Privacy Policy

Privacy Policy

The controller within the meaning of the General Data Protection Regulation (GDPR) and other national data protection laws and other data protection regulations is:

SARSTEDT AG & Co. KG
Sarstedtstraße 1
51588 Nümbrecht
Phone: +49 (0) 2293 305 - 0
Email info(at)sarstedt.com

For information, correction, blocking, or deletion of personal data or if you have any questions regarding the use, collection, or processing of your personal data, please contact:

SARSTEDT AG & Co. KG
Sarstedtstraße 1
51588 Nümbrecht
Germany

email: datenschutz(at)sarstedt.com
Tel.: +49 2293 305 - 0
Fax: +49 2293 305 - 2470

For reasons of better readability, we have deliberately refrained from distinguishing between female and male personal pronouns.

1. General information on data processing

1.1. Processing of personal data and its purpose

SARSTEDT AG & Co. KG (hereinafter referred to as "SARSTEDT" or "we") processes users' personal data only to the extent necessary to provide a functional website and our content and services. When you visit our websites, the following data is processed:

• User's IP address

• Browser used (type, version, language)

• Operating system used

• User's internet service provider

• Date and time of access to our website

• Files accessed on our website

• Website from which the user accessed our website

• Website that the user accesses via our website.

The processing and temporary storage of the IP address is necessary to enable the website to be delivered to the user's computer. For this purpose, the user's IP address must be stored for the duration of the session. The log files contain IP addresses or other data that enable the user to be identified. The data is stored in log files to ensure the functionality of the websites. In addition, the data is used to optimize our websites and to ensure the security of our information technology systems. Any processing of personal data is carried out exclusively for the purposes stated and to the extent necessary to achieve these purposes. This data is not used for advertising, customer advice, or market research purposes. These purposes also constitute our legitimate interest in data processing.

1.2. Legal basis for the processing of personal data

The processing of our users' personal data is carried out regularly with the user's consent. An exception applies in cases where it is not possible to obtain prior consent for practical reasons and we are permitted to process the data by law. The storage of data and log files is based on Art. 6 (1) lit. f GDPR.

1.3. Data deletion and storage period

We delete or block the personal data of the data subjects as soon as the purpose of storage no longer applies. In the case of data processing for the provision of the websites, deletion takes place when the respective session is ended. In the case of storage of personal data in log files, deletion takes place after seven days at the latest. Further storage is possible if the IP addresses of the users are deleted or anonymized beforehand, so that it is no longer possible to assign the calling client.

2. Cookies

We use cookies in several places on our websites. When a user visits one of our websites, a cookie may be stored on the user's operating system. A cookie contains a characteristic string of characters that enables the browser to be uniquely identified when the user visits our websites again. The following data is stored and transmitted in the cookies:

• Language setting and region

• Session

The purpose of using cookies is to make our websites user-friendly. The processing of personal data using cookies is based on Art. 6 (1) lit. f GDPR. Cookies are stored on the user's computer and transmitted to our websites from there. Users can deactivate or restrict the transmission of cookies by changing the settings of their Internet browser. Cookies that have already been stored can be deleted at any time. If cookies are deactivated for our websites, it may no longer be possible to use all the functions of our websites to their full extent.

3. Tools

3.1 Contentful

We use the Contentful content management system from Contentful GmbH, Ritterstraße 12-14, 10969 Berlin, Germany, to efficiently manage and provide the content of our website.

Purpose of processing
Contentful is used to create, maintain, and provide website content in a structured manner. The platform is used to deliver text, images, and other media content to ensure that our website remains user-friendly and up to date.

Legal basis
The use of Contentful is based on Art. 6 (1) lit. f GDPR on the basis of our legitimate interest in the technically secure, efficient, and modern management and provision of our web content. If consent is required (e.g., via a consent management tool), processing is based on Art. 6 (1) lit. a GDPR.

Recipients and data transfer
Contentful may process personal data (e.g., IP address, time of page view, browser information) to enable the delivery of content. Data processing is usually carried out on servers within the European Union. If data is transferred to third countries (e.g., the USA), this is done on the basis of appropriate safeguards in accordance with Art. 46 GDPR, in particular through the conclusion of EU standard contractual clauses.

Duration of storage
The data is only stored for as long as is necessary to achieve the stated purpose.

Further information on data protection at Contentful can be found in Contentful's privacy policy at: https://www.contentful.com/legal/privacy/

3.2 Cookiebot

Our website uses the Cookiebot™ tool to manage consent for the use of cookies. Cookiebot™ is a service provided by Usercentrics A/S, Havnegade 39, 1058 Copenhagen, Denmark (hereinafter "Cookiebot").

Cookiebot helps us comply with legal requirements for obtaining and managing user consent to cookies. This includes displaying a cookie banner, obtaining consent to use cookies, storing this consent, and creating reports.

Cookiebot processes the following data:

• User's IP address (in anonymized form)

• Date and time of consent

• Browser user agent

• URL from which consent was sent

• Anonymous, randomly generated key

• User's consent status, which serves as proof of consent

• This data is not used to identify visitors to the website.

The data is processed on the basis of Art. 6 (1) (c) GDPR in order to comply with our legal obligations to obtain consent. In addition, the processing is based on Art. 6 (1) (f) GDPR due to our legitimate interest in the legally compliant management of cookie consent.

The consent data is stored for a period of 12 months and then automatically deleted, unless a longer retention period is required by law or necessary for the defense or enforcement of legal claims.

The data is transmitted to Usercentrics A/S and processed there. Usercentrics A/S is contractually obliged to process the data only in accordance with our instructions and to comply with EU data protection regulations.

You have the right to request information about the personal data we have stored about you at any time. In addition, you have the right to correct, delete, and restrict the processing of your data, as well as the right to data portability. You can also revoke your consent at any time with future effect. To do so, please contact our data protection officer.

Further information on data protection at Cookiebot can be found in the privacy policy of Usercentrics A/S: https://www.cookiebot.com/de/privacy-policy/

3.3 Algolia

Our website uses Algolia, a search technology implementation service provided by Algolia Inc., 3790 El Camino Real, Unit #518, Palo Alto, CA 94306, USA (hereinafter "Algolia"). Algolia uses artificial intelligence to improve the search functionality and user experience on our website.

Algolia enables us to provide a fast and relevant search function on our website. This includes searching our content, offering search suggestions, and analyzing search behavior to optimize search results.

Algolia processes the following data:

• User search queries

• User's IP address

• Information about the device and browser used

• Usage data and interactions with the search function (e.g., clicks on search results)

• Location information (if enabled)

• This data is processed anonymously and is not directly linked to a specific person.

The data is processed on the basis of Art. 6 (1) lit. f GDPR due to our legitimate interest in the efficient and user-friendly design of our website and in improving the search function and user experience.

The data is stored by Algolia for the period of time necessary to fulfill the above-mentioned purposes. Anonymized usage data may be stored for a longer period of time for analysis purposes.

The data is transferred to Algolia Inc. and processed there. Algolia Inc. is contractually obliged to process the data only in accordance with our instructions and to comply with EU data protection regulations.

As Algolia is a US company, data may be transferred to and processed in the US. Algolia takes appropriate measures to ensure that an adequate level of data protection is maintained in accordance with the requirements of the GDPR.

You have the right to request information about the personal data we have stored about you at any time. In addition, you have the right to correct, delete, and restrict the processing of your data, as well as the right to data portability. Please contact our data protection officer for more information.

For more information on data protection at Algolia, please refer to Algolia's privacy policy: http://algolia.com/de/policies/privacy

3.4 Microsoft Azure

We use Microsoft Azure, a cloud service provided by Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland, to host and operate our IT infrastructure, web applications, and data processing processes.

Purpose of processing

Azure is used to provide, scale, and secure our online services. This includes, in particular, hosting, database management, storage, and processing of content (e.g., website data, user requests, log files). It is used to ensure a stable, secure, and high-performance technical infrastructure.

Processed data

• Depending on usage, the following data may be processed:

• IP addresses and device information,

• access times and server log data,

• Content and usage data (e.g., form data entered, files transmitted),

• Technical metadata for system security and stability.

Legal basis
Processing is based on Art. 6 (1) (f) GDPR (legitimate interest in a secure, efficient, and modern IT infrastructure). Insofar as Azure services are necessary for the performance of the contract (e.g., to provide online services), the legal basis is Art. 6 (1) (b) GDPR. If consent is required (e.g., for analysis or tracking purposes), processing is carried out in accordance with Art. 6 (1) (a) GDPR.

Order processing
We have a contract with Microsoft for order processing in accordance with Art. 28 GDPR, which ensures that personal data is processed exclusively in accordance with our instructions and that appropriate technical and organizational measures are in place to protect the data.

Data transfer to third countries
Microsoft may also transfer data to servers outside the European Union, in particular to the USA, in the context of providing Azure services. Data is transferred on the basis of the EU standard contractual clauses pursuant to Art. 46 GDPR and the EU-U.S. Data Privacy Framework, where applicable.

Duration of storage
The data will only be stored for as long as is necessary to fulfill the respective processing purposes. Log data is regularly deleted automatically.

Further information on data processing by Microsoft can be found at: https://privacy.microsoft.com/de-de/privacystatement Details on Azure's data protection measures: https://learn.microsoft.com/de-de/azure/compliance/

3.5 commercetools

We use the commerce platform commercetools, a service provided by commercetools GmbH, Adams-Lehmann-Straße 44, 80797 Munich, Germany, for the operation and technical provision of our online shop.

commercetools provides the technical infrastructure for the operation of our shop ("Headless Commerce Platform") and, in this context, processes personal data that is collected when you use our online offering. This includes, in particular:

• Master data (e.g., name, email address, billing and delivery address),

• Order data (e.g., products, payment information, shipping status),

• Communication data (e.g., inquiries via contact forms or customer accounts),

• Technical data (e.g., IP address, browser type, access time, session IDs).

This data is processed in order to provide you with shop operations, product selection, order processing, and personalized functions (e.g., customer account or shopping cart).

commercetools processes this data exclusively on our behalf and in accordance with our instructions on the basis of a contract for order processing in accordance with Art. 28 GDPR. commercetools does not process this data independently for its own purposes.

The legal basis for the processing is Art. 6 (1) (b) GDPR (performance of a contract or pre-contractual measures) and Art. 6 (1) (f) GDPR (legitimate interest in the stable and secure technical operation of our online shop).

commercetools stores personal data exclusively on servers within the European Union. If, in exceptional cases, processing takes place in third countries (e.g., by subcontractors), commercetools ensures that an adequate level of data protection is guaranteed by means of appropriate safeguards such as EU standard contractual clauses.

Further information on data processing by commercetools can be found in the privacy policy of commercetools GmbH at:https://commercetools.com/privacy

3.6 Captcha tool reCAPTCHA

Our website uses reCAPTCHA, a service provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ("Google"). This service is used to distinguish whether the input is made by a human or abusively by automated, machine processing.

reCAPTCHA helps us to ensure the security of our website and prevent misuse of our online services by automated programs (bots). The use of reCAPTCHA helps to protect our contact forms and other interactive areas of our website from spam and misuse.

The following data may be processed in connection with the use of reCAPTCHA:

• User's IP address

• Referrer URL (the address of the page from which the user comes)

• Information about the device and browser used

• Screen and window resolution

• Browser plugins, browser language

• Date and time of the request

• Mouse movements and keyboard entries on the page

This data is transmitted to Google and processed there.

The data is processed on the basis of Art. 6 (1) lit. f GDPR due to our legitimate interest in the security of our website and the prevention of misuse by automated programs.

The data is only stored for as long as is necessary to fulfill the above-mentioned purposes. However, Google usually stores this data for a period of 9 to 18 months.

The data is transmitted to Google LLC and processed there. Google is contractually obliged to process the data only in accordance with our instructions and to comply with EU data protection regulations.

As Google is a US company, the data may be transferred to and processed in the US. Google takes appropriate measures to ensure that an adequate level of data protection is maintained in accordance with the requirements of the GDPR. Google is certified under the EU-US Privacy Shield.

You have the right to request information about the personal data we have stored about you at any time. In addition, you have the right to correct, delete, and restrict the processing of your data, as well as the right to data portability. Please contact our data protection officer for more information.

For more information about data protection at Google reCAPTCHA, please refer to Google's privacy policy.

3.7 Avalara

We use the Avalara service, operated by Avalara Europe Ltd., 4th Floor, 5 Hatfields (Hay's Galleria), London SE1 9PG, United Kingdom, for the automated calculation and management of taxes and duties (e.g., value added tax, sales tax, OSS procedures) in the context of ordering and billing processes.

Avalara will implement and maintain economically reasonable and appropriate technical, administrative, and physical safeguards and security methods designed to prevent any unauthorized disclosure, access, or release of customer data, confidential information, or personal information. Avalara will implement processes and maintain procedures designed to comply with applicable laws and facilitate the customer's compliance with its data protection obligations with respect to personal information in Avalara's possession or control, to the extent that the customer is required to comply with the following regulations:

(i) the U.K. Data Protection Act 1998; (ii) the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council ("GDPR") and any applicable laws enacted by an EU Member State to implement the requirements of the Regulation; (iii) the Australian Privacy Act 1988 and the National Privacy Principles; (iv) the Canadian Personal Information Protection and Electronic Documents Act; (v) the California Consumer Privacy Act, Cal. Civ. Code §§ 1798.100 et seq. and the related implementing regulations ("CCPA"); and (vi) any amendments and successors to the above data protection laws or any newly enacted applicable data protection laws.

Avalara processes and documents customer data at our direction. Customer data may only be used for the agreed purpose. The Avalara Data Processing Agreement is incorporated by this reference and can be found at https://www.avalara.com/GDPR-DPA. Avalara may use subcontractors to fulfill its obligations under the Agreement. Avalara will take commercially reasonable steps to ensure that such subcontractors implement and maintain appropriate security measures when handling Customer Data, personal information, or confidential information.

3.8 PSP (Payment Service Provider)

Applicable to our web store in the United States (Link: https://www.sarstedt.com/en/US)

Payment via Stripe and EVO Payments is possible on this website.

We transmit personal data such as bank details or credit card numbers to EVO Payments, Inc., 10 Glenlake Parkway, South Tower Suite 950, Atlanta, Georgia 30328, USA.This type of processing is necessary to verify and process the payment instruction arranged to fulfill the contract you have entered into with us. The legal basis for this is Art. 6 (1) (b) GDPR. For more information, please refer to EVO's privacy policy: https://www.evopayments.eu/en/data-protection.

If you wish to make payment for our services online, we use the services of Stripe, Inc., 354 Oyster Point Boulevard, South San Francisco, California 94080, USA ("Stripe") for our payment processing on the basis of Art. 6 (1) lit. f GDPR (legitimate interest). Unless otherwise specified, Stripe acts as a data processor and its affiliates ("Stripe Payments Europe Limited," "Stripe Technology Europe Limited," and "Stripe Payments UK Limited") act as sub-processors. During the payment process, if you choose to pay with your credit card, you will be asked to enter your card information, which will be securely transmitted to Stripe and processed by Stripe. Stripe may use your personal data (e.g., credit card number, amount, and date of payment) to process and authenticate online payment transactions. During the transaction, Stripe may receive and process personal information about you obtained through the Services or from third parties to determine your identity and prevent fraudulent activity. The legal basis for such processing by Stripe (as the controller) is Art. 6 (1) (c) and (f) GDPR (legitimate interest). In addition, if you wish to receive a receipt for your payment transaction from Stripe, you may choose to enter your name, email address, and billing address. This information will be securely transmitted to Stripe and processed based on Art. 6 (1) (a) GDPR (consent). Stripe may transfer your personal data to third countries, including the United States. For information about the measures Stripe takes to ensure that such transfers comply with applicable data protection laws, please visit https://stripe.com/privacy-center/legal#data-transfers. Stripe may also set cookies to facilitate the transaction (see section 2.1 lit. b). For more information about how Stripe processes your personal data, please refer to Stripe's privacy policy. This can be found here: Privacy Policy (stripe.com)

b) Valid for our web shop in Ireland (link: https://www.sarstedt.com/en/IE

If you wish to pay for our services online, we use the services of Stripe, Inc., 354 Oyster Point Boulevard, South San Francisco, California 94080, USA ("Stripe") for our payment processing on the basis of Art. 6 para. 1 lit. f GDPR (legitimate interest). Unless otherwise specified, Stripe acts as a data processor and its affiliates ("Stripe Payments Europe Limited," "Stripe Technology Europe Limited," and "Stripe Payments UK Limited") act as sub-processors.

If you choose to pay by credit card, you will be asked to enter your card details during the payment process. These will be securely transmitted to Stripe and processed by them. Stripe may use your personal data (e.g., credit card number, amount, and date of payment) to process and authenticate online payment transactions. During the transaction, Stripe may receive and process personal information about you obtained through the services or from third parties in order to determine your identity and prevent fraudulent activity. The legal basis for such processing by Stripe (as controller) is Art. 6 (1) lit. c and f GDPR (legitimate interest).

If you would like to receive a receipt for your payment transaction from Stripe, you can enter your name, email address, and billing address. This information will be securely transmitted to Stripe and processed based on Art. 6 (1) (a) GDPR (consent).

Stripe may transfer your personal data to third countries, including the United States. For information on the measures Stripe takes to ensure that such transfers comply with applicable data protection laws, please visit https://stripe.com/privacy-center/legal#data-transfers. Stripe may also set cookies to facilitate the transaction (see Section 2.1 lit. b). For more information about how Stripe processes your personal data, please refer to Stripe's privacy policy. This can be found here: Privacy Policy (stripe.com)

3.9 Trusted Shops (Trustbadge / Widgets)

We use the Trusted Shops Trustbadge on our website to display reviews, buyer protection, and the Trusted Shops seal of approval. Access data such as IP address, date, and time of access are automatically logged. This data is not evaluated and is deleted no later than seven days after your visit.

If you register for Trusted Shops products after placing an order, Trusted Shops processes personal data on the basis of the contractual agreement to provide buyer protection and to process review requests.

The processing is carried out by Trusted Shops GmbH, Subbelrather Straße 15C, 50823 Cologne, Germany. Trusted Shops ensures that an appropriate level of data protection is maintained.

Further information on Trusted Shops' data protection can be found here: https://www.trustedshops.de/impressum-datenschutz/

3.10 Google Analytics

If you have given your consent, this website uses Google Analytics, a web analytics service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google"). The use includes the "Universal Analytics" operating mode. This makes it possible to assign data, sessions, and interactions across multiple devices to a pseudonymous user ID and thus analyze a user's activities across devices.

Google Analytics uses "cookies," which are text files placed on your computer, to help the website analyze how users use the site. The info generated by the cookie about your use of the website will generally be transmitted to and stored by Google on servers in the United States. However, if IP anonymization is activated on this website, your IP address will be truncated by Google within member states of the European Union or in other states party to the Agreement on the European Economic Area. We would like to point out that on this website, Google Analytics has been extended to include IP anonymization in order to ensure anonymous collection of IP addresses (so-called IP masking). The IP address transmitted by your browser within the scope of Google Analytics is not merged with other Google data. For more information on terms of use and data protection, please visit https://www.google.com/analytics/terms/de.html or https://policies.google.com/?hl=de.

We use Google Signals. When you visit our website, Google Analytics collects your location, search history, YouTube history, and demographic data (visitor data), among other things. This data can be used for personalized advertising with the help of Google Signals. If you have a Google account, Google Signals links the visitor data to your Google account and uses it for personalized advertising messages. The data is also used to create anonymous statistics on the user behavior of our users.

Purposes of processing
On behalf of the operator of this website, Google will use this information to evaluate your use of the website, to compile reports on website activity, and to provide other services related to website activity and internet usage to the website operator.

Legal basis
The legal basis for the use of Google Analytics is your consent in accordance with Art. 6 (1) (a) GDPR.

Recipients/categories of recipients
The recipient of the collected data is Google.

Transfer to third countries
The personal data is transferred to the USA under the EU-US Privacy Shield on the basis of the adequacy decision of the European Commission. You can view the certificate here here.

Duration of data storage
The data we send and link to cookies, user IDs (e.g., user ID) or advertising IDs is automatically deleted after 14 months. Data that has reached its retention period is automatically deleted once a month.

Rights of data subjects
You can revoke your consent at any time with future effect by preventing the storage of cookies through a corresponding setting in your browser software; however, we would like to point out that in this case you may not be able to use all functions of this website to their full extent.

You can also prevent Google from collecting the data generated by the cookie and relating to your use of the website (including your IP address) and from processing this data by downloading and installing the browser add-on . Opt-out cookies prevent the future collection of your data when you visit this website. To prevent Universal Analytics from collecting data across different devices, you must opt out on all systems you use. If you click here, the opt-out cookie will be set:

Disable Google Analytics

3.11 Amazon Cloud Front

The provider is Amazon Web Services EMEA SÀRL, 38 Avenue John F. Kennedy, 1855 Luxembourg (hereinafter AWS).

When you visit our website, your personal data is processed on AWS servers. In this context, personal data may also be transferred to the parent company of AWS in the USA. Data transfer to the USA is based on the EU standard contractual clauses. Details can be found here: https://aws.amazon.com/de/blogs/security/aws-gdpr-data-processing-addendum/.

For further information, please refer to the AWS privacy policy: https://aws.amazon.com/de/privacy/?nc1=f_pr.

The use of AWS is based on Art. 6 (1) lit. f GDPR. We have a legitimate interest in ensuring that our website is as reliable as possible. If consent has been requested, processing is carried out exclusively on the basis of Art. 6 (1) lit. a GDPR and § 25 (1) TDDDG, insofar as the consent includes the storage of cookies or access to information on the user's terminal device (e.g., device fingerprinting) within the meaning of the TDDDG. Consent can be revoked at any time.

The company is certified under the EU-US Data Privacy Framework (DPF). The DPF is an agreement between the European Union and the US that is intended to ensure compliance with European data protection standards when processing data in the US. Every company certified under the DPF undertakes to comply with these data protection standards. Further information on this is available from the provider at the following link: https://www.dataprivacyframework.gov/s/participant-search/participant-detail?contact=true&id=a2zt0000000TOWQAA4&status=Active

4. Contact form and email contact

Our website features various contact forms that can be used to contact us electronically. If a user takes advantage of this option, the data they enter in the input mask will be transmitted to us and stored:

• Title (optional)

• Title (optional)

• First name

• Last

• Company

• Customer number (optional)

• Item number (optional)

• Charge (optional)

• Address (street, city, postal code) (optional)

• State

• Phone number

• Email address

• Free field for individual text

• User's IP address

• Date and time of submission.

By filling out the contact form, you consent to the processing of the data you have provided. Alternatively, you can contact us via the email address provided.

In this case, we will store the user's personal data transmitted with the email. The legal basis for the processing of the data is Art. 6 (1) (a) GDPR if the user has given their consent. If the personal data is transmitted in the context of sending an email, the legal basis is Art. 6 (1) (f) GDPR. If the purpose of the contact is to conclude a contract, the legal basis is Art. 6 (1) (b) GDPR. The data will be used exclusively for processing the contact and subsequent communication. In this context, the data will not be passed on to third parties. The personal data from the input mask of the contact form and those sent by email will be deleted when the respective communication with the user has ended, i.e. as soon as it can be inferred from the circumstances that the matter in question has been conclusively clarified. The additional personal data collected during the sending process will be deleted after a period of 30 days at the latest.

The user has the option of revoking their consent to the processing of personal data at any time. If the user contacts us by email, they can object to the storage of their personal data at any time. In such a case, the contact request cannot be processed or the communication cannot be continued. All personal data stored in the course of establishing contact will be deleted in this case.

5. Google Maps

Our websites use Google Maps API to visually display geographic information. When using Google Maps, Google also processes data about the use of the Maps functions by users of the websites. More detailed information about data processing by Google can be found in Google's privacy policy at https://policies.google.com/privacy?hl=de .

6. Newsletter

You can subscribe to a free newsletter on our websites. If you subscribe to our newsletter, we will process the following personal data:

• Title (optional)

• First name, last name (optional)

• State

• Email address

• Field of activity (optional)

• Areas of interest (optional)

• IP address of the accessing computer

• Date and time of registration.

The user's consent is obtained during the registration process for the processing of the data and reference is made to this privacy policy. In connection with the processing of data for the purpose of sending newsletters, no data is passed on to third parties. The data is used exclusively for the purpose of sending the newsletter. The legal basis for the processing of personal data after registration for the newsletter is Art. 6 (1) (a) GDPR. The user's personal data will be stored by us for as long as the newsletter subscription is active. The subscription can be canceled at any time by clicking on the corresponding link contained in each newsletter. The personal data will then be deleted immediately.

7. Social media

We maintain an online presence on the LinkedIn platform, which is operated by LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland ("LinkedIn").

7.1 Company page on LinkedIn

We use our LinkedIn company page to communicate with users, provide information about our company and our services, and to recruit personnel.

Joint responsibility (Art. 26 GDPR) We are jointly responsible with LinkedIn for the processing of personal data in connection with visits to our LinkedIn page. The relevant agreement in accordance with Art. 26 GDPR can be found at: https://legal.linkedin.com/pages-joint-controller-addendum

LinkedIn processes users' personal data (e.g., IP address, device information, interactions, usage behavior) and provides us with anonymized statistics on page activity ("Page Insights"). Further information on data processing by LinkedIn can be found at: https://www.linkedin.com/legal/privacy-policy

Legal basis: Data processing is based on Art. 6 (1) lit. f GDPR (legitimate interest in effective public relations and communication with interested parties, customers, and applicants). If LinkedIn obtains consent (e.g., via account settings), processing is based on Art. 6 (1) lit. a GDPR.

7.2 LinkedIn Ads

We use LinkedIn Ads, an advertising service offered by LinkedIn, to place targeted advertisements and analyze the effectiveness of our campaigns. LinkedIn may create pseudonymous usage profiles to display interest-based advertising to you within and outside the platform.

rocessed data:

• Device and browser information

• IP address

• Interaction data (clicks, views, conversions)

• Professional characteristics (e.g., industry, position—if stored in the profile)

Legal basis
Processing is carried out exclusively on the basis of your consent in accordance with Art. 6 (1) (a) GDPR via our consent management tool. You can revoke your consent at any time with future effect.

7.3 LinkedIn Insight Tag

Our website uses the LinkedIn Insight Tag, an analytics and conversion tracking tool from LinkedIn. The Insight Tag enables us to measure the success of our LinkedIn campaigns and to place target group-based advertising (retargeting).

When you visit our website, a connection is established to LinkedIn's servers. LinkedIn collects, among other things, your IP address, device information, usage behavior on our website, and, if applicable, your LinkedIn member ID (if you are logged into your LinkedIn account). This data is encrypted, pseudonymized within seven days, and deleted after 90 days.

Legal basis
The LinkedIn Insight Tag is only used with your consent in accordance with Art. 6 (1) (a) GDPR. You can revoke your consent at any time via our cookie/consent tool.

Data transfer
Data processing generally takes place within the European Union. Transfer to third countries (in particular the USA) cannot be ruled out. In such cases, the transfer is based on EU standard contractual clauses (Art. 46 GDPR).

Further information
LinkedIn privacy policy: https://www.linkedin.com/legal/privacy-policy Information about the Insight Tag: https://www.linkedin.com/help/linkedin/answer/a427660

8. Security

SARSTEDT uses technical and organizational security measures to protect users' personal data against accidental or intentional manipulation, loss, destruction, or access by unauthorized persons. Our security measures are continuously improved in line with technological developments.

9. Rights of the data subject

If SARSTEDT processes your personal data, you are a data subject in accordance with Art. 4 No. 1 GDPR and have the following rights vis-à-vis SARSTEDT:

9.1. Right to information

In accordance with Art. 15 GDPR, you can request confirmation from us as to whether we process personal data relating to you. If we process your personal data, you can request the following information from us:

• the purposes of processing;

• the categories of your personal data that we process;

• the recipients or categories of recipients to whom we have disclosed or will disclose your personal data;

• (if possible) the planned duration for which we will store your personal data or, if this is not possible, the criteria for determining the storage period;

• the existence of a right to rectification or erasure of personal data concerning you, a right to restriction of processing by us, or a right to object to such processing;

• the existence of a right to lodge a complaint with a supervisory authority;

• any available information on the origin of the data, if the personal data was not collected from you;

• the existence of automated decision-making, including profiling (Art. 22 (1) and (4) GDPR) and, at least in these cases, meaningful information about the logic involved, as well as the significance and the intended consequences of such processing for you.

You have the right to request information about whether personal data concerning you is transferred to a third country or to an international organization. In this context, you may request to be informed about the appropriate safeguards pursuant to Art. 46 GDPR in connection with the transfer.

9.2. Right to rectification

In accordance with Art. 16 GDPR, you have the right to request that we correct and/or complete inaccurate personal data concerning you.

9.3. Right to erasure

You may request that we delete your personal data immediately in accordance with Art. 17 GDPR. We are obliged to delete your data immediately if one of the following reasons applies:

Your personal data is no longer necessary for the purposes for which it was collected or otherwise processed.

You withdraw your consent on which we base the processing pursuant to Art. 6 (1) (a) GDPR or Art. 9 (2) (a) GDPR, and there is no other legal basis for the processing.

You object to the processing pursuant to Art. 21 (1) GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Art. 21 (2) GDPR.

Your personal data has been processed unlawfully.

The erasure of your personal data is necessary to comply with a legal obligation under Union law or the law of the Member States to which we are subject.

Your personal data has been collected in relation to information society services offered in accordance with Art. 8 (1) GDPR.

If we have made your personal data public and are obliged to erase it in accordance with Art. 17 (1) GDPR, we shall take reasonable measures, including technical measures, taking into account the available technology and implementation costs, to inform the controllers who process the personal data that you, as the data subject, have requested them to delete all links to your personal data or copies or replications of your personal data.

The right to erasure does not apply if the processing is necessary

• to exercise the right of freedom of expression and information;

• to fulfill a legal obligation to which we are subject or to perform a task carried out in the public interest or in the exercise of official authority vested in us;

• for reasons of public interest in the area of public health (Art. 9 (2) (h) and (i) and Art. 9 (3) GDPR);

• for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes pursuant to Art. 89 (1) GDPR, insofar as the aforementioned right is likely to render impossible or seriously impair the achievement of the objectives of such processing, or

• for the establishment, exercise, or defense of legal claims.

9.4. Right to restriction of processing

Under the following conditions, you may request the restriction of the processing of your personal data in accordance with Art. 18 GDPR:

• if you dispute the accuracy of your personal data for a period of time that allows us to verify the accuracy of the personal data;

• if the processing is unlawful and you oppose the erasure of the personal data and request the restriction of its use instead;

• if we no longer need your personal data for the purposes of processing, but you need it to assert, exercise, or defend legal claims; or

• if you have objected to the processing pursuant to Art. 21 (1) GDPR and it is not yet clear whether our legitimate reasons outweigh your reasons.

If the processing of your personal data has been restricted, this data may – apart from its storage – only be processed with your consent or for the assertion, exercise, or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or a Member State. If the restriction of processing has been restricted in accordance with the above conditions, we will inform you before the restriction is lifted.

9.5. Right to be informed

If you have asserted your right to rectification, erasure, or restriction of processing against us, we are obliged under Art. 19 GDPR to notify all recipients to whom we have disclosed your personal data of this fact, unless this proves impossible or involves disproportionate effort. You have the right to be informed by us about these recipients.

9.6. Right to data portability

Pursuant to Art. 20 GDPR, you have the right to receive your personal data that you have provided to us in a structured, commonly used, and machine-readable format. You also have the right to transmit this data to another controller without hindrance from us, provided that

• the processing is based on consent (Art. 6 (1) (a) GDPR or Art. 9 (2) (a) GDPR) or on a contract pursuant to Art. 6 (1) (b) GDPR, and

• the processing is carried out using automated procedures.

In exercising this right, you also have the right to have your personal data transferred directly from us to another controller, where technically feasible. This must not adversely affect the freedoms and rights of other persons. The right to data portability does not apply to the processing of personal data that is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us.

9.7. Right to object

Pursuant to Art. 21 GDPR, you have the right to object at any time, on grounds relating to your particular situation, to the processing of your personal data based on Art. 6(1)(e) or (f) GDPR; this also applies to profiling based on these provisions. We will then no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or the processing serves to assert, exercise, or defend legal claims.

9.8. Right to revoke the data protection consent declaration

You have the right to revoke your declaration of consent under data protection law at any time. The revocation of consent does not affect the lawfulness of the processing carried out on the basis of the consent until revocation, Art. 7 GDPR.

9.9. Automated decision-making in individual cases, including profiling

Pursuant to Art. 22 GDPR, you have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This does not apply if the decision

• is necessary for the conclusion or performance of a contract between you and us,

• is authorized by Union or Member State law to which we are subject and that law provides for appropriate measures to safeguard your rights and freedoms and legitimate interests, or

• is based on your explicit consent.

9.10. Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, pursuant to Art. 77 of the GDPR, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, your place of work or the place of the alleged infringement, if you consider that the processing of your personal data by us infringes the GDPR.

10. Responsibility for external content and information

Our websites contain links to external providers' websites. When setting the links, we checked the content of external providers' websites to ensure that they did not violate any applicable civil or criminal laws. However, it cannot be ruled out that this content may have been changed by the respective providers since then.

If you believe that linked external sites violate applicable law or contain other inappropriate content, please notify us. We will review your report and remove the external link if necessary. SARSTEDT is not responsible for the content and availability of linked external websites.

Our privacy policy does not apply to links to websites of external providers, even if these can be accessed via a link on our website.

10.1 Integration of YouTube videos

Videos from the YouTube platform are embedded on our website. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google").

When you visit a page with an embedded YouTube video, a connection to the YouTube servers is established. The YouTube server is informed which of our pages you have visited. If you are logged into your YouTube account, YouTube can assign your surfing behavior directly to your personal profile.

We use YouTube in what is known as "extended data protection mode."According to YouTube, this means that no cookies are set before you actively play the video. Only when the video is started can further data processing operations be triggered, over which we have no influence.

Legal basis
The integration is based on your consent in accordance with Art. 6 (1) (a) GDPR, granted via our consent management tool. You can revoke your consent at any time with effect for the future.

Data transfer
Google may transfer personal data to third countries (in particular the USA). The transfer is based on the EU standard contractual clauses pursuant to Art. 46 GDPR and, where applicable, within the framework of the EU-U.S. Data Privacy Framework.

For more information, please refer to Google's privacy policy at: https://policies.google.com/privacy?hl=de

11. Processing of personal data of children and young people

Our website is not intended for persons under the age of 16. In accordance with Art. 8 GDPR, the data of persons under the age of 16 will only be processed if their legal representatives have expressly consented to this. The child's legal representatives have the right to view the information provided by the child upon request and/or to request the deletion of this data.

12. Inclusion and validity of the privacy policy

By using our websites, you consent to the data processing described above. This privacy policy applies only to the web content of SARSTEDT. Other data protection and data security provisions apply to linked external content. You can find out who is responsible for these offers in the respective legal notice.

Due to the further development of our websites or the implementation of new technologies, it may become necessary to amend this privacy policy. We therefore reserve the right to amend the privacy policy at any time with future effect. The version available at the time of your visit to the website shall always apply.

Date: January 2026