Privacy Policy
Preamble
With the following privacy policy, we would like to inform you about the types of your personal data (hereinafter also referred to as “data”) we process, for what purposes and to what extent. The Privacy Policy applies to all processing of personal data carried out by us, both in the context of the provision of our services and in particular on our websites, in mobile applications and within external online presences, such as our social media profiles (hereinafter collectively referred to as the “Online Offer”).
The terms used are not gender-specific.
Status: April 4, 2024
Table of Contents
- Preamble
- Person responsible
- Contact Data Protection Officer
- Overview of processing
- Relevant legal bases
- Security measures
- Transfer of personal data
- International data transfers
- Business services
- Vendors and services used in the course of business
- Credit check
- Provision of the online offer and web hosting
- Use of cookies
- Contact and Request Management
- Communication via Messenger
- Video conferences, online meetings, webinars and screen sharing
- Application process
- Cloud services
- Newsletter and electronic notifications
- Advertising communication via e-mail, post, fax or telephone
- Polls and surveys
- Web analysis, monitoring and optimization
- Customer Reviews and Rating Procedures
- Presence in social networks (Social Media)
- Management, Organization and Auxiliary Tools
Responsible
Sirag AG
Sumpfstrasse 26
6312 Steinhausen
E-mail address: mail@sirag.ch
Contact Data Protection Officer
If you have any questions about data protection, please contact our data protection consultant:
PlanSec AG
Dieter Huber
Sinserstrasse 67
6330 Cham
Switzerland
mail@plansec.ch
https://www.plansec.ch
Overview of Processing
The following overview summarises the types of data processed and the purposes of their processing, and refers to the data subjects.
Types of Data processed
- Inventory data.
- Payment data.
- Contact details.
- Content data.
- Contract data.
- Usage data.
- Meta, communication and procedural data.
- Applicant data.
- Image/video recordings.
Categories of Data Subjects
- Customers.
- Employees.
- Interested Parties.
- Communication Partners.
- Users.
- Applicants.
- Business Partners.
- Participants.
- Persons Pictured.
Purposes of Processing
- Provision of contractual services and fulfilment of contractual obligations.
- Contact Requests and Communication.
- Security measures.
- Direct marketing.
- Reach measurement.
- Office and organizational procedures.
- Manage and respond to queries.
- Applications.
- Feedback.
- Marketing.
- Profiles with user-related information.
- Provision of our online offer and user-friendliness.
- Assessment of creditworthiness.
- Information Technology Infrastructure.
Automated decisions in individual Cases
- Credit Report.
Relevant legal Bases
Relevant legal bases under the GDPR: Below you will find an overview of the legal bases of the GDPR on the basis of which we process personal data. Please note that in addition to the regulations of the GDPR, national data protection regulations may apply in your or our country of residence or domicile. Furthermore, if more specific legal bases are relevant in individual cases, we will inform you of these in the privacy policy.
- Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR) – The data subject has given his or her consent to the processing of personal data concerning him or her for a specific purpose or purposes.
- Performance of a contract and pre-contractual enquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR) – Processing is necessary for the performance of a contract to which the data subject is a party or for the performance of pre-contractual measures taken at the request of the data subject.
- Legal obligation (Art. 6 para. 1 sentence 1 lit. c) GDPR) – The processing is necessary for compliance with a legal obligation to which the controller is subject.
- Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR) – the processing is necessary to safeguard the legitimate interests of the controller or a third party, provided that the interests, fundamental rights and freedoms of the data subject that require the protection of personal data do not prevail.
- Application procedure as a pre-contractual or contractual relationship (Art. 6 para. 1 sentence 1 lit. b) GDPR) – Insofar as special categories of personal data within the meaning of Art. 9 para. 1 GDPR (e.g. health data, such as severely disabled status or ethnic origin) are requested from applicants in the context of the application process, so that the controller or the data subject can provide him or her with the information provided to him or her under employment law and the law of the social security and social protection and to fulfil his or her obligations in this regard, their processing is carried out in accordance with Article 9 (2) (b) of the GDPR, in the case of the protection of the vital interests of applicants or other persons in accordance with Article 9 (2) (c) of the GDPR or for the purposes of preventive health care or occupational medicine, for the assessment of the employee’s ability to work, for medical diagnostics, care or treatment in the health or social sector or for the administration of systems and services in the health or social sector in accordance with Art. 9 (2) (h) GDPR. In the case of a notification of special categories of data based on voluntary consent, their processing is carried out on the basis of Art. 9 (2) (a) GDPR.
Relevant legal bases under the Swiss Data Protection Act: If you are located in Switzerland, we process your data on the basis of the Federal Act on Data Protection (abbreviated “Swiss FADP”, valid from 1 September 2023). This also applies if our processing of your data otherwise affects you in Switzerland and you are affected by the processing. Unlike the GDPR, for example, the Swiss FADP does not provide for a legal basis for the processing of personal data. We only process personal data if the processing is carried out in good faith, is lawful and proportionate (Art. 6 paras. 1 and 2 of the Swiss FADP). In addition, personal data is only procured by us for a specific purpose that is recognisable to the data subject and is only processed in a way that is compatible with this purpose (Art. 6 para. 3 of the Swiss FADP).
Note on the applicability of the GDPR and the Swiss Data Protection Act: This data protection notice serves both the provision of information in accordance with the Swiss Federal Act on Data Protection (Swiss Data Protection Act) and the General Data Protection Regulation (GDPR). For this reason, we ask you to note that due to the broader spatial application and comprehensibility, the terms of the GDPR are used. In particular, instead of the terms “processing” of “personal data”, “overriding interest” and “particularly sensitive personal data” used in the Swiss FADP, the terms “processing” of “personal data” as well as “legitimate interest” and “special categories of data” used in the GDPR are used. However, the legal meaning of the terms will continue to be determined in accordance with the Swiss FADP within the scope of the Swiss FADP.
Security Measures
In accordance with the legal requirements, taking into account the state of the art, the implementation costs and the type, scope, circumstances and purposes of the processing, as well as the different probabilities of occurrence and the extent of the threat to the rights and freedoms of natural persons, we take appropriate technical and organisational measures to ensure a level of protection appropriate to the risk.
Measures include, in particular, safeguarding the confidentiality, integrity and availability of data by controlling physical and electronic access to the data, as well as access, input, disclosure, availability and separation. We have also put in place procedures to ensure that the rights of data subjects can be exercised, that data is deleted and that threats to data are responded to. Furthermore, we take the protection of personal data into account as early as the development or selection of hardware, software and processes, in accordance with the principle of data protection through technical design and through data protection-friendly default settings.
Securing online connections with TLS/SSL encryption technology (HTTPS): In order to protect the data of users transmitted via our online services from unauthorized access, we rely on TLS/SSL encryption technology. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the cornerstones of secure data transmission on the Internet. These technologies encrypt the information transmitted between the website or app and the user’s browser (or between two servers), which protects the data from unauthorized access. TLS, as the evolved and more secure version of SSL, ensures that all data transfers meet the highest security standards. If a website is secured by an SSL/TLS certificate, this is signaled by the display of HTTPS in the URL. This serves as an indicator for users that their data is being transmitted securely and encrypted.
Transfer of Personal Data
As part of our processing of personal data, it may be transmitted to or disclosed to other bodies, companies, legally independent organisational units or persons. The recipients of this data may include, for example, service providers commissioned with IT tasks or providers of services and content that are integrated into a website. In such cases, we observe the legal requirements and, in particular, conclude appropriate contracts or agreements with the recipients of your data that serve to protect your data.
Data transfers within the group of companies: We may transfer personal data to other companies within our group of companies or provide them with access to this data. If this disclosure is for administrative purposes, the disclosure of the data is based on our legitimate business and business interests or takes place if it is necessary for the fulfilment of our contractual obligations or if the consent of the data subjects or legal permission has been obtained.
International Data Transfers
Data processing in third countries: If we process data in a third country (i.e. outside the European Union (EU), the European Economic Area (EEA)) or if the processing takes place in the context of the use of third-party services or the disclosure or transfer of data to other persons, bodies or companies, this will only take place in accordance with the legal requirements. If the level of data protection in the third country has been recognised by means of an adequacy decision (Art. 45 GDPR), this serves as the basis for the data transfer. Otherwise, data transfers only take place if the level of data protection is otherwise ensured, in particular by means of standard contractual clauses (Art. 46 para. 2 lit. c) GDPR), explicit consent or in the case of contractual or legally required transfer (Art. 49 para. 1 GDPR). In addition, we will inform you of the basis of the third-country transfer for the individual providers from the third country, with the adequacy decisions taking precedence as the basis. Information on third-country transfers and existing adequacy decisions can be found in the EU Commission’s information service: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection_en?prefLang=de.
EU-US Trans-Atlantic Data Privacy Framework: As part of the so-called “Data Privacy Framework” (DPF), the EU Commission has also recognized the level of data protection as secure for certain companies from the USA as part of the adequacy decision of 10.07.2023. The list of certified companies as well as further information about the DPF can be found on the website of the US Department of Commerce at https://www.dataprivacyframework.gov/ (in English). As part of the data protection notice, we will inform you which service providers we use are certified under the Data Privacy Framework.
Disclosure of personal data abroad: In accordance with the Swiss Data Protection Act (FADP), we only disclose personal data abroad if adequate protection of the data subjects is guaranteed (Art. 16 Swiss FADP). If the Federal Council has not determined adequate protection (list: https://www.bj.admin.ch/bj/de/home/staat/datenschutz/internationales/anerkennung-staaten.html), we will take alternative security measures. These may include international contracts, specific safeguards, data protection clauses in contracts, standard data protection clauses approved by the Swiss Federal Data Protection and Information Commissioner (FDPIC), or corporate data protection rules pre-approved by the FDPIC or a competent data protection authority in another country.
According to Art. 16 of the Swiss FADP, exceptions for the disclosure of data abroad may be allowed if certain conditions are met, including consent of the data subject, execution of the contract, public interest, protection of life or physical integrity, data made public or data from a register provided for by law. These disclosures are always made in accordance with the legal requirements.
Business Services
We process data of our contractual and business partners, e.g. customers and interested parties (collectively referred to as “contractual partners”), in the context of contractual and comparable legal relationships as well as related measures and with regard to communication with the contractual partners (or pre-contractually), for example to answer inquiries.
We use this data to fulfil our contractual obligations. These include, in particular, the obligations to provide the agreed services, any updating obligations and remedy in the event of warranty and other service disruptions. In addition, we use the data to protect our rights and for the purpose of the administrative tasks associated with these obligations as well as the company organization. In addition, we process the data on the basis of our legitimate interests both in proper and business management and in security measures to protect our contractual partners and our business operations from misuse, endangerment of their data, secrets, information and rights (e.g. for the involvement of telecommunications, transport and other auxiliary services as well as subcontractors, banks, tax and legal advisors, payment service providers or tax authorities). Within the scope of applicable law, we only pass on the data of contractual partners to third parties to the extent that this is necessary for the aforementioned purposes or for the fulfilment of legal obligations. The contractual partners are informed about other forms of processing, such as for marketing purposes, within the framework of this data protection declaration.
We inform the contractual partners of which data is required for the aforementioned purposes before or as part of the data collection, e.g. in online forms, by means of special marking (e.g. colours) or symbols (e.g. asterisks or similar), or personally.
We delete the data after the expiry of statutory warranty and comparable obligations, i.e. generally after four years, unless the data is stored in a customer account, e.g. as long as it must be retained for legal reasons of archiving (e.g. for tax purposes, usually ten years). We delete data that has been disclosed to us by the contractual partner in the context of an order in accordance with the specifications and in principle after the end of the order.
- Types of data processed: inventory data (e.g. names, addresses); Payment data (e.g. bank details, invoices, payment history); Contact details (e.g., email, phone numbers); Contract data (e.g. subject matter of the contract, term, customer category); Usage data (e.g. websites visited, interest in content, access times). Meta, communication and procedural data (e.g. IP addresses, time details, identification numbers, consent status).
- Data Subjects: Customers; Interested parties. Business and contractual partners.
- Purposes of processing: Performance of contractual services and fulfilment of contractual obligations; Security measures; Contact requests and communication; Office and organizational procedures. Management and response to inquiries.
- Legal bases: Contract performance and pre-contractual enquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR); Legal obligation (Art. 6 para. 1 sentence 1 lit. c) GDPR). Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
Further information on processing processes, procedures and services:
- Customer account: Customers can create an account within our online offer (e.g. customer or user account, or “customer account” for short). If the registration of a customer account is required, customers will be informed of this as well as the information required for registration. The customer accounts are not public and cannot be indexed by search engines. As part of the registration as well as subsequent logins and use of the customer account, we store the IP addresses of the customers along with the access times in order to be able to prove registration and prevent any misuse of the customer account. If the customer account has been terminated, the customer account data will be deleted after the date of termination, unless it is retained for purposes other than making it available in the customer account or must be retained for legal reasons (e.g. internal storage of customer data, order processes or invoices). It is the responsibility of the customers to secure their data when the customer account is terminated; Legal bases: Contract performance and pre-contractual enquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR).
- Online shop, order forms, e-commerce and delivery: We process the data of our customers in order to enable them to select, purchase or order the selected products, goods and related services, as well as their payment and delivery, or execution. If necessary for the execution of an order, we use service providers, in particular postal, forwarding and shipping companies, to carry out the delivery or execution for our customers. We use the services of banks and payment service providers to process payment transactions. The required information is marked as such in the context of the order or comparable purchase process and includes the information required for delivery, provision and invoicing, as well as contact information in order to be able to consult with us if necessary; Legal bases: Contract performance and pre-contractual enquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR).
- Technical Services: We process the data of our customers and clients (hereinafter referred to as “Customers”) in order to enable them to select, purchase or commission the selected services or works as well as related activities as well as their payment and provision or execution. The required information is marked as such in the context of the conclusion of the order or comparable contract and includes the information required for the provision of services and billing as well as contact information in order to be able to hold any consultations. Insofar as we gain access to information of end customers, employees or other persons, we process it in accordance with the legal and contractual requirements; Legal bases: Contract performance and pre-contractual enquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR).
- Metal processing: We process the data of our customers and clients in order to enable them to plan, manufacture and supply metal-processed products and components as well as related services. The required information includes the information required for production and invoicing, as well as contact information for necessary coordination. Insofar as we gain access to information of end customers, employees or other persons, we process it in accordance with the legal and contractual requirements; Legal bases: Performance of contract and pre-contractual enquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR), Legal obligation (Art. 6 para. 1 sentence 1 lit. c) GDPR), Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
Vendors and Services used in the Course of Business
As part of our business activities, we use additional services, platforms, interfaces or plug-ins from third-party providers (in short “Services”) in compliance with the legal requirements. Their use is based on our interests in the proper, lawful and economic management of our business operations and our internal organization.
- Types of data processed: inventory data (e.g. names, addresses); Payment data (e.g. bank details, invoices, payment history); Contact details (e.g., email, phone numbers); Content data (e.g. entries in online forms). Contract data (e.g. subject matter of the contract, term, customer category).
- Data Subjects: Customers; Interested parties; Users (e.g., website visitors, users of online services). Business and contractual partners.
- Purposes of processing: Provision of contractual services and fulfilment of contractual obligations. Office and organizational procedures.
- Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
Credit Check
If we make advance payments or take comparable economic risks (e.g. when ordering on account), we reserve the right to obtain an identity and creditworthiness report for the purpose of assessing the credit risk on the basis of mathematical-statistical procedures from specialized service companies (credit agencies) in order to protect our legitimate interests.
We process the information received from the credit agencies about the statistical probability of a payment default within the framework of an appropriate discretionary decision on the establishment, implementation and termination of the contractual relationship. In the event of a negative result of the credit check, we reserve the right to refuse payment on account or any other advance payment.
In accordance with the legal requirements, the decision as to whether we make an advance payment is made solely on the basis of an automated decision in the individual case, which our software makes on the basis of the information provided by the credit agency.
If we obtain explicit consent from contractual partners, the legal basis for the credit report and the transmission of the customer’s data to the credit agencies is consent. If consent is not obtained, the credit report is made on the basis of our legitimate interests in the reliability of our payment receivables.
- Types of data processed: inventory data (e.g. names, addresses); Payment data (e.g. bank details, invoices, payment history); Contact details (e.g., email, phone numbers). Contract data (e.g. subject matter of the contract, term, customer category).
- Data Subjects: Customers.
- Purposes of processing: Assessment of creditworthiness.
- Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
- Automated decisions in individual cases: Credit report (decision based on a credit check).
Provision of the online offer and Web Hosting
We process users’ data in order to be able to provide them with our online services. For this purpose, we process the user’s IP address, which is necessary to transmit the content and functions of our online services to the user’s browser or device.
- Types of data processed: usage data (e.g. websites visited, interest in content, access times). Meta, communication and procedural data (e.g. IP addresses, time details, identification numbers, consent status).
- Data subjects: users (e.g., website visitors, users of online services).
- Purposes of processing: Provision of our online offer and user-friendliness; Information technology infrastructure (operation and provision of information systems and technical devices (computers, servers, etc.)). Security measures.
- Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
Further information on processing processes, procedures and services:
- Provision of the online offer on rented storage space: For the provision of our online offer, we use storage space, computing capacity and software that we rent or otherwise obtain from a corresponding server provider (also referred to as “web host”); Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
- Collection of access data and log files: Access to our online offer is logged in the form of so-called “server log files”. The server log files can include the address and name of the websites and files accessed, date and time of access, data volumes transferred, notification of successful access, browser type and version, the user’s operating system, referrer URL (the previously visited page) and, as a rule, IP addresses and the requesting provider. The server log files can be used for security purposes, e.g. to avoid overloading the servers (especially in the case of abusive attacks, so-called DDoS attacks) and to ensure the load on the servers and their stability; Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Deletion of data: Log file information is stored for a maximum period of 30 days and then deleted or anonymized. Data whose further retention is necessary for evidentiary purposes is exempt from deletion until the respective incident has been finally clarified.
Use of Cookies
Cookies are small text files or other storage notes that store information on end devices and read information from them, for example to store the log-in status in a user account, the contents of a shopping cart in an e-shop, the content accessed or the functions used in an online offer. Cookies can also be used for various purposes, such as the functionality, security and convenience of online offers as well as the creation of analyses of visitor flows.
Notes on consent: We use cookies in accordance with the legal regulations. Therefore, we obtain prior consent from users, unless it is not required by law. In particular, permission is not necessary if the storage and reading of information, including cookies, is absolutely necessary in order to provide users with a telemedia service (i.e. our online offer) that they expressly request. The revocable consent will be clearly communicated to you and will contain the information on the respective use of cookies.
Information on data protection legal bases: The data protection basis on which we process users’ personal data using cookies depends on whether we ask them for consent. If the users accept, the legal basis for the use of their data is the declared consent. Otherwise, the data used with the help of cookies will be processed on the basis of our legitimate interests (e.g. in the business operation of our online offer and the improvement of its usability) or, if this is done in the context of the fulfilment of our contractual obligations, if the use of cookies is necessary to fulfil our contractual obligations. We will explain the purposes for which we use cookies in the course of this privacy policy or as part of our consent and processing processes.
Storage period: With regard to the storage period, the following types of cookies are distinguished:
- Temporary cookies (also: session cookies): Temporary cookies are deleted at the latest after a user has left an online offer and closed his or her device (e.g. browser or mobile application).
- Persistent cookies: Persistent cookies remain stored even after the end device is closed. For example, the log-in status can be saved and preferred content can be displayed directly when the user visits a website again. The user data collected with the help of cookies can also be used to measure reach. Unless we provide users with explicit information about the type and storage period of cookies (e.g. as part of obtaining consent), they should assume that they are permanent and that the storage period can be up to two years.
General information on revocation and objection (opt-out): Users can revoke the consent they have given at any time and also declare an objection to the processing in accordance with the legal requirements, also by means of the privacy settings of their browser.
- Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR). Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR).
Further information on processing processes, procedures and services:
- Processing of cookie data on the basis of consent: We use a consent management solution in which the consent of the user is obtained for the use of cookies or for the procedures and providers specified in the consent management solution. This procedure serves to obtain, record, manage and revoke consent, in particular with regard to the use of cookies and similar technologies used to store, read and process information on users’ end devices. As part of this process, users’ consents are obtained for the use of cookies and the related processing of information, including the specific processing and providers mentioned in the consent management procedure. Users also have the option of managing and withdrawing their consents. The declarations of consent are stored in order to avoid a new query and to be able to provide proof of consent in accordance with the legal requirements. The storage takes place on the server side and/or in a cookie (so-called opt-in cookie) or by means of comparable technologies in order to be able to assign the consent to a specific user or his device. Unless specific information is available on the providers of consent management services, the following general information applies: The duration of the storage of consent is up to two years. This involves the creation of a pseudonymous user identifier that is stored together with the time of consent, information on the scope of consent (e.g. relevant categories of cookies and/or service providers), as well as information about the browser, the system and the device used; Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR).
- Cookiebot: Consent management: Procedures for obtaining, logging, managing and revoking consent, in particular for the use of cookies and similar technologies for storing, reading and processing information on users’ end devices as well as their processing; Service provider: Usercentrics A/S, Havnegade 39, 1058 Copenhagen, Denmark; Website: https://www.cookiebot.com/de; Privacy Policy: https://www.cookiebot.com/de/privacy-policy/; Data Processing Agreement: Provided by the Service Provider; Other information: Data stored (on the Service Provider’s server): the User’s IP number in anonymized form (the last three digits are set to 0), date and time of consent, browser details, the URL from which consent was sent, an anonymous, random and encrypted key value, and the user’s consent status.
Contact and Request Management
When contacting us (e.g. by post, contact form, e-mail, telephone or via social media) as well as in the context of existing user and business relationships, the information of the enquiring persons will be processed insofar as this is necessary to answer the contact enquiries and any requested measures.
- Types of data processed: Contact details (e.g., email, phone numbers); Content data (e.g. entries in online forms); Usage data (e.g. websites visited, interest in content, access times). Meta, communication and procedural data (e.g. IP addresses, time details, identification numbers, consent status).
- Data subjects: Communication partner.
- Purposes of processing: Contact requests and communication; Managing and responding to requests; Feedback (e.g. collecting feedback via online form). Provision of our online offer and user-friendliness.
- Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR). Fulfilment of a contract and pre-contractual enquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR).
Further information on processing processes, procedures and services:
- Contact form: If users contact us via our contact form, e-mail or other communication channels, we process the data provided to us in this context to process the request communicated; Legal bases: Contract performance and pre-contractual enquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR), legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
Communication via Messenger
We use messengers for communication purposes and therefore ask you to observe the following information on the functionality of the messengers, encryption, the use of the metadata of the communication and your objection options.
You can also contact us by alternative means, e.g. by phone or e-mail. Please use the contact options provided to you or the contact options provided within our online offer.
In the case of end-to-end encryption of content (i.e., the content of your message and attachments), please note that the communication content (i.e., the content of the message and attached images) is encrypted from end to end. This means that the content of the messages cannot be viewed, not even by the messenger providers themselves. You should always use an up-to-date version of Messenger with encryption enabled to ensure that message content is encrypted.
However, we would also like to point out to our communication partners that although the providers of the messengers do not view the content, they can find out that and when communication partners communicate with us and that technical information about the device used by the communication partners and, depending on the settings of their device, location information (so-called metadata) is processed.
Information on legal bases: If we ask communication partners for permission before communicating with them via messenger, the legal basis for our processing of their data is their consent. In addition, if we do not ask for consent and you contact us on your own initiative, for example, we use Messenger as a contractual measure in relation to our contractual partners as well as in the context of the initiation of a contract and, in the case of other interested parties and communication partners, on the basis of our legitimate interests in fast and efficient communication and fulfilment of the needs of our communication partners in communication via Messenger. Furthermore, we would like to point out that we will not transmit the contact details provided to us to the messengers for the first time without your consent.
Revocation, objection and deletion: You can revoke your consent at any time and object to communication with us via Messenger at any time. In the case of communication via messenger, we delete the messages in accordance with our general deletion guidelines (e.g., as described above, after the end of contractual relationships, in the context of archiving requirements, etc.) and otherwise, as soon as we can assume that we have answered any information from the communication partners, if no reference to a previous conversation is to be expected and the deletion is not precluded by any statutory retention obligations.
Reservation of reference to other communication channels: Finally, we would like to point out that for reasons of your security, we reserve the right not to answer inquiries via Messenger. This is the case, for example, if internal contractual matters require special secrecy or a response via messenger does not meet the formal requirements. In such cases, we refer you to more adequate communication channels.
- Types of data processed: Contact details (e.g., email, phone numbers); Usage data (e.g. websites visited, interest in content, access times); Meta, communication and procedural data (e.g. IP addresses, times, identification numbers, consent status). Content data (e.g. entries in online forms).
- Data subjects: Communication partner.
- Purposes of processing: contact requests and communication. Direct marketing (e.g. by e-mail or post).
- Legal basis: consent (Art. 6 para. 1 sentence 1 lit. a) GDPR). Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
Further information on processing processes, procedures and services:
- Microsoft Teams: Microsoft Teams – Messenger; Service provider: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland; Legal basis: Legitimate interests (Art. 6 (1) (1) (f) GDPR); Website: https://www.microsoft.com/de-de/microsoft-365; Privacy policy: https://privacy.microsoft.com/de-de/privacystatement, Safety instructions: https://www.microsoft.com/de-de/trustcenter. Basis for third-country transfers: EU/EEA – Data Privacy Framework (DPF), Switzerland – Adequacy decision (Ireland).
Video Conferencing, Online Meetings, Webinars, and Screen sharing
We use third-party platforms and applications (hereinafter referred to as “Conference Platforms”) for the purpose of conducting video and audio conferences, webinars and other types of video and audio meetings (hereinafter collectively referred to as the “Conference”). When selecting the conference platforms and their services, we observe the legal requirements.
Data processed by conference platforms: In the context of participation in a conference, the conference platforms process the personal data of the participants listed below. The scope of the processing depends on the one hand on which data is required in the context of a specific conference (e.g. provision of access data or real names) and which optional information is provided by the participants. In addition to processing for the purpose of conducting the conference, the data of the participants may also be processed by the conference platforms for security purposes or service optimization. The data processed includes personal data (first name, last name), contact information (e-mail address, telephone number), access data (access codes or passwords), profile pictures, information on professional position/function, the IP address of the Internet access, information on the end devices of the participants, their operating system, the browser and its technical and linguistic settings, information on the content-related communication processes, i.e. entries in chats as well as audio and language settings, video data, and the use of other available functions (e.g. surveys). The contents of the communications are encrypted to the extent technically provided by the conference providers. If the participants are registered as users with the conference platforms, then further data may be processed in accordance with the agreement with the respective conference provider.
Logging and recordings: If text inputs, participation results (e.g. from surveys) and video or audio recordings are logged, the participants will be informed of this transparently in advance and will be asked for consent if necessary.
Data protection measures of the participants: Please refer to the details of the processing of your data by the conference platforms in their privacy policy and select the optimal security and data protection settings for you within the framework of the settings of the conference platforms. Please also ensure data and privacy protection in the background of your recording for the duration of a video conference (e.g. by notifying roommates, locking doors and, as far as technically possible, using the function to blur the background). Links to the conference rooms as well as access data may not be passed on to unauthorized third parties.
Information on legal bases: If, in addition to the conference platforms, we also process the data of the users and ask the users for their consent to the use of the conference platforms or certain functions (e.g. consent to a recording of conferences), the legal basis for the processing is this consent. Furthermore, our processing may be necessary for the fulfilment of our contractual obligations (e.g. in participant lists, in the case of processing the results of conversations, etc.). In addition, user data is processed on the basis of our legitimate interests in efficient and secure communication with our communication partners.
- Types of data processed: inventory data (e.g. names, addresses); Contact details (e.g., email, phone numbers); Content data (e.g. entries in online forms); Usage data (e.g. websites visited, interest in content, access times). Meta, communication and procedural data (e.g. IP addresses, time details, identification numbers, consent status).
- Data subjects: communication partners; Users (e.g., website visitors, users of online services). Persons pictured.
- Purposes of processing: performance of contractual services and fulfilment of contractual obligations; Contact requests and communication. Office and organizational procedures.
- Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
Further information on processing processes, procedures and services:
- Microsoft Teams: conferencing and communication software; service provider: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland; Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); website: https://www.microsoft.com/de-de/microsoft-365; Privacy Policy: https://privacy.microsoft.com/de-de/privacystatement, Security Notes: https://www.microsoft.com/de-de/trustcenter. Basis for third-country transfers: EU/EEA – Data Privacy Framework (DPF), Switzerland – Adequacy Decision (Ireland).
Application Process
The application process requires applicants to provide us with the data necessary for their assessment and selection. The information required can be found in the job description or, in the case of online forms, in the information provided there.
In principle, the required information includes personal information, such as name, address, a contact option and proof of the qualifications necessary for a job. On request, we will also be happy to tell you which information is required.
If provided, applicants can submit their applications to us using an online form. The data is transmitted to us in encrypted form in accordance with the state of the art. Applicants can also send us their applications via e-mail. However, please note that e-mails on the Internet are generally not encrypted. As a rule, e-mails are encrypted during transport, but not on the servers from which they are sent and received. We can therefore not assume any responsibility for the transmission of the application between the sender and the receipt on our server.
For the purposes of searching for applicants, submitting applications and selecting applicants, we may make use of applicant management and recruitment software and third-party platforms and services, in compliance with the legal requirements.
Applicants are welcome to contact us about the method of submitting the application or to send us the application by post.
Processing of special categories of data: To the extent that special categories of personal data (Art. 9 para. 1 GDPR, e.g. health data, such as severely disabled status or ethnic origin) are requested from or communicated by applicants in the context of the application process, their processing is carried out so that the controller or the data subject can exercise the rights arising from labour law and social security and social protection law and fulfil his or her obligations in this regard, in the case of the protection of the vital interests of applicants or other persons, or for the purposes of preventive health care or occupational medicine, for the assessment of the employee’s capacity for work, for medical diagnosis, for the provision of health or social care or treatment, or for the management of health or social care systems and services.
Deletion of data: In the event of a successful application, the data provided by the applicants may be further processed by us for the purposes of the employment relationship. Otherwise, if the application for a job offer is not successful, the applicant’s data will be deleted. Candidates’ data will also be deleted when an application is withdrawn, which applicants are entitled to do at any time. Subject to a justified revocation by the applicants, the deletion will take place after a period of six months at the latest, so that we can answer any follow-up questions about the application and meet our obligations to provide evidence under the regulations on equal treatment of applicants. Invoices for any reimbursement of travel expenses are archived in accordance with tax regulations.
Admission to an applicant pool: Admission to an applicant pool, if offered, is based on consent. Applicants are instructed that their consent to be included in the talent pool is voluntary, has no influence on the ongoing application process and that they can revoke their consent at any time for the future.
- Types of data processed: inventory data (e.g. names, addresses); Contact details (e.g., email, phone numbers); Content data (e.g. entries in online forms). Applicant data (e.g. personal details, postal and contact addresses, the documents associated with the application and the information contained therein, such as cover letter, CV, certificates and other information relating to a specific position or voluntarily provided by applicants regarding their person or qualifications).
- Data subjects: applicants.
- Purposes of processing: Application procedure (justification and possible subsequent implementation as well as possible later termination of the employment relationship).
- Legal basis: Application procedure as a pre-contractual or contractual relationship (Art. 6 para. 1 sentence 1 lit. b) GDPR).
Cloud Services
We use software services accessible via the Internet and running on their providers’ servers (so-called “cloud services”, also referred to as “software as a service”) for the storage and management of content (e.g. document storage and management, exchange of documents, content and information with certain recipients or publication of content and information).
In this context, personal data may be processed and stored on the providers’ servers, insofar as they are part of communication processes with us or are otherwise processed by us as set out in this privacy policy. This data may include, in particular, master data and contact details of the users, data on processes, contracts, other processes and their content. The providers of the cloud services also process usage data and metadata, which they use for security purposes and service optimization.
If we use the cloud services to provide forms or similar documents and content to other users or publicly accessible websites, the providers may store cookies on users’ devices for web analysis purposes or to remember user settings (e.g. in the case of media control).
- Types of data processed: inventory data (e.g. names, addresses); Contact details (e.g., email, phone numbers); Content data (e.g. entries in online forms); Usage data (e.g. websites visited, interest in content, access times); Meta, communication and procedural data (e.g. IP addresses, times, identification numbers, consent status). Image and/or video recordings (e.g. photographs or video recordings of a person).
- Data Subjects: Customers; employees (e.g. employees, applicants, former employees); Interested parties; Communication partners; Users (e.g., website visitors, users of online services). Business and contractual partners.
- Purposes of processing: office and organisational procedures; Information technology infrastructure (operation and provision of information systems and technical devices (computers, servers, etc.)); Provision of contractual services and fulfilment of contractual obligations. Provision of our online offer and user-friendliness.
- Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
Further information on processing processes, procedures and services:
- Adobe Creative Cloud: cloud storage, cloud infrastructure services, and cloud-based application software, including photo editing, video editing, graphic design, web development; Service Providers: Adobe Systems Software Ireland, 4-6, Riverwalk Drive, Citywest Business Campus, Brownsbarn, Dublin 24, D24 DCW0, Ireland; Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.adobe.com/de/creativecloud.html; Privacy Policy: https://www.adobe.com/de/privacy.html; Data Processing Agreement: Provided by the Service Provider. Basis for third-country transfers: EU/EEA – Data Privacy Framework (DPF), Switzerland – Adequacy Decision (Ireland).
- Microsoft cloud services: cloud storage, cloud infrastructure services, and cloud-based application software; service provider: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland; Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://microsoft.com/de-de; Privacy Policy: https://privacy.microsoft.com/de-de/privacystatement, Security Notes: https://www.microsoft.com/de-de/trustcenter; Data Processing Agreement: https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA. Basis for third-country transfers: EU/EEA – Data Privacy Framework (DPF), Switzerland – Adequacy Decision (Ireland).
- Microsoft Azure: interface access (so-called “API”) to AI-based services designed to understand and generate natural language and associated inputs and data, analyze information and make predictions (“AI”, i.e. “Artificial Intelligence”, is to be understood in the applicable legal sense of the term); service provider: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland; Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); website: https://azure.microsoft.com; Privacy Policy: https://privacy.microsoft.com/de-de/privacystatement; Data Processing Agreement: https://azure.microsoft.com/de-de/support/legal/. Basis for third-country transfers: EU/EEA – Data Privacy Framework (DPF), Switzerland – Adequacy Decision (Ireland).
Newsletter and Electronic Notifications
We send newsletters, e-mails and other electronic notifications (hereinafter referred to as “newsletters”) only with the consent of the recipients or legal permission. If its contents are specifically described in the context of a registration for the newsletter, they are decisive for the consent of the users. In addition, our newsletters contain information about our services and ourselves.
To subscribe to our newsletter, it is generally sufficient to provide your e-mail address. However, we may ask you to provide a name for personal address in the newsletter or other information if this is necessary for the purposes of the newsletter.
Double opt-in procedure: Registration for our newsletter is generally carried out in a so-called double opt-in procedure. This means that you will receive an e-mail after registration asking you to confirm your registration. This is necessary so that no one can register with other people’s e-mail addresses. The registrations for the newsletter are logged in order to be able to prove the registration process in accordance with the legal requirements. This includes the storage of both the registration and confirmation time as well as the IP address. Changes to your data stored by the shipping service provider will also be logged.
Deletion and restriction of processing: We may store the unsubscribed email addresses for up to three years on the basis of our legitimate interests before deleting them in order to be able to prove a previously given consent. The processing of this data is limited to the purpose of a potential defence against claims. An individual request for deletion is possible at any time, provided that the former existence of consent is confirmed at the same time. In the event of obligations to permanently observe objections, we reserve the right to store the e-mail address in a blacklist (so-called “blocklist”) for this purpose alone.
The registration process is recorded on the basis of our legitimate interests for the purpose of proving that it is running properly. If we commission a service provider to send e-mails, this is done on the basis of our legitimate interests in an efficient and secure mailing system.
Contents:
Information about us, our services, promotions and offers.
- Types of data processed: inventory data (e.g. names, addresses); Contact details (e.g., email, phone numbers); Meta, communication and procedural data (e.g. IP addresses, times, identification numbers, consent status). Usage data (e.g. websites visited, interest in content, access times).
- Data subjects: Communication partners.
- Purposes of processing: direct marketing (e.g. by e-mail or post).
- Legal basis: consent (Art. 6 para. 1 sentence 1 lit. a) GDPR). Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
- Opt-out: You can unsubscribe from receiving our newsletter at any time, i.e. withdraw your consent or object to further receipt. You will find a link to unsubscribe from the newsletter either at the end of each newsletter or you can use one of the contact options listed above, preferably e-mail, for this purpose.
Further information on processing processes, procedures and services:
- Measurement of opening and click-through rates: The newsletters contain a so-called “web beacon”, i.e. a pixel-sized file that is retrieved from our server or, if we use a shipping service provider, from its server when the newsletter is opened. As part of this retrieval, technical information, such as information about the browser and your system, as well as your IP address and the time of the retrieval are initially collected. This information is used for the technical improvement of our newsletter on the basis of the technical data or the target groups and their reading behaviour on the basis of their access locations (which can be determined with the help of the IP address) or the access times. This analysis also includes determining whether and when the newsletters are opened and which links are clicked. The information is assigned to the individual newsletter recipients and stored in their profiles until it is deleted. The evaluations are used to identify the reading habits of our users and to adapt our content to them or to send different content according to the interests of our users. The measurement of the opening and click rates as well as the storage of the measurement results in the profiles of the users as well as their further processing are carried out on the basis of the consent of the users. Unfortunately, it is not possible to revoke the performance measurement separately; instead, the entire newsletter subscription must be cancelled or objected to. In this case, the stored profile information will be deleted; Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR).
- Mailchimp: email marketing, marketing process automation, survey. Storing and managing contact details, measuring campaign performance, recording and analysing recipients’ interaction with content, personalising content; service provider: Rocket Science Group, LLC, 675 Ponce De Leon Ave NE #5000, Atlanta, GA 30308, USA; Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://mailchimp.com; Privacy Policy: https://mailchimp.com/legal/; Data Processing Agreement: https://mailchimp.com/legal/; basis for third-country transfers: EU/EEA – Data Privacy Framework (DPF), Switzerland – Standard Contractual Clauses (Provided by the Service Provider). More information: Special security measures: https://mailchimp.com/de/help/mailchimp-european-data-transfers/.
Advertising Communication via E-mail, Post, Fax or Telephone
We process personal data for the purposes of advertising communication, which can be carried out via various channels, such as e-mail, telephone, post or fax, in accordance with the legal requirements.
Recipients have the right to revoke their consent at any time or to object to advertising communications at any time.
After revocation or objection, we store the data required to prove the previous authorisation for contacting or sending you data for up to three years after the end of the year of revocation or objection on the basis of our legitimate interests. The processing of this data is limited to the purpose of a possible defense against claims. On the basis of the legitimate interest in permanently observing the revocation or objection of the users, we also store the data necessary to avoid renewed contact (e.g. e-mail address, telephone number, name, depending on the communication channel).
- Types of data processed: Inventory data (e.g. names, addresses). Contact details (e.g. e-mail, telephone numbers).
- Data subjects: Communication partners.
- Purposes of processing: direct marketing (e.g. by e-mail or post).
- Legal basis: consent (Art. 6 para. 1 sentence 1 lit. a) GDPR). Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
Polls and Surveys
We conduct polls and surveys to collect information for the purpose of the respective poll or survey. The polls and surveys conducted by us (hereinafter referred to as “surveys”) are evaluated anonymously. Personal data is only processed to the extent necessary for the provision and technical execution of the surveys (e.g. processing of the IP address in order to display the survey in the user’s browser or to enable the survey to be resumed with the help of a cookie).
- Types of data processed: Contact details (e.g., email, phone numbers); Content data (e.g. entries in online forms); Usage data (e.g. websites visited, interest in content, access times). Meta, communication and procedural data (e.g. IP addresses, time details, identification numbers, consent status).
- Data subjects: communication partner. Participants.
- Purposes of processing: Feedback (e.g. collecting feedback via online form).
- Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
Web Analysis, Monitoring and Optimization
Web analysis (also referred to as “reach measurement”) is used to evaluate the flow of visitors to our online offer and can include behaviour, interests or demographic information about visitors, such as age or gender, as pseudonymous values. With the help of the reach analysis, we can, for example, see at what time our online offer or its functions or content are used most often or invite repeat use. It is also possible for us to understand which areas need optimization.
In addition to web analysis, we may also use test procedures to test and optimize different versions of our online offer or its components.
Unless otherwise stated below, profiles, i.e. data combined into a usage process, may be created for these purposes and information may be stored in a browser or in an end device and then read. The information collected includes, in particular, websites visited and elements used there, as well as technical information such as the browser used, the computer system used and information on times of use. If users have consented to the collection of their location data vis-à-vis us or the providers of the services we use, the processing of location data is also possible.
In addition, the IP addresses of the users are stored. However, we use an IP masking process (i.e. pseudonymization by shortening the IP address) to protect users. In general, in the context of web analysis, A/B testing and optimization, no clear data of the users (such as e-mail addresses or names) is stored, but pseudonyms. This means that we, as well as the providers of the software used, do not know the actual identity of the users, but only the information stored in their profiles for the purpose of the respective procedures.
Information on legal bases: If we ask users for their consent to the use of third-party providers, the legal basis for data processing is consent. Otherwise, the user data will be processed on the basis of our legitimate interests (i.e. interest in efficient, economical and recipient-friendly services). In this context, we would also like to draw your attention to the information on the use of cookies in this privacy policy.
- Types of data processed: usage data (e.g. websites visited, interest in content, access times). Meta, communication and procedural data (e.g. IP addresses, time details, identification numbers, consent status).
- Data subjects: users (e.g., website visitors, users of online services).
- Purposes of processing: reach measurement (e.g. access statistics, recognition of returning visitors); Profiles with user-related information (creating user profiles). Provision of our online offer and user-friendliness.
- Security measures: IP masking (pseudonymization of the IP address).
- Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR).
Further information on processing processes, procedures and services:
- Google Analytics: We use Google Analytics to measure and analyze the use of our online offer on the basis of a pseudonymous user identification number. This identification number does not contain any unique data, such as names or email addresses. It is used to assign analysis information to a terminal device in order to identify which content users have accessed within one or more usage processes, which search terms they have used, what they have accessed again and how they have interacted with our online offering. The time of use and its duration are also stored, as well as the sources of the users who refer to our online offer and technical aspects of their devices and browsers.
Pseudonymous profiles of users are created with information from the use of various devices, whereby cookies can be used. Google Analytics does not log or store individual IP addresses for EU users. However, Analytics provides rough geographic location data by deriving the following metadata from IP addresses: city (and the city’s inferred latitude and longitude), continent, country, region, subcontinent (and ID-based counterparts). In the case of EU data traffic, the IP address data is used exclusively for this derivation of geolocation data before it is immediately deleted. They are not logged, are not accessible and are not used for other purposes. When Google Analytics collects metrics, all IP queries are performed on EU-based servers before traffic is routed to Analytics servers for processing; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; legal bases: consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); Website: https://marketingplatform.google.com/intl/de/about/analytics/; security measures: IP masking (pseudonymization of the IP address); Privacy Policy: https://policies.google.com/privacy; DPA: https://business.safety.google/adsprocessorterms/; basis for third-country transfers: EU/EEA – Data Privacy Framework (DPF), Switzerland – adequacy decision (Ireland); Opt-out: Opt-out plugin: https://tools.google.com/dlpage/gaoptout?hl=de, settings for the display of advertisements: https://myadcenter.google.com/personalizationoff. Further information: https://business.safety.google/adsservices/ (types of processing and data processed).
- Google Tag Manager: We use Google Tag Manager, a tool from Google, to be able to manage so-called website tags centrally via a user interface. Tags are small pieces of code on our website that are used, among other things, to measure and analyze visitor activity. This technique helps us to improve our website and the offer on it.
The Google Tag Manager itself does not create user profiles, does not store cookies and does not perform independent analyses. It only serves to integrate the tools and services we use for our website more easily and efficiently. Nevertheless, when using the Google Tag Manager, the IP address of the user is transmitted to Google, which is technically necessary to carry out the various services we use. It is important to know that this data processing only takes place when services that require it are integrated via the Tag Manager. For details on these services and how they process data, please refer to the further sections in this Privacy Policy; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; legal bases: consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); Website: https://marketingplatform.google.com; Privacy Policy: https://policies.google.com/privacy; Data Processing Agreement: https://business.safety.google/adsprocessorterms. Basis for third-country transfers: EU/EEA – Data Privacy Framework (DPF), Switzerland – Adequacy Decision (Ireland).
Customer Reviews and Rating Methods
We participate in review and evaluation processes to evaluate, optimize and promote our services. If users rate us or otherwise provide feedback via the review platforms or procedures involved, the general terms and conditions of use and the data protection notices of the providers also apply. As a rule, the evaluation also requires registration with the respective providers.
In order to ensure that the reviewers have actually used our services, we transmit the necessary data with regard to the customer and the service used to the respective review platform (including name, e-mail address and order number or article number) with the consent of the customers. This data is used solely to verify the authenticity of the user.
- Types of data processed: contract data (e.g. subject matter of the contract, term, customer category); usage data (e.g. websites visited, interest in content, access times); meta, communication and procedural data (e.g. IP addresses, time details, identification numbers, consent status).
- Data subjects: customers; users (e.g. website visitors, users of online services).
- Purposes of processing: feedback (e.g. collecting feedback via online form); marketing.
- Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
Further information on processing operations, procedures and services:
- Google Customer Reviews: service for collecting and/or presenting customer satisfaction and customer opinions; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; legal bases: legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); website: https://www.google.com/; Privacy Policy: https://policies.google.com/privacy; basis for third-country transfers: EU/EEA – Data Privacy Framework (DPF), Switzerland – adequacy decision (Ireland); Further information: As part of the collection of customer reviews, an identification number and the time of the business transaction to be evaluated are processed and, in the case of review requests sent directly to customers, the customer’s e-mail address and country of residence as well as the review information itself; further information on the types of processing and the data processed: https://business.safety.google/adsservices/. Data processing terms for Google advertising products (information on the services, data processing terms between controllers and standard contractual clauses for third-country transfers of data): https://business.safety.google/adscontrollerterms.
Presences in Social Networks (Social Media)
We maintain online presences within social networks and process user data in this context in order to communicate with the users active there or to offer information about us.
We would like to point out that user data may be processed outside the area of the European Union. This can result in risks for users, for example, because it could make it more difficult to enforce user rights.
Furthermore, user data within social networks is usually processed for market research and advertising purposes. For example, usage profiles can be created based on the user behavior and the resulting interests of the users. The latter may in turn be used, for example, to place advertisements inside and outside the networks that presumably correspond to the interests of the users. Therefore, cookies are usually stored on the users’ computers, in which the user’s usage behaviour and interests are stored. In addition, data can also be stored in the user profiles regardless of the devices used by the users (in particular if they are members of the respective platforms and logged in there).
For a detailed description of the respective forms of processing and the options for objection (opt-out), we refer to the privacy policies and information provided by the operators of the respective networks.
In the case of requests for information and the assertion of data subject rights, we would also like to point out that these can be asserted most effectively with the providers. Only the latter have access to the user data and can directly take appropriate measures and provide information. If you still need help, you can contact us.
- Types of data processed: contact details (e.g. email, phone numbers); content data (e.g. entries in online forms); usage data (e.g. websites visited, interest in content, access times); meta, communication and procedural data (e.g. IP addresses, time details, identification numbers, consent status).
- Data subjects: users (e.g. website visitors, users of online services).
- Purposes of processing: contact requests and communication; feedback (e.g. collecting feedback via online form); marketing.
- Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
Further information on processing operations, procedures and services:
- LinkedIn: social network; service provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland; legal bases: legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); website: https://www.linkedin.com; Privacy Policy: https://www.linkedin.com/legal/privacy-policy; basis for third-country transfers: EU/EEA – Data Privacy Framework (DPF), Switzerland – adequacy decision (Ireland); opt-out option: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out. Further information: We are jointly responsible with LinkedIn Ireland Unlimited Company for the collection (but not the further processing) of visitor data for the purpose of creating the “page insights” (statistics) of our LinkedIn profiles.
This data includes information about the types of content users view or interact with, or the actions they take, as well as information about the devices used by users (e.g., IP addresses, operating system, browser type, language preferences, cookie data) and information from users’ profiles, such as job function, country, industry, hierarchical level, company size, and employment status. Data protection information on the processing of user data by LinkedIn can be found in LinkedIn’s privacy policy: https://www.linkedin.com/legal/privacy-policy
We have entered into a special agreement with LinkedIn Ireland (“Page Insights Joint Controller Addendum (the ‘Addendum’)”, https://legal.linkedin.com/pages-joint-controller-addendum), which regulates in particular which security measures LinkedIn must observe and in which LinkedIn has agreed to comply with the rights of data subjects (i.e. users can, for example, direct requests for information or deletion directly to LinkedIn). The rights of users (in particular to information, deletion, objection and complaint to the competent supervisory authority) are not restricted by the agreements with LinkedIn. Joint controllership is limited to the collection of the data by, and its transfer to, LinkedIn Ireland Unlimited Company, a company based in the EU. The further processing of the data is exclusively the responsibility of LinkedIn Ireland Unlimited Company, in particular the transmission of the data to the parent company LinkedIn Corporation in the USA.
Management, Organization and Auxiliary Tools
We use services, platforms and software from other providers (hereinafter referred to as “Third Party Providers”) for the purposes of organizing, managing, planning and providing our services. When selecting third-party providers and their services, we observe the legal requirements.
In this context, personal data may be processed and stored on the servers of the third-party providers. This may affect various data that we process in accordance with this privacy policy. This data may include, in particular, master data and contact details of the users, data on processes, contracts, other processes and their content.
To the extent that users are referred to the third-party service providers or their software or platforms in the course of communication, business or other relationships with us, the third-party providers may process usage data and metadata for security purposes, service optimization or marketing purposes. We therefore ask you to observe the data protection notices of the respective third-party providers.
- Types of data processed: content data (e.g. entries in online forms); usage data (e.g. websites visited, interest in content, access times); meta, communication and procedural data (e.g. IP addresses, time details, identification numbers, consent status).
- Data subjects: communication partners; users (e.g. website visitors, users of online services).
- Purposes of processing: contact requests and communication; provision of contractual services and fulfilment of contractual obligations; office and organizational procedures.
- Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
Further information on processing operations, procedures and services:
- Jira: web application for error management, troubleshooting and operational project management; service provider: Atlassian Inc. (San Francisco, Harrison Street Location), 1098 Harrison Street, San Francisco, California 94103, USA; Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.atlassian.com/software/jira; Privacy Policy: https://www.atlassian.com/legal/privacy-policy; Data Processing Agreement: https://www.atlassian.com/legal/data-processing-addendum; basis for third-country transfers: EU/EEA – Data Privacy Framework (DPF), Switzerland – Standard Contractual Clauses (Provided by the Service Provider). More information: Data Transfer Impact Assessment: https://www.atlassian.com/legal/data-transfer-impact-assessment.
- WeTransfer: transfer of files over the Internet; service provider: WeTransfer BV, Oostelijke Handelskade 751, Amsterdam, 1019 BW, The Netherlands; legal bases: legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); website: https://wetransfer.com; Privacy Policy: https://wetransfer.com/legal/privacy; basis for third-country transfers: Switzerland – adequacy decision (Netherlands).