Xenium

Privacy Policy

Responsible body within the meaning of data protection laws, in particular the EU General Data Protection Regulation (DSGVO):

Xenium AG
Sapporobogen 6-8
80637 Munich
Telephone: +49 89 4207980
E-Mail: datenschutz@xenium.de

I. Your rights as a data subject

You can exercise the following rights at any time using the contact details of our data protection officer:

  • information about your data stored by us and its processing (Art. 15 DSGVO),

  • correction of incorrect personal data (Art. 16 DSGVO),

  • deletion of your data stored by us (Art. 17 DSGVO),

  • restriction of data processing if we are not yet allowed to delete your data due to legal obligations (Art. 18 DSGVO),

  • objection to the processing of your data by us (Art. 21 DSGVO) and

  • data portability, given you have consented to the data processing or have concluded a contract with us (Art. 20 DSGVO).

If you have given us consent, you can revoke this at any time with effect for the future.

You can lodge a complaint with a supervisory authority at any time, e.g. the competent supervisory authority in the federal state of your residence or the authority responsible for us as the controller.

A list of the supervisory authorities (for the non-public sector) with address can be found at: https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html.

II. Contact

Purpose and legitimate interest

There is a contact form on our website that can be used to contact us electronically. If a user uses this option, the data entered in the input field will be transmitted to us and stored.

The following data is also stored once the message is sent:

  • Date and time of the request

It is also possible to contact us via the e-mail addresses provided. In this case, the user's personal data transmitted with the e-mail will be stored. This includes the date and time the e-mail was sent, e-mail address, IP address and information on the servers involved in the e-mail communication.

You can also contact us via the telephone number provided. In this case, we collect log data that includes your telephone number and the duration of the call.

Legal basis

The data entered in the contact form is processed in accordance with a legitimate interest (Art. 6 para. 1 lit. f GDPR). Our legitimate interest in processing your data is to facilitate uncomplicated contact.

Recipient of the data

Recipients of the data may be technical service providers who act as processors for the operation and maintenance of our website.

Storage duration

Data will be deleted no later than 6 months after the request has been processed.

If there is a contractual relationship, we are subject to the legal storage periods. These are generally 6 or 10 years for the purposes of orderly accounting and tax law requirements.

Provision voluntary or required

The provision of your personal data is voluntary. However, we can only process your request if you provide us with the required data and the reason for the request.

Right to object

Please read the information on your right to object under Art. 21 GDPR below.

III. Server log files

Purpose and legitimate interest

When you access our website, i.e. even if you do not register or otherwise submit information, information of a general nature is automatically collected. This information (server log files) includes, for example, the type of web browser, the operating system used, the domain name of your internet service provider, your IP address and the like.

In particular, they are processed for the following purposes:

  • ensuring a problem-free connection setup to our website,

  • ensuring the smooth use of our website,

  • evaluating system security and stability, and

  • for other administrative purposes.

We do not use your data to make any conclusions about your personal identity. We also reserve the right to check the server log files retrospectively if there are concrete indications of unlawful use.

Legal Basis

The processing is carried out in accordance with Art. 6 para. 1 lit. f DSGVO on the basis of our legitimate interest in improving the stability and functionality of our website.

Recipient of data

We use technical service providers for the operation and maintenance of our website who act as our processors.

Storage period

The data is deleted as soon as it is no longer required for the purpose for which it was collected. This is generally the case for data used to provide the website when the respective session has ended.

Provision voluntary or required

The provision of the aforementioned personal data is neither legally nor contractually required. However, without the IP address and the cookie identifier, the service and functionality of our website cannot be guaranteed. In addition, individual services may not be available or may be restricted.

Right to object

Please read the information about your right to object according to Art. 21 DSGVO below.

IV. Appointment Bookings via Microsoft Bookings

Type and purpose of the processing

The personal data you provide when booking an appointment to arrange an initial consultation (e.g. name, email address, notes, desired appointment) will be processed for appointment planning, organization and execution.

Legal basis

The legal basis is the fulfillment of the contract or pre-contractual measures in accordance with Art. 6 para. 1 lit. b) GDPR (if the appointment booking form is used to initiate a potential contractual agreement or to fulfill an existing contract) or consent in accordance with Art. 6 para. 1 lit. a) GDPR (if the appointment booking is not mandatory or is used for voluntary additional services: for voluntary information, reminder service or advertising-related communication).

Recipient of data

We use Microsoft Bookings as an internal calendar and communication system to organize appointments. In this context, your data may be transmitted to Microsoft Ireland Operations Limited as a service provider. We have signed a data processing agreement with Microsoft to protect your data.

Third country transfers

When using Microsoft Bookings, the transfer of personal data to third countries (in particular the USA) cannot be excluded. Microsoft is certified in accordance with the EU-U.S. Data Privacy Framework, which guarantees an adequate level of data protection in accordance with Art. 45 GDPR.

Storage period

Your personal data will be deleted as soon as it is no longer required for the purpose for which it was collected and there are no legal obligations to retain it. As a general rule, deletion takes place no later than 8 weeks after the scheduled appointment, provided that no further communication or business relationship takes place.

Provision voluntary or required

Voluntary information (e.g. on special requests or for contacting for other purposes) can also be excluded without affecting the appointment booking.

Right to object

If the processing of your data is based on your consent (Art. 6 para. 1 lit. a GDPR), you have the right to revoke this consent at any time with immediate effect for the future. The legality of the data processing carried out until the revocation remains unaffected by this. You can send your revocation at any time informally by e-mail to info@xenium.de.

V. Applications

Purpose, legal basis and legitimate interest

You can send us your application via the online application form or by e-mail to karriere@xenium.com.

We will only process the data you provide to assess your professional suitability and to contact you.

The following data from the online application form will be processed:

  • Xenium location

  • How did you hear about us?

  • First name

  • Last name

  • E-Mail address

  • Phone number

  • Available from (date)

  • LinkedIn profile

  • German language skills

  • Salary expectations

  • Attached documents (CV, cover letter, references)

  • For talent pool positions: Consent to data storage

The following data, which the user does not provide directly, will also be processed:

  • Job ID

  • Recruiting channel ID

  • Timestamp of the application

The processing is carried out for the purpose of establishing an employment relationship as part of the implementation of pre-contractual measures, which are carried out upon request, § 26 BDSG.

Within the framework of the balancing of interests (Art. 6 para. 1 lit. f) DSGVO), we process your data, as far as necessary, beyond the actual decision on the establishment of an employment relationship. Examples of such cases are:

  • measures to protect employees and customers as well as to protect the company's property and building and facility security (e.g. access controls, locking systems and video surveillance),

  • assertion of legal claims and defence in legal disputes: disclosure of personal data may be necessary in the context of official/court measures for the purposes of gathering evidence, criminal prosecution or enforcement of civil claims,

  • writing letters of application via LinkedIn, Xing and other applicant databases such as Absolventa, Indeed, etc.

Furthermore, we process your data on the basis of legal requirements (Art. 6 para. 1 lit. c) DSGVO in conjunction with § 26 BDSG), e.g. in order to comply with tax law and similar control and reporting obligations.

Recipient of the data

Within the company, access to your data is granted to those offices that need it to fulfil contractual, legal and supervisory obligations and to safeguard legitimate interests (e.g. HR department, management, the future supervisor). The processing takes place on the systems and servers of Xenium AG.

Service providers and vicarious agents employed by us may also receive data for these purposes, insofar as they require the data to perform their respective services. These may be external service providers from the following areas: Support or maintenance of EDP or IT applications and personnel management software. All service providers are contractually bound and in particular obliged to treat your data confidentially.

Data will only be passed on to recipients outside our company in compliance with the applicable data protection regulations. Personal data may be passed on to the following third parties, for example: external data protection officer, authorities in the event of a duty to disclose data.

Third country transfers

Processing does not take place outside the European Union (EU) or the European Economic Area (EEA).

Storage duration

If your application is rejected, it will be deleted six months after notification of the decision.

If an employment relationship is established, the application documents will be stored at Xenium AG for at least the duration of the employment period.

Provided you give us your explicit consent as part of your application, we will include your application documents in our talent pool. This enables us to consider you for future vacancies that match your qualifications and interests.

Your application data will be stored in the talent pool on the basis of your consent in accordance with Art. 6 para. 1 lit. a GDPR and will be stored for a period of 12 months. At the end of this period, your data will be automatically deleted unless you give us renewed consent to extend the storage period.

You can revoke your consent at any time with immediate effect for the future. An informal notification to karriere@xenium.com is sufficient. This does not affect the legality of the data processing carried out up to the point of revocation.

Provision voluntary or required

The provision of personal data is neither legally nor contractually required. However, it is not possible to process the application without this information.

Automated decision-making or profiling

We do not use fully automated decision-making pursuant to Article 22 of the GDPR for the establishment, implementation and termination of the working relationship. Should we use these procedures in individual cases, we will inform you separately about this and about your rights in this regard, insofar as this is required by law. We also do not process your data with the aim of automatically assessing certain personal aspects.

Right to object

Please read the information on your right to object under Art. 21 GDPR below.

VI. Usage of Plausible Analytics

Purpose and legal basis of processing

We use the privacy-friendly web analytics service Plausible Analytics to gain insights into how our website is used.

The aim is to continuously improve the functionality, user-friendliness, and relevance of our content.

In doing so, we collect information such as:

  • which pages are visited most frequently

  • from which countries and regions the visits originate (in anonymized form)

  • which devices and browsers are used to access our website

  • how long visitors stay on certain pages

Plausible Analytics operates without the use of cookies and does not employ tracking technologies that follow individual users across websites or visits.

In addition:

  • IP addresses are not stored permanently; they are only processed in a truncated and anonymized form for the duration of the request

  • no user profiles are created

  • no personal data as defined by the GDPR is collected or stored

  • all data is evaluated exclusively in aggregated and anonymized form

While we receive statistical insights into how the website is used, we cannot associate this data with individual persons.

Recipients of data

The data is processed by:

Plausible Insights OÜ, Västriku tn 2, 50403 Tartu, Estonia – a company based in the European Union.

Additional recipients may include technical service providers who are contractually obligated to handle your data confidentially.

Third country transfers

No personal data is transferred to third countries outside the European Union (EU) or the European Economic Area (EEA).

Storage period

Plausible only stores aggregated data with no personal identifiers.

IP addresses or other identifying data are neither stored permanently nor linked to other information.
No personal data is retained.

Provision voluntary or required

The use of Plausible Analytics is not required for visiting our website.

Its use is solely for technical and statistical optimization.

No automated decision-making takes place.

Right to object

You can technically prevent the collection of your data by activating “Do Not Track” in your browser settings.

Our system will recognize this signal and exclude your visit from analysis.

VII. SSL encryption

To protect the security of your data during transmission, we use state-of-the-art encryption procedures (e.g. SSL) via HTTPS.

VIII. Links and references

External Links

Xenium AG is only responsible for its "own content" that it makes available for use. If links to websites of other providers are provided, the statements of the Xenium AG privacy policy do not apply to the processing of personal data by these providers.

If you follow a link to one of these websites (which are outside our responsibility), we would like to point out that these websites have their own data protection information and that we are not responsible for this. We therefore recommend that you read the privacy policy on the other websites you visit before passing on your personal data to these website providers.

External links are marked with this symbol on our website: ↗

Please note that clicking on external links may also result in a data transfer to a third country (e.g. USA). In this case, it may be possible that foreign third parties, authorities or intelligence services receive your personal data (such as your IP address).

IX. Social Media (LinkedIn, YouTube, XING, Kununu)

Purpose and legitimate interest

We operate online profiles on various social media platforms to engage with users, prospective clients, and customers, and to inform them about our services and topics related to IT consulting. Our social media channels complement our own website and offer an alternative means of communication, especially for users who prefer these platforms.

We currently maintain the following company profiles:

Our website does not use embedded social media plugins or interfaces that enable automatic data transmission when visiting our pages. Our social media channels are accessible exclusively via external links. By clicking these links, you leave the protected area of our website and enter the responsibility of the respective network provider, where their own privacy policies apply.

Please note that you use these platforms and their functions under your own responsibility. This applies in particular to interactive features such as likes, comments, shares, or ratings.

The respective networks generally process the data you provide in your profiles and may also collect further usage data (e.g. interactions, visits, session duration) to offer personalized content or ads.

Legal basis

The processing of personal data takes place to stay in contact with our customers, to provide information, and to carry out pre-contractual measures with potential clients or applicants in accordance with Art. 6 para. 1 lit. b) GDPR.
In addition, we have a legitimate interest pursuant to Art. 6 para. 1 lit. f) GDPR in effective communication and information sharing with users and prospects, and for marketing purposes, such as increasing reach, visibility, and employer branding.
We also use aggregated statistics to continuously improve the relevance of content provided on our company profiles.

If you have given your consent pursuant to Art. 6 para. 1 lit. a) GDPR (e.g., by setting your LinkedIn or XING status to “open to work”), we may contact you directly with suitable job opportunities.

Recipients of the data

The primary recipients of the data are the respective social network operators, who may process the data for their own purposes and may share it with third parties under their own responsibility.
In addition, the content you post may be publicly accessible to anyone.

Third country transfers

When accessing our company profiles on LinkedIn and YouTube, personal data may be transferred to third countries, especially the United States.

For the U.S., an adequacy decision from the European Commission under the EU-U.S. Data Privacy Framework has been in place since July 10, 2023. This applies to companies certified under the framework. A list of certified companies is available here.

YouTube (Google LLC) is certified under the EU-U.S. Data Privacy Framework and relies on this adequacy decision for data transfers.

LinkedIn is not currently certified under the framework but has confirmed to the U.S. Department of Commerce that it complies with the EU-U.S. Data Privacy Framework Principles. According to LinkedIn, data transfers are only made to countries with an adequacy decision under Art. 45 GDPR or based on appropriate safeguards under Art. 46 GDPR.

In addition, we have entered into standard contractual clauses pursuant to Art. 46 para. 2 lit. c GDPR with LinkedIn and YouTube/Google. These can be accessed at the following links:

A copy of the standard contractual clauses is available upon request.

There is no transfer of personal data to third countries when using XING and Kununu. Processing takes place exclusively within the European Union (EU).

Storage period

Data is deleted as soon as it is no longer needed for the purpose for which it was collected. As a rule, private messages you send to us are deleted after three years, starting at the end of the calendar year in which they were received.
Comments remain stored on the respective network until you delete them yourself.
We have no control over how social networks handle your data and are not responsible for any third-country transfers by U.S.-based providers.

Provision voluntary or required

Providing your personal data on social media is voluntary. Without it, however, you will not be able to interact with us or our content on those platforms.

Right to object

Please also read the information on your right to object under Art. 21 GDPR below.

X. Change to our privacy policy

We reserve the right to adapt this data protection declaration so that it always complies with the current legal requirements or in order to implement changes to our services in the data protection declaration, e.g. when introducing new services. The new data protection statement will then apply to your next visit.

XI. Questions to the Data Protection Officer

If you have any questions about data protection, please write us an e-mail or contact the person responsible for data protection in our organisation directly:

Data Protection Officer at Xenium AG
c/o activeMind AG
Potsdamer Str. 3
80802 Munich
Phone: +49 (0)89 / 91 92 94 – 900
www.activemind.de
datenschutz@xenium.de

XII. Information about your right to object according to Art. 21 DSGVO

Individual right of objection

You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data relating to you which is carried out on the basis of Art. 6(1)(f) DSGVO (data processing on the basis of a balance of interests); this also applies to profiling based on this provision within the meaning of Art. 4 No. 4 DSGVO.

If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.

Recipients of an objection

The objection can be made informally with the subject "Objection", stating your name, address or other identifiers, to:

Xenium AG

Sapporobogen 6-8

80637 München

Phone: +49 89 4207980
E-Mail: info@xenium.de