
DATA PROTECTION

We are very pleased about your interest in our company!

Data protection is of particularly high importance to the management of PANDA GmbH. The use of the Internet pages of PANDA GmbH is fundamentally possible without providing any personal data. However, if a data subject wishes to use special services of our company via our website, processing of personal data may become necessary. If the processing of personal data is necessary and there is no legal basis for such processing, we generally obtain the consent of the data subject.

 

The processing of personal data, such as the name, address, email address, or telephone number of a data subject, is always carried out in compliance with the General Data Protection Regulation and in accordance with the country-specific data protection regulations applicable to PANDA GmbH. Through this privacy policy, our company aims to inform the public about the nature, scope, and purpose of the personal data collected, used, and processed by us. Furthermore, data subjects are informed of the rights to which they are entitled by means of this privacy policy.

 

As the controller, PANDA GmbH has implemented numerous technical and organizational measures to ensure the most complete protection possible of the personal data processed through this website. Nevertheless, Internet-based data transmissions can fundamentally have security gaps, meaning absolute protection cannot be guaranteed. For this reason, every data subject is free to transmit personal data to us via alternative means, for example, by telephone.

1. Intro

In the following, we inform you about the processing of personal data when using

Personal data is any data that can be related to a specific natural person, such as their name or IP address.

1.1. Contact Details

The controller pursuant to Article 4(7) of the EU General Data Protection Regulation (GDPR) is:
PANDA GmbH, Augsburger Straße 5, 86415 Mering, Germany
Email: datenschutz@we-are-panda.com
Legally represented by Isabelle Hoyer and Stuart B. Cameron

Our data protection officer can be contacted via heyData GmbH, Schützenstraße 5, 10117 Berlin, www.heydata.eu, email: datenschutz@heydata.eu.

1.2. Scope of Data Processing, Processing Purposes and Legal Bases

We detail the scope of data processing, processing purposes, and legal bases further below. In principle, the following legal bases for data processing are considered:

  • Art. 6 Para. 1 Sentence 1 lit. a GDPR serves as the legal basis for processing operations for which we obtain consent.

  • Art. 6 Para. 1 Sentence 1 lit. b GDPR is the legal basis insofar as the processing of personal data is necessary for the fulfillment of a contract, e.g., if a website visitor purchases a product from us or we perform a service for them. This legal basis also applies to processing operations that are necessary for pre-contractual measures, such as inquiries about our products or services.

  • Art. 6 Para. 1 Sentence 1 lit. c GDPR applies when we fulfill a legal obligation with the processing of personal data, as may be the case, for example, under tax law.

  • Art. 6 Para. 1 Sentence 1 lit. f GDPR serves as the legal basis when we can invoke legitimate interests for the processing of personal data, e.g., for cookies that are necessary for the technical operation of our website.

1.3. Data Processing Outside the EEA

Insofar as we transmit data to service providers or other third parties outside the EEA, adequacy decisions by the EU Commission pursuant to Art. 45 Para. 3 GDPR guarantee the security of the data upon transfer, where available, as is the case for Great Britain, Canada, and Israel, for example.

When transferring data to service providers in the USA, the legal basis for the data transfer is an adequacy decision by the EU Commission if the service provider has additionally certified under the EU-US Data Privacy Framework.

In other cases (e.g., if no adequacy decision exists), the legal basis for the data transfer is generally Standard Contractual Clauses, unless we provide different information. These are a set of rules adopted by the EU Commission and are part of the contract with the respective third party. Pursuant to Art. 46 Para. 2 lit. b GDPR, they ensure the security of the data transfer. Many of the providers have provided contractual guarantees that go beyond the Standard Contractual Clauses, protecting the data further than the Standard Contractual Clauses. These include, for example, guarantees regarding the encryption of the data or regarding an obligation of the third party to notify data subjects if law enforcement agencies wish to access the data.

1.4. Storage Duration

Unless expressly stated otherwise in this privacy policy, the data we store will be deleted as soon as it is no longer required for its intended purpose and there are no legal obligations to retain it. If the data is not deleted because it is required for other legally permissible purposes, its processing will be restricted, meaning the data will be blocked and not processed for other purposes. This applies, for example, to data that we are required to retain for commercial or tax law reasons.

1.5. Rights of the Data Subjects

Data subjects have the following rights vis-à-vis us regarding their personal data:

  • Right of access,

  • Right to rectification or erasure,

  • Right to restriction of processing,

  • Right to object to processing,

  • Right to data portability,

  • Right to withdraw consent granted at any time.

 

Data subjects also have the right to lodge a complaint with a data protection supervisory authority about the processing of their personal data. Contact details of the data protection supervisory authorities can be found at https://www.bfdi.bund.de/DE/Service/Anschriften/Laender/Laender-node.html 

1.6. Obligation to Provide Data

Customers, prospective customers, or third parties must only provide us with the personal data that is necessary for the establishment, execution, and termination of the business relationship or other relationship, or which we are legally obligated to collect. Without this data, we will generally have to refuse to conclude a contract or provide a service, or we will no longer be able to carry out an existing contract or other relationship.

Mandatory information is marked as such.

1.7. No Automated Individual Decision-Making

For the establishment and execution of a business relationship or other relationship, we generally do not use fully automated decision-making pursuant to Article 22 GDPR. Should we use these procedures in individual cases, we will inform you separately if this is legally required.

1.8. Contacting Us

When you contact us, e.g., via email or telephone, the data communicated to us (e.g., names and email addresses) will be stored by us in order to answer questions. The legal basis for the processing is our legitimate interest (Art. 6 Para. 1 Sentence 1 lit. f GDPR) in answering inquiries addressed to us. We delete the data arising in this context after storage is no longer necessary, or we restrict the processing if legal retention obligations exist.

1.9. Customer Surveys

From time to time, we conduct customer surveys to better understand our customers and their needs. In doing so, we collect the data requested in each survey. It is in our legitimate interest to gain a deeper understanding of our customers and their preferences; therefore, the legal basis for the associated data processing is Art. 6 para. 1 sentence 1 lit. f GDPR. We delete the data once the survey results have been evaluated.

2. Newsletter

We reserve the right to inform customers who have already used our services or purchased goods about our offers from time to time via email or other means, provided they have not objected to this. The legal basis for this data processing is Art. 6 Para. 1 Sentence 1 lit. f GDPR. Our legitimate interest lies in direct marketing (Recital 47 GDPR). Customers can object to the use of their email address for advertising purposes at any time without additional costs, for example, via the link at the end of every email or by email to our email address mentioned above.

Based on the consent of the recipients (Art. 6 Para. 1 Sentence 1 lit. a GDPR), we also measure the open and click-through rates of our newsletters in order to understand which content is relevant to our recipients.

We send newsletters using the Mailchimp tool from the provider Rocket Science Group LLC, 675 Ponce de Leon Ave NE, Suite 5000, Atlanta, GA 30308, USA. The provider processes content, usage, meta/communication data, and contact details in the USA. Further information is available in the provider's privacy policy at https://mailchimp.com/legal/privacy/.

3. Data Processing on Our Website
3.1. Notice for Website Visitors from Germany

Our website stores information on the end devices of website visitors (e.g., cookies) or accesses information already stored on the end device (e.g., IP addresses). The specific information involved can be found in the following sections.

This storage and access take place on the basis of the following provisions:

  • Insofar as this storage or access is absolutely necessary for us to provide a service explicitly requested by the website visitor (e.g., to run a chatbot used by the website visitor or to ensure the IT security of our website), it is carried out on the basis of Section 25 (2) No. 2 of the Telecommunications-Digital Services Data Protection Act (TDDDG).

  • Otherwise, this storage or access is carried out on the basis of the website visitor's consent (Section 25 (1) TDDDG).

 

The subsequent data processing is carried out in accordance with the following sections and the provisions of the GDPR.

3.2. Informational Use of the Website

When the website is used for informational purposes, meaning when page visitors do not separately transmit information to us, we collect the personal data that the browser transmits to our server in order to ensure the stability and security of our website. This constitutes our legitimate interest, so the legal basis is Art. 6 Para. 1 Sentence 1 lit. f GDPR.

 

These data are:

  • IP address

  • Date and time of the request

  • Time zone difference to Greenwich Mean Time (GMT)

  • Content of the request (specific page)

  • Access status/HTTP status code

  • Amount of data transferred in each case

  • Website from which the request originates

  • Browser

  • Operating system and its interface

  • Language and version of the browser software.

 

This data is also stored in log files. It will be deleted when its storage is no longer necessary, at the latest after 14 days.

3.3. Web Hosting and Provision of the Website

Our website is hosted by IONOS. The provider is IONOS SE, Elgendorfer Str. 57, 56410 Montabaur, Germany. The provider processes the personal data transmitted via the website, e.g., content, usage, meta/communication data, or contact details, within the EU. Further information can be found in the provider's privacy policy at https://www.ionos.de/terms-gtc/datenschutzerklaerung/.

It is our legitimate interest to provide a website, so the legal basis for the described data processing is Art. 6 Para. 1 Sentence 1 lit. f GDPR.

3.4. Contact Form

If you contact us via the contact form on our website, we store the data requested there and the content of the message. The legal basis for the processing is our legitimate interest in answering inquiries addressed to us. The legal basis for the processing is therefore Art. 6 Para. 1 Sentence 1 lit. f GDPR.

We delete the data arising in this context after storage is no longer necessary, or we restrict the processing if legal retention obligations exist.

3.5. Job Advertisements

We publish job advertisements on our website, on pages linked to the website, or on third-party websites.

The processing of the data provided during the application is carried out for the purpose of conducting the application procedure. Insofar as these are necessary for our decision to establish an employment relationship, the legal basis is Art. 88 Para. 1 GDPR in conjunction with Section 26 Para. 1 BDSG. We have marked the data required for carrying out the application procedure accordingly or draw attention to it. If applicants do not provide this data, we cannot process the application. Further data is voluntary and not required for an application. If applicants provide additional information, the basis is their consent (Art. 6 Para. 1 Sentence 1 lit. a GDPR). We ask applicants to refrain from providing information on political opinions, religious beliefs, and similarly sensitive data in their CV and cover letter. They are not required for an application. If applicants nonetheless provide such information, we cannot prevent its processing as part of the processing of the CV or cover letter. Their processing is then also based on the consent of the applicants (Art. 9 Para. 2 lit. a GDPR).

Finally, we process the applicants' data for further application procedures if they have given us their consent to do so. In this case, the legal basis is Art. 6 Para. 1 Sentence 1 lit. a GDPR.

We forward the applicants' data to the responsible employees of the HR department, to our processors in the recruiting area, and to the other employees involved in the application procedure.

If we enter into an employment relationship with the applicant following the application procedure, we will only delete the data after the termination of the employment relationship. Otherwise, we will delete the data at the latest six months after an applicant is rejected.

If applicants have given us their consent to use their data for further application procedures, we will only delete their data one year after receiving the application.

3.6. Registration on Our Website

Website visitors can open a customer account on our website. We process the data requested in this context on the basis of our contract. The legal basis for the processing is therefore Art. 6 Para. 1 Sentence 1 lit. b GDPR.

Which personal data is processed in this context is apparent from the respective input mask used for registration. Data is only transferred to one or more processors, such as Collaborative Partner companies, after explicit prior consent from the data subject.

Furthermore, registration on the controller's website stores the IP address assigned by the data subject's Internet Service Provider (ISP), the date, and the time of registration. This data is stored because it is the only way to prevent misuse of our services, and this data makes it possible to investigate committed criminal offenses if necessary. In this respect, the storage of this data is necessary to safeguard the controller. This data is generally not passed on to third parties, unless there is a legal obligation to pass it on or the transfer serves the purpose of criminal prosecution.

Our platform is hosted by Hivebrite. The provider is Kit United, 5 rue des italiens, 75009 Paris, France. The provider processes the personal data transmitted via the website, e.g., content, usage, meta/communication data, or contact details, within the EU. Further information can be found in the provider's privacy policy at https://hivebrite.io/privacy-policy.

It is our legitimate interest to provide our platform, so the legal basis for the described data processing is Art. 6 Para. 1 Sentence 1 lit. f GDPR.

Registration for Events

We offer the opportunity to apply for various events organized by us via forms on our site. The data entered during this application process can be seen in the input mask of the application form. They are collected and stored exclusively for the use of our service.

 

The data involved are:

  • First name, last name, email, phone number, postal code, place of residence

  • current job title, current type of employment, current company

  • academic background, industry

  • who should definitely be at the event? Name 3 other people you would like to recommend (first name, last name, email) > voluntary information

  • how did you find out about PANDA?

  • upload CV (as a PDF)

 

In this context, the IP address, date, and time of registration are also stored. This serves as a safeguard on our part in the event that a third party misuses your data and registers on our site without your knowledge.

The data is generally not passed on to third parties. An exception to this is the forwarding of the CV to corporate partners of the event for which you applied to us as a participant. This forwarding only takes place upon an explicit request and after explicit release by you. This is obtained during your application as follows:

PANDA CV-Book*

Before the event, we offer you the opportunity to appear with your CV in the 'PANDA CV-Book'. The CV-Book is forwarded to our partner companies. Companies interested in your profile can contact you and invite you to a personal introductory meeting at the PANDA Event. If you would like to be included, we will use the CV we have on file for this purpose (unless you would like to provide us with a different version).

IMPORTANT: Your CV is accessible to the partner companies for a period of four weeks – after which your contact information will be deleted. Participation in the CV-Book is voluntary, of course, and is intended to offer additional added value. Your profile will not be forwarded without your consent.

  • Yes, I would like to appear in the CV-Book.

  • No, I would not like to appear in the CV-Book.

3.7. Payment Service Provider

For the processing of payments, we use payment providers who are themselves data controllers within the meaning of Art. 4 No. 7 GDPR. Insofar as they receive data entered by us during the ordering process as well as payment data, this is done for the purpose of fulfilling the contract concluded with our customers (Art. 6 para. 1 sentence 1 lit. b GDPR).

 

These payment service providers are:

  • Stripe Payments Europe, Ltd., Ireland

3.8. Technically Necessary Cookies

Our website uses cookies. Cookies are small text files stored in the web browser on a visitor’s device. They help make our offering more user-friendly, effective, and secure. Insofar as these cookies are required for the operation of our website or its functions (hereinafter “technically necessary cookies”), the legal basis for the associated data processing is Art. 6 para. 1 sentence 1 lit. f GDPR. We have a legitimate interest in providing customers and other visitors with a functional website.

Specifically, we use technically necessary cookies for the following purpose(s):

  • cookies that store language settings,

  • cookies that remember search terms,

  • flash cookies used for playing media content, and

  • cookies that store login data

3.9. Third-Party Providers

3.9.1. LinkedIn Share Button

We use the LinkedIn Share button to share interests on social media. The provider is LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland. The provider processes usage data (e.g., pages visited, interest in content, access times) and meta/communication data (e.g., device information, IP addresses) within the EU.

The legal basis for the processing is Art. 6 para. 1 sentence 1 lit. a GDPR. Processing is carried out on the basis of consent. Data subjects may revoke their consent at any time by contacting us using the details provided in our privacy policy. The revocation does not affect the legality of the processing carried out until the revocation.

Data will be deleted when the purpose of its collection no longer applies and no retention obligations prevent deletion. Further information can be found in the provider’s privacy policy at https://www.linkedin.com/legal/privacy-policy

3.9.2. Instapage

We use Instapage. The provider is Instapage, Inc., 303 2nd Street, San Francisco, CA, USA. The provider processes usage data (e.g., visited websites, interest in content, access times), contact data (e.g., email addresses, telephone numbers), and meta/communication data (e.g., device information, IP addresses) in the USA.

The legal basis for the processing is Art. 6 Para. 1 Sentence 1 lit. f GDPR. We have a legitimate interest in managing our customer or marketing data in a simple way.

The transfer of personal data to a country outside the EEA takes place on the legal basis of Standard Contractual Clauses. The security of the data transferred to the third country (i.e., a country outside the EEA) is guaranteed by Standard Data Protection Clauses issued pursuant to the examination procedure under Art. 93 Para. 2 GDPR (Art. 46 Para. 2 lit. c GDPR), which we have agreed upon with the provider.

The data will be deleted when the purpose of its collection is no longer applicable and no retention obligation stands in the way. Further information is available in the provider's privacy policy at https://instapage.com/privacy-policy/

3.9.3. YouTube Videos

We use YouTube to embed videos on the website. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. The provider processes usage data (e.g. visited websites, interest in content, access times) and meta/communication data (e.g. device information, IP addresses) in the USA.

The legal basis for the processing is Art. 6 para. 1 sentence 1 lit. a GDPR. The processing is based on consent. Data subjects can revoke their consent at any time by contacting us, for example, using the contact details provided in our privacy policy. The revocation does not affect the lawfulness of the processing up to the revocation.

The transfer of personal data to a country outside the EEA is based on the legal basis of consent. Further information is available in the provider's privacy policy at https://policies.google.com/privacy.

3.9.4. heyData

We have integrated a data protection seal on our website. The provider is heyData GmbH, Schützenstraße 5, 10117 Berlin, Germany. The provider processes meta/communication data (e.g. IP addresses) in the EU.

The legal basis for the processing is Art. 6 para. 1 sentence 1 lit. f GDPR. We have a legitimate interest in providing website visitors with confirmation of our data protection compliance. At the same time, the provider has a legitimate interest in ensuring that only customers with existing contracts use its seals, which is why a mere image copy of the certificate does not represent a viable alternative for confirmation.

The data is masked after collection so that there is no longer any personal reference. Further information is available in the provider's privacy policy at https://heydata.eu/datenschutzerklaerung

4. Data Processing on Social Media Platforms

We are represented on social media networks in order to present our organisation and our services there. The operators of these networks regularly process data of their users for advertising purposes. Among other things, they create user profiles from their online behaviour, which are used, for example, to display advertising on the pages of the networks and elsewhere on the internet that corresponds to the interests of the users. For this purpose, the operators of the networks store information about usage behaviour in cookies on the users' computers. It also cannot be ruled out that the operators combine this information with other data. Further information and instructions on how users can object to processing by the site operators can be found in the privacy policies of the respective operators listed below. It may also be the case that the operators or their servers are located in non-EU countries, so that they process data there. This may result in risks for users, e.g. because the enforcement of their rights is made more difficult or government authorities access the data.

If users of the networks contact us via our profiles, we process the data communicated to us in order to respond to the enquiries. This is our legitimate interest, so that the legal basis is Art. 6 para. 1 sentence 1 lit. f GDPR.

4.1. Instagram

We maintain a profile on Instagram. The operator is Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. The privacy policy is available here: https://help.instagram.com/519522125107875.

4.2. YouTube

We maintain a profile on YouTube. The operator is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. The privacy policy is available here: https://policies.google.com/privacy?hl=de.

4.3. LinkedIn

We maintain a profile on LinkedIn. The operator is LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland. The privacy policy is available here: https://www.linkedin.com/legal/privacy-policy?_l=de_DE. An option to object to data processing is available via the advertising settings: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.

5. Compliance with Child Safety Laws and Reporting Obligations

Our app complies with the applicable laws and regulations on child safety.

Our app ensures that all content shared within the app is appropriate for a mixed audience, including children. User-generated content is moderated to prevent inappropriate material from being accessible. All CSAM content (Child Sexual Abuse Material) is automatically removed when flagged or reported through our moderation features or when we are contacted directly for this purpose. We will systematically take measures to report confirmed CSAM content to the National Center for Missing and Exploited Children.

CSAM includes any visual depiction, including but not limited to photos, videos and computer-generated images, involving the use of a minor in sexually explicit conduct.

Contact Person for Child Safety

You can contact go@we-are-panda.com if CSAM content is discovered.

Privacy and Data Protection

Our app is committed to protecting user data, particularly of children under 13 years of age, in accordance with applicable regulations. The privacy policy is clearly displayed and accessible via the app settings and our website. All data is encrypted during transmission and stored securely.

Advertising and Monetisation

Our app does not contain any advertising or monetised content.

Transparency and Disclosure

Data Security: Detailed information can be found in the Google Play Data Safety form.

Content Ratings: IARC 3+, L, E, 3, 3, USK 0

 

Validation and Updates

Regular internal testing is conducted to ensure compliance with Google Play child safety standards, including functionality checks and content audits.

The policies are reviewed quarterly or as needed to align with updated child safety standards.

6. Changes to this Privacy Policy

We reserve the right to amend this privacy policy with effect for the future. A current version is available here at all times.

7. Questions and Comments

For questions or comments regarding this privacy policy, please contact us using the contact details provided above.
