Data processing in the BASF Group

The BASF company with which you are in contact is responsible for data processing unless otherwise stated (hereinafter referred to as "BASF" or “Controller” or "we"). The Controller can be identified, for example, as follows:

• If you are a customer, service provider or supplier of ours or have any other business relationship with BASF, your BASF contractual partner is the Controller.
• On websites or on social media channels, the BASF company named in the privacy policy, imprint or terms of use is the Controller.
• If you are an attendee at a BASF event, the BASF company carrying out the event is the Controller.
• For digital events, the BASF company inviting to the respective digital event is the Controller.
• If you are a visitor to our factory premises, the BASF company with which you have an appointment and whose premises you enter is the Controller.
• If you book at a BASF hotel or are a guest at a BASF restaurant, the BASF company is the Controller which is operating the respective facility.

As an internationally active group, BASF has contact persons for data protection for each country. For countries of the European Union you will find  here an overview with the contact addresses.

In addition, you can address questions and concerns about data protection to our central Data Protection Office at any time:  data-protection.eu@basf.com

Within the BASF Group, BASF SE, as a holding company, performs central functions that require the processing of personal data and may also be performed for other BASF Group companies. Such central functions can be, for instance:

• Corporate Communications Department
• Human Resources Department
• Centralized management
• Legal Department, Compliance, Factory Security, Corporate Auditing, Data Protection
• Central Procurement

In addition, certain BASF Group companies process personal data as intra-group service providers, whereby data processing may also be carried out on behalf of the respective BASF Group companies. These can be, for example:

• IT Services
• Shared Service Centers

BASF also uses central data processing systems that enable standardized data processing processes. Such systems can be, for example:

• Central databases, such as CRM or supplier management systems
• Central archiving and document management systems
• Central communication systems

BASF processes personal data exclusively for specific purposes. In the course of our business activities, various processing situations arise, which we shall generally inform you of within the framework of the respective activity, e.g. in the form of a data protection declaration on a website.

In general, BASF processes your personal data for the following purposes:

• Contract
  If you or the company for which you work have entered into a contract with BASF, we process personal data if and to the extent that it is necessary for the performance of the contract. The data processing includes master and contact data as well as contract-relevant data, which may also contain personal data of our customers, sales partners, service providers, suppliers, sellers and other business partners.
  The legal basis for this data processing is Art. 6 Sec. 1 lit.b) GDPR and lit. f) GDPR, provided that the contract is concluded between BASF and another legal entity.
  
  If you work for us as a freight forwarder or transport company, we also process information in connection with the transport order for the purpose of product delivery and transport administration, in particular the tracking number, destination, contact details of the customer, supplier or other customer and contact details of your company. In addition, in order to display the live locations of the product delivery and to inform our customers, we process the status messages and GPS data of the transports carried out (in near real time), which are transmitted by the internal IT of the respective freight forwarder that has commissioned the carrier. We receive this information via interfaces of the respective freight forwarder, which carries out the transport of BASF in accordance with its contractual relationship. The legal basis for this data processing is Art. 6 para. 1 lit. b) and f) GDPR.
   
• Communication with contact persons
  If you contact us, we process your personal data provided in the respective contact form in order to process your request or to communicate with you. If necessary, we will forward your request internally to colleagues responsible for supporting your request.
  The legal basis for this data processing is Art. 6 Sec. 1 lit. f) GDPR.
   
• Collaboration with business partners
  Outside of customer, service provider, and supplier relationships; we also work with companies and institutions on projects, joint ventures, and other collaborations to advance scientific progress and contribute to topics relevant to our business goals. In particular, we process contact data of our collaboration partners and data relating to the respective cooperation for the purposes of project implementation and networking.
  The legal basis for this data processing is Art. 6 Sec. 1 lit. f) GDPR.
   
• Public relations and representation of interests in the public and political sector
  BASF closely follows current events and public discourses that affect our products and corporate goals. In this context, we regularly work with newspapers and journals in order to answer inquires from them and to coordinate articles. In addition, we use press mailing lists to inform selected representatives of the independent media about company-relevant developments. For these purposes, we process contact data of journalists and press representatives.
  The legal basis for this data processing is Art. 6 Sec. 1 lit. f) GDPR.
  
  In addition, BASF maintains and operates websites on which we provide information to interested parties, customers and other business partners. In this context, BASF processes personal data that is necessary for technical reasons for the presentation of the website (e.g., IP address and strictly necessary cookies). In addition, cookies are also occasionally used to measure the performance of the website. Further information on the specific use of such services and on the further processing of personal data can be found in the privacy policy of the respective website.
   
• Events
  If BASF conducts events, we process the contact details of the participating guests in order to carry out the event. Depending on the event, this may also include information relevant to catering, e.g. food intolerances or allergies. If photographs, video recordings or other recordings are made at the event, we will inform our participating guests separately, in particular if a publication of the recordings and recordings is planned, and obtain any necessary consents.
  The legal basis for this data processing is Art. 6 Sec. 1 lit. f) GDPR, unless otherwise stated.
   
• Marketing
  If we have your consent or are otherwise allowed, we will provide you with information on products and topics from BASF, including information related to events. For the purpose of providing you with this information, we process your contact data provided in the respective registration or request forms for the purpose of carrying out the respective marketing activity, e.g., sending the newsletter or the customer satisfaction survey. The exact information on the communication channel, the processing purposes and the processed personal data can be found in the respective request for consent and/or the associated data protection statement. If and to the extent that you provide us with feedback, we process your information in order to improve the quality of our products and services. In this case, we may contact you to discuss any follow-up questions that may arise from that feedback.
  The legal basis for this data processing is your consent, Art. 6 Sec. 1 lit. a) GDPR or the respective legal basis as communicated otherwise and specifically to you.
   
• Maintaining and protecting the security of our facilities, products and services
  For the purpose of preventing and detecting security risks, fraudulent procedures, or other criminal or harmful acts; we process master and contact data in order to identify data subjects, e.g. in the context of service provider onboarding or in the context of granting access to customer portals. Data processing also includes compliance with and fulfilment of BASF’s duties of care and due diligence. In such cases, we process your contact details to inform you about important changes to product formulations or approvals.
  If you visit us in person, we will issue day passes to grant you access to our premises and to control access for security reasons through processes such as issuing you with a visitor pass. For this purpose, we process specific information about you such as your name, your date of birth, the persons you visit, your identity card number, your telephone number and your visit duration in days. If necessary, you must answer test questions about the safe behavior on the factory premises in a safety test; in which case the test results shall be saved. For drivers, BASF also processes the license plate of the vehicle used. If you as a driver transport dangerous goods, the dangerous goods are checked and the control is documented. 
  The legal basis for this data processing is Art. 6 Sec. 1 lit. f) GDPR.
   
• Compliance with legal requirements
  If and to the extent required by law, we process your personal data in order to fulfil legal requirements. These can be, for example, tax and commercial retention obligations or regulations for the prevention of white-collar crime such as money laundering laws. 
  If you are a shareholder of BASF, we will also process your personal data required for your entry in BASF's shareholder register for corporate and stock corporation law reasons (e.g. on the basis of § 67 German Share Law - Aktiengesetz). We receive your personal data from the bank involved in the share purchase.
  If and to the extent necessary, we also work with representatives of the authorities to coordinate legally relevant issues with them. In this context, we process contact data and data relating to the respective cooperation for the purpose of legal coordination.
  The legal basis for this data processing is Art. 6 Sec. 1 lit.c) and f) GDPR.
  Personal data may be disclosed to supervisory authorities or other third parties if required to do so by law or in order to comply with legal obligations. The legal basis for this data processing is Art. 6 (1) (c) GDPR
   
• Data processing in the context of legal matters
  In the context of legal disputes, we may process personal data within the framework of these disputes. We therefore also process personal data if and to the extent it is required to settle legal disputes; enforce existing contracts; and to assert, exercise and defend legal claims.
  The legal basis for this data processing is Art. 6 Sec. 1 lit. f) GDPR.

As an international group, BASF relies on flexible and user-friendly forms of communication and at the same time has an interest in communicating efficiently and as needed internally and with external parties.

For these reasons, BASF uses digital conference systems for the implementation of digital events, in particular:

• Communication with internal and external stakeholders, e.g. in the context of meetings and online conferences
• Implementation of online events (e.g. webinars, training information events)

When using digital conference systems, we process the following categories of personal data for technical reasons when you use one of our digital conference systems:

• Communication data (e.g. your email address)
• Log files, log data (e.g. version of the conference system, IP address, audio and video codec)
• Metadata (e.g., time of participation, indication of the media node, the hardware used, version of the operating system, etc.)
• User profile data (e.g., your username (if you provide it yourself) and your profile picture, if and to the extent that it is technically available)
• BASF account information (when used by BASF employees)

Depending on the type and format of the digital event, we process the following categories of personal data, provided that you voluntarily provide it to us:

• Audio transmissions, unless you have muted your microphone
• Text input, if you use the respective chat function
• Video transmissions, if the camera function is activated by you
• Attachments, when you upload them during an event

We carry out the respective data processing on the basis of a legitimate interest in accordance with Art. 6 Sec. 1 f) GDPR. Our legitimate interest arises from the above-mentioned purposes for data processing.

BASF generally uses the following digital conference systems:

In order to optimize our services, products, internal processes and to increase general efficiency, personal data may be processed with the help of artificial intelligence (hereinafter referred to as "AI"), in particular in the context of the use of central applications and systems that serve the daily performance of tasks. For example, AI can be used to create documents (e.g., emails, orders or business letters), which can be automatically recognized according to the respective content and processed by AI; power IT services that can be provided via AI; and control robots autonomously. Furthermore, virtual events can be transcribed and summarized using AI to simplify the creation of conversation notes. Technical and organisational measures are taken to ensure that the data collected for this purpose is only processed for the purposes defined in advance. At BASF, AI does not make any decisions that have a legal effect on you or significantly affect you in a similar or other way. The legal basis for the use of artificial intelligence is generally BASF's overriding legitimate interest in increasing the efficiency of internal processes, Art. 6 (1) (f) GDPR and results in particular from the legal basis applicable to the respective purpose.

As a chemical company that deals with hazardous and harmful substances, among other things, we are interested in ensuring the safety of our plants and our employees. For this reason, BASF carries out video surveillance at selected sites on its premises if and to the extent necessary to ensure safety aspects at BASF. The public space as well as the private space of individuals (e.g. private gardens) are not monitored. BASF provides information on site by means of signs and pictograms placed near the video surveillance system about the specific video surveillance carried out in each case.

Further information on data protection can be found at the respective video surveillance system.

BASF is interested in presenting itself on as many channels as possible, being approachable for customers, service providers, other business partners, applicants and interested parties, and promoting topics and products via social networks.

We process personal data when you visit BASF on social media channels. With our various social media channels, we want to offer you a wide range of multimedia services and exchange ideas with you on topics that are important to you. In addition to the respective provider of a social network, we also collect and process personal user data on our social media channels. For the respective data processing purposes and data categories, we refer to the individual social media channels, which are explained in more detail below.

In principle, data processing serves the following purposes:

• Communication with the BASF social media channel visitors;
• Handling inquiries from our BASF social media channel visitors;
• Collecting statistical information about the reach of BASF's social media channels;
• Conducting customer surveys, marketing campaigns, market analyses, sweepstakes, competitions or similar promotions or events;
• Resolution of disputes and disputes, establishment, exercise or defense against legal claims or litigation, enforcement of existing contracts.

The processing of your personal data is necessary for the achievement of these purposes.

Within our company, only persons and entities receive access to your aforementioned personal data insofar as they need it to fulfil the above-mentioned purposes.

We also work with service providers. These service providers only act in accordance with our instructions and are contractually obliged to comply with the applicable data protection requirements.

Otherwise, we will only pass on your data to third parties if:

• you have given your express consent in accordance with Art. 6 Sec. 1 sentence 1 lit. a GDPR,
• the disclosure is necessary in accordance with Art. 6 Sec. 1 sentence 1 lit. f GDPR for the assertion, exercise or defense of legal claims and there is no reason to assume that you have an overriding legitimate interest in not disclosing your data,
• there is a legal obligation for the transfer pursuant to Art. 6 Sec. 1 sentence 1 lit. c GDPR, or
• this is legally permissible and is necessary for the fulfilment of contractual relationships with you in accordance with Article 6 (1) sentence 1 lit. b GDPR.

Your personal data will only be passed on to service providers in a third country if the special requirements of Art. 44 et seq. GDPR are met. If and to the extent that the service providers are located in a third country, it is possible that either the servers of the respective service provider are located in the third country or that the servers are located in the EU, but in support cases they are accessed from a third country. Some third countries do not have a level of data protection equivalent to that of the EU, as authorities may have simplified access to personal data or that there are limited rights against such measures. If and to the extent that you give your consent, you expressly agree to the transfer of personal data to the respective third country.

Insofar as no express declaration of consent during the collection (e.g., in the context of a declaration of consent) storage period, the personal data of data subjects will be deleted insofar as they are no longer required to fulfil the purpose of storage, unless statutory retention obligations (e.g. commercial and tax retention obligations) preclude deletion.

You have the rights described below under the General Data Protection Regulation,. The exercise of these rights is free of charge for you. However, you may need to prove your identity with two factors. We will use reasonable efforts in accordance with our legal obligations to enforce your rights.

To exercise your rights, please contact us by any method The contact details can be found in the section "Contact with the Data Protection Officer" and the Imprint or Disclaimer page.

Right of access: You can request information from the controller about the personal data stored about you (Art. 15 GDPR). If you have direct access to your data via portals/self-service, the right to information is deemed to have been fulfilled.

Right to rectification: If your personal data is incorrect, you have the right to request its correction (Art. 16 GDPR).

Right to revoke the declaration of consent: If the processing of your data is based on your consent, you have the right to revoke it at any time in accordance with Article 7 (3) GDPR. The revocation does not affect the lawfulness of the processing carried out until then. You can declare a revocation in writing, by e-mail and, if necessary, within the scope of the service offered.

Right to object in the case of processing to safeguard legitimate interests: If we process your data to safeguard legitimate interests, you can object to this processing in accordance with Article 21 GDPR for reasons arising from your particular situation. We will then no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.

Right to erasure: Under the conditions set out in Article 17 GDPR, you have the right to request the deletion of your personal data. This is e.g., the case if you revoke a given consent or the data is no longer required for the purposes for which it was collected.

Right to restriction of processing: Under the conditions of Article 18 GDPR, you have the right to request a restriction of the processing of data concerning you.

Right to data portability: If you have provided us with personal data yourself, you have the right, in accordance with Article 20 GDPR, to request a transfer from us directly to another controller or to another organisation. Alternatively, you have the right to request that we ourselves provide you with the data in a machine-readable format. However, this only applies if we process your personal data on the basis of your consent or on the basis of a contract or in the context of contract negotiations and the processing is carried out using automated procedures.

Right to lodge a complaint: You have the possibility to lodge a complaint with the data protection officer referred to in this data protection declaration (contact details see above) or with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement.

In any case, you can contact: