Privacy Policy

Preamble

With the following privacy policy we would like to inform you which types of your personal data (hereinafter also briefly referred to as "data") we process, for what purposes and to what extent. The privacy policy applies to all processing of personal data carried out by us, both in the context of providing our services and in particular on our websites, in mobile applications as well as within external online presences, such as our social media profiles (hereinafter collectively referred to as "online offering").

The terms used are gender-neutral.

Last updated: 4 November 2025

Controller

wagner GmbH
Aachener Straße 79
52249 Eschweiler

Authorized representatives: Stefan Wagner

Email address: info@wagner-eschweiler.de

Phone: +49 2403 8774-0

Imprint: https://wagner-eschweiler.de/impressum.htm

Contact Data Protection Officer

Kompass Datenschutz GmbH
external data protection officer Jan Besold
Email: besold (at) kompass-datenschutz.de
Phone: 02233 / 6290596

Overview of processing activities

The overview below summarizes the types of data processed and the purposes of their processing and refers to the data subjects concerned.

Types of data processed

  • Master data.
  • Employee data.
  • Payment data.
  • Location data.
  • Contact data.
  • Content data.
  • Contract data.
  • Usage data.
  • Meta, communication and procedural data.
  • Social data.
  • Applicant data.
  • Image and/or video recordings.
  • Audio recordings.
  • Log data.
  • Performance and behavior data.
  • Working time data.
  • Creditworthiness data.
  • Salary data.

Special categories of data

  • Health data.
  • Religious or ideological beliefs.
  • Trade union membership.

Categories of data subjects

  • Service recipients and clients.
  • Employees.
  • Prospects.
  • Communication partners.
  • Users.
  • Applicants.
  • Contest and competition participants.
  • Business and contractual partners.
  • Participants.
  • Depicted persons.
  • Third parties.
  • Whistleblowers.
  • Customers.

Purposes of processing

  • Provision of contractual services and performance of contractual obligations.
  • Communication.
  • Security measures.
  • Direct marketing.
  • Reach measurement.
  • Tracking.
  • Office and organizational procedures.
  • Audience segmentation.
  • Organizational and administrative procedures.
  • Application procedures.
  • Conducting sweepstakes and competitions.
  • Feedback.
  • Surveys and questionnaires.
  • Marketing.
  • Profiles with user-related information.
  • Provision of our online offering and user-friendliness.
  • Assessment of creditworthiness.
  • Establishment and execution of employment relationships.
  • IT infrastructure.
  • Public relations and information purposes.
  • Whistleblower protection.
  • Financial and payment management.
  • Public relations.
  • Sales promotion.
  • Business processes and commercial procedures.
  • Artificial Intelligence (AI).

Automated individual decisions

  • Creditworthiness report.

Applicable legal bases

Applicable legal bases under the GDPR: Below you will find an overview of the legal bases of the GDPR on which we process personal data. Please note that in addition to the rules of the GDPR, national data protection provisions in your or our country of residence or registered office may apply. If, in individual cases, more specific legal bases are relevant, we will inform you of these in the privacy policy.

  • Consent (Art. 6(1)(1)(a) GDPR) – The data subject has given consent to the processing of his or her personal data for one or more specific purposes.
  • Performance of a contract and pre-contractual inquiries (Art. 6(1)(1)(b) GDPR) – The processing is necessary for the performance of a contract to which the data subject is party or for the implementation of pre-contractual measures at the request of the data subject.
  • Legal obligation (Art. 6(1)(1)(c) GDPR) – The processing is necessary for compliance with a legal obligation to which the controller is subject.
  • Legitimate interests (Art. 6(1)(1)(f) GDPR) – The processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, provided that the interests, fundamental rights and freedoms of the data subject which require protection of personal data do not override those interests.
  • Application procedure as pre-contractual or contractual relationship (Art. 6(1)(1)(b) GDPR) – If special categories of personal data pursuant to Art. 9(1) GDPR (e.g. health data, such as severe disability status or ethnic origin) are requested from applicants in the course of the application process so that the controller or the data subject can exercise rights arising from employment law and social security and social protection law and comply with their related obligations, their processing takes place pursuant to Art. 9(2)(b) GDPR; in the case of protection of the vital interests of the applicants or other persons pursuant to Art. 9(2)(c) GDPR or for purposes of preventive or occupational medicine, to assess the working capacity of the employee, for medical diagnostics, care or treatment in the health or social sector or for the management of systems and services in the health or social sector pursuant to Art. 9(2)(h) GDPR. In the case of voluntary disclosure of special categories of data based on consent, their processing is based on Art. 9(2)(a) GDPR.
  • Processing of special categories of personal data relating to healthcare, occupation and social security (Art. 9(2)(h) GDPR) – The processing is necessary for preventive or occupational medicine, for the assessment of the working capacity of the employee, for medical diagnosis, care or treatment in the health or social sector or for the management of systems and services in the health or social sector on the basis of Union law or the law of a Member State or under a contract with a health professional.

National data protection rules in Germany: In addition to the data protection regulations of the GDPR, national data protection rules in Germany apply. These include in particular the Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG). The BDSG contains special provisions in particular on the right of access, the right to deletion, the right to object, the processing of special categories of personal data, processing for other purposes and transmission as well as automated individual decision-making including profiling. In addition, state data protection laws of the individual federal states may apply.

Note on the applicability of the GDPR and the Swiss DPA: These privacy notices serve both the information obligations under the Swiss Data Protection Act (DSG) and under the General Data Protection Regulation (GDPR). For this reason, please note that the terms of the GDPR are used due to their broader territorial application and comprehensibility. In particular, instead of the terms used in the Swiss DSG such as “processing” of “personal data”, “predominant interest” and “particularly sensitive personal data”, the terms used in the GDPR “processing” of “personal data”, “legitimate interest” and “special categories of data” are used. However, the legal meaning of the terms is still determined under the Swiss DSG within the scope of its applicability.

Security measures

We take appropriate technical and organizational measures in accordance with the statutory provisions, taking into account the state of the art, the implementation costs and the nature, scope, circumstances and purposes of the processing as well as the differing likelihoods of occurrence and severity of the threats to the rights and freedoms of natural persons, in order to ensure a level of protection appropriate to the risk.

The measures include in particular ensuring the confidentiality, integrity and availability of data by controlling physical and electronic access to the data as well as the access, input, transmission, availability protection and separation of the data concerned. In addition, we have established procedures to ensure the exercise of data subjects' rights, the deletion of data and responses to data security incidents. Furthermore, we take into account the protection of personal data already during the development or selection of hardware, software and procedures in accordance with the principle of data protection by design and by default.

Securing online connections by TLS/SSL encryption technology (HTTPS): In order to protect users' data that is transmitted via our online services from unauthorized access, we rely on TLS/SSL encryption technology. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the cornerstones of secure data transmission on the Internet. These technologies encrypt the information transmitted between the website or app and the user's browser (or between two servers), thereby protecting the data from unauthorized access. TLS, as the more advanced and secure version of SSL, ensures that all data transmissions meet the highest security standards. When a website is secured by an SSL/TLS certificate, this is indicated by the display of HTTPS in the URL. This serves as an indicator for users that their data is being transmitted securely and in encrypted form.

Disclosure of personal data

As part of our processing of personal data, the data may be transmitted or disclosed to other bodies, companies, legally independent organizational units or persons. Recipients of these data may include, for example, service providers entrusted with IT tasks or providers of services and content that are integrated into a website. In such cases, we comply with the statutory provisions and in particular conclude appropriate contracts or agreements with the recipients of your data that serve to protect your data.

Data transfer within the organization: We may transfer personal data to other departments or units within our organization or grant them access to it. If the transfer of data is carried out for administrative purposes, it is based on our legitimate business and commercial interests or is carried out if it is necessary to fulfill our contractual obligations or if consent of the data subjects or a legal permission exists.

International data transfers

Data processing in third countries: If we transfer data to a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or this occurs in the context of the use of services of third parties or the disclosure or transmission of data to other persons, bodies or companies (which becomes apparent from the postal address of the respective provider or if the privacy policy explicitly refers to the data transfer to third countries), this is always carried out in accordance with the statutory provisions.

For data transfers to the USA, we primarily rely on the Data Privacy Framework (DPF), which was recognized as a secure legal framework by an adequacy decision of the European Commission dated 10 July 2023. In addition, we have concluded standard contractual clauses with the respective providers that comply with the requirements of the European Commission and establish contractual obligations to protect your data.

This twofold safeguarding ensures comprehensive protection of your data: the DPF forms the primary layer of protection, while the standard contractual clauses serve as an additional safeguard. Should changes occur within the DPF, the standard contractual clauses act as a reliable fallback option. In this way we ensure that your data remains adequately protected even in the event of political or legal changes.

For the individual service providers we inform you whether they are certified under the DPF and whether standard contractual clauses are in place. Further information on the DPF and a list of certified companies can be found on the website of the U.S. Department of Commerce at https://www.dataprivacyframework.gov/ (in English).

For data transfers to other third countries, appropriate safeguards apply, in particular standard contractual clauses, explicit consents or legally required transfers. Information on third-country transfers and applicable adequacy decisions can be found in the information provided by the European Commission: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection_en?prefLang=de.

General information on data retention and deletion

We delete personal data that we process in accordance with legal requirements as soon as the underlying consents are revoked or no further legal bases for the processing exist. This applies to cases in which the original purpose of processing no longer applies or the data are no longer required. Exceptions to this rule exist when statutory obligations or legitimate interests require longer retention or archiving of the data.

In particular, data that must be retained for commercial or tax reasons or whose storage is necessary for legal prosecution or to protect the rights of other natural or legal persons must be archived accordingly.

Our privacy notices contain additional information on the retention and deletion of data that apply specifically to certain processing procedures.

If several retention or deletion periods are specified for a data item, the longest period always applies. Data that are retained not for the originally intended purpose but because of legal requirements or other reasons will only be processed for the reasons that justify their retention.

Retention and deletion of data: The following general periods apply to retention and archiving under German law:

  • 10 years - Retention period for books and records, annual financial statements, inventories, management reports, opening balance sheets as well as the working instructions and other organizational documents necessary to understand them (§ 147(1) No. 1 in conjunction with (3) AO, § 14b(1) UStG, § 257(1) No. 1 in conjunction with (4) HGB).
  • 8 years - Accounting documents, such as invoices and expense receipts (§ 147(1) No. 4 and 4a in conjunction with (3) sentence 1 AO and § 257(1) No. 4 in conjunction with (4) HGB).
  • 6 years - Other business documents: received commercial or business letters, reproductions of sent commercial or business letters, other documents insofar as they are relevant for taxation, e.g. hourly wage slips, departmental accounting sheets, calculation documents, price markings, but also payroll accounting documents insofar as they are not already accounting documents and cash register receipts (§ 147(1) Nos. 2, 3, 5 in conjunction with (3) AO, § 257(1) Nos. 2 and 3 in conjunction with (4) HGB).
  • 3 years - Data required to take account of potential warranty and compensation claims or similar contractual claims and rights and to process related inquiries, based on previous business experiences and customary industry practices, are stored for the duration of the regular statutory limitation period of three years (§§ 195, 199 BGB).

Start of the period at the end of the year: If a period does not explicitly begin on a specific date and is at least one year, it starts automatically at the end of the calendar year in which the triggering event occurred. In the case of ongoing contractual relationships in which data are stored, the triggering event is the time at which the termination or other ending of the legal relationship takes effect.

Rights of data subjects

Rights of data subjects under the GDPR: As a data subject, you have various rights under the GDPR, in particular arising from Articles 15 to 21 GDPR:

  • Right to object: You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is based on Article 6(1)(e) or (f) GDPR; this also applies to profiling based on those provisions. If personal data are processed for the purpose of direct marketing, you have the right to object at any time to the processing of personal data concerning you for such marketing purposes; this also applies to profiling to the extent that it is related to such direct marketing.
  • Right to withdraw consent: You have the right to withdraw given consents at any time.
  • Right of access: You have the right to request confirmation as to whether personal data concerning you is being processed and to obtain access to those data and further information and a copy of the data in accordance with the statutory provisions.
  • Right to rectification: You have the right to request, in accordance with the statutory provisions, the completion of the personal data concerning you or the correction of inaccurate personal data concerning you.
  • Right to erasure and restriction of processing: You have the right, subject to the statutory provisions, to request that personal data concerning you be deleted without delay, or alternatively, subject to the statutory provisions, to request the restriction of processing of the personal data.
  • Right to data portability: You have the right to receive personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and to have those data transmitted to another controller where technically feasible and in accordance with statutory provisions.
  • Complaint to a supervisory authority: In accordance with the statutory provisions and without prejudice to other administrative or judicial remedies, you also have the right to lodge a complaint with a data protection supervisory authority, in particular in the Member State in which you habitually reside, your place of work or the place of the alleged infringement, if you consider that the processing of personal data concerning you infringes the GDPR.

Business services

We process data of our contractual and business partners, e.g. customers and prospects (collectively referred to as "contractual partners"), within the scope of contractual and comparable legal relationships as well as related measures and with regard to communication with the contractual partners (or pre-contractually), for example to answer inquiries.

We use this data to fulfill our contractual obligations. These include in particular the obligations to provide the agreed services, any updating obligations and remedy in the event of warranty and other performance defects. In addition, we use the data to assert our rights and for administrative tasks associated with these obligations as well as for corporate organization. In addition, we process the data on the basis of our legitimate interests in proper and businesslike management as well as in security measures to protect our contractual partners and our business operations from misuse, endangerment of their data, secrets, information and rights (e.g. involvement of telecommunications, transport and other auxiliary services as well as subcontractors, banks, tax and legal advisors, payment service providers or financial authorities). Within the scope of applicable law, we disclose contractual partner data to third parties only insofar as this is necessary for the aforementioned purposes or to fulfill legal obligations. Contractual partners are informed about other forms of processing, such as for marketing purposes, within the framework of this privacy policy.

Which data are required for the aforementioned purposes will be communicated to the contractual partners before or at the time of data collection, e.g. in online forms, by special marking (e.g. colors) or symbols (e.g. asterisks or similar), or personally.

We delete the data after the expiry of statutory warranty and comparable obligations, i.e. generally after four years, unless the data are stored in a customer account, e.g. as long as they must be retained for statutory reasons (e.g. for tax purposes usually ten years). Data that were disclosed to us by the contractual partner in the context of an order are deleted in accordance with the specifications and generally after the end of the order.

  • Types of data processed: Master data (e.g. full name, residential address, contact information, customer number, etc.); Payment data (e.g. bank details, invoices, payment history); Contact data (e.g. postal and email addresses or phone numbers); Contract data (e.g. subject matter of the contract, duration, customer category); Usage data (e.g. page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); Meta, communication and procedural data (e.g. IP addresses, timestamps, identification numbers, persons involved).
  • Data subjects: Service recipients and clients; Prospects; Business and contractual partners.
  • Purposes of processing: Provision of contractual services and performance of contractual obligations; Security measures; Communication; Office and organizational procedures; Organizational and administrative procedures; Business processes and commercial procedures.
  • Retention and deletion: Deletion in accordance with the information in the section "General information on data retention and deletion".
  • Legal bases: Performance of a contract and pre-contractual inquiries (Art. 6(1)(1)(b) GDPR); Legal obligation (Art. 6(1)(1)(c) GDPR); Legitimate interests (Art. 6(1)(1)(f) GDPR).

Further notes on processing procedures, processes and services:

  • Online shop, order forms, e-commerce and service fulfillment: We process our customers' data to enable them to select, purchase or order the chosen products, goods and associated services, as well as their payment and provision or delivery or execution. If necessary for the execution of an order, we use service providers, in particular postal, shipping and delivery companies, to carry out the delivery or execution for our customers. For the processing of payment transactions we use the services of banks and payment service providers. The required information is marked accordingly as part of the order or comparable purchase process and includes the information required for delivery or provision and billing as well as contact information in order to be able to make inquiries if necessary; Legal bases: Performance of a contract and pre-contractual inquiries (Art. 6(1)(1)(b) GDPR).
  • Consulting: We process the data of our clients as well as prospects and other principals or contractual partners (collectively referred to as "clients") in order to provide them with our services. Procedures that belong to and serve the purposes of consulting include: contacting and communicating with clients, conducting needs and requirements analyses, planning and implementing consulting projects, documenting project progress and results, recording and managing client-specific information and data, scheduling and organizing appointments, providing consulting resources and materials, billing and payment management, post-processing and follow-up of consulting projects, quality assurance and feedback processes. The data processed, the type, scope, purpose and necessity of their processing are determined by the underlying contract and client relationship.

    If it is necessary for the performance of our contract, to protect vital interests or required by law, or if the clients have given consent, we disclose or transmit the clients' data to third parties or processors, taking professional and regulatory requirements into account, such as authorities, subcontractors or those in the field of IT, office or comparable services; Legal bases: Performance of a contract and pre-contractual inquiries (Art. 6(1)(1)(b) GDPR).
  • Technical services: We process the data of our customers and principals (hereinafter uniformly referred to as "customers") to enable them to select, acquire or commission the chosen services or works and associated activities as well as their payment and provision or execution or delivery.

    The information required is marked accordingly as part of the order, purchase or comparable conclusion of contract and includes the information required for the provision of services and billing as well as contact information in order to be able to make inquiries if necessary. If we have access to information of end customers, employees or other persons, we process this information in accordance with legal and contractual requirements; Legal bases: Performance of a contract and pre-contractual inquiries (Art. 6(1)(1)(b) GDPR).
  • Event management: We process the data of participants of events, functions and similar activities offered or organized by us (hereinafter uniformly referred to as "participants" and "events") to enable them to participate in the events and use the services or activities associated with participation.

    If in this context we process health-related data, religious, political or other special categories of data, this is done where it is obvious from the context (e.g. for themed events), for health protection, safety or with the consent of the data subjects.

    The required information is marked accordingly as part of the order, booking or comparable conclusion of contract and includes the information required for the provision of services and billing as well as contact information in order to be able to make inquiries if necessary. If we have access to information of end customers, employees or other persons, we process this information in accordance with legal and contractual requirements; Legal bases: Performance of a contract and pre-contractual inquiries (Art. 6(1)(1)(b) GDPR).

Business processes and procedures

Personal data of service recipients and clients – including customers, clients or, in special cases, principals, patients or business partners as well as other third parties – are processed in the context of contractual and comparable legal relationships and pre-contractual measures such as the initiation of business relationships. This data processing supports and facilitates business processes in areas such as customer management, sales, payment transactions, accounting and project management.

The collected data are used to fulfill contractual obligations and to design operational processes efficiently. This includes handling business transactions, managing customer relationships, optimizing sales strategies and ensuring internal accounting and financial processes. In addition, the data support the protection of the controller's rights and facilitate administrative tasks as well as company organization.

Personal data may be disclosed to third parties if necessary to fulfill the aforementioned purposes or statutory obligations. After statutory retention periods expire or if the purpose of processing ceases to exist, the data are deleted. This also includes data that must be retained for a longer period due to tax or legal evidentiary obligations.

  • Types of data processed: Master data (e.g. full name, residential address, contact information, customer number, etc.); Payment data (e.g. bank details, invoices, payment history); Contact data (e.g. postal and email addresses or phone numbers); Content data (e.g. textual or pictorial messages and contributions and the information relating thereto, such as authorship or time of creation); Contract data (e.g. subject matter of the contract, duration, customer category); Usage data (e.g. page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); Meta, communication and procedural data (e.g. IP addresses, timestamps, identification numbers, persons involved); Log data (e.g. log files regarding logins or access times of data retrieval); Employee data (information about employees and other persons in an employment relationship).
  • Data subjects: Service recipients and clients; Prospects; Communication partners; Business and contractual partners; Third parties; Users (e.g. website visitors, users of online services); Employees (e.g. employees, applicants, temporary staff and other staff); Customers.
  • Purposes of processing: Provision of contractual services and performance of contractual obligations; Office and organizational procedures; Business processes and commercial procedures; Communication; Marketing; Sales promotion; Public relations; Financial and payment management; Security measures; IT infrastructure (operation and provision of information systems and technical devices (computers, servers etc.)).
  • Retention and deletion: Deletion in accordance with the information in the section "General information on data retention and deletion".
  • Legal bases: Performance of a contract and pre-contractual inquiries (Art. 6(1)(1)(b) GDPR); Legitimate interests (Art. 6(1)(1)(f) GDPR); Legal obligation (Art. 6(1)(1)(c) GDPR).

Further notes on processing procedures, processes and services:

  • Customer management and Customer Relationship Management (CRM): Procedures required within customer management and Customer Relationship Management (CRM) (e.g. customer acquisition in compliance with data protection requirements, measures to promote customer retention and loyalty, effective customer communication, complaint management and customer service with due regard to data protection, data management and analysis to support the customer relationship, management of CRM systems, secure account management, customer segmentation and audience building); Legal bases: Performance of a contract and pre-contractual inquiries (Art. 6(1)(1)(b) GDPR), Legitimate interests (Art. 6(1)(1)(f) GDPR).
  • Contact management and maintenance: Procedures required for organizing, maintaining and securing contact information (e.g. setting up and maintaining a central contact database, regular updates of contact information, monitoring data integrity, implementation of data protection measures, ensuring access controls, performing backups and restores of contact data, training employees in effective handling of contact management software, regular review of communication history and adaptation of contact strategies); Legal bases: Performance of a contract and pre-contractual inquiries (Art. 6(1)(1)(b) GDPR), Legitimate interests (Art. 6(1)(1)(f) GDPR).
  • General payment transactions: Procedures required for carrying out payment transactions, monitoring bank accounts and controlling cash flows (e.g. creation and verification of transfers, processing of direct debit transactions, control of bank statements, monitoring incoming and outgoing payments, management of returned direct debits, account reconciliation, cash management); Legal bases: Performance of a contract and pre-contractual inquiries (Art. 6(1)(1)(b) GDPR), Legitimate interests (Art. 6(1)(1)(f) GDPR).
  • Accounts payable and accounts receivable: Procedures required for recording, processing and controlling business transactions in the area of accounts payable and accounts receivable (e.g. creation and verification of incoming and outgoing invoices, monitoring and management of open items, processing of payment transactions, dunning procedures, account reconciliation within receivables and payables, accounts payable and accounts receivable); Legal bases: Performance of a contract and pre-contractual inquiries (Art. 6(1)(1)(b) GDPR), Legal obligation (Art. 6(1)(1)(c) GDPR), Legitimate interests (Art. 6(1)(1)(f) GDPR).
  • Financial accounting and taxes: Procedures required for recording, managing and controlling financially relevant business transactions and for calculating, reporting and paying taxes (e.g. posting and booking of business transactions, creation of quarterly and annual financial statements, execution of payment transactions, handling of dunning procedures, account reconciliation, tax advice, preparation and submission of tax returns, handling of tax matters); Legal bases: Performance of a contract and pre-contractual inquiries (Art. 6(1)(1)(b) GDPR), Legal obligation (Art. 6(1)(1)(c) GDPR), Legitimate interests (Art. 6(1)(1)(f) GDPR).
  • Procurement: Procedures required for the procurement of goods, raw materials or services (e.g. supplier selection and evaluation, price negotiations, order placement and monitoring, inspection and control of deliveries, invoice verification, order management, inventory management, creation and maintenance of procurement policies); Legal bases: Performance of a contract and pre-contractual inquiries (Art. 6(1)(1)(b) GDPR), Legitimate interests (Art. 6(1)(1)(f) GDPR).
  • Sales: Procedures required for the planning, execution and monitoring of measures for the marketing and sale of products or services (e.g. customer acquisition, preparation and tracking of offers, order processing, customer advice and support, sales promotion, product training, sales controlling and analysis, management of distribution channels); Legal bases: Performance of a contract and pre-contractual inquiries (Art. 6(1)(1)(b) GDPR), Legitimate interests (Art. 6(1)(1)(f) GDPR).
  • Marketing, advertising and sales promotion: Procedures required for marketing, advertising and sales promotion (e.g. market analysis and audience determination, development of marketing strategies, planning and execution of advertising campaigns, design and production of promotional materials, online marketing including SEO and social media campaigns, event marketing and trade fair participation, customer loyalty programs, sales promotion activities, performance measurement and optimization of marketing activities, budget management and cost control); Legal bases: Legitimate interests (Art. 6(1)(1)(f) GDPR).
  • Economic analyses and market research: For business purposes and to detect market trends and the wishes of contractual partners and users, existing data on business transactions, contracts, inquiries, etc. are analyzed. The group of data subjects may include contractual partners, prospects, customers, visitors and users of the controller's online offering. The analyses serve the purposes of business evaluations, marketing and market research (e.g. to determine customer groups with different characteristics). If available, profiles of registered users including their information on services used are taken into account. The analyses are used exclusively by the controller and are not disclosed externally, unless they are anonymous analyses with aggregated, i.e. anonymized values. In addition, user privacy is taken into account; data are processed pseudonymized and, where feasible, anonymized for analysis purposes (e.g. as aggregated data); Legal bases: Legitimate interests (Art. 6(1)(1)(f) GDPR).
  • Public relations: Procedures required for public relations and PR (e.g. development and implementation of communication strategies, planning and execution of PR campaigns, creation and distribution of press releases, maintenance of media contacts, monitoring and analysis of media resonance, organization of press conferences and public events, crisis communication, creation of content for social media and corporate websites, management of corporate branding); Legal bases: Legitimate interests (Art. 6(1)(1)(f) GDPR).
  • Guest Wi-Fi: Procedures required for the setup, operation, maintenance and monitoring of a wireless network for guests (e.g. installation and configuration of Wi-Fi access points, creation and management of guest accounts, monitoring of network connection, ensuring network security, troubleshooting connection issues, updating network software, compliance with data protection requirements); Legal bases: Performance of a contract and pre-contractual inquiries (Art. 6(1)(1)(b) GDPR), Legal obligation (Art. 6(1)(1)(c) GDPR), Legitimate interests (Art. 6(1)(1)(f) GDPR).

Providers and services used in the course of business activities

In the course of our business activities we use additional services, platforms, interfaces or plugins from third-party providers (briefly "services"), taking into account the statutory provisions. The use of these is based on our interests in proper, lawful and economical management of our business operations and our internal organization.

  • Types of data processed: Master data (e.g. full name, residential address, contact information, customer number, etc.); Payment data (e.g. bank details, invoices, payment history); Contact data (e.g. postal and email addresses or phone numbers); Content data (e.g. textual or pictorial messages and contributions and the information relating thereto, such as authorship or time of creation). Contract data (e.g. subject matter of the contract, duration, customer category).
  • Data subjects: Service recipients and clients; Prospects; Business and contractual partners. Employees (e.g. employees, applicants, temporary staff and other staff).
  • Purposes of processing: Provision of contractual services and performance of contractual obligations; Office and organizational procedures. Business processes and commercial procedures.
  • Retention and deletion: Deletion in accordance with the information in the section "General information on data retention and deletion".
  • Legal bases: Legitimate interests (Art. 6(1)(1)(f) GDPR).

Further notes on processing procedures, processes and services:

Payment methods

In the context of contractual and other legal relationships, due to legal obligations or otherwise on the basis of our legitimate interests, we offer data subjects efficient and secure payment options and use, in addition to banks and credit institutions, other service providers (collectively "payment service providers").

Data processed by payment service providers include master data such as name and address, bank data such as account numbers or credit card numbers, passwords, TANs and checksums as well as contract, amount and recipient-related information. The information is necessary to carry out the transactions. However, the data entered are only processed and stored by the payment service providers. That means we do not receive account or credit card related information, but only information confirming or denying the payment. Under certain circumstances, the data may be transmitted by the payment service providers to credit reporting agencies. This transmission is intended for identity and credit checks. For this we refer to the terms and conditions and privacy notices of the payment service providers.

The terms and conditions and privacy notices of the respective payment service providers apply to payment transactions and can be accessed on the respective websites or transaction applications. We refer to these for further information and to assert revocation, access and other data subject rights.

  • Types of data processed: Master data (e.g. full name, residential address, contact information, customer number, etc.); Payment data (e.g. bank details, invoices, payment history); Contract data (e.g. subject matter of the contract, duration, customer category); Usage data (e.g. page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions). Meta, communication and procedural data (e.g. IP addresses, timestamps, identification numbers, persons involved).
  • Data subjects: Service recipients and clients. Business and contractual partners.
  • Purposes of processing: Provision of contractual services and performance of contractual obligations. Business processes and commercial procedures.
  • Retention and deletion: Deletion in accordance with the information in the section "General information on data retention and deletion".
  • Legal bases: Performance of a contract and pre-contractual inquiries (Art. 6(1)(1)(b) GDPR). Legitimate interests (Art. 6(1)(1)(f) GDPR).

Credit checks

If we provide advance services or assume comparable economic risks (e.g. for purchases on account), we reserve the right to obtain identity and credit information from specialized service companies (credit agencies) in order to assess the credit risk based on mathematical-statistical procedures to protect our legitimate interests.

The information received from credit agencies about the statistical probability of default is processed within the scope of an appropriate discretionary decision concerning the initiation, execution and termination of the contractual relationship. In the event of a negative result of the credit check, we reserve the right to refuse payment on account or other advance performance.

The decision whether we provide advance services is made in accordance with legal requirements solely on the basis of an automated individual decision made by our software on the basis of the report of the credit agency.

If we obtain explicit consent from contractual partners, the legal basis for the credit report and the transmission of the customer's data to the credit agencies is that consent. If no consent is obtained, the credit report is conducted on the basis of our legitimate interests in securing our payment claims.

  • Types of data processed: Master data (e.g. full name, residential address, contact information, customer number, etc.); Payment data (e.g. bank details, invoices, payment history); Contact data (e.g. postal and email addresses or phone numbers); Contract data (e.g. subject matter of the contract, duration, customer category). Creditworthiness data (e.g. received credit score, estimated default probability, risk classification based on this, historical payment behavior).
  • Data subjects: Service recipients and clients; Prospects. Business and contractual partners.
  • Purposes of processing: Assessment of creditworthiness.
  • Retention and deletion: Deletion in accordance with the information in the section "General information on data retention and deletion".
  • Legal bases: Consent (Art. 6(1)(1)(a) GDPR). Legitimate interests (Art. 6(1)(1)(f) GDPR).
  • Automated individual decisions: Credit report (decision based on a credit check).

Provision of the online offering and web hosting

We process users' data to be able to provide our online services. For this purpose we process the user's IP address, which is necessary to transmit the content and functions of our online services to the user's browser or end device.

  • Types of data processed: Usage data (e.g. page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); Meta, communication and procedural data (e.g. IP addresses, timestamps, identification numbers, persons involved); Log data (e.g. log files regarding logins or data retrieval or access times). Content data (e.g. textual or pictorial messages and contributions and the information relating thereto, such as authorship or time of creation).
  • Data subjects: Users (e.g. website visitors, users of online services).
  • Purposes of processing: Provision of our online offering and user-friendliness; IT infrastructure (operation and provision of information systems and technical devices (computers, servers etc.)). Security measures.
  • Retention and deletion: Deletion in accordance with the information in the section "General information on data retention and deletion".
  • Legal bases: Legitimate interests (Art. 6(1)(1)(f) GDPR).

Further notes on processing procedures, processes and services:

  • Provision of the online offering on rented storage space: For the provision of our online offering we use storage space, computing capacity and software that we rent or otherwise obtain from a corresponding server provider (also called "web host"); Legal bases: Legitimate interests (Art. 6(1)(1)(f) GDPR).
  • Collection of access data and log files: Access to our online offering is logged in the form of so-called "server log files". Server log files may include the address and name of the retrieved web pages and files, date and time of retrieval, amount of data transferred, message about successful retrieval, browser type including version, the user's operating system, referrer URL (the previously visited page) and usually IP addresses and the requesting provider. Server log files can be used on the one hand for security purposes, e.g. to prevent overload of servers (especially in the event of abusive attacks, so-called DDoS attacks), and on the other hand to ensure the servers' capacity utilization and stability; Legal bases: Legitimate interests (Art. 6(1)(1)(f) GDPR). Deletion of data: Log file information is stored for a maximum of 30 days and then deleted or anonymized. Data whose further storage is necessary for evidentiary purposes are excluded from deletion until the respective incident has been finally clarified.
  • Hosting.de: Services in the field of provision of IT infrastructure and related services (e.g. storage space and/or computing capacity); Service provider: hosting.de GmbH, Franzstr. 51, 52064 Aachen, Germany; Legal bases: Legitimate interests (Art. 6(1)(1)(f) GDPR); Website: https://www.hosting.de/; Privacy policy: https://www.hosting.de/ueber-uns/datenschutz/. Data processing agreement: Provided by the service provider.

Use of cookies

By "cookies" we mean functions that store information on users' end devices and read it out. Cookies can be used for different purposes, such as functionality, security and convenience of online offerings as well as for creating analyses of visitor flows. We use cookies in accordance with the statutory provisions. For this purpose, if necessary, we obtain the consent of the users in advance. If consent is not necessary, we rely on our legitimate interests. This applies when storing and reading information is essential to provide explicitly requested content and functions. These include, for example, the storage of settings and ensuring the functionality and security of our online offering. Consent can be revoked at any time. We provide clear information about its scope and which cookies are used.

Notes on legal bases under data protection law: Whether we process personal data using cookies depends on consent. If consent is given, it serves as the legal basis. Without consent, we rely on our legitimate interests, which are explained above in this section and in the context of the respective services and procedures.

Retention period: With regard to retention periods, the following types of cookies are distinguished:

  • Temporary cookies (also: session cookies): Temporary cookies are deleted at the latest after a user leaves an online offering and closes his or her end device (e.g. browser or mobile application).
  • Persistent cookies: Persistent cookies remain stored even after the end device is closed. For example, login status can be stored and preferred content can be displayed directly when the user visits a website again. Likewise, user data collected via cookies can be used for reach measurement. If we do not provide users with explicit information about the type and retention period of cookies (e.g. as part of obtaining consent), they should assume that these are persistent and that the retention period can be up to two years.

General notes on revocation and objection (opt-out): Users can revoke the consents they have given at any time and also object to the processing in accordance with the statutory provisions, also by using the privacy settings of their browser.

  • Types of data processed: Meta, communication and procedural data (e.g. IP addresses, timestamps, identification numbers, persons involved).
  • Data subjects: Users (e.g. website visitors, users of online services).
  • Legal bases: Legitimate interests (Art. 6(1)(1)(f) GDPR). Consent (Art. 6(1)(1)(a) GDPR).

Further notes on processing procedures, processes and services:

  • Processing of cookie data on the basis of consent: We use a consent management solution where users' consent to the use of cookies or to the procedures and providers named in the consent management solution is obtained. This procedure is used to obtain, log, manage and revoke consents, in particular with regard to the use of cookies and comparable technologies that are used to store, read and process information on users' end devices. As part of this procedure, users' consents for the use of cookies and the associated processing of information, including the specific processing and providers named in the consent management procedure, are obtained. Users also have the option to manage and revoke their consents. The declarations of consent are stored in order to avoid repeated queries and to be able to provide evidence of consent in accordance with legal requirements. The storage is carried out server-side and/or in a cookie (so-called opt-in cookie) or by means of comparable technologies in order to assign the consent to a specific user or his or her device. If no specific information about the providers of consent management services is available, the following general information applies: The retention period of the consent is up to two years. A pseudonymous user identifier is created, which is stored together with the time of consent, the information on the scope of the consent (e.g. categories of cookies and/or service providers concerned) as well as information about the browser, the system and the device used; Legal bases: Consent (Art. 6(1)(1)(a) GDPR).
  • Cookiefirst: Storage and management of consents (consent to cookies and data processing), logging of user decisions, display of notices on data protection and cookies, enabling revocation or adjustment of consents by users; Service provider: Digital Data Solutions B.V., Plantage Middenlaan 42a, 1018 DH Amsterdam, Netherlands; Website: https://cookiefirst.com/de/; Privacy policy: https://cookiefirst.com/legal/privacy-policy/; Further information: Stored data (on the service provider's server): the user's IP number, date and time of consent, browser information, the URL from which the consent was sent, an anonymous, random and encrypted key value, the user's consent status.

Contact and request management

When contacting us (e.g. by post, contact form, email, telephone or via social media) and within the scope of existing user and business relationships, the information of the persons making inquiries is processed insofar as it is necessary to answer the contact requests and any requested measures.

  • Types of data processed: Master data (e.g. full name, residential address, contact information, customer number, etc.); Contact data (e.g. postal and email addresses or phone numbers); Content data (e.g. textual or pictorial messages and contributions and the information relating thereto, such as authorship or time of creation); Usage data (e.g. page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions). Meta, communication and procedural data (e.g. IP addresses, timestamps, identification numbers, persons involved).
  • Data subjects: Communication partners.
  • Purposes of processing: Communication; Organizational and administrative procedures; Feedback (e.g. collecting feedback via online form). Provision of our online offering and user-friendliness.
  • Retention and deletion: Deletion in accordance with the information in the section "General information on data retention and deletion".
  • Legal bases: Legitimate interests (Art. 6(1)(1)(f) GDPR). Performance of a contract and pre-contractual inquiries (Art. 6(1)(1)(b) GDPR).

Further notes on processing procedures, processes and services:

  • Contact form: When contacting us via our contact form, by email or other means of communication, we process the personal data transmitted to us in order to respond to and process the respective concern. This usually includes information such as name, contact details and, if applicable, further information provided to us and required for proper processing. We use this data exclusively for the stated purpose of contact and communication; Legal bases: Performance of a contract and pre-contractual inquiries (Art. 6(1)(1)(b) GDPR), Legitimate interests (Art. 6(1)(1)(f) GDPR).

Artificial Intelligence (AI)

We use Artificial Intelligence (AI) in which personal data are processed. The specific purposes and our interest in the use of AI are stated below. By AI we mean, in accordance with the term "AI system" pursuant to Article 3(1) of the AI Act, a machine-assisted system that is designed for varying degrees of autonomous operation, can be adaptable after its introduction and produces results from the inputs received such as predictions, content, recommendations or decisions that may influence physical or virtual environments.

Our AI systems are used in strict compliance with statutory provisions. These include both specific regulations for Artificial Intelligence and data protection requirements. In doing so, we in particular adhere to the principles of lawfulness, transparency, fairness, human oversight, purpose limitation, data minimization and integrity as well as confidentiality. We ensure that the processing of personal data always takes place on a legal basis. This may be either the consent of the data subjects or a legal permission.

When using external AI systems, we carefully select their providers (hereinafter "AI providers"). In accordance with our legal obligations, we ensure that the AI providers comply with the applicable provisions. We also observe our obligations when using or operating the acquired AI services. The processing of personal data by us and the AI providers takes place exclusively on the basis of consent or legal authorization. We place particular emphasis on transparency, fairness and maintaining human control over AI-assisted decision-making processes.

To protect the processed data we implement appropriate and robust technical and organizational measures. These ensure the integrity and confidentiality of the processed data and minimize potential risks. Through regular reviews of the AI providers and their services we ensure ongoing compliance with current legal and ethical standards.

  • Types of data processed: Content data (e.g. textual or pictorial messages and contributions and the information relating thereto, such as authorship or time of creation). Usage data (e.g. page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions).
  • Data subjects: Users (e.g. website visitors, users of online services). Third parties.
  • Purposes of processing: Artificial Intelligence (AI).
  • Retention and deletion: Deletion in accordance with the information in the section "General information on data retention and deletion".
  • Legal bases: Legitimate interests (Art. 6(1)(1)(f) GDPR).

Video conferences, online meetings, webinars and screen sharing

We use platforms and applications of other providers (hereinafter referred to as "conference platforms") for the purpose of conducting video and audio conferences, webinars and other types of video and audio meetings (hereinafter collectively referred to as "conference"). When selecting conference platforms and their services we pay attention to the legal requirements.

Data processed by conference platforms: In the course of participation in a conference the conference platforms process the personal data of the participants listed below. The scope of processing depends on which data are required in the context of a specific conference (e.g. provision of access data or real names) and which optional data are provided by the participants. In addition to processing for the implementation of the conference, the data of participants may also be processed by the conference platforms for security purposes or service optimization. Processed data include personal data (first name, last name), contact information (email address, telephone number), access data (access codes or passwords), profile pictures, information on professional position/function, the IP address of the internet access, information about the participants' end devices, their operating system, the browser and its technical and language settings, information about the content of communications, i.e. entries in chats as well as audio and video data, as well as the use of other available functions (e.g. polls). Content of communications is encrypted to the technical extent provided by the conference providers. If participants are registered as users with the conference platforms, further data may be processed in accordance with the agreement with the respective conference provider.

Logging and recordings: If text entries, participation results (e.g. from polls) as well as video or audio recordings are logged, this will be made transparent to the participants in advance and they will be asked - if required - for their consent.

Data protection measures by participants: Please refer to the conference platforms' privacy notices for details on how they process your data and choose the optimal security and privacy settings within the conference platforms' settings. Please also ensure during a video conference that the background of your recording protects data and privacy (e.g. by informing roommates, locking doors and using, where technically possible, the function to blur the background). Links to conference rooms and access data must not be passed on to unauthorized third parties.

Notes on legal bases: If, in addition to the conference platforms, we also process users' data and ask users for their consent to the use of the conference platforms or certain functions (e.g. consent to recording conferences), the legal basis for the processing is that consent. Furthermore, our processing may be necessary to fulfill our contractual obligations (e.g. for participant lists, in the case of processing meeting outcomes, etc.). Otherwise, users' data are processed on the basis of our legitimate interests in efficient and secure communication with our communication partners.

  • Types of data processed: Master data (e.g. full name, residential address, contact information, customer number, etc.); Contact data (e.g. postal and email addresses or phone numbers); Content data (e.g. textual or pictorial messages and contributions and the information relating thereto, such as authorship or time of creation); Usage data (e.g. page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); Image and/or video recordings (e.g. photographs or video recordings of a person); Audio recordings. Log data (e.g. log files regarding logins or data retrieval or access times).
  • Data subjects: Communication partners; Users (e.g. website visitors, users of online services). Depicted persons.
  • Purposes of processing: Provision of contractual services and performance of contractual obligations; Communication. Office and organizational procedures.
  • Retention and deletion: Deletion in accordance with the information in the section "General information on data retention and deletion".
  • Legal bases: Legitimate interests (Art. 6(1)(1)(f) GDPR).

Further notes on processing procedures, processes and services:

  • Microsoft Teams: Used to conduct online events, conferences and communication with internal and external participants. Used features include voice transmission, direct messages, group communication and collaboration functions; name, business contact details, work profile, participation and content (audio/video, speech, chat, files, speech transcription) are processed for purposes and interests in efficiency and productivity improvements, cost efficiency, flexibility, mobility, improved communication, IT security, use of a central platform and Microsoft's business processing. Audio signals are generally not stored unless recording is enabled. Meeting and conference recordings are stored by default for 90 days unless another duration is specified. Chat and file contents are stored according to policies set by the administrator or the user; no automatic deletion is preset. Channels must be renewed every 180 days; otherwise contents are deleted. In addition, system-generated log data, diagnostic data and metadata are processed, and diagnostic data are collected for product stability, security and improvement; Service provider: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland; Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA; Legal bases: Legitimate interests (Art. 6(1)(1)(f) GDPR); Website: https://www.microsoft.com/de-de/microsoft-teams/; Privacy policy: https://privacy.microsoft.com/de-de/privacystatement, Security information: https://www.microsoft.com/de-de/trustcenter. Basis for third-country transfers: Data Privacy Framework (DPF), Standard Contractual Clauses (https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA).

Cloud services

We use software services accessible via the Internet and executed on the servers of their providers (so-called "cloud services", also referred to as "software as a service") for the storage and management of content (e.g. document storage and management, exchange of documents, content and information with certain recipients or publication of content and information).

In this context, personal data can be processed and stored on the providers' servers insofar as they are part of communication processes with us or are otherwise processed by us as set out in this privacy policy. These data may in particular include master data and contact data of users, data on transactions, contracts, other processes and their content. The cloud service providers also process usage data and metadata, which they use for security purposes and for service optimization.

If we provide forms or other documents and content for other users or publicly accessible websites using cloud services, the providers may store cookies on users' devices for web analytics purposes or to remember users' settings (e.g. in the case of media control).

  • Types of data processed: Master data (e.g. full name, residential address, contact information, customer number, etc.); Contact data (e.g. postal and email addresses or phone numbers); Content data (e.g. textual or pictorial messages and contributions and the information relating thereto, such as authorship or time of creation). Usage data (e.g. page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions).
  • Data subjects: Prospects; Communication partners. Business and contractual partners.
  • Purposes of processing: Office and organizational procedures. IT infrastructure (operation and provision of information systems and technical devices (computers, servers etc.)).
  • Retention and deletion: Deletion in accordance with the information in the section "General information on data retention and deletion".
  • Legal bases: Legitimate interests (Art. 6(1)(1)(f) GDPR).

Further notes on processing procedures, processes and services:

  • Microsoft 365 and Microsoft cloud services: Provision of applications, protection of data and IT systems as well as use of system-generated logs, diagnostic and metadata for contract fulfillment by Microsoft. Processed data include contact data (name, email address), content data (files, comments, profiles), software setup and inventory data, device connectivity and configuration data, work interactions (badge swipe) as well as log and metadata. Processing is carried out for the purposes of efficiency and productivity improvements, cost efficiency, flexibility, mobility, improved communication, integration of Microsoft services, IT security and Microsoft's business processing. The retention of data is governed by the respective documents and company policies, with Defender (protection of data and IT systems) up to 12 months, and print management 10 days. In addition, diagnostic data are collected for product stability and improvement; Service provider: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland; Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA; Legal bases: Legitimate interests (Art. 6(1)(1)(f) GDPR); Website: https://microsoft.com/de-de; Privacy policy: https://privacy.microsoft.com/de-de/privacystatement, Security information: https://www.microsoft.com/de-de/trustcenter; Data processing agreement: https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA. Basis for third-country transfers: Data Privacy Framework (DPF), Standard Contractual Clauses (https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA).
  • Microsoft EU Data Boundary: Our use of Microsoft cloud services is within the so-called "EU Data Boundary", which ensures that data are stored and processed within the European Union (EU) and the European Free Trade Association (EFTA).

    The EU Data Boundary is a defined region in which Microsoft commits to storing and processing customer data and personal data for certain online services (Microsoft 365, Azure, Dynamics 365 and the Power Platform) within the EU/EFTA region. Companies that use these services can ensure that their data remain within the EU/EFTA region. This includes both general customer data and support data that arise in the context of technical services. In many cases pseudonymized data are also processed within this region.

    The EU Data Boundary covers all EU countries as well as the EFTA states (Liechtenstein, Iceland, Norway and Switzerland). Microsoft operates data centers in several of these countries, including Germany, France, Ireland, the Netherlands, Sweden, Spain and Switzerland. Additional locations may be added.

    Microsoft automatically creates logs as part of operations to ensure the security and functionality of its services. These logs mainly contain technical information but may in certain cases also include personal data, e.g. when user actions are documented.

    To protect these data, Microsoft uses techniques such as encryption, masking and tokenization (replacing sensitive data with non-traceable character strings). This ensures that Microsoft employees only see pseudonymized data and cannot draw direct conclusions about individual users. There are also strict access rules and deletion deadlines for these data.

    Microsoft has assured that data transfers outside the EU take place only in a few, precisely defined cases. This may be necessary, for example, to implement global cybersecurity measures or to ensure the functionality of the cloud services. These transfers always take place under high security standards such as encryption and pseudonymization.

    Further information on the EU Data Boundary and Microsoft's data protection measures can be found in the Microsoft EU Data Boundary Trust Center: https://www.microsoft.com/de-de/trust-center/privacy/european-data-boundary-eudb.

Newsletters and electronic notifications

We send newsletters, e-mails and other electronic notifications (hereinafter "newsletters") only with the consent of the recipients or on a statutory basis. If the content of the newsletter is specified when registering for the newsletter, this content is decisive for the user's consent. To register for our newsletter, it is usually sufficient to enter your email address. However, in order to be able to offer you a personalized service, we may ask you to provide your name so that we can address you personally in the newsletter, or to provide further information if this is necessary for the purpose of the newsletter.

Deletion and restriction of processing: We may store unsubscribed email addresses for up to three years on the basis of our legitimate interests before we delete them in order to be able to prove a previously given consent. The processing of these data is restricted to the purpose of a possible defense against claims. An individual deletion request is possible at any time, provided that the previous existence of a consent is confirmed at the same time. In the case of obligations to permanently observe objections, we reserve the right to store the email address solely for this purpose in a suppression list (so-called "blocklist").

The logging of the subscription process is carried out on the basis of our legitimate interests for the purpose of proving its proper course. If we commission a service provider with the sending of e-mails, this is done on the basis of our legitimate interests in an efficient and secure dispatch system.

Content:

Information about us, our services, promotions and offers.

  • Types of data processed: Master data (e.g. full name, residential address, contact information, customer number, etc.); Contact data (e.g. postal and email addresses or phone numbers); Meta, communication and procedural data (e.g. IP addresses, timestamps, identification numbers, persons involved). Usage data (e.g. page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions).
  • Data subjects: Communication partners.
  • Purposes of processing: Direct marketing (e.g. by e-mail or post).
  • Legal bases: Consent (Art. 6(1)(1)(a) GDPR).
  • Opt-out possibility: You can unsubscribe from our newsletter at any time, i.e. revoke your consent or object to further receipt. A link to unsubscribe from the newsletter can be found either at the end of each newsletter or you can use one of the contact options given above, preferably e-mail.

Further notes on processing procedures, processes and services:

  • Measurement of open and click rates: The newsletters contain a so-called "web beacon", i.e. a pixel-sized file that is retrieved from our server or from that of the dispatch service provider when the newsletter is opened. In the context of this retrieval, technical information such as information about the browser and your system as well as your IP address and the time of retrieval are initially collected. This information is used to improve our newsletter technically, based on the technical data or on the target groups and their reading behavior, which is derived from their retrieval locations (which can be determined using the IP address) or access times. This analysis also includes determining whether and when the newsletter was opened and which links were clicked. The information is assigned to the individual newsletter recipients and stored in their profiles until deletion. The evaluations serve to recognize the reading habits of our users and to adapt our content to them or to send different content according to the interests of our users. The measurement of open and click rates as well as the storage of the measurement results in the users' profiles and their further processing is carried out on the basis of users' consent. A separate revocation of the success measurement is unfortunately not possible; in that case the entire newsletter subscription must be cancelled or objected to, and the stored profile information will then be deleted; Legal bases: Consent (Art. 6(1)(1)(a) GDPR).

Promotional communication via e-mail, post, fax or telephone

We process personal data for the purpose of promotional communication, which may be carried out via various channels, such as email, telephone, post or fax, in accordance with the statutory provisions.

Recipients have the right to withdraw consent given at any time or to object to promotional communication at any time.

After withdrawal or objection, we store the data required to prove the prior authorization to contact recipients or send them communications for up to three years after the end of the year of the withdrawal or objection, on the basis of our legitimate interests. The processing of these data is restricted to the purpose of a possible defense against claims. On the basis of the legitimate interest in permanently observing users' withdrawal or objection, we also store the data required to prevent renewed contact (e.g. depending on the communication channel the email address, telephone number, name).

  • Types of data processed: Master data (e.g. full name, residential address, contact information, customer number, etc.); Contact data (e.g. postal and email addresses or phone numbers). Content data (e.g. textual or pictorial messages and contributions and the information relating thereto, such as authorship or time of creation).
  • Data subjects: Communication partners.
  • Purposes of processing: Direct marketing (e.g. by email or post); Marketing. Sales promotion.
  • Retention and deletion: Deletion in accordance with the information in the section "General information on data retention and deletion".
  • Legal bases: Consent (Art. 6(1)(1)(a) GDPR). Legitimate interests (Art. 6(1)(1)(f) GDPR).

Competitions and sweepstakes

We process personal data of participants in competitions and sweepstakes only in compliance with the applicable data protection provisions, insofar as the processing is contractually necessary for the provision, execution and processing of the competition, the participants have consented to the processing or the processing serves our legitimate interests (e.g. in the security of the competition or the protection of our interests against misuse by possibly collecting IP addresses when submitting entries).

If entries of participants are published in the context of the competition (e.g. as part of a vote or presentation of the entries or the winners or reporting on the competition), we point out that the names of the participants may also be published in this context. Participants can object to this at any time.

If the competition takes place within an online platform or social network (e.g. Facebook or Instagram, hereinafter referred to as "online platform"), the terms of use and privacy policies of the respective platforms also apply. In these cases we point out that we are responsible for the information provided by participants in the context of the competition and that inquiries regarding the competition should be directed to us.

Participants' data will be deleted as soon as the competition or contest has ended and the data are no longer required to inform the winners or because no further inquiries concerning the competition are expected. As a rule, participants' data will be deleted no later than six months after the end of the competition. Winners' data may be retained longer in order to answer inquiries about prizes or to be able to fulfill prize services; in this case the retention period depends on the type of prize and is, for example, up to three years for goods or services in order to be able to process warranty claims. Furthermore, participants' data may be stored for longer, e.g. as part of coverage of the competition in online and offline media.

If data are collected for other purposes in the context of the competition, their processing and retention period are governed by the privacy notices for that use (e.g. in the case of registration for a newsletter as part of a competition).

  • Types of data processed: Master data (e.g. full name, residential address, contact information, customer number, etc.); Contact data (e.g. postal and email addresses or phone numbers). Content data (e.g. textual or pictorial messages and contributions and the information relating thereto, such as authorship or time of creation).
  • Data subjects: Competition and sweepstake participants.
  • Purposes of processing: Conducting competitions and sweepstakes.
  • Retention and deletion: Deletion in accordance with the information in the section "General information on data retention and deletion".
  • Legal bases: Performance of a contract and pre-contractual inquiries (Art. 6(1)(1)(b) GDPR). Legitimate interests (Art. 6(1)(1)(f) GDPR).

Surveys and questionnaires

We conduct surveys and questionnaires to collect information for the survey's stated purpose. The surveys and questionnaires we carry out (hereinafter "surveys") are evaluated anonymously. Personal data are processed only to the extent necessary to provide and technically conduct the surveys (e.g. processing of the IP address to display the survey in the user's browser or to allow resumption of the survey using a cookie).

  • Types of data processed: Master data (e.g. full name, residential address, contact information, customer number, etc.); Contact data (e.g. postal and email addresses or phone numbers); Content data (e.g. textual or pictorial messages and contributions and the information relating thereto, such as authorship or time of creation); Usage data (e.g. page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions). Meta, communication and procedural data (e.g. IP addresses, timestamps, identification numbers, persons involved).
  • Data subjects: Participants. Users (e.g. website visitors, users of online services).
  • Purposes of processing: Feedback (e.g. collecting feedback via online form). Surveys and questionnaires (e.g. surveys with input options, multiple choice questions).
  • Retention and deletion: Deletion in accordance with the information in the section "General information on data retention and deletion".
  • Legal bases: Legitimate interests (Art. 6(1)(1)(f) GDPR).

Web analytics, monitoring and optimization

Web analytics (also called "reach measurement") serves to evaluate visitor flows of our online offering and may include behavior, interests or demographic information about visitors, such as age or gender, as pseudonymous values. With the help of reach analysis we can, for example, find out at what time our online offering or its functions or contents are used most frequently or encourage repeat use. We can also identify which areas need optimization.

In addition to web analytics, we may also use test procedures to test and optimize different versions of our online offering or its components.

Unless otherwise stated below, profiles, i.e. data combined into a usage event, may be created for these purposes and information may be stored and then read out in a browser or on a device. The collected information includes in particular visited websites and elements used there as well as technical information such as the browser used, the computer system used and information on usage times. If users have given us or the providers of the services we use their consent to the collection of their location data, processing of location data may also be possible.

In addition, users' IP addresses are stored. However, we use an IP masking procedure (i.e. pseudonymization by shortening the IP address) to protect users. In general, no clear-text data of users (such as e-mail addresses or names) are stored in the context of web analytics, A/B testing and optimization, only pseudonyms. This means that neither we nor the providers of the software used know the actual identity of the users, but only the information stored in their profiles for the purposes of the respective procedures.

Notes on legal bases: If we ask users for their consent to the use of third-party providers, consent constitutes the legal basis for data processing. Otherwise, user data are processed on the basis of our legitimate interests (i.e. interest in efficient, economical and recipient-friendly services). In this context we would also like to refer you to the information on the use of cookies in this privacy policy.

  • Types of data processed: Usage data (e.g. page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions). Meta, communication and procedural data (e.g. IP addresses, timestamps, identification numbers, persons involved).
  • Data subjects: Users (e.g. website visitors, users of online services).
  • Purposes of processing: Reach measurement (e.g. access statistics, recognition of returning visitors); Profiles with user-related information (creation of user profiles). Provision of our online offering and user-friendliness.
  • Retention and deletion: Deletion in accordance with the information in the section "General information on data retention and deletion". Storage of cookies for up to 2 years (Unless otherwise stated, cookies and similar storage methods may be stored on users' devices for a period of two years.).
  • Security measures: IP masking (pseudonymization of the IP address).
  • Legal bases: Consent (Art. 6(1)(1)(a) GDPR). Legitimate interests (Art. 6(1)(1)(f) GDPR).

Further notes on processing procedures, processes and services:

  • Google Analytics: We use Google Analytics to measure and analyze the usage of our online offering on the basis of a pseudonymous user identification number. This identification number contains no uniquely identifying data such as names or email addresses. It serves to assign analysis information to an end device in order to determine which content users have accessed within one or more usage sessions, which search terms they used, whether they accessed content again or how they interacted with our online offering. The time of use and its duration are also stored, as well as the sources that refer users to our online offering and technical aspects of their end devices and browsers.
    In doing so, pseudonymous profiles of users are created with information from the use of different devices, whereby cookies may be used. Google Analytics does not log and store individual IP addresses for EU users. However, Analytics provides coarse geographic location data by deriving the following metadata from IP addresses: city (and the derived latitude and longitude of the city), continent, country, region, subcontinent (and ID-based counterparts). For EU traffic, IP address data are used exclusively for this derivation of geolocation data before they are immediately deleted. They are not logged, are not accessible and are not used for further purposes. When Google Analytics collects measurement data, all IP queries are performed on EU-based servers before traffic is forwarded to analytics servers for processing; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal bases: Consent (Art. 6(1)(1)(a) GDPR); Website: https://marketingplatform.google.com/intl/de/about/analytics/; Security measures: IP masking (pseudonymization of the IP address); Privacy policy: https://policies.google.com/privacy; Data processing agreement: https://business.safety.google/adsprocessorterms/; Basis for third-country transfers: Data Privacy Framework (DPF), Standard Contractual Clauses (https://business.safety.google/adsprocessorterms); Opt-out possibility: Opt-out plugin: https://tools.google.com/dlpage/gaoptout?hl=de, settings for ad personalization: https://myadcenter.google.com/personalizationoff. Further information: https://business.safety.google/adsservices/ (types of processing and processed data).
  • Google as recipient of the consent: The consent given by users in the context of a consent dialog (also known as "cookie opt-in/consent", "cookie banner", etc.) serves several purposes. On the one hand, it enables us to fulfill our duty to obtain consent for the storage and reading of information on and from users' end devices (in accordance with ePrivacy guidelines). On the other hand, it covers the processing of users' personal data in accordance with data protection requirements. In addition, this consent also applies to Google, since the company is obliged by the Digital Markets Act to obtain consent for personalized services. Therefore, we share the status of consents given by users with Google. Our consent management software informs Google whether consents have been given or not. The aim is to ensure that the consents given or not given by users are taken into account when using Google Analytics and when integrating functions and external services in our online offering. In this way, users' consents and their revocation can be dynamically adjusted within Google Analytics and other Google services in our online offering depending on the user's choice; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal bases: Consent (Art. 6(1)(1)(a) GDPR); Website: https://support.google.com/analytics/answer/9976101?hl=de. Privacy policy: https://policies.google.com/privacy.
  • Google Tag Manager: We use Google Tag Manager, a Google software that allows us to centrally manage so-called website tags via a user interface. Tags are small code elements on our website that are used to record and analyze visitor activities. This technology helps us to improve our website and the content offered on it. The Google Tag Manager itself does not create user profiles, does not store cookies with user profiles and does not perform independent analyses. Its function is limited to simplifying and making more efficient the integration and management of tools and services that we use on our website. Nevertheless, when using Google Tag Manager the user's IP address is transmitted to Google for technical reasons, which is necessary to implement the services we use. Cookies may also be set. However, this data processing only occurs if services are embedded via the Tag Manager. For more detailed information on these services and their data processing, we refer to the further sections of this privacy policy; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal bases: Consent (Art. 6(1)(1)(a) GDPR); Website: https://marketingplatform.google.com; Privacy policy: https://policies.google.com/privacy; Data processing agreement: https://business.safety.google/adsprocessorterms. Basis for third-country transfers: Data Privacy Framework (DPF), Standard Contractual Clauses (https://business.safety.google/adsprocessorterms).

Online marketing

We process personal data for the purpose of online marketing, which may include in particular the marketing of advertising space or the display of advertising and other content (collectively referred to as "content") based on potential interests of users and the measurement of their effectiveness.

For these purposes, so-called user profiles are created and stored in a file (the so-called "cookie") or similar procedures are used to store information relevant to the user for the display of the aforementioned content. This may include, for example, content viewed, websites visited, online networks used, but also communication partners and technical information such as the browser used, the computer system used and information on usage times and functions used. If users have consented to the collection of their location data, these may also be processed.

In addition, users' IP addresses are stored. However, we use available IP masking procedures (i.e. pseudonymization by shortening the IP address) to protect users. In general, no clear-text data of users (such as email addresses or names) are stored in the context of online marketing procedures, only pseudonyms. This means that neither we nor the providers of the online marketing procedures know the real identity of the users, but only the information stored in their profiles.

The information in the profiles is usually stored in cookies or by similar procedures. These cookies can later generally be read on other websites that use the same online marketing procedure and analyzed for the purpose of displaying content as well as supplemented with further data and stored on the online marketing provider's server.

In exceptional cases it is possible to assign clear-text data to the profiles, mainly when users are members of a social network whose online marketing procedures we use and the network links user profiles with the aforementioned information. Please note that users may make additional agreements with providers, e.g. by granting consent during registration.

We generally only gain access to aggregated information about the success of our advertisements. However, within so-called conversion measurement we can check which of our online marketing procedures led to a so-called conversion, i.e. for example to a contract with us. Conversion measurement is used solely for success analysis of our marketing activities.

Unless otherwise stated, please assume that cookies used are stored for a period of two years.

Notes on legal bases: If we ask users for their consent to the use of third-party providers, consent constitutes the legal basis for the data processing. Otherwise, users' data are processed on the basis of our legitimate interests (i.e. interest in efficient, economical and recipient-friendly services). In this context we would also like to refer you to the information on the use of cookies in this privacy policy.

Notes on revocation and objection:

We refer to the privacy notices of the respective providers and the objection options (so-called "opt-out") provided by the providers. If no explicit opt-out option is indicated, one option is to disable cookies in your browser settings. However, this can restrict the functions of our online offering. We therefore additionally recommend the following opt-out options, which are offered in summary form for the respective regions:

a) Europe: https://www.youronlinechoices.eu.

b) Canada: https://youradchoices.ca/.

c) USA: https://optout.aboutads.info/.

d) Cross-region: https://optout.aboutads.info.

  • Types of data processed: Usage data (e.g. page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions). Meta, communication and procedural data (e.g. IP addresses, timestamps, identification numbers, persons involved).
  • Data subjects: Users (e.g. website visitors, users of online services).
  • Purposes of processing: Reach measurement (e.g. access statistics, recognition of returning visitors); Tracking (e.g. interest-/behavior-based profiling, use of cookies); Audience building; Marketing. Profiles with user-related information (creation of user profiles).
  • Retention and deletion: Deletion in accordance with the information in the section "General information on data retention and deletion". Storage of cookies for up to 2 years (Unless otherwise stated, cookies and similar storage methods may be stored on users' devices for a period of two years.).
  • Security measures: IP masking (pseudonymization of the IP address).

Digital badges

Digital badges, also known as Open Badges (hereinafter briefly "badges"), are digital certificates that attest to the skills, achievements and interests of individuals or organizations. They are issued by credible organizations. Badges are provided with metadata and information about the acquired skills and achievements. Typically, badges are represented by an image or a digital certificate that contains information about the recipient, issuer, metadata and other relevant information.

If badges are issued individually for certain persons, the metadata stored in the badges and used to assign them, which relate to the skills, achievements and interests of the persons concerned, are processed.

If cookies and comparable technologies that are not necessary for the badges are used and users' consent is therefore required, we obtain the corresponding consent from the users and inform them accordingly.

  • Types of data processed: Master data (e.g. full name, residential address, contact information, customer number, etc.); Content data (e.g. textual or pictorial messages and contributions and the information relating thereto, such as authorship or time of creation). Usage data (e.g. page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions).
  • Data subjects: Service recipients and clients; Users (e.g. website visitors, users of online services). Business and contractual partners.
  • Purposes of processing: Marketing; Provision of our online offering and user-friendliness. Public relations and information purposes.
  • Retention and deletion: Deletion in accordance with the information in the section "General information on data retention and deletion". Deletion upon termination.
  • Legal bases: Consent (Art. 6(1)(1)(a) GDPR). Legitimate interests (Art. 6(1)(1)(f) GDPR).

Presences in social networks (social media)

We maintain online presences within social networks and process user data in this context in order to communicate with users active there or to provide information about us.

We point out that user data may be processed outside the territory of the European Union. This may entail risks for users because, for example, enforcement of users' rights may be more difficult.

Furthermore, users' data within social networks are generally processed for market research and advertising purposes. For example, usage profiles can be created based on users' usage behavior and resulting interests. These profiles may be used to place advertisements inside and outside the networks that are likely to match users' interests. Therefore, cookies are generally stored on users' computers in which users' usage behavior and interests are stored. In addition, data may also be stored in user profiles independently of the devices used by users (in particular if they are members of the respective platforms and are logged in there).

For a detailed presentation of the respective forms of processing and options for objection (opt-out) we refer to the privacy policies and information of the operators of the respective networks.

In the case of requests for information and the assertion of data subject rights, we also point out that these can be asserted most effectively with the providers. Only the providers have access to the user data and can take direct measures and provide information. If you nevertheless need help, you can contact us.

  • Types of data processed: Contact data (e.g. postal and email addresses or phone numbers); Content data (e.g. textual or pictorial messages and contributions and the information relating thereto, such as authorship or time of creation). Usage data (e.g. page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions).
  • Data subjects: Users (e.g. website visitors, users of online services).
  • Purposes of processing: Communication; Feedback (e.g. collecting feedback via online form). Public relations.
  • Retention and deletion: Deletion in accordance with the information in the section "General information on data retention and deletion".
  • Legal bases: Legitimate interests (Art. 6(1)(1)(f) GDPR).

Further notes on processing procedures, processes and services:

  • Instagram: Social network enabling sharing of photos and videos, commenting and liking posts, sending messages, subscribing to profiles and pages; Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal bases: Legitimate interests (Art. 6(1)(1)(f) GDPR); Website: https://www.instagram.com; Privacy policy: https://privacycenter.instagram.com/policy/. Basis for third-country transfers: Data Privacy Framework (DPF).
  • LinkedIn: Social network - We are jointly responsible with LinkedIn Ireland Unlimited Company for the collection (but not further processing) of data of visitors that are used to create the "Page Insights" (statistics) of our LinkedIn pages. These data include information about the types of content that users view or interact with, as well as actions they take. Details about the devices used are also recorded, such as IP addresses, operating system, browser type, language settings and cookie data, as well as information from user profiles, such as job function, country, industry, seniority level, company size and employment status. Information on data processing by LinkedIn can be found in LinkedIn's privacy information: https://www.linkedin.com/legal/privacy-policy.
    We have concluded a special agreement with LinkedIn Ireland ("Page Insights Joint Controller Addendum", https://legal.linkedin.com/pages-joint-controller-addendum), which in particular regulates which security measures LinkedIn must observe and in which LinkedIn has undertaken to fulfil the rights of the data subjects (i.e. users can, for example, address requests for access or deletion directly to LinkedIn). The rights of users (in particular the right to access, deletion, objection and complaint to the competent supervisory authority) are not restricted by the agreements with LinkedIn. The joint responsibility is limited to the collection and transmission of data to LinkedIn Ireland Unlimited Company, a company with its registered office in the EU. The further processing of the data is the sole responsibility of LinkedIn Ireland Unlimited Company, in particular with regard to the transfer of data to the parent company LinkedIn Corporation in the USA; Service provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland; Legal bases: Legitimate interests (Art. 6(1)(1)(f) GDPR); Website: https://www.linkedin.com; Privacy policy: https://www.linkedin.com/legal/privacy-policy; Basis for third-country transfers: Data Privacy Framework (DPF), Standard Contractual Clauses (https://legal.linkedin.com/dpa). Opt-out possibility: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.
  • YouTube: Social network and video platform; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal bases: Legitimate interests (Art. 6(1)(1)(f) GDPR); Privacy policy: https://policies.google.com/privacy; Basis for third-country transfers: Data Privacy Framework (DPF). Opt-out possibility: https://myadcenter.google.com/personalizationoff.

Plugins and embedded functions and content

We embed functional and content elements in our online offering that are obtained from the servers of their respective providers (hereinafter referred to as "third-party providers"). These can be, for example, graphics, videos or maps (hereinafter uniformly referred to as "content").

Embedding always requires that the third-party providers of these contents process the users' IP addresses, as they could not send the contents to their browsers without the IP address. The IP address is therefore required for the display of these contents or functions. We endeavor to use only such content whose respective providers use the IP address only to deliver the content. Third-party providers may also use so-called pixel tags (invisible graphics, also known as "web beacons") for statistical or marketing purposes. The "pixel tags" can evaluate information such as visitor traffic on the pages of this website. The pseudonymous information may also be stored in cookies on the users' devices and, among other things, contain technical information about the browser and the operating system, referring websites, the visit time and further information about the use of our online offering, but may also be linked with such information from other sources.

Notes on legal bases: If we ask users for their consent to the use of third-party providers, the legal basis for the data processing is this consent. Otherwise, user data are processed on the basis of our legitimate interests (i.e. interest in efficient, economical and recipient-friendly services). In this context we would also like to refer you to the information on the use of cookies in this privacy policy.

  • Types of data processed: Usage data (e.g. page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); Meta, communication and procedural data (e.g. IP addresses, timestamps, identification numbers, persons involved). Location data (information on the geographical position of a device or a person).
  • Data subjects: Users (e.g. website visitors, users of online services).
  • Purposes of processing: Provision of our online offering and user-friendliness; Reach measurement (e.g. access statistics, recognition of returning visitors); Tracking (e.g. interest-/behavior-based profiling, use of cookies); Audience building. Marketing.
  • Retention and deletion: Deletion in accordance with the information in the section "General information on data retention and deletion". Storage of cookies for up to 2 years (Unless otherwise stated, cookies and similar storage methods may be stored on users' devices for a period of two years.).
  • Legal bases: Consent (Art. 6(1)(1)(a) GDPR). Legitimate interests (Art. 6(1)(1)(f) GDPR).

Further notes on processing procedures, processes and services:

  • Google Fonts (retrieval from Google server): Retrieval of fonts (and icons) for the purpose of a technically secure, maintenance-free and efficient use of fonts and icons with regard to timeliness and loading times, their uniform presentation and consideration of possible licensing restrictions. The font provider receives the user's IP address so that the fonts can be provided in the user's browser. In addition, technical data (language settings, screen resolution, operating system, hardware used) are transmitted that are necessary to provide the fonts depending on the devices and the technical environment used. These data may be processed on a server of the font provider in the USA. When visiting our online offering, the users' browsers send their HTTP requests to the Google Fonts Web API (i.e. a software interface for retrieving fonts). The Google Fonts Web API provides users with Google's Cascading Style Sheets (CSS) and then the fonts specified in the CSS. These HTTP requests include (1) the IP address used by the respective user to access the Internet, (2) the requested URL on the Google server and (3) the HTTP headers, including the user agent that describes the browser and operating system versions of the website visitors, as well as the referrer URL (i.e. the website on which the Google font is to be displayed). IP addresses are neither logged nor stored on Google's servers and they are not analyzed. The Google Fonts Web API logs details of the HTTP requests (requested URL, user agent and referrer URL). Access to these data is restricted and strictly controlled. The requested URL identifies the font families for which the user wants to load fonts. This data is logged so that Google can determine how often a particular font family is requested. In the Google Fonts Web API, the user agent is used to adapt the font generated for the respective browser type. The user agent is primarily logged for debugging and used to generate aggregated usage statistics that measure the popularity of font families. These aggregated usage statistics are published on the "Analytics" page of Google Fonts. Finally, the referrer URL is logged so that the data can be used for production maintenance and an aggregated report on the top integrations based on the number of font requests can be generated. According to Google, none of the information collected by Google Fonts is used to create end user profiles or to serve targeted ads; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal bases: Legitimate interests (Art. 6(1)(1)(f) GDPR); Website: https://fonts.google.com/; Privacy policy: https://policies.google.com/privacy; Basis for third-country transfers: Data Privacy Framework (DPF). Further information: https://developers.google.com/fonts/faq/privacy?hl=de.
  • Google Maps: We embed maps from the "Google Maps" service provider. The data processed may include, in particular, IP addresses and users' location data; Service provider: Google Cloud EMEA Limited, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland; Legal bases: Consent (Art. 6(1)(1)(a) GDPR); Website: https://mapsplatform.google.com/; Privacy policy: https://policies.google.com/privacy. Basis for third-country transfers: Data Privacy Framework (DPF).
  • YouTube videos: Videos stored on YouTube are embedded in our online offering. The integration of these YouTube videos is done via a special domain using the "youtube-nocookie" component in the so-called "enhanced privacy mode". In "enhanced privacy mode" only information such as your IP address and information about your browser and end device may be stored on your device in cookies or by similar procedures that YouTube needs for the output, control and optimization of video playback until the video is started. Once you play the videos, additional information may be processed for the analysis of usage behavior as well as for storage in the user profile and for personalization of content and advertisements by YouTube. The storage duration for cookies may be up to two years; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal bases: Consent (Art. 6(1)(1)(a) GDPR); Website: https://www.youtube.com; Privacy policy: https://policies.google.com/privacy; Basis for third-country transfers: Data Privacy Framework (DPF). Further information: https://support.google.com/youtube/answer/171780?hl=de-DE#zippy=%2Cturn-on-privacy-enhanced-mode%2Cerweiterten-datenschutzmodus-aktivieren.

Management, organization and auxiliary tools

We use services, platforms and software of other providers (hereinafter referred to as "third-party providers") for the purposes of organization, administration, planning and provision of our services. When selecting third-party providers and their services we pay attention to the statutory requirements.

In this context personal data may be processed and stored on the servers of the third-party providers. Various data that we process in accordance with this privacy policy may be affected. These data may in particular include master data and contact data of users, data on transactions, contracts, other processes and their content.

If users are referred to the third-party providers or their software or platforms within the context of communication, business or other relationships with us, the third-party providers may process usage data and metadata for security purposes, for service optimization or for marketing purposes. We therefore ask you to note the privacy notices of the respective third-party providers.

  • Types of data processed: Content data (e.g. textual or pictorial messages and contributions and the information relating thereto, such as authorship or time of creation); Usage data (e.g. page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions). Meta, communication and procedural data (e.g. IP addresses, timestamps, identification numbers, persons involved).
  • Data subjects: Communication partners. Users (e.g. website visitors, users of online services).
  • Purposes of processing: Provision of contractual services and performance of contractual obligations. Office and organizational procedures.
  • Retention and deletion: Deletion in accordance with the information in the section "General information on data retention and deletion".
  • Legal bases: Legitimate interests (Art. 6(1)(1)(f) GDPR).

Processing of data in the context of employment relationships

In the context of employment relationships the processing of personal data is carried out with the aim of making the establishment, execution and termination of such relationships effective. This data processing supports various operational and administrative functions that are required for managing employee relationships.

In doing so, the data processing covers various aspects ranging from the initiation of the contract to its termination. Included are the organization and administration of daily working hours, management of access rights and authorizations as well as handling personnel development measures and employee discussions. The processing also serves payroll and administration of salary payments, which represent critical aspects of contract performance.

In addition, the data processing takes into account the legitimate interests of the employer responsible, such as ensuring workplace safety or capturing performance data to evaluate and optimize operational processes. The data processing also includes the disclosure of employee data in the context of external communication and publication processes where this is necessary for operational or legal purposes.

The processing of these data is always carried out in compliance with the applicable legal framework, the aim always being to create and maintain a fair and efficient working environment. This also includes taking into account the data protection of the employees concerned, anonymization or deletion of data after the processing purpose has been fulfilled or in accordance with statutory retention periods.

  • Types of data processed: Employee data (information about employees and other persons in an employment relationship); Payment data (e.g. bank details, invoices, payment history); Contract data (e.g. subject matter of the contract, duration, customer category); Master data (e.g. full name, residential address, contact information, customer number, etc.); Contact data (e.g. postal and email addresses or phone numbers); Content data (e.g. textual or pictorial messages and contributions and the information relating thereto, such as authorship or time of creation); Social data (data that are subject to social confidentiality and are processed by social insurance institutions, social assistance providers or pension authorities, for example); Log data (e.g. log files regarding logins or data retrieval or access times.); Performance and behavior data (e.g. performance and behavior aspects such as performance evaluations, feedback from superiors, training participation, compliance with company policies, self-assessments and behavior evaluations.); Working time data (e.g. start of working time, end of working time, actual working time, target working time, break times, overtime, vacation days, special leave days, sick days, absences, home office days, business trips); Salary data (e.g. basic salary, bonus payments, premiums, tax class information, surcharges for night work/overtime, tax deductions, social insurance contributions, net payment); Image and/or video recordings (e.g. photographs or video recordings of a person); Usage data (e.g. page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions). Meta, communication and procedural data (e.g. IP addresses, timestamps, identification numbers, persons involved).
  • Special categories of personal data: Health data; Religious or ideological beliefs. Trade union membership.
  • Data subjects: Employees (e.g. employees, applicants, temporary staff and other staff).
  • Purposes of processing: Establishment and execution of employment relationships (processing of employee data in the context of the establishment and execution of employment relationships); Business processes and commercial procedures; Security measures; Provision of contractual services and performance of contractual obligations; Public relations. Office and organizational procedures.
  • Legal bases: Performance of a contract and pre-contractual inquiries (Art. 6(1)(1)(b) GDPR); Legal obligation (Art. 6(1)(1)(c) GDPR); Legitimate interests (Art. 6(1)(1)(f) GDPR). Processing of special categories of personal data relating to healthcare, occupation and social security (Art. 9(2)(h) GDPR).

Further notes on processing procedures, processes and services:

  • Working time recording: Procedures for recording employees' working hours include both manual and automated methods, such as the use of time clocks, time recording software or mobile apps. Activities such as entering clock-in and clock-out times, break times, overtime and absences are recorded. Verification and validation of recorded working hours include matching with deployment or shift plans, checking absences and approval of overtime by supervisors. Reports and analyses are generated based on the recorded working hours to provide evidence of working times, overtime reports and absence statistics for management and HR; Legal bases: Performance of a contract and pre-contractual inquiries (Art. 6(1)(1)(b) GDPR), Legitimate interests (Art. 6(1)(1)(f) GDPR).
  • Authorization management: Procedures required for defining, managing and controlling access rights and user roles within a system or organization (e.g. creation of authorization profiles, role- and access-based control, review and approval of access requests, regular review of access rights, tracking and auditing of user activities, creation of security policies and procedures); Legal bases: Performance of a contract and pre-contractual inquiries (Art. 6(1)(1)(b) GDPR), Legal obligation (Art. 6(1)(1)(c) GDPR), Legitimate interests (Art. 6(1)(1)(f) GDPR).
  • Special categories of personal data: Special categories of personal data are processed in the context of employment relationships or to fulfill legal obligations. The processed special categories of personal data include data concerning health, trade union membership or religious affiliation of employees. These data may be transmitted to health insurance funds or processed to assess employees' working capacity or for occupational health management or for submissions to the tax office; Legal bases: Performance of a contract and pre-contractual inquiries (Art. 6(1)(1)(b) GDPR), Legal obligation (Art. 6(1)(1)(c) GDPR), Legitimate interests (Art. 6(1)(1)(f) GDPR).
  • Sources of processed data: Personal data processed are obtained in the context of applications and/or employment relationships. In addition, if required by law, personal data may be obtained from other sources. These may include tax authorities for tax-related information, the relevant health insurance fund for information on incapacity for work, third parties such as employment agencies or publicly accessible sources such as professional social networks in the context of application procedures; Legal bases: Legal obligation (Art. 6(1)(1)(c) GDPR), Legitimate interests (Art. 6(1)(1)(f) GDPR).
  • Video surveillance: Employee surveillance serves the security of the company, the protection of property and the safety of employees. For this purpose various procedures and data processing steps are carried out.
    First, surveillance cameras are installed and positioned after a site analysis to identify security-relevant areas. Cameras are then installed in appropriate locations, whereby notices of surveillance may be provided by posters or warning notices.
    Regular checks are carried out to ensure that the cameras are working properly and that no failures occur that could impair security.
    The actual monitoring is carried out by recording videos to capture and document potential security incidents. These recordings are then evaluated and analyzed to identify suspicious activities and respond appropriately.
    All recorded video data are archived in accordance with legal requirements and data protection guidelines. It should be noted that the data are deleted at the latest after 96 hours, unless there is a concrete suspicion that requires longer retention in order to clarify the facts or ensure company security.
    In addition, measures for data deletion are implemented as soon as retention periods have expired or the data are no longer required in order to comply with data protection policies and protect employees' privacy; Legal bases: Legitimate interests (Art. 6(1)(1)(f) GDPR).
  • Purposes of data processing: The personal data of employees are processed primarily for the establishment, execution and termination of the employment relationship. In addition, the processing of these data is necessary to fulfill legal obligations in the area of tax and social security law. Besides these primary purposes, employee data are also used to meet regulatory and supervisory requirements, to optimize electronic data processing processes and to compile internal or inter-company data, possibly including statistical data. Furthermore, employees' data may be processed to assert claims and to defend against legal disputes; Legal bases: Performance of a contract and pre-contractual inquiries (Art. 6(1)(1)(b) GDPR), Legal obligation (Art. 6(1)(1)(c) GDPR), Legitimate interests (Art. 6(1)(1)(f) GDPR).
  • Disclosure to the works council: Disclosure procedures to the works council include compiling relevant data and information and transmitting these to the works council. This includes the provision of information on personnel matters, working conditions, working time, remuneration and other topics that are of interest to the works council in the specific case, in accordance with statutory provisions and works agreements. The data collected include information about employees, working times, remuneration and other work-related aspects that are relevant to the works council; Legal bases: Performance of a contract and pre-contractual inquiries (Art. 6(1)(1)(b) GDPR), Legal obligation (Art. 6(1)(1)(c) GDPR), Legitimate interests (Art. 6(1)(1)(f) GDPR), Processing of special categories of personal data relating to healthcare, occupation and social security (Art. 9(2)(h) GDPR).
  • Disclosure of employee data: Employees' data are processed internally only by those departments that need them to fulfill business, contractual and legal obligations.
    The disclosure of data to external recipients takes place only if this is legally required or if the employees concerned have given their consent. Possible scenarios for this may be inquiries from authorities or the existence of asset formation benefits. In addition, the controller may transmit personal data to other recipients insofar as this is necessary to fulfill its contractual and legal obligations as an employer. These recipients may include: a) banks b) health insurance funds, pension insurance carriers, retirement provision institutions and other social security carriers c) authorities, courts (e.g. tax authorities, labor courts, further supervisory authorities in the context of fulfilling reporting and information obligations) d) tax and legal advisors e) third-party debtors in the case of wage and salary garnishments f) other bodies to which legally required declarations must be made.
    Furthermore, data may be disclosed to third parties if this is necessary for communication with business partners, suppliers or other service providers. Examples are information in the sender area of emails or letterheads as well as the creation of profiles on external platforms; Legal bases: Performance of a contract and pre-contractual inquiries (Art. 6(1)(1)(b) GDPR), Legitimate interests (Art. 6(1)(1)(f) GDPR).
  • Transfer of employee data to third countries: The transfer of employee data to third countries, i.e. countries outside the European Union (EU) and the European Economic Area (EEA), takes place only if this is necessary for the fulfillment of the employment relationship, is legally required or if employees have given their consent. Employees are informed separately about the details, where legally required; Legal bases: Legitimate interests (Art. 6(1)(1)(f) GDPR).
  • Business trips and expense accounting: Procedures required for planning, execution and accounting of business trips (e.g. booking travel, organizing accommodation and transport, management of travel advances, submitting and reviewing expense reports, checking and posting incurred costs, compliance with travel policies, handling travel cost management); Legal bases: Performance of a contract and pre-contractual inquiries (Art. 6(1)(1)(b) GDPR), Legal obligation (Art. 6(1)(1)(c) GDPR), Legitimate interests (Art. 6(1)(1)(f) GDPR).
  • Payroll and salary accounting: Procedures required for calculating, paying and documenting wages, salaries and other payments to employees (e.g. recording working times, calculating deductions and surcharges, remitting taxes and social security contributions, preparing payroll statements, maintaining payroll accounts, reporting to tax office and social insurance carriers); Legal bases: Performance of a contract and pre-contractual inquiries (Art. 6(1)(1)(b) GDPR), Legal obligation (Art. 6(1)(1)(c) GDPR).
  • Deletion of employee data: Employee data are deleted under German law when they are no longer required for the purpose for which they were collected, unless they must be retained or archived due to statutory obligations or the employer's interests. The following retention and archiving obligations are observed:
    • General personnel records - General personnel records (such as employment contract, employment reference, ancillary agreements) are kept for up to three years after termination of the employment relationship (§ 195 BGB).
    • Tax-relevant documents - Tax-relevant documents in the personnel file are kept for six years (§ 147 AO, § 257 HGB).
    • Information on wages and working hours - Information on wages and working hours for insured persons (accident insurance) with wage records are kept for five years (§ 165 I 1, IV 2 SGB VII).
    • Payroll lists including lists for special payments - Payroll lists including lists for special payments, provided there is booking evidence, are kept for ten years (§ 147 AO, § 257 HGB).
    • Payroll lists for interim, final and special payments - Payroll lists for interim, final and special payments are kept for six years (§ 147 AO, § 257 HGB).
    • Documents on employee insurance - Documents on employee insurance, if booking evidence is available, are kept for ten years (§ 147 AO, § 257 HGB).
    • Contribution statements to social insurance carriers - Contribution statements to social insurance carriers are kept for ten years (§ 165 SGB VII).
    • Wage accounts - Wage accounts are kept for six years (§ 41 I 9 EStG).
    • Applicant data - Are stored for up to six months from receipt of rejection.
    • Working time records (for more than 8 hours on weekdays) - Are kept for two years (§ 16 II Working Time Act (ArbZG)).
    • Application documents (after online job advertisement) - Are kept for three to a maximum of six months after receipt of rejection (§ 26 Federal Data Protection Act (BDSG) new version, § 15 IV General Equal Treatment Act (AGG)).
    • Sick notes (AU) - Are kept for up to five years (§ 6 I Compensation Act (AAG)).
    • Documents on company pension scheme - Are kept for 30 years (§ 18a Act to Improve Company Pensions (BetrAVG)).
    • Employees' sickness data - Are kept for twelve months from the onset of the illness if absences in a year do not exceed six weeks.
    • Maternity protection documents - Are kept for two years (§ 27(5) MuSchG).
    Legal bases: Performance of a contract and pre-contractual inquiries (Art. 6(1)(1)(b) GDPR), Legal obligation (Art. 6(1)(1)(c) GDPR), Legitimate interests (Art. 6(1)(1)(f) GDPR), Processing of special categories of personal data relating to healthcare, occupation and social security (Art. 9(2)(h) GDPR).
  • Personnel file management: Procedures required for organizing, updating and managing employee data and documents (e.g. recording of personnel master data, retention of employment contracts, references and certificates, updating data in case of changes, compiling documents for employee meetings, archiving personnel files, complying with data protection requirements); Legal bases: Performance of a contract and pre-contractual inquiries (Art. 6(1)(1)(b) GDPR), Legal obligation (Art. 6(1)(1)(c) GDPR), Legitimate interests (Art. 6(1)(1)(f) GDPR), Processing of special categories of personal data relating to healthcare, occupation and social security (Art. 9(2)(h) GDPR).
  • Personnel development, performance appraisal and employee discussions: Procedures required for promotion and development of employees as well as for assessing their performance and for employee discussions (e.g. needs analysis for further training, planning and conducting training measures, preparing performance assessments, holding target agreement and feedback discussions, career planning and talent management, succession planning); Legal bases: Performance of a contract and pre-contractual inquiries (Art. 6(1)(1)(b) GDPR), Legal obligation (Art. 6(1)(1)(c) GDPR), Legitimate interests (Art. 6(1)(1)(f) GDPR), Processing of special categories of personal data relating to healthcare, occupation and social security (Art. 9(2)(h) GDPR).
  • Obligation to provide data: The controller points out to employees that providing their data is necessary. This is generally the case when the data are necessary for the establishment and execution of the employment relationship or their collection is legally required. Providing data may also be necessary when employees assert claims or are entitled to rights. The execution of these measures or the fulfillment of services depends on the provision of this data (for example, the provision of data in order to receive wages); Legal bases: Performance of a contract and pre-contractual inquiries (Art. 6(1)(1)(b) GDPR), Legal obligation (Art. 6(1)(1)(c) GDPR), Legitimate interests (Art. 6(1)(1)(f) GDPR).
  • Publication and disclosure of employees' data: Employees' data are only published or disclosed to third parties if this is necessary for the performance of work tasks in accordance with the employment contract. This applies, for example, if employees are named as contact persons in correspondence, on the website or in public registers after coordination or by agreement or if the tasks include representative functions. This may also apply if image recordings are made as part of public relations. Otherwise employees' data are published only with their consent or on the basis of the employer's legitimate interests, for example in the case of stage or group photos during a public event; Legal bases: Performance of a contract and pre-contractual inquiries (Art. 6(1)(1)(b) GDPR), Legitimate interests (Art. 6(1)(1)(f) GDPR).

Application procedures

The application procedure requires applicants to provide us with the data necessary for their assessment and selection. Which information is required is specified in the job description or, in the case of online forms, in the information provided there.

Generally, the required information includes personal details such as name, address, a contact option and proof of qualifications necessary for a position. Upon request we will be happy to inform you which information is required.

Where available, applicants are welcome to submit their applications via our online form, which is encrypted according to the latest state of the art. Alternatively, it is also possible to send applications to us by email. However, we would like to point out that emails sent over the internet are generally not encrypted end to end. Emails are usually encrypted in transit, but not on the servers from which they are sent and received. Therefore, we cannot accept responsibility for the security of the application during its transmission between the sender and our server.

For the purposes of searching for applicants, submitting applications and selecting applicants, we may, in compliance with legal requirements, use applicant management or recruitment software and platforms and services of third-party providers.

Applicants are welcome to contact us regarding the method of submitting the application or to send the application to us by post.

Processing of special categories of data: Insofar as special categories of personal data (Art. 9(1) GDPR, e.g. health data such as severe disability status or ethnic origin) are requested from or provided by applicants in the course of the application procedure, their processing is carried out so that the controller or the data subject can exercise the rights arising from employment law and social security law and fulfill their related obligations, in the case of protection of the vital interests of the applicants or other persons or for purposes of preventive or occupational medicine, to assess the working capacity of the employee, for medical diagnostics, care or treatment in the health or social sector or for the management of systems and services in the health or social sector.

Deletion of data: The data provided by applicants can be further processed by us in the event of a successful application for the purposes of the employment relationship. Otherwise, if the application for a job offer is unsuccessful, the applicants' data will be deleted. Applicants' data will also be deleted if an application is withdrawn, which applicants are entitled to do at any time. Deletion will take place, subject to a justified revocation by the applicants, no later than six months after the end of a period so that we can answer any follow-up questions about the application and meet our documentary obligations arising from equal treatment provisions for applicants. Invoices for possible travel expense reimbursements will be archived in accordance with tax requirements.

Inclusion in an applicant pool: Inclusion in an applicant pool, if offered, is based on consent. Applicants are informed that their consent to be included in the talent pool is voluntary, has no influence on the ongoing application process and that they may revoke their consent at any time for the future.

  • Types of data processed: Master data (e.g. full name, residential address, contact information, customer number, etc.); Contact data (e.g. postal and email addresses or phone numbers); Content data (e.g. textual or pictorial messages and contributions and the information relating thereto, such as authorship or time of creation). Applicant data (e.g. personal information, postal and contact addresses, documents belonging to the application and the information contained therein, such as cover letter, CV, certificates and other information voluntarily provided by applicants regarding their person or qualifications).
  • Data subjects: Applicants.
  • Purposes of processing: Application procedures (initiation and any later execution as well as possible later termination of the employment relationship).
  • Retention and deletion: Deletion in accordance with the information in the section "General information on data retention and deletion".
  • Legal bases: Application procedure as a pre-contractual or contractual relationship (Art. 6(1)(1)(b) GDPR).

Data protection information for whistleblowers

This section contains information on how we handle the data of persons who provide information (whistleblowers) as well as of affected and involved parties in the context of our whistleblower procedure. Our aim is to offer an uncomplicated and secure way to report possible misconduct by us, our employees or service providers, in particular conduct that violates laws or ethical guidelines. In addition, we ensure appropriate processing and handling of the reports.

Types of data processed:

In the course of receiving and processing reports and in the subsequent whistleblower procedure we may collect various data. These include in particular the data provided by a whistleblower, such as:

  • Name, contact details and whereabouts of the person providing the report,
  • Names and data of possible witnesses or persons affected by the report,
  • Names and data of the persons against whom the report is directed,
  • Data about the alleged misconduct,
  • Further relevant details, insofar as provided by the whistleblower.

For the purposes of fact-finding and further proceedings we also process the following personal data:

  • Unique identification of the report,
  • Contact details of the reporting person, if provided,
  • Personal data of persons named in the report, if provided,
  • Personal data of persons indirectly affected by the fact-finding, if applicable,
  • Personal data of persons from other involved companies (e.g. in the context of legal advice), if relevant,
  • Other data related to the matter.

Special categories of personal data:

It may occur that we collect special categories of personal data in the course of our activities, especially if these are provided by a whistleblower. These include:

  • Health-related data of a person,
  • Data on racial or ethnic origin of persons,
  • Information on religious or philosophical beliefs of a person,
  • Information on a person's sexual orientation.

These data are only processed if they are relevant to the handling of the respective report and have been expressly provided by the whistleblower.

Use of our online forms: Please note that reports can be submitted anonymously. To ensure the security of your data when using our online forms, we recommend opening them in your browser's so-called incognito mode. To open an incognito window you can: a) On a Windows PC: open your browser and press Ctrl+Shift+N; b) On a Mac: open your browser and press Command+Shift+N; c) On mobile devices: switch to private mode via the tab menu.

When accessing our website in normal mode your browser automatically sends certain information to our server, such as browser type and version, date and time of your access. This also includes the IP address of your end device. These data are temporarily stored in a log file and automatically deleted after a maximum of 30 days.

The processing of the IP address serves technical and administrative purposes for connecting to our website. It ensures the security, stability and functionality of the whistleblower form and is an important part of our measures to ensure confidential whistleblowing.

The processing of the logged data is based on Article 6(1)(1)(f) GDPR. Our legitimate interest lies in the need for security and the necessity to ensure the technical prerequisites for smooth and trouble-free reporting.

Providing names: You have the option to submit reports anonymously. Where not prohibited by national laws, however, we recommend providing your name and contact details. This enables us to pursue the report more effectively and, if necessary, to contact you directly.

If you provide your name and contact details, your identity will be treated as strictly confidential. Exceptions to this confidentiality exist only if we are legally obliged to disclose your identity. This may be necessary to protect or assert our rights or the rights of our employees, customers, suppliers or business partners. Another exception exists if it is determined that the allegations were made with malicious intent.

Provision of data to third parties: Data relating to the reports will only be passed on by us to third parties under certain circumstances. This happens either a) if you have expressly given us your consent to do so, or b) if there is a legal obligation to pass on the data. Possible third parties include public authorities, government, regulatory or tax authorities if disclosure is necessary to fulfill a legal or regulatory duty. We may also engage lawyers and other professional advisors in accordance with statutory provisions. These are entitled to examine alleged misconduct and take necessary measures after an investigation, such as initiating disciplinary or legal proceedings. In addition, carefully selected and supervised service providers (for example the operator of a web-based reporting system) may receive data for these purposes. These service providers are contractually obliged to comply with applicable data protection provisions as part of a data processing contract.

Data retention and deletion: Personal data are processed only as long as they are necessary to achieve the processing purposes described above. If these data are no longer necessary for the stated purposes, they will be deleted. In certain situations, however, the data may be retained longer to meet legal requirements, as long as this is necessary and proportionate. In such cases, the data will be deleted as soon as they are no longer needed for these purposes.

Technical and organizational measures: We have implemented the necessary contractual, technical and organizational measures to ensure the security of all data processed by us. These data are processed exclusively for the specified purposes. Incoming reports are processed by authorized persons who receive access to the respective reports and carry out subsequent fact-finding. Our employees are specially trained in the proper conduct of fact-finding and are obliged to maintain the strictest confidentiality.

  • Types of data processed: Master data (e.g. full name, residential address, contact information, customer number, etc.); Employee data (information about employees and other persons in an employment relationship); Contact data (e.g. postal and email addresses or phone numbers); Content data (e.g. textual or pictorial messages and contributions and the information relating thereto, such as authorship or time of creation). Usage data (e.g. page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions).
  • Data subjects: Employees (e.g. employees, applicants, temporary staff and other staff); Third parties. Whistleblowers.
  • Purposes of processing: Whistleblower protection.
  • Retention and deletion: Deletion in accordance with the information in the section "General information on data retention and deletion".
  • Legal bases: Consent (Art. 6(1)(1)(a) GDPR); Legal obligation (Art. 6(1)(1)(c) GDPR). Legitimate interests (Art. 6(1)(1)(f) GDPR).

Changes and updates

Please check our privacy policy regularly. We amend the privacy policy as soon as changes in the processing activities we carry out make this necessary. We will inform you as soon as the changes require an act of cooperation on your part (e.g. consent) or another individual notification.

If we provide addresses and contact information of companies and organizations in this privacy policy, please note that addresses may change over time and we ask you to verify the information before contacting them.

Definitions

This section provides an overview of the terms used in this privacy policy. Where terms are legally defined, their legal definitions apply. The following explanations are intended primarily to facilitate understanding.

  • Employees: Employees are persons who are in an employment relationship, whether as staff, employees or in similar positions. An employment relationship is a legal relationship between an employer and an employee, which is set out in an employment contract or agreement. It includes the employer's obligation to pay remuneration and the employee's obligation to provide work. The employment relationship includes various phases, including initiation, in which the employment contract is concluded, performance, in which the employee performs work, and termination, when the employment relationship ends, e.g. by dismissal, termination agreement or otherwise. Employee data are all information relating to these persons and to their employment. This includes aspects such as personal identification data, identification numbers, salary and bank data, working hours, vacation entitlements, health data and performance evaluations.
  • Master data: Master data include essential information necessary for the identification and administration of contractual partners, user accounts, profiles and similar assignments. These data may include personal and demographic information such as names, contact information (addresses, phone numbers, email addresses), dates of birth and specific identifiers (user IDs). Master data form the basis for any formal interaction between persons and services, institutions or systems by enabling unique assignment and communication.
  • Credit report: Automated decisions are based on automated processing without human involvement (e.g. in the case of automatic rejection of a purchase on account, an online loan application or an online application procedure without any human intervention). Such automated decisions are permissible under Art. 22 GDPR only if data subjects consent, if they are necessary for the performance of a contract, or if national laws permit such decisions.
  • Content data: Content data include information generated in the course of creating, editing and publishing content of all kinds. This category of data can include texts, images, videos, audio files and other multimedia content published on various platforms and media. Content data are not limited to the actual content, but also include metadata that provide information about the content itself, such as tags, descriptions, author information and publication dates.
  • Contact data: Contact data are essential information that enable communication with persons or organizations. They include telephone numbers, postal addresses and email addresses, as well as communication media such as social media handles and instant messaging identifiers.
  • Artificial Intelligence (AI): The purpose of processing data by Artificial Intelligence (AI) includes automated analysis and processing of user data to recognize patterns, make predictions and improve the efficiency and quality of our services. This includes the collection, cleaning and structuring of data, the training and application of AI models as well as the continuous review and optimization of results and is carried out exclusively with users' consent or on the basis of statutory permissions.
  • Performance and behavior data: Performance and behavior data refer to information related to how persons perform tasks or behave in a certain context, such as in an educational, work or social environment. These data may include metrics such as productivity, efficiency, work quality, attendance and compliance with policies or procedures. Behavior data may include interactions with colleagues, communication styles, decision-making processes and reactions to various situations. These types of data are often used for performance evaluations, training and development measures and decision-making within organizations.
  • Meta, communication and procedural data: Meta, communication and procedural data are categories that contain information about how data are processed, transmitted and managed. Metadata, also known as data about data, include information that describes the context, origin and structure of other data. They may include information on file size, creation date, author of a document and change histories. Communication data capture the exchange of information between users across various channels such as email traffic, call logs, social media messages and chat histories, including the persons involved, timestamps and transmission routes. Procedural data describe processes and workflows within systems or organizations, including workflow documentation, logs of transactions and activities, as well as audit logs used to track and verify operations.
  • Usage data: Usage data refer to information that captures how users interact with digital products, services or platforms. These data cover a wide range of information that shows how users use applications, which features they prefer, how long they stay on certain pages and which paths they take through an application. Usage data may also include frequency of use, timestamps of activities, IP addresses, device information and location data. They are particularly valuable for analyzing user behavior, optimizing user experiences, personalizing content and improving products or services. In addition, usage data play a crucial role in identifying trends, preferences and potential problem areas within digital offerings.
  • Personal data: "Personal data" are all information relating to an identified or identifiable natural person (the "data subject"); a natural person is regarded as identifiable if they can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. cookie) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
  • Profiles with user-related information: The processing of "profiles with user-related information", or simply "profiles", includes any form of automated processing of personal data intended to evaluate certain personal aspects relating to a natural person (depending on the type of profiling this may include different information relating to demographics, behavior and interests, such as interaction with websites and their content, etc.), to analyze, assess or predict them (e.g. interests in particular contents or products, click behavior on a website or the place of stay). Cookies and web beacons are often used for profiling.
  • Log data: Log data are information about events or activities that have been logged in a system or network. These data typically contain information such as timestamps, IP addresses, user actions, error messages and other details about the usage or operation of a system. Log data are often used for analyzing system problems, security monitoring or generating performance reports.
  • Reach measurement: Reach measurement (also called web analytics) serves to evaluate the visitor flows of an online offering and may include the behavior or interests of visitors in relation to certain information, such as content of websites. With the help of reach analysis operators of online offerings can, for example, find out at which times users visit their websites and which content they are interested in. This enables them to adapt website content better to the needs of their visitors. For reach analysis, pseudonymous cookies and web beacons are often used to recognize returning visitors and obtain more accurate analyses of an online offering's usage.
  • Location data: Location data arise when a mobile device (or another device capable of localization) connects to a cell, a Wi-Fi network or similar technical means and functions for determining location. Location data are used to indicate the geographically determinable position of the respective device. Location data can be used to display map functions or other location-dependent information.
  • Tracking: "Tracking" refers to the ability to trace a user's behavior across multiple online offerings. Usually behavior and interest information are stored in cookies or on servers of the providers of tracking technologies in relation to the online offerings used (so-called profiling). This information can subsequently be used, for example, to display advertisements that are likely to be of interest to the users.
  • Controller: The "controller" is the natural or legal person, authority, institution or other body which alone or jointly with others determines the purposes and means of the processing of personal data.
  • Processing: "Processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means. The term is broad and practically covers any handling of data, such as collection, evaluation, storage, transmission or deletion.
  • Contract data: Contract data are specific information related to the formalization of an agreement between two or more parties. They document the conditions under which services or products are provided, exchanged or sold. This data category is essential for the management and fulfillment of contractual obligations and includes both the identification of the contracting parties and the specific terms and conditions of the agreement. Contract data may include contract start and end dates, the type of services or products agreed upon, price agreements, payment terms, termination rights, renewal options and special conditions or clauses. They serve as the legal basis for the relationship between the parties and are crucial for clarification of rights and obligations, enforcement of claims and resolution of disputes.
  • Payment data: Payment data include all information needed to process payment transactions between buyers and sellers. These data are crucial for e-commerce, online banking and any other form of financial transaction. They include details such as credit card numbers, bank account details, payment amounts, transaction dates, verification numbers and invoice information. Payment data may also include information about payment status, chargebacks, authorizations and fees.
  • Audience building: Audience building ("Custom Audiences") refers to the creation of target groups for advertising purposes (e.g. display of advertisements). For example, it can be inferred from a user's interest in certain products or topics on the internet that this user is interested in advertisements for similar products or the online store where they viewed the products. "Lookalike Audiences" (or similar audiences) refer to instances where suitable content is displayed to users whose profiles or interests are likely to match those of the users for whom the profiles were created. Cookies and web beacons are usually used to form Custom Audiences and Lookalike Audiences.

CookieFirst

Our website uses CookieFirst to obtain your consent for storing certain cookies on your device or for the use of certain technologies and to document this in a data protection compliant manner. The provider of this technology is Digital Data Solutions B.V. (CookieFirst), Plantage Middenlaan 42A, 1018 DH Amsterdam, Netherlands (hereinafter "CookieFirst").

When you enter our website, a connection to CookieFirst's servers is established to obtain your consents and other declarations regarding cookie usage. CookieFirst then stores a cookie in your browser so that the consents granted or their revocation can be assigned to you. In doing so, the IP address (anonymized), the browser and operating system user agent, as well as the URL from which the consent was given, are processed and integrated into CookieFirst. The data collected in this way are stored until you request us to delete them, delete the CookieFirst cookie yourself, or the purpose for storing the data ceases to apply. Mandatory statutory retention obligations remain unaffected.

CookieFirst transmits personal data to third-party providers. These include CDNs from Slovenia, IP geolocation from Romania, and hosting at OHV in Germany and France. CookieFirst has its company headquarters in Amsterdam, Netherlands.

The use of CookieFirst is carried out to obtain the legally required consents for the use of cookies. The legal basis for this is Article 6(1)(c) GDPR.

Data processing

We have concluded a data processing agreement (DPA) for the use of the service mentioned above. This is a contract required under data protection law that ensures that the service processes the personal data of our website visitors only on our instructions and in compliance with the GDPR.

Server log files

The provider of the site automatically collects and stores information in so-called server log files that your browser automatically transmits to us. These are:

  • browser type and browser version
  • operating system used
  • referrer URL
  • hostname of the accessing computer
  • time of the server request
  • IP address

These data are not merged with other data sources.

The collection of these data is based on Article 6(1)(f) GDPR. The website operator has a legitimate interest in the technically error-free presentation and optimization of its website – for this purpose the server log files must be recorded.

Contact form

If you send us enquiries via the contact form, the details you provide in the enquiry form, including the contact data you provide there, will be stored by us for the purpose of processing the enquiry and in case of follow-up questions. We will not pass on these data without your consent.

The processing of these data is carried out on the basis of Article 6(1)(b) GDPR, provided that your enquiry is related to the performance of a contract or is necessary for the implementation of pre-contractual measures. In all other cases, the processing is based on our legitimate interest in the effective processing of enquiries addressed to us (Article 6(1)(f) GDPR) or on your consent (Article 6(1)(a) GDPR) if this was requested; consent can be revoked at any time.

The data you enter in the contact form will remain with us until you ask us to delete them, revoke your consent to storage, or the purpose for storing the data no longer applies (e.g. after your enquiry has been finally processed). Mandatory statutory provisions – in particular retention periods – remain unaffected.

Enquiries by e-mail, telephone or fax

If you contact us by e-mail, telephone or fax, your enquiry, including all personal data arising from it (name, enquiry), will be stored and processed by us for the purpose of dealing with your matter. We will not pass on these data without your consent.

The processing of these data is carried out on the basis of Article 6(1)(b) GDPR, provided that your enquiry is related to the performance of a contract or is necessary for the implementation of pre-contractual measures. In all other cases, the processing is based on our legitimate interest in the effective processing of enquiries addressed to us (Article 6(1)(f) GDPR) or on your consent (Article 6(1)(a) GDPR) if this was requested; consent can be revoked at any time.

The data you send to us in enquiries via contact requests will remain with us until you ask us to delete them, revoke your consent to storage, or the purpose for storing the data no longer applies (e.g. after your matter has been finally processed). Mandatory statutory provisions – in particular statutory retention periods – remain unaffected.

5. Analysis tools and advertising

Google Tag Manager

We use Google Tag Manager. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

The Google Tag Manager is a tool that allows us to integrate tracking or statistics tools and other technologies on our website. The Google Tag Manager itself does not create user profiles, does not store cookies and does not perform independent analyses. It only serves to manage and deploy the tools integrated via it. However, the Google Tag Manager does capture your IP address, which may also be transmitted to the parent company of Google in the United States.

The use of Google Tag Manager is based on Article 6(1)(f) GDPR. The website operator has a legitimate interest in a quick and uncomplicated integration and management of various tools on its website. If the corresponding consent was requested, the processing takes place exclusively on the basis of Article 6(1)(a) GDPR and Section 25(1) TDDDG, insofar as the consent includes the storage of cookies or access to information on the user's device (e.g. device fingerprinting) within the meaning of the TDDDG. Consent can be revoked at any time.

The company holds a certification under the "EU-US Data Privacy Framework" (DPF). The DPF is an agreement between the European Union and the USA intended to ensure compliance with European data protection standards in data processing in the USA. Any company certified under the DPF undertakes to comply with these data protection standards. You can obtain further information from the provider at the following link: https://www.dataprivacyframework.gov/participant/5780.

Google Analytics

This website uses features of the web analytics service Google Analytics. The provider is Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland.

Google Analytics enables the website operator to analyze the behavior of website visitors. The website operator receives various usage data, such as page views, duration of stay, operating systems used and the user's origin. These data are assigned to the respective user's device. They are not assigned to a user ID.

Furthermore, we can record, among other things, your mouse and scroll movements and clicks with Google Analytics. Google Analytics also uses various modeling approaches to supplement the collected datasets and employs machine learning technologies in data analysis.

Google Analytics uses technologies that enable the recognition of the user for the purpose of analyzing user behavior (e.g. cookies or device fingerprinting). The information collected by Google about the use of this website is usually transferred to and stored on a Google server in the USA.

The use of this service is based on your consent pursuant to Article 6(1)(a) GDPR and Section 25(1) TDDDG. Consent can be revoked at any time.

The data transfer to the USA is based on the standard contractual clauses of the EU Commission. Details can be found here: https://business.safety.google/adscontrollerterms/sccs/.

The company holds a certification under the "EU-US Data Privacy Framework" (DPF). The DPF is an agreement between the European Union and the USA intended to ensure compliance with European data protection standards in data processing in the USA. Any company certified under the DPF undertakes to comply with these data protection standards. You can obtain further information from the provider at the following link: https://www.dataprivacyframework.gov/participant/5780.

IP anonymization

Google Analytics IP anonymization is activated. This shortens your IP address within member states of the European Union or in other contracting states of the Agreement on the European Economic Area before transmission to the USA. Only in exceptional cases is the full IP address transmitted to a Google server in the USA and shortened there. On behalf of the operator of this website, Google will use this information to evaluate your use of the website, to compile reports on website activity and to provide other services related to website use and internet usage to the website operator. The IP address transmitted by your browser to Google as part of Google Analytics will not be merged with other Google data.

Browser plugin

You can prevent the collection and processing of your data by Google by downloading and installing the browser plugin available at the following link: https://tools.google.com/dlpage/gaoptout?hl=de.

More information on how Google Analytics handles user data can be found in Google's privacy policy: https://support.google.com/analytics/answer/6004245?hl=de.

Data processing

We have concluded a data processing agreement with Google and fully implement the strict requirements of the German data protection authorities when using Google Analytics.

6. Newsletter

Newsletter data

If you would like to receive the newsletter offered on the website, we require an e-mail address from you and information that allows us to verify that you are the owner of the specified e-mail address and agree to receive the newsletter. Further data are not collected, or are collected only on a voluntary basis. To handle the newsletter we use the newsletter service providers described below.

CleverReach

This website uses CleverReach to send newsletters. The provider is CleverReach GmbH & Co. KG, Schafjückenweg 2, 26180 Rastede, Germany (hereinafter "CleverReach"). CleverReach is a service with which newsletter sending can be organized and analyzed. The data you provide for the purpose of receiving the newsletter (e.g. e-mail address) are stored on CleverReach's servers in Germany and/or Ireland.

The newsletters we send via CleverReach enable us to analyze the behavior of newsletter recipients. Among other things, it can be analyzed how many recipients opened the newsletter message and how often which link in the newsletter was clicked. With the help of so-called conversion tracking, it can also be analyzed whether a predefined action (e.g. purchase of a product on this website) was performed after clicking the link in the newsletter. Further information on data analysis by CleverReach newsletters can be found at: https://www.cleverreach.com/de/funktionen/reporting-und-tracking/.

The data processing is based on your consent (Article 6(1)(a) GDPR). You can revoke this consent at any time by unsubscribing from the newsletter. The lawfulness of data processing carried out prior to the revocation remains unaffected.

If you do not want analysis by CleverReach, you must unsubscribe from the newsletter. For this purpose we provide a corresponding link in each newsletter message.

The data you provide to us for the purpose of receiving the newsletter will be stored by us and the newsletter service provider until you unsubscribe from the newsletter and will be deleted from the newsletter distribution list after unsubscribing. Data that has been stored for other purposes remains unaffected.

After you unsubscribe from the newsletter distribution list, your e-mail address may be stored by us or the newsletter service provider in a blacklist if this is necessary to prevent future mailings. The data from the blacklist are used only for this purpose and are not merged with other data. This serves both your interest and our interest in complying with the legal requirements when sending newsletters (legitimate interest within the meaning of Article 6(1)(f) GDPR). The storage in the blacklist is not time-limited. You can object to the storage if your interests outweigh our legitimate interests.

For more information, please refer to CleverReach's privacy policy at: https://www.cleverreach.com/de/datenschutz/.

Data processing

We have concluded a data processing agreement (DPA) for the use of the above-mentioned service. This is a contract required under data protection law that ensures that the service processes the personal data of our website visitors only on our instructions and in compliance with the GDPR.

7. Plugins and tools

Google Maps

This site uses the mapping service Google Maps. The provider is Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland. With the help of this service we can embed map material on our website.

To use the functions of Google Maps it is necessary to store your IP address. This information is usually transmitted to and stored on a Google server in the USA. The provider of this site has no influence on this data transfer. If Google Maps is activated, Google may use Google Fonts for the uniform display of fonts. When calling up Google Maps, your browser loads the required web fonts into its browser cache in order to display texts and fonts correctly.

The use of Google Maps is in the interest of an appealing presentation of our online offers and of making the locations we list on the website easy to find. This represents a legitimate interest within the meaning of Article 6(1)(f) GDPR. If the corresponding consent was requested, the processing takes place exclusively on the basis of Article 6(1)(a) GDPR and Section 25(1) TDDDG, insofar as the consent includes the storage of cookies or access to information on the user's device (e.g. device fingerprinting) within the meaning of the TDDDG. Consent can be revoked at any time.

The data transfer to the USA is based on the standard contractual clauses of the EU Commission. Details can be found here: https://privacy.google.com/businesses/gdprcontrollerterms/ and https://privacy.google.com/businesses/gdprcontrollerterms/sccs/.

More information on the handling of user data can be found in Google's privacy policy: https://policies.google.com/privacy?hl=de.

The company holds a certification under the "EU-US Data Privacy Framework" (DPF). The DPF is an agreement between the European Union and the USA intended to ensure compliance with European data protection standards in data processing in the USA. Any company certified under the DPF undertakes to comply with these data protection standards. You can obtain further information from the provider at the following link: https://www.dataprivacyframework.gov/participant/5780.

Friendly Captcha

We use Friendly Captcha (hereinafter "Friendly Captcha") on this website. The provider is Friendly Captcha GmbH, Am Anger 3-5, 82237 Woerthsee, Germany.

Friendly Captcha is used to check whether data entered on this website (e.g. in a contact form) is entered by a human or by an automated program. For this purpose, Friendly Captcha analyses the behavior of the website visitor based on various characteristics. Friendly Captcha evaluates various information for the analysis (e.g. anonymized IP address, referrer, visit time, etc.). Further information on this can be found at: https://friendlycaptcha.com/legal/privacy-end-users/.

The storage and analysis of the data is based on Article 6(1)(f) GDPR. The website operator has a legitimate interest in protecting its web offerings from abusive automated probing and from spam. If the corresponding consent was requested, the processing takes place exclusively on the basis of Article 6(1)(a) GDPR and Section 25(1) TDDDG, insofar as the consent includes the storage of cookies or access to information on the user's device (e.g. device fingerprinting) within the meaning of the TDDDG. Consent can be revoked at any time.

Data processing

We have concluded a data processing agreement (DPA) for the use of the service mentioned above. This is a contract required under data protection law that ensures that the service processes the personal data of our website visitors only on our instructions and in compliance with the GDPR.

8. Own services

Handling of applicant data

We offer you the possibility to apply to us (e.g. by e-mail, post or via an online application form). Below we inform you about the scope, purpose and use of the personal data collected during the application process. We assure you that the collection, processing and use of your data is carried out in accordance with applicable data protection law and all other legal provisions and that your data will be treated strictly confidentially.

Scope and purpose of data collection

If you send us an application, we process the personal data associated with it (e.g. contact and communication data, application documents, notes made during interviews, etc.) to the extent necessary to decide whether to establish an employment relationship. The legal basis for this is Section 26 BDSG under German law (initiation of an employment relationship), Article 6(1)(b) GDPR (general contract initiation) and – if you have given consent – Article 6(1)(a) GDPR. Consent can be revoked at any time. Your personal data will be disclosed within our company only to persons involved in processing your application.

If the application is successful, the data you submitted will be stored in our data processing systems for the purpose of carrying out the employment relationship on the basis of Section 26 BDSG and Article 6(1)(b) GDPR.

Retention period of the data

If we are unable to make you an offer of employment, you decline an offer of employment or you withdraw your application, we reserve the right to retain the data you submitted on the basis of our legitimate interests (Article 6(1)(f) GDPR) for up to 6 months from the end of the application process (rejection or withdrawal of the application). Afterwards the data will be deleted and physical application documents destroyed. The retention serves in particular as evidence in the event of legal disputes. If it is apparent that the data will be required after the expiry of the 6-month period (e.g. due to an impending or pending legal dispute), deletion will only take place when the purpose for further retention no longer applies.

Longer retention may also take place if you have given appropriate consent (Article 6(1)(a) GDPR) or if statutory retention obligations prevent deletion.
