Privacy Statement

This website is owned and operated by:

4SREM S.à r.l. with registered office at:

19, Rue de Flaxweiler
L-6776 Grevenmacher
Luxembourg

Responsible Data Controller:

Patrick Schulz

email: info@4srem.eu

Tel: +352 621 268 358

General Information on Data Collection & Processing

The following gives an overview of what happens to your personal information when you visit our website (Privacy Notice Part 1) or you register in our embedded application management system (Privacy Notice Part 2) or you provide data to us in any other form (Privacy Notice Part 3). Furthermore, we give an overview about how we collect and analyze data from other sources if applicable (Privacy Notice Part 4). The Status of this privacy policy can be checked here (Privacy Notice Part 5). Personal information is any data with which you can potentially be personally identified. Please also check the latest Version of the EU General Data Protection Regulation (GDPR).

Status of this privacy policy

This privacy policy may be amended from time to time. Please use this page to keep informed as we post any changes here.

Data protection

The operator of these pages take the protection of your personal data very seriously. We treat your personal data confidentially and in accordance with the statutory data protection regulations and this data protection declaration. When you use this website, various personal data are collected. Personal data is data with which you can be personally identified. This privacy policy explains what data we collect and what we use it for. It also explains how and for what purpose this is done.We would like to point out that data transmission on the Internet (e.g. communication by e-mail) can have security gaps. Complete protection of the data against access by third parties is not possible.

How do we collect your data?

On the one hand, your data is collected when you provide it to us. This can be, for example, data that you enter in our contact form, data you provide through our embedded application management system or data you sent to us by email. Other data is collected automatically or with your consent by our IT systems when you visit the website. This is mainly technical data (e.g. internet browser, operating system or time of page view). This data is collected automatically as soon as you enter this website.

What rights do you have regarding your data?

You have the right at any time to receive information free of charge about the origin, recipient and purpose of your stored personal data. You also have a right to request the correction or deletion of this data. If you have given your consent to data processing, you can revoke this consent at any time for the future. You also have the right to request the restriction of the processing of your personal data under certain circumstances. Furthermore, you have the right to lodge a complaint with the competent supervisory authority. You can contact the data controller at any time with regard to this and other questions on the subject of data protection.

Business related processing

We process our clients’ data within the scope of our contractual services, which include HR Consulting, Development, Recruitment, Coaching and Marketing Services.

In doing so, we process contact data (e.g., e-mail, telephone numbers), content data (e.g., text entries, photographs, videos), contract data (e.g., subject matter of the contract, term), payment data (e.g., bank details, payment history), usage and metadata (e.g., in the context of evaluating and measuring the success of marketing measures). As a matter of principle, we do not process special categories of personal data, unless they are part of a commissioned processing operation. Data subjects include our customers, prospective customers and their customers, users, website visitors or employees, and third parties. The purpose of the processing is to provide contractual services, billing and our customer service. The legal basis for the processing results from Art. 6 para. 1 lit. b GDPR (contractual services), Art. 6 para. 1 lit. f GDPR (analysis, statistics, optimisation, security measures). We process data that are required for the justification and fulfilment of the contractual services and point out the necessity of their provision. Disclosure to external parties only takes place if it is required as part of an assignment. When processing the data provided to us within the scope of an order, we act in accordance with the instructions of the client as well as the legal requirements of a commissioned processing pursuant to the German Data Protection Act. Art. 28 GDPR and do not process the data for any other purposes than those specified in the order.

We delete the data after statutory and comparable obligations. the necessity of retaining the data is reviewed every three years; in the case of statutory archiving obligations, deletion takes place after their expiry.

Objection to advertising e-mails

The use of contact data published within the framework of the imprint obligation for the transmission of advertising and information material not expressly requested is herewith objected to. The operators of the pages expressly reserve the right to take legal action in the event of the unsolicited sending of advertising information, for example by spam e-mails.

Part 1: Data Collection & Processing on our Website

1.1. Host

This website is hosted by Squarespace Inc. Squarespace collects personal data when you visit this website (including: Information about your browser, network and device, Web pages you visited prior to coming to this website, Web pages you view while on this website,Your IP address). Squarespace needs the data to run this website, and to protect and improve its platform and services. Squarespace analyzes the data in a de-personalized form. The host is used for the purpose of fulfilling the contract with our potential and existing clients (Art. 6 (1)(b) GDPR) and in the interest of a secure, fast and efficient provision of our online offer by a professional provider (Art. 6 (1)(f) GDPR). Our host will only process your data insofar as this is necessary for the fulfilment of its service obligations and will follow our instructions with regard to this data.

The host is certified according to the "EU-US Data Privacy Framework" (DPF). The DPF is an agreement between the European Union and the USA, which is intended to ensure compliance with European data protection standards for data processing in the USA. Any company certified under the DPF undertakes to comply with these data protection standards. For more information, please contact the provider at the following link https://www.dataprivacyframework.gov/participant/4774

1.2. Cookies

This website uses cookies and similar technologies, which are small files or pieces of text that download to a device when a visitor accesses a website or app. For information about viewing the cookies dropped on your device, visit The cookies Squarespace uses.

• These necessary and required cookies are always used, which allow Squarespace, our hosting platform, to securely serve this website to you.

• These analytics and performance cookies are used on this website, as described below, only when you acknowledge our cookie banner. This website uses analytics and performance cookies to view site traffic, activity, and other data.

1.3. Marketing emails

We may send you marketing emails, which you can unsubscribe from by clicking the link at the bottom of the email. We share your contact information with Squarespace, our email marketing provider, so they can send these emails on our behalf.

Part 2: Data Collection & Processing through our embedded Applicant Management System

With this policy section we inform you as the responsible party in accordance with Art. 4 No. 7 GDPR about which personal data we collect as part of the recruitment and application management process and for what purpose the data is used. This policy section applies to our applicant and recruiting system operated by softgarden on our behalf.

2.1. Data Processor

We use an applicant and recruiting software of softgarden e-Recruiting GmbH, Tauentzienstr.14, 10789 Berlin (hereinafter softgarden). Softgarden processes the data on behalf of the data controller and always acts in accordance with his instructions. You can contact the data protection officer of softgarden at the following e-mail address: datenschutz@softgarden.de.

2.2. Location of data processing

softgarden operates an IT infrastructure at its administrative offices in Berlin and Saarbrucken, as well as in the data processing centres operated by the following service providers

• myLoc managed IT AG

• PlusServer GmbH

• Equinix GmbH

The data centres are located at the server site in Germany and are ISO27001 certified. In addition, processing may be carried out by subcontractors and integrated services, which are referred to separately in this data protection notice.

2.3. Object of the data protection

The object of data protection is personal data. According to Art. 4 No. 1 of the GDPR, this is any information relating to an identified or identifiable natural person (hereinafter "data subject"). This includes, for example, information such as name, postal address, e-mail address or telephone number as well as usage and personal/employees data. Usage data is data that is required to use and operate our websites, such as information about the beginning, end and extent of the use of our website and login data. In addition, in the context of the provision of services, data is collected that is processed in the context of recruiting and applicant management and is described in this data protection declaration.

2.4 Automated processing (Website/Account)

For operational and maintenance purposes as well as in accordance with the provisions of telemedia law, interaction is recorded ("system logs"), which are necessary for the operation of the website or processed for system security purposes, for example to analyse attack patterns or unlawful usage behaviour ("evidence function"). When accessing and accessing softgarden's products, your internet browser automatically transmits the following data for technical reasons:

• Date and time of access,

• browser type and version,

• operating system used,

• amount of data sent,

• IP address of the access,

• user name,

• login attempts,

• Geographical allocation.

This data is not used for direct allocation within the scope of applicant management and is deleted again promptly in accordance with the legitimate retention periods, unless longer retention is required for legal or factual reasons, such as for evidence purposes. In individual cases, storage for the above-mentioned purposes may be considered. The legal basis is Art. 6para. 1 lit. f GDPR.

softgarden uses the services of the ISO 27001 certified provider Cloudflare Inc., 101 Townsend St, San Francisco, USA and its subsidiary Cloudflare Germany GmbH, Rosental 7, c/o Mindspace, 80331 Munich, Germany ("Cloudflare") to increase the security of the platform, especially for protection against DDoS attacks, and to improve delivery speed. Cloudflare offers a network of servers that is able to deliver optimized content to the end user and intercept virus-laden traffic. The services provided by Cloudflare include the "Data Localisation Suite" product with the "Regional Services" and "Metadata Boundary for Customers" components. Both components ensure that the transfer of personal data when using our platform takes place exclusively within the EU. The "Regional Services" ensure that customer content traffic, in this case end-user traffic, is securely transferred to Cloudflare PoPs within the region selected by softgarden and is inspected within a Point of Presence (PoP) in that defined region. softgarden has selected Germany as the selected region, so all traffic is inspected exclusively on servers in Germany. Metadata Boundary ensures that Cloudflare does not transfer customer logs originating from the services it uses outside of the European Union. The personal data processed by Cloudflare includes all content submitted by customers and applicants, i.e. beyond the IP address, all files (application documents) and multimedia images, graphics, audio or video, as well as every interaction of their browser with the softgarden system.  Cloudflare is the recipient of your personal data and acts as a processor for softgarden. This corresponds to the legitimate interest within the meaning of Art. 6 (1) sentence 1 (f) GDPR to ensure security and security as well as user-friendliness on the platform. Your personal data will be stored by Cloudflare for as long as necessary for the purposes described, usually 124 calendar days.

2.5. Recruiting & Application process

As part of the Recruiting & application process, you can set up and manage an account in the career portal after configuring your username and password. In addition to the individual application, you can use other options in the softgarden applicant management system and make your individual settings and choices (e.g. admission to a specific Leadership pool). For an efficient and promising application, you can provide the following information as part of your application to us:  Contact details (address, telephone number) CV data e.g.  School education,  Vocational training Professional experience, Language skills, Profiles in social networks (e.g. XING, LinkedIn, Facebook) Documents related to applications (application photos, cover letters, references, job references, work samples, etc.)  The legal basis for processing for the purposes of conducting the recruiting & application process and initiating an employment relationship is Art. 6 I b) GDPR. In addition, the use of the applicant management system by the controller is in the legitimate interest pursuant to Art. 6 para. 1 lit. f) GDPR. If consent within the meaning of Art. 6 para. 1 lit. a) is required for a certain processing activity, this will be obtained separately and transparently from you by the data controller, unless this results from conclusive and voluntary conduct on your part in accordance with the transparency requirement, such as voluntary participation in a video interview.

2.6 Disclosure of data

Your data will not be passed on to unauthorized third parties in the context of applicant management and will be processed for the purposes specified in this privacy policy. Thus, inspection by internal bodies and specialist managers of the data controller is in the legitimate interest, insofar as knowledge of the information from the application procedure is necessary and permissible for the selection of applicants or internal administrative purposes of the company. For this purpose, your information may be forwarded to third parties in the company by e-mail or within the management system. The legal basis can be Art. 6 para. 1 lit. f) and a) GDPR.

The transfer to third parties also takes place within the framework of order processing in accordance with Art. 28 GDPR, i.e. in the context of processing activities in which the data controller has a legitimate interest in outsourcing processing activities that it would otherwise be entitled to carry out itself. To this end, the Controller shall take the necessary measures to ensure compliance with data protection regulations. Disclosure to external third parties may also be made to defend legal claims based on legitimate interest or in the context of the investigation of or disclosure to government agencies, insofar as this is required by law or there is an obligation to disclose. The information obligations towards data subjects within the meaning of Art. 13, 14 GDPR are guaranteed in advance of the relevant disclosure, insofar as these are to be fulfilled separately.

2.7. Client Recruiting

To bring you to the attention of our clients, there is the opportunity for you to be included in our regional Expert & Leadership Pools. Inclusion in the Expert & Leadership Pool is based solely on your explicit consent (Art. 6 para. 1 lit. a GDPR). Giving consent is voluntary and is not related to any ongoing application process. The affected individual can revoke their consent at any time. In this case, the data from the Pool will be irreversibly deleted unless there are legal retention requirements. With your consent, we can also create an anonymous profile of you in order to check job opportunities and qualification requirements in advance with your regional preferences.

Before introducing your complete application profile to clients of interest, we will ask for your final consent. With your consent we can introduce your applicant profile to potential employers of your choice. Your applicant profile will be presented in a standardized format which includes an individual cover letter and a CV as well as other documents you have given consent. Furthermore, we will write to you after 6 months to ask if you still want to be part of the Expert & Leadership pool.

2.8. Deletion and use of data

Your data will be stored for the duration of the application process and in accordance with the legitimate retention periods after the application process has been completed. In case of cancellation, the data [deletion interval rejection pool] will be kept for 6 months. After the settings have been made, the data is kept for 9 months[deletion interval hire pool]. After the retention period has expired, the data will be completely anonymized. The processing of anonymised data sets is not subject to the material scope of the data protection provisions, so that anonymised data may be processed for statistical and analytical purposes, for the preparation of market studies or for product development.

2.9. Rights of data subjects

Data subjects are entitled to know at any time whether their personal data has been stored and can assert a right of access to stored data (right of access), check its accuracy (right to rectification), request its completion and update, request its deletion (right to be forgotten), request the restriction of processing (right to restriction) and have the data ported/ported in a common, machine-readable format (Data portability). These rights apply unless there are compelling and/or justified reasons to the contrary on the part of the controller. To do so, please contact the responsible data controller by email or by post at the address above. In cases where we process data on the basis of your consent (Art. 6 para. 1 lit. a) GDPR), you have the right to revoke your consent at any time without giving reasons and with effect for the future. The corresponding data processing will then no longer take place in the future, but will not affect the lawfulness of the processing carried out up to the time of revocation. In addition, you have the right to object to processing, for example if the data is or has been processed in error, or if other reasons in the interest of the data subject oppose (further) processing. Data subjects also have the right to complain to the supervisory authority responsible for data processing. Please note that in the event of an objection and/or revocation, certain services/processing activities cannot be carried out or used if the processing is necessary for these purposes.

Part 3: Data Collection & Processing through any other form

3.1. Requests by email, telephone or fax

If you contact us by e-mail, telephone or fax, your enquiry including all resulting personal data (name, enquiry) will be stored and processed by us for the purpose of processing your request. We will not pass on this data without your consent. The processing of this data is based on Art. 6 (1) lit. b DSGVO if your request is related to the performance of a contract or is necessary for the implementation of pre-contractual measures. In all other cases, the processing is based on our legitimate interest in the effective processing of the enquiries addressed to us (Art. 6 para. 1 lit. f DSGVO) or on your consent (Art. 6 para. 1 lit. a DSGVO) if this has been requested; the consent can be revoked at any time. The data you send to us via contact requests will remain with us until you request us to delete it, revoke your consent to store it or the purpose for storing the data no longer applies (e.g. after we have completed processing your request). Mandatory statutory provisions - in particular statutory retention periods - remain unaffected.

3.2. Linkedin

This website uses elements of the LinkedIn network. The provider is LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland. Each time a page of this website containing elements from LinkedIn is accessed, a connection to LinkedIn servers is established. LinkedIn is informed that you have visited this website with your IP address. If you click the LinkedIn "Recommend" button and are logged into your LinkedIn account, it is possible for LinkedIn to associate your visit to this website with you and your user account. We would like to point out that we, as the provider of the pages, have no knowledge of the content of the transmitted data or its use by LinkedIn. Insofar as consent has been obtained, the above-mentioned service is used on the basis of Art. 6 Para. 1 lit. a GDPR. The consent can be revoked at any time. Insofar as no consent has been obtained, the use of the service is based on our legitimate interest in achieving the greatest possible visibility in social media.

Data transfer to the USA is based on the standard contractual clauses of the EU Commission. You can find details here: https://www.linkedin.com/help/linkedin/answer/62538/datenubertragung-aus-der-eu-dem-ewr-und-der-schweiz?lang=de

For more information, please see LinkedIn's privacy policy at: https://www.linkedin.com/legal/privacy-policy.

3.3. Audio and Video Conferencing

One of the tools we use to communicate with our clients is online conferencing. The individual tools we use are listed below. If you communicate with us by video or audio conference via the Internet, your personal data will be collected and processed by us and the provider of the respective conference tool. The conference tools collect all data that you provide/enter to use the tools (e-mail address and/or your telephone number). Furthermore, the conference tools process the duration of the conference, start and end (time) of participation in the conference, number of participants and other "contextual information" related to the communication process (metadata). Furthermore, the provider of the tool processes all technical data that is required to handle the online communication. This includes in particular IP addresses, MAC addresses, device IDs, device type, operating system type and version, client version, camera type, microphone or loudspeaker and the type of connection. If content is shared, uploaded or otherwise made available within the tool, it will also be stored on the servers of the tool providers. Such content includes, but is not limited to, cloud recordings, chat/instant messages, voicemails, uploaded photos and videos, files, whiteboards and other information shared while using the service. Please note that we do not have full influence on the data processing procedures of the tools used. Our options are largely determined by the corporate policy of the respective provider. For further information on data processing by the conference tools, please refer to the data protection statements of the respective tools used, which we have listed below this text.

PURPOSE AND LEGAL BASIS of the conference tools: The conference tools are used to communicate with prospective or existing contractual partners or to offer certain services to our customers (Art. 6 para. 1 lit. b GDPR). Furthermore, the use of the tools serves the general simplification and acceleration of communication with us or our company (legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR). Insofar as consent has been requested, the tools in question are used on the basis of this consent; consent can be revoked at any time with effect for the future.

STORAGE PERIOD of the conference tools: The data collected directly by us via the video and conference tools is deleted from our systems as soon as you request us to delete it, revoke your consent to store it or the purpose for storing the data no longer applies. Stored cookies remain on your terminal device until you delete them. Mandatory legal retention periods remain unaffected.

We have no influence on the storage period of your data, which is stored by the operators of the conference tools for their own purposes. For details, please contact the operators of the conference tools directly.

We use the following conference tools:

MICROSOFT TEAMS

We use Microsoft Teams. The provider is Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland. For details on data processing, please refer to the Microsoft Teams privacy policy: https://privacy.microsoft.com/de-de/privacystatement.

The company is certified according to the "EU-US Data Privacy Framework" (DPF). The DPF is an agreement between the European Union and the USA, which is intended to ensure compliance with European data protection standards for data processing in the USA. Any company certified under the DPF undertakes to comply with these data protection standards. For more information, please contact the provider at the following link: https://www.dataprivacyframework.gov/s/participant-search/participant-detail?contact=true&id=a2zt0000000KzNaAAK&status=Active

GOOGLE MEET

We use Google Meet. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. For details on data processing, please refer to Google's privacy policy: https://policies.google.com/privacy?hl=de.

The company is certified according to the "EU-US Data Privacy Framework" (DPF). The DPF is an agreement between the European Union and the USA, which is intended to ensure compliance with European data protection standards for data processing in the USA. Any company certified under the DPF undertakes to comply with these data protection standards. For more information, please contact the provider at the following link: https://www.dataprivacyframework.gov/s/participant-search/participant-detail?contact=true&id=a2zt000000001L5AAI&status=Active

ZOOM

We use Zoom. The provider is Zoom Communications,55 Almaden Blvd San Jose, CA 95113, USA. For details on data processing, please refer to Zoom privacy policy: https://www.zoom.com/de/trust/privacy/privacy-statement/

The company is certified according to the "EU-US Data Privacy Framework" (DPF). The DPF is an agreement between the European Union and the USA, which is intended to ensure compliance with European data protection standards for data processing in the USA. Any company certified under the DPF undertakes to comply with these data protection standards. For more information, please contact the provider at the following link: https://www.dataprivacyframework.gov/s/participant-search/participant-detail?contact=true&id=a2zt000000001L5AAI&status=Active

JOB PROCESSING

We have concluded a contract on order processing (AVV) for the use of the above-mentioned service. This is a contract required by data protection law, which ensures that this service only processes the personal data of our website visitors, clients and prospective clients in accordance with our instructions and in compliance with the GDPR.

Part 4: Other Data Collection and Analysis Tools

Not applicable at the moment.

Part 5: Status of this privacy policy

Document Version Code Numner: D101

Valid from: 01.10.2025

This privacy policy may be amended from time to time. Please use this page to keep informed as we post any changes here.