Privacy Policy
1. Introduction
ifp-labs GmbH and its group companies (collectively “ifp-labs”, “we”, “us”, or “our”) are committed to protecting your personal data.
This Privacy Policy explains how we collect, use, store, share, and protect personal data when you visit our website ifp-labs.com (the “Website”), use our services, subscribe to our newsletter, apply for a job, or otherwise interact with us.
This Privacy Policy applies to data subjects in the European Union, the European Economic Area, the United Kingdom, and elsewhere. It is intended to fulfil our information obligations under Articles 13 and 14 of the EU General Data Protection Regulation (Regulation (EU) 2016/679, “EU GDPR”), the UK General Data Protection Regulation (“UK GDPR”), the German Bundesdatenschutzgesetz (“BDSG”), and, where applicable, the German Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz (“TDDDG”).
2. Controller
The data controller responsible for the processing described in this Privacy Policy is:
ifp-labs GmbH
Wagner-Régeny-Str. 8
12489 Berlin
Germany
Phone: +49 30 / 74 73 33 - 0
Email: datenschutz@ifp-labs.com
Web: www.ifp-labs.com
Where services are provided by one of our UK group companies, including ifp-labs UK Limited, ifp-labs UK West Yorkshire Limited, ifp-labs UK South Yorkshire Limited, or ifp-labs South Wales Limited, the relevant UK entity acts as controller or joint controller for the personal data processed in connection with those services.
3. Data Protection Officer
Our Data Protection Officer can be contacted at:
mip Consult GmbH
Lawyer Asmus Eggert
Wilhelm-Kabus-Str. 9
10829 Berlin
Germany
Email: datenschutz@ifp-labs.com
Phone: +49 30 / 74 73 33 - 0
Web: www.sofortdatenschutz.de
For data protection enquiries, you may also contact:
ifp-labs GmbH
Wagner-Régeny-Str. 8
12489 Berlin
Germany
Email: datenschutz@ifp-labs.com
4. What Personal Data We Collect
We collect and process different categories of personal data depending on how you interact with us.
4.1 Website Visitors
When you visit our Website, our web server automatically collects technical data required to deliver the Website to your browser and to ensure secure and stable operation.
This may include your IP address, browser type and version, operating system, referrer URL, pages visited, date and time of access, volume of data transferred, and other technical access data.
This data is processed on the basis of our legitimate interest in ensuring the security, stability, and functionality of our Website pursuant to Art. 6(1)(f) EU GDPR / UK GDPR.
Server log files are retained for a maximum of 30 days and then deleted, unless longer retention is required for security incident investigation.
4.2 Contact and Enquiry Forms
When you contact us by email, telephone, contact form, or the “Get a Quote” function, we process the personal data you provide.
This typically includes your name, email address, phone number, company name, and the content of your enquiry.
We process this data for the purpose of responding to your enquiry and, where applicable, initiating or performing a business relationship. The legal basis is Art. 6(1)(b) EU GDPR / UK GDPR for pre-contractual measures or contract performance and Art. 6(1)(f) EU GDPR / UK GDPR for our legitimate interest in responding to business enquiries.
4.3 Clients and Business Partners
When you commission testing, inspection, laboratory, advisory, or related services from us, we process the personal data necessary to perform the contract.
This may include names and contact details of contact persons, billing and invoicing data, sample submission records, test report data, order data, and business correspondence.
The legal basis is Art. 6(1)(b) EU GDPR / UK GDPR for contract performance and, where applicable, Art. 6(1)(c) EU GDPR / UK GDPR for compliance with legal obligations, including tax and commercial record-keeping obligations.
4.4 Job Applicants
When you apply for a position at ifp-labs, we process the personal data contained in your application, including your name, contact details, CV, qualifications, references, and other information submitted by you.
The legal basis is Art. 6(1)(b) EU GDPR / UK GDPR for pre-contractual measures and § 26 BDSG for data processing in the employment context.
Application data is retained for up to six months after conclusion of the recruitment process, unless you consent to longer retention for consideration for future vacancies.
4.5 Newsletter Subscribers
If you subscribe to a newsletter offered on our Website, we process the data required to provide the newsletter.
This generally includes your email address and information required to verify that you are the owner of the email address provided and that you consent to receiving the newsletter. Additional data may be collected on a voluntary basis.
We use this data exclusively to send the requested information and do not disclose it to third parties for their own marketing purposes.
The legal basis for processing newsletter subscription data is your consent pursuant to Art. 6(1)(a) EU GDPR / UK GDPR. You may withdraw your consent at any time, for example by using the “unsubscribe” link in the newsletter. The lawfulness of processing carried out before withdrawal remains unaffected.
The data stored for newsletter subscription purposes will be retained until you unsubscribe from the newsletter or until the purpose no longer applies. After unsubscribing, your data will be deleted from the newsletter distribution list unless retention is required for other lawful purposes.
After unsubscribing, your email address may be stored in a suppression list or blacklist where this is necessary to prevent future mailings. This processing is based on our legitimate interest in complying with legal requirements for email marketing pursuant to Art. 6(1)(f) EU GDPR / UK GDPR. Data in the suppression list is used only for this purpose and is not combined with other data. You may object to this processing where your interests outweigh our legitimate interest.
4.6 Cookies and Similar Technologies
Our Website uses cookies and similar technologies. Cookies are small data packages that are stored on your device. They may be session cookies, which are deleted automatically after the end of your visit, or persistent cookies, which remain stored on your device until you delete them or your browser deletes them automatically.
Cookies may be set by us as first-party cookies or by third-party providers as third-party cookies. Third-party cookies may enable the integration of services provided by third parties, such as analytics, advertising, embedded content, or other website functions.
Cookies serve different purposes. Some cookies are technically necessary for the operation of the Website. Other cookies may be used to analyse user behaviour, measure reach, personalise content, or support advertising and remarketing activities.
Technically necessary cookies are generally processed on the basis of Art. 6(1)(f) EU GDPR / UK GDPR, unless another legal basis applies. We have a legitimate interest in providing a technically error-free and optimized Website.
Where consent is requested for the storage of cookies or access to information on your device, processing is carried out exclusively on the basis of your consent pursuant to Art. 6(1)(a) EU GDPR / UK GDPR and § 25(1) TDDDG. You may withdraw your consent at any time.
You can configure your browser to inform you about the use of cookies, to allow cookies only in individual cases, to exclude cookies in certain cases or in general, and to activate automatic deletion of cookies when closing the browser. If cookies are disabled, the functionality of this Website may be limited.
Further information on the cookies and third-party services used on this Website is provided in this Privacy Policy and, where available, in our Cookie Policy or consent management tool.
5. Hosting and Content Delivery Networks
5.1 External Hosting by HubSpot
We host the content of our Website with the following provider:
HubSpot, Inc.
25 First Street
Cambridge, MA 02141
USA
This Website is externally hosted. Personal data collected on this Website may be stored on the servers of the hosting provider. This may include IP addresses, contact enquiries, metadata and communication data, contract data, contact details, names, website access data, and other data generated through the Website.
External hosting is used for the purpose of performing contracts with our potential and existing customers pursuant to Art. 6(1)(b) EU GDPR / UK GDPR and in our legitimate interest in providing a secure, fast, and efficient online offering through a professional provider pursuant to Art. 6(1)(f) EU GDPR / UK GDPR.
Where consent is requested, processing is carried out exclusively on the basis of Art. 6(1)(a) EU GDPR / UK GDPR and § 25(1) TDDDG, insofar as the consent includes the storage of cookies or access to information on the user’s device, such as device fingerprinting. Consent may be withdrawn at any time.
HubSpot processes personal data only to the extent necessary to fulfil its service obligations and in accordance with our instructions.
We have concluded a data processing agreement with HubSpot pursuant to Art. 28 EU GDPR / UK GDPR. This agreement ensures that HubSpot processes the personal data of our Website visitors only in accordance with our instructions and in compliance with applicable data protection laws.
HubSpot may process personal data in the United States. Transfers to the United States may be based on the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, Standard Contractual Clauses, or other applicable safeguards.
Further information is available in HubSpot’s privacy policy: https://legal.hubspot.com/privacy-policy
5.2 Cloudflare
We use the service “Cloudflare”. The provider is:
Cloudflare, Inc.
101 Townsend St.
San Francisco, CA 94107
USA
Cloudflare provides a globally distributed Content Delivery Network and DNS services. Technically, the information transfer between your browser and our Website may be routed through Cloudflare’s network. This enables Cloudflare to analyse the data traffic between your browser and our Website and to act as a filter between our servers and potentially malicious traffic from the internet.
Cloudflare may also use cookies or similar technologies to recognise internet users. Such technologies are used only for the purposes described in this section, in particular for secure and efficient delivery of the Website and protection against attacks.
The use of Cloudflare is based on our legitimate interest in providing our Website as securely, reliably, and efficiently as possible pursuant to Art. 6(1)(f) EU GDPR / UK GDPR.
Where consent is requested, processing is carried out exclusively on the basis of Art. 6(1)(a) EU GDPR / UK GDPR and § 25(1) TDDDG. Consent may be withdrawn at any time.
Cloudflare may process personal data in the United States. Transfers to the United States may be based on the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, Standard Contractual Clauses, or other applicable safeguards.
Further information is available in Cloudflare’s privacy policy: https://www.cloudflare.com/privacypolicy/
We have concluded a data processing agreement with Cloudflare pursuant to Art. 28 EU GDPR / UK GDPR. This agreement ensures that Cloudflare processes the personal data of our Website visitors only in accordance with our instructions and in compliance with applicable data protection laws.
6. HubSpot CRM and Marketing Functions
We use HubSpot CRM and related HubSpot functions on our Website. The provider is:
HubSpot, Inc.
25 First Street
Cambridge, MA 02141
USA
HubSpot CRM enables us to manage existing and potential customers and business contacts. With HubSpot CRM, we may record, organize, analyse, and manage customer interactions across different channels, including email, social media, telephone, contact forms, and website interactions.
The personal data collected through HubSpot CRM may be used to communicate with potential and existing customers, manage business relationships, process enquiries, and, where legally permitted, conduct marketing activities such as newsletter mailings or event invitations.
HubSpot CRM may also enable us to record and analyse the behaviour of contacts on our Website, for example when a contact interacts with emails, forms, landing pages, or other Website content.
The use of HubSpot CRM is based on Art. 6(1)(f) EU GDPR / UK GDPR. We have a legitimate interest in efficient customer management, customer communication, and business development.
Where consent is requested, processing is carried out exclusively on the basis of Art. 6(1)(a) EU GDPR / UK GDPR and § 25(1) TDDDG, insofar as consent includes the storage of cookies or access to information on the user’s device, such as device fingerprinting. Consent may be withdrawn at any time.
HubSpot may process personal data in the United States. Transfers to the United States may be based on the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, Standard Contractual Clauses, or other applicable safeguards.
Further information is available in HubSpot’s privacy policy: https://legal.hubspot.com/privacy-policy
We have concluded a data processing agreement with HubSpot pursuant to Art. 28 EU GDPR / UK GDPR. This agreement ensures that HubSpot processes the personal data of our Website visitors only in accordance with our instructions and in compliance with applicable data protection laws.
7. Analytics, Tag Management, and Advertising
7.1 Google Tag Manager
We use Google Tag Manager. The provider is:
Google Ireland Limited
Gordon House
Barrow Street
Dublin 4
Ireland
Google Tag Manager is a tool that allows us to integrate and manage tracking, analytics, marketing, and other technologies on our Website.
Google Tag Manager itself does not create user profiles, does not store cookies, and does not perform independent analyses. It is used to manage and deploy the tools integrated through it. However, Google Tag Manager may collect your IP address, which may also be transferred to Google LLC in the United States.
The use of Google Tag Manager is based on Art. 6(1)(f) EU GDPR / UK GDPR. We have a legitimate interest in the fast and uncomplicated integration and management of various tools on our Website.
Where consent is requested, processing is carried out exclusively on the basis of Art. 6(1)(a) EU GDPR / UK GDPR and § 25(1) TDDDG, insofar as consent includes the storage of cookies or access to information on the user’s device. Consent may be withdrawn at any time.
Google LLC is certified under the EU-U.S. Data Privacy Framework. Transfers to the United States may also be based on Standard Contractual Clauses or other applicable safeguards.
7.2 Google Analytics
This Website uses Google Analytics, a web analytics service provided by:
Google Ireland Limited
Gordon House
Barrow Street
Dublin 4
Ireland
Google Analytics enables us to analyse the behaviour of Website visitors. In doing so, we may receive usage data such as page views, session duration, operating systems used, referrer information, approximate location, and user interactions.
Google Analytics may use technologies that enable recognition of the user for the purpose of analysing user behaviour, including cookies or comparable technologies. The information collected by Google about the use of this Website may be transferred to and stored on Google servers, including servers in the United States.
We use Google Analytics only on the basis of your consent pursuant to Art. 6(1)(a) EU GDPR / UK GDPR and § 25(1) TDDDG. You may withdraw your consent at any time.
IP anonymisation is activated for Google Analytics. This means that your IP address is shortened by Google within Member States of the European Union or other contracting states of the Agreement on the European Economic Area before being transferred to the United States. Only in exceptional cases will the full IP address be transferred to a Google server in the United States and shortened there.
On our behalf, Google uses this information to evaluate your use of the Website, compile reports on Website activity, and provide other services relating to Website and internet usage. The IP address transmitted by your browser in connection with Google Analytics is not merged with other Google data.
You can prevent Google from collecting and processing your data by downloading and installing the browser plugin available at: https://tools.google.com/dlpage/gaoptout
Further information on Google Analytics and privacy is available at: https://support.google.com/analytics/answer/6004245
We have concluded a data processing agreement with Google for the use of Google Analytics.
Google LLC is certified under the EU-U.S. Data Privacy Framework. Transfers to the United States may also be based on Standard Contractual Clauses or other applicable safeguards.
7.3 Google Signals
We may use Google Signals as part of Google Analytics where consent has been provided.
When you visit our Website, Google Analytics may collect information such as your location, search history, YouTube history, and demographic data, insofar as such data is available to Google and you are logged into a Google account. This data may be used by Google Signals for personalised advertising and for the creation of aggregated and anonymised statistics on user behaviour.
If you have a Google account and have enabled personalised advertising, Google may link the data collected through Google Signals with your Google account and use it for personalised advertising.
The use of Google Signals takes place only on the basis of your consent pursuant to Art. 6(1)(a) EU GDPR / UK GDPR and § 25(1) TDDDG. You may withdraw your consent at any time.
7.4 Google Ads
We use Google Ads, an online advertising programme provided by:
Google Ireland Limited
Gordon House
Barrow Street
Dublin 4
Ireland
Google Ads allows us to display advertisements in Google Search and on third-party websites when users enter certain search terms or match certain target audience criteria.
Google Ads may enable us to evaluate advertising performance quantitatively, for example by analysing which search terms triggered our advertisements and how many users clicked on an advertisement.
The use of Google Ads is based on your consent pursuant to Art. 6(1)(a) EU GDPR / UK GDPR and § 25(1) TDDDG. You may withdraw your consent at any time.
Google LLC is certified under the EU-U.S. Data Privacy Framework. Transfers to the United States may also be based on Standard Contractual Clauses or other applicable safeguards.
Further information is available at: https://policies.google.com/privacy
7.5 Google Ads Remarketing
We use Google Ads Remarketing. The provider is:
Google Ireland Limited
Gordon House
Barrow Street
Dublin 4
Ireland
Google Ads Remarketing enables us to assign Website visitors to certain target groups in order to display interest-based advertisements within the Google advertising network.
Remarketing audiences may also be linked with Google’s cross-device functions. This may allow interest-based, personalised advertising messages adapted to your previous usage and browsing behaviour on one device to be displayed on another device.
If you have a Google account, you can object to personalised advertising at: https://adssettings.google.com/
The use of Google Ads Remarketing is based on your consent pursuant to Art. 6(1)(a) EU GDPR / UK GDPR and § 25(1) TDDDG. You may withdraw your consent at any time.
Further information is available in Google’s advertising privacy information: https://policies.google.com/technologies/ads
Google LLC is certified under the EU-U.S. Data Privacy Framework. Transfers to the United States may also be based on Standard Contractual Clauses or other applicable safeguards.
7.6 Google Conversion Tracking
We use Google Conversion Tracking. The provider is:
Google Ireland Limited
Gordon House
Barrow Street
Dublin 4
Ireland
Google Conversion Tracking enables Google and us to determine whether a user has performed certain actions, for example clicking buttons, submitting forms, viewing content, or completing other conversions.
This information is used to create conversion statistics. We receive the total number of users who clicked on our advertisements and completed defined actions. We do not receive information that allows us to personally identify individual users.
Google may use cookies or similar recognition technologies for identification.
The use of Google Conversion Tracking is based on your consent pursuant to Art. 6(1)(a) EU GDPR / UK GDPR and § 25(1) TDDDG. You may withdraw your consent at any time.
Further information is available at: https://policies.google.com/privacy
Google LLC is certified under the EU-U.S. Data Privacy Framework. Transfers to the United States may also be based on Standard Contractual Clauses or other applicable safeguards.
7.7 LinkedIn Insight Tag
This Website uses the LinkedIn Insight Tag. The provider is:
LinkedIn Ireland Unlimited Company
Wilton Plaza
Wilton Place
Dublin 2
Ireland
The LinkedIn Insight Tag enables us to obtain information about visitors to our Website. If a Website visitor is registered with LinkedIn, we may analyse professional data such as career level, company size, country, location, industry, and job title in aggregated form in order to better tailor our Website and advertising to relevant target groups.
LinkedIn Insight Tag also enables conversion measurement, including cross-device conversion measurement, and may provide retargeting functions that allow us to display targeted advertising to Website visitors outside our Website.
LinkedIn may collect log files, including URL, referrer URL, IP address, device and browser properties, and time of access. LinkedIn states that IP addresses are shortened or hashed where used to reach LinkedIn members across devices. Direct identifiers of LinkedIn members are generally deleted by LinkedIn after a short period, and remaining pseudonymised data is deleted within the periods specified by LinkedIn.
The data collected by LinkedIn cannot generally be assigned by us to specific individuals. LinkedIn may store personal data on servers in the United States and use it for its own advertising purposes.
Where consent is obtained, the use of LinkedIn Insight Tag is based on Art. 6(1)(a) EU GDPR / UK GDPR and § 25(1) TDDDG. You may withdraw your consent at any time.
Where no consent is required by applicable law, processing may be based on Art. 6(1)(f) EU GDPR / UK GDPR. Our legitimate interest is the effective measurement and optimisation of our advertising activities, including on social media.
Transfers to the United States may be based on the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, Standard Contractual Clauses, or other applicable safeguards.
Further information is available in LinkedIn’s privacy policy: https://www.linkedin.com/legal/privacy-policy
You can object to LinkedIn’s analysis of usage behaviour and targeted advertising at: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out
LinkedIn members can also manage the use of their personal data for advertising purposes in their LinkedIn account settings. To prevent LinkedIn from linking data collected on our Website with your LinkedIn account, you should log out of your LinkedIn account before visiting our Website.
8. Purposes and Legal Bases of Processing
We process personal data for the following purposes and on the following legal bases:
| Purpose | Categories of data | Legal basis |
|---|---|---|
| Delivering the Website and ensuring its security | Technical data, IP address, browser information, server logs | Art. 6(1)(f) EU GDPR / UK GDPR – legitimate interest |
| Hosting the Website and providing CDN/security services | Website access data, IP address, technical and communication data | Art. 6(1)(b), Art. 6(1)(f), and, where applicable, Art. 6(1)(a) EU GDPR / UK GDPR; § 25 TDDDG |
| Responding to enquiries | Name, email, phone, company, message content | Art. 6(1)(b) – pre-contractual measures; Art. 6(1)(f) – legitimate interest |
| Performing testing, inspection, laboratory, and advisory services | Client contact data, sample data, reports, invoicing data | Art. 6(1)(b) – contract performance |
| Complying with legal obligations | Invoicing data, tax records, regulatory reporting | Art. 6(1)(c) – legal obligation |
| Customer relationship management | Contact details, communication history, website interactions | Art. 6(1)(f) – legitimate interest; where applicable Art. 6(1)(a) – consent |
| Sending service-related communications | Name, email, business contact data | Art. 6(1)(f) – legitimate interest |
| Direct marketing, newsletters, and event invitations | Name, email, consent records, communication preferences | Art. 6(1)(a) – consent; where applicable Art. 6(1)(f) – legitimate interest |
| Analytics and website optimisation | Usage data, device data, interaction data, cookie IDs | Art. 6(1)(a) – consent; § 25 TDDDG |
| Advertising, remarketing, and conversion measurement | Usage data, device data, cookie IDs, advertising IDs, conversion events | Art. 6(1)(a) – consent; § 25 TDDDG |
| Recruitment and applications | Applicant data, CV, qualifications, references | Art. 6(1)(b) – pre-contractual measures; § 26 BDSG |
| Exercising or defending legal claims | All relevant data | Art. 6(1)(f) – legitimate interest |
Where we rely on legitimate interests pursuant to Art. 6(1)(f) EU GDPR / UK GDPR, we have conducted a balancing assessment and concluded that our interests do not override your rights and freedoms. You may request further information about our balancing assessments at any time.
9. Recipients and Data Sharing
We share personal data only where necessary and on a lawful basis.
Recipients may include the following categories:
Within the ifp-labs group: Personal data may be shared between ifp-labs GmbH and its UK group companies for service delivery, group-wide administration, quality management, and business operations. The legal basis is Art. 6(1)(f) EU GDPR / UK GDPR, including our legitimate interest in efficient group administration.
Subcontractors and processors: Where we engage subcontractors to perform testing or inspection services on our behalf, or where we use IT service providers, hosting providers, CRM providers, analytics providers, communication tools, or other service providers, these parties may act as processors under Art. 28 EU GDPR / UK GDPR. We conclude data processing agreements with processors where required.
Technology and marketing providers: We may share personal data with providers such as HubSpot, Cloudflare, Google, and LinkedIn to the extent described in this Privacy Policy and where the relevant legal requirements are met.
Authorities and regulatory bodies: We may disclose personal data to supervisory authorities, accreditation bodies, tax authorities, law enforcement agencies, courts, or other public authorities where legally required pursuant to Art. 6(1)(c) EU GDPR / UK GDPR or where necessary for the establishment, exercise, or defence of legal claims pursuant to Art. 6(1)(f) EU GDPR / UK GDPR.
Clients and report recipients: Test and inspection reports may contain personal data, such as names of contact persons or signatories. These reports are provided to the commissioning client as part of the contractual service.
We do not sell personal data. We do not share personal data with third parties for their own marketing purposes unless you have expressly consented or another lawful basis applies.
10. International Data Transfers
10.1 Transfers between Germany and the United Kingdom
Personal data may be transferred between our German and UK entities.
Transfers from the European Economic Area to the United Kingdom are currently based on the European Commission’s adequacy decision for the United Kingdom, which recognises that the United Kingdom provides an adequate level of data protection.
Transfers from the United Kingdom to the European Economic Area are permitted under UK data protection law.
10.2 Transfers to the United States and Other Third Countries
Where we use service providers established outside the EU/EEA or the UK, including providers in the United States, we ensure that appropriate safeguards are in place.
These safeguards may include:
- an adequacy decision by the European Commission or the UK Secretary of State, including the EU-U.S. Data Privacy Framework and the UK Extension to the EU-U.S. Data Privacy Framework, where applicable;
- Standard Contractual Clauses adopted by the European Commission pursuant to Art. 46(2)(c) EU GDPR;
- the UK International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses for transfers from the United Kingdom;
- transfer risk assessments and supplementary technical and organisational measures where required.
You may request further information about the applicable safeguards by contacting us using the contact details provided in this Privacy Policy.
11. Data Retention
We retain personal data only for as long as necessary for the purposes for which it was collected or as required by applicable law.
Our general retention periods are:
| Data category | Retention period | Basis |
|---|---|---|
| Server log files | Up to 30 days | Legitimate interest in security |
| Contact form enquiries where no contract is concluded | 12 months after last contact | Legitimate interest |
| Client contract and invoicing data | 10 years after end of contract | § 147 AO, § 257 HGB |
| Test and inspection reports | 10 years or as required by applicable accreditation standards | Legal obligation; accreditation requirements |
| Sample data and records | As specified in our GTC; minimum four weeks for microbiological samples | Contractual obligation |
| Job application data | Six months after conclusion of recruitment process | § 26 BDSG; limitation periods for claims |
| Newsletter subscriber data | Until consent is withdrawn or the purpose no longer applies | Consent |
| Suppression list or blacklist data for newsletter unsubscribe management | As long as necessary to prevent future mailings | Legitimate interest |
| Cookie consent records | Up to five years | Art. 7(1) EU GDPR / UK GDPR – demonstrating consent |
| Analytics and advertising data | As specified in the relevant tool settings, consent management tool, or provider documentation | Consent; legitimate interest where applicable |
After expiry of the relevant retention period, personal data is securely deleted or irreversibly anonymised.
12. Your Rights
Under the EU GDPR and UK GDPR, you have the following rights in relation to your personal data:
Right of access: You may request confirmation of whether we process your personal data and, if so, a copy of the data and information about the processing pursuant to Art. 15 EU GDPR / UK GDPR.
Right to rectification: You may request the correction of inaccurate personal data or the completion of incomplete data pursuant to Art. 16 EU GDPR / UK GDPR.
Right to erasure: You may request deletion of your personal data where there is no longer a legal basis or legitimate reason for continued processing pursuant to Art. 17 EU GDPR / UK GDPR.
Right to restriction of processing: You may request that we restrict the processing of your personal data under certain circumstances pursuant to Art. 18 EU GDPR / UK GDPR.
Right to data portability: Where processing is based on consent or contract performance and carried out by automated means, you may request to receive your personal data in a structured, commonly used, machine-readable format and have it transmitted to another controller pursuant to Art. 20 EU GDPR / UK GDPR.
Right to object: You may object at any time to processing based on legitimate interests pursuant to Art. 6(1)(f) EU GDPR / UK GDPR. We will cease processing unless we can demonstrate compelling legitimate grounds. You may object to direct marketing at any time without giving reasons pursuant to Art. 21 EU GDPR / UK GDPR.
Right to withdraw consent: Where processing is based on your consent, you may withdraw that consent at any time pursuant to Art. 7(3) EU GDPR / UK GDPR. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
Right not to be subject to automated decision-making: We do not currently make decisions based solely on automated processing that produce legal effects concerning you or similarly significantly affect you pursuant to Art. 22 EU GDPR / UK GDPR.
Right to lodge a complaint: You have the right to lodge a complaint with a supervisory authority.
The competent supervisory authorities include:
Germany:
Berliner Beauftragte für Datenschutz und Informationsfreiheit
Friedrichstr. 219
10969 Berlin
Germany
https://www.datenschutz-berlin.de
United Kingdom:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
United Kingdom
https://ico.org.uk
To exercise any of your rights, please contact us at datenschutz@ifp-labs.com. We will respond within one month of receiving your request. This period may be extended by two further months in complex cases, and we will inform you where an extension is required.
13. Security
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, loss, or destruction.
These measures include encryption of data in transit, TLS/SSL, access controls, regular security reviews, staff training, and physical security at our laboratory and office premises.
Our measures are reviewed and updated regularly in accordance with Art. 32 EU GDPR / UK GDPR.
14. Children’s Data
Our Website and services are directed at business clients and are not intended for use by children under the age of 16.
We do not knowingly collect personal data from children. If you believe that we have inadvertently collected personal data relating to a child, please contact us and we will delete it promptly.
15. Direct Marketing
We may send you information about our services, events, publications, or similar offerings where legally permitted.
Where required by law, we will obtain your prior opt-in consent before sending electronic marketing communications. You may withdraw your consent at any time.
You may also object to receiving direct marketing at any time by clicking the “unsubscribe” link in any email or by contacting us at datenschutz@ifp-labs.com.
For the avoidance of doubt:
EU/Germany: Electronic direct marketing to individuals, including business contacts with named email addresses, generally requires prior consent under § 7 UWG, unless a statutory exception applies.
United Kingdom: Electronic marketing to individual subscribers generally requires prior consent under PECR Regulation 22, as amended. Marketing to corporate subscribers is subject to the applicable PECR rules, including opt-out requirements.
16. Changes to This Privacy Policy
We may update this Privacy Policy from time to time.
The date of the last update should be shown at the top or bottom of this page. Material changes will be communicated via our Website where appropriate.
We encourage you to review this Privacy Policy periodically.
17. Contact
If you have questions about this Privacy Policy or wish to exercise your data protection rights, please contact:
ifp-labs GmbH
Wagner-Régeny-Str. 8
12489 Berlin
Germany
Email: datenschutz@ifp-labs.com
Phone: +49 30 / 74 73 33 - 0
