Data Protection – An Overview

As of May 2018

OSRAM and its affiliated group companies are committed to protecting personal data. The following data privacy policy provides you with an overview of the data that is collected from you and how and for what purposes it is processed. You can find full information in the detailed version of our data privacy policy.

1. Controller:
OSRAM GmbH
Marcel-Breuer-Str. 6 – 8
80807 Munich
Germany

2. What data do we collect from you?

  • We record the domain name or IP address of your computer, the file request of the client (file name and URL), the http response code, and the Internet site you visit us from.
  • If you create a user account and register, we collect the access data (usually the user name/e-mail address and password).
  • We use cookies, small text files which, for example, are stored temporarily on your computer system for a shopping basket or for the OSRAM login and which your browser stores. You can make settings in your browser so that these cookies are not stored or are deleted at the end of your Internet session. You can find more information on this subject in our Cookie Policy. It also describes how you can object to the use of cookies and use of the data collected by cookies in anonymized or pseudonymized user profiles.
  • Some sites contain buttons of social media networks. These buttons are not recommendation or referral links. The link merely refers to the social media network in question without any user data being transferred.

3. How do we collect your data?
We collect the data generated when you visit our website in automated form. Otherwise, we collect data only as a result of your inputs on our website or using cookies.

4. What do we use your data for?

  • For technical administration and provision of the website
  • To create pseudonymous user profiles we use for promotional purposes and market research – unless you object
  • To the extent permitted by law: To identify misuse and remedy problems

5. Forwarding of your data
If you have given your consent or we are otherwise authorized to do so under the law, we may pass on your personal data to OSRAM Group companies or to service providers (e.g. hosting, sales or marketing partners) for the above purposes.

If the recipients are based in countries that do not have an adequate level of data protection, OSRAM has taken measures to ensure suitable and adequate safeguards so as to protect personal data. If the data is given to

  • Group companies in such countries, we ensure that said companies have signed the Binding Corporate Rules (BCRs) on protection of personal data and abide by them. You can find information on OSRAM’s BCRs in the pdf at the top of the page.
  • recipients outside the Group in such countries, the data is only transferred if said companies (i) have concluded EU standard contractual clauses with OSRAM or (ii) – in the case of recipients based in the U.S. – have been certified under the EU–U.S. Privacy Shield.

6. What rights do you have?

  • Information
  • Erasure
  • Rectification
  • Objection

You can contact the Data Protection Officer of OSRAM GmbH with your query by post or using the information request form.

This data privacy statement is amended from time to time. You can find the date when it was last updated at its beginning.

Detailed version of our data privacy policy

This data privacy statement explains how OSRAM and its subsidiaries (referred to jointly as OSRAM) use your personal data, what measures are taken to protect your data, and what rights you have in relation to your personal data.

Introduction

OSRAM is committed to protecting personal data. That is why OSRAM processes your personal data in compliance with the provisions of the European General Data Protection Regulation (GDPR) and other applicable legal provisions on protection of personal data and data security.

The controller within the meaning of the General Data Protection Regulation, other national data protection laws and other data protection regulations is OSRAM GmbH.

Represented by Dr. Olaf Berlien, Mr. Ingo Bank and Dr. Stefan Kampmann

Marcel-Breuer-Straße 6
80807 Munich
Germany

  • Phone: +49 89 6213-0
  • Fax: +49 89 6213-2020
  • E-mail: contact@osram.com
  • Internet: www.osram.com, www.osram.de
  • Contact details of the Data Protection Officer: privacy@osram.com

In individual cases, the respective subsidiaries may also be the controller on their own or together with OSRAM GmbH. You can find the contact data for the subsidiaries in the specified list.

In principle, OSRAM collects and uses personal data of users only if necessary to provide a well-functioning website.

If we obtain consent from data subjects to process their personal data, the legal basis for that is laid down by Article 6 paragraph 1 point (a) of the EU General Data Protection Regulation (GDPR).

The legal basis for processing your personal data in order to perform a contract between you and OSRAM is Article 6 paragraph 1 point (b) GDPR. That also applies to processing activities required to take steps prior to entering into a contract.

If processing of personal data is necessary for compliance with a legal obligation on the part of OSRAM, the legal basis for that is Article 6 paragraph 1 point (c) GDPR.

If vital interests of the data subject or another natural person necessitate processing of personal data, the legal basis for that is Article 6 paragraph 1 point (d) GDPR.

If processing is necessary to safeguard legitimate interests of OSRAM or a third party and your interests, fundamental rights and freedoms which require protection of personal data are not overridden by the interests of OSRAM or the third party, the legal basis for that is Article 6 paragraph 1 point (f) GDPR.

The data subject’s personal data shall be erased or blocked as soon as the purpose for which it has been stored no longer applies. The data can also be stored if this is envisaged by European or national legislators in EU regulations, laws or other provisions to which OSRAM is subject. The data shall also be blocked or erased when a period of time prescribed for its storage under one of the above legal provisions expires, unless it is necessary for the data to still be stored so that a contract can be concluded or performed.

1. Scope of data collection
Whenever our websites are called, data and information is automatically collected from the computer system calling them.

The following data is collected:

  • Information on the type of browser used and its version
  • The user’s operating system
  • The user’s Internet service provider
  • The user’s IP address
  • The date and time of access
  • Websites from which the user’s system accesses our Internet site
  • Websites the user’s system calls from our website

This data is also stored in our system’s log files. This data is not stored together with other personal data of the user.

2. Legal basis for data processing
The legal basis for temporary storage of data (and log files) is Article 6 paragraph 1 point (f) GDPR.

3. Purpose of data processing
Temporary storage of the IP address by the system is necessary so that the website can be delivered to the user’s computer system. To enable that, the user’s IP address must be stored for the duration of the session.

The data is stored in log files in order to ensure that the website functions properly. The data also helps us optimize the website and ensure the security of our IT systems. The data is not analyzed for marketing purposes in this connection.

This purpose also constitutes our legitimate interest in processing data in accordance with Article 6 paragraph 1 point (f) GDPR.

4. Length of data storage
The data is erased as soon as it is no longer required for achieving the purpose for which it was collected. As regards data recorded to deliver the website, this is the case when the session in question is over.

If the data is stored in log files, this is the case after seven days at the latest. The data can be stored above and beyond that. In that case, the IP addresses of users are erased or anonymized so that the client calling the website can no longer be identified.

5. Possibility of opting out
Recording of data in order to deliver the website and storage of the data in log files is absolutely necessary for operating the Internet site. Consequently, users do not have the possibility of objecting and opting out.

1. Scope of data collection
No data is passed on to third parties in connection with the processing of data needed to send out newsletters. The data is used solely for sending the newsletter.

  • a) Users must register for the newsletter on the website to receive it:

Users can subscribe to free newsletters on our Internet sites. The data provided in the input screen used in registering for the newsletter is sent to us.

The following data is collected:

  • E-mail address
  • Surname and first name (optional)
  • Form of address
  • Language/country
  • The date and time of registration

Your consent to processing of the data is obtained and your attention is drawn to this data privacy statement during registration.

  • b) The newsletter is sent by your OSRAM sales contact:

When you have contact with a sales partner of OSRAM, he or she will ask for your contact data so that you can be sent messages and newsletters. The contact data stored may be your phone number, e-mail address, surname and first name (optional). The e-mail address you disclose in that connection may subsequently be used by us to send out a newsletter. In such a case, only direct advertising for our own, similar goods or services is sent out using the newsletter.

2. Legal basis for data processing
The legal basis for processing data after the user has registered for the newsletter is Article 6 paragraph 1 point (a) GDPR if the user has given consent.

The legal basis for sending the newsletter after the sales employee has entered the data is Section 7 (3) of the German Act Against Unfair Competition (UWG).

3. Purpose of data processing
The user’s e-mail address is collected so that the newsletter can be delivered.

Other personal data is collected as part of registration so as to prevent misuse of the services or the e-mail address.

4. Length of data storage
The data is erased as soon as it is no longer required for achieving the purpose for which it was collected. Accordingly, the user’s e-mail address is stored for as long as the newsletter subscription is active.

5. Possibility of opting out
Users can cancel their subscription to the newsletter at any time. Every newsletter contains a link allowing them to do that.

1. Scope of data collection
On our Internet sites, we give users the possibility of registering using their personal data. The data is entered in an input screen, sent to us and stored. The data is not passed on to third parties.

The following data is collected:

  • E-mail address
  • Surname and first name (optional)
  • Form of address
  • Language/country
  • The date and time of registration

The user’s consent to processing of this data is obtained as part of the registration process.

2. Legal basis for data processing
The legal basis for processing data is Article 6 paragraph 1 point (a) GDPR if the user has given consent.

If registration is carried out for the purpose of performing a contract or steps prior to entering into a contract, the additional legal basis for processing data is Article 6 paragraph 1 point (b) GDPR.

3. Purpose of data processing

  • a) For providing specific content and services on our website
  • b) To perform a contract with the user or steps prior to entering into a contract

4. Length of data storage
The data is erased as soon as it is no longer required for achieving the purpose for which it was collected.

This is the case for data collected during registration when registration is canceled or changed on our Internet site.

If registration is carried out for the purpose of performing a contract or steps prior to entering into a contract, that is the case when the data is no longer needed to perform the contract.

Personal data of the contractual partner may also need to be stored after the contract has been concluded so that contractual or statutory obligations can be fulfilled.

5. Possibility of opting out
Users can cancel their registration at any time. You can have the data stored on you changed or erased at any time.

If registration is carried out for the purpose of performing a contract or steps prior to entering into a contract, premature erasure of the data is possible only if there are no contractual or statutory obligations that prevent it from being erased.

1. Scope of data collection
Our Internet site contains a form that can be used for contacting us electronically. If a user makes uses of this option, the data entered in the input screen is sent to us and stored. . The data is used solely for processing the conversation. The data is not passed on to third parties.

The following data is collected:

  • E-mail address
  • Surname and first name (optional)
  • Form of address
  • Language/country
  • The date and time of registration

Your consent to processing of the data is obtained and your attention is drawn to this data privacy statement.

Furthermore, communication is possible by using the e-mail address you specified. In this case, the personal data sent with your e-mail is stored.

2. Legal basis for data processing
The legal basis for processing data is Article 6 paragraph 1 point (a) GDPR if the user has given consent.

The legal basis for processing data sent with an e-mail is Article 6 paragraph 1 point (f) GDPR. If the purpose of the e-mail contact is to conclude a contract, the additional legal basis for processing of the data is Article 6 paragraph 1 point (b) GDPR.

3. Purpose of data processing
We process personal data from the input screen solely for handling contacts. If we are contacted by e-mail, that constitutes the legitimate interest required for processing the data.

The other personal data that is processed helps prevent misuse of the contact form and ensure the security of our IT systems.

4. Length of data storage
The data is erased as soon as it is no longer required for achieving the purpose for which it was collected. This is usually the case when the conversation is over. The conversation is over when it is clear from circumstances that the matter in question has been definitely resolved.

5. Possibility of opting out
Users can revoke their consent to their personal data being processed at any time. If you contact us by e-mail, you can object to your personal data being stored at any time. That then means the conversation cannot be continued.

All personal data stored as part of the contact is erased in this case.

1. Scope of data collection
If you have been authorized by one of our shareholders to take part in the Annual General Meeting as a proxy, we only collect the data required to send the invitation and invitation cards, such as the surname, first name and address of the proxy.

2. Legal basis for data processing
The legal basis for processing data as part of authorization of a proxy is Article 6 paragraph 1 point (c) GDPR in conjunction with the provisions of the German Stock Corporation Act (AktG).

3. Purpose of data processing
The personal data is processed by us solely for handling the proxy’s attendance at the Annual General Meeting.

4. Length of data storage
The data is erased as soon as it is no longer required for achieving the purpose for which it was collected. This is usually the case when the requirements for the Annual General Meeting as defined under the German Stock Corporation Act (AktG) no longer apply.

5. Data Privacy Rights
You have the right to request access to stored data concerning your person at the above-mentioned company address. In addition, you are entitled to demand, subject to certain conditions, the deletion of your personal data or the restriction of its processing (e.g. in case of unlawful processing of your data). If your data is processed to safeguard legitimate interests, you can object to this processing at the above-mentioned company address. We will then terminate the processing unless it serves overriding legitimate interests on our part.

In some cases, we use specialized service providers to process your data. We carefully choose and regularly control our service providers. They process personal data only on our behalf and in strict accordance with our instructions on the basis of agreements on commissioned data processing.

In some cases, your data is also processed in countries outside the European Union (EU) or the European Economic Area (EEA) where, generally speaking, there might be a lower level of data protection than in Europe. In such cases, we ensure that an adequate level of protection for your data is guaranteed, such as by means of agreements with our contractual partners (of which a copy is available upon request), or we ask you for your explicit consent.

If your personal data is processed, you are a data subject within the meaning of the General Data Protection Regulation (GDPR) and you have the following rights vis-à-vis the controller:

1. Right to obtain information
You can demand confirmation from OSRAM as to whether personal data concerning you is processed by us.

If it is processed by us, you can demand the following information from the controller:

  • the purposes for which the personal data is processed;
  • the categories of personal data that is processed;
  • the recipients or categories of recipients to whom the personal data concerning you has been or is to be disclosed;
  • the planned length of time for which the personal data concerning you will be stored or, if concrete details of that are not possible, the criteria used to determine that length of time;
  • the existence of a right to rectification or erasure of personal data concerning you, a right to restriction of processing of the data by the controller, or a right to object to such processing;
  • the right to lodge a complaint with a supervisory authority;
  • all available information on the origin of the data if the personal data has not been collected from the data subject;
  • the existence of automated decision-making, including profiling, referred to in Article 22 paragraphs 1 and 4 GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject;
  • whether the personal data concerning you is transferred to a third country or an international organization and which appropriate safeguards in accordance with Article 46 GDPR have been provided.

If data is processed for scientific or historical research purposes or statistical purposes, the right to obtain information can be restricted insofar as it is likely to render impossible or seriously impair achievement of the research or statistical purposes and the restriction is necessary to ensure the research or statistical purposes are achieved.

2. Right to rectification
You have a right to demand that OSRAM correct and/or supplement processed personal data concerning you if it is incorrect or incomplete. OSRAM will rectify the data immediately.

3. Right to restriction of processing
You can demand that processing of personal data concerning you be restricted under the following circumstances:

  • if you contest the accuracy of the personal data concerning you, processing of the data will be restricted for a period enabling the controller to verify the accuracy of the personal data;
  • the processing is unlawful and you oppose the erasure of the personal data and request restriction of its use instead;
  • the controller no longer needs the personal data for the purposes of processing, but it is required by you for the establishment, exercise or defense of legal claims; or
  • you have objected to processing pursuant to Article 21 paragraph 1 GDPR and it has yet to be verified whether the legitimate grounds of the controller override your grounds.

Where processing of personal data concerning you has been restricted, the data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the European Union or of a Member State.

If processing of data has been restricted pursuant to the above circumstances, you will be informed by OSRAM before the restriction is lifted.

4. Right to erasure
You can demand that OSRAM erase the personal data concerning you without undue delay where one of the following grounds applies:

  • the personal data concerning you is no longer necessary for fulfilling the purposes for which it was collected or otherwise processed;
  • you withdraw consent on which the processing was based in accordance with Article 6 paragraph 1 point (a) or Article 9 paragraph 2 point (a) GDPR, and where there is no other legal ground for the processing;
  • you object to the processing pursuant to Article 21 paragraph 1 GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Article 21 paragraph 2 GDPR;
  • the personal data concerning you has been unlawfully processed;
  • the personal data concerning you has to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
  • the personal data concerning you has been collected in relation to the offer of information society services referred to in Article 8 paragraph 1 GDPR (children’s consent).

5. Right to be forgotten
If OSRAM has made personal data concerning you public and is obliged pursuant to the requirements specified in section 4 to erase the data, OSRAM, taking account of available technology and the cost of implementation, will take reasonable steps to inform controllers who process your data further that you have requested erasure of all links to your personal data.

6. Exceptions to the right to erasure
You do not have a right to demand erasure of your data if processing of it is necessary

  • for exercising the right of freedom of expression and information;
  • for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  • for reasons of public interest in the area of public health in accordance with Article 9 paragraph 2 points (h) and (i) and Article 9 paragraph 3 GDPR;
  • for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89 paragraph 1 GDPR insofar as the right referred to in (a) is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
  • for the establishment, exercise or defense of legal claims.

7. Right to notification
If you have asserted the right to rectification, erasure or restriction of processing toward OSRAM, we will communicate any rectification or erasure of data or restriction of processing to each recipient to whom the personal data concerning you has been disclosed, unless this proves impossible or involves disproportionate effort. If requested, we will inform you of who the recipients are.

8. Right to data portability
You have the right to receive the personal data concerning you which you have provided to OSRAM, in a structured, commonly used and machine-readable format and to transmit the data to another controller, provided

  • processing of the data is based on consent in accordance with Article 6 paragraph 1 point (a) GDPR or Article 9 paragraph 2 point (a) GDPR or on a contract in accordance with Article 6 paragraph 1 point (b) GDPR and
  • the processing is carried out by automated means.

You also have the right to have the personal data concerning you transmitted directly from OSRAM to another controller, where technically feasible. This must not adversely affect the rights and freedoms of others.

The right to data portability shall not apply to processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

9. Right to object
You have the right to object at any time to processing of personal data concerning you which is based on Article 6 paragraph 1 point (e) or (f) GDPR, including profiling based on those provisions.

OSRAM will subsequently no longer process the personal data concerning you unless there are compelling legitimate grounds for the processing which override your interests, rights and freedoms or processing of it is for the purpose of the establishment, exercise or defense of legal claims.

Where personal data concerning you is processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing.

If you object to processing for direct marketing purposes, the personal data concerning you will no longer be processed for such purposes.

You also have the right to object to processing of personal data concerning you that is processed for scientific or historical research purposes or statistical purposes pursuant to Article 89 paragraph 1 GDPR.

Your right to object can be restricted insofar as it is likely to render impossible or seriously impair achievement of the research or statistical purposes and the restriction is necessary to ensure the research or statistical purposes are achieved.

10. Right to revoke the declaration of consent under data protection law
You have the right to revoke your declaration of consent under data protection law at any time. The withdrawal of consent shall not affect the lawfulness of processing based on your consent until you withdrew it.

11. Automated individual decision-making, including profiling
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This does not apply if the decision

  • (1) is necessary for entering into, or performance of, a contract between you and the controller;
  • (2) is authorized by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or
  • (3) is based on your explicit consent.

In the cases referred to in (1) and (3), OSRAM will implement suitable measures to safeguard your rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express your own point of view and to contest the decision.

If these decisions are based on special categories of personal data referred to in Article 9 paragraph 1 GDPR, the above exceptions shall apply only if Article 9 paragraph 2 point (a) or (g) GDPR applies and suitable measures to safeguard your rights and freedoms and legitimate interests are in place.

12. Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, your place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the General Data Protection Regulation (GDPR).

The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78 GDPR.

You can find more information and explanations of the rights mentioned above on the website “Rights for citizens” of the European Commission.