1.  Introduction

This Privacy Notices to Business Contacts (“Notice”) describes the steps Tecan Ltd, Tecan Way,  Weymouth, UK. DT4 9TU (“Company”), part of IDEX Corporation (“IDEX”), takes to protect the Personal  Data that we Process about Business Contacts. The Company is committed to the protection of the  Personal Data that we process about you in line with the data protection principles set out in the  applicable Data Protection Law. This Notice informs you how we Process your Personal Data if you are  one of our Business Contacts.

This Notice may be amended from time to time. The Company will post any change to this Notice a  reasonable period of time in advance of the effective date of the change.

  1.  Definitions

The following terms are used within this Notice and are defined as follows:

Term  Definition
Business

Contacts

All Consumers, Corporate Partners or employees of a Corporate Partner or  any other person which IDEX contacts or interacts with in the context of  establishing, developing, maintaining, servicing or otherwise furthering the  business relationship.
Consent Any freely given, specific, informed and unambiguous indication of the  Data Subject’s wishes by which he/she, by a statement or by a clear  affirmative action, signifies agreement to the specific processing of his/her  Personal Data. It has to be a clear affirmative act (“Opt-In”). Silence or  inactivity are not sufficient. Consent may be withdrawn at any time with  effect for the future.
Consumer A person that buys goods or services mainly for personal purposes.
Corporate

Partner

Persons or organizations that buy goods or services from IDEX mainly for  their own business purposes, or other business partners with which we have  a contractual or commercial relationship, like subcontractors and suppliers;  this includes existing as well as prospective Corporate Partners.
Data Controller The natural or legal person, public authority, agency or other body which  alone, or jointly with others, determines the purposes and means of the  Data Processing.
Data Processing Any operation, or set of operations, which is performed on Personal Data  or on sets of Personal Data, whether or not by automated means, such as  collection, recording, organization, structuring, storage, adaptation or  alteration, retrieval, consultation, use, disclosure by transmission,  dissemination or otherwise making available, alignment or combination,  restriction, erasure or destruction.
Data Processor A natural or legal person, public authority, agency or other body, which  processes Personal Data on behalf of the Data Controller

(Article 28 GDPR).
Data Protection  Procedures Any local BU internal policies/procedures supplementing this Policy.
Data Protection  Law All applicable state, local and federal/national laws related to data  protection including, but not limited to, GDPR.
Data Protection  Officer (“DPO”) The person which is appointed by the Company (only where required by law)  to protect the Data Subjects’ rights and to act as the point of contact between the Company and you in order to ensure that the Company  complies with all applicable Data Protection Law.
Data Subject Any person to whom the respective Personal Data refers.
Personal Data Any information relating to an identified or identifiable natural person  (Article 4 GDPR).

  1.  Details of the Data Controller

The Company is responsible for Processing your Personal Data.

If you have any questions about this Notice, please contact us at

Tecan Ltd

Tecan Way, Weymouth, UK. DT4 9TU

Privacy@IDEXcorp.com

  1.  Categories and Sources of Personal Data Processed

The Company Process different categories of Personal Data of our Business Contacts. These may  include:

  • Identity details, including name; information about your job title and hierarchical position; and  educational level or work experience.
  • Business contact details, including company address, business telephone number and e-mail address.
  • Information you provide us during the course of our business relationship, including in response to  corporate surveys or questionnaires; or other correspondence.
  • Data from initiation, maintenance and execution of our business relationship, including performed and  planned orders and related data such as delivery modalities or insurance coverages; user login and  subscription data; use of our web services or newsletters; and data about your budget.
  • Company data of our Corporate Partners, such as company name and company business registration  number; information from our due-diligence or other onboarding procedures; or our Corporate Partner´s business needs.
  • Data relating to the assertion or defense against legal claims, including the prevention of misconduct; compliance checks or investigations; and information regarding compliance violations or other  infringements.

Most of the Personal Data we Process, you have provided directly to us. Other Personal Data may be  provided by your employer, our Corporate Partners or other instances involved in the initiation of your  business relationship and/or the execution of contracts with our Corporate Partners. In addition, we may  process Personal Data which we permissibly obtain from publicly accessible sources (such as LinkedIn) or  that are legitimately transmitted to us by third parties (such as credit agencies).

  1.  Purposes of Data Processing

The Company Processes Personal Data of Business Contacts for various business purposes in connection  with your business relationship with the Company or our Corporate Partner:

  • For the initiation, performance and execution of a contract with you or our Corporate Partners,  including to meet our contractual obligations; necessary due diligence and other onboarding  requirements in regard to our Corporate Partners.
  • For market analysis, including through surveys, to better understand the markets in which we do  business; and for product and service development.
  • For business communication and promotion of our products and services.
  • For the fulfilment of legal obligations, including local tax and commercial law, as well as audits by  governmental and regulatory authorities.
  • For security control of the IDEX’ physical premises or for IT security and data breach procedures.
  • For asserting or the defense of legal claims or the prevention of misconduct, compliance violations or  other infringements, such as routine inspections; internal investigations; or dispute resolution cases.
  • For customer services activities, such as responding to queries; or investigating and resolving complaints.
  • For customer relationship management, including listing important contacts for our business;  connecting individuals with accounts of our Corporate Partners; listing important stakeholders; and for customers surveys.
  • For business process optimization, such as account management, including establishing and on-going  management of business relationships; maintenance of a supplier or customer database; risk  management; and activities geared toward preventing or detecting crime.
  1. 6Legal Bases for Processing Personal Data

The Company Processes Personal Data relating to its Business Contacts based on multiple different legal  bases:

  • Once you have been informed about the intended Processing of your Personal Data and you have  provided your consent. You may withdraw your consent at any time. The withdrawal of consent will not  affect the lawfulness of processing based on your consent before the withdrawal. Article 6 GDPR.
  • If the Processing of your Personal Data is necessary in order to carry out the contract concluded between  you and us. Article 6 GDPR.
  • If the Processing is necessary for the Company to comply with an applicable legal obligation. E.g., a  court orders the release of certain information for legal proceedings). Article 6 GDPR. • If the Processing is necessary for purposes of the legitimate interests pursued by the Company or by a  third party except where overridden by Employee interests or fundamental rights and freedoms of a Data  Subject which require protection of Personal Data. Article 6 GDPR. These legitimate interests can  include:

Management of our business relationships with our Corporate Partners, including meeting our  contractual obligations; and corresponding communications in relation to our business relationship.

The optimization of our business processes, including the implementation of optimized customer  service and/or customer management systems, including with regard to you as an employee of our  Corporate Partner.

For the security of our property and infrastructure, such as IT Security and Data Breach Procedures; and  measures to ensure operational, building and plant safety and for business management; o For the assertion and defence of legal claims and the prevention of compliance violations or other  infringements;

To grow the Company’s business by networking and market research and analysis of potential  business opportunities as well as through direct marketing, including marketing activities and  communications or in regard to product or service development processes.

  1.  Your Rights

The GDPR provides you with rights relating to the Processing of your Personal Data. These rights  include:

  • Request access to Personal Data about you (commonly known as a “data subject access request”). This  enables you to receive information about the Personal Data we hold about you and to check that we are  lawfully Processing it.
  • Request rectification, correction, or updates to Personal Data that we hold about you. This enables you  to correct any incomplete or inaccurate information.
  • Request Personal Data to be transferred in machine-readable format (“data portability”) to the extent  this right is relevant in the employment context.
  • Request erasure of Personal Data. This enables you to request deletion or the removal of Personal Data  where there is no legitimate reason for us to continue to Process it. You also have the right to ask us to  delete or remove Personal Data where you have exercised your right to object to Processing (see below).
  • Request the restriction of Processing of your Personal Data. This enables you to ask us to suspend the  Processing of Personal Data about you if you want us to establish its accuracy or the reason for  Processing it.
  • Withdraw consent you have given at any time without affecting the lawfulness of processing based on  consent before its withdrawal.

Object to the Processing of your Personal Data in certain circumstances. 

This right may apply where the Processing of your Personal Data is based on the  

legitimate interests of Company, as described in Annex 1, or where decisions about  you are based solely on automated processing, including profiling.  

Notwithstanding, you have the right to object at any time to Processing of your Personal Data for direct marketing purposes.

These rights are not absolute and are subject to various conditions under Data Protection Law and any  other applicable laws and regulations.

You may exercise these rights by contacting your Privacy Lead (see Section 3). You also have the right to  lodge a complaint with a Supervisory Authority.

  1.  Data Sharing and International Data Transfers: Intra-Group and External Third Parties Intra-group transfers 

As a member of a multinational enterprise operating under a decentralized management structure, the  Company may share Employee Personal Data with IDEX affiliates / BUs listed here, for the purposes set  out in this Notice. Please note that the Company only shares Employee Personal Data with those  listed companies where this is covered by a lawful basis for such Processing.  

These transfers are protected by the obligations set out in intra-group agreements that we have entered  into between the various IDEX legal entities. International transfers within the IDEX are governed by EU  Commission-approved Standard Contractual Clauses for Data Controllers and, where relevant, for Data

Processors. You may receive a copy of these Standard Contractual Clauses used in our intra-group  agreements by contacting the Privacy Lead (see Section 3).

External Third Parties  

The Company may share Personal Data with external vendors whom we engage to perform services or  functions on our behalf and under our instructions. Where applicable, their Processing of your data will  be subject to the GDPR requirements. The Company will also ensure that its contracts with these parties  ensure they only Process Personal Data in accordance with our instructions and in order to provide the  agreed services and protect the integrity and confidentiality of the Personal Data entrusted to them, in  line with the GDPR requirements.

For the purposes set out in this Notice, we may also disclose your Personal Data to our IT service  providers, auditors, lawyers, consultants, law enforcement, courts and tribunals and other public  authorities, such as tax and social security bodies. Some of these recipients are themselves responsible  to determine the purposes and means of the Processing and for the lawfulness of the Processing on their  end. Where necessary, we will ensure that appropriate contractual measures are in place to ensure the  protection of your Personal Data.

Some of the vendors we engage to Process your Personal Data are located outside the European  Economic Area. We will ensure that these transfers are either:

  • To countries, which fall under an adequacy decision by the EU-Commission and have been deemed to  provide an adequate level of protection, currently including Switzerland, Uruguay, Argentina, Japan,  Israel, Isle of Man, New Zealand, Guernsey, Canada, Andorra, Faroe Islands and Jersey; or are
  • Governed by one of the following safeguards: EU Commission-approved Standard Contractual Clauses; GDPR-compliant Data Processor clauses where the US vendor is certified under the EU-US Privacy Shield  Framework; or Binding Corporate Rules approved by an EU data protection authority. You may receive a  copy of these data protection safeguards by contacting us at the contact details given in Section 3 above.
  1.  Retention of Personal Data

The Company will keep and Process your Personal Data only for as long as is necessary for the purposes  for which it was collected or for legal obligations. Such legal obligations may arise particularly under tax  and commercial law. If your data is no longer necessary for the fulfilment of contractual or legal  obligations it will be deleted; unless they are needed to secure, assert or enforce legal claims. In this  case, we will retain them in accordance with the regular limitation period. During this period, this data is  blocked and is no longer available for any other use.

  1.  Statutory/Contractual Requirements

You may choose to not provide us with your Personal Data and/or provide incomplete Personal Data.  However, please be aware that, in certain cases, we may not be able to engage in, or continue a business relationship with you, as your Personal Data is required for administrative purposes and/or to fulfill  statutory requirements.

  1.  Automated Decision-Making and Profiling

Your Personal Data will not be used for automated decision-making and/or profiling.