Privacy policy

When you visit and eventually interact with a G+D website, we may collect personal data from you. This data may come from you directly, for example, when you register for a newsletter or an event, or when you submit an inquiry to us. Some data that can be linked to you, primarily technical data, is processed automatically. This involves:

• IP address
• Browser and operating system,
• Date and time of the page view
• Referrer URL

We process your personal data for various purposes depending on the nature of your interaction with our websites:

Fulfillment of contractual obligations (Art. 6 para. 1 lit. b GDPR):

We process personal data to fulfill contractual obligations to our customers or to carry out pre-contractual measures. This includes, for example, responding to inquiries as part of our customer relationship management.

Based on consent (Art. 6. para. 1 lit. a GDPR):

We process data on the basis of your consent. This includes the sending of our newsletters or other advertising, the response to contact requests.

When you visit our websites and access messages sent by us, cookies and other similar technologies may be used to make our websites more user-friendly and to adapt them to your preferences. Or to control advertising from G+D on third-party websites. Detailed information on this can be found in our Cookie Notice.

We process data to optimize our online marketing activities. This includes, among other things:

• E-mail marketing (newsletter/infomail, as well as automated mailings, e.g. to provide downloads)
• Reporting (e.g. traffic sources, accesses, etc. ...)
• Contact management (e.g. user segmentation & CRM)
• Landing pages and contact forms

This information may be used by us to contact visitors to our website and to determine which services of G+D might be of interest to them. All information collected is used exclusively to optimize our marketing.

If you register for a congress or event, we collect information necessary for your participation in such events as well as for their organization.

You can revoke the consent you have given at any time with effect for the future.

G+D's marketing and communication activities are coordinated centrally. If you have granted advertising consent in favor of another company of the Giesecke+Devrient Group, this Privacy Policy will apply accordingly.

Maintaining legitimate interests (Art. 6 para. 1 lit. f GDPR):

We also process personal data if this is necessary to protect the legitimate interests of G+D, subsidiaries of G+D and, if applicable, other third parties. The processing is carried out exclusively under consideration of your interests. This includes, for example, the analysis of pseudonymized website usage for the optimization of our websites in accordance with our Cookie Notice or the collection of information necessary for the authentication of software.

Unless the use of personal data is necessary, we use only anonymous information or pseudonyms as far as possible.

Your personal data will not be disclosed to third parties unless you have consented to such disclosure or such disclosure is permitted under applicable law, for example, if it is necessary for the performance of a contract concluded with you. If you submit a request that relates to G+D Group subsidiaries located in other countries ("Group Companies"), this request will be forwarded to the relevant Group Company together with the information required to respond to your request. These Group Companies may be located in a country other than the country in which you reside, including countries outside the European Union ("EU") and the European Economic Area ("EEA"). A list of group companies can be found here.

Furthermore, we may use service providers who act as data processors on our behalf and who may also be located in countries outside the EU and the EEA.

G+D, together with all Group companies and service providers used, has taken appropriate measures to ensure an adequate level of data protection in accordance with applicable requirements. In particular, internal binding data protection regulations pursuant to Art. 47 DSGVO (Corporate Binding Rules) apply to the transfer of personal data between Group companies.

G+D acknowledges that the privacy of children and/or users under the age of 18 ("Minors") must be adequately protected. Our website is not directed at minors. G+D does not wish to address minors with its website and does not knowingly collect personal data from minors without the consent of their parents or legal guardians.

G+D uses technical and organizational security measures (in particular access, availability and input controls, including encryption techniques and measures to protect media using personal data, as well as the use of qualified personnel responsible for the security of personal data) to ensure that the protection of personal data provided by you is not undermined by unauthorized, accidental or intentional manipulation, damage, loss, deletion or unauthorized access, processing or disclosure. Our security measures are constantly updated and adapted according to the current state of knowledge. Due to the nature of the Internet, transmission of information may not always be absolutely secure. Therefore, we cannot guarantee the security of your personal data during transmission over the Internet to our website. However, as soon as we receive your personal data, we will take appropriate technical and organizational measures to protect your personal data.

Our website may contain links to other websites that are not owned or operated by G+D. G+D has no control over the content or data privacy policies of these websites and cannot take any responsibility for them.

You have the option to follow us or interact with us on Facebook and on other social media platforms of third party service providers. The platform operators and we are joint controllers within the meaning of Art. 26 GDPR with regard to the personal data that is collected in the process.  You can control the privacy settings yourself within the social media platform.

Our handling of your personal data in the context of our social media offerings is based on our legitimate interest pursuant to Art. 6 Para. 1 lit. f GDPR. For the provision of our social media offers, it is technically necessary to process certain personal data (e.g. the IP address; personal data that you have provided to the respective platform operator or to us).

As part of the necessary balancing of interests, we have weighed up your interest in the respective confidentiality of your personal data and our interests in the provision of our social media offerings in each case. Your interest in confidentiality is secondary to this. Otherwise, we would not be able to offer you our social media services.

We use service providers to provide our social media services. The data you transmit to us in the course of using our social media offerings is also automatically transmitted to the respective social media platform operator.

Details on the processing of your personal data by social media providers can be found here:

• Twitter
• LinkedIn
• Facebook
• Instagram
• YouTube

Your personal data is usually collected directly from you. If we receive data from third parties, we ensure compliance with the applicable legal requirements.

Depending on the respective business purposes, we process the following categories of personal data as data controller:

• Master data and contact data (e.g. gender, name, company, business address, function, job title, e-mail, telephone and other contact information);
• Communication data as part of the business communications between you and us;
• Visitor data including data from access control and building monitoring;
• Electronic identification data where required (e.g. login, access right, passwords, badge number, IP address, online identifiers/cookies, logs, access and connection times);
• Contract and payment information (e.g. credit card details, bank account details, VAT or other tax identification number);
• Additional data you provide to us, for example within the scope of an inquiry or our business relationship;
• Data which relate to our products and services;
• Data in the context of your participation in our events;

Commissioned data processing

For personal data that we process as data processor in the sense of Art. 4 No. 8 GDPR on behalf of our customers (e.g. for the production of smart cards) the respective customer remains the data controller under applicable data protection laws. In these cases, the processing is carried out on behalf of and on the instructions of the customer with the consequence that the rights of the affected individuals relating to this data must be asserted against the respective customer directly.

We process the data listed above for the following purposes:

• To establish and fulfill a contract with you or with the entity on behalf of which you act, for example, if you make a purchase from us or enter into an agreement to provide or receive services or use one of our webshops;
• To manage and maintain a contract with you or with the entity on behalf of which you act;
• To answer your requests and provide you with efficient support;
• To respond to any comments or complaints we may receive from you, including to investigate any complaints received from you or from others;
• To detect and prevent misuse of our products and/or services;
• To invite you to events or promotional meetings sponsored by us;
• To invite you to take part in market research or surveys;
• To enable you to participate in virtual events organized by G+D and to ensure that such events are conducted properly;
• To manage our IT resources, including infrastructure management and business continuity;
• To preserve the company's economic interests and ensure compliance and reporting (such as complying with our policies and legal requirements, tax and deductions, managing alleged cases of misconduct or fraud; conducting audits and defending litigation);
• To fulfill the company’s obligations with regard to the prevention of money laundering and terrorist financing;
• To manage mergers and acquisitions involving our company;
• Archiving and record keeping;
• Billing and invoicing;
• Any other purposes imposed by law or authorities.

Additional purposes may result from your individual business relationship with G+D.

Personal data will only be processed on a valid legal basis, particularly if:

• we have obtained your prior consent (Article 6 par. 1 lit. a GDPR);
• the processing is necessary to perform contractual obligations (including precontractual steps) (Article 6 par. 1 lit. b GDPR);
• the processing is necessary to comply with our legal or regulatory obligations (Article 6 par. 1 lit. c GDPR); or
• the processing is necessary for our legitimate interests and does not unduly affect your interests or fundamental rights and freedoms (Article 6 par. 1 lit. f GDPR).

The legitimate interest arises from the described business objectives. However, in such cases, we always seek to maintain a balance between our legitimate interests and your privacy. Examples of such legitimate interests are marketing activities (e.g. offering of products and/or services to our customers); prevention of fraud or criminal activity and misuse of our products and/or services including the security of our IT systems, architecture and networks; use of cost-effective services offered by suppliers; selling of any part of our business or its assets and meeting our corporate and social responsibility objectives.

Storage period

Personal data are generally stored for the fulfillment of the underlying purposes. Data will be deleted as soon as such purposes have been fulfilled and the data is no longer required, provided that this is not prevented by any statutory retention periods (e.g. as indicated in the German Commercial Code (HGB), the German Criminal Code (StGB) or the German Fiscal Code (AO)) or by any other legal or official regulation. Personal data processed in the context of any possible or ongoing dispute or legal action will be stored for the duration of the legal dispute, proceedings or limitation period, whichever is longer. The storage limitation of personal data which we process as data processor on behalf of our customers (see chapter Commissioned Data Processing above) is determined by the underlying agreements, in particular the service specifications, as well as the individual customer instructions. For example, in the production of smart cards, these are 30 days for payment traffic data, which are subject to the PCI specifications, and 90 days for health cards, which are subject to the requirements of the Gematik.

For the fulfillment of the purposes listed herein, your personal data may be accessed by or transferred to the following categories of recipients (on a need to know basis):

• Personnel of the G+D entity that maintains the business relationship with you including personnel of responsible departments of other G+D subsidiaries;
• suppliers and services providers of G+D including IT systems providers, cloud service providers, database providers and consultants;
• tax consultants advisors and external lawyers;
• (national and international) regulatory authorities, public bodies or courts where we are required to do so by applicable law or at their request.

Personal data may also be processed in a country outside the country where you, the entity on behalf of which you act or G+D is located, including third countries outside the European Union or the European Economic Area. When personal data is transferred to third parties in other jurisdictions, we will make sure to protect your personal data by applying the level of protection required under applicable data protection laws. For data transfers within G+D group companies, G+D’s Binding Corporate Rules apply (Art. 46 para. 2 (b), 47 GDPR). Further information on G+D Binding Corporate Rules can be found here.

• Right to access information about your personal data stored by us (Article 15 GDPR)
• Right to rectification of inaccurate or incomplete personal data concerning you stored by us (Article 16 GDPR)
• Right to erasure of your personal data stored by us, e.g. if there is no longer a legitimate business purpose for processing in accordance with applicable law and statutory storage obligations do not require further storage (Article 17 GDPR)
• Right to restriction of processing, if the accuracy of the personal data is contested by you or the processing is unlawful (Article 18 GDPR)
• Right to data portability, i.e. the right to receive the personal data concerning you, which you have provided us with in a structured, commonly used and machine-readable format (Article 20 GDPR)
• Right to object for the processing of your personal data insofar as such processing is carried out based on Article 6 par. 1 lit. e. or f. GDPR (Article 21 GDPR)
• Right to withdraw consent (Article 7 GDPR)

If you have the impression that the processing of your personal data does not comply with data privacy laws, you have the right to file a complaint with a supervisory authority (Art. 77 DSGVO); a list of data privacy authorities in Germany can be found at the following link: https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html

The supervisory authority responsible for G+D at the Group headquarters in Munich is the Bavarian State Office for Data Protection Supervision (www.lda.bayern.de).

Additionally, we would like to inform you that G+D has implemented a Whistleblowing Tool (BKMS System) that is available 24/7 worldwide to enable all G+D employees and any other individuals to report potential compliance and data privacy violations. The tool can be accessed at the following link: https://www.bkms-system.net/bkwebanon/report/clientInfo?cin=7gd4&language=eng

Categories of personal data collected

G+D may collect the following categories of personal data from you:

• Identifiers, such as name, address, unique personal identifier, IP address, email address, and account name;
• Additional personal information, such as telephone number, credit card number, and debit card number;
• Commercial information, such as products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies;
• Internet or other electronic activity information, such as browsing history, and information regarding your interaction with an internet website application or advertisement; and
• Professional or employment information.

Categories of sources of personal data

G+D may have collected the categories of personal data listed above either directly from you, from your devices, from our third-party services providers, or our affiliated entities.

Business or commercial purpose for collecting personal data

G+D may have collected the categories of personal data listed above for any of the business or commercial purposes listed in the “Purposes and legal basis for processing data” sections above in this privacy policy.

Notice of right to opt-out of “sale” or “sharing” of personal data

G+D may allow certain third parties to collect your personal data via automated technologies on our website. Under the CCPA, this may constitute a “sale” or “sharing” (as such terms are defined in the CCPA) of your personal data. We may have “sold” or “shared” your personal data, which consists of identifiers, commercial information, and internet or other electronic activity information, to data analytics and advertising and marketing providers for the business and commercial purposes of providing advertising and marketing and internal research. Under the CCPA, you have the right to opt-out of this disclosure of your personal data, which may be considered a “sale” or “sharing” of your personal data under the CCPA, on our website by setting a browser-level opt-out, the Global Privacy Control. Through the Global Privacy Control, we process opt-out signals in a frictionless manner. You may learn how to set that signal by going to this website: https://globalprivacycontrol.org/. You may also request to opt-out of this “sale” or “sharing” of your personal data by contacting us at privacy@gi-de.com. G+D does not have actual knowledge that it “sells” or “shares” the personal data of consumers under sixteen years of age.

Personal data retention

The criteria used to determine the period of time that your personal data will be retained is in the “Storage period” section above in this privacy policy.

Categories of personal data disclosed to third parties

G+D may have disclosed the categories of personal data listed above to the third parties listed in the “Disclosure of data to third parties and data transfers” section above in this privacy policy as part of the business or commercial purposes listed in the “Purposes and legal basis for processing personal data” sections above in this privacy policy.

CCPA rights

This section of our privacy policy describes the rights of California residents regarding their personal data under the CCPA and explains how to exercise those rights.

• Right to know. If you are a California resident, you have the right to know what personal information that we have collected about you, including: (1) the categories of personal information; (2) the categories of sources from which the personal information is collected; (3) the business or commercial purpose for collecting your personal information; (4) the categories of third parties to whom we disclose personal information; and (5) the specific pieces of personal information we have collected about you.
• Right to delete. If you are a California resident, you have the right to delete personal information we have collected about you, subject to certain exemptions.
• Right to correct. If you are a California resident, you have the right to correct personal information that we maintain about you.
• Right to opt-out of “sale” or “sharing”. If you are a California resident, you have the right to opt-out of “sale” or “sharing” your personal data, as described in the “Notice of right to opt-out of ‘sale’ or ‘sharing’ of your personal data” section of this privacy policy above.
• Right not to receive discriminatory treatment. If you are a California resident, you have the right not to receive discriminatory treatment for the exercise of your privacy rights under this section of our Privacy Policy.

Please direct any rights requests to privacy@gi-de.com. However, please see the “Notice of right to opt-out of ‘sale’ or ‘sharing’ of personal data section of this privacy policy” above for additional information on how to opt-out of “sale” or “sharing”. You may also authorize an agent to make such a request by contacting us through this email, disclosing that they are your “authorized agent” and providing your first and last name in connection with the request. Before we can honor your requests, we may confirm that you or your authorized agent are the requesting party. In addition, depending on the type of request and the categories of information subject to the request, we may request verifying information from the requesting party, such as identifiers already known to or collected by us.

G+D does not use or disclose “sensitive personal information” (as defined under the CCPA) of California residents outside of the following purposes: (1) performing our service or providing goods; (2) detecting security incidents; (3) resisting malicious, deceptive, fraudulent, or illegal actions; (4) ensuring physical safety; (5) for short-term transient use, including certain non-personalized advertising; (6) maintaining or servicing accounts, providing customer service, verifying customer information, or providing similar services; and (7) verifying and maintaining the quality or safety of a service or product to improve, upgrade, or enhance a service or product. Accordingly, we do not provide the right to limit the use or disclosure of your sensitive personal information under the CCPA.

Contact us

If you have any questions or concerns regarding this California Privacy Policy or our personal data practices, please contact us at privacy@gi-de.com.

Last updated

This California Privacy Policy was last updated on September 27, 2023.