Data privacy notice

How we treat your data

We are pleased about your visit and your interest in our products and services. The protection of your personal data is important to us. We would therefore like to inform you below about how personal data is processed at Carl Zeiss AG and other companies in the ZEISS Group (hereinafter referred to as ZEISS).

Personal data is data that enables the direct or indirect identification of a person. It does not matter whether the determination can be made on the basis of a single piece of information or several pieces of information. The more information and data can be combined, the more precisely the person can be determined. Personal data includes, for example, the name, address, age or e-mail address, but also indirect data such as an IP address or social security number.

Controller and Data Protection Officer

The responsible party for the processing and protection of your personal data is Carl Zeiss AG.

If you have any questions regarding data protection or questions relating to the processing of your personal data or the exercise of your rights, please contact us by either using the contact form at the bottom of this page or at the following address, telephone number or email address:

Corporate Data Protection Officer
Carl-Zeiss-Strasse 22
73447 Oberkochen
Germany
Phone: +49 7364 20-0 (keyword "data protection")
E-mail: dataprivacy@zeiss.com (Please do not send confidential content by e-mail)

Your rights as a data subject

Of course, you retain control over all personal data that you provide to us when visiting our website or using our services. You have the following rights, which you can exercise free of charge.

1. Right of access

You have the right to obtain information about your personal data stored by us at any time. You have the right to know for what purposes your personal data is processed, how long it is processed (see Storage duration) and to whom it is disclosed, if applicable (see Data categories). Please understand that we must first verify the identity of the requesting person before we can provide information.

2. Right of revocation/objection

If you have given us consent for a certain processing of your data, you have the right to revoke this consent at any time with effect for the future.

If we process your personal data within the framework of a balancing of interests due to our overriding legitimate interest, you have the right to object to this processing at any time with effect for the future.

3. Right to data portability

You have the right to request a transfer of your personal data from us to another entity.

4. Right to rectification, erasure or restriction of processing

You have the right to have your data rectified and/or supplemented by means of an additional declaration. You also have the right to have your data deleted for the purposes for which they were collected or to limit the processing thereof.

5. Right of complaint

You have the right to complain to a supervisory authority or our data protection officer, insofar as you should have a reason to complain. To claim rights against our company, please contact the contact person listed at the beginning of this data protection notice.

Data categories and recipients of the data

1. What categories of data does ZEISS use?

The categories of personal data that ZEISS processes include, among others

  • Your contact details, e.g. first and last name, address, telephone number(s), email address, etc.
  • Professional information, e.g. the name and address of your company, your position in your company, etc.
  • Location or preference data, e.g. when using our website in order to be able to display content in the language relevant to you, to be able to provide newsletters with content relevant to you, etc.
  • Product and service data, e.g. which products or services you or your company have purchased from ZEISS, which products or services are assigned to you, device identifiers, product interaction data, etc.
  • Purchase and payment information, e.g. your preferred payment method, credit card number, bank account number, etc.
  • Access data, e.g. assigned user IDs for certain ZEISS systems, your ZEISS ID, etc.
  • Health data, e.g. refraction data for the production of spectacle lenses or health data for conducting medical studies. In most cases, this health data is pseudonymized. In any case, strict standards apply to the processing of health data at ZEISS.

We would like to draw your attention to the fact that, within the framework of the respective contractual relationship, you must provide those personal and company-related data that are required for the establishment, implementation and termination of the contractual relationship or promise of performance and their respective fulfillment, or which we are legally obligated to collect.

2. Recipients of personal data

To the extent necessary, those departments within ZEISS will have access to personal data that require it to fulfill their duties.

In addition, your personal data may be disclosed to business partners (other service providers) to provide services to us or to you on our behalf. These are carefully selected partners who provide services for ZEISS. These service providers handle your personal data as so-called processors on our behalf and according to our instructions. Each business partner or service partner is expected to use reasonable security measures appropriate to the nature of the information involved to protect your Personal Information from unauthorized access, use, or disclosure. Service providers are prohibited from using Personal Information that we provide to them other than as specified by us.

Categories of service providers that we may transfer your data to include:

  • suppliers of IT or other service providers
  • logistics partners and other service providers engaged to provide shipping and delivery services
  • if necessary regulatory authorities, public authorities, law enforcement agencies and courts

ZEISS does not share your data with third parties unless specified otherwise in the subsequent sections describing the purposes of the processing of personal data.

3. Transfer to third countries or international organizations

A transfer to countries outside the European Union or the European Economic Area ("third countries") only takes place to the extent necessary for the respective purpose. Before any transfer of personal data to processors or third parties in third countries, we ensure that a transfer mechanism exists in accordance with the EU GDPR:

  • If it's a safe third country, the data transfer is covered by an adequacy decision.
  • If data is transferred to a so-called insecure third country, this data transfer is covered by standard contractual clauses.

Duration of storage

Your personal data will be deleted as soon as it is no longer required for the respective purpose. Insofar as we are legally obligated to do so, we store your data until the end of the legally regulated retention periods. Depending on the legal basis, these are usually 6 to 10 years.

In addition, your data will be stored until the expiry of the statutory limitation periods, usually 3 years, insofar as this is necessary for the assertion, exercise or defense of legal claims. After that, the corresponding data will be routinely deleted if it is no longer required to achieve the necessary purposes.

Automated decision making incl. profiling

Personal data that we collect, for example, on our websites and that help us to understand your interests may be used for personalization purposes in order to provide you with content and information that is relevant to you. Automated decision-making based on this collected data does not take place.

An informal objection to this type of use is possible without giving reasons at any time for the future. Please use the contact form provided at the bottom of this page.

Purposes of the processing of personal data

ZEISS only collects and processes your personal data if you have given your consent or if it is permitted or required by other legal regulations. We generally obtain this data in two ways: either you have provided us with the data or we collect the data when you use our products and services.

The following list shows the various processing purposes for personal data here at ZEISS. Each entry contains a brief description of the respective purpose together with the corresponding legal basis for the processing. By clicking on an entry, you can view a more detailed description for each purpose.

If you have any questions about one or more processing purposes, please feel free to contact us.

  • As a website or webshop operator, ZEISS collects data about access to our websites and webshops and stores this data as so-called "server log files". The following information is collected automatically and stored for 7 days:

    • The website or page of the webshop visited
    • Date and time of access
    • The website from which the access was made (so-called referrer URL)
    • Browser used
    • Operating system used
    • The IP address of the requesting end device

    The aforementioned data is processed by us for the following purposes:

    • Monitoring and evaluation of system security and stability
    • Ensuring a smooth connection of the website
    • Ensuring a comfortable use of our website

    The legal basis for this data processing is to safeguard the legitimate interests of ZEISS pursuant to Art. 6(1)(f) GDPR. Our overriding legitimate interest follows from the purposes for data collection listed above. In no case do we use the collected data for the purpose of drawing conclusions about individual persons.

  • Normal application process

    By registering and submitting your application to us in the ZEISS application portal, you provide us with your personal data and consent to the processing of this information as part of the application. You also have the option to separately consent to the inclusion of your data in the applicant pool (see below).

    As a matter of principle, your data will only be used for the purpose of filling the specific position within the ZEISS group of companies. The ZEISS company responsible for the job advertisement or, in the case of a speculative application, the ZEISS company to which you send the application is responsible for the collection and processing within the meaning of the General Data Protection Regulation. For more information on the specific ZEISS company, please contact recruiting.oberkochen@zeiss.com. You can check, update and supplement the information you have provided in the ZEISS application portal at any time.

    Pre-Employment Screening

    Depending on the ZEISS company responsible, additional processes may be implemented that require a check of your person or your details. This serves to protect the business interests of the ZEISS Group. All verification processes strictly adhere to the applicable data privacy principles. In these cases, data processing may additionally be legitimized either by legal requirements (Art. 6(1)(c) GDPR) or on the basis of the legitimate interests of ZEISS (Art. 6(1)(f) GDPR).

    Unsolicited application

    If you send an unsolicited application to our applicant management system, your data will be forwarded to the appropriate ZEISS company that matches your skills.

    Applicant pool

    If you have agreed to your application data being passed on, your profile will be circulated if it could also be of interest for filling vacancies at other ZEISS companies. Thus, your data will be made available to ZEISS companies involved in the application process and they can contact you if they are interested.

    Active sourcing

    If what we read about you in your profile is interesting and we have contacted you via career portals or similar, we will first get to know you via the relevant social network. With your consent, we include the data from the social network in our application portal and send you a link with which you can complete your profile via an individual access and agree to your inclusion in our applicant pool. After we have collected your data from the social network, you will move on to the normal application process (see above).

    Recommendation

    If you have an interesting profile, it may be that you have already been recommended by one of our ZEISS employees. In this case, your contact details are first recorded via the ZEISS employee so that our system can send you an automated e-mail with information and a link to the job profile. If you are interested, you can go through the normal application process. If you are not interested and do not respond to the email, we will delete your contact information from our system after a maximum of two months. This gives you enough time to adapt your profile to the job in question or to use the data already collected for other interesting jobs. If you wish, we will also be happy to delete your data before the two-month period expires.

    Type of data

    As part of the application process, we process the data that you provide to us with your application. This data includes in particular:

    • Identification data (first name, last name, etc.)
    • Contact data (e-mail address, telephone number, etc.)
    • Data on education and profession (school/university attended, professional career, etc.)
    • Other relevant data (certificates, your photo, etc.)
    • Data about your personal preferences (likes, interests, etc.)

    Legal basis and rights of the data subjects

    Your data is collected for the purposes described above (reasonable grounds for employment with ZEISS). The data processing is carried out to fulfill a contract or to carry out pre-contractual measures in accordance with Art. 6(1)(b) GDPR.

    As a rule, personal data may be processed where this is necessary for the decision on the establishment of an employment relationship or, in special cases, on the basis of the applicants' consent.

    If the processing of your data is based on consent given by you, you can revoke your consent at your discretion at any time with effect for the future in the ZEISS application portal or by email to recruiting.oberkochen@zeiss.com. The legality of the data processing carried out until the revocation is not affected by the revocation.

    Recipients of the data and place of data processing

    The ZEISS Group ensures that third parties acting on behalf of ZEISS and authorized to access this data comply with the rights and obligations set out in this Data Privacy Notice. ZEISS and its service providers generally process the data on servers located in the European Union. In exceptional cases, the data may also be processed in countries outside Europe, to the extent permitted by law. 

    When transferring data within the ZEISS Group, when transferring data abroad and when processing data by external partners, ZEISS complies with the applicable data protection laws and secures these activities as far as possible by the means available under data protection law, including data processing contracts, EU standard contractual clauses and international conventions. If the local requirements abroad do not correspond to the level of protection of the EU Charter of Fundamental Rights, ZEISS will endeavor to keep the risks of processing personal data as low as possible by taking appropriate measures.

    Deletion of data

    In principle, we are required by law to archive your data relevant to the application process for six months. In the event that we are unable to offer you a position but you have agreed to be included in the applicant pool, we will delete your data no later than two years after your application has been rejected. After six months, you can also have your data deleted at any time in the ZEISS Applicant Portal or by sending an email to recruiting.oberkochen@zeiss.com. If you have not consented to the storage of your data, it will be deleted as soon as we have filled the position or within the six-month period.

    If you have consented to the storage of your data, we will include this data in the personnel administration processes that we carry out within the framework of the statutory provisions.

    Data security

    ZEISS has globally applicable corporate guidelines to ensure the security and confidentiality of data; in addition, the data protection regulations of the countries in which a ZEISS company has its registered office apply. In addition, any service provider who processes your personal data on behalf of ZEISS undertakes to ensure confidentiality and to apply the same strict security measures as ZEISS.

    The technical support of our applicant management system is provided by an IT provider in Germany, which we have selected in accordance with the legally prescribed parameters and for which the data protection requirements also apply.

    Job Alert

    If you set up a Job Alert, we only store the information necessary for this (e-mail address and selection criteria). You can terminate your participation in Job Alert at any time. In this case, we will delete your data immediately.

    Contact

    Please send any questions about the application process to recruiting.oberkochen@zeiss.com.

  • ZEISS offers various apps for mobile devices (iOS and/or Android) that can collect personal data. This personal data is required for the function of the respective app.

    Apps on mobile devices can gain access to functions of the end device if required and with the consent of the user. Each app that ZEISS offers will ask you for consent to use the required functions. These functions may include, but are not limited to, the following:

    • Calendar
    • Contacts
    • Camera
    • Location
    • Audio (output & microphone)
    • Phone
    • SMS/MMS
    • Memory
    • Possibly other sensors

    The legal basis for data processing is your consent pursuant to Art. 6(1)(a) GDPR. You have the right to revoke your consent at any time with effect for the future.

  • ZEISS wants to make it easy for you to contact us. We therefore offer contact forms on our websites for various types of inquiries.

    Depending on the purpose of the individual form, you will be asked to provide the data we need to answer your request. This is usually your name and your e-mail address for contacting you; we may collect further contact data such as telephone number or address as well as other data to help us respond to your request.

    Purpose of the contact form and associated legal basis:

    • Marketing or sales enquiry

    Marketing or sales inquiry forms are used to inform interested parties or potential customers about products or services or to advertise them (see also processing purpose "Newsletter"). The legal basis for the processing of personal data is the consent of the data subject pursuant to Art. 6(1)(a) GDPR. Every person has the right to withdraw consent at any time with effect for the future.

    • Customer inquiry

    Customer inquiry forms can be used by existing customers to ask questions or submit support requests, for example about products or services. The legal basis for this processing is the fulfillment of a contract or the implementation of pre-contractual measures in accordance with Art. 6(1)(b) GDPR.

    • Data privacy request

    The data privacy request form is offered to enable interested parties or customers of ZEISS to exercise the rights of the data subject, e.g. to request information about stored personal data or to request the deletion of this data. This data processing is a legal obligation that ZEISS must comply with in accordance with Art. 12 GDPR; the legal basis is therefore Art. 6(1)(c) GDPR.

    • General request

    General inquiry forms can be used to ask ZEISS general questions or concerns that do not fall into one of the other categories. The legal basis for the processing of personal data is our overriding legitimate interest in being able to respond to such inquiries from users in accordance with Art. 6(1)(f) GDPR.

    All data collected will be used exclusively for the processing for the respective purpose and will not be used for any other purpose.

  • If you participate in one of our events, the processing of your personal data may become necessary for your participation for processing and billing reasons.

    The legal basis for data processing is the performance of a contract or the implementation of pre-contractual measures pursuant to Art. 6(1)(b) GDPR or, if there is no contractual relationship between you and ZEISS, the protection of the overriding legitimate interests pursuant to Art. 6(1)(f) GDPR. Our overriding legitimate interest is the effective implementation of our events (offline or online).

    We use the following platforms and applications to conduct virtual meetings or webinars:

    As a rule, only your e-mail address, first and last name, and IP address are processed for the event. For paid events, data may also be processed for billing purposes.

    An encrypted connection is established between you and the service provider of the webinar. We do not record the audio or visual information transmitted during this session. By clicking "Join", you confirm that you will not record or screen capture this session either.
    You can end the session at any time by simply closing the browser window or exiting the program or app. If your contact ends the session, your session participation will automatically end as well.

    During and after the webinar, statistical data is transmitted to us. If you participate in a webinar, ask or answer a question during the webinar, in addition to your registration data, we receive information about the duration of participation, interest in the webinar, the question asked, or answer for further support or expansion of the user experience.

    We would also like to point out that the providers collect their own data as part of the provision, which we cannot influence. Detailed information on this can be found on the websites of the providers.

  • ZEISS offers various forums on specific specialist topics. These specialist forums offer users the opportunity to exchange thoughts, experiences and helpful tips with other users. To participate, each user must have a ZEISS ID. In this process, the user name, e-mail address and usage data are processed.

    The legal basis for data processing is your consent pursuant to Art. 6(1)(a) GDPR. You have the right to revoke your consent at any time with effect for the future.

  • Google Analytics is a web analytics service provided by Google, Inc. This service allows us as a website operator to track and analyze the interactions of visitors with our website. Google Analytics allows us to obtain information about the origin of visitors, the actions performed on the website and the conversion rate of visitors. This information can be used to improve website performance and optimize the user experience for visitors.

    Google Analytics collects the following data:

    • Age
    • App Store
    • App version
    • Browser
    • City
    • Continent
    • Country
    • Brand of the device
    • Category of the device (smartphone, tablet, etc.)
    • Model of the device
    • Gender
    • Interests
    • Language
    • New or already known user
    • Operating system
    • Operating system version
    • Platform
    • Region
    • Subcontinent

    The legal basis of the data processing is your consent according to Art. 6(1)(a) GDPR. You have the right to revoke your consent at any time with effect for the future.

  • The ZEISS learning platforms support you in your continuing education. The purpose of the ZEISS learning platforms is to provide you with learning content, organize learning processes, support learning scenarios and track learning progress during the processing of learning content. Communication between teachers and learners is also enabled for this purpose. The ZEISS learning platforms send e-mails and calendar entries with relevant information for the participants as part of the organization of learning processes. Users can book trainings and provide reviews (ratings) on training, which can be read by other users including the name of the providing user.

    The legal basis for data processing is your consent pursuant to Art. 6(1)(a) GDPR. You have the right to revoke your consent at any time with effect for the future.

  • ZEISS would like to send you information about our products and services that may be of interest to you. For this we gather and process your data in different ways.

    Data you provide to us

    We use your personal data collected as part of a newsletter registration, in particular the areas of interest indicated, to provide you with product and service information tailored to you personally. By providing your name, you enable us to address you personally and to easily manage your data. If you provide your address data, e.g. your postal code, we can also provide you with regionally tailored offers.

    The legal basis of the data processing is your consent pursuant to Art. 6(1)(a) GDPR. You have the right to revoke your consent at any time with effect for the future. You will find unsubscribe instructions in the footer of each newsletter.

    Data we get by purchasing or using our products or services

    The data we receive in the course of purchasing one of our products or services as well as in the use of them will be used for direct marketing measures to draw attention to news and updates about purchased or related products or services. The legal basis for data processing is the safeguarding of the legitimate interests of ZEISS in accordance with Art. 6(1)(f) GDPR. Our overriding legitimate interest follows from our interest in being able to send you news and improvements to the products or services you have purchased or related products or services.

    You can object to the processing of your personal data for advertising purposes by ZEISS at any time with effect for the future. The objection can be made easily via the request form provided at the bottom of this page or by using the unsubscribe link in the footer of each newsletter.

    Stitching

    Stitching means combining and linking data from different ZEISS sources to create a more comprehensive profile of our users. By combining information from various interactions, both online and offline, we aim to improve your experience, tailor our products and services to your preferences and provide you with personalized recommendations.

    How we use Stitching: We use Stitching to better understand your interests and needs so that we can improve our products and services and provide you with a more personalized experience. By analyzing data from multiple touchpoints, we can provide you with relevant content, promotions, and recommendations that are tailored to your preferences.

    Types of Data Affected: Data subject to stitching includes, but is not limited to, your demographic information, purchase history, browsing behavior on our websites, interaction with our apps, and survey feedback. We ensure that all data processed through Stitching is handled in accordance with applicable data protection laws.

    Third Party Involvement: We work with trusted partners to enhance our data profiles through Stitching. These partners are carefully selected and bound by strict confidentiality agreements. Rest assured that we maintain control over the combined data and ensure that it is only used for the purposes outlined in this privacy notice.

    The legal basis for this data processing is your consent pursuant to Art. 6(1)(a) GDPR. We respect your rights with respect to your personal information. If you prefer not to participate in the stitching process or related profiling activities, you obviously have the right to opt out. You can exercise this option by contacting us here.

    Analysis

    Furthermore, we are always striving to improve our offer. For this purpose, evaluations are made of the newsletters sent, e.g. whether a communicated e-mail address can be reached, which newsletters are opened, which links are clicked on within the newsletter, etc. The data is collected and processed exclusively by ZEISS. The data will not be transmitted to other external companies.

  • With the purchase of ZEISS lenses, you can receive a consumer card* from your optician or can register your product on MyZEISS Vision. Using the product number of your order you can verify that the lenses purchased are genuine ZEISS brand. With prior registration to ZEISS ID you can register your product using the unique identifier of your order and obtain an extended warranty in MyZEISS Vision, if available in your market.

    The processing of data for the following purposes of MyZEISS Vision relies on your consent and complies with applicable law:

    When you register a product in MyZEISS Vision, we will process order-related data such as the product's serial number, date of purchase as well as the prescription information. Your prescription information is considered as your protected health information.

    MyZEISS Vision also offers you the option to conduct ZEISS Online Vision Screening and save your results in your account.

    If you register for the personalized marketing newsletter, we use your personal data collected in MyZEISS Vision to provide you with product and service offers tailored to your needs. These communications will be sent to the email address provided in MyZEISS Vision.

    For all the above-mentioned purposes we ask for your consent independently of each other. You can withdraw each of the consents individually at any time in the MyZEISS Vision Preference Center or by sending a notification to dataprivacy@zeiss.com. The change will be effective immediately upon receipt of the consent withdrawal.

    To offer you MyZEISS Vision, your national ZEISS Vision entity and Carl ZEISS Vision International GmbH act as Joint Controllers. This means that both entities share responsibility and determine the purposes and means of processing your protected health and personal information in a collaborative and transparent manner, with defined roles and obligations for data protection compliance.

    *Only available in selected markets.

  • "My vision profile" and the "ZEISS Online Vision Check" are online services for determining personal vision habits and identifying individual needs based on visual acuity, contrast and color vision as well as astigmatism and field of view for individual lens solutions from ZEISS. The data collected in this process is used exclusively for the analyses required in each case. The results of "My Vision Profile" can be subsequently accessed via a code provided with the result; on request, this code can also be provided by email.

    Various data are collected for the determination of the vision profile or the vision check: Age, limitation of vision, previously used visual aid, vision problems, occupational and daily activities, duration of use of mobile devices, etc.

    If you would like to receive the results by email, your email address will also be collected for sending the QR code with the analysis results. The email address will not be stored further.

    The legal basis for the data processing is your consent according to Art. 6(1)(a) GDPR. You have the right to revoke your consent at any time with effect for the future.

  • Personal data that ZEISS receives as part of quotation requests, order processing, configuration, etc. is used to process the respective business transactions. The collected data is processed in our CRM system for this purpose. The legal basis of the data processing is the fulfillment of a contract or the implementation of pre-contractual measures pursuant to Art. 6(1)(b) GDPR.

  • For the processing of contractual relationships, we offer our customers secure payment options and use other payment service providers in addition to banks for this purpose. The legal basis of the data processing is the fulfillment of a contract or the implementation of pre-contractual measures according to Art. 6(1)(b) GDPR.

      Personal data (such as name, address and bank data, e.g. account numbers or credit card numbers) is processed by the payment service providers. This processing is necessary to carry out the transactions. However, the data entered in this process is only processed by the payment service providers and stored by them. ZEISS only receives a confirmation or a negative notification of the payment.

        Further transmissions may be made by the payment service providers for the purpose of checking identity and creditworthiness. In this regard, we refer to the terms and conditions and data protection information of the payment service providers. The terms and conditions and data protection notices of the respective payment service providers apply, which can be accessed within the respective websites or transaction applications.

        • Mastercard
          Mastercard Europe SA, Chaussée de Tervuren 198A, B-1410 Waterloo, Belgium
          Privacy policy
        • Visa
          Visa Europe Services Inc, London Branch, 1 Sheldon Square, London W2 6TT, GB
          Privacy policy
        • PayPal
          PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg
          Privacy policy
        • Paymetric Inc.
          300 Colonial Center Pkwy #130, Roswell, GA 30076, United States
          Privacy policy
        • Computop
          Computop Paygate GmbH, Schwarzbergstraße 4, D-96050 Bamberg, Germany
          Privacy policy
      • For some ZEISS products ZEISS provides a warranty of two years from the date of purchase. For some of these products this warranty period can be extended to three years if the product is registered via ZEISS online registration within four weeks of the date of purchase.
        The legal basis for this data processing is the fulfillment of a contract or the performance of pre-contractual measures pursuant to Art. 6(1)(b) GDPR.

      • In order to analyze and find a solution to the problem you have contacted our support team about, you may be asked to send us analysis files or a ZEISS employee may have to connect to your system's computer.

        The legal basis for this data processing is the fulfillment of a contract or the implementation of pre-contractual measures pursuant to Art. 6(1)(b) GDPR.

      • For some of our services, we offer single sign-on procedures. This procedure allows you to log in to some of our services with the help of a user account of a provider of single sign-on procedures (e.g. Facebook or Apple ID). The legal basis for this data processing is your consent pursuant to Art. 6(1)(a) GDPR, the fulfillment of a contract or the implementation of pre-contractual measures pursuant to Art. 6(1)(b) GDPR or to safeguard the legitimate interests of ZEISS pursuant to Art. 6(1)(f) GDPR. You have the right to revoke your consent at any time with effect for the future.

        Our overriding legitimate interest follows from our obligation to ensure the security of the services offered. For this purpose, certain personal data is processed by ZEISS and transmitted to us in the course of the single sign-on procedure.

      • ZEISS also offers you extensive contact and information options via our presence in social media. These social media services may independently collect personal data, e.g. via your created profile. In the process, data is also processed outside the European Union. The legal basis for this data processing is to safeguard the legitimate interests of ZEISS pursuant to Art. 6(1)(f) GDPR.

         

        Social media platforms

        We offer you extensive contact and information options via our presence on social media on the basis of Art. 6(1)(f) GDPR. These social media services may independently collect personal data, e.g. via your created profile.

        On some ZEISS websites you will find buttons to social plugins of other online services. These buttons do not yet establish contact with the provider's server. Only by clicking on these buttons do you give your consent to communication with the provider of the respective platform and a connection is activated.

        If you are already logged in to a social network of your choice, this takes place without another window. Since this transmission is direct, we do not obtain knowledge of the transmitted data. What is transmitted is the fact that you have called up the corresponding page. If you are logged into Facebook & Co. at the same time, this information is assigned to your social media account and is thus associated with your person.

        For more information about the further use and storage of your personal data by Facebook and Twitter, please contact these social media companies directly.

        It is also possible to block social plugins with add-ons through your browser.

         

        Facebook for Business - Automatic advanced matching

        This functionality is only active if you have consented in our Cookie Consent banner to use Facebook's tracking pixel. If you give this consent, automatic advanced matching will be used on some ZEISS websites. This function transmits your email address and/or phone number when you enter it in a form on a ZEISS website and submit the form. The data is encrypted before transmission and is used by Facebook to better assign people to specific target groups. Afterwards, the transmitted data is deleted by Facebook.

         

        Facebook Fanpages

        According to a ruling by the European Court of Justice in 2018, running a Facebook Fanpage is a shared responsibility between Facebook and the company operating the page. Facebook collects and processes personal data to provide insights about how people interact with the page, but this information is only given to ZEISS in an anonymous form, so we can't see individual users' information. ZEISS uses these insights to understand how people interact with its content and to improve it. The legal basis for this data processing is to safeguard the legitimate interests of ZEISS pursuant to Art. 6(1)(f) GDPR.

      • Customer satisfaction surveys

        ZEISS has a legitimate interest in improving its own products and services. We may therefore invite you to participate in customer surveys. The questionnaires used for this purpose are generally designed to be anonymous, so that you do not have to provide any personal data. If you nevertheless provide personal data in a questionnaire or survey, ZEISS may use this personal data to improve its own products and services.

        The legal basis for this data processing is your consent pursuant to Art. 6(1)(a) GDPR or to safeguard the legitimate interests of ZEISS pursuant to Art. 6(1)(f) GDPR. You have the right to revoke any consent given at any time with effect for the future.

        Our overriding legitimate interest is to improve the products and services we offer.

         

        Surveys for user research

        We use information from user research surveys to test prototypes or concepts and ideas on our website and to improve our services based on feedback we receive from website visitors or users recruited through agencies. The legal basis for this data processing is your consent pursuant to Art. 6(1)(a) GDPR. You have the right to revoke your consent at any time with effect for the future.

        What information do we collect?

        • Name
        • E-mail address
        • Behavioral data (user interactions with the prototype, likes, dislikes, preferences)
        • Location (country)
        • Demographic data: Age, age range, gender (not always required)
        • Job title

        If videos and images are recorded as part of user research, this will only happen if you have given us your consent. You can unsubscribe at any time and without giving any reason by sending an e-mail to research.panel@zeiss.com. We store this information in our databases because it is possible that not all members of the project team will participate in the interview (if applicable).

        The service provider maze.co is used to conduct the user research surveys. A data protection agreement has been concluded with the service provider. Your personal data will not be shared with any other service provider.

        We store personal data collected as part of user research for a period of 2 years. Anonymized data (i.e. data that cannot identify you) may be stored for longer.

      • In order to conduct sweepstakes, ZEISS collects personal data of the participants to determine the winner. This normally includes the salutation, full name, address, e-mail address and telephone number if contact by telephone is required.

        This data is used to notify the winners by e-mail, post or telephone. The address data will be used to send the prize, except in the case of personal delivery.

        The data will be collected and processed exclusively by the company of the ZEISS Group that is organizing the sweepstake. The data will not be transferred to other external companies unless the sweepstake is organized by an external company.

        The legal basis for data processing is your consent pursuant to Art. 6(1)(a) GDPR. You have the right to revoke your consent at any time with effect for the future.

      • ZEISS may record telephone conversations or chat sessions to improve the quality of our services. A recording is only started after you have been asked for, and have given, your consent at the beginning of the phone call or chat.

        The legal basis of the data processing is your consent according to Art. 6(1)(a) GDPR. You have the right to revoke your consent at any time with effect for the future.

      • ZEISS monitors security-relevant areas inside and outside buildings and premises by means of video recording. Video surveillance of public areas does not take place as a matter of principle. As soon as you are in the detection range of the cameras, you are the subject of this data processing. The legal basis for this data processing is to safeguard the legitimate interests of ZEISS pursuant to Art. 6(1)(f) GDPR.

        ZEISS has an overriding legitimate interest in the use of video surveillance. It helps to ensure largely comprehensive building and personal security. Video surveillance pursues the following purposes:

        • Exercise of domiciliary rights
        • Detection of illegal access attempts
        • (Necessary) monitoring of alarmed doors
        • Detection of blocked emergency exits
        • Clarification and prosecution of unauthorized access
        • Prevention, containment and clarification of criminally relevant behavior, e.g. vandalism

        Video surveillance enables the prompt initiation of measures to eliminate grievances arising from the above-mentioned points. It thus serves not only to protect the building, but also your personal safety and the safety of ZEISS employees.

        Video data is only evaluated on an ad hoc basis. In the event of a violation of the house rules, the commission of a crime, or certain legal requirements, the recordings may be handed over to security authorities.

        As a rule, the data is recorded or stored for 7 days. Depending on the location, the data may be recorded for a different period (for a maximum of one month). Normally, a notice is posted at each location where video surveillance is conducted to inform data subjects of their rights.

        In the case of a specific reason, these image sequences are required for the duration of the investigation.

      • The Virtual Try-on Service of Carl Zeiss Vision GmbH gives you recommendations for eyeglass frames based on a previously created virtual avatar of you. The biometric data collected will only be processed by ZEISS as part of the Virtual Try-on Service.

        The legal basis of the data processing is your consent according to Art. 6(1)(a) GDPR.

      • In our webshops you can order different products. Various personal data are processed in order to handle the ordering process.

        To process an order, we process your contact data, i.e. title, surname, first name, telephone number and the delivery and billing address. We use your e-mail address to send you an order confirmation and other important information about your order and to verify your identity when creating a customer account. Furthermore, we collect your payment data during the ordering process. If necessary for the fulfillment of an order, we use postal, forwarding and shipping companies. In the event of a delay in payment, we transmit - if the other legal requirements are met - the data necessary for the enforcement of our claim to a collection service provider. The processing of credit card payments and PayPal is also carried out by an external service provider.

        The legal basis for this data processing is the fulfillment of a contract or the implementation of pre-contractual measures pursuant to Art. 6(1)(b) GDPR. Deviating from this, data processing for the above-described credit check and, if necessary, the involvement of a debt collection service provider is carried out on the basis of Art. 6(1)(f) GDPR. Our overriding legitimate interest is to avoid payment defaults.

        Some data accrue automatically and for technical reasons already when you visit our webshops. You can find detailed information on this under "Access data to websites and webshops".

      • As a rule, you can use the ZEISS websites without providing us with any personal information. Exceptions are so-called technically necessary cookies, which are required to provide certain functionalities such as secure login or cookie management. For some functionalities offered on the websites, we will request personal information from you in order to be able to process the respective service quickly and in a user-friendly manner or to be able to offer the service at all. See also "Use of cookies and similar technologies".

        Some data is already collected automatically and for technical reasons when you visit our website. You can find detailed information on this under "Access data on websites and webshops".

        The legal basis for this data processing is your consent pursuant to Art. 6(1)(a) GDPR or to safeguard the legitimate interests of ZEISS pursuant to Art. 6(1)(f) GDPR. You have the right to revoke your consent at any time with effect for the future.

      • Carl Zeiss AG processes the personal data provided by the whistleblower for the purpose of receiving and processing compliance notices regarding violations of applicable laws and internal rules, as well as investigating and sanctioning such violations.

        The data provided by the whistleblower includes, among other things, data categories such as communication data (e.g. name, telephone, e-mail, address), employee data of ZEISS employees and, if applicable, names and other personal data relating to persons included in the notice.

        The processing of data when receiving and investigating compliance notices, as well as the determination of appropriate measures, is based on Art. 6(1)(f) GDPR. This is based in particular on the legitimate interest of ZEISS as a company in the prosecution of criminal offenses, the assertion of claims under civil law, the implementation or termination of an employment relationship or the detection of criminal offenses in the employment relationship, as well as the prevention of regulatory offences under the applicable laws.

        Data processing in the central administration and forwarding of cross-Group matters by Corporate Compliance is generally carried out in accordance with the legitimate interest of the company to obtain a Group-wide overview of compliance notices and thereby existing risks within the scope of the governance function, as well as for the assertion and defense of rights pursuant to Art. 6(1)(f) GDPR.

        If there is a legal obligation to provide a whistleblowing system or complaints mechanism, the legal basis may result from Art. 6(1)(c) GDPR.

        Insofar as the complaint mechanism requires the consent of the data subjects to the data processing, the processing is carried out in accordance with Art. 6(1)(a) GDPR. Consent given for the processing of personal data can be revoked at any time with effect for the future.

        In accordance with our legitimate interest pursuant to Art. 6(1)(f) GDPR, we anonymize personal data under certain circumstances so that no information and identifiers relating to specific individuals are included.

        Retention obligations and deletion periods

        As a matter of principle, we store personal data only for as long as is necessary to clarify the facts to which the compliance notice relates or as required by law. The specific retention obligations and deletion periods for personal data processed in the course of processing and clarifying compliance notices depend on the investigation result of the specific facts, as well as on the type of violation and legal consequences.

        Disclosure and transmission of personal data

        When processing compliance notices in accordance with the internally defined procedure and, if applicable, legally prescribed procedures, it may be necessary to involve other internal functions in the course of clarifying the facts and determining measures. Only to the extent that it is absolutely necessary for the processing of the compliance notice or required for the fulfillment of legal obligations will personal data be passed on to the following bodies in this context:

        • Management and/or local compliance officer of the ZEISS company concerned;
        • Internally responsible office in the event of (specialist) specific information (e.g. Group Data Protection, Group Security, Legal Department, Purchasing Department, Human Rights Officer, Internal Audit);
        • Responsible HR department and managers of the employees concerned;
        • If necessary, external law firms and other partners to assist in clarifying compliance indications;
        • Other responsible parties, such as government investigative authorities like public prosecutors.

        If you, as a whistleblower, have provided your identity as part of the compliance report, we are generally obligated under the GDPR to inform any accused persons of your identity as the source of personal data no later than one month after receipt of your report (Art. 14(3)(a) GDPR). If there is a substantial risk that such notification would jeopardize the effective investigation of the allegation or other interests worthy of protection (e.g., protection of the whistleblower), the notification may be postponed as long as this risk exists (Art. 14(5)(b) GDPR).

        Personal data will only be transferred to a recipient (e.g. a ZEISS company or authority) in a third country (based outside the EU or EEA) if this is necessary for processing the compliance notice. The relevant requirements of Art. 44 et seq. GDPR are taken into account accordingly.

        "ZEISS Integrity Line" whistleblower system

        The "ZEISS Integrity Line" enables whistleblowers to anonymously report compliance notices and communicate via an encrypted connection.

        Carl Zeiss AG has commissioned EQS Group AG, Karlstraße 47, 80333 Munich, Germany ("EQS") with the technical provision of the "ZEISS Integrity Line" platform. The service provider was carefully selected. It is responsible for regular monitoring of the careful handling and securing of data. For the technical implementation, we transfer personal data to EQS. For this purpose, we have concluded an order data processing agreement with EQS. Processing by EQS takes place exclusively in ISO 27001 certified high-security data centers in Germany and Switzerland.

        When using the platform for reporting compliance notices and when communicating via the platform, the personal data provided by the whistleblower in the notice is processed on a specially secured database by EQS and encrypted according to the current state of the art. The IP address and the current location are not processed at any time.

        Only ZEISS Corporate Compliance, i.e. Head of Corporate Compliance, Corporate Compliance Officer and Senior Corporate Compliance Manager, as well as specially authorized administrators of EQS are permitted to view the data on the "ZEISS Integrity Line".

      • ZEISS ID is the identity and access management system for all ZEISS applications that can be used by customers, partners, suppliers and employees. In this way, digital services from ZEISS can be used via a single access point. The integrated "single sign-on" function makes it possible to switch between different services without having to log in again - and this is also possible within the ZEISS companies through automatic registration.

        For registration, the user must provide his surname, first name, e-mail address and, if required for the service used, his title, customer number, telephone number, delivery and billing address. We use the data provided for the purpose of user administration. Insofar as this user data is required for the implementation of further applications, e.g. for the processing of orders in the web store, the data required for the corresponding application will be transmitted to them.

        Within the ZEISS ID account profile, you can view and change your personal data or the status of your marketing consent; optional data can be deleted. A ZEISS ID can also be deleted as such. In this case, your data will be deleted and you will lose access to the ZEISS ID applications. Your ZEISS ID account and your data will be automatically deleted if your account is inactive for 2 years.

        The legal basis for the data processing is your consent pursuant to Art. 6(1)(a) GDPR.

      • In the ZEISS Quality Software Store we collect various personal data, including your name and your ZEISS ID. We use this data to be able to offer software trial versions and add-ons, to give you the opportunity to write reviews and to improve the service and product range.

        The legal basis for this data processing is to safeguard the legitimate interests of ZEISS pursuant to Art. 6(1)(f) GDPR.


        Last updated: November 5th, 2024