Immatics N.V. Data Privacy Notice

Thank you for visiting our website. Below we would like to inform you on how your personal data is processed while visiting www.immatics.com. In this context, personal data are all data that can be used to identify you personally.

I. Who is responsible for data processing and whom can you contact?

This website is a joint project of the parties named below, who have agreed that the controllers shall jointly share responsibility for the website. This also applies to the processing of your personal data. Within the scope described below, the controllers are therefore jointly responsible for protecting your personal data (Article 26 GDPR). When a website is operated jointly, the disclosure of data between the named companies (as the joint controllers) is not considered to require justification.

Joint controllers within the meaning of Article 26 GDPR are:

  1. Immatics Biotechnologies GmbH, Paul-Ehrlich-Str. 15, 72076 Tuebingen, Germany (hereinafter Immatics Germany)
  2. Immatics US, Inc. 2201 West Holcombe, Suite 205, Houston, TX 77030, USA (hereinafter Immatics USA)

If you have any questions about data protection regulations, please contact our Corporate Data Protection Officer:

Edward Sturchio at data-privacy@immatics.com

In the context of their responsibility for data protection, the above-mentioned controllers have agreed on which obligations arising from the GDPR each will fulfill. This applies in particular to protecting the rights of data subjects and the information to be provided to data subjects as per Articles 13 and 14 GDPR.

You will find further information about our company, its authorized representatives and other contact options in our imprint at https://immatics.com/imprint/ and in the imprint of the group company advertising the vacancy.

II. General information about data processing

   1. Extent of data processing

In general, if you use our services, only those data are collected that we require to perform such services. Should we request further data from you, the provision of such information will be voluntary. Personal data are processed exclusively in the performance of the services requested and to protect our legitimate business interests.

In order to protect your data against unauthorized access, we use an encryption process on our website. Your data are transferred from your computer to our server and back via the internet using 256-bit TLS (Transport Layer Security) encryption. You can recognize this from the lock symbol in the status bar of your browser and the fact that the address starts with https://.

   2. Legal basis for processing personal data

The legal basis for us to process your personal data is provided by:

  • Article 6(1)(a) GDPR – you have given us your consent
  • Article 6(1)(b) GDPR – data processing is necessary for the conclusion or performance of a contract
  • Article 6(1)(c) GDPR – we have a legal obligation to collect the data
  • Article 6(1)(f) GDPR – we have a legitimate interest in processing the data and our interests override your rights and freedoms

Moreover, we have concluded a joint controller agreement as per Article 26 GDPR.

   3. Storage duration / deletion of data

As a matter of principle, we delete or block all personal data as soon as the purpose for storage no longer exists. If we have a legal obligation to retain data, such data will not be blocked or deleted until after expiration of the mandated retention period, unless the continued retention of the data is necessary for the conclusion or performance of a contract. In Germany, retention and documentation obligations may also derive from inter alia the Civil Code (Bürgerliches Gesetzbuch – BGB), the Commercial Code (Handelsgesetzbuch – HGB) and the Fiscal Code (Abgabeordnung – AO). The retention periods for data and documentation described in these codes range from two to a maximum of ten years. Ultimately, the storage duration is also dictated by mandatory limitation periods, which in Germany are usually three years as per Article 195 et seq. of the Civil Code.

   4. Recipients of the data collected

The above-named controllers are the recipients of the data collected via the website. In addition, processors (web hosters, technical support) have access to the data collected via our website. However, compliance with legal requirements is ensured by way of processing agreements concluded with our processors located in the EU. Data are only transferred to third countries to the extent described below.

In addition, your data are only transferred to third parties within the context of our services if such transfer of your data is absolutely essential and data transfer is permitted.

   5. Transfer of data to other countries

As Immatics US is headquartered in the USA – a country outside the European Union, joint data processing involves data processing in a third country that is not considered to be secure. Please note that the transfer of data is associated with risks for the data subject because the level of data protection in the USA does not match the protection in Europe. You should be aware of this if, for example, you contact Immatics US directly by phone or fax.

   6. Profiling / automated decision-making

We do not perform any profiling or automated decision-making as defined by the GDPR.

   7. Obligation to provide data

By visiting our website, you have no legal or contractual obligation to provide personal data. 

III. Data processing on visiting our website

   1. General

     1.1 Extent of data processing

Each time our website is visited, our system – which is administered solely by Immatics Germany in Germany and is hosted in Germany – automatically records data and information about the computer system making the call.

The following data are recorded:

(1)          Information about the browser type and the access provider used

(2)          The user’s operating system

(3)          The IP address of the computer making the call

(4)          Date, time and duration of access

(5)          Website from which the user accessed our website (referrer URL)

(6)          Name and URL of the website visited

These data are also stored in the log files (records of all or certain processes on a computer system) on our system. These data are not stored together with other personal data of the user.

     1.2. Legal basis for processing data

The legal basis for temporarily storing data and log files is found in Article 6(1)(f) GDPR.

     1.3. Purpose of processing data

The temporary storage of the IP address by the system is necessary so that the website can communicate with the user’s computer. This means that the user’s IP address must be saved for the duration of the session.

The storage of data in log files further ensures the proper functioning of the website. These data also help us to optimize the website and ensure the security of our IT systems.

These purposes constitute our legitimate interest in processing data as per Article 6(1)(f) GDPR. As it is not easily possible for us to identify a natural person from an IP address, an IP address is not sensitive data, an IP address is deleted at the latest 14 days after visiting the website and we need an IP address to be able to offer our website, our interest overrides yours. Please also note that the data stored when you visit our website is not transferred to Immatics US.

     1.4. Storage duration

The data collected are deleted as soon as they are no longer needed for the purpose for which they were collected (provision of a website). If the data are stored in log files, they will be deleted after 14 days at the latest.

     1.5. Opt-out and removal option

It is essential that we collect data in order to provide the website and store the data in log files in order to operate the website. The user therefore has no opt-out option.

   2. Use of cookies

     2.1. Extent of data processing

Our website uses cookies. These are text files that are saved in the user’s internet browser or by the internet browser on the user’s computer system. When a user visits a website, a cookie may be stored on the user’s operating system. This cookie contains a unique string of characters that serves to clearly identify the browser the next time it visits the website.

We use cookies to make our website more user-friendly. Some elements of our website require that the visiting browser can also be identified after moving onto a new page.

The cookies we use are:

Name Function Storage duration
Admin cookies
DrupalVisitorMobile Identifies whether the user is working from a mobile device and transfers to the mobile version if available End of the browser session
Matomo Analytics SSESSXXXXXXXXXXXX Used only for authenticated users and not for anonymized users End of the browser session
Matomo Analytics
SimpleSAMLSessionID
and
SimpleSAMLAuthToken
Used only for authenticated users and not for anonymized users; checks whether users logged in via single sign-on End of the browser session
Adobe Analytics
s_vi
Checks whether the user accepts cookies or not 2 years
Adobe Analytics
s_cc
Tracks user’s movements on the website End of the browser session
Adobe Analytics
s_sq
Tracks the last link clicked by the user to access the Analytics suite; this cookie is set and read by a JavaScript code End of the browser session
IHS Markit
GZIP
“Standard compression/decompression flag” End of the browser session, after 60 minutes
IHS Markit
XXXX%5F0
For all requests for dynamic share price charts End of the browser session, after 60 minutes
NewRelic
JSESSIONID
Monitors the browser loading time End of the browser session
 
Admin cookies
WordPress
wordpress_[hash]
Storage of authentication data; use is restricted to the admin screen End of the browser session
WordPress
wordpress_logged_in_[hash]
After login, WordPress sets the WordPress_logged_in_[hash] cookie which shows that the user is logged in and who the user is; the latter information is relevant to some interface applications End of the browser session
WordPress
wordpress_test_cookie
This cookie is set when the user navigates to the login page;  it is used to check whether the browser has been set to allow cookies End of the browser session
WordPress
wp-settings-[UID] & wp-settings-{time}-[UID]
WordPress also sets several wp-settings-{time}-[UID] cookies; the number at the end is the unique user identification from the “users” database table; this is used to adapt your admin interface view and possibly also the main page interface 1 year

The user data collected by technically necessary cookies are not used to create user profiles. However, our website also uses cookies that enable us to analyze users’ browsing behavior. More information can be found under “Matomo” in this Data Privacy Notice.

Cookie consent using OneTrust

To manage technically unnecessary cookies in compliance with data protection laws, we use the software solution from OneTrust Technology Limited, Sonnenstraße 31, 80331 Munich, Germany. When users visit our website, an essential cookie is stored in their browser to record their cookie consent or the withdrawal of that consent. These data are not transferred to the software provider.

We use OneTrust to generate a cookie banner for you to give your consent to the use of cookies. The first time you visit www.immatics.com, the cookie banner informs you about the use of cookies and asks for your consent to their use. Until you give your consent, all non-essential cookies used on our website will be blocked automatically. The cookie banner also gives you the option to decline unwanted cookies but still continue to use the website.

In terms of consent, we distinguish between the following types of cookies:

  • Essential cookies
  • Performance cookies for analytical purposes (e.g., Matomo, Adobe Analytics)

 

If you give your consent via the cookie banner, the following data will be recorded automatically:

  • Cookie lifetime
  • Cookie version
  • Date and time of consent
  • Website domain and link
  • UID (randomly generated ID)
  • End-user’s consent status, which serves as verification of acceptance

The consent you have given is automatically deleted from the log after 12 months and at most will then only be used in aggregated and anonymized form for statistical purposes.

You can withdraw the consent you have given at any time.

     2.2. Legal basis for processing personal data

The legal basis for processing data by cookies is your consent within the meaning of Article 6(1)(a) GDPR, which we obtain via a cookie banner and which you can withdraw at any time. The cookie banner allows you to choose whether you consent to technically necessary cookies or to all cookies.

Irrespective of your consent, the legal basis for processing personal data through cookies, especially technically necessary cookies, is our legitimate interest – also Article 6(1)(f) GDPR.

     2.3. Purpose of processing data

The purpose of using the above-mentioned cookies is to make websites easier to use. Some functions of our website cannot be offered without the use of cookies. It must be possible to recognize the browser even after the user moves to a different page on the website. We do not use the cookies to create user profiles.

Analytical cookies and tools are used to improve the quality of our website and its content. They show us how the website is used, thus enabling us to continuously improve our online presence.

The exact purpose of the analytical cookies is described in Section 3 of this Data Privacy Notice.

These purposes also constitute our legitimate interest in processing personal data as per Article 6(1)(f) GDPR, which overrides your freedoms and rights.

     2.4. Storage duration; opt-out and removal option

Cookies are saved on the user’s computer and transmitted from there to our site. You as the user have full control over the use of cookies. You can change your internet browser settings to disable or limit the transmission of cookies. Previously saved cookies can be deleted at any time. This may also be done automatically. If you disable cookies for our website, it may no longer be possible to make full use of all the website’s functions.

You can also opt not to use cookies.

You can prevent the installation of cookies through a setting in your browser software. However, please note that you may then no longer be able to make full use of all the website’s functions.

   3. Web analytics / Matomo

     3.1. Extent of data processing

We use Matomo (formerly PIWIK), an open source tool, to analyze our users’ browsing behavior. This service is provided by InnoCraft Ltd., 150 Willis St, 6011 Wellington, New Zealand (“Matomo”). The software sets cookies on users’ computers. When individual pages of our website are viewed, the following data are recorded:

(1)          Two bytes of the IP address of the system making the call

(2)          The page viewed

(3)          The website from which the user accessed the page viewed (referrer)

(4)          The subpages accessed from the first page viewed

(5)          The duration of the page view

(6)          The frequency of page views

The software runs exclusively on our website’s servers, which are hosted in Germany by Immatics Germany. Users’ personal data are only saved there and are not transferred to third parties. As technical support is provided by Immatics Germany, the analysis of our website is performed exclusively in Germany by Immatics Germany.

The software is programmed not to record the full IP address but just the first two bytes with the rest blanked (e.g., 192.168.xxx.xxx). In this way, it is no longer possible to assign the truncated IP address to the computer making the call.

We delete the data once the purpose of processing the data no longer exists. In our case, this is done after six months.

Further information about the Matomo privacy settings can be found at: https://matomo.org/docs/privacy/.

If you do not wish the data about your visit to be stored and analyzed, you can opt out at any time by clicking “Change your consent” in the cookie declaration and selecting “Only necessary cookies” on the cookie banner. This will set an opt-out cookie in your browser and Matomo will therefore not collect any session data. Please note that complete deletion of your cookies will also remove the opt-out cookie which you will then have to reactivate.

     3.2. Legal basis

The legal basis for the use of analytical tools derives from Article 6(1)(a) GDPR (the consent you give us via our cookie banner) and Article 6(1)(f) GDPR (our legitimate interest).

     3.3. Purpose of processing data

By processing the personal data of our users with analytical tools, we can analyze their browsing behavior. By analyzing the data we collect, we can understand how the individual components of our website are used and thus constantly optimize and customize our online presence.

We also use the tool in our own economic interests.

These purposes also constitute our legitimate interest in processing data as per Article 6(1)(f) GDPR. The partial anonymization of the IP address adequately takes account of the users’ interest in protecting their personal data. Moreover, the customization of our service is also in the users’ interest. Therefore, our legitimate economic interest overrides users’ interests.

     3.4. Storage duration; opt-out and removal option

If you do not wish the data about your visit to be stored and analyzed, you can opt out at any time by clicking “Change your consent” in the cookie declaration and selecting “Only necessary cookies” on the cookie banner. This will set an opt-out cookie in your browser and Matomo will therefore not collect any session data. Please note that complete deletion of your cookies will also remove the opt-out cookie which you will then have to reactivate.

    4. Contact

     4.1. Extent of data processing

Our website enables users to contact us via the email addresses, phone and fax numbers, and postal address provided. If you contact us by emailing info@immatics.com, the user’s personal data sent with the email will initially only be stored by Immatics Germany and subsequently forwarded to the relevant contact person, who may also be at Immatics US. If you contact us by fax or phone, the data (content of the message, caller, caller’s phone number) will be saved by the recipient. These contact data will only be used to process the conversation or query.

     4.2. Legal basis for processing data

The legal basis for processing these data fundamentally derives from Article 6(1)(f) GDPR. If the purpose of the contact is to conclude a contract, Article 6(1)(b) GDPR additionally applies.

     4.3. Purpose of processing data

We process the personal data provided when you contact us solely to process the contact and your query. This also constitutes our legitimate interest. As you initiate the contact at your own discretion and we inform you in advance what we do with the data you provide, our legitimate interest therefore overrides your personal rights.

     4.4. Storage duration

The data are deleted as soon as they are no longer needed for the purpose for which they were collected. In the case of personal data provided by email or fax, this happens once the conversation with the user has ended. The conversation is considered to have ended when it is apparent that the matter raised has been fully clarified. We save calls in our telephone system for 30 days.

     4.5. Opt-out and removal option

At any time, a user may opt against the storage of their personal data. In such a case, the conversation cannot be continued. The opt-out can be communicated by email or mail. We will then delete all personal data stored during the contact.

There is no opt-out option if data have been collected in the context of a contractual relationship as these data are necessary for the performance of the contract.

 

IV. Data processing in connection with recruitment

You will find various vacancies advertised on our website (https://immatics.com/jobs/). When you send us your application, we treat this and your personal data in the following way:

   1. Extent of data processing

We process the data you have sent us in connection with your application. On receipt of your application, your data are reviewed by the HR department of the company that advertised the vacancy. The HR department in Tuebingen, Germany, is responsible for vacancies advertised in Germany while the HR department in Houston, Texas, USA, is responsible for vacancies advertised in the USA. Suitable applications are forwarded internally to the head of department seeking to fill the vacancy. The further procedure is agreed. As a matter of principle, your data can be accessed only by those employees of the company who need to do so for the proper conduct of the recruitment process.

We collect information you provide with your application such as your contact details, your resume, etc. We may also collect data about you from publicly accessible websites. Moreover, it is possible that we will collect data about you from third parties in order to verify your experience and suitability.

   2. Legal basis for processing data

The legal basis is Article 26 of Germany’s Data Protection Act in the version valid since May 25, 2018, which permits processing of the data required in connection with the decision to establish an employment relationship.

Should the data be required for a prosecution after conclusion of the recruitment process, these data may be processed on the basis of Article 6 GDPR, especially in protecting legitimate interests as per Article 6(1)(f) GDPR. In such a case, our interest would be to assert or defend against claims.

   3. Purpose of processing data

The purpose of processing the data is to verify your suitability for the position (or possibly for other vacant positions in our company) and to perform the recruitment process. Should legal claims be pursued after conclusion of the recruitment process, the purpose is to assert or defend against these claims.

   4. Storage duration

The data of unsuccessful applicants are deleted after six months.

If you have consented to the continued storage of your data, they will be transferred to our candidate pool. The data will be deleted from there after two years.

If your application is successful, your data will be transferred from the recruitment system to our HR information system.

   5. Recipients of the data

We use an external service provider – Coredi Recruiting GmbH & Co. KG, Elsenheimerstr. 63, 80687 Munich, Germany – to process applications. This company processes the applicants’ data in accordance with instructions on the basis of a processing agreement.

You have the option of allowing Coredi Recruiting GmbH & Co. KG to process the personal data you provide with your application for their own business purposes. This is based on you giving your separate, voluntary and explicit consent to Coredi Recruiting GmbH & Co. KG. If you do not give this consent, this will have no impact on our recruitment process.

V.  Social media links

On our website we provide links to various social media channels. These are merely links to the external websites of third-party social media providers. They are not plug-ins. Therefore, when you visit our website, no connections are established and no data are transferred to third-party providers. When you click on the button with the provider’s logo, you will be routed to that provider’s website. At that moment, you leave our website. If you have any questions about data collection by the third-party providers, please read those providers’ data privacy notices. We have links to the following social media:

   1. Twitter

When you click on the button with the bird symbol, you will be taken to the microblogging service of Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07, Ireland. You will find data privacy information here: https://twitter.com/de/privacy

  2. LinkedIn

When you click on the button marked “in”, you will be taken to the website of LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland. You will find data privacy information here https://www.linkedin.com/legal/privacy-policy?_l=de_DE

 

VI.  Data processing in the context of customer, supplier and service provider relationships

   1. Extent of data processing

We store and process personal data we receive in the context of customer, supplier and service provider relationships. As a rule, these include data such as the contact person (name), contact data (address, phone number, email address) and the function and position of the contact person.

   2. Legal basis for processing data

The legal basis derives from Article 6(1)(f) GDPR and, insofar as we have a legal obligation to store data, Article 6(1)(b) GDPR.

   3. Purpose of processing data

The purpose of processing the data is to establish, operate and manage business relationships.

   4. Storage duration

The data are deleted as soon as the purpose of processing the data no longer exists. In the case of business relationships, this is usually when the collaboration ends, unless we have a legal obligation to retain the data.

   5. Recipients of the data

The data controllers are the recipients of the data. If we contract external service providers to perform contracts in respect of business relationships, data will only be transferred if this is permitted by law (e.g., by way of processing agreements).

VII.  Your rights as the data subject

If your personal data are processed, you are the data subject within the meaning of the GDPR and you therefore have the rights summarized below.

As Immatics Germany is responsible for managing the rights of data subjects in line with a joint controller agreement, please contact Immatics Germany if you have any queries on this matter.

You shall have:

  • The right of access to your personal data including information about possible recipients and the planned storage duration – Article 15 GDPR
  • The right to rectification if inaccurate data concerning you are processed – Article 16 GDPR

If the legal conditions are satisfied, you have the following additional rights:

  • Right to erasure – Article 17 GDPR
  • Right to restriction of processing – Article 18 GDPR
  • Right to notification – Article 19 GDPR
  • Right to data portability – Article 20 GDPR
  • Right to object – Article 21 GDPR
  • Right to withdraw consent given – Article 7(3) line 1 GDPR

If you believe that the processing of your personal data infringes data protection law, you have the right to complain to a data protection supervisory authority of your choice as per Article 77(1) GDPR.

Right to object – Article 21 GDPR

You shall have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on Article 6(1)(e) or (f), including profiling based on those provisions.

The controller shall no longer process personal data concerning you unless the controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defense of legal claims.

Where personal data concerning you are processed for direct marketing purposes, you shall have the right to object at any time to processing of the personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing.

Where you object to processing for direct marketing purposes, the personal data concerning you shall no longer be processed for such purposes.

In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you may exercise your right to object by automated means using technical specifications.

VIII. Data security

We deploy technical and organizational security measures to protect data concerning you that we have recorded against manipulation, loss, destruction or access by unauthorized persons. We are continually adapting our security measures to reflect the current state of the art.

If you send attachments to us by email, we recommend that you apply encryption. In such a case, you can notify us of the password by phone.

IX. Right of modification

We reserve the right to modify this data privacy notice to conform with current legal requirements. When you again visit our internet presence, the updated data privacy notice as published shall apply.