1. Atheneum Partners
Atheneum Partners is a primary research service provider that facilitates decision makers with relevant market insights through expert network. We connect professionals across different industries and geographies into Atheneum Expert Network.
The controller responsible for the data Processing (Art. 4(7) GDPR) for all Processing activities listed below is:
Atheneum Partners GmbH
Telephone: +49 (0) 30 679 661 400
3.Contact details of the Data Protection Officer and Atheneum Compliance Office
Our data protection officer can be reached via post, telephone or email under the following contact details:
Mr. Benjamin Kühn
HC Plus Gesellschaft für Datenschutz UG (haftungsbeschränkt)
Telephone: +49 (0) 30 959 984 571
Also, you can reach directly Compliance Office of Atheneum Partners:
Mr. Timur Mansuraliev,
Director – Compliance Operations
4. Processing of Personal Data – General Rules
Atheneum Processes Personal Data in different ways. This Privacy Notice applies without exception for all operations, transactions, business processes, workflows, applications, tools, databases, electronic or physical files, communication, and documentation at Atheneum that have as their objective or subject matter, relate to or concern the Processing of Personal Data.
4.1 Basis for processing personal data
We Process Personal Data provided by Data Subjects if they communicate with us via emails, messengers, telephone, online apps, letters or other communication means.
Legal basis for the Processing can be the Data Subjects’ consent to the Processing for this specific purpose (Art. 6 (1)(a) GDPR). Data Subjects may withdraw their consent at any time. The withdrawal of consent will not affect the lawfulness of Processing based on consent before its withdrawal.
Furthermore, we also Process Personal Data (in the absence of consent), if this is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract (Art. 6 (1)(b) GDPR).
Also, we Process Personal Data of data subjects based on a legitimate interest that does not infringe or overrides interests, rights and freedoms of the data subject or preventing establishment, exercise or defence of legal claims. (Art. 6 (1)(f) GDPR).
Atheneum may receive personal data from its clients, business partners and vendors.
4.2 Specific Processing Activities
Further, this Privacy Notice provides information on the Processing of Personal Data concerning various categories of Data Subjects. In particular,
- Section 5 informs Users of the Atheneum Website about the Processing in the context of their use of the Atheneum Website,
- Section 6 informs Experts about Atheneum Processes their Personal Data,
- Section 7 concerns all Data Subjects whose Personal Data is Processed in the context of a business relationship with Atheneum,
- Section 8 informs Data Subjects about the Processing of their Personal Data in the context of virtual meetings and online conferences, and
- Section 9 informs Data Subjects about the Processing of their Personal Data in the context of events hosted or organized by Atheneum.
5.Processing in the context of the use of the Atheneum Website
In the context of the provision of the Atheneum Website, we Process Personal Data of persons that visit our Website (the “Users”). This includes inter alia Personal Data provided to us by the Users, e.g. via User’s page, a contact form, or data that are Processed automatically by our IT systems when a User visits the Atheneum Website.
If you are a User of the Atheneum Website, we Process your Personal Data as follows:
5.1 Log files
We automatically Process some technical data upon access of the Atheneum Website concerning our Users (collectively “Log files”). These are:
- Browser type and browser version,
- Operating system used,
- Referrer URL,
- Host name of the accessing computer,
- Time of the server request, and
- IP address.
Log files will not be combined with data from other sources.
We Process Logfiles for the future optimization of the Atheneum Website, data protection control, and data security based on our overriding legitimate interest to identify malfunctions, ensure the security of our systems and detect and respond to any attempts of unauthorized access (Art. 6(1)(f) GDPR).
We also process log files to ensure the proper functioning of and access to the Atheneum Website. Legal basis for the processing of the log files is the performance of the contract between the User and Atheneum regarding the provision of the Atheneum Website (Art. 6(1)(b) GDPR).
5.2 Contact form queries
We Process Personal Data that is provided to us by Users of the Atheneum Website via the contact form available there, and that is included in the subsequent correspondence between Atheneum and the User regarding the User’s query or any follow-up queries. This concerns, inter alia, contact details provided by the User.
Information provided via the contact form may be or may not be shared with third parties depending on Atheneum’s decision.
Legal basis for the Processing is the User’s consent (Art. 6(1)(a) GDPR). The User has the right to withdraw his or her consent at any time. The withdrawal of consent will not affect the lawfulness of Processing based on consent before its withdrawal.
5.3 Registration on the Platform (Expert Users)
Users can register an account on the Atheneum Website as “Expert Users” to become a member of Atheneum Expert Network and access additional functions offered on Atheneum’s technology platform (“Platform”). We process the registration data to create an Expert User account so that the User can access the Platform equipped with the access rights associated with the Expert User group.
The Personal Data Processed to create the Expert User account includes:
– full name
– email address(es)
– contact phone(s)
– spoken languages
– industry experience
For rendering payments under the projects, Atheneum also collects the following information:
– address, city, postal code, state, country
– paypal account or bank account/IBAN
– account owner name
– SWIFT / Routing Number
– bank name
– bank address, city, postal code, state, country
We Process any additional Personal Data that the Expert Users have provided in their account for the purpose of matching them with clients according to their profile of expertise and abilities.
The collected information will be used for engaging users for Atheneum projects, communication on projects and rendering relevant payments, as well as for sending newsletters. Names of the Users may be or may not be disclosed to Atheneum’s Clients depending on Atheneum’s decision.
Legal basis for the Processing is the performance of the contract between Atheneum and the respective Expert User regarding the use of Atheneum’s Platform (Atheneum Partners Expert Agreement) (Art. 6(1)(b) GDPR).
5.4 Use of the Platform
We Process log in data (email address and password) to enable Expert Users and Client Users to log in to the Platform using their respective accounts, and Process further Personal Data in the context of their use of the Platform.
Legal basis for the Processing is the performance of a contract between Atheneum and the respective Platform User regarding the use of Atheneum’s Platform (Art. 6(1)(b) GDPR).
5.5 Changes to the Platform
We Process the email address associated with an account to inform Platform Users about important changes to the Platform such as those within the scope of our site or of technical nature.
Legal basis for the Processing is the performance of a contract between Atheneum and the respective Platform User regarding the use of Atheneum’s Platform (Art. 6(1)(b) GDPR).
5.6 Leaving comments on the Atheneum Website
When User are logged in with their Platform User account at the time of the comment, we Process the user name and email address associated with their account.
We Process the Personal Data in case we find that a comment includes illegal or slanderous content in order to take action against the respective author. We do not, however, review the content of comments before they are published on the Atheneum Website. This Processing is based on our overriding legitimate interest to ensure compliance of the Atheneum Website’s content with applicable laws and enable the exercise of legal claims (Art. 6(1)(f) GDPR).
5.7 Provision of our newsletter
We Process Personal Data when a User subscribes to the newsletter offered on the Atheneum Website or though membership in Atheneum Expert Network. We process the email address submitted in the subscription form and use it (a) to verify that the subscriber is actually the owner of the email address, (b) obtain consent to the receipt of the newsletter from the owner of the email address (Double Opt-in), and (c) deliver the newsletter in case of a successful subscription, i.e. in case the requirements under (a) and (b) are met. After successful subscription we further Process Personal Data to analyze our newsletter campaigns and categorize the subscribers into certain clusters.
For instance, we Process Personal Data to see whether a newsletter message has been opened and, if so, which links may have been clicked. This enables us to determine, which links drew an extraordinary number of clicks. Moreover, we are also able to see whether once the email was opened or a link was clicked, any previously defined actions were taken (conversion rate). This allows us to determine whether a subscriber made a purchase after clicking on the newsletter.
Further, we divide the subscribers to our newsletter into various categories (i.e. to “clusters” of recipients). For instance, newsletter recipients can be categorized based on age, gender or place of residence. This enables us to tailor our newsletter more effectively to the needs of the respective target groups.
This Processing is based on the subscriber’s consent (Art. 6(1)(a) GDPR). This consent to the can be withdrawn at any time, for instance by clicking on the “Unsubscribe” link contained in each newsletter. The withdrawal of consent will not affect the lawfulness of the Processing based on consent before its withdrawal.
We may Process a subscriber’s email address after unsubscribing to prevent future mailings (blacklisting). The data from the blacklist is used only for this purpose and will not be merged with other data. This Processing is based on our overriding legitimate interest in complying with the legal requirements when sending newsletters (Art. 6(1)(f) GDPR). It also serves the interest of the Data Subject to not receive future mailings.
We will not share such data with any third parties within the meaning of Art. 4(10) GDPR.
6.Processing of Experts’ Personal Data
6.1 Search for Experts
We manually search for persons with specific expertise (“Experts”) and their contact details throughout the information available on Atheneum platform or Internet, inter alia from publicly accessible sources, and also use tools and other services for this purpose. In this context of searching for Experts we Process the Personal Data of persons to be considered as prospective Experts. This includes information such as name, profession, contact details, and employment status.
The Personal Data originate from the various sources, which include the following:
- professional social media networks, inter alia LinkedIn, Xing, Viadeo, Expertscape, ResearchGate, ZoomInfo, Maimai, Ushi, Tianjin. The list of professional networks is updated on a regular basis and supplemented with newly appeared social media networks,
- online publications,
- company websites,
- business directories,
- publication of conference participants,
- industry on-line forums,
- social networks,
- data aggregators
- contact data solutions providers
- our clients
Legal basis for this Processing is our overriding legitimate interest in offering our services of finding appropriate Experts for our clients (Art. 6(1)(f) GDPR), whereas the impact on the Data Subjects is rather low as we conduct the searches only within pools of information that are already publicly available.
6.2 Inclusion in Atheneum Platform and membership in Atheneum Expert Network
We Process Personal Data when we include and maintain our database of Experts on our Platform. This includes information such as name, job titles and company names, period of work there, professional background, contact details, country, city and spoken languages.
When an Expert registers an account on the Platform, we include their data in our Platform in the context of their registration and they become a member of Atheneum Expert Network. This is based on the necessity for the performance of the contract regarding the Expert’s joining of the Platform (the Atheneum Partners Expert Agreement) (Art. 6(1)(b) GDPR).
We also include data of Experts into the Platform that we have found in the search as described above under Section 6.1.
Any expert may terminate membership in the Atheneum Expert Network within 2 working days after sending a request to cancel the membership or to remove the expert from Atheneum Platform database. In this case, Atheneum removes the expert from Active database of experts, but keeps a record in blacklist (“do not contact” list), which is used to avoid any repetitive emailing to those experts, or who do not want to be become a member of Atheneum Expert Network.
Legal basis for this Processing is our overriding legitimate interest in maintaining a database of appropriate Experts which we can use to find Experts within the context of our services (Art. 6(1)(f) GDPR), whereas the impact on the Data Subjects is rather low as we only include information that was already publicly available or was provided by users with an Expert User account to the Atheneum Platform.
6.3 Contacting Experts
When we receive a client’s request for certain expertise, we Process Personal Data of Experts, such as name, postal or email address, and telephone number, to contact them for the purpose of ascertaining whether they are interested, suitable and available for the respective task, and if so, establish the contact with the requesting client, if they have previously consented to receive such communication from us. We further use the information provided by Experts via their Expert User account to the Platform to call them on the grounds of their assumed consent.
Legal basis for this Processing is our overriding legitimate interest in offering our services of finding appropriate Experts for our clients (Art. 6(1)(f) GDPR), whereas the Experts have an advantage in possibly being awarded the assignment.
When an Expert uses the “Refer a Colleague” option on the Atheneum Website, we process the personal data of the referring Expert (name and email address) and the referred Expert (name, title, company, email and telephone number) for the purpose of sending the referred Expert a recommendation of our services on the referring Expert’s behalf.
Legal basis for the Processing of the referring Expert’s personal data is their consent (Art. 6(1)(a) GDPR). Legal basis for the Processing of the referred Expert’s personal data is our overriding legitimate interest in offering our services of finding appropriate Experts for our clients and expanding our Platform (Art. 6(1)(f) GDPR).
6.5 Processing in the context of life science projects
We Process Personal Data of Experts in the context of projects relating to the life science sector, e.g. medical or pharmaceutical trials.
In case an Experts takes part in a life science research project for which the respective sponsor is obligated to issue reports about the project itself (e.g. adverse event reporting) or the details of the relationship with the Expert to supervisory authorities under applicable laws (e.g. the Physician Payments Sunshine Act), we will disclose Experts’ Personal Data to the sponsor for reporting purposes, if the Expert has consented to this Processing (Art. 6(1)(a) GDPR).
6.6 Consultation recordings
In case of virtual consultations by an Expert, we will share audio or video recordings of the consultation with our clients, if the Expert has consented to this Processing (Art. 6(1)(a) GDPR).
We Process Experts’ payment details to renumerate them for services rendered within their use of Atheneum’s Platform. This is based on the necessity for the performance of a contract regarding the Expert’s consultation services (Atheneum Partners Expert Agreement) (Art. 6(1)(b) GDPR).
7.Processing in the context of a business relationship
If you are in a business relationship with us, for example if you are a customer, prospect, partner or vendor of Atheneum or if you are personnel thereof, the following applies to the Processing of your Personal Data:
In the context of a business relationship with a client, prospect, partner or vendor we Process the Personal Data related to the client, prospect, partner or vendor themselves, where applicable, and their respective personnel that we interact with for the purpose of communication, transactions, orders, Client User account management, and any other activities related to our respective business relationship. The Personal Data concerned includes inter alia name, profession, contact details, name of employer and business address.
The Processing is carried out for the performance of a contract between Atheneum and the client, prospect, partner or vendor, or between the client or vendor and their personnel or in order to take steps at the request of the Data Subject prior to entering into a contract (Art. 6(1)(b) GDPR).
We also Process Personal Data in business relationships based on our overriding legitimate interest to build and strengthen our business relationships (Art. 6(1)(f) GDPR), whereas the impact on the Data Subjects is relatively low, as we only process Personal Data that was provided in a professional context.
7.2 Customer relationship management (CRM)
We Process Personal Data related to the customers, prospects, partners, and vendors, where applicable, and their respective personnel that we interact with, for the purpose specifies above by using market standard CRM systems and tools.
8.Virtual meetings and online conferences
We use third-party service provider video conferencing tools to run virtual meetings. In the context of the execution and organization of virtual meetings and online conferences we inter alia Process name, email address, and potentially the phone number of potential attendees, , as well as recordings of the meeting or conference, if the attendees have consented to the recording. In the event such Personal Data is shared with the video conferencing tool service provider, we enter into a data Processing agreement to ensure the service provider is acting upon our instructions and in line with applicable data protection and privacy laws.
Where the virtual meetings and online conferences are based on a mutual agreement with the attendees, the Processing is based on its necessity to perform a contract to which the Data Subject is party (Art. 6(1)(b) GDPR). In all other cases the legal basis for the Processing is our overriding legitimate interest in conducting our meetings virtually (Art. 6(1)(f) GDPR).
In the context of the execution, organization, and hosting of events, we inter alia Process name, email address, phone number, job titles and company names, period of work there, professional background, contact details, country, city and spoken languages of potential attendees, as well as video or audio recordings of the event, if the attendees have consented to the recording.
Legal basis for the Processing is the attendees’ consent (Art. 6(1)(a) GDPR).
10.Categories of data recipients
We share Personal Data of Data Subjects with the following categories of recipients:
10.1 Atheneum subsidiaries
We share Personal Data Processed via the Platform internationally with other Atheneum companies, all of which wholly owned subsidiaries of Atheneum. This Processing of Personal Data is based on our overriding legitimate interest in offering our services of finding appropriate Experts for our clients worldwide in line with global demand and the interconnectedness of the international market and research landscape (Art. 6(1)(f) GDPR).
10.2 Service Providers
Recipients of the Personal Data Processed by us include our service providers, e.g. IT service providers and vendors (“Service Providers”). We share Personal Data with these Service Providers that is necessary for the provision of their services.
Some of the Service Providers Process the Personal Data on our behalf and in accordance with our instructions, acting as our processors. We have concluded data processing agreements (Art. 28(3) GDPR) with all our processors to ensure an appropriate level of data protection within the context of their service provision to Atheneum.
Our service providers include the following:
- Website hosting
We use Amazon Web Services, Inc., 410 Terry Avenue North, Seattle WA 98109-5210, USA, (“AWS”) as a sub-processor to host the Atheneum Website.
The Personal Data Processed on our behalf includes inter alia: IP addresses, contact requests, metadata and communications, contract information, contact information, names, web page access, and other data generated through a website.
The data is only stored in a certified German data center (Frankfurt / Main). The data will not be replicated or mirrored at data centers located outside the European Economic Area.
For further information on the transfer of personal data see Section 11.
- Newsletter feature
We use the services of Sendinblue GmbH, Köpenicker Straße 126, 10179 Berlin, Germany (“Sendinblue”), for the sending and organising of newsletters as well as analytics in relation to newsletter reach as described in Section 5.7.
Sendinblue’s servers are located in Germany.
- Customer relationship management (CRM)
We use the services HubSpot, Inc., 25 First Street, 2nd Floor, Cambridge, MA 02141 USA (“HubSpot”) for the provision of our CRM system.
- Translation and Transcription Agencies
We use the services of various translation and transcription agencies to provide our clients with consultation advice in their local or required language.
- Analytics and advertising
Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, (“Google”) provides us with its web analytics services Google Analytics and Google reCAPTCHA for the Atheneum Website. In this context, Google and Atheneum act as joint controllers (Art. 26 GDPR).
For further information on the transfer of personal data see Section 11.
- Online Conferences
For the provision of online conferences, we use the service provided by Zoom Video Communications, Inc., San José, California, USA (“Zoom”). In this context, Zoom and Atheneum have entered into a data processing agreement (Art. 28 GDPR) to govern the Personal Data Processing.
For further information on the transfer of Personal Data see Section 11.
10.3 Authority requests
We share Personal Data with competent authorities, including courts of law, upon request if necessary for compliance with a legal obligation to which we are subject (Art. 6(1)(c) GDPR) or based on our overriding legitimate interest in the establishment, exercise or defence of legal claims, e.g. in litigation (Art. 6(1)(f) GDPR).
10.4 Mergers and acquisitions
In the event of a merger or acquisition of our company with or by another company, we will share Personal Data with the other company, inter alia for due diligence purposes, where we have an overriding legitimate interest in doing so, and in line with applicable laws (Art. 6(1)(f) GDPR).
In some cases, we transfer Personal Data protected by the GDPR to countries that are not members of the European Union (“EU”) or the European Economic Area (“EEA”) (“Third Countries”). This transfer is subject to suitable safeguards guaranteeing a level of data protection not undermining the data protection level under the GDPR.
In particular, we will transfer Personal Data only where the Third Country, a territory or one or more specified sectors within that Third Country has been found to ensure an adequate level of protection by the European Commission in an “Adequacy Decision” (Art. 45 GDPR). A list of Third Countries for which the European Commission has issued Adequacy Decisions can be found on its website, here: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en.
If an Adequacy Decision does not exist, we will transfer Personal Data only to a Third Country if other appropriate safeguards, such as Standard Contractual Clauses (“SCCs”) (Art. 46(2)(c) GDPR), apply.
When transferring Personal Data to a Third Country on the basis of SCCs, we will assess on a case-by-case basis if the Third Country provides an adequate level of data protection, taking into account the circumstances of the transfer as well as appropriate supplementary measures. We will transfer Personal Data only if we find that an adequate level of data protection is ensured.
We retain Personal Data only for as long as necessary for the specific purpose of the processing. For individual retention periods in specific use cases see Sections 12.1 to 12.2 below.
In some cases we are obliged by law to retain Personal Data for a longer period, e.g. for tax and bookkeeping purposes. We then retain the Personal Data for as long as is required by law.
12.1 Retention of Experts’ Data
We retain Experts’ Personal Data processed for the purpose to maintain their membership in the Atheneum Expert Network for the performance of respective contracts to which the experts are a party as described in Section 5.3. Also, Atheneum retains Personal Data of experts to maintain Atheneum Database as described in section 6.2, which is used for rendering Atheneum services. For both cases, Atheneum retains Personal Information of experts until experts have a membership in Atheneum Expert Network or until they request to be unsubscribed or to be removed from Atheneum mailing lists solicitating to participate in Atheneum projects.
After cancelation of the membership or unsubscribing the email address may be stored by us or the newsletter service provider in a blacklist indefinitely to prevent future mailings.
We retain Applicant data for as long as is necessary for the pending job application process and for an additional term of two years during which the Applicant data may be required to clarify issues or settle claims related to the application process.
12.2 Retention of Logfiles
Where Personal Data is stored in Logfiles, we retain these Personal Data no longer than two years.
13.Data Subject rights
If you are a Data Subject regarding the Processing activities described in this Privacy Notice, you have the following rights:
13.1 Right of access
Data Subjects have the right to obtain from the controller confirmation as to whether or not Personal Data concerning them are being Processed, and, where that is the case, access to the Personal Data and certain information (Art. 15 GDPR).
13.2 Right to rectification
Data Subjects have the right to obtain from the controller without undue delay the rectification of inaccurate Personal Data concerning them (Art. 16 GDPR).
13.3 Right to erasure (“right to be forgotten”)
Data Subjects have the right to obtain from the controller the erasure of Personal Data concerning them without undue delay if and to the extent that the Personal Data are no longer necessary in relation to the purposes for which they were Processed, the Data Subject withdraws consent on which the Processing is based and where there is no other legal ground for the Processing. In addition, deletion will be conducted if, the Data Subject objects to the Processing and there are no overriding legitimate grounds for the Processing, the Personal Data have been unlawfully Processed, or the Personal Data have to be erased for compliance with a legal obligation in the EU or Member State to which the controller is subject (Art. 17 GDPR).
13.4 Right to restriction of Processing
Data Subjects have the right to obtain from the controller a restriction of the Processing if the Data Subject contests the accuracy of the Personal Data or if the Processing is unlawful and the Data Subject opposes the erasure of the Personal Data and requests the restriction of their use instead. Also, the Processing will be restricted if the controller no longer needs the Personal Data for the purposes of the Processing, but they are required by the data subject for the establishment, exercise or defence of legal claims. We also restrict the Processing if the Data Subject concerned has objected to Processing pending the verification whether the legitimate grounds of the controller override those of the Data Subject (Art. 18 GDPR).
13.5 Right to data portability
Data Subjects have the right to receive the Personal Data concerning them, which they have provided to a controller, in a structured, commonly used and machine-readable format. Also, they have the right to transmit those data to another controller without hindrance from the controller to which the Personal Data have been provided. This applies where the Processing is based on consent or on a contract and the Processing is carried out by automated means (Art. 20 GDPR).
13.6 Right to object
Data Subjects have the right to object, on grounds relating to their particular situation, at any time to Processing of Personal Data concerning them which is based on a task carried out in the public interest or on a legitimate interest. The controller will no longer Process the Personal Data in case of such objection unless the controller demonstrates compelling legitimate grounds for the Processing which override the interests, rights and freedoms of the Data Subject or for the establishment, exercise or defence of legal claims (Art. 21 GDPR).
13.7 Right to withdraw consent
Where the Processing is based on the Data Subject’s consent, they have the right to withdraw their consent at any time. The withdrawal of consent will not affect the lawfulness of Processing based on consent before its withdrawal.
13.8 Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, every Data Subject has the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the Data Subject considers that the Processing of Personal Data relating to him or her infringes the GDPR (Art. 77(1) GDPR).
14.Amendments to this Privacy Notice
We may amend this Privacy Notice from time to time to reflect legal or factual changes. Please be advised to regularly inform yourself of any such changes. We will always keep an up to date version of the Privacy Notice available on this page.
Last updated: 13.07.2022