Responsible body within the meaning of data protection laws, in particular the EU General Data Protection Regulation (GDPR, German: DSGVO):
Xenium AG
Sapporobogen 6-8
80637 Munich
Telephone: +49 89 4207980
E-Mail: datenschutz@xenium.de
Privacy Policy
I. Your data subject rights
You can exercise the following rights at any time using the contact details provided by our data protection officer:
information about your data stored by us and its processing (Art. 15 DSGVO),
correction of incorrect personal data (Art. 16 DSGVO),
deletion of your data stored by us (Art. 17 DSGVO),
restriction of data processing if we are not yet allowed to delete your data due to legal obligations (Art. 18 DSGVO),
objection to the processing of your data by us (Art. 21 DSGVO) and
data portability, given you have consented to the data processing or have concluded a contract with us (Art. 20 DSGVO).
If you have given us consent, you can revoke this at any time with effect for the future.
You can lodge a complaint with a supervisory authority at any time, e.g. the competent supervisory authority in the federal state of your residence or the authority responsible for us as the controller.
A list of the supervisory authorities (for the non-public sector) with address can be found at: https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html.
II. Contact
There is a contact form on our website that can be used to contact us electronically. If a user uses this option, the data entered in the input field will be transmitted to us and stored.
The following data is also stored once the message is sent:
Date and time of the request
It is also possible to contact us via the e-mail addresses provided. In this case, the user's personal data transmitted with the e-mail will be stored. This includes the date and time the e-mail was sent, e-mail address, IP address and information on the servers involved in the e-mail communication.
You can also contact us via the telephone number provided. In this case, we collect log data that includes your telephone number and the duration of the call.
The data entered in the contact form is processed in accordance with a legitimate interest (Art. 6 para. 1 lit. f GDPR). Our legitimate interest in processing your data is to facilitate uncomplicated contact.
Recipients of the data may be technical service providers who act as processors for the operation and maintenance of our website.
Data will be deleted no later than 6 months after the request has been processed.
If there is a contractual relationship, we are subject to the legal storage periods. These are generally 6 or 10 years for the purposes of orderly accounting and tax law requirements.
The provision of your personal data is voluntary. However, we can only process your request if you provide us with the required data and the reason for the request.
Please read the information on your right to object under Art. 21 GDPR below.
III. Server log files
When you access our website, i.e. even if you do not register or otherwise submit information, information of a general nature is automatically collected. This information (server log files) includes, for example, the type of web browser, the operating system used, the domain name of your internet service provider, your IP address and the like.
In particular, they are processed for the following purposes:
ensuring a problem-free connection setup to our website,
ensuring the smooth use of our website,
evaluating system security and stability, and
for other administrative purposes.
We do not use your data to make any conclusions about your personal identity. We also reserve the right to check the server log files retrospectively if there are concrete indications of unlawful use.
The processing is carried out in accordance with Art. 6 para. 1 lit. f DSGVO on the basis of our legitimate interest in improving the stability and functionality of our website.
We use technical service providers for the operation and maintenance of our website who act as our processors.
The data is deleted as soon as it is no longer required for the purpose for which it was collected. This is generally the case for data used to provide the website when the respective session has ended.
The provision of the aforementioned personal data is neither legally nor contractually required. However, without the IP address and the cookie identifier, the service and functionality of our website cannot be guaranteed. In addition, individual services may not be available or may be restricted.
Please read the information about your right to object according to Art. 21 DSGVO below.
IV. Appointment Bookings via Microsoft Bookings
The personal data you provide when booking an appointment to arrange an initial consultation (e.g. name, email address, notes, desired appointment) will be processed for appointment planning, organization and execution.
The legal basis is the fulfillment of the contract or pre-contractual measures in accordance with Art. 6 para. 1 lit. b) GDPR (if the appointment booking form is used to initiate a potential contractual agreement or to fulfill an existing contract) or consent in accordance with Art. 6 para. 1 lit. a) GDPR (if the appointment booking is not mandatory or is used for voluntary additional services, i.e. for voluntary information, reminder service or advertising-related communication).
We use Microsoft Bookings as an internal calendar and communication system to organize appointments. In this context, your data may be transmitted to Microsoft Ireland Operations Limited as a service provider. We have signed a data processing agreement with Microsoft to protect your data.
When using Microsoft Bookings, the transfer of personal data to third countries (in particular the USA) cannot be excluded. Microsoft is certified in accordance with the EU-U.S. Data Privacy Framework, which guarantees an adequate level of data protection in accordance with Art. 45 GDPR.
Your personal data will be deleted as soon as it is no longer required for the purpose for which it was collected and there are no legal obligations to retain it. As a general rule, deletion takes place no later than 8 weeks after the scheduled appointment, provided that no further communication or business relationship takes place.
Voluntary information (e.g. on special requests or for contacting for other purposes) can also be excluded without affecting the appointment booking.
If the processing of your data is based on your consent (Art. 6 para. 1 lit. a) GDPR), you have the right to revoke this consent at any time with immediate effect for the future. The legality of the data processing carried out until the revocation remains unaffected by this. You can send your revocation at any time informally by e-mail to info@xenium.de.
V. Applications
You can send us your application via the online application form or by e-mail to karriere@xenium.com.
We will only process the data you provide to assess your professional suitability and to contact you.
The following data from the online application form will be processed:
Xenium location
How did you hear about us?
First name
Last name
E-Mail address
Phone number
Available from (date)
LinkedIn profile
German language skills
Salary expectations
Attached documents (CV, cover letter, references)
For talent pool positions: Consent to data storage
The following data, which the user does not provide directly, will also be processed:
Job ID
Recruiting channel ID
Timestamp of the application
The processing is carried out for the purpose of establishing an employment relationship as part of the implementation of pre-contractual measures, which are carried out upon request, § 26 BDSG.
Within the framework of the balancing of interests (Art. 6 para. 1 lit. f) DSGVO), we process your data, as far as necessary, beyond the actual decision on the establishment of an employment relationship. Examples of such cases are:
measures to protect employees and customers as well as to protect the company's property and building and facility security (e.g. access controls, locking systems and video surveillance),
assertion of legal claims and defence in legal disputes: disclosure of personal data may be necessary in the context of official/court measures for the purposes of gathering evidence, criminal prosecution or enforcement of civil claims,
writing letters of application via LinkedIn, Xing and other applicant databases such as Absolventa, Indeed, etc.
Furthermore, we process your data on the basis of legal requirements (Art. 6 para. 1 lit. c) DSGVO in conjunction with § 26 BDSG), e.g. in order to comply with tax law and similar control and reporting obligations.
Within the company, access to your data is granted to those offices that need it to fulfil contractual, legal and supervisory obligations and to safeguard legitimate interests (e.g. HR department, management, the future supervisor). The processing takes place on the systems and servers of Xenium AG.
Service providers and vicarious agents employed by us may also receive data for these purposes, insofar as they require the data to perform their respective services. These may be external service providers from the following areas: Support or maintenance of EDP or IT applications and personnel management software. All service providers are contractually bound and in particular obliged to treat your data confidentially.
Data will only be passed on to recipients outside our company in compliance with the applicable data protection regulations. Personal data may be passed on to the following third parties, for example: external data protection officer, authorities in the event of a duty to disclose data.
Processing does not take place outside the European Union (EU) or the European Economic Area (EEA).
If your application is rejected, it will be deleted six months after notification of the decision.
If an employment relationship is established, the application documents will be stored at Xenium AG for at least the duration of the employment period.
Provided you give us your explicit consent as part of your application, we will include your application documents in our talent pool. This enables us to consider you for future vacancies that match your qualifications and interests.
Your application data will be stored in the talent pool on the basis of your consent in accordance with Art. 6 para. 1 lit. a GDPR and will be stored for a period of 12 months. At the end of this period, your data will be automatically deleted unless you give us renewed consent to extend the storage period.
You can revoke your consent at any time with immediate effect for the future. An informal notification to karriere@xenium.com is sufficient. This does not affect the legality of the data processing carried out up to the point of revocation.
The provision of personal data is neither legally nor contractually required. However, it is not possible to process the application without this information.
We do not use fully automated decision-making pursuant to Article 22 of the GDPR for the establishment, implementation and termination of the working relationship. Should we use these procedures in individual cases, we will inform you separately about this and about your rights in this regard, insofar as this is required by law. We also do not process your data with the aim of automatically assessing certain personal aspects.
Please read the information on your right to object under Art. 21 GDPR below.
VI. Usage of Plausible Analytics
We use the privacy-friendly web analytics service Plausible Analytics to gain insights into how our website is used.
The aim is to continuously improve the functionality, user-friendliness, and relevance of our content.
In doing so, we collect information such as:
which pages are visited most frequently
from which countries and regions the visits originate (in anonymized form)
which devices and browsers are used to access our website
how long visitors stay on certain pages
Plausible Analytics operates without the use of cookies and does not employ tracking technologies that follow individual users across websites or visits.
In addition:
IP addresses are not stored permanently; they are only processed in a truncated and anonymized form for the duration of the request
no user profiles are created
no personal data as defined by the GDPR is collected or stored
all data is evaluated exclusively in aggregated and anonymized form
While we receive statistical insights into how the website is used, we cannot associate this data with individual persons.
The data is processed by:
Plausible Insights OÜ, Västriku tn 2, 50403 Tartu, Estonia – a company based in the European Union.
Additional recipients may include technical service providers who are contractually obligated to handle your data confidentially.
No personal data is transferred to third countries outside the European Union (EU) or the European Economic Area (EEA).
Plausible only stores aggregated data with no personal identifiers.
IP addresses or other identifying data are neither stored permanently nor linked to other information.
No personal data is retained.
The use of Plausible Analytics is not required for visiting our website.
Its use is solely for technical and statistical optimization.
No automated decision-making takes place.
You can technically prevent the collection of your data by activating “Do Not Track” in your browser settings.
Our system will recognize this signal and exclude your visit from analysis.
VII. SSL encryption
To protect the security of your data during transmission, we use state-of-the-art encryption procedures (e.g. SSL) via HTTPS.
VIII. Links and references
Xenium AG is only responsible for its "own content" that it makes available for use. If links to websites of other providers are provided, the statements of the Xenium AG privacy policy do not apply to the processing of personal data by these providers.
If you follow a link to one of these websites (which are outside our responsibility), we would like to point out that these websites have their own data protection information and that we are not responsible for this. We therefore recommend that you read the privacy policy on the other websites you visit before passing on your personal data to these website providers.
External links are marked with this symbol on our website: ↗
Please note that clicking on external links may also result in a data transfer to a third country (e.g. USA). In this case, it may be possible that foreign third parties, authorities or intelligence services receive your personal data (such as your IP address).
IX. Social Media (LinkedIn, YouTube, XING, Kununu)
We operate online profiles on various social media platforms to engage with users, prospective clients, and customers, and to inform them about our services and topics related to IT consulting. Our social media channels complement our own website and offer an alternative means of communication, especially for users who prefer these platforms.
We currently maintain the following company profiles:
LinkedIn Company Profile (LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland)
YouTube Channel (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland)
XING Company and Review Profile (New Work SE, Am Strandkai 1, 20457 Hamburg, Germany)
Kununu Company and Review Profile (New Work SE, Am Strandkai 1, 20457 Hamburg, Germany)
Our website does not use embedded social media plugins or interfaces that enable automatic data transmission when visiting our pages. Our social media channels are accessible exclusively via external links. By clicking these links, you leave the protected area of our website and enter the responsibility of the respective network provider, where their own privacy policies apply.
Please note that you use these platforms and their functions under your own responsibility. This applies in particular to interactive features such as likes, comments, shares, or ratings.
The respective networks generally process the data you provide in your profiles and may also collect further usage data (e.g. interactions, visits, session duration) to offer personalized content or ads.
The processing of personal data takes place to stay in contact with our customers, to provide information, and to carry out pre-contractual measures with potential clients or applicants in accordance with Art. 6 para. 1 lit. b) GDPR.
In addition, we have a legitimate interest pursuant to Art. 6 para. 1 lit. f) GDPR in effective communication and information sharing with users and prospects, and for marketing purposes, such as increasing reach, visibility, and employer branding.
We also use aggregated statistics to continuously improve the relevance of content provided on our company profiles.
If you have given your consent pursuant to Art. 6 para. 1 lit. a) GDPR (e.g., by setting your LinkedIn or XING status to “open to work”), we may contact you directly with suitable job opportunities.
The primary recipients of the data are the respective social network operators, who may process the data for their own purposes and may share it with third parties under their own responsibility.
In addition, the content you post may be publicly accessible to anyone.
When accessing our company profiles on LinkedIn and YouTube, personal data may be transferred to third countries, especially the United States.
For the U.S., an adequacy decision from the European Commission under the EU-U.S. Data Privacy Framework has been in place since July 10, 2023. This applies to companies certified under the framework. A list of certified companies is available here.
YouTube (Google LLC) is certified under the EU-U.S. Data Privacy Framework and relies on this adequacy decision for data transfers.
LinkedIn is not currently certified under the framework but has confirmed to the U.S. Department of Commerce that it complies with the EU-U.S. Data Privacy Framework Principles. According to LinkedIn, data transfers are only made to countries with an adequacy decision under Art. 45 GDPR or based on appropriate safeguards under Art. 46 GDPR.
In addition, we have entered into standard contractual clauses pursuant to Art. 46 para. 2 lit. c GDPR with LinkedIn and YouTube/Google. These can be accessed at the following links:
LinkedIn: www.linkedin.com
YouTube/Google: www.business.safety.google, www.policies.google.com
A copy of the standard contractual clauses is available upon request.
There is no transfer of personal data to third countries when using XING and Kununu. Processing takes place exclusively within the European Union (EU).
Data is deleted as soon as it is no longer needed for the purpose for which it was collected. As a rule, private messages you send to us are deleted after three years, starting at the end of the calendar year in which they were received.
Comments remain stored on the respective network until you delete them yourself.
We have no control over how social networks handle your data and are not responsible for any third-country transfers by U.S.-based providers.
Providing your personal data on social media is voluntary. Without it, however, you will not be able to interact with us or our content on those platforms.
LinkedIn: https://www.linkedin.com/help/linkedin/ask/TS-DPRO and www.linkedin.com
YouTube: www.myaccount.google.com and www.support.google.com
XING: www.privacy.xing.com and www.xing.com
Please also read your right to object under Art. 21 GDPR below.
X. Change to our privacy policy
We reserve the right to adapt this data protection declaration so that it always complies with the current legal requirements or in order to implement changes to our services in the data protection declaration, e.g. when introducing new services. The new data protection statement will then apply to your next visit.
XI. Questions to the Data Protection Officer
If you have any questions about data protection, please write us an e-mail or contact the person responsible for data protection in our organisation directly:
Data Protection Officer at Xenium AG
c/o activeMind AG
Potsdamer Str. 3
80802 Munich
Phone: +49 (0)89 / 91 92 94 – 900
www.activemind.de
datenschutz@xenium.de
XII. Information about your right to object according to Art. 21 DSGVO
You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data relating to you which is carried out on the basis of Art. 6(1)(f) DSGVO (data processing on the basis of a balance of interests); this also applies to profiling based on this provision within the meaning of Art. 4 No. 4 DSGVO.
If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.
The objection can be made informally with the subject "Objection", stating your name, address or other identifiers, to:
Xenium AG
Sapporobogen 6-8
80637 München
Phone: +49 89 4207980
E-Mail: info@xenium.de