Privacy Policy and Information Security Policy
Privacy Policy
On this page, you will find information on how we process your personal data when you access this website.
A. Name and address of the data controller
Nexplore Technology Holding GmbH & Co.KG
Alfredstr. 236
45133 Essen
[email protected]
B. Data protection officer
If you have any questions, complaints, or disputes regarding our privacy practices, you may contact us via the contact information provided in Section A.
C. Lawful basis and purpose of processing
As part of our processing activities, we process personal data of various data subjects (e.g. website users, interested parties, customers, applicants) to the extent permitted by law. We inform you about the purposes and legal bases as well as further details of the respective processing according to the different processing situations in section M of this data protection information.
D. Recipients of personal data
Depending on the respective processing situation, your personal data may be processed not only by the controller, but also by third parties. Possible recipients include, in particular, processors (e.g. web hosting, software providers and other technical service providers) and third-party providers of online services and content. For details, please refer to the information on the respective processing activity provided in section M of this data protection information.
E. Third Party Transfer of personal data
In general, we only process your personal data within the EU or the European Economic Area (EEA). You will be informed separately about any possible third-country transfer in the description of the respective processing activity.
If a transfer is based on an adequacy decision pursuant to Art. 45 GDPR, you will find an overview of the existing adequacy decisions of the EU Commission at https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en. If a transfer is based on standard data protection clauses of the EU Commission pursuant to Art. 46(2)(c) GDPR, you will find the corresponding implementing decision containing the contractual clauses at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX:32021D0914&locale=en.
F. Storage period
Personal data is stored for as long as the purpose requires, we are legally obliged to store it, or other legal reasons justify further processing. Personal data will be deleted as soon as the purpose of the processing no longer applies or another reason for deletion pursuant to Art. 17 (1) GDPR exists (e.g. the withdrawal of a given consent) and no exception to the deletion obligation pursuant to Art. 17 (3) GDPR applies.
Applicant data: Personal data processed as part of an application in Germany will generally be stored for a period of six months after completion of the application process.
G. Rights of the data subject
As a data subject, you have the following rights:
- Right of access (Art. 15 GDPR)
- Right to rectification (Art. 16 GDPR)
- Right to erasure (right to be forgotten) (Art. 17 GDPR)
- Right to restriction of processing (Art. 18 GDPR)
- Right to data portability (Art. 20 GDPR)
H. Right to object (Art. 21 GDPR)
You have the right to object, on grounds relating to your particular situation, at any time to processing of your personal data which is based on Art. 6(1)(f) GDPR. We will then no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the establishment, exercise or defense of legal claims.
You can object to the processing of your data for the purposes of direct advertising and any associated profiling without giving reasons.
I. Right to lodge a complaint with a supervisory authority
You have the right to lodge a complaint with a supervisory authority pursuant to Art. 77 GDPR. The data protection supervisory authority responsible for us is:
Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen
Kavalleriestr. 2-4
40213 Düsseldorf
You can also lodge a complaint with any other data protection supervisory authority.
J. Withdrawal of consent
Pursuant to Art. 7(3) sentence 1 GDPR, you have the right to withdraw your consent to data processing based on Art. 6(1)(a) GDPR or Art. 9(2)(a) GDPR at any time, informally (e.g. by e-mail or telephone) and with effect for the future. The withdrawal does not affect the lawfulness of processing carried out on the basis of the consent before its withdrawal.
K. Obligation to provide personal data
You are not obliged to provide your personal data.
If the legal basis for the respective processing is Art. 6 (1)(b) GDPR (see section M for the processing activities and legal bases), your personal data is required for the fulfillment or conclusion of a contract. Without the provision of your personal data, the conclusion and fulfillment of the contract is not possible in these cases.
If the personal data is not provided in the cases of processing pursuant to Art. 6 (1)(a) GDPR (consent) or Art. 6(1)(f) GDPR (balancing of interests), it is not possible to use the respective services and offers.
L. Automated decision-making, profiling
We do not use automated decision-making or profiling within the meaning of Art. 22(1) and (4) GDPR.
M. Processing activities
a. Provision of the website
i. Processing purpose: Functionality and optimization of the website, advertising and marketing measures, information security, conclusion and execution of contracts
ii. Legal basis: Art. 6(1)(f) GDPR, Art. 6(1)(b) GDPR
iii. Legitimate interests, if applicable: Customer acquisition and retention, sales promotion, conclusion of contracts, communication and interaction with interested parties, integrity of digital systems
iv. Data categories: Connection data (e.g. IP address), usage data (e.g. contact, or order history, timestamps)
v. Data recipients: IT service providers
vi. Intended third country transfer: no
b. Consent management tool (CMT)
i. Processing purpose: Consent management, integration of third-party content
ii. Legal basis: Art. 6 (1)(c) GDPR, Art. 6 (1)(f) GDPR
iii. Legitimate interests, if applicable: Legal matters and compliance, specific design of the fulfillment of legal requirements
iv. Categories of data: Connection data (e.g. IP address), usage data
v. Data recipient: IT service provider
vi. Intended third country transfer: no
c. Web technologies (e.g. Cookies), user analysis/marketing tools
i. Processing purpose: Integration of third-party content and desired or required functionalities, measurement and analysis of user metrics (e.g. visitor source, pages visited, length of stay, scroll depth, click rates if applicable), personalized advertising measures (e.g. personalized addresses and offers)
ii. Legal basis: Art. 6 (1)(a) GDPR (collection and integration of technology, in particular cookies), Art. 6 (1)(f) GDPR (analysis for market research and marketing purposes, insofar as explicit consent is not required)
iii. Legitimate interests, if applicable: Sales promotion, personalized marketing measures, improvement of own products and services, checking and ensuring the functionality of technical processes
iv. Data categories: Connection data (e.g. IP address), usage data (e.g. contact or order history, access times), metrics (e.g. click rate, length of stay, scroll depth)
v. Data recipients: IT service providers, contractual and advertising partners, marketing service providers
vi. Intended third country transfer: no
d. Cookieless web analysis
i. Purpose of processing: Statistical evaluation of user metrics, optimization and design of our website and services
ii. Legal basis: Art. 6 (1)(f) GDPR
iii. Legitimate interests, if applicable: Sales promotion, improvement of own products, checking and ensuring the functionality of technical processes
iv. Categories of data: Usage data, connection data, metrics (e.g. device information like resolution)
v. Recipients of the data: IT service provider (etracker GmbH)
vi. Intended third country transfer: no
e. Contact form and email
i. Purpose of processing: Customer, prospective customer and user support
ii. Legal basis: Art. 6 (1)(f) GDPR
iii. Legitimate interests, if applicable: User support, improvement of own products and services
iv. Categories of data: Master data, contact data, content data (from emails), usage data (e.g. contact history) and connection data (e.g. IP address)
v. Recipients of the data: None
vi. Intended third country transfer: no
f. Newsletter
i. Purpose of processing: Sending newsletters, advertising and personalized advertising measures
ii. Legal basis: Art. 6(1)(a) GDPR (newsletter dispatch), Art. 6 (1)(f) GDPR (measurement and analysis of newsletter success, e.g. opening and click rates)
iii. Legitimate interests, if applicable: Sales promotion, optimization of products and services
iv. Categories of data: Master data, contact data (in particular e-mail address), connection data and user metrics (e.g. newsletter open rate), where applicable
v. Recipients of the data: IT service providers, marketing service providers
vi. Intended third country transfer: no
g. Application management
i. Purpose of processing: Conducting applicant management, initiating and conducting employment relationships, communicating with applicants, conducting job interviews
ii. Legal basis: Art. 6 (1)(b) GDPR
iii. Legitimate interests, if applicable: –
iv. Categories of data: Master data, contact data, content data (e.g. content of the cover letter, CV, certificates, qualifications), contract data, applicant and employee data, and special categories of personal data within the meaning of Art. 9 GDPR, if provided by the data subject
v. Recipients of the data: recruitment service provider (Lumesse Ltd.)
vi. Intended third country transfer: yes, adequacy decision (United Kingdom)
h. Documentation and Compliance
i. Purpose of processing: Compliance measures
ii. Legal basis: Art. 6 (1)(c) GDPR
iii. Legitimate interests, if applicable: –
iv. Categories of data: Master data, contact data, connection data
v. Recipients of the data: IT service providers, authorities and public bodies, legal and tax consultants (if applicable)
vi. Intended third country transfer: no
N. Additional Information about Data Security
We implement a robust set of technical and organizational security measures (TOMs) to safeguard personal data against unauthorized access, disclosure, alteration, and destruction (Art. 32 GDPR).
These include:
- Encrypted data transmission (SSL/TLS)
- Role-based access control (RBAC)
- Regular security audits and vulnerability scans
- Physical server protection and secure hosting environments
- Staff training on data protection and confidentiality obligations
All processing activities are logged and monitored. In the event of a personal data breach, we notify the competent supervisory authority in accordance with Art. 33 GDPR and, where the breach is likely to result in a high risk to the rights and freedoms of natural persons, the affected data subjects in accordance with Art. 34 GDPR.
O. Data Quality and Accountability
We are committed to maintaining accurate and up-to-date personal data. Our processes ensure:
- That users can update their information on request.
- That we only collect data necessary for specific purposes.
- That data is verified at the point of collection when applicable.
We rely on data subjects to provide truthful and complete information and to inform us of any changes. We take accountability for our data practices under Art. 5(2) GDPR and maintain records of processing activities as per Art. 30 GDPR.
P. Oversight, Monitoring and Enforcement
Nexplore’s executive management is actively engaged in ensuring compliance with privacy laws and internal privacy policies. Specifically:
- The Privacy Policy is reviewed annually for accuracy and relevance.
- Quarterly privacy compliance reviews are conducted by executive leadership.
- Data protection practices are monitored internally and externally, with corrective actions implemented if required.
- Regular internal audits are carried out to verify that processing aligns with documented purposes and legal obligations.
A designated Data Protection Officer (DPO) oversees this framework and advises management on ongoing obligations under the GDPR.
Nexplore maintains internal policies and procedures that define permitted scenarios for the use and disclosure of personal information, ensuring alignment with this privacy policy and applicable laws.
Q. Cookies & Cookieless Tracking
To improve communication and interaction with our users and optimize the user experience, we use various software solutions and web technologies, including tools provided by third-party providers for web analysis and marketing as well as services for integrating third-party content, such as fonts, maps or videos.
Analysis tools are used to collect, measure and analyze data points such as visitor numbers, visitor sources, pages visited, time spent on the website or scroll depth. Marketing tools enable the targeted control and evaluation of marketing measures (ad campaigns, affiliate advertising, multichannel analysis).
Analysis tools may also include analysis in so-called cookie-less mode, i.e. an analysis of usage and connection data without storing cookies on the user’s end device by recording the data sent by the user to evaluate user behavior.
For reasons of ePrivacy and data protection, the use of such tools often requires the consent of the respective user. If this is the case (see the respective processing procedure under section M where consent is mentioned as the legal basis in these cases), we use a so-called consent management tool (CMT) to manage the required consents in accordance with Section 25 (1) TDDDG and, if applicable, Art. 6 (1)(a) GDPR.
In this case, detailed information on the subject matter and scope of the relevant consents and the data processing based on them will be provided to you directly via the CMT.
Where consent is not required, e.g. when collecting user data in cookieless mode, personal data processing is carried out on the basis of Art. 6 (1)(f) GDPR for the purposes described, which also represent the legitimate interests pursued by us. The collection of data for the provision of the website and the storage of log files are absolutely necessary for the operation of the website.
Information Security Policy
1. Introduction
This policy establishes the commitment of top management to information and cybersecurity to minimize the impact of security incidents and threats.
2. Purpose
The Information Security Policy establishes a management framework to initiate and control the implementation of information security within Nexplore.
3. Key Outcomes
The main outcomes of implementing this policy are:
Better adherence to standards and regulations.
Protection of the confidentiality, integrity, and availability of Nexplore's information assets.
Reduction of cybersecurity risks.
4. Scope
This policy applies to Nexplore, its affiliated partners and subsidiaries, including any data processing and process control systems that hold or use information and/or facilities owned by Nexplore. It applies to all staff and users employed directly or indirectly by Nexplore or its subsidiaries, and to any entity conducting work on behalf of Nexplore that involves the use of Nexplore-owned information assets.
5. Policy Enforcement and Compliance
Compliance with the provisions of this policy is mandatory. Non-compliance may result in disciplinary actions, including dismissal.
6. Waiver Criteria
Waivers must be formally submitted to Risk Management, including a justification and the expected benefits. The maximum waiver period is one year. A waiver may be reassessed and re-approved, where still necessary, for at most three consecutive terms.
7. Related Documents
Policies
Workstation Security Policy
VPN Access and Communications Policy
Endpoint Protection Policy
Supplier Security Policy
Infrastructure and Application Security Policy
Backup and Recovery Policy
Vulnerability and Threat Management Policy
Information Security Awareness Policy
Cybersecurity Incident Management Policy
Network Architecture Policy
Information Classification Policy
Physical and Environmental Security Policy
Access Control Policy
Acceptable Use of Assets Policy
Cloud Use Policy
Teleworking Policy
Password Policy
Cryptographic Controls Policy
Procedures
Secure Code Development Procedure
Secure Communications
Use of Assets
Change Management Procedure
Cybersecurity Roles and Contacts
Termination or Change of Employment Relationship
Incident Response Plan and Data Breaches Procedure
Good Practice in Secure Development
8. Document Owner
IT Security Department.
9. Policy Management
This policy will be periodically updated to reflect technological advances and business requirements. Deficiencies must be immediately communicated to the Information Security Manager. Policy changes require approval from Management Review Meetings.
10. Policy Statements
Cybersecurity shall align with Nexplore's strategic direction and business objectives. A dedicated Risk Management and Information Security Department, independent from IT and operations, shall be established.
The department will be directed by the CISO, who is responsible for approving cybersecurity policies and projects. Nexplore will comply with regulatory, legislative, and contractual requirements. Nexplore will adopt the ISO 27001 Information Security Management System (ISMS) standard. Nexplore will implement controls to protect and monitor the confidentiality, integrity, and availability (CIA) of information assets.
Cybersecurity risks will be managed based on Nexplore's Risk Management Methodology. Protection measures will be cost-effective and minimize inconvenience to authorized users. Nexplore is committed to protecting the privacy of personally identifiable information. Nexplore is committed to the continuous improvement of the ISMS and of cybersecurity. Cybersecurity training and awareness will be provided to staff. Nexplore will invest in resources to protect against cyber-attacks and risks.
A Cybersecurity Steering Committee (CSC) will ensure support and implementation of cybersecurity programs, reporting to the Risk Management Department. This policy is available to employees and relevant interested parties.
All managers are responsible for implementing and ensuring adherence to Information and Cyber Security Policies by their staff.
Compliance with this Policy and all supporting policies, standards, and procedures is mandatory for all managers, staff, and third parties. Violations will result in corrective actions consistent with the severity of the violation as determined by an investigation and deemed appropriate by management.