Privacy Policy

Preamble

With the following privacy policy, we would like to explain to you what types of your personal data (hereinafter also referred to as “data” for short) we process for what purposes and to what extent. The privacy policy applies to all processing of personal data carried out by us, both in the context of providing our services and in particular on our websites, in mobile applications and within external online presences, such as our social media profiles (hereinafter collectively referred to as “online offer”).

The terms used are not gender-specific.

Status: June 7, 2024

Person responsible

Hansen & Heinrich AG
Toni-Lessler-Strasse 23
14193 Berlin-Grunewald

Board of directors:
Timon Heinrich
Dr. Lars Slomka

Email address: info@hansen-heinrich.de

Impressum: https://www.hansen-heinrich.de/impressum/

Contact data protection officer

datenschutz@hansen-heinrich.de

Responsible person for the group of companies

As the parent company, Hansen & Heinrich AG assumes data protection responsibility for the central data processing processes within the group of companies, which also includes the subsidiaries Hansen & Heinrich Vorsorgeberatung GmbH, Hansen & Heinrich Stiftungstreuhand GmbH and Hansen & Heinrich Immobilienservice GmbH. The reason for this is that the AG wants to ensure a uniform and consistent implementation of data protection by centrally managing and coordinating key processes and processing. This enables us to guarantee a high level of data protection and to fulfill our responsibility towards you as a data subject in the best possible way. The individual subsidiaries remain responsible for specific processing as part of the business activities of the individual subsidiaries.

Overview of processing

The following overview summarizes the types of data processed and the purposes of their processing and refers to the persons concerned.

Types of data processed

  • Inventory data.
  • Employment data.
  • Payment details.
  • Contact details.
  • Content data.
  • Contract data.
  • Usage data.
  • Meta, communication and procedural data.
  • Applicant data.
  • Image and/or video recordings.
  • Sound recordings.
  • Log data.
  • Credit rating data.

Categories of affected persons

  • Service recipients and clients.
  • Employees.
  • Interested parties.
  • Communication partners.
  • Users.
  • Applicants.
  • Business and contract partners.
  • Clients.
  • People pictured.
  • Third parties.
  • Whistleblowers.
  • Customers.

Purposes of processing

  • Provision of contractual services and fulfilment of contractual obligations.
  • Communication.
  • Security measures.
  • Direct marketing.
  • Reach measurement.
  • Office and organizational procedures.
  • Organizational and administrative procedures.
  • Application process.
  • Feedback.
  • Marketing.
  • Profiles with user-related information.
  • Provision of our online offering and user-friendliness.
  • Assessment of creditworthiness and credit standing.
  • Information technology infrastructure.
  • Whistleblower protection.
  • Financial and payment management.
  • Public relations.
  • Sales promotion.
  • Business processes and business procedures.

Relevant legal bases

Relevant legal bases under the GDPR: The following is an overview of the legal bases of the GDPR, on the basis of which we process personal data. Please note that, in addition to the provisions of the GDPR, national data protection requirements may apply in your or our country of residence or place of residence. Should more specific legal bases also apply in individual cases, we will inform you of these in the privacy policy.

  • Consent (Article 6 (1) (a) GDPR) — The data subject has given consent to the processing of personal data concerning him or her for a specific purpose or several specific purposes.
  • Contract performance and pre-contractual inquiries (Art. 6 (1) (b) GDPR) — Processing is necessary for the performance of a contract to which the data subject is a party or to carry out pre-contractual measures taken at the request of the data subject.
  • Legal obligation (Art. 6 (1) (c) GDPR) — Processing is necessary to fulfill a legal obligation to which the person responsible is subject.
  • Legitimate interests (Art. 6 (1) (f) GDPR) — processing is necessary to protect the legitimate interests of the controller or of a third party, provided that the interests, fundamental rights and freedoms of the data subject, which require the protection of personal data, do not prevail.
  • Application process as a pre-contractual or contractual relationship (Art. 6 (1) (b) GDPR) — If, as part of the application process, special categories of personal data within the meaning of Article 9 (1) GDPR (e.g. health data, such as status of severely disabled persons or ethnic origin) are requested from applicants so that the person responsible or the data subject can exercise the rights conferred on him or her under employment law and social security and social protection law and fulfill his or her obligations in this regard, their processing is carried out in accordance with Article 9 (2) lit. b. GDPR; in the case of protection of vital interests of applicants or other persons, in accordance with Art. 9 para. 2 lit. c. GDPR; or, for health care or occupational medicine purposes, for the assessment of the employee's ability to work, for medical diagnostics, care or treatment in the health or social sector or for the administration of systems and services in the health or social sector, in accordance with Art. 9 para. 2 lit. h. GDPR. In the case of communication of special categories of data based on voluntary consent, their processing is carried out on the basis of Article 9 (2) lit. a. GDPR.

National data protection regulations in Germany: In addition to the data protection regulations of the GDPR, national regulations on data protection apply in Germany. This includes in particular the Act on Protection against Misuse of Personal Data in Data Processing (Federal Data Protection Act — BDSG). In particular, the BDSG contains special rules on the right to information, the right to deletion, the right of objection, the processing of special categories of personal data, processing for other purposes and transmission and automated decision-making in individual cases, including profiling. In addition, state data protection laws of the individual federal states may apply.

Note on the validity of the GDPR and Swiss DSG: This data protection notice is intended both to provide information in accordance with the Swiss DSG and the General Data Protection Regulation (GDPR). For this reason, please note that the terms of the GDPR are used due to the wider geographical application and comprehensibility. In particular, instead of the terms “processing” of “personal data”, “overriding interest” and “particularly sensitive personal data” used in the Swiss DSG, the terms “processing” of “personal data” as well as “legitimate interest” and “special categories of data” are used. However, within the scope of the Swiss DSG, the legal meaning of the terms continues to be determined in accordance with the Swiss DSG.

Security measures

In accordance with legal requirements, taking into account the state of the art, implementation costs and the nature, scope, circumstances and purposes of processing as well as the different probabilities of occurrence and the extent of the threat to the rights and freedoms of natural persons, we take appropriate technical and organizational measures to ensure a level of protection appropriate to the risk.

The measures include, in particular, ensuring the confidentiality, integrity and availability of data by controlling physical and electronic access to the data as well as the access, input, transfer, availability and separation of data relating to it. We have also set up procedures that ensure the exercise of data subject rights, the deletion of data and responses to the data being compromised. In addition, we take the protection of personal data into account when developing or selecting hardware, software and processes, in accordance with the principle of data protection through technology design and through privacy-friendly default settings.

Securing online connections using TLS/SSL encryption technology (HTTPS): In order to protect user data transmitted via our online services from unauthorised access, we use TLS/SSL encryption technology. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the cornerstones of secure data transmission on the Internet. These technologies encrypt the information that is transferred between the website or app and the user's browser (or between two servers), which protects the data from unauthorized access. TLS, as the more advanced and secure version of SSL, ensures that all data transmissions meet the highest security standards. When a website is secured by an SSL/TLS certificate, this is signaled by the display of HTTPS in the URL. This serves as an indicator for users that their data is transmitted securely and encrypted.

Transfer of personal data

As part of our processing of personal data, it may be transferred to or disclosed to other bodies, companies, legally independent organizational units or persons. Recipients of this data may include, for example, service providers tasked with IT tasks or providers of services and content that are integrated into a website. In such cases, we comply with legal requirements and, in particular, conclude appropriate contracts or agreements with the recipients of your data that serve to protect your data.

Data transfer within the group of companies: We may transfer personal data to other companies within our group of companies or grant them access to this data. If this transfer is for administrative purposes, the transfer of the data is based on our legitimate entrepreneurial and business interests or takes place where it is necessary to fulfill our contract-related obligations or where the consent of the data subject or a legal permission exists.

Data transfer within the organization: We may transfer personal data to other companies within our group of companies or grant them access to it. If the transfer of data is for administrative purposes, it is based on our legitimate entrepreneurial and business interests or takes place if it is necessary to fulfill our contract-related obligations or if the consent of the data subject or a legal permission exists.

International data transfers

Data processing in third countries: If we process data in a third country (i.e. outside the European Union (EU), the European Economic Area (EEA)) or if processing takes place as part of the use of third-party services or the disclosure or transfer of data to other persons, bodies or companies, this is only done in accordance with legal requirements. If the level of data protection in the third country has been recognized by means of an adequacy decision (Art. 45 GDPR), this serves as the basis for data transfer. In addition, data transfers only take place if the level of data protection is otherwise ensured, in particular by standard contractual clauses (Art. 46 para. 2 lit. c) GDPR), express consent or in the case of contractual or legally required transfer (Art. 49 para. 1 GDPR). In addition, we will inform you of the basis for third-country transfers for the individual providers from the third country, with the adequacy decisions taking priority as the basis. Information on transfers to third countries and existing adequacy decisions can be found in the information offered by the EU Commission: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection_en?preflang=en.

EU-US Trans-Atlantic Data Privacy Framework: As part of the so-called “Data Privacy Framework” (DPF), the EU Commission has also recognized the level of data protection as secure for certain companies from the USA as part of the adequacy decision of 10.07.2023. The list of certified companies and further information about the DPF can be found on the website of the US Department of Commerce at https://www.dataprivacyframework.gov/ (in English). As part of the data protection policy, we will inform you which of the service providers we use are certified under the Data Privacy Framework.

General information on data storage and deletion

We delete personal data that we process in accordance with legal provisions as soon as the underlying consent is withdrawn or there is no further legal basis for processing. This applies to cases in which the original purpose of processing no longer applies or the data is no longer required. There are exceptions to this regulation when legal obligations or special interests require the data to be stored or archived for a longer period of time.

In particular, data that must be stored for commercial or tax reasons or whose storage is necessary to prosecute or protect the rights of other natural or legal persons must be archived accordingly.

Our privacy policy contains additional information on the storage and deletion of data that applies specifically to specific processing processes.

If several storage periods or deletion periods are specified for a piece of data, the longest period is always decisive.

If a period does not expressly start on a specific date and is at least one year, it automatically starts at the end of the calendar year in which the event triggering the deadline occurred. In the case of ongoing contractual relationships in which data is stored, the event triggering the deadline is the effective date of the termination or other termination of the legal relationship.

We process data that is no longer stored for the originally intended purpose, but due to legal requirements or other reasons, exclusively for the reasons that justify their storage.

Further information on processing processes, procedures and services:

  • Retention and deletion of data: The following general deadlines apply for storage and archiving under German law:
    • 10 years — Retention period for books and records, annual financial statements, inventories, management reports, opening balance sheet and the work instructions and other organizational documents, accounting documents and invoices required for their understanding (Section 147 para. 3 in conjunction with Paragraph 1 No. 1, 4 and 4a AO, Section 14b Paragraph 1 No. 1 and 4 HGB).
    • 6 years — Other business documents: commercial or business letters received, reproductions of the sent commercial or business letters, other documents insofar as they are relevant for taxation, e.g. hourly pay slips, operating statement sheets, calculation documents, price awards, but also payroll documents, insofar as they are not already accounting documents and cash strips (Section 147 (3) in conjunction with Paragraph 1 No. 2, 3, 5 AO, Section 257 Paragraph 1 No. 2 and 3, Paragraph 4 HGB).
    • 3 years — Data necessary to consider potential warranty and compensation claims or similar contractual claims and rights and to process related inquiries, based on previous business experience and usual industry practices, is stored for the duration of the regular statutory limitation period of three years (§§ 195, 199 BGB).

Rights of data subjects

Rights of data subjects under the GDPR: As a data subject, you are entitled to various rights under the GDPR, which arise in particular from Articles 15 to 21 GDPR:

  • Right of objection: For reasons arising from your particular situation, you have the right to object at any time to the processing of personal data concerning you, which is carried out on the basis of Article 6 (1) (e) or (f) GDPR; this also applies to profiling based on these provisions. If the personal data concerning you is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for the purpose of such marketing; this also applies to profiling, insofar as it is associated with such direct marketing.
  • Right of withdrawal in case of consent: You have the right to withdraw your consent at any time.
  • Right to information: You have the right to request confirmation as to whether the relevant data is being processed and for information about this data as well as further information and a copy of the data in accordance with legal requirements.
  • Right to rectification: In accordance with legal requirements, you have the right to request the completion of the data concerning you or the correction of incorrect data concerning you.
  • Right to delete and restrict processing: In accordance with legal requirements, you have the right to request that data concerning you be deleted immediately or, alternatively, to request that the processing of the data be restricted in accordance with legal requirements.
  • Right to data portability: You have the right to receive data concerning you that you have provided to us in a structured, common and machine-readable format in accordance with legal requirements or to request that it be transmitted to another person responsible.
  • Complaint to supervisory authority: In accordance with legal requirements and without prejudice to any other administrative or judicial remedy, you also have the right to lodge a complaint with a data protection supervisory authority, in particular a supervisory authority in the Member State in which you habitually reside, the supervisory authority of your place of work or the place of the alleged infringement, if you believe that the processing of personal data relating to you is contrary to the GDPR.

Digital collaboration and clients

It is important to us to provide you, as a valued client, with secure and efficient digital collaboration. To do this, we provide you with modern tools and platforms that make it easier to exchange information, documents and data. The following sections provide an overview of the various options and explain how we ensure the security and confidentiality of your data.

  • Types of data processed: Inventory data (e.g. full name, home address, contact information, customer number, etc.); payment data (e.g. bank details, invoices, payment history); contact details (e.g. postal and e-mail addresses or telephone numbers); contract data (e.g. subject matter of contract, duration, customer category); communication data (e-mail traffic, logs of telephone calls, chat history); usage data (login data, usage behavior on the platform, IP addresses); technical data (browser type, operating system, access times, URL of the referring website, log file information).
  • Affected persons: Clients, clients' affiliated persons, business and contract partners.
  • Purposes of processing: Provision of contractual services and performance of contractual obligations; communication; office and organizational procedures; organizational and administrative procedures; business processes and business procedures.
  • Retention and deletion: Deletion in accordance with the “General Information on Data Storage and Deletion” section.
  • Legal bases: Contract performance and pre-contractual inquiries (Art. 6 para. 1 p. 1 lit. b) GDPR); legal obligation (Art. 6 para. 1 p. 1 lit. c) GDPR); legitimate interests (Art. 6 (1) (f) GDPR).

Further information on processing processes, procedures and services:

  • AM-One client portal: Client portal as a basis for digital collaboration; Service provider: AM-One AG, Hinterbergstraße 20, 6312 Steinhausen.

Business services

We process data from our contractual and business partners, e.g. customers and interested parties (collectively referred to as “contractual partners”), within the framework of contractual and comparable legal relationships and related measures and with regard to communication with the contractual partners (or pre-contractual), for example to answer inquiries.

We use this information to fulfill our contractual obligations. This includes in particular the obligations to provide the agreed services, any update obligations and remedies in the event of warranty and other performance problems. In addition, we use the data to protect our rights and for the purpose of administrative tasks associated with these obligations and corporate organization. In addition, we process the data on the basis of our legitimate interests both in proper and business management and in security measures to protect our contractual partners and our business operations from misuse, risk of their data, secrets, information and rights (e.g. to involve telecommunications, transport and other assistance services as well as subcontractors, banks, tax and legal advisors, payment service providers or tax authorities). Within the framework of applicable law, we only pass on the data of contractual partners to third parties to the extent necessary for the above purposes or to fulfill legal obligations. Contractual partners will be informed about other forms of processing, such as for marketing purposes, as part of this privacy policy.

We will inform the contractual partners which data is required for the above purposes before or as part of data collection, e.g. in online forms, through special identification (e.g. colors) or symbols (e.g. asterisks, etc.), or personally.

We delete the data after expiry of legal warranty and comparable obligations, i.e. in principle after four years, unless the data is stored in a customer account, e.g. as long as it must be kept for archiving legal reasons (e.g. for tax purposes, usually ten years). We delete data that has been disclosed to us as part of an order by the contractual partner in accordance with the requirements and generally after the end of the order.

  • Types of data processed: Inventory data (e.g. full name, home address, contact information, customer number, etc.); payment data (e.g. bank details, invoices, payment history); contact details (e.g. postal and e-mail addresses or telephone numbers); contract data (e.g. subject matter of contract, duration, customer category).
  • Affected persons: Service recipients and clients; interested parties; business and contract partners.
  • Purposes of processing: Provision of contractual services and performance of contractual obligations; communication; office and organizational procedures; organizational and administrative procedures; business processes and business procedures.
  • Retention and deletion: Deletion in accordance with the “General Information on Data Storage and Deletion” section.
  • Legal bases: Contract performance and pre-contractual inquiries (Art. 6 para. 1 p. 1 lit. b) GDPR); legal obligation (Art. 6 para. 1 p. 1 lit. c) GDPR); legitimate interests (Art. 6 (1) (f) GDPR).

Further information on processing processes, procedures and services:

  • Brokerage and brokerage services: We process the data of our customers, clients and prospects (uniformly referred to as “customers”) in accordance with the underlying mandate of the customers. We may also process information about the characteristics and circumstances of persons or objects belonging to them, if this is part of the subject of our order. This may include, for example, information on personal circumstances, mobile or immobile property and the financial situation. If required for contract performance or by law or approved by customers or based on our legitimate interests, we disclose or transfer customer data as part of coverage inquiries, transactions and processing of contracts to providers of the brokered services/properties, insurers, reinsurers, brokerage pools, technical service providers and other service providers, such as cooperating associations, financial service providers, credit institutions and investment companies, as well as social security institutions, tax authorities, tax advisors, legal advisors, auditors, insurance ombudsmen and the Federal Financial Supervisory Authority (BaFin). In addition, subject to other agreements, we may engage subcontractors, such as sub-agents; Legal bases: Contract performance and pre-contractual inquiries (Art. 6 (1) (b) GDPR).
  • Financial services: We process our clients' data to enable them to advise, broker and conclude financial transactions and related services. The required information is marked as such in the context of the conclusion of a consulting, brokerage or comparable contract and includes the information required for service provision and billing as well as contact information in order to be able to hold any consultations. Insofar as we obtain access to information from customers or other persons, we process it in accordance with legal and contractual requirements; Legal bases: Contract performance and pre-contractual inquiries (Article 6 (1) (b) GDPR), legal obligation (Article 6 (1) (c) GDPR), legitimate interests (Article 6 (1) (f) GDPR).

Business processes and procedures

Personal data of service recipients and clients — including customers, clients or, in special cases, clients, patients or business partners as well as other third parties — is processed within the framework of contractual and comparable legal relationships and pre-contractual measures such as the initiation of business relationships. This data processing supports and facilitates business processes in areas such as customer management, sales, payments, accounting and project management.

The collected data is used to fulfill contractual obligations and to make operational processes efficient. This includes processing business transactions, managing customer relationships, optimizing sales strategies, and ensuring internal billing and financial processes. In addition, the data supports the protection of the rights of the person responsible and promotes administrative tasks and the organization of the company.

Personal data may be passed on to third parties if this is necessary to fulfill the stated purposes or legal obligations. After expiry of legal retention periods or when the purpose of processing no longer applies, the data will be deleted. This also includes data that must be stored longer due to tax and legal documentation requirements.

  • Types of data processed: Inventory data (e.g. full name, home address, contact information, customer number, etc.); payment data (e.g. bank details, invoices, payment history); contact details (e.g. postal and e-mail addresses or telephone numbers); content data (e.g. textual or pictorial messages and contributions and the information relating to them, such as information on authorship or time of creation); contract data (e.g. contract subject, duration, customer category); protocol data (e.g. log files relating to logins or the retrieval of data, or access times); usage data (e.g. page views and length of stay, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); credit rating data (e.g. credit score received, estimated failure probability, risk rating based on this, historical payment history); meta, communication and process data (e.g. IP addresses, time information, identification numbers, persons involved).
  • Affected persons: Service recipients and clients; interested parties; communication partners; business and contractual partners; third parties; users (e.g. website visitors, users of online services); clients; customers.
  • Purposes of processing: Provision of contractual services and fulfilment of contractual obligations; office and organizational procedures; business processes and business procedures; communication; marketing; sales promotion; assessment of creditworthiness and credit standing; financial and payment management; security measures; information technology infrastructure (operation and provision of information systems and technical devices (computers, servers, etc.)).
  • Retention and deletion: Deletion in accordance with the “General Information on Data Storage and Deletion” section.
  • Legal bases: Contract performance and pre-contractual inquiries (Art. 6 para. 1 p. 1 lit. b) GDPR); legitimate interests (Art. 6 para. 1 p. 1 lit. f) GDPR); legal obligation (Art. 6 (1) (c) GDPR).

Further information on processing processes, procedures and services:

  • Customer Management and Customer Relationship Management (CRM): processes required as part of customer management and customer relationship management (CRM) (e.g. customer acquisition in compliance with data protection requirements, measures to promote customer retention and loyalty, effective customer communication, complaint management and customer service with regard to data protection, data management and analysis to support the customer relationship, administration of CRM systems, secure account management, customer segmentation and audience building); Legal bases: Contract performance and pre-contractual inquiries (Art. 6 para. 1 p. 1 lit. b) GDPR), legitimate interests (Art. 6 para. 1 p. 1 lit. f) GDPR).
  • Client management: Procedures that are required as part of client management include, for example, the acquisition and admission of new clients, the development of strategies to promote client loyalty, and ensuring effective client communication and scheduling appointments. A comprehensive client service is provided. These procedures also include maintaining and managing client records, securely documenting legal processes, and ensuring the confidentiality and integrity of client data. Processes are also defined for the transfer of client information to third parties, such as courts or other legal service providers. Procedures have been implemented for the secure and privacy-compliant deletion of client data as soon as it is no longer required or legal retention periods have expired; Legal bases: Contract performance and pre-contractual inquiries (Article 6 (1) (b) GDPR), legal obligation (Article 6 (1) (c) GDPR), legitimate interests (Article 6 (1) (f) GDPR).
  • Contact management and contact maintenance: procedures required as part of organizing, maintaining, and securing contact information (such as establishing and maintaining a central contact database, regular contact information updates, monitoring data integrity, implementing data protection measures, ensuring access controls, performing backups and restores of contact data, training employees to use contact management software effectively, regularly reviewing communication history, and adjusting contact strategies); Legal bases: Contract performance and pre-contractual inquiries (Art. 6 para. 1 p. 1 lit. b) GDPR), legitimate interests (Art. 6 para. 1 p. 1 lit. f) GDPR).
  • General payment transactions: procedures necessary for carrying out payment transactions, monitoring bank accounts and controlling cash flows (e.g. preparation and verification of transfers, processing direct debits, checking account statements, monitoring incoming and outgoing payments, chargeback management, account reconciliation, cash management); Legal bases: Contract performance and pre-contractual inquiries (Art. 6 para. 1 p. 1 lit. b) GDPR), legitimate interests (Art. 6 para. 1 p. 1 lit. f) GDPR).
  • Bookkeeping, Accounts Payable, Accounts Receivable: procedures required for recording, processing and controlling transactions in the area of accounts payable and receivable accounting (e.g. preparation and verification of incoming and outgoing invoices, monitoring and administration of outstanding items, carrying out payment transactions, processing dunning, account reconciliation in the context of receivables and liabilities, accounts payable and accounts receivable); Legal bases: Contract performance and pre-contractual inquiries (Article 6 (1) (b) GDPR), legal obligation (Article 6 (1) (c) GDPR), legitimate interests (Article 6 (1) (f) GDPR).
  • Financial accounting and taxes: procedures required for recording, managing and monitoring financially-relevant business transactions and for calculating, reporting and payment of taxes (e.g. account assignment and accounting of business transactions, preparation of quarterly and annual financial statements, execution of payment transactions, processing of dunning, account reconciliation, tax advice, preparation and submission of tax returns, handling tax matters); Legal bases: Contract performance and pre-contractual inquiries (Article 6 (1) (b) GDPR), legal obligation (Article 6 (1) (c) GDPR), legitimate interests (Article 6 (1) (f) GDPR).
  • Marketing, advertising and sales promotion: processes required in the context of marketing, advertising and sales promotion (e.g. market analysis and target group determination, development of marketing strategies, planning and execution of advertising campaigns, design and production of promotional materials, online marketing including SEO and social media campaigns, event marketing and trade fair participation, customer loyalty programs, sales promotion measures, performance measurement and optimization of marketing activities, budget management and cost control); Legal bases: Legitimate interests (Art. 6 (1) (f) GDPR).
  • Guest WiFi: procedures required to set up, operate, maintain, and monitor a wireless network for guests (such as installing and configuring wireless access points, creating and managing guest accounts, monitoring network connectivity, ensuring network security, troubleshooting connectivity issues, updating network software, complying with data protection regulations); Legal bases: Contract performance and pre-contractual inquiries (Article 6 (1) (b) GDPR), legal obligation (Article 6 (1) (c) GDPR), legitimate interests (Article 6 (1) (f) GDPR).

Vendors and services used in the course of business

As part of our business activities, we use additional services, platforms, interfaces or plug-ins from third-party providers (“services” for short) in compliance with legal requirements. Their use is based on our interests in the proper, lawful and economic management of our business operations and internal organization.

  • Types of data processed: Inventory data (e.g. full name, home address, contact information, customer number, etc.); payment data (e.g. bank details, invoices, payment history); contact details (e.g. postal and e-mail addresses or telephone numbers); content data (e.g. textual or pictorial messages and contributions and information relating to them, such as information about authorship or time of creation). Contract data (e.g. subject matter of contract, duration, customer category).
  • Affected persons: Service recipients and clients; interested parties. Business and contract partners.
  • Purposes of processing: Provision of contractual services and fulfilment of contractual obligations; office and organizational procedures. Business processes and business procedures.
  • Retention and deletion: Deletion in accordance with the “General Information on Data Storage and Deletion” section.
  • Legal bases: Legitimate interests (Art. 6 (1) (f) GDPR).

Further information on processing processes, procedures and services:

  • InSign: Electronic signature of documents, sending documents for signature, tracking the status of documents, storing signed documents; Service provider: inSign GmbH, Am Bäckeranger 2, 85417 Marzling, Germany; Legal bases: legitimate interests (Art. 6 (1) (f) GDPR); Site: https://www.getinsign.de/. Privacy statement: https://www.getinsign.de/datenschutz/.

Provision of online services and web hosting

We process user data in order to be able to provide them with our online services. For this purpose, we process the user's IP address, which is necessary to transfer the content and functions of our online services to the user's browser or device.

  • Types of data processed: Usage data (e.g. page views and length of stay, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); meta, communication and process data (e.g. IP addresses, time information, identification numbers, people involved). Log data (e.g. log files relating to logins or the retrieval of data or access times).
  • Affected persons: users (e.g. website visitors, users of online services).
  • Purposes of processing: Provision of our online offering and user-friendliness; information technology infrastructure (operation and provision of information systems and technical devices (computers, servers, etc.)); security measures. Provision of contractual services and fulfilment of contractual obligations.
  • Retention and deletion: Deletion in accordance with the “General Information on Data Storage and Deletion” section.
  • Legal bases: Legitimate interests (Art. 6 (1) (f) GDPR).

Further information on processing processes, procedures and services:

  • Provision of online services on rented storage space: To provide our online service, we use storage space, computing capacity and software, which we rent or otherwise obtain from an appropriate server provider (also known as a “web host”); Legal bases: Legitimate interests (Art. 6 (1) (f) GDPR).
  • Collection of access data and log files: Access to our online offering is logged in the form of so-called “server log files”. The server log files may include the address and name of the retrieved websites and files, date and time of retrieval, amount of data transferred, notification of successful retrieval, browser type and version, the user's operating system, referrer URL (the previously visited page) and, as a rule, IP addresses and the requesting provider. The server log files can be used, on the one hand, for security purposes, e.g. to avoid overloading the servers (especially in the case of abusive attacks, so-called DDoS attacks), and on the other hand to ensure the workload of the servers and their stability; Legal bases: Legitimate interests (Art. 6 (1) (f) GDPR). Deletion of data: Log file information is stored for a maximum of 30 days and then deleted or anonymized. Data whose further storage is necessary for evidentiary purposes is excluded from deletion until the respective incident has been finally clarified.
  • 1&1 IONOS: services in the area of providing information technology infrastructure and related services (e.g. storage and/or computing capacity); Service provider: 1&1 IONOS SE, Elgendorfer Strasse 57, 56410 Montabaur, Germany; Legal bases: legitimate interests (Art. 6 (1) (f) GDPR); Site: https://www.ionos.de; Privacy statement: https://www.ionos.de/terms-gtc/terms-privacy. Order processing contract: https://www.ionos.de/hilfe/datenschutz/allgemeine-informationen-zur-datenschutz-grundverordnung-dsgvo/auftragsverarbeitung/.

Use of cookies

Cookies are small text files or other storage entries that store information on end devices and read information from them, for example to save the login status in a user account, the shopping cart content in an e-shop, the content accessed or the functions used in an online offer. Cookies can also be used to address various concerns, such as the functionality, security and convenience of online offerings and to analyse visitor flows.

Information on consent: We use cookies in accordance with legal regulations. We therefore obtain prior consent from users, unless this is not required by law. In particular, permission is not required if the storage and reading of information, including cookies, is absolutely necessary to provide users with a telemedia service (i.e. our online offering) they have expressly requested. The revocable consent is clearly communicated to them and contains information on the respective use of cookies. You can find further details in our cookie policy.

Information on legal bases of data protection law: The data protection basis on which we process users' personal data using cookies depends on whether we ask them for consent. If users accept, the legal basis for using their data is their given consent. Otherwise, the data processed using cookies will be processed on the basis of our legitimate interests (e.g. in operating our online offering and improving its usability) or, if this is done as part of fulfilling our contractual obligations, if the use of cookies is necessary to meet our contractual obligations. We will explain the purposes for which we use cookies in the course of this privacy policy or as part of our consent and processing processes.

Storage period: With regard to storage time, the following types of cookies are differentiated:

  • Temporary cookies (also: session cookies): Temporary cookies are deleted at the latest after a user has left an online offer and closed their end device (e.g. browser or mobile application).
  • Persistent cookies: Persistent cookies remain stored even after the end device is closed. For example, the login status can be saved and preferred content displayed directly when the user visits a website again. User data collected using cookies can also be used to measure reach. Unless we provide users with explicit information about the type and storage period of cookies (e.g. when obtaining consent), they should assume that the cookies are persistent and that the storage period can be up to two years.

General information on withdrawal and objection (opt-out): Users can withdraw their consent at any time and also declare an objection to processing in accordance with legal requirements, including using the privacy settings of their browser.

  • Types of data processed: Meta, communication and process data (e.g. IP addresses, time information, identification numbers, persons involved).
  • Affected persons: users (e.g. website visitors, users of online services).
  • Legal bases: Legitimate interests (Art. 6 (1) (f) GDPR). Consent (Art. 6 (1) (a) GDPR).

Further information on processing processes, procedures and services:

  • Processing of cookie data based on consent: We use a consent management solution that obtains users' consent to the use of cookies or to the procedures and providers mentioned as part of the consent management solution. This procedure is used to obtain, log, manage and withdraw consent, in particular with regard to the use of cookies and comparable technologies, which are used to store, read and process information on users' devices. As part of this procedure, users' consent is obtained for the use of cookies and the associated processing of information, including the specific processing and providers mentioned in the consent management process. Users also have the option to manage and withdraw their consent. The declarations of consent are stored in order to avoid a new request and to be able to provide proof of consent in accordance with legal requirements. The data is stored on the server side and/or in a cookie (so-called opt-in cookie) or using comparable technologies in order to be able to assign consent to a specific user or their device. If there is no specific information about the providers of consent management services, the following general information applies: The period of storage of consent is up to two years. This creates a pseudonymous user identifier, which is stored together with the time of consent, information on the scope of consent (e.g. relevant categories of cookies and/or service providers) and information about the browser, the system and the device used; Legal bases: Consent (Art. 6 (1) (a) GDPR).

Contact and request management

When contacting us (e.g. by post, contact form, e-mail, telephone or via social media) and within the framework of existing user and business relationships, the information provided by the inquiring persons is processed insofar as this is necessary to answer the contact requests and any requested measures.

  • Types of data processed: Inventory data (e.g. full name, home address, contact information, customer number, etc.); contact data (e.g. postal and e-mail addresses or telephone numbers); content data (e.g. textual or visual messages and contributions and information relating to them, such as information on authorship or time of creation); usage data (e.g. page views and length of stay, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and features). Meta, communication and process data (e.g. IP addresses, time information, identification numbers, persons involved).
  • Affected persons: Communication partner; service recipient and client; interested parties. Business and contract partners.
  • Purposes of processing: Communication; organizational and administrative procedures; feedback (e.g. collecting feedback via online form); provision of our online offering and usability. Office and organizational procedures.
  • Retention and deletion: Deletion in accordance with the “General Information on Data Storage and Deletion” section.
  • Legal bases: Legitimate interests (Art. 6 (1) (f) GDPR). Contract performance and pre-contractual inquiries (Art. 6 (1) (b) GDPR).

Video conferences, online meetings, webinars, and screen sharing

We use platforms and applications from other providers (hereinafter referred to as “conference platforms”) for the purpose of conducting video and audio conferences, webinars and other types of video and audio meetings (collectively referred to as “conference”). When selecting conference platforms and their services, we comply with legal requirements.

Data processed through conference platforms: As part of participating in a conference, the conference platforms process the personal data of the participants mentioned below. The extent of processing depends, on the one hand, on which data is required as part of a specific conference (e.g. provision of login details or real names) and, on the other hand, on which optional information is provided by the participants. In addition to processing to carry out the conference, the participants' data can also be processed by the conference platforms for security purposes or service optimization. The processed data includes personal data (first name, last name), contact information (e-mail address, telephone number), access data (access codes or passwords), profile pictures, professional position/function information, the IP address of Internet access, information about the participants' terminal devices, their operating system, the browser and its technical and language settings, information about the content of communication processes, i.e. inputs in chats and audio and video data, as well as the use of other available features (such as surveys). The content of communications is encrypted to the extent technically provided by the conference providers. If the participants are registered as users on the conference platforms, then further data can be processed in accordance with the agreement with the respective conference provider.

Logging and recording: If text entries, participation results (e.g. from surveys) and video or audio recordings are logged, this is transparently notified to the participants in advance and they are asked — if necessary — for consent.

Participants' data protection measures: Please note the details of the processing of your data by the conference platforms in their privacy policies and, as part of the settings for the conference platforms, choose the optimal security and data protection settings for you. Please also ensure data and privacy protection in the background of your recording for the duration of a video conference (e.g. by notifying roommates, locking doors and using, as far as technically possible, the function to obscure the background). Links to the conference rooms and access data must not be passed on to unauthorized third parties.

Information on legal bases: If, in addition to the conference platforms, we also process users' data and ask users for their consent to the use of the conference platforms or certain functions (e.g. consent to recording conferences), the legal basis for processing is this consent. Furthermore, our processing may be necessary to fulfill our contractual obligations (e.g. in lists of participants, in the case of processing of conversation results, etc.). In addition, user data is processed on the basis of our legitimate interests in efficient and secure communication with our communication partners.

  • Types of data processed: Inventory data (e.g. full name, home address, contact information, customer number, etc.); contact data (e.g. postal and e-mail addresses or telephone numbers); content data (e.g. textual or visual messages and contributions and information relating to them, such as information on authorship or time of creation); usage data (e.g. page views and length of stay, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); image and/or video recordings (e.g. photographs or video recordings of a person); sound recordings. Log data (e.g. log files relating to logins or the retrieval of data or access times).
  • Affected persons: Communication partner; users (e.g. website visitors, users of online services). People pictured.
  • Purposes of processing: Provision of contractual services and fulfilment of contractual obligations; communication. Office and organizational procedures.
  • Retention and deletion: Deletion in accordance with the “General Information on Data Storage and Deletion” section.
  • Legal bases: Legitimate interests (Art. 6 (1) (f) GDPR).

Cloud services

We use software services accessible via the Internet and run on their providers' servers (so-called “cloud services”, also known as “software as a service”) to store and manage content (such as document storage and management, exchange of documents, content and information with specific recipients, or publication of content and information).

Within this framework, personal data may be processed and stored on the providers' servers, insofar as this is part of communication processes with us or is otherwise processed by us as set out in this privacy policy. This data may include, in particular, master data and contact details of users, data on processes, contracts, other processes and their content. Cloud service providers also process usage data and metadata, which are used by them for security purposes and service optimization.

If we use cloud services to provide forms or documents and content to other users or publicly accessible websites, the providers can store cookies on users' devices for web analysis purposes or to remember user settings (e.g. in the case of media control).

  • Types of data processed: Inventory data (e.g. full name, home address, contact information, customer number, etc.); contact data (e.g. postal and e-mail addresses or telephone numbers); content data (e.g. textual or visual messages and contributions and information relating to them, such as information on authorship or time of creation). Usage data (e.g. page views and time spent, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and features).
  • Affected persons: Interested parties; communication partners. Business and contract partners.
  • Purposes of processing: Office and organizational procedures. Information technology infrastructure (operation and provision of information systems and technical devices (computers, servers, etc.)).
  • Retention and deletion: Deletion in accordance with the “General Information on Data Storage and Deletion” section.
  • Legal bases: Legitimate interests (Art. 6 (1) (f) GDPR).

Newsletters and electronic notifications

We send newsletters, emails and other electronic notifications (hereinafter “newsletters”) exclusively with the consent of the recipients or on a legal basis. If the content of the newsletter is mentioned as part of a subscription to the newsletter, this content is decisive for the consent of the users. To subscribe to our newsletter, it is usually sufficient to provide your e-mail address. However, in order to be able to offer you a personalized service, we may ask you to provide your name so that we can personally address you in the newsletter or for further information if this is necessary for the purpose of the newsletter.

Deletion and restriction of processing: We can store the unsubscribed email addresses for up to three years on the basis of our legitimate interests before we delete them in order to be able to prove a previously given consent. The processing of this data is limited to the purpose of potentially defending against claims. An individual request for deletion is possible at any time, provided that the former existence of consent is confirmed at the same time. In the event of obligations to permanently comply with objections, we reserve the right to store the email address in a blocked list (so-called “block list”) for this purpose alone.

The registration process is logged on the basis of our legitimate interests for the purpose of proving that it has been completed correctly. Insofar as we commission a service provider to send emails, this is done on the basis of our legitimate interests in an efficient and secure delivery system.

Content:

Information about us, our services, promotions and offers.

  • Types of data processed: Inventory data (e.g. full name, home address, contact information, customer number, etc.); contact data (e.g. postal and e-mail addresses or telephone numbers). Meta, communication and process data (e.g. IP addresses, time information, identification numbers, persons involved).
  • Affected persons: communication partner.
  • Purposes of processing: Direct marketing (e.g. via email or post).
  • Retention and deletion: 3 years — Contractual claims (AT) (data required to consider potential warranty and compensation claims or similar contractual claims and rights and to process related inquiries based on previous business experience and usual industry practices is stored for the duration of the regular legal limitation period of three years (Sections 1478, 1480 ABGB)). 10 years — Contractual claims (CH) (data that is necessary to consider potential compensation claims or similar contractual claims and rights, as well as for the processing of related inquiries, based on previous business experience and standard industry practices, is stored for the period of the statutory limitation period of ten years, unless a shorter period of 5 years is decisive, which is relevant in certain cases (Art. 127, 130 OR)).
  • Legal bases: Consent (Art. 6 (1) (a) GDPR).
  • Objection option (opt-out): You can unsubscribe from our newsletter at any time, i.e. withdraw your consent, or object to further receipt. You will either find a link to cancel the newsletter at the end of each newsletter or you can otherwise use one of the contact options listed above, preferably e-mail.

Promotional communication via e-mail, post, fax or telephone

We process personal data for the purposes of promotional communication, which can be carried out via various channels, such as e-mail, telephone, post or fax, in accordance with legal requirements.

Recipients have the right to withdraw their consent at any time or to object to promotional communication at any time.

After revocation or objection, we will store the data required to prove previous authorization to contact or send you information for up to three years after the end of the year of revocation or objection on the basis of our legitimate interests. The processing of this data is limited to the purpose of possible defense against claims. On the basis of the legitimate interest in permanently observing the user's revocation or objection, we also store the data required to avoid being contacted again (e.g. email address, telephone number, name, depending on the communication channel).

  • Types of data processed: Inventory data (e.g. full name, home address, contact information, customer number, etc.); contact data (e.g. postal and e-mail addresses or telephone numbers). Content data (such as textual or pictorial messages and contributions and information relating to them, such as information on authorship or when they were created).
  • Affected persons: communication partner.
  • Purposes of processing: Direct marketing (e.g. via email or post); marketing. Sales promotion.
  • Retention and deletion: Deletion in accordance with the “General Information on Data Storage and Deletion” section.
  • Legal bases: Consent (Art. 6 (1) (a) GDPR). Legitimate interests (Art. 6 (1) (f) GDPR).

Web analysis, monitoring and optimization

Web analysis (also known as “reach measurement”) is used to evaluate the flow of visitors to our online offering and may include behavior, interests or demographic information about visitors, such as age or gender, as pseudonymous values. With the help of reach analysis, we can, for example, identify at what time our online offering or its functions or content are used most frequently, or which of them invite repeat use. It is also possible for us to understand which areas require optimization.

In addition to web analysis, we can also use test methods to test and optimize different versions of our online offering or its components, for example.

Unless otherwise stated below, profiles, i.e. data summarized for a usage process, can be created for these purposes and information stored in a browser or in a terminal device and then read out. The information collected includes in particular websites visited and elements used there as well as technical information, such as the browser used, the computer system used and information on usage times. If users have agreed to the collection of their location data with us or with the providers of the services we use, it is also possible to process location data.

In addition, the IP addresses of users are stored. However, we use an IP masking process (i.e. pseudonymization by shortening the IP address) to protect users. In general, as part of web analysis, A/B testing and optimization, no plain user data (such as email addresses or names) is stored, only pseudonyms. This means that we as well as the providers of the software used do not know the actual identity of the users, but only the information stored in their profiles for the purpose of the respective processes.

Information on legal bases: If we ask users for their consent to use third-party providers, the legal basis for data processing is consent. Otherwise, user data is processed on the basis of our legitimate interests (i.e. interest in efficient, economic and recipient-friendly services). In this context, we would also like to draw your attention to the information on the use of cookies in this privacy policy.

  • Types of data processed: Usage data (such as page views and time spent, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and features). Meta, communication and process data (e.g. IP addresses, time information, identification numbers, persons involved).
  • Affected persons: users (e.g. website visitors, users of online services).
  • Purposes of processing: Reach measurement (e.g. access statistics, recognition of returning visitors). Profiles with user-related information (creating user profiles).
  • Retention and deletion: Deletion in accordance with the “General Information on Data Storage and Deletion” section. Storage of cookies of up to 2 years (Unless otherwise stated, cookies and similar storage methods can be stored on users' devices for a period of two years).
  • Safety measures: IP masking (pseudonymization of the IP address).
  • Legal bases: Consent (Art. 6 (1) (a) GDPR). Legitimate interests (Art. 6 (1) (f) GDPR).

Presences on social networks (social media)

We maintain online presences within social networks and process user data within this framework in order to communicate with users active there or to offer information about us.

We would like to point out that user data may be processed outside the European Union. This can result in risks for users because, for example, it could make it more difficult to enforce user rights.

Furthermore, user data within social networks is usually processed for market research and advertising purposes. For example, user profiles can be created based on user behavior and the resulting interests of users. The latter may in turn be used, for example, to place advertisements within and outside the networks that presumably match the interests of users. Therefore, cookies are usually stored on users' computers, in which the usage behavior and interests of the users are stored. In addition, data can also be stored in the user profiles regardless of the devices used by the users (in particular if they are members of the respective platforms and logged in there).

For a detailed description of the respective forms of processing and the options for objection (opt-out), we refer to the data protection declarations and information provided by the operators of the respective networks.

Even in the case of requests for information and the assertion of data subject rights, we would like to point out that these can be asserted most effectively with the providers. Only the latter have access to user data and can directly take appropriate measures and provide information. Should you still need help, you can contact us.

  • Types of data processed: Contact data (e.g. postal and e-mail addresses or telephone numbers); content data (e.g. textual or pictorial messages and contributions and information relating to them, such as information on authorship or time of creation). Usage data (e.g. page views and time spent, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and features).
  • Affected persons: users (e.g. website visitors, users of online services).
  • Purposes of processing: Communication; feedback (e.g. collecting feedback via online form). Public relations.
  • Retention and deletion: Deletion in accordance with the “General Information on Data Storage and Deletion” section.
  • Legal bases: Legitimate interests (Art. 6 (1) (f) GDPR).

Further information on processing processes, procedures and services:

  • LinkedIn: Social network — Together with LinkedIn Ireland Unlimited Company, we are responsible for collecting (but not further processing) visitor data that is created for the purpose of creating the “page insights” (statistics) of our LinkedIn profiles.
    This data includes information about the types of content that users view or interact with or the actions they take, as well as information about the devices used by users (such as IP addresses, operating system, browser type, language preferences, cookie data) and information from the users' profile, such as job function, country, industry, hierarchical level, company size, and employment status. Data protection information on the processing of user data by LinkedIn can be found in LinkedIn's privacy policy: https://www.linkedin.com/legal/privacy-policy
    We have signed a special agreement with LinkedIn Ireland (“Page Insights Joint Controller Addendum (the 'Addendum')” https://legal.linkedin.com/pages-joint-controller-addendum), which in particular regulates which security measures LinkedIn must comply with and in which LinkedIn has agreed to fulfill the rights of data subjects (i.e. users can, for example, send information or deletion requests directly to LinkedIn). Users' rights (in particular to information, deletion, objection and complaint with the competent supervisory authority) are not restricted by the agreements with LinkedIn. Joint responsibility is limited to the collection of data by and transmission to Ireland Unlimited Company, a company based in the EU. The further processing of the data is the sole responsibility of Ireland Unlimited Company, in particular the transmission of the data to the parent company LinkedIn Corporation in the USA; Service provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland; Legal bases: legitimate interests (Art. 6 (1) (f) GDPR); Site: https://www.linkedin.com; Privacy statement: https://www.linkedin.com/legal/privacy-policy; Basis for transfers to third countries: Data Privacy Framework (DPF). Objection option (opt-out): https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.
  • Xing: social network; Service provider: New Work SE, Am Strandkai 1, 20457 Hamburg, Germany; Legal bases: legitimate interests (Art. 6 (1) (f) GDPR); Site: https://www.xing.com/. Privacy statement: https://privacy.xing.com/de/datenschutzerklaerung.

Plug-ins and embedded features and content

We integrate functional and content elements into our online offering, which are obtained from the servers of their respective providers (hereinafter referred to as “third-party providers”). These may include, for example, graphics, videos or city maps (hereinafter uniformly referred to as “content”).

Integration always requires that the third-party providers of this content process the users' IP addresses, as they could not send the content to their browsers without an IP address. The IP address is therefore required to display this content or functions. We make every effort to use only content whose respective providers only use the IP address to deliver the content. Third parties can also use so-called pixel tags (invisible graphics, also known as “web beacons”) for statistical or marketing purposes. The “pixel tags” can be used to evaluate information, such as visitor traffic on the pages of this website. The pseudonymous information can also be stored in cookies on the user's device and include technical information about the browser and operating system, referring websites, time of visit and other information about the use of our online offering, but can also be linked to such information from other sources.

Information on legal bases: If we ask users for their consent to use third-party providers, the legal basis for data processing is consent. Otherwise, user data is processed on the basis of our legitimate interests (i.e. interest in efficient, economic and recipient-friendly services). In this context, we would also like to draw your attention to the information on the use of cookies in this privacy policy.

  • Types of data processed: Usage data (e.g. page views and length of stay, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); meta, communication and process data (e.g. IP addresses, time information, identification numbers, involved persons); inventory data (e.g. full name, home address, contact information, customer number, etc.); contact data (e.g. postal and e-mail addresses or telephone numbers). Content data (such as textual or pictorial messages and contributions and information relating to them, such as information on authorship or when they were created).
  • Affected persons: users (e.g. website visitors, users of online services).
  • Purposes of processing: Provision of our online offering and user-friendliness. Profiles with user-related information (creating user profiles).
  • Retention and deletion: Deletion in accordance with the “General Information on Data Storage and Deletion” section. Storage of cookies of up to 2 years (Unless otherwise stated, cookies and similar storage methods can be stored on users' devices for a period of two years).
  • Legal bases: Consent (Art. 6 (1) (a) GDPR). Legitimate interests (Art. 6 (1) (f) GDPR).

Further information on processing processes, procedures and services:

Application process

The application process requires that applicants provide us with the data necessary for their assessment and selection. What information is required is derived from the job description or, in the case of online forms, from the information provided there.

In principle, the required information includes personal information, such as the name, address, a contact option and evidence of the qualifications required for a position. On request, we are also happy to inform you which information is required.

If available, applicants are welcome to submit their applications via our online form, which is encrypted using the latest technology. Alternatively, it is also possible to send us applications by e-mail. However, we would like to point out that emails on the Internet are generally not sent in encrypted form. Although emails are usually encrypted during transport, this is not done on the servers from which they are sent and received. Therefore, we cannot assume any responsibility for the security of the application as it is transmitted between the sender and our server.

For purposes of searching for applicants, submitting applications and selecting applicants, we may use applicant management or recruitment software and platforms and services from third-party providers in compliance with legal requirements.

Applicants are welcome to contact us about how to submit their application or send us the application by post.

Processing of special categories of data: If, as part of the application process, special categories of personal data (Article 9 (1) GDPR, e.g. health data, such as status of severely disabled persons or ethnic origin) are requested from or provided by applicants, they are processed so that the person responsible or the data subject can exercise the rights arising from employment law and social security and social protection law and fulfill his or her obligations in this regard, in the event of protection of vital interests of applicants or other persons or for health care or occupational medicine purposes, for the assessment of the employee's ability to work, for medical diagnostics, for care or treatment in the health or social sector, or for the administration of systems and services in the health or social sector.

Deletion of data: In the event of a successful application, the data provided by applicants may be further processed by us for the purposes of the employment relationship. Otherwise, if the application for a job offer is not successful, the applicants' data will be deleted. Applicants' data will also be deleted if an application is withdrawn, which applicants are entitled to do at any time. Subject to justified withdrawal by applicants, the deletion will take place no later than after the expiry of a period of six months so that we can answer any follow-up questions about the application and comply with our obligations to provide evidence under the rules on equal treatment of applicants. Invoices for any reimbursement of travel expenses are archived in accordance with tax requirements.

Inclusion in a pool of applicants: Admission to a pool of applicants, if offered, is based on consent. Applicants are informed that their consent to join the talent pool is voluntary, has no influence on the ongoing application process and that they can withdraw their consent at any time in the future.

  • Types of data processed: Inventory data (e.g. full name, home address, contact information, customer number, etc.); contact data (e.g. postal and e-mail addresses or telephone numbers); content data (e.g. textual or visual messages and contributions and information relating to them, such as information on authorship or time of creation). Applicant data (e.g. personal details, postal and contact addresses, the documents associated with the application and the information contained therein, such as a cover letter, curriculum vitae, certificates and other information provided voluntarily by applicants about their person or qualification in relation to a specific position or qualifications).
  • Affected persons: Applicants.
  • Purposes of processing: Application process (establishment and possible subsequent implementation as well as possible subsequent termination of the employment relationship).
  • Retention and deletion: Deletion in accordance with the “General Information on Data Storage and Deletion” section.
  • Legal bases: Application process as a pre-contractual or contractual relationship (Art. 6 (1) (b) GDPR).

Data protection information for whistleblowers

In this section, you will find information about how we handle data from individuals who provide information (whistleblowers) and from affected and involved parties as part of our whistleblower process. Our goal is to provide an easy and secure way to report potential misconduct by us, our employees or service providers, in particular for acts that violate laws or ethical guidelines. We also ensure appropriate processing and handling of the information.

Legal basis (Germany): Insofar as we process data to fulfill our legal obligations in accordance with the Whistleblower Protection Act (HinSchG), the legal basis for processing is Article 6 (1) (c) GDPR and, in the case of special categories of personal data, Article 9 (2) (g) GDPR, Section 22 BDSG, in each case in conjunction with Section 10 HinSchG. This includes the obligation to set up and operate an internal whistleblower reporting office, to fulfill its legal duties and, in the case of using the data collected in the reporting process, to take further investigations or action under employment law against persons who have been convicted of an infringement.

Insofar as we process data (in particular in the event of identified misconduct) as part of or in preparation for legal defense, this is done on the basis of our legitimate interests in legally compliant and ethical action in accordance with Article 6 (1) (f) GDPR.

Insofar as you have given us consent to process personal data for specific purposes, the processing is based on Article 6 (1) (a) GDPR and, in the case of special categories of personal data, Article 9 (2) (a) GDPR. An example of this would be disclosing the identity of the whistleblower or making a transcript during a personal meeting. Any consent given can be withdrawn at any time with effect for the future.

Types of data processed:

As part of the receipt and processing of reports and in the subsequent whistleblower procedure, we may collect various data. These include in particular the data provided by a whistleblower, such as:

  • the name, contact details and whereabouts of the person giving the report,
  • names and data on potential witnesses or persons affected by the report,
  • names and data of the persons against whom the notice is directed,
  • data about the alleged misconduct,
  • other relevant details, if provided by the whistleblower.

For the purposes of the investigation and further proceedings, we also process the following personal data:

  • unique identification of the message,
  • contact details of the reporting person, if provided,
  • personal data of persons named in the notice, if provided,
  • personal data of persons who are indirectly affected by the factual review, if applicable,
  • personal data of persons from other participating companies (e.g. as part of legal advice), if relevant,
  • other data that is related to the facts.

Special categories of personal data:

We may collect special types of personal data as part of our activities, in particular when provided by a whistleblower. This includes:

  • health-related data relating to an individual,
  • data on the racial or ethnic origin of people,
  • information about a person's religious or philosophical beliefs,
  • information about a person's sexual orientation.

This data is only processed if it is relevant to the processing of the respective report and has been expressly provided by the whistleblower.

Use of our online forms: Please note that it is possible to submit information anonymously. To ensure the security of your data when using our online forms, we recommend that you access them in the so-called “incognito mode” of your browser. This is how you can open an incognito window: a) On a Windows PC: Open your browser and press Ctrl+Shift+N; b) On a Mac: Open your browser and press Command+Shift+N; c) On mobile devices: Switch to private mode via the tab menu.

When you visit our website in normal mode, your browser automatically sends certain information to our server, such as browser type and version, the date and time of your access. This also includes the IP address of your device. This data is temporarily stored in a log file and automatically deleted after 30 days at the latest.

The processing of the IP address is used for technical and administrative purposes of establishing a connection to our website. It ensures the security, stability and functionality of the whistleblower form and is an important part of our measures to ensure confidential reporting.

The processing of logged data is based on Article 6 (1) sentence 1 (f) GDPR. Our legitimate interest lies in the need for security and the need to ensure the technical requirements for a smooth and trouble-free submission of information.

Provide names: You have the option to submit information anonymously. However, unless prohibited by national legislation, we recommend that you provide your name and contact details. This enables us to respond to the report more effectively and, if necessary, to contact you directly.

If you provide your name and contact details, your identity will be kept strictly confidential. Exceptions to this confidentiality only exist if we are required by law to disclose your identity. This may be necessary to protect or defend our rights or the rights of our employees, customers, suppliers or business partners. Another exception is when it is found that the allegations were made with malicious intent.

Provision of data to third parties: Data related to the information provided will only be passed on by us to third parties under certain circumstances. This happens either a) when you have given us your express consent to do so, or b) when there is a legal obligation to share the data. Potential third parties include public authorities, government, regulatory, or tax authorities if the transfer is necessary to comply with a legal or regulatory obligation. We may also hire lawyers and other specialist advisors within the scope of legal requirements. They are entitled to investigate suspected misconduct and take necessary action following an investigation, such as initiating disciplinary or legal proceedings. In addition, carefully selected and monitored service providers may receive data from us for these purposes (such as operators of a web-based reporting system). However, as part of order data processing, these service providers are contractually obliged to comply with the applicable data protection regulations.

Data storage and deletion: Personal data is only processed for as long as is necessary to fulfill the processing purposes described above. If this data is no longer necessary for the stated purposes, it will be deleted. However, in certain situations, the data may be kept longer to comply with legal requirements, as long as this is necessary and proportionate. In such cases, the data will be deleted as soon as it is no longer required for these purposes.

Technical and organizational measures: We have implemented the necessary contractual, technical and organizational measures to ensure the security of all data we process. This data is processed exclusively for the specified purposes. The incoming information is processed by authorized persons who receive access to the respective information and carry out the subsequent review of the facts. Our employees are specially trained to properly carry out the factual checks and are committed to maintaining strict confidentiality.

  • Types of data processed: Inventory data (e.g. full name, home address, contact information, customer number, etc.); employment data (information about employees and other persons in an employment relationship); contact details (e.g. postal and e-mail addresses or telephone numbers); content data (e.g. textual or pictorial messages and contributions and information relating to them, such as information about authorship or time of creation). Usage data (such as page views and time spent, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and features).
  • Affected persons: Employees (e.g. employees, applicants, temporary workers and other employees); third parties. Whistleblowers.
  • Purposes of processing: Whistleblower protection.
  • Retention and deletion: Deletion in accordance with the “General Information on Data Storage and Deletion” section.
  • Legal bases: Consent (Art. 6 (1) sentence 1 (a) GDPR); legal obligation (Art. 6 (1) sentence 1 (c) GDPR). Legitimate interests (Art. 6 (1) (f) GDPR).

Amendment and update

We ask you to regularly check the content of our privacy policy. We will adjust the privacy policy as soon as changes to the data processing carried out by us make this necessary. We will inform you as soon as the changes require your cooperation (e.g. consent) or other individual notification.

Where we provide addresses and contact information of companies and organizations in this privacy policy, please note that the addresses may change over time, and check the information before making contact.