PRIVACY POLICY

Status: 28.03.2024

Table of content

  • Person responsible
  • Contact data protection officer
  • Overview of processing
  • Relevant legal bases
  • Security measures
  • Transmission of personal data
  • Deletion of data
  • Use of cookies
  • Business services
  • Provision of the online offer and web hosting
  • Blogs and publication media
  • Contact and enquiry management
  • Communication via Messenger
  • Video conferences, online meetings, webinars and screen sharing
  • Application procedure
  • Cloud services
  • Web analysis, monitoring and optimisation
  • Online marketing
  • Presence in social networks (social media)
  • Plugins and embedded functions and content
  • Amendment and updating of the privacy policy
  • Rights of the data subjects
  • Definitions of terms

Person responsible

Manuel Simmerl & Sebastian Gleißner
SEMAsystems GmbH
Grubmühle 40
94513 Schoenberg I Bavaria I Germany

Persons authorised to represent the company:

Manuel Simmerl (Managing Director), Sebastian Gleißner (Managing Director)

E-mail address:

info@semasystems.de

Telephone:

+49(0)8554 / 89 69 030

Imprint:

https://www.rettpro.de/impressum/

Contact data protection officer

Peter Herwig
PHERSEC Data Protection and Information Security
Freiheitstraße 21/2
75045 Walzbachtal

Phone: 07203 / 34 65 29
E-Mail: kontakt@phersec.de
Homepage: www.phersec.de

Overview of processing

The following overview summarises the types of data processed and the purposes of their processing and refers to the data subjects.

Types of data processed

  • Inventory data.
  • Payment data.
  • Contact details.
  • Content data.
  • Contract data.
  • Usage data.
  • Meta, communication and process data.
  • Applicant data.
  • Contact information (Facebook).
  • Event data (Facebook).

Special categories of data

  • Health data.
  • Data on sexual life or sexual orientation.
  • Religious or ideological beliefs.
  • Data revealing racial and ethnic origin.

Categories of affected persons

  •  
  •  
  • Interested parties.
  • Communication partner.
  •  
  •  
  • Business and contractual partners.
  • Pupils/ students/ participants.
  • Persons depicted.

Purposes of the processing

  • Provision of contractual services and customer service.
  • Contact enquiries and communication.
  • Safety measures.
  • Direct marketing.
  • Reach measurement.
  •  
  • Office and organisational procedures.
  •  
  • Conversion measurement.
  • Target group formation.
  • Managing and responding to enquiries.
  • Application procedure.
  •  
  •  
  • Profiles with user-related information.
  • Provision of our online services and user-friendliness.
  • Information technology infrastructure.

Relevant legal bases

Below you will find an overview of the legal bases of the GDPR on the basis of which we process personal data. Please note that in addition to the provisions of the GDPR, national data protection regulations may apply in your or our country of residence or domicile. Should more specific legal bases also apply in individual cases, we will inform you of these in the privacy policy.

  • Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR) – The data subject has given their consent to the processing of their personal data for one or more specific purposes.
  • Contract fulfilment and pre-contractual enquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR) – Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
  • Legal obligation (Art. 6 para. 1 sentence 1 lit. c) GDPR) – Processing is necessary for compliance with a legal obligation to which the controller is subject.
  • Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR) – Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
  • Application procedure as a pre-contractual or contractual relationship (Art. 6 para. 1 lit. b) GDPR) – Insofar as special categories of personal data within the meaning of Art. 9 para. 1 GDPR (e.g. health data such as severely disabled status or ethnic origin) are requested from applicants as part of the application procedure health data, such as severely disabled status or ethnic origin) are requested from applicants so that the controller or the data subject can exercise their rights under labour law and social security and social protection law and fulfil their obligations in this regard, their processing is carried out in accordance with Art. 9 para. 2 lit. b. GDPR. GDPR, in the case of the protection of vital interests of applicants or other persons pursuant to Art. 9 para. 2 lit. c. GDPR or for the purposes of preventive health care or occupational medicine, for the assessment of the employee’s ability to work, for medical diagnosis, health or social care or treatment or for the management of health or social care systems and services pursuant to Art. 9 para. 2 lit. h. GDPR. GDPR. In the case of communication of special categories of data based on voluntary consent, their processing is carried out on the basis of Art. 9 para. 2 lit. a. GDPR.

In Germany, alongside the General Data Protection Regulation (GDPR), specific national data protection laws are in effect. Prominently, this includes the Federal Data Protection Act (BDSG), which addresses the misuse of personal data in data processing. The BDSG specifically provides regulations concerning rights to information and erasure, the right to object, processing of special categories of personal data, processing for purposes other than the original intent, data transmission, and automated decision-making in individual cases, including profiling. Additionally, data protection legislations of individual federal states within Germany may also be applicable.

Security measures

We implement suitable technical and organizational measures to safeguard data, adhering to legal requirements and considering factors such as the current state of technology, implementation costs, the nature and scope of processing, and potential risks to individual rights and freedoms. These measures aim to ensure a level of protection commensurate with the associated risks.

Key measures include maintaining the confidentiality, integrity, and availability of data by managing physical and electronic access, as well as controlling data entry, transfer, availability, and segregation. We have also established protocols to uphold data subject rights, facilitate data deletion, and address data security breaches. Additionally, we prioritize data protection in the development and selection of hardware, software, and processes, guided by the principles of privacy by design and privacy by default.

IP Address Shortening: When processing IP addresses, either directly or through service providers and technologies, and where full IP address processing is not necessary, we apply IP address truncation or „IP masking.“ This involves removing or anonymizing the last octet of the IP address to significantly reduce or prevent the identification of individuals from their IP addresses.

TLS Encryption (https): To secure data transmitted through our online service, we employ TLS encryption. You can identify these encrypted connections by the „https://“ prefix in your browser’s address bar, indicating a secure and encrypted communication channel.

 

Transmission of personal data

In our personal data processing activities, there may be instances where data is transferred or disclosed to other entities, companies, legally independent units, or individuals. These recipients might include service providers handling IT tasks, or providers of services and content embedded within a website. We strictly adhere to legal requirements in such circumstances and typically establish specific contracts or agreements with these recipients to safeguard your data.

Data transfer within the group of companies: We may transmit personal data to other entities within our corporate group, or grant them access to this data. When such transfers are for administrative purposes, they are based on our legitimate business and commercial interests, or when necessary to fulfill contractual obligations, provided there is consent from the data subjects or legal authorization..

Deletion of data

Data we process will be deleted in compliance with legal mandates once the provided consent for processing is withdrawn, or other authorizations are no longer applicable (e.g., the data’s processing purpose is no longer relevant or needed). If data is not deleted due to its necessity for other legally permitted purposes, its processing will be limited to those purposes only. This means the data is blocked and not processed for other reasons. For instance, this applies to data required to be kept for commercial or tax law purposes, or for asserting, exercising, or defending legal claims, or protecting the rights of another natural or legal person.

Additional Information: Our data protection notices may also offer more detailed information on the retention and deletion of data, which primarily apply to the specific processing operations involved.

Use of cookies

Cookies are small text files or other storage mechanisms that store and retrieve information on end devices. They are used for various functions such as maintaining login status in a user account, storing shopping cart contents in an e-shop, or tracking accessed content and features used in an online service. Cookies serve multiple purposes, including ensuring functionality, security, user convenience in online offers, and analyzing visitor traffic.

Notes on consent: Our use of cookies adheres to legal requirements. We seek prior consent from users, except in cases where consent is not legally mandatory. Specifically, consent is not needed when storing and reading information, including cookies, is essential for providing a telemedia service explicitly requested by the user (i.e., our online offering). Strictly necessary cookies typically facilitate the display and operation of the online service, load balancing, security, storing user preferences and choices, and other functions crucial to the service’s primary and secondary features as requested by the user. User consent, which can be revoked, is clearly communicated and includes information about the specific use of cookies.

Information on legal bases under data protection law: The legal basis for processing personal data using cookies depends on whether we obtain user consent. If users consent, their given consent is the legal basis for processing. Otherwise, cookie-based data processing is grounded in our legitimate interests (e.g., operating and improving the usability of our online offering) or contractual obligations fulfillment if cookies are necessary for these purposes. We detail the purposes of our cookie processing in this privacy policy and during our consent and processing procedures.

Storage period: With regard to the storage period, a distinction is made between the following types of cookies:

  • Temporary cookies (also: session cookies): Temporary cookies are deleted at the latest after a user has left an online service and closed their end device (e.g. browser or mobile application).
  • Permanent cookies: Permanent cookies remain stored even after the end device is closed. For example, the login status can be saved or favourite content can be displayed directly when the user visits a website again. The user data collected with the help of cookies can also be used to measure reach. If we do not provide users with explicit information on the type and storage duration of cookies (e.g. when obtaining consent), users should assume that cookies are permanent and can be stored for up to two years.

 

General information on revocation and objection (so-called „opt-out“): Users have the right to revoke their previously given consent at any time and to object to processing based on legal grounds. This includes the ability to limit the use of cookies through browser settings, though it should be noted that this may affect the functionality of our online services. Additionally, objections to the use of cookies for online marketing purposes can be declared through the websites https://optout.aboutads.info and https://www.youronlinechoices.com/. These platforms provide an avenue for users to manage their online marketing preferences comprehensively.

  • Processed data types: meta, communication and procedural data (e.g. IP addresses, time data, identification numbers, consent status).
  • Data subjects: Users (e.g. website visitors, users of online services).
  • Purposes of processing: Provision of our online services and user-friendliness.
  • Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); consent (Art. 6 para. 1 sentence 1 lit. a) GDPR).

Further information on processing operations, procedures and services:

  • Processing of cookie data on the basis of consent: We use a cookie consent management procedure in which the user’s consent to the use of cookies or the processing and providers named in the cookie consent management procedure can be obtained, managed and revoked by the user. The declaration of consent is stored so that it does not have to be requested again and the consent can be proven in accordance with the legal obligation. Consent can be stored on the server and/or in a cookie (so-called opt-in cookie or with the help of comparable technologies) in order to be able to assign the consent to a user or their device. Subject to individual information on the providers of cookie management services, the following information applies: Consent may be stored for up to two years. A pseudonymous user identifier is created and stored with the time of consent, information on the scope of consent (e.g. which categories of cookies and/or service providers) as well as the browser, system and end device used; legal basis: consent (Art. 6 para. 1 sentence 1 lit. a) GDPR).
  • Real Cookie Banner: Cookie consent management; Service provider: devowl.io GmbH, Tannet 12, 94539 Grafling, Germany; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://devowl.io/de/wordpress-real-cookie-banner/; Privacy Policy: https://devowl.io/de/datenschutzerklaerung/.

Business services

We process the data of our contractual and business partners, including customers and prospects (collectively referred to as „contractual partners“), within the framework of contractual and similar legal relationships, related actions, and communication (or pre-contractual interactions), such as responding to inquiries.

This data processing is vital for fulfilling our contractual obligations, including delivering agreed services, ensuring updates, and addressing warranty or other service issues. We also process data to protect our rights, manage administrative tasks, and organize company operations. Moreover, we process data based on our legitimate interests in conducting efficient business management and implementing security measures to safeguard our contractual partners and business operations from misuse and threats to their data, secrets, information, and rights. This may involve the involvement of telecommunication, transport, auxiliary services, subcontractors, banks, tax and legal advisors, payment service providers, or tax authorities. We share contractual partners‘ data with third parties only as necessary for the aforementioned purposes or to fulfill legal obligations. Contractual partners are informed of any additional processing, such as for marketing purposes, in this privacy policy.

Prior to or during data collection, we inform contractual partners about the necessary data for these purposes, through methods like online forms, special labeling (e.g., colors), symbols (e.g., asterisks), or direct communication.

Data is deleted following the expiration of statutory warranty and related obligations, typically after 4 years, unless stored in a customer account for legal archival reasons. Tax-relevant documents and trading books, inventories, balance sheets, annual financial statements, work instructions, and other organizational documents and accounting records are retained for ten years; commercial and business letters received and copies of sent ones are kept for six years. These periods start at the end of the calendar year in which the last book entry was made, documents were prepared, letters were received or sent, or accounting documents and records were created.

 

Insofar as we use third-party providers or platforms to provide our services, the terms and conditions and data protection notices of the respective third-party providers or platforms apply in the relationship between the users and the providers.

  • Processed data types: inventory data (e.g. names, addresses); payment data (e.g. bank details, invoices, payment history); contact data (e.g. email, telephone numbers); contract data (e.g. subject matter of contract, term, customer category).
  • Special categories of personal data: Health data (Art. 9 para. 1 GDPR); data concerning sex life or sexual orientation (Art. 9 para. 1 GDPR); religious or philosophical beliefs (Art. 9 para. 1 GDPR); data revealing racial or ethnic origin (Art. 9 para. 1 GDPR).
  • Persons concerned: Interested parties; business and contractual partners; pupils/students/participants.
  • Purposes of Processing: Provision of contractual services and customer support; Contact requests and communication; Office and organisational procedures; Managing and responding to enquiries.
  • Legal basis: Contract fulfilment and pre-contractual enquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR); Legal obligation (Art. 6 para. 1 sentence 1 lit. c) GDPR); Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Further information on processing operations, procedures and services:

  • Education and training services: We process the data of participants in our education and training programmes (uniformly referred to as „trainees“) in order to be able to provide them with our training services. The data processed in this context, the type, scope, purpose and necessity of its processing are determined by the underlying contractual and training relationship. The forms of processing also include the performance assessment and evaluation of our services and those of our instructors. As part of our activities, we may also process special categories of data, in particular information on the health of trainees and students as well as data revealing ethnic origin, political opinions, religious or philosophical beliefs. Where necessary, we obtain the express consent of the trainees for this purpose and otherwise only process the special categories of data if it is necessary for the provision of training services, for the purposes of health care, social protection or the protection of vital interests of the trainees; legal basis: fulfilment of contract and pre-contractual enquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR).
  • Coaching: We process the data of our clients as well as interested parties and other clients or contractual partners (uniformly referred to as „clients“) in order to be able to provide our services to them. The processed data, the type, scope, purpose and necessity of its processing are determined by the underlying contractual and client relationship. As part of our activities, we may also process special categories of data, in particular information on the health of clients, possibly with reference to their sex life or sexual orientation, as well as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union Where necessary, we obtain the express consent of the client and otherwise process the special categories of data if this serves the health of the client, the data is public or other legal authorisations exist. If it is necessary for the fulfilment of our contract, for the protection of vital interests or by law, or if the client has given consent, we disclose or transfer the client’s data to third parties or agents, such as authorities, billing offices and in the area of IT, office or comparable services, in compliance with professional regulations; legal basis: contract fulfilment and pre-contractual enquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR).
  • Consulting: We process the data of our clients, customers, interested parties and other clients or contractual partners (uniformly referred to as „clients“) in order to be able to provide them with our consulting services. The processed data, the type, scope, purpose and necessity of its processing are determined by the underlying contractual and client relationship. If it is necessary for the fulfilment of our contract, for the protection of vital interests or by law, or with the consent of the client, we disclose or transfer the client’s data to third parties or agents, such as authorities, subcontractors or in the field of IT, office or comparable services, in compliance with professional regulations; legal basis: contract fulfilment and pre-contractual enquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR).
  • Online courses and online training: We process the data of participants in our online courses and online training programmes (uniformly referred to as „participants“) in order to be able to provide them with our course and training services. The data processed in this context, the type, scope, purpose and necessity of its processing are determined by the underlying contractual relationship. The data generally includes information on the courses and services utilised and, if part of our range of services, personal specifications and results of the participants. The forms of processing also include the performance assessment and evaluation of our services and those of the course and training instructors; legal basis: fulfilment of the contract and pre-contractual enquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR).
  • Project and development services: We process the data of our customers and clients (hereinafter uniformly referred to as „customers“) in order to enable them to select, purchase or commission the selected services or works and related activities as well as their payment and provision or execution or performance. The required information is labelled as such in the context of the conclusion of the contract, order or comparable contract and includes the information required for the provision of services and billing as well as contact information in order to be able to hold any consultations. Insofar as we receive access to information from end customers, employees or other persons, we process this in accordance with the legal and contractual requirements; legal basis: contract fulfilment and pre-contractual enquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR).
  • Offer of software and platform services: We process the data of our users, registered users and any test users (hereinafter uniformly referred to as „users“) in order to be able to provide them with our contractual services and on the basis of legitimate interests in order to ensure the security of our offer and to be able to develop it further. The required information is labelled as such in the context of the conclusion of an order, order or comparable contract and includes the information required for the provision of services and billing as well as contact information in order to be able to hold any consultations; legal basis: contract fulfilment and pre-contractual enquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR).

Provision of the online offer and web hosting

We process user data to deliver our online services effectively. This involves handling the user’s IP address, a critical step for transmitting the content and functionalities of our online services to the user’s browser or device.

  • Processed data types: Usage data (e.g. websites visited, interest in content, access times); meta, communication and procedural data (e.g. IP addresses, time data, identification numbers, consent status).
  • Data subjects: Users (e.g. website visitors, users of online services).
  • Purposes of processing: Provision of our online services and user-friendliness; information technology infrastructure (operation and provision of information systems and technical devices (computers, servers, etc.)); security measures; provision of contractual services and customer service.
  • Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Further information on processing operations, procedures and services:

  • Provision of online offer on rented storage space: For the provision of our online offer, we use storage space, computing capacity and software that we rent or otherwise obtain from a corresponding server provider (also called „web host“); Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
  • Collection of access data and log files: Access to our online offering is logged in the form of so-called „server log files“. The server log files may include the address and name of the web pages and files accessed, date and time of access, data volumes transferred, notification of successful access, browser type and version, the user’s operating system, referrer URL (the previously visited page) and, as a rule, IP addresses and the requesting provider. The server log files may be used for security purposes, e.g. to prevent server overload (especially in the event of abusive attacks, so-called DDoS attacks) and to ensure server utilisation and stability; legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); deletion of data: Log file information is stored for a maximum of 30 days and then deleted or anonymised. Data whose further storage is required for evidentiary purposes is excluded from deletion until the respective incident has been finally clarified.
  • 1&1 IONOS: Services in the field of the provision of information technology infrastructure and related services (e.g. storage space and/or computing capacities); Service provider: 1&1 IONOS SE, Elgendorfer Str. 57, 56410 Montabaur, Germany; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.ionos.deData protection declaration: https://www.ionos.de/terms-gtc/terms-privacy; Order processing contract: https://www.ionos.de/hilfe/datenschutz/allgemeine-informationen-zur-datenschutz-grundverordnung-dsgvo/auftragsverarbeitung/.

Blogs and publication media

We utilize blogs or similar platforms for online communication and publication (collectively referred to as „publication medium“). The processing of readers‘ data within this medium is confined to what is essential for its display and the facilitation of interaction between authors and readers, or for security purposes. Additionally, we direct you to the information regarding the processing of visitor data in our publication medium, as detailed in this data protection notice.

  • Processed data types: Inventory data (e.g. names, addresses); Contact data (e.g. e-mail, telephone numbers); Content data (e.g. entries in online forms); Usage data (e.g. websites visited, interest in content, access times); Meta, communication and process data (e.g. IP addresses, time data, identification numbers, consent status).
  • Data subjects: Users (e.g. website visitors, users of online services).
  • Purposes of processing: Provision of contractual services and customer service; feedback (e.g. collecting feedback via online form); provision of our online services and user-friendliness.
  • Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Contact and enquiry management

When contacting us (e.g. by post, contact form, email, telephone or via social media) and in the context of existing user and business relationships, the data of the enquiring persons are processed insofar as this is necessary to answer the contact enquiries and any requested measures.

  • Processed data types: Contact data (e.g. e-mail, telephone numbers); Content data (e.g. entries in online forms); Usage data (e.g. websites visited, interest in content, access times); Meta, communication and process data (e.g. IP addresses, time data, identification numbers, consent status).
  • Affected persons: Communication partner.
  • Purposes of processing: Contact requests and communication; managing and responding to requests; feedback (e.g. collecting feedback via online form); provision of our online services and user-friendliness.
  • Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); contract fulfilment and pre-contractual enquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR).

Further information on processing operations, procedures and services:

  • Contact form: If users contact us via our contact form, e-mail or other communication channels, we process the data provided to us in this context to process the communicated request; legal basis: fulfilment of contract and pre-contractual enquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR), legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Communication via Messenger

We employ messengers for communication and advise you to consider the following aspects regarding their functionality, encryption, the handling of communication metadata, and your opt-out options. Alternatively, you can contact us via phone or email using the provided contact details or those specified in our online offerings.

Content transmitted through messengers, including messages and attachments, is end-to-end encrypted. This ensures that the content is inaccessible to the messenger providers themselves. We recommend using the latest version of the messenger with encryption enabled to secure message content.

While messenger providers cannot access the content, they may collect data indicating when and how communication partners interact with us. This includes technical information about the device used and, depending on device settings, possibly location information (metadata).

Notes on legal bases: If we obtain consent from communication partners before using messengers, their data processing is based on this consent. If no consent is sought and you initiate contact, we use messengers for contractual partners and during contract initiation as a contractual measure. For other interested parties and communication partners, we rely on our legitimate interests in efficient and prompt communication and meeting the communication preferences of our partners. We assure you that we won’t transmit your contact data to Messenger without your consent.

Revocation, objection and deletion: Consent can be revoked at any time, and you may object to communication via messengers. We delete messages according to our general deletion guidelines (e.g., after contractual relationships end, considering archiving requirements) or once we believe we have responded to any information from communication partners, assuming no further follow-up is needed and there are no legal retention obligations.

For security reasons and to ensure confidentiality or compliance with formal requirements, we may choose not to respond to inquiries via messengers. In such cases, we will direct you to more suitable communication channels.

 

  • Processed data types: Contact data (e.g. e-mail, telephone numbers); Usage data (e.g. websites visited, interest in content, access times); Meta, communication and process data (e.g. IP addresses, time data, identification numbers, consent status).
  • Affected persons: Communication partner.
  • Purposes of processing: contact enquiries and communication; direct marketing (e.g. by email or post).
  • Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Further information on processing operations, procedures and services:

  • Smartsupp Live Chat: Smartsupp Live Chat – official plugin. Smartsupp is a free live chat with visitor recording. With the plugin you can create a free account or sign up with an existing one. Pre-integrated customer information with WooCommerce (you will see names and emails of logged in webshop visitors). Optional API for advanced chat box changes; service provider: Smartsupp.com Šumavská 31, building B 602 00 Brno Czechia; Website: https://www.smartsupp.comPrivacy policy: https://help.smartsupp.com/en_US/privacy-policy/.

Video conferences, online meetings, webinars and screen sharing

We use platforms and applications of other providers (hereinafter referred to as „conference platforms“) for the purpose of conducting video and audio conferences, webinars and other types of video and audio meetings (hereinafter collectively referred to as „conference“). When selecting the conference platforms and their services, we observe the legal requirements.

Data processed by conference platforms: During conference participation, the conference platforms process participants‘ personal data as follows. The extent of processing depends on the specific conference’s requirements (e.g., access data or clear names) and any optional information provided by participants. Conference platforms may also process participants‘ data for security or service optimization purposes. Processed data includes personal data (first name, surname), contact information (e-mail address, telephone number), access data (access codes or passwords), profile pictures, information about professional positions/roles, Internet access IP address, details about participants‘ end devices, operating systems, browsers, technical and language settings, content of communication (e.g., chat messages), and audio and video data. Communications content is encrypted to the extent technically supported by the conference providers. If participants are registered as users with the conference platforms, additional data may be processed in accordance with the respective provider’s agreement.

Logging and recordings: If text entries, participation results (e.g. from surveys) and video or audio recordings are logged, this will be communicated transparently to the participants in advance and – if necessary – they will be asked for their consent.

Data protection measures for participants: Please note the details of the processing of your data by the conference platforms in their data protection notices and select the optimum security and data protection settings for you in the conference platform settings. Please also ensure data and privacy protection in the background of your recording for the duration of a video conference (e.g. by informing roommates, locking doors and using the function to make the background unrecognisable, if technically possible). Links to the conference rooms and access data must not be passed on to unauthorised third parties.

Notes on legal bases: If, in addition to the conference platforms, we also process users‘ data and ask users for their consent to use the conference platforms or certain functions (e.g. consent to the recording of conferences), the legal basis for processing is this consent. Furthermore, our processing may be necessary to fulfil our contractual obligations (e.g. in participant lists, in the case of processing the results of discussions, etc.). Otherwise, user data is processed on the basis of our legitimate interests in efficient and secure communication with our communication partners.

  • Processed data types: Inventory data (e.g. names, addresses); Contact data (e.g. e-mail, telephone numbers); Content data (e.g. entries in online forms); Usage data (e.g. websites visited, interest in content, access times); Meta, communication and process data (e.g. IP addresses, time data, identification numbers, consent status).
  • Data subjects: Communication partners; Users (e.g. website visitors, users of online services); Data subjects.
  • Purposes of processing: Provision of contractual services and customer service; contact requests and communication; office and organisational procedures.
  • Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Further information on processing operations, procedures and services:

Application procedure

The application process requires applicants to provide us with the data necessary for their assessment and selection. The information required can be found in the job description or, in the case of online forms, in the details provided there.

In principle, the required information includes personal details such as name, address, contact details and proof of the qualifications required for the position. On request, we will be happy to provide additional information on what details are required.

If provided, applicants can send us their applications using an online form. The data is transmitted to us in encrypted form in accordance with the state of the art. Applicants can also send us their applications by e-mail. Please note, however, that e-mails are generally not sent encrypted on the Internet. As a rule, e-mails are encrypted in transit, but not on the servers from which they are sent and received. We can therefore accept no responsibility for the transmission path of the application between the sender and receipt on our server.

For the purposes of searching for applicants, submitting applications and selecting applicants, we may use applicant management or recruitment software and platforms and services from third-party providers in compliance with legal requirements.

Applicants are welcome to contact us about how to submit their application or send it to us by post.

Processing of special categories of data: Insofar as special categories of personal data (Art. 9 para. 1 GDPR, e.g. health data, such as severely disabled status or ethnic origin) are requested from applicants as part of the application procedure, their processing is carried out so that the controller or the data subject can exercise the rights arising from labour law and social security and social protection law and fulfil his or her obligations in this regard. fulfil their obligations in this regard, in the case of the protection of vital interests of applicants or other persons or for the purposes of preventive health care or occupational medicine, for the assessment of the employee’s fitness for work, for medical diagnosis, for the provision of health or social care or treatment or for the management of health or social care systems and services (Art. 9 para. 2 lit. b), c) and h) GDPR).

Deletion of data: The data provided by applicants serves the purpose of evaluating job applications. In the event of a successful application, this data may be further processed for purposes related to the employment relationship. However, if an application is unsuccessful or withdrawn, the applicant’s data will be promptly deleted. Applicants have the right to withdraw their application at any time, and their data will be deleted accordingly. In cases where an application is not successful, and there is no justified objection from the applicant, data will be retained for up to six months. This retention period allows us to address any follow-up questions related to the application and fulfill our obligations to provide evidence in compliance with equal treatment regulations. Additionally, invoices for any reimbursement of travel expenses will be archived in accordance with tax regulations.

Inclusion in an applicant pool: Inclusion in an applicant pool, if offered, is based on consent. Applicants are informed that their consent to inclusion in the talent pool is voluntary, has no influence on the ongoing application process and that they can revoke their consent at any time for the future.

  • Processed data types: inventory data (e.g. names, addresses); contact data (e.g. e-mail, telephone numbers); content data (e.g. entries in online forms); applicant data (e.g. personal details, postal and contact addresses, the documents belonging to the application and the information contained therein, such as cover letter, CV, certificates and other personal or qualification information provided by applicants with regard to a specific position or voluntarily).
  • Persons concerned: Applicants.
  • Purposes of processing: Application procedure (justification and possible subsequent implementation and possible subsequent termination of the employment relationship).
  • Legal basis: Application procedure as a pre-contractual or contractual relationship (Art. 6 para. 1 lit. b) GDPR); Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Further information on processing operations, procedures and services:

Cloud services

We use internet-accessible software services known as „cloud services“ or „software as a service“ (SaaS) to store and manage content. These services are hosted on the servers of their respective providers. Within this context, personal data may be processed and stored on the servers of the cloud service providers, either as part of communication processes with us or in accordance with the details outlined in this privacy policy.

The data that may be processed includes user master data, contact information, transaction data, contract-related information, and the content of various processes. Additionally, cloud service providers may process usage data and metadata for security purposes and to enhance the functionality of their services.

 

If we use cloud services to provide other users or publicly accessible websites with forms or other documents and content, the providers may store cookies on users‘ devices for the purposes of web analysis or to remember user settings (e.g. in the case of media control).

  • Processed data types: Inventory data (e.g. names, addresses); Contact data (e.g. e-mail, telephone numbers); Content data (e.g. entries in online forms); Usage data (e.g. websites visited, interest in content, access times); Meta, communication and process data (e.g. IP addresses, time data, identification numbers, consent status).
  • Affected persons: Customers; employees (e.g. employees, applicants, former employees); interested parties; communication partners.
  • Purposes of processing: Office and organisational procedures; information technology infrastructure (operation and provision of information systems and technical equipment (computers, servers, etc.)).
  • Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Further information on processing operations, procedures and services:

Web analysis, monitoring and optimisation

We employ web analysis, sometimes referred to as „reach measurement,“ to assess the traffic and engagement of visitors on our online platform. This analysis may encompass visitor behavior, interests, or demographic data, such as age or gender, presented as pseudonymous values. Through reach analysis, we gain insights into various aspects, including peak usage times for our online services, specific content or features that are frequently accessed, and areas that may benefit from optimization.

In addition to web analysis, we may also use test procedures, e.g. to test and optimise different versions of our online offering or its components.

Unless otherwise stated below, profiles, i.e. data summarised for a usage process, can be created for these purposes and information can be stored in a browser or in a terminal device and read out from it. The information collected includes, in particular, websites visited and the elements used there as well as technical information such as the browser used, the computer system used and information on usage times. If users have consented to the collection of their location data from us or from the providers of the services we use, location data may also be processed.

To safeguard user privacy, we retain IP addresses but implement an IP masking procedure, effectively pseudonymizing the IP address. It’s important to note that for web analysis, A/B testing, and optimization purposes, we do not store identifiable user data like email addresses or names. Instead, we use pseudonyms. This ensures that neither we nor the software providers have access to the actual identities of users; we only have access to the information stored in user profiles for specific process-related purposes.

  • Processed data types: Usage data (e.g. websites visited, interest in content, access times); meta, communication and procedural data (e.g. IP addresses, time data, identification numbers, consent status).
  • Data subjects: Users (e.g. website visitors, users of online services).
  • Purposes of Processing: Remarketing; Web Analytics (e.g. access statistics, recognition of returning visitors); Profiles with user-related information (Creating user profiles); Tracking (e.g. profiling based on interests and behaviour, use of cookies); Provision of our online services and usability.
  • Security measures: IP masking (pseudonymisation of the IP address).
  • Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR).

Further information on processing operations, procedures and services:

  • Google Analytics: Web analytics, reach measurement and measurement of user flows; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); Website: https://marketingplatform.google.com/intl/de/about/analytics/Data protection declaration: https://policies.google.com/privacy; Order processing contract: https://business.safety.google/adsprocessorterms; Standard contractual clauses (guarantee of data protection level for processing in third countries): https://business.safety.google/adsprocessorterms; Possibility of objection (opt-out): Opt-out plugin: https://tools.google.com/dlpage/gaoptout?hl=deSettings for the display of adverts: https://adssettings.google.com/authenticated; Further information: https://privacy.google.com/businesses/adsservices (Types of processing and processed data).
  • Google Universal Analytics: Reach measurement and web analysis – We use Universal Analytics, a version of Google Analytics, to analyse users on the basis of a pseudonymous user identification number. This identification number does not contain any clear data, such as names or e-mail addresses. It is used to assign analysis information to a user, e.g. to recognise which content users have called up during use or whether they call up our online offer again. Pseudonymous profiles of users are created with information from the use of various devices; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); Website: https://marketingplatform.google.comTERMS AND CONDITIONS: https://business.safety.google/adsprocessorterms/; Privacy Policy: https://policies.google.com/privacy; Order processing contract: https://business.safety.google/adsprocessorterms; Standard contractual clauses (guarantee of data protection level for processing in third countries): https://business.safety.google/adsprocessorterms; Possibility of objection (opt-out): Opt-out plugin: https://tools.google.com/dlpage/gaoptout?hl=deSettings for the display of adverts: https://adssettings.google.com/authenticated; Further information: https://privacy.google.com/businesses/adsservices (Types of processing and processed data).
  • Google Analytics 4: We use Google Analytics to measure and analyse the use of our online offering on the basis of a pseudonymous user identification number. This identification number does not contain any unique data, such as names or e-mail addresses. It is used to assign analysis information to an end device in order to recognise which content users have called up within one or more usage processes, which search terms they have used, which they have called up again or which they have interacted with our online offering. The time of use and its duration are also stored, as well as the sources of the users who refer to our online offering and technical aspects of their end devices and browsers. Pseudonymised profiles of users are created with information from the use of various devices, whereby cookies may be used. Analytics provides higher-level geographic location data by collecting the following metadata based on IP searches: „city“ (and the derived latitude and longitude of the city), „continent“, „country“, „region“, „subcontinent“ (and the ID-based equivalents). To ensure the protection of user data in the EU, Google receives and processes all user data via domains and servers within the EU. The IP address of users is not logged and is shortened by the last two digits by default. The IP address is shortened on EU servers for EU users. In addition, all sensitive data collected from users in the EU is deleted before it is collected via EU domains and servers; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); Website: https://marketingplatform.google.com/intl/de/about/analytics/Data protection declaration: https://policies.google.com/privacy; Order processing contract: https://business.safety.google/adsprocessorterms/; Standard contractual clauses (guarantee of data protection level for processing in third countries): https://business.safety.google/adsprocessorterms; Possibility of objection (opt-out): Opt-out plugin: https://tools.google.com/dlpage/gaoptout?hl=deSettings for the display of adverts: https://adssettings.google.com/authenticated; Further information: https://privacy.google.com/businesses/adsservices (Types of processing and processed data).
  • Google Signals (Google Analytics function): Google signals are session data from websites and apps that Google associates with users who have signed in to their Google accounts and activated ad personalisation. This association of data with these logged-in users is used to enable cross-device reporting, cross-device remarketing and cross-device conversion measurement. This includes: Cross-platform reporting – linking data about devices and activity from different sessions using your User ID or Google Signals data, enabling an understanding of user behaviour at each step of the conversion process, from first contact to conversion and beyond; Remarketing with Google Analytics – creating remarketing audiences from Google Analytics data and sharing these audiences with linked advertising accounts; Demographics and interests – Google Analytics collects additional information about demographics and interests from users who are logged into their Google accounts and have ad personalisation enabled; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); Website: https://support.google.com/analytics/answer/7532985?hl=deData protection declaration: https://policies.google.com/privacy; Order processing contract: https://business.safety.google/adsprocessorterms; Standard contractual clauses (guarantee of data protection level for processing in third countries): https://business.safety.google/adsprocessortermsFurther information: https://privacy.google.com/businesses/adsservices (Types of processing and data processed).
  • Google Tag Manager: Google Tag Manager is a solution with which we can manage so-called website tags via an interface and thus integrate other services into our online offering (please refer to further information in this privacy policy). The Tag Manager itself (which implements the tags) therefore does not create user profiles or store cookies, for example. Google only learns the IP address of the user, which is necessary to run the Google Tag Manager; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); Website: https://marketingplatform.google.comData protection declaration: https://policies.google.com/privacy; Order processing contract: https://business.safety.google/adsprocessorterms; Standard contractual clauses (guarantee of data protection level for processing in third countries): https://business.safety.google/adsprocessorterms.

Online marketing

We engage in the processing of personal data for online marketing purposes. This may encompass activities such as marketing advertising space, displaying advertisements and other content collectively referred to as „content.“ These activities are conducted with the aim of aligning the presented content with users‘ potential interests and measuring the effectiveness of such marketing efforts.

To achieve these objectives, user profiles are established and maintained through files known as „cookies“ or similar methods. These profiles contain information relevant to the presentation of content to users. This information may encompass details such as viewed content, visited websites, utilized online networks, as well as communication partners and technical data, including browser type, operating system, usage times, and features used. In cases where users have consented to the collection of their location data, this information may also be processed.

User IP addresses are also retained; however, we employ IP masking techniques (pseudonymization through IP address shortening) for user protection. Generally, no identifiable user data, such as email addresses or names, is stored within the online marketing process. Instead, pseudonymous data is used. Consequently, neither we nor the providers of the online marketing processes possess knowledge of the actual user identities; we only have access to the information stored within their profiles.

Information within these profiles is typically stored in cookies or via similar methods. These cookies may also be accessed by other websites employing the same online marketing processes. They are analyzed to facilitate content presentation, supplemented with additional data, and stored on the online marketing process provider’s server.

In rare cases, identifiable data may be linked to user profiles. For instance, this may occur if users are members of a social network that utilizes our online marketing processes and the network connects user profiles with the aforementioned data. It’s important to note that users can establish additional agreements with the providers, often by providing consent during registration.

In essence, we only receive access to aggregated information about the success of our advertisements. However, through conversion measurements, we can determine which of our online marketing processes led to a „conversion,“ such as the completion of a contract with us. Conversion measurements are solely employed for analyzing the effectiveness of our marketing efforts.

 

Unless otherwise stated, we ask you to assume that cookies used are stored for a period of two years.

  • Processed data types: Content data (e.g. entries in online forms); usage data (e.g. websites visited, interest in content, access times); meta, communication and process data (e.g. IP addresses, time data, identification numbers, consent status); event data (Facebook) („event data“ is data that can be transmitted by us to Facebook via Facebook pixels (via apps or in other ways) and relates to people or their actions; the data includes, for example, information about visits to websites, interactions with content, installations of apps, purchases of products, etc.; the event data is used to create target groups for content and advertising information, etc.; the event data is used to create target groups for content and advertising information. The data includes, for example, information about visits to websites, interactions with content, functions, app installations, product purchases, etc.; the event data is processed for the purpose of creating target groups for content and advertising information (custom audiences); event data does not include the actual content (such as comments written), no login information and no contact information (i.e. no names, email addresses and telephone numbers). Event data will be deleted by Facebook after a maximum of two years, the target groups formed from them with the deletion of our Facebook account); contact information (Facebook) („contact information“ is data that (clearly) identifies data subjects, such as names, e-mail addresses and telephone numbers, which can be transmitted to Facebook, e.g. via Facebook pixels or uploads for matching purposes for the purpose of creating custom audiences; after matching for the purpose of creating target groups, the contact information is deleted).
  • Data subjects: Users (e.g. website visitors, users of online services).
  • Purposes of Processing: Web Analytics (e.g. access statistics, recognition of returning visitors); Targeting (e.g. profiling based on interests and behaviour, use of cookies); Conversion tracking (Measurement of the effectiveness of marketing activities); Custom Audiences; Marketing; Profiles with user-related information (Creating user profiles); Provision of our online services and usability.
  • Security measures: IP masking (pseudonymisation of the IP address).
  • Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
  • Possibility of objection (opt-out): We refer you to the data protection notices of the respective providers and the opt-out options specified for the providers (so-called „opt-out“). If no explicit opt-out option has been specified, you have the option of switching off cookies in your browser settings. However, this may restrict the functions of our online offering. We therefore recommend the following additional opt-out options, which are summarised for the respective areas: a) Europe: https://www.youronlinechoices.eu. b) Canada: https://www.youradchoices.ca/choices. c) USA: https://www.aboutads.info/choices. d) Cross-territory: https://optout.aboutads.info.

Further information on processing operations, procedures and services:

  • Facebook pixel and target group formation (custom audiences): With the help of the Facebook pixel (or comparable functions, for the transmission of event data or contact information by means of interfaces in apps), Facebook is on the one hand able to determine the visitors of our online offer as a target group for the display of adverts (so-called „Facebook ads“). Accordingly, we use the Facebook pixel to display the Facebook ads placed by us only to such users on Facebook and within the services of the partners cooperating with Facebook (so-called „Audience Network“). https://www.facebook.com/audiencenetwork/ ) who have also shown an interest in our online offering or who have certain characteristics (e.g. interest in certain topics or products that can be seen from the websites visited) that we transmit to Facebook (so-called „custom audiences“). With the help of the Facebook pixel, we also want to ensure that our Facebook ads correspond to the potential interest of users and are not annoying. With the help of the Facebook pixel, we can also track the effectiveness of Facebook adverts for statistical and market research purposes by seeing whether users have been redirected to our website after clicking on a Facebook advert (so-called „conversion measurement“); service provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland; Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); Website: https://www.facebook.com; Privacy Policy: https://www.facebook.com/about/privacyFurther information: Event user data, i.e. behavioural and interest data, is processed for the purposes of targeted advertising and target group formation on the basis of the joint controllership agreement („Controller Addendum“,https://www.facebook.com/legal/controller_addendum). Joint controllership is limited to the collection by and transfer of data to Meta Platforms Ireland Limited, a company based in the EU. The further processing of the data is the sole responsibility of Meta Platforms Ireland Limited, which in particular concerns the transfer of the data to the parent company Meta Platforms, Inc. in the USA (on the basis of the standard contractual clauses concluded between Meta Platforms Ireland Limited and Meta Platforms, Inc.)
  • Extended comparison for the Facebook pixel: In addition to the processing of event data in the context of the use of the Facebook pixel (or comparable functions, e.g. in apps), contact information (data identifying individual persons, such as names, e-mail addresses and telephone numbers) is also collected by Facebook within our online offering or transmitted to Facebook. The processing of contact information is used to create target groups (so-called „custom audiences“) for the display of content and advertising information based on the presumed interests of users. The collection, transmission and comparison with data available on Facebook is not carried out in plain text, but as so-called „hash values“, i.e. mathematical representations of the data (this method is used, for example, when storing passwords). After the comparison for the purpose of creating target groups, the contact information is deleted. The contact information is processed on the basis of an order processing contract withMeta Platforms Ireland Limited („Data Processing Terms „, https://www.facebook.com/legal/terms/dataprocessing), the „Data Security Terms“ (https://www.facebook.com/legal/terms/data_security_terms) and, with regard to processing in the USA, on the basis of standard contractual clauses („Facebook-EU Data Transfer Addendum, https://www.facebook.com/legal/EU_data_transfer_addendum). Further information on the processing of contact information can be found in the „Terms of Use for Facebook Business Tools“, https://www.facebook.com/legal/technology_terms.Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR).
  • Facebook Ads: Display of adverts within the Facebook platform and analysis of the ad results; Service provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.facebook.com; Privacy Policy: https://www.facebook.com/about/privacyPossibility of objection (opt-out): We refer to the data protection and advertising settings in the user’s profile on the Facebook platform as well as in the context of Facebook’s consent procedure and Facebook’s contact options for exercising information and other data subject rights in Facebook’s privacy policy; Further information: Users‘ event data, i.e. behavioural and interest data, is processed for the purposes of targeted advertising and target group formation on the basis of the joint controllership agreement („Controller Addendum“, https://www.facebook.com/legal/controller_addendum). Joint controllership is limited to the collection by and transfer of data to Meta Platforms Ireland Limited, a company based in the EU. The further processing of the data is the sole responsibility of Meta Platforms Ireland Limited, which in particular concerns the transfer of the data to the parent company Meta Platforms, Inc. in the USA (on the basis of the standard contractual clauses concluded between Meta Platforms Ireland Limited and Meta Platforms, Inc.)
  • Google Ads and conversion measurement: online marketing process for the purpose of placing content and adverts within the service provider’s advertising network (e.g. in search results, in videos, on websites, etc.) so that they are displayed to users who have a presumed interest in the adverts. In addition, we measure the conversion of the adverts, i.e. whether users have taken them as an opportunity to interact with the adverts and use the advertised offers (so-called conversion). However, we only receive anonymous information and no personal information about individual users; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR), Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://marketingplatform.google.com; Privacy policy: https://policies.google.com/privacy; Further information: Types of processing and data processed: https://privacy.google.com/businesses/adsservices; Data processing conditions between controllers and standard contractual clauses for third country transfers of data: https://business.safety.google/adscontrollerterms.
  • Extended conversions for Google Ads: When customers click on our Google adverts and subsequently use the advertised service (so-called „conversion“), the data entered by the user, such as the email address, name, home address or telephone number, can be transmitted to Google. The hash values are then compared with existing Google accounts of the users in order to better analyse and improve the interaction of the users with the ads (e.g. clicks or views) and thus their performance; Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); Website: https://support.google.com/google-ads/answer/9888656.
  • Instagram adverts: Placement of adverts within the Instagram platform and analysis of the ad results; Service provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland; Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); Website: https://www.instagram.com; Privacy Policy: https://instagram.com/about/legal/privacyPossibility of objection (opt-out): We refer to the data protection and advertising settings in the user’s profile on the Instagram platform and as part of Instagram’s consent procedure and Instagram’s contact options for exercising information and other data subject rights in Instagram’s privacy policy; Further information: Users‘ event data, i.e. behavioural and interest data, is processed for the purposes of targeted advertising and target group formation on the basis of the joint controllership agreement („Controller Addendum“, https://www.facebook.com/legal/controller_addendum). Joint controllership is limited to the collection by and transfer of data to Meta Platforms Ireland Limited, a company based in the EU. The further processing of the data is the sole responsibility of Meta Platforms Ireland Limited, which in particular concerns the transfer of the data to the parent company Meta Platforms, Inc. in the USA (on the basis of the standard contractual clauses concluded between Meta Platforms Ireland Limited and Meta Platforms, Inc.)

Presence in social networks (social media)

We maintain online profiles on social networks to engage with active users and provide information about our organization.

It’s important to note that user data may be processed outside the European Union, which could potentially pose risks for users, making it more challenging to enforce their rights.

Additionally, user data within social networks is typically used for market research and advertising purposes. For example, user profiles are created based on user behavior and their resulting interests. These user profiles may be utilized to display advertisements both within and outside the networks, targeting users based on their presumed interests. To achieve this, cookies are often stored on users‘ computers, capturing their usage patterns and interests. Moreover, data can be stored within user profiles independently of the devices used by users, especially if they are members of the respective platforms and are logged in.

For comprehensive information on the specific data processing methods and options for opting out, please refer to the data protection policies and guidance provided by the operators of the respective social networks.

In cases where users have inquiries or wish to assert their data subject rights, it’s worth noting that these matters are typically most effectively addressed directly with the network providers. These providers have access to user data and can implement appropriate measures and provide information directly. However, should users require further assistance, they are welcome to contact us.

 

  • Processed data types: Contact data (e.g. e-mail, telephone numbers); Content data (e.g. entries in online forms); Usage data (e.g. websites visited, interest in content, access times); Meta, communication and process data (e.g. IP addresses, time data, identification numbers, consent status).
  • Data subjects: Users (e.g. website visitors, users of online services).
  • Purposes of processing: Contact requests and communication; feedback (e.g. collecting feedback via online form); marketing.
  • Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Further information on processing operations, procedures and services:

  • Instagram: Social network; Service provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.instagram.com; Privacy Policy: https://instagram.com/about/legal/privacy.
  • Facebook pages: Profiles within the Facebook social network – We are jointly responsible with Meta Platforms Ireland Limited for the collection (but not the further processing) of data from visitors to our Facebook page (known as a „fan page“). This data includes information about the types of content users view or interact with, or the actions they take (see „Things you and others do and provide“ in the Facebook Data Policy: https://www.facebook.com/policy), as well as information about the devices used by users (e.g. IP addresses, operating system, browser type, language settings, cookie data; see under „Device information“ in the Facebook Data Policy: https://www.facebook.com/policy). As explained in the Facebook Data Policy under „How do we use this information?“, Facebook also collects and uses information to provide analytics services, known as „Page Insights“, for page operators so that they can gain insights into how people interact with their pages and the content associated with them. We have concluded a special agreement with Facebook („Information on Page Insights“, https://www.facebook.com/legal/terms/page_controller_addendum), which regulates in particular which security measures Facebook must observe and in which Facebook has agreed to fulfil the rights of data subjects (i.e. users can, for example, send information or deletion requests directly to Facebook). The rights of users (in particular to information, deletion, objection and complaint to the competent supervisory authority) are not restricted by the agreements with Facebook. Further information can be found in the „Information on Page Insights“ (https://www.facebook.com/legal/terms/information_about_page_insights_data); Service provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.facebook.com; Privacy Policy: https://www.facebook.com/about/privacy; Standard Contractual Clauses (Safeguarding the level of data protection when processing data in third countries): https://www.facebook.com/legal/EU_data_transfer_addendumFurther information: Agreement on joint responsibility: https://www.facebook.com/legal/terms/information_about_page_insights_data. The joint controllership is limited to the collection by and transfer of data to Meta Platforms Ireland Limited, a company based in the EU. The further processing of the data is the sole responsibility of Meta Platforms Ireland Limited, which in particular concerns the transfer of the data to the parent company Meta Platforms, Inc. in the USA (on the basis of the standard contractual clauses concluded between Meta Platforms Ireland Limited and Meta Platforms, Inc.)
  • Facebook events: Event profiles within the Facebook social network – We use the „Events“ function of the Facebook platform to draw attention to events and dates and to get in touch with users (participants and interested parties) and to exchange information. In doing so, we process personal data of the users of our event pages, insofar as this is necessary for the purpose of the event page and its moderation. This data includes information on first and last names, as well as published or privately communicated content, as well as values on the status of participation and the time details for the aforementioned data. We also refer to the processing of user data by Facebook itself. This data includes information about the types of content that users view or interact with, or the actions they take (see „Things you and others do and provide“ in the Facebook Data Policy: https://www.facebook.com/policy), as well as information about the devices used by users (e.g. IP addresses, operating system, browser type, language settings, cookie data; see under „Device information“ in the Facebook Data Policy: https://www.facebook.com/policy). As explained in the Facebook Data Policy under „How do we use this information?“, Facebook also collects and uses information to provide analytics services, known as „Insights“, to event providers to give them insights into how people interact with their event pages and the content associated with them; service provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.facebook.com; Privacy Policy: https://www.facebook.com/about/privacy.
  • LinkedIn: Social network; Service provider: LinkedIn Ireland Unlimited Company, Wilton Plaza Wilton Place, Dublin 2, Ireland; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.linkedin.com; Privacy Policy: https://www.linkedin.com/legal/privacy-policyOrder processing contract: https://legal.linkedin.com/dpa; Standard contractual clauses (guaranteeing the level of data protection for processing in third countries): https://legal.linkedin.com/dpa; Possibility of objection (opt-out): https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.
  • YouTube: Social network and video platform; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Privacy Policy: https://policies.google.com/privacyOption to object (opt-out): https://adssettings.google.com/authenticated.
  • Xing: Social network; Service provider: New Work SE, Am Strandkai 1, 20457 Hamburg, Germany; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.xing.de; Privacy Policy: https://privacy.xing.com/de/datenschutzerklaerung.

Plugins and embedded functions and content

We enhance our online content with functional and visual elements obtained from the servers of various third-party providers, collectively referred to as „third-party providers.“ These elements can include graphics, videos, or maps, and we consistently label them as „content.“

To enable the display of this content or functionality in the user’s browser, the respective third-party providers must process the user’s IP address, as this is essential for transmitting the content. Our commitment is to select content providers who exclusively employ the user’s IP address for the purpose of content delivery.

Furthermore, third-party providers may utilize pixel tags, also known as „web beacons,“ for statistical or marketing purposes. These pixel tags can gather data such as visitor traffic on our website’s pages. The information collected is pseudonymous and may be stored in cookies on the user’s device. It can encompass technical details about the user’s browser and operating system, referral sources, the timing of visits, and other usage-related data concerning our online offering. Additionally, this data may be linked to information from other sources.

 

  • Processed data types: Usage data (e.g. websites visited, interest in content, access times); meta, communication and process data (e.g. IP addresses, time data, identification numbers, consent status); inventory data (e.g. names, addresses); contact data (e.g. email, telephone numbers); content data (e.g. entries in online forms).
  • Data subjects: Users (e.g. website visitors, users of online services).
  • Purposes of processing: Provision of our online services and user-friendliness; provision of contractual services and customer service.
  • Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Further information on processing operations, procedures and services:

  • Google Fonts (obtained from the Google server): Obtaining fonts (and symbols) for the purpose of a technically secure, maintenance-free and efficient use of fonts and symbols with regard to up-to-dateness and loading times, their uniform presentation and consideration of possible licence restrictions. The provider of the fonts is informed of the user’s IP address so that the fonts can be made available in the user’s browser. In addition, technical data (language settings, screen resolution, operating system, hardware used) are transmitted that are necessary for the provision of the fonts depending on the devices used and the technical environment. This data may be processed on a server of the font provider in the USA – When visiting our online offer, the user’s browser sends HTTP requests to the Google Fonts Web API (i.e. a software interface for retrieving fonts). The Google Fonts Web API provides users with the Google Fonts Cascading Style Sheets (CSS) and then the fonts specified in the CCS. These HTTP requests include (1) the IP address used by the respective user to access the Internet, (2) the requested URL on the Google server and (3) the HTTP headers, including the user agent, which describes the browser and operating system versions of the website visitors, as well as the referrer URL (i.e. the web page on which the Google font is to be displayed). IP addresses are neither logged nor stored on Google servers and are not analysed. The Google Fonts Web API logs details of HTTP requests (requested URL, user agent and referrer URL). Access to this data is restricted and strictly controlled. The requested URL identifies the font families for which the user wishes to load fonts. This data is logged so that Google can determine how often a particular font family is requested. With the Google Fonts Web API, the user agent must adapt the font that is generated for the respective browser type. The user agent is primarily logged for debugging and used to generate aggregated usage statistics to measure the popularity of font families. These summarised usage statistics are published on the „Analyses“ page of Google Fonts. Finally, the referral URL is logged so that the data can be used for production maintenance and to generate an aggregated report on the top integrations based on the number of font requests. According to its own information, Google does not use any of the information collected by Google Fonts to create profiles of end users or to place targeted adverts; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://fonts.google.com/Data protection declaration: https://policies.google.com/privacyFurther information: https://developers.google.com/fonts/faq/privacy?hl=de.
  • reCAPTCHA: We integrate the „reCAPTCHA“ function in order to be able to recognise whether entries (e.g. in online forms) are made by humans and not by automatically acting machines (so-called „bots“). The processed data may include IP addresses, information on operating systems, devices or browsers used, language settings, location, mouse movements, keyboard strokes, time spent on websites, previously visited websites, interactions with ReCaptcha on other websites, possibly cookies and results of manual recognition processes (e.g. answering questions asked or selecting objects in images). Data processing is carried out on the basis of our legitimate interest in protecting our online offering from abusive automated crawling and spam; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.google.com/recaptcha/Data protection declaration: https://policies.google.com/privacyOption to object (opt-out): Opt-out plugin: https://tools.google.com/dlpage/gaoptout?hl=de, Settings for the display of adverts: https://adssettings.google.com/authenticated.
  • YouTube videos: Video content; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.youtube.comData protection declaration: https://policies.google.com/privacyOption to object (opt-out): Opt-out plugin: https://tools.google.com/dlpage/gaoptout?hl=de, Settings for the display of adverts: https://adssettings.google.com/authenticated.

 

Amendment and updating of the privacy policy

We kindly request that you regularly review the contents of our privacy policy. In the event of any changes to our data processing practices that necessitate modifications to this policy, we will promptly make the necessary adjustments. If such changes require your involvement, such as granting consent or receiving individual notifications, we will ensure that you are duly informed.

Please be aware that the addresses and contact information of companies and organizations provided in this privacy policy may change over time. We recommend verifying this information before reaching out to us.

 

Rights of the data subjects

As a data subject, you are entitled to various rights under the GDPR, which arise in particular from Art. 15 to 21 GDPR:

  • Right to object: You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on point (e) or (f) of Article 6(1) GDPR, including profiling based on those provisions. If the personal data concerning you are processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing.
  • Right to withdraw consent: You have the right to withdraw your consent at any time.
  • Right of access: You have the right to obtain confirmation as to whether or not personal data concerning you is being processed and to obtain information about this data and further information and a copy of the data in accordance with the legal requirements.
  • Right to rectification: In accordance with the statutory provisions, you have the right to request the completion of data concerning you or the rectification of inaccurate data concerning you.
  • Right to erasure and restriction of processing: In accordance with the statutory provisions, you have the right to demand that data concerning you be erased immediately or, alternatively, to demand that the processing of the data be restricted in accordance with the statutory provisions.
  • Right to data portability: You have the right to receive the data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format in accordance with the legal requirements or to request its transmission to another controller.
  • Complaint to the supervisory authority: Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the provisions of the GDPR.

Supervisory authority responsible for us:

Michael Will
Promenade 18
91522 Ansbach

Postal address:
P.O. Box 1349,
91504 Ansbach

Telephone: 0981/180093-0
E-Mail: poststelle@lda.bayern.de
Homepage: https://www.lda.bayern.de

Definitions of terms

In this section, we aim to provide you with an overview of the terminology used in this privacy policy. When specific terms are defined by law, their legal definitions take precedence. However, the explanations provided here are primarily intended to enhance comprehension.

  • Conversion measurement: Conversion measurement (also referred to as „visit action evaluation“) is a process that can be used to determine the effectiveness of marketing measures. For this purpose, a cookie is usually stored on the user’s device within the websites on which the marketing measures take place and then retrieved again on the target website. For example, this allows us to track whether the adverts we have placed on other websites have been successful.
  • Personal data: „Personal data“ means any information relating to an identified or identifiable natural person (hereinafter referred to as „data subject“); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. cookie) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
  • Profiles with user-related information: The processing of „profiles with user-related information“, or „profiles“ for short, includes any type of automated processing of personal data that consists of using this personal data to analyse, evaluate or predict certain personal aspects relating to a natural person (depending on the type of profiling, this may include various information relating to demographics, behaviour and interests, such as interaction with websites and their content, etc.) (e.g. interests in certain content or products, click behaviour on a website or location). Cookies and web beacons are often used for profiling purposes.
  • Reach measurement: Reach measurement (also known as web analytics) is used to evaluate the flow ofvisitors to an online offering and can include the behaviour or interests of visitors in certain information, such as website content. With the help of reach analysis, website owners can, for example, recognise at what time visitors visit their website and what content they are interested in. This enables them, for example, to better customise the content of the website to the needs of their visitors. For the purposes of reach analysis, pseudonymous cookies and web beacons are often used to recognise returning visitors and thus obtain more precise analyses of the use of an online offer.
  • Remarketing: The term „remarketing“ or „retargeting“ is used when, for example, it is noted for advertising purposes which products a user was interested in on a website in order to remind the user of these products on other websites, e.g. in adverts.
  • Tracking: The term „tracking“ is used when the behaviour of users can be traced across several online offers. As a rule, behavioural and interest information is stored in cookies or on the servers of the providers of the tracking technologies with regard to the online offers used (so-called profiling). This information can then be used, for example, to display adverts to users that are likely to correspond to their interests.
  • Controller: The „controller“ is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
  • Processing: „Processing“ means any operation or set of operations which is performed on personal data, whether or not by automated means. The term is broad and encompasses practically every handling of data, whether it is collecting, analysing, storing, transmitting or deleting.
  • Target group formation: Target group formation (custom audiences) is when target groups are determined for advertising purposes, e.g. the display of adverts. For example, based on a user’s interest in certain products or topics on the Internet, it can be concluded that this user is interested in adverts for similar products or the online shop in which they viewed the products. In turn, „lookalike audiences“ (or similar target groups) are when the content deemed suitable is displayed to users whose profiles or interests presumably correspond to the users for whom the profiles were created. Cookies and web beacons are generally used for the purpose of creating custom audiences and lookalike audiences.
Datenschutzerklärug