ZEISS public data protection guidelines

Guidelines on handling of data protection requirements in accordance with the EU's General Data Protection Regulation and the Federal Data Protection Act (Bundesdatenschutzgesetz) (new)

Foundations
Objective
Basic principles of data protection
Group Data Protection Officer
DPMS
Implementation

1 Introduction

ZEISS is an internationally leading technology enterprise operating in the fields of optics and optoelectronics. In the previous fiscal year, the ZEISS Group generated annual revenue totaling more than 5.8 billion euros in its four segments Industrial Quality & Research, Medical Technology, Consumer Markets and Semiconductor Manufacturing Technology (status: 30 September 2018).

For its customers, ZEISS develops, produces and distributes highly innovative solutions for industrial metrology and quality assurance, microscopy solutions for the life sciences and materials research, and medical technology solutions for diagnostics and treatment in ophthalmology and microsurgery. The name ZEISS is also synonymous with the world's leading lithography optics, which are used by the chip industry to manufacture semiconductor components. There is global demand for trendsetting ZEISS brand products such as eyeglass lenses, camera lenses and binoculars.

With a portfolio aligned with future growth areas like digitalization, healthcare and Smart Production and a strong brand, ZEISS is shaping the future far beyond the optics and optoelectronics industries. The company's significant, sustainable investments in research and development lay the foundation for the success and continued expansion of ZEISS' technology and market leadership.

Data protection is an important building block for the achievement of these strategic goals. ZEISS takes the protection of your personal data very seriously. ZEISS processes your personal data in accordance with the relevant legal requirements. Furthermore, the handling of personal data at ZEISS is based on the EU data protection principles. These provide for the greatest possible degree of transparency, observance of option, access rights and the lawful processing and transfer of personal data.

Each ZEISS company complies with the applicable data protection laws. In addition, the handling of personal data is stipulated for the entire ZEISS Group in a company directive. This serves to ensure that the ZEISS companies which handle personal data process your data properly and in compliance with the applicable laws. At the same time, our employees are instructed to refer to and comply with our data protection rules wherever personal data is requested.

Legal Information

2 Foundations

2.1 Creation, update and quality assurance

The Group Data Protection Officer is responsible for creating and updating these public data protection guidelines.
As part of quality assurance, the Group Data Protection Officer inspects the contents to make sure they are both accurate and up to date.
The public data protection guidelines may be adapted during the year and must be submitted to a quality assurance process at least once every three years.

2.2 Responsibility of management

The Executive Board bears overall responsibility for ensuring that that data protection principles are upheld in its company. This includes making a visible commitment and a clear pledge to data protection. The Executive Board

  • establishes the strategic data protection guidelines and ensures their implementation in the area of validity,
  • implements a data protection organization and designates clear roles and responsibilities,
  • provides resources as appropriate,
  • promotes leading by example at all other management levels,
  • reacts to violations in a consistent manner.

2.3 Area of application

The personal data processed by the ZEISS Group in physical and digital form is processed in compliance with the provisions of data protection law and the appropriate regulations. 

3 Objective

By upholding the data protection laws and the applicable provisions, the ZEISS Group pursues the goal of maintaining and expanding the existing trust-based relationships with its customers, suppliers, service providers and employees. The ZEISS Group recognizes that data protection is highly significant for its business activity and operates a Data Protection Management System (DPMS) in line with these public data protection guidelines.

4 Basic principles of data protection

Data protection is a matter of course in dealing with personal data for the ZEISS Group and is therefore taken into account in all business processes and is fundamentally based on the requirements of the EU General Data Protection Regulation (GDPR). The respective relevant national regulations and legislation supplement these basic requirements and are also upheld by the ZEISS Group.

4.1 Lawfulness of processing

The ZEISS Group ensures that any processing of personal data is undertaken lawfully, i.e. that, for example, the person concerned has granted an effective authorization or the data is processed on another permissible legal basis. 

4.2 Fair processing

Individuals whose personal data is processed by the ZEISS Group in line with the GDPR can rest assured that the ZEISS Group only collects, saves, uses and deletes their data in accordance with the GDPR and the other relevant legal provisions.

4.3 Transparency

Individuals whose personal data is processed by the ZEISS Group in line with the GDPR are informed of their rights, the purpose of and the responsibilities for the processing during data collection in accordance with the GDPR and the other relevant legal provisions. If they exercise their right to information, they are provided with the relevant information in written form.

4.4 Purpose

The purposes of the data processing are already defined by the ZEISS Group when personal data is being collected. Further processing for other purposes is possible in exceptional cases unless the purposes of the processing are incompatible with the original collection purposes and there is a legal basis for this. 

4.5 Data minimization

The saved and used personal data is fit for the purpose and restricted to the extent which is necessary for the purposes of the processing.

4.6 Storage limitation

Data of persons concerned is stored at the ZEISS Group in a form that enables the identification of a person only as long as this is required for the processing purposes. 

4.7 Integrity and confidentiality

Personal data is processed in a way that ensures appropriate data security. This also comprises protection from unauthorized or illegal processing and from the unintended loss, destruction or damage of the personal data.

ZEISS ensures the appropriate security through a variety of technical and organizational measures. These measures are based on the state of the art and the defined protection level required. Risk-based data protection impact assessments lead to effective security measures such as access restrictions, access limitations, deletion concepts, safe encryption measures and measures for data back-up and emergency recovery.

5 Group Data Protection Officer and organization

The Executive Board is responsible for the establishment of an adequate data protection organization. It has appointed a person responsible to implement the data protection organization. This person serves as a central point of contact for the topic of data protection and is responsible, in particular, for introducing and maintaining the Data Protection Management System (DPMS) described in these public data protection guidelines and for working towards ensuring that the regulations stipulated therein are upheld in the company.

The following competencies and rights are transferred to the Group Data Protection Officer as part of his duties to be fulfilled:

  1. Conception and drafting of the public data protection guidelines and the data protection directive for submission to the Executive Board of the ZEISS Group for resolution. He decides all other topic-related implementation directives under his own authority, in consultation with other specialist officers, as applicable;
  2. Access rights when justified and following due consideration in all data protection-related areas, information and systems;
  3. Direct access to employees at all levels (including Executive Board) when justified and following due consideration for matters and incidents related to data protection.

If you have any questions on data protection, contact data protection at ZEISS as follows:

Group Data Protection Officer
Carl-Zeiss-Straße 22
73447 Oberkochen

Contact via Email (no confidential content please): mailto:datap rivacy @zeiss .com
Contact by phone: +49 7364 20-0 (keyword "data protection")
Contact via web form: View form

6 Data protection management system (DPMS)

The introduction and maintenance of a DPMS supports the achievement of the data protection goals and the implementation of the basic data protection principles. This management system ensures that the employees of the ZEISS Group have the necessary knowledge of the data protection provisions and take the appropriate measures to safeguard the trust between the person concerned, the organization and the supervisory authorities.

7 Implementation

The company develops and maintains a data protection management system which works towards making sure that the employees and contractors of the ZEISS Group uphold the data protection regulations and ensure compliance in relation to customers, employees, contractors, service providers and suppliers.