The intent of this Data Privacy Statement is to clarify the processing of personal data (hereinafter referred to as 'data') regarding the scope, purpose and types of such processing within our online offerings and the related web pages, functionality and content as well as external online presences such as our social media profiles (hereinafter referred to as 'online offerings'). Other sections contain information on the types, scope and purpose of the processing of personal data of customers, prospective buyers, business partners, visitors, job applicants and other third parties. Regarding the expressions used in this document, such as 'Processing' or 'Controller', please refer to the definitions in Article 4 of the General Data Protection Regulation (GDPR).
'Controller' means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
'Personal Data' refers to any information relating to an identified or identifiable natural person (hereinafter referred to as 'data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
'Processing' means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means. This expression is far-reaching and comprises virtually every aspect of handling data.
Applicable Legal Foundation
In compliance with Article 13 of the GDPR, we hereby inform you about the legal foundation of our data processing. Unless otherwise specified, the following applies: the legal foundation for obtaining consent is Article 6 para. 1 lit. a and Article 7 of the GDPR, the legal foundation for data processing necessary for the performance of a contract, the fulfillment of our services as well as answering enquiries is Article 6 para. 1 lit. b of the GDPR, the legal foundation for data processing necessary to fulfill our legal duties is Article 6 para. 1 lit. c of the GDPR and the legal foundation for the data processing required for protecting our own legitimate interests is Article 6 para. 1 lit. f. In case vital interests of the data subject or another natural person require the processing of personal data, the legal foundation is Article 6 para. 1 lit. d of the GDPR.
We kindly ask you to keep up to date regarding the content of our Data Privacy Statement. We will update this document as soon as modifications to our data processing require us to do so. We will notify you prior to such modifications requiring your cooperation (e.g. your consent) or any other individual notification.
Cooperation with Processors and Third Parties
In case we disclose data to other persons or corporations (processors or third parties) within the scope of our data processing, transmit such data to them or grant access to such data in any other way, this will be carried out only on the basis of a legal authorisation to do so (e.g. if the transmission of data to a third party such as a payment service provider is necessary to fulfill a contract in compliance with Article 6 para. 1 lit. b of the GDPR), if you have given consent, if a legal obligation requires us to do so or on the basis of our vested interest (e.g. for authorised agents, web hosting companies, etc.).
In case we hire a third party for data processing based on a so-called 'Commissioned-Processing Contract', the legal foundation for such a contract is Article 28 of the GDPR.
Transmission to Third Countries
In case we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or if such processing occurs by using third-party services or disclosure or transmission of such data to third parties, this will only occur if this is necessary to fulfill our (pre-) contractual obligations, based on your consent, based on a legal obligation or based on our vested interests. Unless otherwise provided by legal or contractual permissions, we only allow data processing under the specific circumstances described in Article 44 et seq. of the GDPR, i.e. such processing is only performed on the basis of special provisions, such as the officially acknowledged verification of the existence of a data protection level corresponding to that of the EU (e.g. for the USA through the 'Privacy Shield') or by complying with officially acknowledged special contractual obligations (so-called 'standard contractual clauses').
Rights of Data Subjects
You are entitled to obtain a confirmation whether your personal data are being processed as well as information on that data and further information and a copy of that data in compliance with Article 15 of the GDPR.
According to Article 16 of the GDPR, you are entitled to the completion of your personal data or the rectification of incorrect personal data relating to you.
In compliance with Article 17 of the GDPR, you are entitled to demand the immediate deletion of your personal data or, alternatively, the limitation of the processing of your personal data according to Article 18 of the GDPR.
You are entitled to receive your personal data that have been made available to us and demand the transmission thereof to other controllers according to Article 20 of the GDPR.
In addition, according to Article 77 of the GDPR, you are entitled to register a complaint with the responsible regulating authority.
Right to Withdraw
You are entitled to withdraw your given consent for future use according to Article 7 para. 3 of the GDPR.
Right to Object
You can object to the future processing of your personal data at any given time according to Article 21 of the GDPR. In particular, you may object to processing your personal data for the purpose of direct mail.
Deletion of Data
The personal data processed by us are deleted or limited in processing in compliance with Article 17 and 18 of the GDPR. Unless otherwise specified within this document, all personal data stored on our behalf will be deleted as soon as they are no longer required for their original purpose and there is no legal obligation for the retention of such data. In case the data are not deleted because they are required for other purposes permitted by law, their processing will be limited, i.e. the data will be locked and not be processed for other purposes. This applies e.g. for data that need to be retained in terms of commercial or fiscal law.
According to German law, certain categories of data records are retained for stipulated periods of time, e.g. a duration of 10 years according to §§ 147 para. 1 AO (German fiscal code), 257 para. 1 no. 1 and 4, para. 4 HGB (German Commercial Code) (books, records, status reports, accounting records, books of account, tax-relevant documents, etc.) and for a duration of 6 years according to § 257 para. 1 no. 2 and 3, para. 4 HGB (business letters).
'Cookies' are small files that are saved on a user’s computer. In such a cookie, a variety of information can be stored. A cookie primarily serves to store information about a user (or the device that the cookie is situated on) during and / or after his or her visit to an online offering. Cookies that are deleted after a user has left an online offering or after closing the browser window are referred to as temporary cookies, 'session cookies' or 'transient cookies'. Such a cookie can store e.g. the user’s shopping cart content of an online shop or his or her login status. Cookies are referred to as 'permanent' or 'persistent' when their content is still present after the browser has been closed. Thus, e.g. the login status may be stored and reused when the user returns to the site after some days. Likewise, the user’s areas of interest might be stored in such a cookie in order to measure the range of influence or for marketing purposes. 'Third-Party Cookies' are cookies that do not originate from the controller who operates the online offering (in that case, they would be referred to as 'First-Party Cookies').
We might be using permanent or temporary cookies and will inform you about this in this Data Privacy Statement.
If a user does not want cookies to be stored on their computer, we ask them to disable the respective option in their browser’s preference settings. Cookies that have already been stored can be deleted in the browser’s preferences. Rejecting cookies can potentially limit the functionality of our online offerings.
When contacting us (e.g. by means of our online contact form, email, phone or via social media, possibly also by handing over a business card), the user’s data will be processed for the purpose of handling and executing his or her enquiry according to Article 6 para. 1 lit. b of the GDPR; in that case, the purposes are the efficient communication with our customers, interested parties, business partners as well as their customers and employees as well as third parties and potential marketing and direct mail activities. The user data can be stored in a customer relationship management system ('CRM system') or comparable facilities to organize enquiry data.
Enquiries that are no longer needed will be deleted. We check the relevance of such data every two years; apart from that, we comply with the record retention regulations required by law.
In addition to the data categories listed below for the visitors of our web presence, we also process:
- Contractual data (e.g. contract subject, term of validity, customer category, contact person)
- Payment data (e.g. bank account information, payment history)
of our customers, interested parties and business partners as well as third parties for the purpose of fulfilling contractual obligations, services and customer care, marketing, advertising and market research.
Administration, Accounting, Office Organization and Contact Management
Within the scope of administrative tasks and our corporate organization, accounting and complying with legal obligations such as archiving, we process data. During those activities, we process the same data that are processed for fulfilling our contractual obligations. The legal foundation for that processing is comprised of Article 6 para. 1 lit. c. of the GDPR, Article 6 para. 1 lit. f. of the GDPR. Customers, interested parties, business partners and their employees are affected by this processing. Our interest in and the purpose of this processing is administration, financial accounting, office organization, data archival – i.e. activities that help us keep up our business operations, fulfill our tasks and perform our services. The deletion of data in terms of contractual services and contractual communication corresponds to the tasks mentioned with the processing activities below.
In this context, we disclose and transfer data to the financial administration, consultants, e.g. tax accountants or chartered accountants as well as other clearing houses and payment service providers.
Based on our economic interests, we also store data about suppliers, organizers and other business partners, e.g. for the purpose of contacting them at a later date. As a basic principle, these primarily corporate data are stored permanently.
Business Assessment and Market Research
In order to operate our business in an economic fashion and to be able to identify market tendencies, customer and user preferences, we analyze the available data about business activities, contracts, enquiries etc. In this context, we process inventory data, communication data, contract data, payment data, usage data and metadata in compliance with Article 6 para. 1 lit. f of the GDPR, and customers, interested parties, business partners, visitors and users of our online offerings may be affected in our doing so.
Such analyses are performed for management reports, marketing and market research. For that, we can take into account the profiles of registered users with information on e.g. their purchase activities. Those analyses serve to improve user friendliness, optimize our offerings and the operating efficiency. The results of such analyses are used exclusively by us and will not be exposed externally with the exception of anonymized data with consolidated values.
As far as these analyses or profiles are personal data, they are deleted upon the cancelation of the user or anonymized. In other cases, the deletion is performed after two years following the conclusion of contract. Moreover, the consolidated economic analyses and general trend analyses are generated anonymously wherever possible.
Special Information for Visitors of our Web Site
Types of Processed Data
- Master File Data (e.g. names, addresses).
- Contact Data (e.g. email, phone numbers).
- Content Data (e.g. text input, photographs, videos).
- Usage Data (e.g. visited websites, interest in content, access times).
- Meta and Communication Data (e.g. device information, IP addresses).
Purpose of the Data Processing
- Making Online Offerings, Functions and Content available.
- Answering Contact Enquiries and Communicating with Users.
- Safety Measures.
- Measuring Range of Influence / Marketing
When visiting our website, temporary or permanent cookies may be stored (see above).
Acquisition of Access Data and Log Files
Based on our vested interests and in compliance with Article 6 para. 1 lit. f. of the GDPR, we acquire data about every access to the services on this server (so-called 'server log files'). These data include the name of the requested web page, file, timestamp of the request, transferred data quantity, information about the successful response, browser name and version, the user’s operating system, the referrer URL (the page visited before), IP address and the requesting provider.
For security reasons (e.g. for fraud or abuse detection), log file information is stored for a maximum duration of 7 days and deleted thereafter. If such data represents necessary evidence, it is excepted from deletion until the incident is settled.
Inclusion of Third-Party Services and Content
Based on our vested interests (i.e. interest in analyzing, optimizing and increasing the economic efficiency of our online offerings in compliance with Article 6 para. 1 lit. f of the GDPR), we employ content and service offerings of third parties in order to include their content and services, e.g. scripting libraries, videos and fonts (hereinafter referred to as 'content').
One precondition for that is that the third parties offering such content recognize the IP addresses of the users as they cannot deliver that content to the browser without knowing the IP address. Thus, the IP address is required for displaying that content. We endeavour to use only content whose provider uses the IP address only for delivering their content. Moreover, third parties might use so-called pixel tags (invisible images also referred to as 'web beacons') for statistical or marketing purposes. By means of such pixel tags, information like web site traffic can be analyzed. Pseudonymous information can also be stored in cookies on the user’s device and may contain technical details about browser and operating system, referring web pages, access times and further information about the usage of our online offerings and might also be connected with information from other sources.
Based on our vested interests (i.e. interest in analysis, optimization and economic operation of our online offerings in compliance with Article 6 para. 1 lit. f of the GDPR), we use Google Analytics, a web analysis service by Google LLC ('Google'). Google is using cookies. The information gained with the help of that cookie is normally transferred to a Google server in the USA and stored there.
Google is certified under the Privacy Shield Agreement and therefore offers a guarantee to comply with European privacy regulations (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
Google will use that information acting on our instructions in order to analyze the usage of our online offerings by the user and assemble reports about his or her activity within our online offering and in order to fulfill other services related to this online offering and internet usage for us. In the course of that, pseudonymous user profiles can be generated based on the processed data.
We only use Google Analytics with active IP anonymization, i.e. the user’s IP address will be shortened by Google within the member countries of the European Union and other member countries of the European Economic Area. Only in exceptional cases, the full IP address will be transferred to a server in the USA and is shortened there.
The IP address transferred by the user’s browser will not be consolidated with other data processed by Google. The users can prevent the storage of those cookies by setting the respective preference in their browser software; in addition, users can prevent the acquisition of the data from the cookie and the data related to the usage of our online offering as well as processing that data by Google by installing the browser plugin available under the following URL: http://tools.google.com/dlpage/gaoptout?hl=de.
Further information on the usage of data by Google as well as your options to object to data processing and the related settings is available in Google’s privacy statement (https://policies.google.com/technologies/ads) as well as in the settings for the display of ads by Google (https://adssettings.google.com/authenticated).
The user’s personal data will be deleted or anonymized after 14 months.
cdnjs.com / Cloudflare
We include some scripting libraries from Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA. Privacy Statement: https://www.cloudflare.com/security-policy/. Cloudflare is certified under the Privacy Shield Agreement and therefore offers a guarantee to comply with European privacy regulations. (https://www.privacyshield.gov/participant?id=a2zt0000000GnZKAA0&status=Active).
Online Presences in Social Media
We provide online presences in social networks and platforms in order to communicate with customers, interested parties and users active on those platforms and to inform them about our services. When using those networks and platforms, the general conditions and privacy policies of the respective operator are in effect.
Unless otherwise stipulated in our Data Privacy Statement, we process personal data of our users if they communicate with us within those social networks and platforms, e.g. by posting comments on our online presences or sending messages.
Special Advice for Customers, Interested Parties, Business Partners and Third Parties
Consulting, Software Development, Software Maintenance, Other Agency Services
We process data from our customers in the context of our contractual obligations comprising conceptual and strategic consulting, campaign planning, software and design development and consulting or maintenance, realization of campaigns and processes / handling, server administration, data analyses, consulting services and training.
In this connection, we process inventory data (e.g. customer master data such as names and addresses), contact data (e.g. email, phone numbers, appointments), content data (e.g. text input, photographs, videos), contract data (e.g. subject of contract, contract period), payment data (e.g. bank account information, payment history), usage and meta data (e.g. in the context of analyses of the success of marketing measures). Generally, we do not process special categories of personal data except if they are part of the processing agreed upon. The persons affected by such processing are our customers and interested parties as well as their customers, users, website visitors, employees as well as third parties. The purpose of such processing is the fulfillment of our contractual obligations, billing and our customer service. The legal foundation for that processing results from Article 6 para. 1 lit. b of the GDPR (contractual services), Article 6 para. 1 lit. f of the GDPR (Processing and Execution of Contracts, e.g. with employees of our customers, analysis, statistics, optimization, safety measures). We process data required for the execution of contractual services and inform about the necessity of disclosing them. A disclosure to third parties is only performed if it is required for the execution of the order. When processing the data provided to us in the context of an order, we act according to the instructions of the customer as well as in compliance with the legal obligations regarding order processing according to Article 28 of the GDPR and we will not process the data for any purpose not part of the order.
We delete that data after the expiry of the legal obligations regarding warranty and similar aspects. The requirement to retain the data is checked once every three years; in the case of record retention duties, the data will be deleted after their expiry (6 years according to § 257 para. 1 HGB (German Commercial Code), 10 years according to § 147 para. 1 AO (German Fiscal Code)). In the case of data that has been disclosed to us within the scope of an order by the client, the data will be deleted according to the provisions of the order, as a basic principle after finishing the order.
User Accounts for Customers and their Employees
Customers and interested parties as well as their employees can obtain a user account for using our software systems in line with the fulfillment of contract services (e.g. systems for documentation, ticket management, project management, version control, data exchange or video conferencing). The required information for the registration of those accounts will be requested by our IT department. The data acquired for the registration will be used for the purposes of the service. The users can be informed via email about details relevant to the service or the registration, such as a change of the scope of the offering or of the technical details. When a user terminates his or her user account or when the contract services have been completed, the data related to that user account will be deleted except if that information needs to be retained for legal reasons (commercial or tax-relevant) in compliance with Article 6 para. 1 lit. c of the GDPR. It is up to the users to back up their data before terminating their account or before the end of the contract respectively. We are entitled to delete any and all user data stored during the course of the contract fulfillment irrecoverably.
Depending on the software system, temporary or permanent cookies (see above) can be generated. In general, those are not used for tracking. Also depending on the software system and configuration, the inclusion of services and content from third parties is possible (see above under 'Web Site').
In line with the usage of user accounts we store the IP address and the timestamp of the respective user action. The storage is performed on the basis of our vested interests and of those of the user, as well as for the protection against abuse and other illegal usage. As a basic principle, that data are never disclosed to third parties, except if necessary for the pursuit of our claims or if we are obliged thereto according to Article 6 para. 1 lit. c of the GDPR. The IP addresses will be anonymized or deleted after a maximum of 7 days. If the retention of data is necessary for the purpose of later evidence, they will be excepted from deletion until the incident has been finally clarified.
Special Advice for Visitors of our Offices
Reception / Visitors Directory
We process data of our visitors on the basis of Article 6 para. 1 lit. f. of the GDPR in order to ensure well-ordered work processes and to protect our own data and trade secrets and those of our customers. For that purpose, we acquire master file and contact data (e.g. name, company, the car’s registration) of our visitors. For security reasons, said data are stored for a maximum duration of 14 days and subsequently deleted. If the retention of data is necessary for the purpose of later evidence, they will be excepted from deletion until the incident has finally been clarified.
Accessing the Guest WLAN
We may allow our visitors to connect their devices to our guest WLAN for a limited time. Based on our vested interests as stipulated in Article 6 para. 1 lit. f. of the GDPR we acquire the name and the company name of the guest as well as meta and communication data (e.g. device information, IP addresses). For security reasons (e.g. for investigations in cases of abuse or fraud), these data are stored for a maximum duration of 7 days and deleted thereafter. If the retention of data is necessary for the purpose of later evidence, they will be excepted from deletion until the incident has finally been clarified.
Special Information for Applicants
Privacy Notice regarding the Application Process
We process the personal data of applicants only for the purpose and within the scope of the application process in compliance with the respective legal obligations. The processing of an applicant’s data is performed for the fulfillment of our (pre-) contractual obligations within the scope of the application process according to Article 6 para. 1 lit. b. of the GDPR and Article 6 para. 1 lit. f. of the GDPR if the data processing becomes necessary for us, e.g. in line with legal proceedings (in Germany § 26 BDSG is also in effect).
One precondition for the application process is that the applicants disclose their application data to us. The necessary application data are marked as such if we provide an online application form. Otherwise, they result from the job posting. As a basic principle, this includes personal data, mail and contact addresses and the documents that are part of the application, such as cover letter, CV and certificates / letters of reference. In addition, the applicants may supply us with additional information.
With the submission of the job application, the applicants agree to the processing of their data for the purpose of the application process according to the methods described in this Data Privacy Statement.
If special categories of personal data according to Article 9 para. 1 of the GDPR are provided within the scope of the application process on a voluntary basis, these data will be processed in addition according to Article 9 para. 2 lit. b of the GDPR (e.g. health-related data, such as ethnic group or a severe handicap). As far as special categories of personal data according to Article 9 para. 1 of the GDPR are requested from the applicants within the scope of the application process, these data will be processed in addition according to Article 9 para. 2 lit. a of the GDPR (e.g. health-related data if those are required for exercising the respective professional activities).
If available, the applicants may use an online form on our website to submit their applications. The data will be transferred using best-practice encryption technology.
Applicants may also send their applications by email. However, we would like to point out that email is not encrypted per se and that the applicants themselves need to take care of the encryption. Hence, we cannot be held responsible for the secure transmission of the application from the sender to our server and would recommend using an online form or sending the application by mail.
The data supplied by the applicants can be processed further in case of a successful application for the purpose of an employment relationship. Otherwise, if the application for a job posting is not successful, the applicants’ data are deleted. If an application is revoked, which may be done by the applicant at any given time, the data are deleted as well.
Unless the applicant files a revocation for legitimate reasons, the deletion will be performed after a period of six months in order to enable us to answer follow-up questions to the applications and to fulfill our obligations to prove the compliance with the German equality act. Receipts for travel expense compensation are being archived according to the obligations of the German tax code.
In the course of the application process, we offer the opportunity to our applicants to join our 'talent pool' for a period of two years based on their consent according to Article 6 para. 1 lit. b. and Article 7 of the GDPR.
The application documents in our talent pool will be processed for the sole reason of future job postings and talent search and will be deleted after the expiry of the stipulated period. The applicants are informed that their consent to joining the talent pool is optional and that they may revoke their consent at any time as well as declare their objection according to Article 21 of the GDPR.