Immatics N.V. Data Privacy Notice
Thank you for visiting our website. This Privacy Policy informs you about the collection, storage and other processing of your personal data, as well as your related rights, when you visit our website at www.immatics.com (“Website”) and use its various functionalities and services. It also explains which cookies we use, for what purposes they are used, and what choices you have to control the use of cookies. In this context, personal data are all data that can be used to identify you personally.
I. Who is responsible for data processing and whom can you contact?
This Website is a joint project of the parties named below, who have agreed that the controllers shall jointly share responsibility for the Website. This also applies to the processing of your personal data. Within the scope described below, the controllers are therefore jointly responsible for processing your personal data (Article 26 GDPR).
The joint controllers within the meaning of Article 26 GDPR are:
- Immatics Biotechnologies GmbH, Paul-Ehrlich-Str. 15 – 19, 72076 Tuebingen, Germany (hereinafter Immatics Germany)
- Immatics US, Inc. 13203 Murphy Road Stafford, TX 77477, USA (hereinafter Immatics USA)
You can contact Immatics Germany and Immatics USA by e-mail at info@immatics.com.
If you have any questions about data protection regulations, please contact our Data Protection Officers using the following contact details:
DPO of Immatics Germany: data-privacy@immatics.com
DPO of Immatics USA: data-privacy@immatics.com
In the context of our responsibility for data protection, we have agreed on which obligations arising from the GDPR each controller will fulfill. This applies in particular to protecting the rights of data subjects and the information to be provided to data subjects as per Articles 13 and 14 GDPR.
II. General information about data processing
- Extent of data processing
In general, if you visit our Website and use its functionalities and services, only those data are collected that we require to provide the Website and its functionalities and perform our services. Should we request further data from you, the provision of such information will be voluntary. Personal data are processed exclusively in the performance of the services requested and to protect our legitimate business interests.
In order to protect your data against unauthorized access, we use an encryption process on our Website. Your data are transferred from your computer to our server and back via the internet using 256-bit TLS (Transport Layer Security) encryption. You can recognize this from the lock symbol in the status bar of your browser and the fact that the address starts with https://.
- Legal basis for processing personal data
The legal basis for us to process your personal data is provided by:
- Article 6(1)(a) GDPR – you have given us your consent
- Article 6(1)(b) GDPR – data processing is necessary for the conclusion or performance of a contract
- Article 6(1)(c) GDPR – we have a legal obligation to collect the data
- Article 6(1)(f) GDPR – we have a legitimate interest in processing the data and our interests override your interests and rights and freedoms
- Storage duration / deletion of data
As a matter of principle, we delete or block all personal data as soon as the purpose for storage no longer exists. If we have a legal obligation to retain data, such data will not be blocked or deleted until after expiration of the mandated retention period, unless the continued retention of the data is necessary for the conclusion or performance of a contract or necessary for the establishment, exercise or defence of legal claims. In Germany, retention and documentation obligations may in particular derive from the German Commercial Code (Handelsgesetzbuch – HGB) and the German Fiscal Code (Abgabenordnung – AO). The retention periods for data and documentation described in these codes range from six to a maximum of ten years. Ultimately, the storage duration may also be dictated by limitation periods, which in Germany are usually three years as per Section 195 of the German Civil Code (Bürgerliches Gesetzbuch – BGB).
- Recipients of the data collected
To provide this Website and its functionalities and services, we use the services provided by processors (web hosters, technical support). These processors may have access to the data collected via our Website, however they only process the data on our behalf and based on our instructions. This is ensured by way of binding data processing agreements concluded with these processors.
To the extent necessary, we may also disclose your data to courts, law enforcement agencies, and other authorities and public bodies where this is necessary to comply with legal or regulatory requirements, or to establish, exercise or defend legal claims.
- Transfer of data to other countries
In certain cases, the aforementioned recipients may be located in countries outside the European Union (EU) and the contracting states of the European Economic Area (EEA), so called “Third Countries”. The laws of these countries may not ensure a level of data protection as determined to be adequate by the European Commission based on an adequacy decision. In these cases, we have put into place adequate and appropriate measures to ensure that your data will be protected appropriately also by the recipients in Third Countries and that the level of data protection does not fall below the level required by European laws (e.g., by concluding EU Standard Contractual Clauses and implementing supplementary measures).
As Immatics USA is headquartered in the USA, a country outside the European Union, the joint data processing involves data processing in a Third Country that may not ensure a level of data protection as determined to be adequate by the European Commission based on an adequacy decision. We have put into place adequate and appropriate measures to ensure that your data will be protected appropriately and that the level of data protection does not fall below the level required by European laws (e.g., by concluding EU Standard Contractual Clauses and implementing supplementary measures).
For more information on the recipients of your data, the Third Countries concerned and the measures implemented by us to protect your data, and in order to receive a copy of these measures, please contact us at the contact details set out in Section 1.
- Profiling / automated decision-making
We do not perform any profiling or automated decision-making as defined by the GDPR.
- Obligation to provide data
By visiting our Website, you have no legal or contractual obligation to provide personal data. However, if you do not provide the personal data required for the use of our Website, this may mean that we can only provide our services to a limited extent or not at all.
III. Data processing when visiting our Website
- General
1.1. Extent of data processing
Each time our Website is visited, our system – which is administered solely by Immatics Germany and hosted in Germany – automatically records data and information about the computer system making the call.
The following data are recorded:
(1) Information about the browser type and the access provider used
(2) The user’s operating system
(3) The IP address of the computer making the call
(4) Date, time and duration of access
(5) Website from which the user accessed our Website (referrer URL)
(6) Name and URL of the Website visited
These data are also stored in the log files (records of all or certain processes on a computer system) on our system. These data are not stored together with other personal data about you.
1.2. Legal basis for processing data
The legal basis for temporarily storing data and log files is found in Article 6(1)(f) GDPR and Article 6(1)(c) GDPR in case we are obliged to provide the necessary data to law enforcement agencies in the event of a cyber attack for prosecuting purposes.
1.3. Purpose of processing data
The purpose of the processing is the technical provision of our Website and to ensure the security of our information technology systems and the possibility of providing law enforcement authorities with the information necessary for criminal prosecution in the event of a cyber attack.
These purposes constitute our legitimate interest in processing data as per Article 6(1)(f) GDPR. Please note that in certain instances the data collected when you are visiting our Website or stored in the log files may be transferred to Immatics USA, such as in instances where required for certain regulatory or legal reasons.
1.4. Storage duration
The data collected are generally deleted as soon as they are no longer required for the purpose for which they were collected. The data stored in log files will be deleted after 14 days, unless further storage is necessary to comply with our legal obligations and/or to establish, exercise or defend legal claims.
- Use of cookies
2.1. Extent of data processing
A cookie is a small unit of information stored on your computer or mobile device by a server, and only that server can retrieve or read the contents of the cookie. Most websites use cookies to enhance the user experience by allowing the site to “remember” you – either for the duration of your visit (using a “session cookie”) or for repeat visits (using a “persistent cookie”). Cookies perform many different tasks, such as enabling efficient navigation between pages, storing your preferences, and generally improving your experience with a website. Cookies make the interaction between you and the website faster and easier.
The user data collected by technically necessary cookies are not used to create user profiles. However, our Website also uses cookies that enable us to analyze users’ browsing behavior. More information can be found under “Google Analytics” in this Privacy Policy.
Cookie consent using Borlabs
To manage technically unnecessary cookies in compliance with data protection laws, we use the software solution from Borlabs GmbH, Hamburger Str. 11, 22083 Hamburg, Germany. When you visit our Website, an essential cookie is stored in your browser to record your cookie consent or the withdrawal of that consent. These data are not transferred to the software provider.
We use Borlabs GmbH to generate a cookie banner for you to give your consent to the use of cookies. The first time you visit www.immatics.com, the cookie banner informs you about the use of cookies and asks for your consent to their use. Until you give your consent, all non-essential cookies used on our Website will be blocked automatically. The cookie banner also gives you the option to decline unwanted cookies but still continue to use the Website.
If you give your consent via the cookie banner, the following data will be recorded automatically:
- Cookie lifetime
- Cookie version
- Date and time of consent
- Website domain and link
- UID (randomly generated ID)
- End-user’s consent status, which serves as verification of acceptance
The consent you have given is automatically deleted from the log after 12 months and at most will then only be used in aggregated and anonymized form for statistical purposes.
You can withdraw the consent you have given at any time.
2.2. Legal basis for processing personal data
We use cookies that are strictly necessary, as well as cookies that are not strictly necessary. Your consent is not required for the use of strictly necessary cookies in accordance with Section 25(2) No. 2 German Telecommunication-Digital-Services-Data Protection Act (Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz – TDDDG).
The processing of any personal data contained in these strictly necessary cookies is based on our overriding legitimate interest in providing a technically flawless and secure operation and smooth functionality of our Website (Article 6(1)(f) GDPR).
The use of non-essential cookies only takes place if you give your consent (Section 25(1) TDDDG and Article 6(1)(a) GDPR). Your consent is voluntary and can be given or withdrawn at any time for the future by accessing the cookie settings. The withdrawal of your consent does not affect the lawfulness of the processing based on your consent before its withdrawal. You can also generally disable the use of cookies in your browser. Please note that this may affect the functionality of our Website.
2.3. Purpose of processing data
The purpose of using strictly necessary cookies is to offer a technically flawless and secure operation of our Website and the smooth functioning of our Website and its functionalities and services. Some functions of our Website cannot be offered without the use of such strictly necessary cookies. We do not use the data collected via strictly necessary cookies to create user profiles.
Analytical cookies are used to improve the quality of our Website and its content. They show us how the Website is used, thus enabling us to continuously improve our online presence.
The purpose of the analytical cookies is further described in Section 3 of this Privacy Policy.
2.4. Storage duration; opt-out and removal option
Cookies are saved on your computer or mobile device. The default storage duration of each cookie is shown in the cookie settings. However, you as the user have full control over the use of cookies. You can control your cookie preferences for our Website using our cookie settings. You also can change your internet browser settings to disable or limit the transmission of cookies. Previously saved cookies can be deleted from your computer or mobile device by you at any time. This may also be done automatically. However, if you delete or disable cookies for our Website, this may affect the functioning of the Website and its functionalities and services.
You can also prevent the storage of cookies through a setting in your browser software (e.g., by using the “incognito mode”). Once you close an incognito browsing session, the cookies will automatically be deleted. However, please note that this may affect the functioning of the Website and its functionalities and services in case you visit the Website again.
- Web analytics / Google Analytics
3.1. Extent of data processing
We use Google Analytics to analyze browsing behavior on our Website. This service is provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, for users located in the EU/EEA, and by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, for users located outside the EU/EEA.
Google Analytics involves the use of cookies on your computer or mobile device. Google Analytics does not log or store your IP address to measure and report statistics about your interactions with the Website. However, your IP address is processed to provide a coarse geo-location by deriving the following metadata from your IP address:
- City (and the derived latitude, and longitude of the city),
- Continent,
- Country,
- Region,
- Subcontinent (and ID-based counterparts).
For EU-based traffic, your IP-address is used solely for geo-location data derivation before being immediately discarded. It is not logged, accessible, or used for any additional use cases.
When Google Analytics collects measurement data, all IP lookups are performed on EU-based servers before forwarding traffic to Google Analytics servers for processing. However, the use of Google Analytics may still involve data transfers to Google LLC (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA). Google LLC is certified under the EU-U.S. Data Privacy Framework.
More information on the handling of data when using Google Analytics can be found here: Safeguarding your data – Analytics Help
3.2. Legal basis
The legal basis for the use of analytical tools derives from Article 6(1)(a) GDPR (the consent you give us via our cookie banner).
3.3. Purpose of processing data
By processing your personal data with analytical tools, we can analyze your browsing behavior. By analyzing the data we collect, we can understand how the individual components of our Website are used and thus constantly optimize and customize our online presence.
We also use Google Analytics in our own economic interests.
3.4. Storage duration; opt-out and removal option
Cookies are saved on your computer or mobile device. The default storage duration of each cookie is shown in the cookie settings. However, you as the user have full control over the use of cookies. You can control your cookie preferences for our Website using our cookie banner. You also can change your internet browser settings to disable or limit the transmission of cookies. Previously saved cookies can be deleted from your computer or mobile device by you at any time. This may also be done automatically.
You can also prevent the storage of cookies through a setting in your browser software (e.g., by using the “incognito mode”). Once you close an incognito browsing session, the cookies will automatically be deleted. In addition, Google Analytics supports a browser add-on that disables measurements by Google Analytics once installed and enabled. The browser add-on can be found here: Google Analytics Opt-out Browser Add-on Download Page
- Contact
4.1. Extent of data processing
Our Website provides you with our contact details that enable you to contact us via email, phone or fax, or post. If you contact us, the content and circumstances (e.g., date and time) and any additional information you may provide will be processed by us.
If you contact us by emailing info@immatics.com, your personal data sent with the email will initially only be stored by Immatics Germany and subsequently will be forwarded to the relevant contact person, who may also be at Immatics USA.
If you contact us by fax or phone, your phone number will be stored by the recipient of that message and may also be forwarded to the relevant contact person at Immatics Germany or Immatics US.
If you contact us by postal service, your address will be stored by the recipient of that message and may also be forwarded to the relevant contact person at Immatics Germany or Immatics US.
These contact data will only be used to process the conversation or query, unless further processing is necessary to comply with a legal obligation or to establish, exercise or defend legal claims.
4.2. Legal basis for processing data
The legal basis for processing these data derives from Article 6(1)(f) GDPR. If the purpose of the contact is to conclude a contract, Article 6(1)(b) GDPR applies.
4.3. Purpose of processing data
We process the personal data provided when you contact us to process the conversation or query or to comply with a legal obligation or to establish, exercise or defend legal claims. This also constitutes our legitimate interest. As you initiate the contact at your own discretion and we inform you in advance what we do with the data you provide, our legitimate interest therefore overrides your personal rights.
4.4. Storage duration
The data are deleted as soon as they are no longer needed for the purpose for which they were collected, unless further storage is necessary to comply with a legal obligation or to establish, exercise or defend legal claims.
In the case of personal data provided by email or fax, this generally happens once the conversation with you has ended. The conversation is considered to have ended when it is apparent that the matter raised has been fully clarified.
We save calls in our telephone system for 30 days.
4.5. Opt-out and removal option
At any time, you may opt against the storage of your personal data. In such a case, the conversation cannot be continued. The opt-out can be communicated by email or mail. We will then delete all personal data stored during the contact, unless further storage is necessary to comply with a legal obligation or to establish, exercise or defend legal claims.
There is no opt-out option if data have been collected in the context of a contractual relationship as these data are necessary for the performance of the contract.
IV. Social media links
On our Website we provide links to various social media channels. These are merely links to the external websites of third-party social media providers. They are not plug-ins. Therefore, when you visit our Website, no connections are established, and no data are transferred to those third-party social media providers. When you click on the button with the provider’s logo, you will be routed to that provider’s website and our social media channel on this social media platform.
In connection with our social media channel, we may receive statistical evaluations from the providers of the respective social networks about the users of the social network and their interactions on our social media channel.
For this purpose, the providers of the social networks collect your personal data and use cookies and similar tracking technologies (e.g. pixels) to collect information about your use of our social media pages. From this data, the providers of the social networks create aggregated analysis data, which is made available to us exclusively in anonymized form. We do not have any access to the underlying personal data. Unless otherwise stated below, the respective providers of the social networks are independently responsible for the processing of your data.
Instagram provides us with so-called Page Insights. These are created as aggregated analytics data by Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Meta”) based on the data you provide in your Instagram profile (e.g., demographic information, interests, etc.) as well as any usage data that Meta collects about your interaction with our Instagram page, and are made available to us in anonymized form. With regard to the processing of your personal data for the creation and provision of Page Insights with regard to our social media channel, we and Meta act as joint controllers (within the meaning of Art. 26 GDPR). In this respect, Meta has committed itself to us to assume responsibility for the processing of Page Insights data and the fulfilment of your rights under the GDPR (see Section V) and to provide you with the essence of the Joint Controller Arrangement applicable to this purpose.
For more details on Meta’s processing of your data on the Instagram platform, please refer to Instagram’s privacy policy (https://privacycenter.instagram.com/policy/). The legal basis for the processing of your data within the framework of the joint controllership is the legitimate interests of Meta and us in determining user behaviour and preferences (e.g. statistical information about interactions of certain user groups with individual page areas or user statistics by age, geography and language) in order to identify the target groups with whom we wish to get in touch, as well as the groups of people who use our products and services and to better understand the people who interact with our content and websites, products and services, and in order to adapt and improve the offer and content on our social media channels as target group-oriented as possible (Art. 6(1)(f) GDPR).
The legal basis for Meta’s possible collection of user behavior by means of cookies or similar tracking technologies is your prior consent (Section 25(1) TDDDG). You can withdraw your consent at any time with effect for the future (see Instagram’s cookie policy https://privacycenter.instagram.com/policies/cookies/).
LinkedIn provides us with so-called Page Insights. These are created as aggregated analytics data by LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland (“LinkedIn”) based on the data you provide in your LinkedIn profile (e.g., job description, country, industry, seniority, company size, etc.) as well as any usage data that LinkedIn collects about your interaction with our LinkedIn page, and are made available to us in anonymized form. With regard to the processing of your personal data for the creation and provision of Page Insights with regard to our social media channel, we and LinkedIn act as joint controllers (within the meaning of Art. 26 GDPR). In this respect, LinkedIn has committed itself to us to assume responsibility for the processing of Page Insights data and the fulfilment of your rights under the GDPR (see Section V) and to provide you with the essence of the Joint Controller Arrangement (https://legal.linkedin.com/pages-joint-controller-addendum) applicable to this purpose.
For more details on LinkedIn’s processing of your data, please refer to LinkedIn’s privacy policy (https://www.linkedin.com/legal/privacy-policy). The legal basis for the processing of your data within the framework of the joint controllership is the legitimate interests of LinkedIn and us in determining user behaviour and preferences (e.g. statistical information on interactions of certain user groups with individual page areas or user statistics by age, geography and language) in order to adapt and improve the offer and content on our social media channels as target group-oriented as possible (Art. 6(1)(f) GDPR).
The legal basis for LinkedIn’s possible collection of user behavior by means of cookies or similar tracking technologies is your prior consent (Section 25(1) TDDDG). You can withdraw your consent at any time with effect for the future (see LinkedIn’s cookie policy https://de.linkedin.com/legal/cookie-policy; for more information on how to manage cookies, see https://www.linkedin.com/help/linkedin/answer/125463 as a LinkedIn member and https://www.linkedin.com/mypreferences/g/guest-cookies as a visitor). When you click on the button marked “in”, you will be taken to the website of LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland. You will find data privacy information here: https://www.linkedin.com/legal/privacy-policy?_l=de_DE
V. Data processing in the context of customer, supplier and service provider relationships
- Extent of data processing
We store and process personal data we receive in the context of customer, supplier and service provider relationships. As a rule, these include data such as the contact person (name), contact data (address, phone number, email address) and the function and position of the contact person.
- Legal basis for processing data
The legal basis derives from Article 6(1)(f) GDPR and, insofar as we have a legal obligation to store data, Article 6(1)(b) GDPR.
- Purpose of processing data
The purpose of processing the data is to establish, operate and manage business relationships.
- Storage duration
The data are deleted as soon as the purpose of processing the data no longer exists. In the case of business relationships, this is usually when the collaboration ends, unless we have a legal obligation to retain the data.
- Recipients of the data
The data controllers are the recipients of the data. If we contract external service providers to perform contracts in respect of business relationships, data will only be transferred if this is permitted by law (e.g., by way of processing agreements).
VI. Your rights as the data subject
If your personal data are processed, you are the data subject within the meaning of the GDPR and you therefore have the rights summarized below.
You have the right, subject to and in accordance with applicable law:
- to obtain information on your personal data processed and to obtain a copy of such data (right of access, Article 15 GDPR);
- to obtain the rectification of any inaccurate personal data and, taking into account the purposes of the processing, to have incomplete personal data completed (right to rectification, Article 16 GDPR);
- if there are legitimate grounds, to obtain the erasure of your personal data (right to erasure, Article 17 GDPR);
- to obtain the restriction of the processing of your personal data, if the legal requirements are met (right to restriction of processing, Article 18 GDPR); and
- if the legal requirements are met, to receive the personal data provided by you in a structured, commonly used and machine-readable format and to transmit this data to another controller or, where technically feasible, to have it transmitted by us (right to data portability, Article 20 GDPR).
You further have the right to object at any time, in accordance with the statutory provisions, to the processing of your data, which is necessary for the purposes of our or a third party’s legitimate interests, on grounds relating to your particular situation (right to object, Article 21 GDPR). If your personal data is processed by us for direct marketing purposes, you have the right to object to this processing at any time, without any special reason.
If the data processing is based on your consent, you can withdraw the consent at any time, without affecting the lawfulness of processing of your data based on your consent before the withdrawal.
Immatics Germany serves as the point of contact for the exercise of your rights. In order to exercise your rights, including the withdrawal of your consent, please contact Immatics Germany or our DPO using the contact details set out in Section 1. You are free to also exercise your rights against Immatics USA.
Without prejudice to any other remedies, you also have the right to lodge a complaint with a supervisory authority at any time (Article 77 GDPR).
VII. Data security
We deploy technical and organizational security measures to protect data concerning you that we have recorded against manipulation, loss, destruction or access by unauthorized persons. We are continually adapting our security measures to reflect the current state of the art.
If you send attachments to us by email, we recommend that you apply encryption. In such a case, you can notify us of the password by phone.
VIII. Right of modification
We reserve the right to modify this data privacy notice to conform with current legal requirements. When you again visit our internet presence, the updated data privacy notice as published shall apply.