on the basis of consent before and up to the time consent was revoked shall not be affected by its withdrawal.

9.    Automated decision-making in individual cases, including profiling
You shall be entitled not to be subject to a decision made purely on the basis of automated processing – including profiling – that affects you and has no basis in law or that otherwise significantly compromises you. This does not apply if the decision

(1)    is necessary for conclusion or fulfilment of a contractual agreement between you and the party responsible,

(2)    is admissible on the basis of the legal prescriptions of the Union or its member states, to which the responsible party is subject and such legal provisions contain appropriate measures to preserve your rights and freedoms and your rightful interests, or

(3)    you give your express consent.

However, such decisions may not be based on specific categories of personal data as per Art. 9 para. 1 GDPR, unless Art. 9 para. 2 a or g GDPR apply and appropriate measures for the protection of rights and freedoms and your rightful interests have been taken.

With regard to the cases indicated under (1) and (3) above, the party responsible shall take appropriate measures to preserve your rights and freedoms and rightful interests, whereby on putting forward your own point of view and challenging the decision, you shall at the very least be entitled to request intervention of a person from the responsible party.

10.    Right to complain to a supervisory authority
Affected parties can lodge complaints with the following regulatory authority:

Berlin Commissioner for Data Protection and Freedom of Information, Friedrichstr. 219
Visitor entrance: Puttkamerstr. 16 – 18 (5th floor)
10969 Berlin; Tel.: 030 13889-0, Fax: 030 2155050,
Email: mailbox@datenschutz-berlin.de

Irrespective of your right to lodge a complaint with the Berlin Data Protection Commissioner, you can also contact us or our in-house data protection office about any concerns you may have.

11.    Planned transfers to third countries
There are no plans to transfer personal data to third countries.

12.    Changes to this data protection declaration
We reserve the right to supplement and amend this Data Protection Declaration. The current version of the data protection declaration is valid at the time it was published on our website.

Berlin, May 2018