ZEISS Public Data Protection Guideline

ZEISS is an international leading technology enterprise operating in the optics and optoelectronics industries. In the previous fiscal year, the ZEISS Group generated annual revenue totaling more than 5.8 billion euros in its four segments Industrial Quality & Research, Medical Technology, Consumer Markets and Semiconductor Manufacturing Technology (status: 30 September 2018).

For its customers, ZEISS develops, produces and distributes highly innovative solutions for industrial metrology and quality assurance, microscopy solutions for the life sciences and materials research, and medical technology solutions for diagnostics and treatment in ophthalmology and microsurgery. The name ZEISS is also synonymous with the world's leading lithography optics, which are used by the chip industry to manufacture semiconductor components. There is global demand for trendsetting ZEISS brand products such as eyeglass lenses, camera lenses and binoculars.

With a portfolio aligned with future growth areas like digitalization, healthcare and Smart Production and a strong brand, ZEISS is shaping the future far beyond the optics and optoelectronics industries. The company's significant, sustainable investments in research and development lay the foundation for the success and continued expansion of ZEISS' technology and market leadership.

Data protection is an important building block for the achievement of these strategic goals. ZEISS takes the protection of your personal data very seriously. ZEISS processes your personal data in accordance with the relevant legal requirements. Furthermore, the handling of personal data at ZEISS is based on the EU data protection principles. These provide for the greatest possible degree of transparency, observance of option, access rights and the lawful processing and transfer of personal data.

Each ZEISS company complies with the applicable data protection laws. In addition, the handling of personal data is stipulated for the entire ZEISS Group in a company directive. This serves to ensure that the ZEISS companies which handle personal data process your data properly and in compliance with the applicable laws. At the same time, our employees are instructed to refer to and comply with our data protection rules wherever personal data is requested.

2.1 Creation, update and quality assurance
The Group Data Protection Officer is responsible for creating and updating this Public Data Protection Guideline.
As part of our Quality Assurance procedures, the Group Data Protection Officer verifies the contents to make sure they are both accurate and up to date.
The Public Data Protection Guideline may be amended during the course of a year and must be submitted to a Quality Assurance process at least once every three years.

2.2 Responsibility of the Executive Board
The Executive Board bears overall responsibility for ensuring that data protection principles are upheld in its company. This includes making a visible commitment and a clear pledge to data protection. The Executive Board

• establishes the strategic data protection guidelines and ensures their implementation in the area of validity,
• implements a data protection organization and designates clear roles and responsibilities,
• provides resources as appropriate,
• promotes leading by example at all other management levels,
• reacts to violations in a consistent manner.

2.3 Scope of application
The personal data processed by the ZEISS Group in physical and digital form is processed in compliance with the provisions of data protection law and the appropriate regulations.

By upholding the data protection laws and the applicable provisions, the ZEISS Group pursues the goal of maintaining and expanding the existing trust-based relationships with its customers, suppliers, service providers and employees. The ZEISS Group recognizes that data protection is highly significant for its business activity and operates a Data Protection Management System (DPMS) in line with these public data protection guidelines.

Data protection is a matter of course in dealing with personal data for the ZEISS Group and is therefore taken into account in all business processes and is fundamentally based on the requirements of the EU General Data Protection Regulation (GDPR). The relevant national regulations and legislation supplement these basic requirements and are also observed by the ZEISS Group.

4.1 Legality of processing
The ZEISS Group ensures that any processing of personal data is undertaken lawfully, i.e. that, for example, the person concerned has granted a valid authorization or the data is processed on another permissible legal basis.

4.2 Processing in good faith
Individuals whose personal data is processed by the ZEISS Group in line with the GDPR can rest assured that the ZEISS Group only collects, saves, uses and deletes their data in accordance with the GDPR and the other relevant legal provisions.

4.3 Transparency
Individuals whose personal data is processed by the ZEISS Group in line with the GDPR are informed of their rights, the purpose of and the responsibilities for the processing during data collection in accordance with the GDPR and the other relevant legal provisions. If they exercise their right to information, they are provided with the relevant information in written form.

4.4 Appropriation
The purposes of the data processing are already defined by the ZEISS Group when personal data is being collected. Further processing for different purposes is possible in exceptional cases in so far as the purposes of the additional processing are compatible with the original purposes of collection and a legal basis exists for the additional processing.

4.5 Data minimization
The saved and used personal data is fit for the purpose and restricted to the extent which is necessary for the purposes of the processing.

4.6 Storage limitation
Data relevant to data subjects is saved at the ZEISS Group in a form that enables a person to be identified for only as long as necessary for the purposes of the processing.

4.7 Integrity and confidentiality
Personal data is processed in a way that ensures appropriate data security. This also comprises protection from unauthorized or illegal processing and from the unintended loss, destruction or damage of the personal data.

ZEISS provides the appropriate security through a variety of technical and organizational means. These measures are based on the state of the art and the defined protection level required. Risk-based data protection impact assessments lead to effective security measures such as restrictions on access to buildings where data is stored and electronic access to data, deletion concepts, secure encryption measures and measures for data back-up and emergency recovery.

The Executive Board is responsible for the establishment of an adequate data protection organization. It has appointed a person responsible to implement the data protection organization. This person serves as a central point of contact for the topic of data protection and is responsible, in particular, for introducing and maintaining the Data Protection Management System (DPMS) described in these public data protection guidelines and for working towards ensuring that the regulations stipulated therein are upheld in the company.

The following responsibilities and rights are transferred to the Corporate Data Protection Officer as part of his duties:

The design and drafting of the Public Data Protection Guideline and the Data Protection Guideline for submission to the Executive Board of the ZEISS Group for their approval. They decide all other topic-related implementation guidelines in their own competence, if necessary in coordination with other specialists;
Access rights for justified reasons and at reasonable discretion to all data protection-related areas, information and systems;
Direct access to employees at all levels (including the Executive Board) when justified and following due consideration for matters and incidents related to data protection.

If you have any questions on data protection, contact data protection at ZEISS as follows:

The Corporate Data Protection Officer
Carl-Zeiss-Strasse 22
73447 Oberkochen

Contact via email (no confidential contents, please): dataprivacy@zeiss.com
Contact via phone: +49 7364 20-0 (key word "data protection")
Contact via web form: to the form

The introduction and maintenance of a DPMS supports the achievement of the data protection goals and the implementation of the basic data protection principles. This management system ensures that the employees of the ZEISS Group have the necessary knowledge of the data protection provisions and take the appropriate measures to safeguard the trust between the data subjects, the organization and the supervisory authorities.

The company develops and maintains a data protection management system which works towards making sure that the employees and contractors of the ZEISS Group uphold the data protection regulations and ensure compliance in relation to customers, employees, contractors, service providers and suppliers.