SPRIND
Federal Agency for Disruptive Innovation 

Data protection policy of SPRIND GmbH
dated 12 April 2022

With this data protection policy we inform you about which of your personal data (hereinafter referred to in short as ÒdataÓ) we process, and how and why we process it. We provide this information to fulfill our information obligations under data protection law. We use terms such as Òpersonal dataÓ or ÒprocessingÓ as they are defined in Article 4 of the General Data Protection Regulation (GDPR).


1. Data controller

The data controller as defined by the GDPR is SPRIND GmbH, having its registered office at Lagerhofstra§e 4, 04103 Leipzig.


2. The controllerÕs data protection officer

If you have any questions about data protection, please contact the data protection officer acting for SPRIND GmbH at the business address: SPRIND GmbH, Lagerhofstra§e 4, 04103 Leipzig, email: DATENSCHUTZ@SPRIND.ORG.


3. Types of data processed

In the course of our work, we process the following categories of personal data provided by you as an interested party for the evaluation of project ideas with breakthrough innovation potential:
* Basic personal data (e.g. name, address, date of birth)
* Contact details (e.g. email address, telephone numbers)
* Content data (e.g. text input) Selection of experts to evaluate project ideas with jump innovation potential
* Selection of experts to evaluate project ideas with breakthrough innovation potential;
* Coordination and discussion of the evaluation of project ideas with breakthrough innovation potential with the SPRIND team, innovators and other experts and
* as part of the support for SPRIND Challenges with the SPRIND Team, innovators and other experts.

We do not process any special categories of data specified in Article 9 (1) GDPR.


4. Purpose of processing

All personal data are processed for the following purposes only:
* To respond to contact requests and for communication
* To initiate, establish, execute and terminate contractual relationships
* To evaluate your proven expertise in the fields of science and/or business to assess projects with breakthrough innovation potential for SprinD.


5. Contact requests

When contacting us, we process the userÕs data to process and handle contact requests in accordance with Article 6 (1) b) GDPR.

We delete all requests insofar as their storage is no longer necessary. We review the necessity every two years. If requests are subject to statutory archiving requirements, they are deleted after the end of the relevant statutory retention period of 6 years under commercial law and 10 years under tax law.


6. Applicable legal basis

In accordance with Article 13 GDPR, we hereby specify the legal basis according to which we process data. Insofar as the legal basis is not specified in the data protection policy, the following applies: The legal basis according to which we obtain consent is Article 6 (1) a) and Article 7 GDPR; the legal basis for processing for the performance of our services and the execution of contractual measures and for responses to requests is Article 6 (1) b) GDRP; the legal basis for processing for compliance with our legal obligations is Article 6 (1) c) GDPR; the legal basis for processing for the purposes of our legitimate interests is Article 6 (1) f) GDPR. Where processing of personal data is necessary to protect the vital interests of the data subject or of another natural person, the legal basis is Article 6 (1) d) GDPR.


7. Amendments and updates to the data protection policy

Please consult the contents of our data protection policy regularly. When our website is published, it may contain a revised data protection policy. We will amend the data protection policy as required to reflect changes in our data processing practices. We will notify you whenever you are required to take action (e.g., renew your consent) as a result of such changes or personal notification becomes necessary for any other reason.

8. Security

In accordance with Article 32 GDPR, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, we implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. Such measures include safeguarding the confidentiality, integrity and availability of data by monitoring physical and logical access to data, inputs and sharing of data, the safeguarding of availability and the segregation of data. We have also implemented procedures to ensure the protection of data subject rights, the erasure of data and a response to data threats. We also consider the protection of personal data in the development and selection of hardware and software and of procedures that reflect the principle of data protection by design and by default (Article 25 GDPR).


9. Cooperation with processors and third parties

Where we disclose, transfer or otherwise grant access to data to other persons and enterprises (processors or third parties) in connection with our processing, we do so only on the basis of a statutory authorization (e.g., when a transfer of the data to third parties, such as payment service providers, is necessary to perform the contract in accordance with Article 6 (1) b) GDPR), if you have consented, in order to comply with a legal obligation or if we have a legitimate interest (e.g., the use of contractors, experts, webhosters, etc.).

Where we engage third parties to process data on the basis of a processing agreement, this is done on the basis of Article 28 GDPR.


10. Transfers to third countries

Where we process data in a third country (i.e., outside the European Union (EU) or European Economic Area (EEA)) or do so using third-party services or in connection with the disclosure or transfer of data to third parties, we only do so to comply with our obligations under a contract or prior to entering into a contract, on the basis of your consent, to comply with a legal obligation or on the basis of our legitimate interests. Notwithstanding statutory or contractual authorizations, we only process data in a third country or have data processed in a third country if and when the special conditions set forth in Article 44 et seq. GDPR are met.

This means that data is processed, for example, on the basis of special safeguards, such as the official recognition of a level of data protection equivalent to that in the EU (e.g., as afforded by the ÒPrivacy ShieldÓ in the US) or compliance with officially recognized special contractual obligations (Òstandard contractual clausesÓ).


11. Rights of data subjects

You have at any time the right to

Ð withdraw your consent in accordance with Article 7 (3) GDPR. If you do so, the data processing for which consent was given may no longer be continued in the future;

Ð obtain access in accordance with Article 15 GDPR to the personal data concerning you which are being processed. This includes, but is not limited to, access to the purposes of processing, the categories of personal data concerned, the categories or recipient to whom the data have been or will be disclosed, the envisaged period of storage, the existence of the right to request rectification, erasure, restriction of processing of personal data or to object to such processing, the existence of a right to lodge a complaint, the source of the data where the personal data were not collected from the data subject, and to the existence of automated decision-making, including profiling and, at least in those cases, meaningful information about the logic involved;

Ð obtain without undue delay in accordance with Article 16 GDPR the rectification of inaccurate personal data or the completion of incomplete personal data stored by the controller;

Ð obtain the erasure of personal data in accordance with Article 17 GDPR, except where processing is not necessary to exercise the right of freedom of expression and information, to comply with a legal obligation, for reasons of public interest or for the establishment, exercise or defense of legal claims;

Ð obtain in accordance with Article 18 GDPR restriction of processing of personal data where you contest the accuracy of the personal data, the processing is unlawful but you oppose their erasure, and where the controller no longer needs the personal data but they are required by you for the establishment, exercise or defense of legal claims, or you have objected to processing pursuant to Article 21 GDPR;

Ð receive in accordance with Article 20 GDPR the personal data which you have provided in a structured, commonly used and machine-readable format and to transfer those data to another controller; and

Ð lodge a complaint with a supervisory authority in accordance with Article 77 GDPR. As a rule, you may address complaints to the supervisory authority at your habitual residence, place of work or our registered office.


12. Erasure of data

The data processed by us will be erased or their processing will be restricted as laid down in Articles 17 and 18 GDPR. Except where otherwise expressly stated in this data protection policy, the data we store will be erased as soon as they are no longer required for their original purpose and they are no longer subject to retention requirements which would prevent their erasure. If the data are not erased because they are necessary for other and legally permissible purposes, their processing will be restricted. This means the data will be be made unavailable and not processed for other purposes. This applies, for example, to data whose retention is required under commercial or tax law.
According to the statutory requirements, such data must be retained for 6 years pursuant to

Sec. 257 (1) HGB [ÒHandelsgesetzbuchÓ: German Commercial Code] (account books, opening balance sheets, financial statements, trade letters, accounting vouchers, etc.) and for 10 years pursuant to Sec. 147 (1) AO [ÒAbgabenordnungÓ: German Tax Code] (books, records, management reports, accounting vouchers, trade or business letters, documents relevant for taxation, etc.).


13. Right to object

You have the right to object at any time to the processing of the data concerning you in future in accordance with Article 21 GDPR. This includes, but is not limited to, objecting to processing for direct marketing purposes.
To exercise your right to object, please send an email to DATENSCHUTZ@SPRIND.ORG.