The following will provide you with information about how your data are processed and your rights with respect to your personal data.

I. Controller
Controller within the meaning of article 4 no 7 of the EU General Data Protection Regulation (GDPR) in the context of the customer or supplier relationship is
QEST Quantenelektronische Systeme GmbH
Max-Eyth-Str. 38
71088 Holzgerlingen
Hereinafter “controller”.

II. Data Protection Officer
The Data Protection Officer of the controller mentioned above may be contacted at:
Data Protection Officer
QEST Quantenelektronische Systeme GmbH
Max-Eyth-Str. 38
71088 Holzgerlingen
privacy@draexlmaier.com

III. Collection and processing of personal data
We collect the following categories of personal data from the following sources: Categories and sources of personal data
Business contact data of customers' or suppliers`employees and, where applicable, also any additional data concerning managing directors and shareholders. Such business contact data includes in particular:
• Form of address
• Title, position
• Surname, first name
• Business address
• Business contact data (e-mail address, telephone and fax number, where applicable)

We obtain these data from you or, where absolutely necessary, from publicly available sources (e.g., commercial register, authorities, the Internet) and in so doing we always observe the principle of data minimisation.

IV. Purpose of data processing and legal basis
Purpose of processing and legal basis
The purpose of processing is
• initiating, establishing and performing the business relationship.

In the case of customers' or suppliers` employees, the legal basis is generally article 6 (1) (f) GDPR because the controller has a legitimate interest in processing their personal data in the context of initiating, establishing and performing business relationships. In the case of customers' or suppliers` statutory representatives, the legal basis for processing may also be article 6 (1) (b) GDPR because processing may be necessary for the implementation of pre-contractual or contractual measures. Where the personal data is transferred to authorities (e.g., tax authorities), article 6 (1) (c) GDPR serves as the legal basis for processing.

V. Data recipients/categories of recipients
The controller is part of the DRÄXLMAIER Group and works together with other specialised entities of the DRÄXLMAIER Group. Therefore, personal data may be transferred to other DRÄXLMAIER Group companies, particularly in the context of initiating, establishing and performing specific business relationships or a contract.
In cases where we are legally obligated to do so, personal data will be transferred to public bodies such as investigative authorities, courts, tax authorities, municipalities and supervisory authorities.

In the context of initiating, establishing and performing business relationships, personal data may also be transferred to suppliers, customers, sub-suppliers, processors, lawyers and notaries, authorities, auditing firms, collection agencies, financial services providers, tax consultants, or auditors.

VI. Data transfers to third countries
DRÄXLMAIER Group is a globally operating group of companies. In our business dealings, personal data may also be transferred to entities of the DRÄXLMAIER Group located outside the EU. In this respect, we ensure that the principles for processing personal data as well as the conditions of article 44 et seq. GDPR are complied with in order to ensure an adequate level of data protection in all cases. An adequate level of data protection is ensured by means of EU standard contractual clauses.
Data stored within the EU may also be accessed by administration users from a country outside the EU, as the follow-the-sun workflow model is often used to ensure that the systems remain operational around the clock. In those cases, data will only be accessed if an adequacy decision by the Commission exists for the respective country, we have agreed standard contractual clauses with the service providers as provided for by the EU Commission in such cases, or the respective entity has adopted its own binding corporate rules recognised by the data protection authorities.

You can find further information on the above-mentioned measures we have taken at privacy@draexlmaier.com.

VII. Retention of data
We store your personal data for as long as necessary for the aforementioned purposes for which they were collected or otherwise processed, for compliance with a legal obligation to which we are subject, or for the establishment, exercise or defence of legal claims.

VIII. Your rights as a data subject
You have the following rights with regard to the processing of personal data: Your rights/Information

Under article 15 GDPR, you have the right to access your personal data being processed.

Under article 16 GDPR, you have the right to rectification of incorrect personal data. Please note the restrictions under section 34 of the German Federal Data Protection Act (Bundesdatenschutzgesetz - BDSG).

Under article 17 GDPR, you have the right to erasure of personal data. Please note the restrictions under section 35 BDSG.

Under article 18 GDPR, you have the right to restriction of processing.

Under article 20 GDPR, you have the right to data portability.

Insofar as the data is processed on the basis of legitimate interests (article 6 (1) (f) GDPR) you have the right to object to processing (article 21 (1) GDPR).

In such case, the data will no longer be processed for that purpose unless compelling legitimate grounds for the processing can be demonstrated which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims. For further information about your right to object, see XIII.
If you believe that the processing of your personal data contravenes applicable law, you may lodge an objection with the competent data protection authority pursuant to article 77 GDPR at any time.
This right applies regardless of any other legal remedies you may have, including to obtain effective administrative or judicial redress.

To ensure orderly processing and avoid delays, please direct your concerns to the following address:
privacy@draexlmaier.com

IX. Required data
You provide us with only those personal data which we need for initiating, establishing and performing the business relationship or which we are required by law to collect. You are under no obligation to provide us with personal data. However, if you do not provide us with such data, we will not be able to enter into the contract or continue to perform it.

X. Automated decision-making
Please be advised that we do not carry out automated decision-making.

XI. Use of website
If you contact us via the QEST website, please note the general data protection policy posted there:
www.qest.de/datenschutz

XII. Amendments clause
Our data processing activities are subject to change and therefore this Data Protection Policy may also be amended from time to time. The applicable version of this Data Protection Policy is also available at www.qest.de.

XIII. Information concerning your right to object under article 21 GDPR
Right to object in individual cases:
You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning yourself which is based on point (f) (data processing based on overriding interests) of article 6 (1) GDPR. Should you lodge an objection, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.
Recipient and form of objection

Objections may be lodged informally simply by sending an e-mail with the subject line "Objection" containing your name, address and date of birth to:
privacy@draexlmaier.com

Data Protection Policy for Customers Suppliers QEST, V01, last updated June 2021