This Data Protection Policy explains the nature, scope and purpose of processing personal data (hereinafter referred to as “data”) within our online offering and the related web pages, functions and content as well as our external online presences, such as our social media profiles (hereinafter collectively referred to as the “online offering”). In relation to the terms used, such as “processing” or “controller”, please refer to the definitions set out in Article 4 of the EU General Data Protection Regulation (GDPR).
Oliver Gurtschmann & Felix Bartz
Bendestorfer Str. 3-5
21244 Buchholz / Nordheide
Types of data processed:
– Master data (e.g. names, addresses).
– Contact data (e.g. email, telephone numbers).
– Content data (e.g. copy, photos, videos).
– Usage data (e.g. web pages visited, interest in content, visit duration).
– Meta/communications data (e.g. device information, IP addresses).
Data subject categories
Visitors and users of the online offering (hereinafter collectively referred to as “users”).
Purpose of processing
– Provision of the online offering, its functions and content.
– Answering inquiries and communicating with users.
– Security measures.
– Audience measurement/marketing.
Definition of terms
“Personal data” means any information relating to an identified or identifiable natural person (“data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means. The term has a broad meaning and covers virtually any instance where data is handled.
“Pseudonymization” means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
“Profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.
“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
“Contract processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Pursuant to Article 13 GDPR we hereby inform you of the lawful basis of our data processing activities. Unless the lawful basis is stated in the Data Protection Policy, the following applies: The lawful basis for obtaining consent is Article 6(1)a and Article 7 GDPR; the lawful basis for processing to perform our services and to carry out contractual measures and to answer inquiries is Article 6(1)b GDPR; the lawful basis for processing to fulfill our legal obligations is Article 6(1)c GDPR; and the lawful basis for processing to safeguard our legitimate interests is Article 6(1)f GDPR. In the event that vital interests of the data subject or another natural person require the processing of personal data, Article 6(1)d serves as the lawful basis.
Pursuant to Article 32 GDPR, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including, inter alia, the measures described below.
Measures include ensuring the ongoing confidentiality, integrity and availability of data by controlling physical access to it, logical access to it, its entry and transfer, safeguarding its availability and controlling its storage on portable devices. Furthermore, we have established procedures that ensure the rights of data subjects are upheld, that data can be erased and that suitable measures can be taken if personal data is put at risk. Moreover, we take the protection of personal data into account from the development and selection of hardware, software and procedures onwards, in accordance with the principles of data protection by design and by privacy-friendly default settings (Article 25 GDPR).
Collaboration with contract processors and third parties
If, in the course of our processing personal data, we disclose data to other persons and companies (contract processors or third parties), transfer data to them or otherwise grant them access to the data, this is done only on the basis of a legal permission (e.g. if the transfer of data to third parties, such as payment service providers, is necessary for the performance of the contract pursuant to Article 6(1)b GDPR), because you have consented to it, because this is required by law, or on the basis of our legitimate interests (e.g. use of agents, web hosting providers, etc.).
If we commission third parties to process data based on a processing contract, we will do this pursuant to Article 28 GDPR.
Transfers to third countries
If we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)), or do so as part of the use of third-party services or the disclosure or transfer of data to third parties, this will only be done if it is necessary to fulfill our (pre-)contractual obligations, on the basis of your consent, on the basis of a legal obligation or on the basis of our legitimate interests. Subject to legal or contractual permissions, we process or have the data processed in a third country only if the special requirements within the meaning of Article 44 et seq. GDPR are met. In other words, processing is performed, for example, on the basis of specific guarantees of compliance with European data protection regulations (e.g. for the US through the Privacy Shield) or compliance with officially recognized special contractual obligations (“standard contractual clauses”).
Rights of the data subject
You have the right to ask for confirmation as to whether the data in question is being processed and for information about this data as well as for further information and a copy of the data in accordance with Article 15 GDPR.
Pursuant to Article 16 GDPR you have the right to request the completion of the data concerning you or the rectification of the incorrect data concerning you.
Pursuant to Article 17 GDPR you have the right to request immediate erasure of your personal data or, alternatively, pursuant to Article 18 GDPR to restrict the processing of your data.
Pursuant to Article 20 GDPR you have the right to receive your personal data, which you provided to us, and to transfer that data to another controller without hindrance.
Furthermore, pursuant to Article 77 GDPR you have the right to lodge a complaint with a supervisory authority.
Withdrawal of consent
Pursuant to Article 7(3) GDPR you have the right to withdraw your consent without this affecting the lawfulness of processing based on consent before its withdrawal.
Right to object
Pursuant to Article 21 GDPR you have the right to object at any time to the processing of personal data concerning you. You may exercise this right to object in particular against processing for direct marketing purposes.
Cookies and right to object to direct advertising
“Cookies” are small files that are stored on a user’s computer. Different information can be stored within the cookies. A cookie is used primarily to provide information about a user (or the device on which the cookie is stored) during or after the user’s visit to an online offering. Temporary cookies, or “session cookies” or “transient cookies”, are cookies that are deleted after a user leaves an online offering and closes the browser. The contents of a shopping cart in an online shop or a login status, etc., may be saved in such a cookie. The term “permanent” or “persistent” refers to cookies that remain stored even after the browser has been closed. Among other things, this means that the login status will be saved so users won’t need to re-enter their credentials when visiting the site again after several days. Likewise, the user’s interests can be stored in such a cookie and used for audience measurement or marketing purposes. A “third-party cookie” refers to cookies that are offered by providers other than the controller who manages the online offering (otherwise, if only the controller’s cookies are used, these are referred to as “first-party cookies”).
We may use temporary and permanent cookies, the use of which is explained in our Data Protection Policy.
If users do not want cookies stored on their computer, they are asked to disable the corresponding option in their browser settings. Saved cookies can be deleted via the browser settings. Refusing cookies may restrict the functionality of this online offering.
In general terms, you can object to the placement of cookies used for online marketing purposes, especially in the case of tracking, on a variety of services such as the US website http://www.aboutads.info/choices/ or the EU site http://www.youronlinechoices.com/. Furthermore, you can block the storage of cookies via your browser settings; however, be aware that in doing so you may not be able to use all of this online offering’s functions.
Erasure of data
The data we process will either be erased or its processing restricted pursuant to Articles 17 and 18 GDPR. Unless explicitly stated otherwise in this Data Protection Policy, and insofar as we are not prevented by statutory data retention obligations, the data stored by us will be erased as soon as it is no longer required for the purpose for which it was collected or otherwise processed. If the data cannot be erased because it is required for legal or other permissible reasons, its processing will be restricted. This means that the data will be blocked and not processed for other purposes. The same applies to data that must be retained for commercial or fiscal reasons.
Under German law, data will be retained for 10 years pursuant to Section 147(1) AO [German Fiscal Code], Section 257(1) nos. 1 and 4, and Section 257(4) HGB [German Commercial Code] (books, records, management reports, accounting vouchers, company accounts, documents relevant for taxation, etc.) and for 6 years pursuant to Section 257(1) nos. 2 and 3, and Section 257(4) HGB (business correspondence).
Under Austrian law, data will be retained for 7 years pursuant to Section 132(1) BAO [Austrian Fiscal Code] (accounting documents, receipts/invoices, accounts, documents, business papers, statements of account, etc.), for 22 years in connection with real estate and for 10 years in the case of documents relating to electronically supplied services, telecommunications, broadcasting and television services provided to non-entrepreneurs in EU Member States and for which the Mini One Stop Shop (MOSS) is used.
In addition, we process the following data of our customers, interested parties and business partners for the purpose of performing contractual services, providing support and customer care, marketing, advertising and market research:
– Contractual data (e.g. subject matter, term, customer category).
– Payment data (e.g. account details, payment history).
We process our customers’ data as part of our contractual services, which include conceptual and strategic consulting, campaign planning, software and design development/consulting or maintenance, implementation of campaigns and processes/handling, server administration, data analysis/consulting services and training services. As part of this we process master data (e.g. customer master data, such as names or addresses), contact data (e.g. email addresses, telephone numbers), content data (e.g. copy, photographs, videos), contract data (e.g. subject matter, term), payment data (e.g. account details, payment history), usage data and metadata (e.g. as part of evaluating and measuring the performance of marketing measures). In principle, we do not process special categories of personal data unless these are components of a commissioned data processing activity. Data subjects include our customers and interested parties as well as their customers, users, website visitors or employees, and third parties. Data is processed for the provision of contractual services, billing and our customer service. The lawful bases for processing arise from Article 6(1)b GDPR (contractual services) and Article 6(1)f GDPR (analysis, statistics, optimization, security measures). We process the data that is necessary to establish and perform contractual services and indicate where its provision is necessary. Disclosure to external parties will only be made if required within the scope of an order. When processing the data provided to us within the scope of an order, we act in accordance with the instructions of the client as well as the statutory requirements for order processing pursuant to Article 28 GDPR, and process the data for no purposes other than those related to the order. We delete the data after the expiry of legal warranty and comparable obligations.
The need to retain the data is reviewed every three years; in the case of legal archiving obligations, data is deleted after the expiry of those retention obligations (6 years, pursuant to Section 257(1) HGB; 10 years pursuant to Section 147(1) AO). If data is disclosed to us by the client within the context of an order, we will delete the data according to the requirements of the order or, in general, after the end date of the order.
We process the data of our contractual partners and interested parties as well as other clients, customers or contractual partners (uniformly referred to as “contractual partners”) pursuant to Article 6(1)b GDPR to perform our contractual services for them. The data processed, the nature, scope and purpose of the processing as well as its necessity are determined by the underlying contractual relationship. The processed data includes the master data of our contractual partners (e.g. names and addresses), contact data (e.g. email addresses and telephone numbers) as well as contract data (e.g. services used, contract contents, contractual communication, names of contacts) and payment data (e.g. bank details, payment history). In principle, we do not process special categories of personal data unless these are components of a commissioned or contractually agreed data processing activity. We process the data that is necessary to establish and perform contractual services and indicate where its provision is necessary if this is not evident to the contractual partners. Disclosure to external people or companies will only be made if required within the scope of a contract. When processing the data provided to us within the scope of an order, we act in accordance with the instructions of the client as well as the statutory requirements. As part of the use of our online services, we may save the IP address and the time of each user interaction. This information is stored based on our legitimate interests as well as the interests of the user in protection against misuse and other unauthorized uses. In principle, this data will not be transferred to third parties unless processing is necessary for the purposes of the legitimate interests pursued by us pursuant to Article 6(1)f GDPR or it is necessary for compliance with a legal obligation to which we are subject pursuant to Article 6(1)c GDPR.
The data will be erased if it is no longer required for the performance of contractual or statutory duties of care and for the performance of any warranty or comparable obligations, whereby the necessity of retaining the data will be reviewed every three years; otherwise statutory retention obligations apply.
External payment service providers
We use external payment service providers, through whose platforms users and we can perform payment transactions (such as, with links to their respective privacy statements, PayPal (https://www.paypal.com/webapps/mpp/ua/privacy-full), Skrill (https://www.skrill.com/en/footer/privacypolicy/) and Giropay (https://www.giropay.de/rechtliches/datenschutz-agb/) [link in German]).
As part of the performance of contractual services, we utilize the payment service providers on the basis of Article 6(1)b GDPR. Besides this, we use external payment service providers on the basis of our legitimate interests pursuant to Article 6(1)b GDPR to offer our users effective and secure payment options. The data processed by payment service providers includes master data, e.g. the name and the address, account details, such as account numbers or credit card numbers, passwords, TANs and checksums, as well as contract, amount and recipient-related information. These details are required to process transactions. The data entered will, however, only be processed by the payment service provider and stored by them. This means we do not receive any account or credit card related information; we only receive information confirming the payment has been made or declined. The data may be transferred by the payment service providers to credit reporting agencies for identity and credit checking purposes. For further information please refer to the payment service provider’s terms and conditions of business and privacy statement. The payment service provider’s terms and conditions of business and privacy statement, which are accessible on its website/within its payment app, apply to payment transactions. Please also refer to them for further information regarding the exercising of your right to withdraw consent, right to information and other data subject rights.
Administration, accounting, office organization, contact management
We process data in the context of administrative tasks, organizing our business, accounting and compliance with legal obligations, such as archiving. As part of this, we process the same data that we process within the framework of performing our contractual services. The lawful bases for processing arise from Article 6(1)c GDPR and Article 6(1)f GDPR. Customers, interested parties, business partners and website visitors are affected by this processing. The purpose of, and our legitimate interest in, the processing lies in the administration, accounting, office organization and archiving of data – in other words, activities that serve the purpose of operating our business, performing our duties and providing our services. The deletion of data in respect of contractual services and contractual communication corresponds to the information stated for those processing activities. We disclose or transfer data to the fiscal authorities, to consultants such as tax accountants or auditors, and to other billing centers and payment service providers. Furthermore, based on our business interests, we store information about suppliers, promoters and other business partners, e.g. for later contact. We generally store this data, which is mainly business related, permanently.
Business analysis and market research
To operate our business and identify market trends as well as the wishes of the contractual partners and users, we analyze the data we hold on business transactions, contracts and inquiries, etc. We process master data, communication data, contract data, payment data, usage data and metadata pursuant to Article 6(1)f GDPR, where data subjects include contractual partners, interested parties, customers, visitors and users of our online offering. The analyses are performed for business evaluations as well as marketing and market research purposes. In doing so, we may take into consideration the profiles of registered users including information such as which services they made use of. The analyses serve to increase user-friendliness as well as optimize our offering and its efficiency. The analyses are for us alone and will not be disclosed externally unless they are anonymized and aggregated. If these analyses or profiles relate to persons, they will be deleted or anonymized either upon termination by the user or after two years from the conclusion of the contract. Besides this, general business and trend analyses are produced anonymously if possible.
Data protection in the context of the application process
We process applicant data only for the purpose and in the context of the application process in accordance with statutory requirements. We process applicant data to fulfill our (pre-)contractual obligations in the context of the application process within the meaning of Articles 6(1)b and 6(1)f GDPR, or where we are required to process the data, e.g. in the context of legal proceedings (in Germany, Section 26 BDSG [German Federal Data Protection Act] applies additionally). The application process requires applicants to provide us with applicant data. The required applicant data is set out where we offer an online form; otherwise, it is derived from the job descriptions and essentially includes information on the person, postal and contact details and the application documents, such as a covering letter, resume and certificates. Applicants are also free to provide us with additional information voluntarily. By submitting their application to us, applicants consent to the processing of their data for the purposes of the application process in accordance with the nature and scope set forth in this Data Protection Policy. Insofar as special categories of personal data within the meaning of Article 9(1) GDPR are shared voluntarily within the context of the application process, they will additionally be processed pursuant to Article 9(2)b GDPR (e.g. health data such as the type of severe disability, or ethnic origin). If the applicant is asked to provide information on special categories of personal data within the meaning of Article 9(1) GDPR within the context of the application process, it will additionally be processed pursuant to Article 9(2) GDPR (e.g. health data where this is required for professional practice). If we provide one, applicants may submit their applications to us using an online form on our website. The data will be encrypted and transferred to us using state-of-the-art methods.
Furthermore, applicants may email us their applications; however, we hereby point out that emails are generally not sent in an encrypted form and that applicants themselves must ensure the emails are encrypted. We can therefore accept no responsibility for the transfer of the application between the sender and its receipt on our server, and instead recommend either using an online form or the postal service. Instead of applying via the online form or email, applicants can still send us the application by post. The data provided by the applicants may be further processed by us for employment purposes in the event of a successful application. Otherwise, if the application for a vacancy is unsuccessful, the applicants’ data will be deleted. The applicants’ data will also be deleted if the application is withdrawn, which the applicants are entitled to do at any time. Subject to a legitimate withdrawal by the applicant, the data will be deleted after the expiration of a six-month period, which enables us to answer any follow-up questions in relation to the application and to meet our obligations under the Gleichbehandlungsgesetz [German Equal Treatment Act]. Invoices for the reimbursement of any travel expenses incurred will be archived in accordance with statutory fiscal obligations.
Getting in touch
When getting in touch with us (e.g. using the contact form, email, telephone or social media) we process the user’s details pursuant to Article 6(1)b GDPR to deal with the inquiry. User details may be stored in a CRM (customer relationship management) system or similar inquiry system. We delete inquiries if these are no longer required. We review the necessity every two years; furthermore, statutory archiving obligations apply.
Newsletter – MailChimp
Newsletter – performance measurement
The newsletters contain a web beacon, a pixel-size file which, when the newsletter is opened, is retrieved from either our server or, if we use a distribution service provider, its server. This retrieval initially involves technical information being collected, such as information on the browser and your system as well as your IP address and the time of retrieval. This information is used to improve the services technically on the basis of the technical data, or to understand the target groups and their reading behavior on the basis of their retrieval locations (which can be determined from the IP address) or visit duration. The statistical surveys also involve determining whether the newsletters are opened, when they are opened and which links are clicked on. This information may be attributed to individual newsletter recipients for technical reasons, but it is neither our intention nor that of the distribution service provider to monitor individual users. The evaluations instead help us to recognize the reading habits of our users and to adapt our content to them or to send different content based on our users’ interests. It is not possible to opt out of performance measurement separately; in this case, the entire newsletter subscription must be cancelled.
Online presence in social media
We maintain an online presence on social networks and platforms to communicate with customers, interested parties and users who are active on those networks/platforms and to inform them about our services. When accessing the respective networks and platforms, the respective operator’s terms and conditions and data processing guidelines apply. Unless otherwise stated in our Data Protection Policy, we process users’ data if they communicate with us on social networks and platforms, e.g. write posts on our online presence or send us messages.
Embedding of third-party content and services
Within our online offering we utilize third-party content or service offerings based on our legitimate interests (i.e. interest in the analysis, optimization and efficiency of our online offering within the meaning of Article 6(1)f GDPR) to display their content and services such as videos or fonts (hereinafter uniformly referred to as “content”). This always requires that the third-party content providers collect the user’s IP address, since they could not send the content to the user’s browser without the IP address. The IP address is therefore required to display this content. We endeavor to use only content whose respective providers use the IP address solely for the delivery of the content. Third parties may also use pixel tags (invisible graphics, also referred to as “web beacons”) for statistical or marketing purposes. Pixel tags allow the analysis of information such as visitor traffic to this website’s pages. The pseudonymized information may also be stored in cookies on the user’s device and may include, but is not limited to, technical information about the browser and operating system, referring web pages, visit duration and other information regarding the use of our online offering; it may also be combined with such information from other sources.
Within our online offering we may embed functions and content of the Xing service provided by XING AG, Dammtorstraße 29-32, 20354 Hamburg, Germany. This may include content such as images, videos, text or buttons which allow users to share content from this online offering within Xing. If users are Xing members, Xing can attribute the access of content and functions to the users’ Xing profiles. For its data protection statement see: https://www.xing.com/app/share?op=data_protection.
Created using Datenschutz-Generator.de by RA Dr. Thomas Schwenke