Privacy policy
Preamble
The following Privacy Policy is to inform you which personal data (hereinafter referred to as ‘data’) we will process, to what extent and for which purposes. This Privacy Policy applies to all processing of personal data, whether related to delivery of services or, in particular, on our websites, in mobile applications and in external social media accounts and blog posts (hereinafter collectively referred to as ‘online services’).
Used terms are not gender specific.
As of: March 6, 2023
Contents
- Preamble
- Controller
- Privacy Officer Contact Details
- Processings Overview
- Applicable Law
- Security Measures
- Transmission of Personal Data
- Processing in Third Countries
- Erasure of Data
- Use of Cookies
- Business Services
- Use of Online Platforms for Advertising and Distribution
- Payment Methods
- Provision of Online Services and Webhosting
- Specific Notes on Applications (Apps)
- Contact and Request Administration
- Communication via Messenger
- Chatbots and Chat Functions
- Video Conferences, Online Meetings, Webinars and Screen Sharing
- Job Application Procedure
- Cloud Services
- Sweepstakes and Contests
- Web Analysis, Monitoring and Optimization
- Online Marketing
- Customer Reviews and Ratings
- Profiles on Social Networks (Social Media)
- Plug-ins, Embedded Functions and Content
- Management, Organization and Utilities
- Changes and Updates to the Privacy Policy
- Rights of Data Subjects
- Terminology and Definitions
Controller
Steinberg GmbH
Schiess-Strasse 30
40549 Düsseldorf
Germany
Authorized representatives:
Johannes Löhnert, Marcus Löhnert
Email:
info@steinberg-armaturen.de
Phone:
+49 (0) 211 5202490
Legal Notice:
Privacy Officer Contact Details
SZ IT-Solutions UG (limited)
Fritz-Gressard-Platz 4–9
40721 Hilden
Germany
Authorized representative: Selman Sezek
Phone: +49 (0) 2103 9773378
Email: selman.sezek@steinberg-armaturen.de
Website: http://www.szit.eu
Processings Overview
The following table lists the types of data processed, the purposes for which they are processed and the persons concerned (hereinafter referred to as ‘data subjects’).
Categories of Processed Data
- Inventory data.
- Location data.
- Contact data.
- Content data.
- Contract data.
- Usage data.
- Meta, communications and processing data.
- Job applicant details.
- Images and/or video recordings.
Categories of Data Subjects
- Customers.
- Employees.
- Prospective customers.
- Communication partners.
- Users.
- Job applicants.
- Participants in sweepstakes and contests.
- Business and contractual partners.
- Persons depicted.
Purposes of Processing
- Contract performance and customer support.
- Contact requests and communication.
- Security measures.
- Direct marketing.
- Web Analytics.
- Tracking.
- Office and organizational procedures.
- Remarketing.
- Conversion tracking.
- Managing of and responding to inquiries.
- Job application procedure.
- Conducting sweepstakes and contests.
- Feedback.
- Marketing.
- Profiles with user-related information.
- Provision of our online services and usability.
- IT infrastructure.
Applicable Law
The following is to give you an outline of GDPR provisions pursuant to which we process personal data. Please note that, in addition to applicable GDPR provisions, national data protection provisions of your or our country of residence or domicile may apply. If, in addition, more specific legal provisions are applicable in individual cases, information on these will be given in this Privacy Policy.
- Consent (Article 6 (1) (a) GDPR) – The data subject has given consent to the processing of their personal data for one or more specific purposes.
- Contract performance and prior requests (Article 6 (1) (b) GDPR) – Data processing is necessary to perform a contract that the data subject is party to, or in order to take steps at the request of the data subject prior to entering into a contract.
- Compliance with a legal obligation (Article 6 (1) (c) GDPR) – Processing is necessary for compliance with a legal obligation that the Controller is subject to.
- Legitimate interests (Article 6 (1) (f) GDPR) – Processing is necessary for pursuing the legitimate interests of the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject that require protection of personal data.
- Job application process as a pre-contractual or contractual relationship (Article 6 (1) (b) GDPR) – If special categories of personal data within the meaning of Article 9 (1) GDPR (e.g., health data, such as severely handicapped status or ethnic origin) are requested from applicants within the framework of the application procedure, so that the controller or data subject can exercise their rights and obligations as set forth in labor, social security and social protection law, processing shall be carried out pursuant to Article 9 (2) (b) GDPR, in the case of the protection of vital interests of applicants or other persons pursuant to Article 9 (2) (c) GDPR, or for the purposes of preventive health care or occupational medicine, the assessment of the employee’s ability to work, for medical diagnostics, care or treatment in the health or social sector or for the administration of systems and services in the health or social sector pursuant to Article 9 (2) (h) GDPR. In the case of disclosure of special categories of data based on voluntary consent, processing is carried out pursuant to Article 9 (2) (a) GDPR.
In addition to the data protection regulations of the General Data Protection Regulation, national regulations apply to data protection in Germany. This includes, in particular, the Law on Protection against Misuse of Personal Data in Data Processing (Federal Data Protection Act/BDSG). In particular, the BDSG contains special provisions on the right to access, the right to erase, the right to object, the processing of special categories of personal data, processing for other purposes and transmission as well as automated decision-making in individual cases, including profiling. Furthermore, it regulates data processing within the framework of an employment relationship (Paragraph 26 BDSG), in particular with respect to the establishment, execution or termination of employment relationships as well as the consent of employees. Furthermore, individual federal state data protection law may apply.
Security Measures
We take appropriate technical and organizational measures in accordance with the legal requirements, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, in order to ensure a level of security appropriate to the risk incurred.
The measures include, in particular, safeguarding the confidentiality, integrity and availability of data by controlling physical and electronic access to the data as well as access to input, transmission, securing and separation of the data. In addition, we have established procedures to ensure that data subjects’ rights are respected, that data is erased, and that threats to data are responded to quickly. Furthermore, we take the protection of personal data into account as early as in the development or selection of hardware, software and service providers, following the principle of privacy by design and by default.
Masking of the IP address: If IP addresses are processed by us or by the service providers and technologies used, and the processing of complete IP addresses is not necessary, IP addresses are truncated (also referred to as ‘IP masking’). In this process, the last two digits or the last part of the IP address after a full stop are removed or replaced by wildcards. IP masking is intended to prevent the identification of a person by means of their IP address or to make such identification significantly more difficult.
TLS encryption (https): To protect your data transmitted via our online services, we use TLS encryption. You can recognize such encrypted connections by the prefix https:// in the address bar of your browser.
Transmission of Personal Data
In the context of our processing of personal data, it may happen that data is transferred or disclosed to other bodies, companies, legal entities or persons. Recipients of this data may include, for example, service providers commissioned with IT tasks or providers of services and content that are embedded in a website. In such a case, we ensure that legal requirements are observed and, in particular, enter into corresponding contracts or agreements catering to the protection of your data with the respective recipients.
Data Transmission within the Group of Companies: We may transfer personal data to other companies within our group of companies or otherwise grant them access to this data. Insofar as this disclosure is for administrative purposes, the disclosure of the data is based on our legitimate business and economic interests or is otherwise done if necessary to fulfill our contractual obligations or upon the data subjects’ consent or by other legal permission.
Processing in Third Countries
If we process data in a third country (i.e., outside the European Union (EU), the European Economic Area (EEA)) or the processing is done in the context of the use of third-party services or disclosure or transfer of data to other persons, bodies or companies, this will only be done in accordance with legal requirements.
Subject to express consent or transfer required by contract or law, we process or have processed the data only in third countries with an approved level of data protection, on the basis of special guarantees, such as a contractual obligation through so-called standard protection clauses of the EU Commission, or if certifications or binding internal data protection regulations justify the processing (Articles 44 to 49 GDPR, information page of the EU Commission https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection_en).
Erasure of Data
The data processed by us will be erased pursuant to statutory provisions as soon as their processing is revoked or other permissions no longer apply (e.g., if the purpose of processing no longer applies or the data are not required for the purpose). If the data is not erased because it is required for other and legally permissible purposes, their processing will be limited to these purposes. This means that access to the data will be restricted and the data will not be processed for other purposes. This applies, for example, to data that must be stored as required by commercial or tax law, or to data whose storage is necessary to assert, exercise or defend legal claims or to protect the rights of another natural or legal person.
In the context of our information on data processing, we may provide users with further information on the erasure and retention of data specific to the respective processing operation.
Use of Cookies
Cookies are small text files or other data records that store information on and read information from terminal devices, for example, to store the login status in a user account, the contents of a shopping cart in an e-shop, the contents accessed or the online service functions used. Cookies can also be used for various other purposes, e.g., for functionality, security and convenience of online services as well as for analyzing visitor flows.
Information on consent: We use cookies in accordance with the statutory provisions. Therefore, we obtain prior consent from users, except when not required by law. Consent is not required, in particular, if the storage and reading of information, including cookies, is strictly necessary in order to provide an information society service (i.e., our online services) explicitly requested by the subscriber or user. The revocable consent will be clearly communicated to the user and will contain information on the respective cookie use.
Information on legal bases under data protection law: The legal basis under data protection law on which we process users’ personal data by means of the use of cookies depends on whether we ask users for their consent. If users consent, the legal basis for processing their data is their declared consent. Otherwise, the data processed by means of cookies is processed on the basis of our legitimate interests (e.g., in a business operation of our online services and for improvement of its usability) or, in the context of the fulfillment of our contractual obligations, if the use of cookies is necessary to fulfill our contractual obligations. We clarify in the course of this Privacy Policy or in the context of our consent and processing procedures for which purposes we process cookies.
Retention period: With respect to the retention period, a distinction is drawn between the following types of cookies:
- Temporary cookies (also known as ‘session cookies’): Temporary cookies are deleted at the latest after a user has left an online service and closed their terminal device (e.g., browser or mobile application).
- Permanent cookies: Permanent cookies remain stored after the terminal device is closed. For example, the login status can be saved, or preferred content can be displayed directly when the user visits a website again. Likewise, user data collected by means of cookies can be used for web analytics. Unless we provide users with explicit information about the type and storage duration of cookies (e.g., as part of obtaining consent), users should assume that cookies are permanent and that the storage period may extend to two years.
General information on revocation and objection (opt-out): Users can revoke the consent they have given at any time and also file an objection to processing pursuant to Article 21 GDPR. Users can also declare their objection in the settings of their browser, e.g., by deactivating the use of cookies (which however may also limit the functionality of our online services). An objection to the use of cookies for online marketing purposes can also be declared on the websites https://optout.aboutads.info and https://www.youronlinechoices.com/.
- Processed data types: Meta, communication and processing data (e.g., IP addresses, time stamps, device IDs and status of consent).
- Data subjects: Users (e.g., website visitors and users of online services).
- Purposes of processing: Provision of our online services and usability.
- Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR).
Further information on processing methods, procedures and services used:
- Processing cookie data on the basis of consent: We use a cookie management solution in which users’ consent to the use of cookies, or the procedures and providers mentioned in the cookie management solution, can be obtained, and in which such consent can be managed and revoked by the users. The declaration of consent is stored so that it does not need to be retrieved again and its presence can be proven pursuant to the legal obligation hereto. Storage can be done on the server and/or in a cookie (so-called opt-out cookie, or comparable technology) in order to be able to assign the consent to a specific user or their terminal device. Subject to individual details of the providers of cookie management services, the following applies: The declaration of consent may be stored for up to two years. For this purpose, a pseudonymous user identifier is stored together with the date and time of consent and information on the scope of the consent (e.g., categories of cookies and service providers), as well as information on the browser, system and terminal device used.
- OneTrust: Cookie Consent Manager; Service provider: OneTrust Technology Limited, 82 St John St, Farringdon, London EC1M 4JN, United Kingdom (UK); Website: https://www.onetrust.com/; Privacy Policy: https://www.onetrust.com/privacy/.
- CookiePro: Cookie Consent Manager; Service provider: OneTrust, 82 St. John Street, London EC1M 4JN, United Kingdom; Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR); Website: https://www.cookielaw.org; Privacy Policy: https://www.onetrust.com/privacy-notice.
- Klaro!: Cookie Consent Manager; Service provider: KIProtect GmbH, Bismarckstr. 10-12, 10625 Berlin, Germany; Website: https://kiprotect.com/klaro; Privacy Policy: https://kiprotect.com/resources/privacy.
Business Services
We process data of our contractual and business partners, e.g., customers and interested parties (collectively referred to as ‘contractual partners’) within the context of contractual and comparable legal relationships and related actions and communication with the contractual partners, or pre-contractually, e.g., to answer inquiries.
We process this data in order to fulfill our contractual obligations. These include, in particular, the obligation to provide the agreed services, applicable update obligations and remedies in the event of warranty and other service disruptions. In addition, we process the data to protect our rights and for the purpose of administrative tasks and company organization related to these obligations. Furthermore, we process the data on the basis of our legitimate interests in sound and economical business management as well as in security measures to protect our contractual partners and business operations from misuse and endangerment of their data, secrets, information and rights (e.g., for the involvement of telecommunications, transport and other auxiliary services as well as subcontractors, banks, tax and legal advisors, payment service providers or tax authorities). Within the framework of applicable law, we disclose data of contractual partners to third parties only to the extent necessary for the aforementioned purposes or to fulfill legal obligations. Contractual partners will be informed about further forms of processing, e.g., for marketing purposes, within the scope of this Privacy Policy.
We inform the contracting partners before, or in the context of, the data collection, e.g., in online forms by special marking (e.g., colors), and/or symbols (e.g., asterisks or the like), or personally, which data are necessary to be collected for the aforementioned purposes.
We erase the data after expiry of statutory warranty and comparable obligations, i.e., in principle after expiry of 4 years, unless the data is stored in a customer account or must be kept for legal reasons of archiving. The statutory retention period for documents relevant under tax law as well as for commercial books, inventories, opening balance sheets, annual financial statements, for instructions required to understand these documents, and for other organizational documents and accounting records is ten years, and for received commercial and business letters and reproductions of sent commercial and business letters six years. Any such period begins at the end of the calendar year in which the last entry was made in the book, the inventory, the opening balance sheet, the annual financial statements or the management report was prepared, the commercial or business letter was received or sent, or the accounting document was created, furthermore the record was made or the other documents were created.
If we use third-party providers or platforms to provide our services, the terms and conditions and privacy policies of the respective third-party providers or platforms shall apply in the relationship between users and providers.
- Processed data types: Inventory data (e.g., names and addresses); Payment Data (e.g., bank details, invoices and payment history); Contact data (e.g., e-mail addresses and telephone numbers); Contract data (e.g., contract object, duration and customer category); Usage data (e.g., websites visited, interest in content and access times); Meta, communication and processing data (e.g., IP addresses, time stamps, ID numbers and status of consent).
- Data subjects: Customers; Prospective customers; Business and contractual partners.
- Purposes of Processing: Provision of contractual services and customer support; Security measures; Contact requests and communication; Office and organizational procedures; Managing of and responding to inquiries.
- Legal Basis: Performance of a contract and prior requests (Article 6 (1) (b) GDPR); Compliance with a legal obligation (Article 6 (1) (c) GDPR); Legitimate Interests (Article 6 (1) (f) GDPR).
Further information on processing methods, procedures and services used:
- Customer Account: Contractual partners can create a customer or user account. If the registration of a customer account is required, contractual partners will be informed of this as well as of the details required for registration. Customer accounts are not public and cannot be indexed by search engines. In the course of registration and subsequent log on to and use of the customer account, we store the IP addresses of the contractual partners along with access times in order to be able to prove the registration and prevent any misuse of the customer account. If customers have closed their customer account, the related data will be erased unless its retention is required by law. It is the responsibility of the customer to secure their data upon termination of the customer account. Legal Basis: Performance of a contract and prior requests (Article 6 (1) (b) GDPR).
- Online Shop and e-Commerce: We process the data of our customers in order to enable them to select, purchase or order the selected products, goods and related services, as well as payment and delivery, or performance of other services. If necessary for the execution of an order, we use service providers, in particular postal, freight and shipping businesses in order to effect delivery or execution. For the processing of payment transactions we use the services of banks and payment service providers. The required details are identified as such in the course of the ordering or comparable purchasing process and include the details required for delivery, or other way of making the product available, and for invoicing as well as contact information in order to enable subsequent consultation or assistance. Legal Basis: Performance of a contract and prior requests (Article 6 (1) (b) GDPR).
Use of Online Platforms for Advertising and Distribution
We offer our services on online platforms operated by other service providers. In addition to our Privacy Policy, the privacy policies of the respective platforms apply. This holds true particularly with respect to the payment process, to the methods of reach measurement (web analytics) used on the platforms, and to behavior-related marketing.
- Processed data types: Inventory data (e.g., names and addresses); Payment Data (e.g., bank details, invoices and payment history); Contact data (e.g., e-mail addresses and telephone numbers); Contract data (e.g., contract object, duration and customer category); Usage data (e.g., websites visited, interest in content and access times); Meta, communication and processing data (e.g., IP addresses, time stamps, ID numbers and status of consent).
- Data subjects: Customers.
- Purposes of Processing: Provision of contractual services and customer support; Marketing.
- Legal Basis: Performance of a contract and prior requests (Article 6 (1) (b) GDPR).
Further information on processing methods, procedures and services used:
- Architonic: Online Search Platform; Provider: Architonic AG, Müllerstrasse 71, CH 8004 Zürich, Switzerland; Website: https://www.architonic.com/; Privacy Policy: https://daaily.com/privacy-policy.html.
- BIMobject: Digital imaging of construction parts; Provider: BIMobject Deutschland GmbH, Radlkoferstraße 2, 81373 München, Germany; Website: https://www.bimobject.com; Privacy Policy: https://accounts.bimobject.com/privacypolicy.
- Furioos: 3-D Configurator; Provider: Unity Technologies, San Francisco, California, USA; Website: https://www.furioos.com/; Privacy Policy: https://unity3d.com/legal/privacy-policy.
- Sketchfab: 3-D/VR Content Configurator; Provider: Epic Games c/o Sketchfab, 440 9th Ave, Suite 1700, New York, NY 10001, USA; Website: https://sketchfab.com; Privacy Policy: https://sketchfab.com/privacy.
Provision of Online Services and Webhosting
We process user data in order to be able to provide our online services. For this purpose, we process the user’s IP address, which is necessary to transmit the content and functions of our online services to the user’s browser or terminal device.
- Processed data types: Usage data (e.g., websites visited, interest in content and access times); Meta, communication and processing data (e.g., IP addresses, time stamps, ID numbers and status of consent); Inventory data (e.g., names and addresses); Payment Data (e.g., bank details, invoices and payment history); Contact data (e.g., e-mail addresses and telephone numbers); Contract data (e.g., contract object, duration and customer category).
- Data subjects: Users (e.g., website visitors and users of online services); Prospective customers; Business and contractual partners.
- Purposes of Processing: Provision of our online services and usability; Information technology infrastructure (Operation and provision of information systems and technical devices, such as computers, servers, etc.); Security measures; Provision of contractual services and customer support; Conversion tracking (Measurement of the effectiveness of marketing activities); Marketing.
- Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR).
Further information on processing methods, procedures and services used:
- Provision of our online services on rented hosting space: For the provision of our online services we use storage space, computing capacity and software that we rent or otherwise obtain from a qualified server provider (also referred to as ‘web hoster’). Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR).
- Collection of Access Data and Log Files: The access to our online services is logged in the form of so-called server log files. Server log files may contain the address and name of the web pages and files accessed, the date and time of access, data volumes transferred, notification of successful access, browser type and version, operating system, referrer URL (the previously visited page) and, as a general rule, IP addresses and the requesting provider. Server log files may be used for security purposes, e.g., to avoid server overload (especially in the case of abusive attacks, so-called DDoS attacks), and to ensure server stability and optimal load allocation. Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR). Retention period: Log file information is stored for a maximum of 30 days and then erased or anonymized. Data that has to be retained for evidence purposes is excluded from deletion until the respective incident has been finally clarified.
- Shopify: Platform for offering and performing e-commerce services. The services and related processes include, in particular, online stores, websites, their offers and content, community elements, purchase and payment transactions, customer communication, as well as analysis and marketing; Service provider: Shopify International Limited, Victoria Buildings, 2nd Floor, 1–2 Haddington Road, Dublin 4, D04 XN32, Ireland; Website: https://www.shopify.com; Privacy Policy: https://www.shopify.com/legal/privacy.
- Microsoft Cloud Services: Cloud storage, cloud infrastructure services and cloud-based application software; Service provider: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland; Parent company: Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399 USA; Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR); Website: https://microsoft.com; Privacy Policy: https://privacy.microsoft.com/de-de/privacystatement, Security information: https://www.microsoft.com/de-de/trustcenter; Data Processing Agreement: https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA; Contractual Clauses (Safeguarding the level of data protection when processing data in third countries): https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA.
- webgo: Services in the field of the provision of IT infrastructure and related services (e.g., storage space and/or computing capacities); Service provider: webgo GmbH, Wandsbeker Zollstr. 95, 22041 Hamburg, Germany; Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR); Website: https://www.webgo.de/; Privacy Policy: https://www.webgo.de/datenschutz/.
Specific Notes on Applications (Apps)
We process the data of the users of our application to the extent necessary to provide the users with the application and its functionality, to monitor its security and to develop it further. Furthermore, we may contact users in compliance with applicable statutory provisions if communication is necessary for the purposes of administration or use of the application. In addition, we refer to the information given in this Privacy Policy with respect to data protection in the course of processing user data.
Legal basis: The processing of data necessary for the provision of the functionality of the application serves to fulfil contractual obligations. This also applies if the provision of the functions requires user authorization (e.g., release of terminal device functions). If the processing of data is not necessary for the provision of the functionality of the application but serves the security of the application or our business interests (e.g., collection of data for the purpose of optimizing the application or for security purposes), it is done on the legal basis of our legitimate interests. If users are expressly requested to give their consent to the processing of their data, the data covered by the consent is processed on the basis of such consent.
- Processed data types: Inventory data (e.g., names and addresses); Meta, communication and processing data (e.g., IP addresses, time stamps, ID numbers and status of consent); Payment Data (e.g., bank details, invoices and payment history); Contract data (e.g., contract object, duration and customer category).
- Data subjects: Users (e.g., website visitors and users of online services).
- Purposes of Processing: Contract performance and customer support.
- Legal Basis: Consent (Article 6 (1) (a) GDPR); Performance of a contract and prior requests (Article 6 (1) (b) GDPR); Legitimate Interests (Article 6 (1) (f) GDPR).
Further information on processing methods, procedures and services used:
- Commercial use: We process the data of the users of our application, registered and possible test users (hereinafter uniformly referred to as ‘users’) in order to provide them with our contractual services and, on the basis of legitimate interests, to ensure the security of our application and to develop it further. The required details are identified as such within the scope of the conclusion of the contract on the use of the application, the conclusion of an order or a comparable contract, and may include the details required for the provision of services and invoicing as well as contact information in order to enable subsequent consultation and assistance. Legal Basis: Performance of a contract and prior requests (Article 6 (1) (b) GDPR).
- Device authorizations for access to functions and data: The use of certain functions of our application may require access to certain functions of, or to data accessible by, the user’s terminal device. By default, these permissions must be granted by the user and can be revoked at any time in the settings of the respective devices. The exact procedure for controlling app permissions may depend on the user’s terminal device and software. Users may contact us if they require further explanation. We point out that the refusal or revocation of permissions may affect the functionality of our application.
Contact and Request Administration
When contacting us (e.g., via contact form, e-mail, telephone or social media) as well as in the context of existing user and business relationships, the information given by the inquiring person is processed to the extent necessary to respond to the contact requests and any requested measures.
- Processed data types: Contact data (e.g., e-mail addresses and telephone numbers); Content data (e.g., entries in online forms); Usage data (e.g., websites visited, interest in content and access times); Meta, communication and processing data (e.g., IP addresses, time stamps, ID numbers and status of consent).
- Data subjects: Communication partners.
- Purposes of processing: Contact requests and communication; Managing of and responding to inquiries; Feedback (e.g., as collected via online form); Provision of our online services and usability.
- Legal basis: Legitimate Interests (Article 6 (1) (f) GDPR); Performance of a contract and prior requests (Article 6 (1) (b) GDPR).
Further information on processing methods, procedures and services used:
- Contact form: If users contact us via contact form, e-mail, telephone or other means of communication, we process the data communicated in this context for the purpose of answering the respective inquiry. Legal Basis: Performance of a contract and prior requests (Article 6 (1) (b) GDPR); Legitimate Interests (Article 6 (1) (f) GDPR).
Communication via Messenger
We use messenger services for communication purposes and therefore ask you to observe the following information regarding the functionality of messenger services, encryption, use of metadata and your options to object.
You may also contact us by alternative means, e.g., telephone or e-mail. Please use the contact options provided or the contact options included in our online services.
In the case of content encryption (i.e., encryption of the content of your message and attachments), the communication content (i.e., the content of the message and attached images) is encrypted end-to-end. This means that the content of the message is not accessible, not even by the messenger service providers themselves. Make sure to use a current version of the messenger service with activated encryption to ensure that your message contents are effectively encrypted.
However, we point out to our communication partners that although messenger service providers do not have access to content, they are able to detect that and when communication partners communicate with us and to process technical information on the communication partner’s device used and, depending on the settings of their device, also location data (so-called metadata).
Information on legal basis: If we ask communication partners for permission before communicating with them via messenger services, the legal basis of our processing of their data is their given consent. Otherwise, if we do not request consent and you contact us, for example, on your own initiative, we use messenger services in our dealings with our contractual partners and as part of the contract initiation process as a contractual measure, and, in the case of other interested parties and communication partners, on the basis of our legitimate interests in fast and efficient communication, and in meeting the needs of our communication partners for communication via messenger services. We also point out that we do not transmit the contact data provided to us to the messenger service providers for the first time without your consent.
Withdrawal, objection and erasure: You may withdraw your consent or object to communication with us via messenger service at any time. In the case of communication via messenger services, we delete the messages in accordance with our general data retention policy (i.e., as described above after the end of contractual relationships, archiving requirements, etc.) and otherwise as soon as we can assume that we have answered all requests by the communication partners, that no reference to a previous conversation is to be expected, and that there are no legal obligations to store the messages to prevent their erasure.
Reservation of reference to other means of communication: Finally, we point out that we reserve the right, for reasons of your safety, not to answer inquiries via messenger services. This is the case if, for example, internal contractual matters require special secrecy or if an answer via messenger service does not meet formal requirements. In such cases we refer you to more adequate means of communication.
- Processed data types: Contact data (e.g., e-mail addresses and telephone numbers); Usage data (e.g., websites visited, interest in content and access times); Meta, communication and processing data (e.g., IP addresses, time stamps, ID numbers and status of consent); Content data (e.g., entries in online forms).
- Data subjects: Communication partners.
- Purposes of processing: Contact requests and communication; Direct marketing (e.g., via e-mail or mail).
- Legal Basis: Consent (Article 6 (1) (a) GDPR); Legitimate Interests (Article 6 (1) (f) GDPR).
Further information on processing methods, procedures and services used:
- Instagram: Messaging via the social network Instagram; Service provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland; Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR); Website: https://www.instagram.com; Privacy Policy: https://instagram.com/about/legal/privacy.
- Facebook-Messenger: Facebook-Messenger with end-to-end encryption (end-to-end Facebook Messenger encryption requires activation, unless enabled by default); Service provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland; Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR); Website: https://www.facebook.com; Privacy Policy: https://www.facebook.com/about/privacy; Data Processing Agreement: https://www.facebook.com/legal/terms/dataprocessing; Standard Contractual Clauses (Safeguarding the level of data protection when processing data in third countries): https://www.facebook.com/legal/EU_data_transfer_addendum.
- Microsoft Teams: Microsoft Teams – Messenger; Service provider: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland, parent company: Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399 USA; Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR); Website: https://www.microsoft.com/de-de/microsoft-365; Privacy Policy: https://privacy.microsoft.com/en-GB/privacystatement; Security information: https://www.microsoft.com/en-GB/trust-center; Standard Contractual Clauses (Safeguarding the level of data protection when processing data in third countries): https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA.
Chatbots and Chat Functions
We provide online chats and chatbot functions as a means of communication (collectively referred to as ‘chat services’). A chat is an online conversation conducted with a certain degree of immediacy. A chatbot is software that answers users’ questions or informs them about messages. If you use our chat functions, we are able to process your personal data.
If you use our chat services on an online platform, your identification number is also stored on the respective platform. We can also collect information as to which users interact with our chat services and when. Furthermore, we store the content of your conversations conducted via chat services and log registration and consent processes in order to be able to prove these pursuant to legal requirements.
We hereby inform users that the respective platform provider may detect that and when users communicate via our chat services and can collect technical information about the user’s terminal device used and, depending on the settings of their terminal device, also location data (so-called metadata) for the purpose of optimizing the respective services and for security purposes. Likewise, the metadata of communication via chat services (i.e., information about who has communicated with whom) can be used by the respective platform providers for marketing purposes or to display personalized advertising in accordance with their regulations, to which we refer for further information.
If users subscribe to regular information via chatbot messages, they have the possibility to unsubscribe from the chatbot messages at any time for the future. The chatbot will inform users as to how and with which terms unsubscription is effected. By unsubscribing from the chatbot messages, users’ data will be deleted from the directory of message recipients.
We use the aforementioned information to operate our chat services, e.g., to address users personally, to answer their inquiries, to transmit requested content, and to improve the quality of our Chat Services (e.g., to ‘teach’ chatbots answers to frequently asked questions or to identify unanswered inquiries).
Information on Legal basis: We use the chat services on the basis of a consent if we are granted permission by the users to process their data prior to their use of our chat services (this applies when users are asked for consent, e.g., so that a chatbot regularly sends them messages). We use the chat services for contractual and pre-contractual communication if we answer user inquiries about our services or our company. In addition, we use chat services based on our legitimate interests in optimizing the chat services, its operating efficiency and enhancing user experience.
Withdrawal, objection and deletion: You may revoke a given consent at any time or object to the processing of your data in the context of using our chat services.
- Processed data types: Inventory data (e.g., names and addresses); Contact data (e.g., e-mail and telephone numbers); Content data (e.g., entries in online forms); Usage data (e.g., websites visited, interest in content and access times); Meta, communication and processing data (e.g., IP addresses, time stamps, ID numbers and status of consent).
- Data subjects: Communication partners.
- Purposes of Processing: Contact requests and communication; Managing of and responding to inquiries; Direct marketing (e.g., e-mail or mail).
- Legal basis: Legitimate Interests (Article 6 (1) (f) GDPR); Consent (Article 6 (1) (a) GDPR); Performance of a contract and prior requests (Article 6 (1) (b) GDPR).
Further information on processing methods, procedures and services used:
- LiveChat: Chatbot and assistance software and related services; Service provider: LiveChat Inc., One International Place, Suite 1400 Boston, Massachusetts 02110, USA; Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR); Website: https://www.livechatinc.com; Privacy Policy: https://www.livechatinc.com/legal/privacy-policy/.
Video Conferences, Online Meetings, Webinars and Screen Sharing
We use platforms and applications of third-party providers (hereinafter referred to as ‘conference platforms’) for the purpose of conducting video and audio conferences, webinars and other types of video and audio meetings (hereinafter collectively referred to as ‘conference’). When using conference platforms and their services, we comply with applicable legal requirements.
Data processed by conference platforms: In the course of participation in a conference, the personal data of the participants listed below are processed. The scope of the processing depends on which data is requested in the context of a specific conference (e.g., provision of access data or real names) and which optional information is provided by the participants. In addition to processing for the purpose of conducting the conference, participants’ data may also be processed by the conference platforms for security purposes or service optimization. The processed data includes personal information (first name, last name), contact information (e-mail address, telephone number), access data (access codes or passwords), profile images, information on professional position/function, the IP address of the internet access, information on the participants’ terminal devices, their operating system, the browser and its technical and language settings, information on the content-related communication processes, i.e. entries in chats and audio and video data, as well as the use of other available functions (e.g., surveys). The content of the communications is encrypted to the extent technically provided by the conference providers. If the participants are registered as users with the conference platforms further data may be processed pursuant to the agreement with the respective conference provider.
Logging and recording: If text entries, participation results (e.g., from surveys) as well as video or audio recordings are logged, this will be transparently communicated to the participants in advance and the participants will be asked for their consent if necessary.
Data protection measures of the participants: Please refer to the data privacy information of the respective conference platform for details on the processing of your data and select your optimum security and data privacy settings from the setting options provided by the conference platform. Furthermore, ensure data and privacy protection in the background of your recording for the duration of a conference (e.g., by notifying roommates, locking doors, and using the background masking function if technically possible). Links to the conference rooms as well as access data must not be disclosed to unauthorized third parties.
Notes on legal basis: Insofar as we, in addition to the conference platforms, also process users’ data and ask users for their consent to use conference platforms or certain functions (e.g., consent to a conference being recorded), the legal basis of the processing is the consent. Furthermore, our processing may be necessary to fulfill our contractual obligations (e.g., in participant lists and in the reprocessing of conference results). Otherwise, user data is processed on the basis of our legitimate interests in efficient and secure communication with our communication partners.
- Processed data types: Inventory data (e.g., names and addresses); Contact data (e.g., e-mail and telephone numbers); Content data (e.g., entries in online forms); Usage data (e.g., websites visited, interest in content and access times); Meta, communication and processing data (e.g., IP addresses, time stamps, ID numbers and status of consent).
- Data subjects: Communication partners; Users (e.g., website visitors and users of online services); Persons depicted.
- Purposes of Processing: Contract performance and customer support; Contact requests and communication; Office and organizational procedures.
- Legal basis: Legitimate Interests (Article 6 (1) (f) GDPR).
Further information on processing methods, procedures and services used:
- Microsoft Teams: Microsoft Teams – Messenger and Conference software; Service provider: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland; Parent company: Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399 USA; Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR); Website: https://www.microsoft.com/de-de/microsoft-365; Privacy Policy: https://privacy.microsoft.com/en-GB/privacystatement; Security information: https://www.microsoft.com/en-GB/trust-center; Standard Contractual Clauses (Safeguarding the level of data protection when processing data in third countries): https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA.
- TeamViewer: Conference software; Service provider: TeamViewer GmbH, Jahnstr. 30, 73037 Göppingen, Germany; Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR); Website: https://www.teamviewer.com/en/; Privacy Policy: https://www.teamviewer.com/en/privacy-policy/.
Job Application Procedure
The application process requires applicants to provide us with the data necessary for assessment and selection. What information is required can be derived from the job description or is asked for in the corresponding online forms.
In principle, the required information includes personal information such as name, address, a contact option and proof of the qualifications required for a particular employment. We will gladly also provide you with the details as to what information is necessary upon request.
If made available, applicants may submit their applications via an online form. The data will be transmitted encrypted according to current technical standards. Applicants may also submit their application by e-mail. Please note, however, that e-mails on the Internet are generally not sent in encrypted form. As a rule, e-mails are encrypted only during transport and not on outgoing and incoming servers. We can therefore accept no responsibility for the transmission path of the application between the sender and the reception on our server.
For the purposes of searching for applicants, submitting applications and selecting applicants, we may use applicant management and recruitment software, platforms and services of third-party providers in compliance with legal requirements.
Applicants are welcome to contact us about how to submit their application, or to submit their application by regular mail.
Processing of special categories of data: If special categories of personal data within the meaning of Article 9 (1) GDPR (e.g. health data, such as severely handicapped status or ethnic origin) are requested from applicants within the framework of the application procedure, so that the controller or the person concerned can exercise their rights and fulfill their duties arising from labor, social security and social protection law, processing of such data is done pursuant to Article 9 (1)(b) GDPR, in the case of the protection of vital interests of applicants or other persons pursuant to Article 9 (1)(c) GDPR or for the purposes of preventive health care or occupational medicine, for the assessment of the employee’s ability to work, for medical diagnostics, care or treatment in the health or social sector or for the administration of systems and services in the health or social sector pursuant to Article 9 (1)(h) GDPR. In the case of disclosure of special categories of data based on voluntary consent, processing is done pursuant to Article 9 (1) (a) GDPR.
Erasure of data: In the event of a successful application, we may further process the data provided by the applicants for the purposes of the employment relationship. Otherwise, if the application for a job offer is not successful, the applicant’s data will be erased. Applicants’ data will also be erased if an application is withdrawn, which applicants are entitled to at any time. Subject to a justified revocation by the applicant, their data will be erased after the expiry of a period of six months at the latest, so that we are able to answer possible follow-up questions with respect to the application and to comply with our duty of proof under the regulations on equal treatment of applicants. Invoices for possible reimbursement of travel expenses are archived pursuant to applicable tax law.
Admission to a talent pool: Admission to a talent pool, if offered, is based on consent. Applicants are informed that their consent to be included in the talent pool is voluntary and has no influence on the current application process, and that they may revoke their consent at any time for the future.
- Processed data types: Inventory data (e.g., names and addresses); Contact data (e.g., e-mail and telephone numbers); Content data (e.g., entries in online forms); Job applicant details (e.g., personal data, postal and contact addresses and the documents pertaining to the application and the information contained therein, such as cover letter, curriculum vitae, certificates as well as other personal information or qualification details disclosed by applicants voluntarily or with respect to a specific job offer).
- Data subjects: Job applicants.
- Purposes of Processing: Job Application Process (establishment and possible later execution and termination of the employment relationship).
- Legal Basis: Job application process as a pre-contractual or contractual relationship pursuant to Article 6 (1) (b) GDPR.
Cloud Services
We use Internet-accessible software services (so-called cloud services, also referred to as ‘Software as a Service’) executed on the servers of its providers for the storage and management of content (e.g., document storage and management, exchange of documents, content and information with certain recipients, or publication of content and information).
In this context, users’ personal data may be processed and stored on the provider’s servers insofar as it is part of the communication between the user and us or is otherwise processed by us as described in this Privacy Policy. Such data may include, in particular, master data and contact data of data subjects, data on processes, contracts and other proceedings and their contents. Cloud service providers furthermore process usage data and metadata for security and service optimization purposes.
If we use cloud services to provide forms or other documents and content to other users or publicly accessible websites, providers may store cookies on users’ terminal devices for web analysis or to remember user settings (e.g., for media control).
- Processed data types: Inventory data (e.g., names and addresses); Contact data (e.g., e-mail and telephone numbers); Content data (e.g., entries in online forms); Usage data (e.g., websites visited, interest in content and access times); Meta, communication and processing data (e.g., IP addresses, time stamps, ID numbers and status of consent); Images and/or video recordings (e.g., photographs or video recordings of a person).
- Data subjects: Customers; Employees (e.g., employees, job applicants and former employees); Prospective customers; Communication partners.
- Purposes of Processing: Office and organizational procedures; IT infrastructure (Operation and provision of information systems and technical devices such as computers, servers, etc.); Provision of contractual services and customer support.
- Legal basis: Legitimate Interests (Article 6 (1) (f) GDPR).
Further information on processing methods, procedures and services used:
- Adobe Creative Cloud: Applications and cloud storage for photo and video editing, graphic design and web development; Service provider: Adobe Systems Software Ireland Companies, 4-6 Riverwalk, Citywest Business Campus, Dublin 24, Ireland; Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR); Website: https://www.adobe.com/creativecloud.html; Privacy Policy: https://www.adobe.com/privacy.html; Data Processing Agreement: Provided by the service provider; Standard Contractual Clauses (Safeguarding the level of data protection when processing data in third countries): Inclusion in the Data Processing Agreement.
- Dropbox: Cloud storage service; Service provider: Dropbox, Inc., 333 Brannan Street, San Francisco, California 94107, USA; Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR); Website: https://www.dropbox.com; Privacy Policy: https://www.dropbox.com/privacy; Data Processing Agreement: https://assets.dropbox.com/documents/en/legal/dfb-data-processing-agreement.pdf; Standard Contractual Clauses (Safeguarding the level of data protection when processing data in third countries): https://assets.dropbox.com/documents/en/legal/dfb-data-processing-agreement.pdf.
- Microsoft Cloud Services: Cloud storage, cloud infrastructure services and cloud-based application software; Service provider: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland; Parent company: Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399 USA; Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR); Website: https://microsoft.com; Privacy Policy: https://privacy.microsoft.com/de-de/privacystatement; Security information: https://www.microsoft.com/de-de/trustcenter; Data Processing Agreement: https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA; Standard Contractual Clauses (Safeguarding the level of data protection when processing data in third countries): https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA.
Sweepstakes and Contests
We process personal data of participants in contests, raffles, prize-draws or sweepstakes (hereinafter collectively referred to as ‘competitions’) only in compliance with applicable data protection regulations and if the processing is contractually necessary for the provision, execution and handling of the competition, or the participants have consented to the processing, or the processing serves our legitimate interests (e.g., in the security of the competition, or in the protection of our interests against misuse by possible recording of IP addresses when submitting entries).
In the event that entries are published as part of the competition (e.g., for a vote, for presenting the entries or the winner/s, or for reporting on the competition), we point out that the names of participants may also be published in this context. The participants may object to this at any time.
If the competition takes place on an online platform or a social network (e.g., Facebook or Instagram, hereinafter referred to as ‘online platform’), the usage and data protection provisions of the respective online platform apply too. In such cases, we are in charge of the information provided by the participants in the context of the competition, and inquiries with respect to the competition have to be directed to us.
Participants’ data will be erased as soon as the competition has ended, provided that the data is no longer required to inform the winners and questions about the competition cannot reasonably be expected. In general, participants’ data will be erased, at the latest, 6 months after the competition has ended. Winners’ data can however be retained for a longer period of time in order to, for example, answer questions about the prizes or to fulfill the prizes; in this case, the retention period depends on the type of prize and may extend to up to three years for items or services in order to, for example, be able to process warranty claims. Furthermore, participants’ data may be stored for longer in the form of, for example, coverage of the competition in online and offline media.
Insofar as data was collected in the course of the competition for other purposes, its processing and retention period shall be governed by the privacy regulation for the respective use (e.g., registration for a newsletter in the course of a competition).
- Processed data types: Inventory data (e.g., names and addresses); Content data (e.g., entries in online forms); Communication and processing data (e.g., IP addresses, time stamps, ID numbers and status of consent).
- Data subjects: Participants in sweepstakes and contests.
- Purposes of Processing: Conducting sweepstakes and contests.
- Legal Basis: Performance of a contract and prior requests (Article 6 (1) (b) GDPR).
Web Analysis, Monitoring and Optimization
Web analysis (also referred to as ‘reach measurement’) is used to evaluate the visitor traffic on our website and may cover user behavior, interests or demographic information such as age or gender, as pseudonymous values. With the help of web analysis we can, for example, recognize at which times our online services or their functions or contents are most frequently used or most repeatedly requested. Web analysis also helps us to detect areas that require optimization.
In addition to web analysis, we can also deploy test procedures in order to, for example, test and optimize different versions of our online services or their components.
Unless otherwise stated below, profiles, i.e., data aggregated for a usage process, can be created for these purposes and related information can be stored in and read from a browser or terminal device. The information collected includes, in particular, websites visited and elements used as well as technical information such as browser and operating system as well as usage times. If users have agreed to the collection of their location data by us or by the providers of the services we use, location data may also be processed.
Users’ IP addresses are also stored. However, we use IP masking (i.e., pseudonymization by truncating the IP address) to protect the user. In general, in the context of web analysis, A/B testing and optimization, no non-anonymized user data (such as real e-mail addresses or names) is stored, only pseudonyms. This means that we, as well as the providers of the software used, do not know the users’ actual identity but only the information stored in their profiles for the purposes of the respective processes.
- Processed data types: Usage data (e.g., websites visited, interest in content and access times); Meta, communication and processing data (e.g., IP addresses, time stamps, ID numbers and status of consent).
- Data subjects: Users (e.g., website visitors and users of online services).
- Purposes of Processing: Remarketing; Web Analytics (e.g., access statistics and recognition of returning visitors); Profiles with user-related information (Creation of user profiles); Provision of our online services and usability.
- Security Measures: IP Masking (Pseudonymization of IP addresses).
- Legal Basis: Consent (Article 6 (1) (a) GDPR).
Further information on processing methods, procedures and services used:
- Google Universal Analytics: Web Analytics and Reach Measurement – We use Universal Analytics, a version of Google Analytics, to perform user analysis based on a pseudonymous user identification number. This identification number does not contain any non-anonymized data, such as real names or e-mail addresses. It is used to assign analysis information to a user to recognize, for example, which content users have accessed within a session or whether they return to our online services. This involves creating pseudonymous user profiles with information from the use of various terminal devices. Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal Basis: Consent (Article 6 (1) (a) GDPR); Website: https://marketingplatform.google.com; T&C: https://business.safety.google/adsprocessorterms/; Privacy Policy: https://policies.google.com/privacy; Data Processing Agreement: https://business.safety.google/adsprocessorterms; Standard Contractual Clauses (Safeguarding the level of data protection when processing data in third countries): https://business.safety.google/adsprocessorterms; Opt-Out: Opt-Out-Plugin: https://tools.google.com/dlpage/gaoptout?hl=en, Settings for the Display of Advertisements: https://adssettings.google.com/authenticated; Further Information: https://privacy.google.com/businesses/adsservices (Types of processing and data processed).
- Google Analytics 4: We use Google Analytics to measure and analyze usage of our online services based on a pseudonymous user identification number. This identification number does not contain any non-anonymized data, such as real names or e-mail addresses. It is used to assign analysis information to a terminal device to recognize which content users have accessed within a session or several sessions, which search keywords were used and whether these have been repeated, or whether users have interacted with our online services. Furthermore, usage time and duration are logged, as well as users’ sources linked to our online services and technical details of their terminal device and browser. This involves creating pseudonymous user profiles with information from the use of various terminal devices, possibly by deploying cookies. Analytics provides higher-level location data, logging the following metadata derived from IP search: ‘city’ (including corresponding latitude and longitude), ‘continent’, ‘country’, ‘region’, ‘subcontinent’ (and their ID-based equivalents). To guarantee protection of user data within the EU, Google receives and processes all user data through EU-based domains and servers. Users’ IP addresses are not logged and are, by default, truncated by the last two digits. Truncation of IP addresses is done on EU servers for users within the EU. Furthermore, all sensitive data collected from users within the EU will be erased before being logged through EU-based domains and servers. 
Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal Basis: Consent (Article 6 (1) (a) GDPR); Website: https://marketingplatform.google.com/intl/de/about/analytics/; Privacy Policy: https://policies.google.com/privacy; Data Processing Agreement: https://business.safety.google/adsprocessorterms; Standard Contractual Clauses (Safeguarding the level of data protection when processing data in third countries): https://business.safety.google/adsprocessorterms; Opt-Out: Opt-Out-Plugin: https://tools.google.com/dlpage/gaoptout?hl=en, Settings for the Display of Advertisements: https://adssettings.google.com/authenticated; Further Information: https://privacy.google.com/businesses/adsservices (Types of processing and data processed).
- Google Tag Manager: Google Tag Manager is a solution to administer so-called website tags via an interface, enabling us to integrate third-party services into our online services (refer to further details in this Privacy Policy). The Tag Manager itself (which implements the tags) does not, for example, create user profiles or store cookies. Google only receives the user’s IP address, which is necessary to run Google Tag Manager. Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal Basis: Consent (Article 6 (1) (a) GDPR); Website: https://marketingplatform.google.com; Privacy Policy: https://policies.google.com/privacy; Data Processing Agreement: https://business.safety.google/adsprocessorterms; Standard Contractual Clauses (Safeguarding the level of data protection when processing data in third countries): https://business.safety.google/adsprocessorterms.
- Use of SalesViewer® technology: Our website uses the SalesViewer® technology of SalesViewer® GmbH, Germany, to collect and store data for the purposes of marketing, market research and optimizing on the legal basis of legitimate interests of the owner of the website (Article 6 (1) (f) GDPR).
The technology deploys a JavaScript-based code to collect and process business related data corresponding to the purposes outlined before. All such data is encrypted using a one-way hash function. The data is pseudonymized immediately and is not used to personally identify the user of the website.
Data stored by SalesViewer® will be erased as soon as no longer required for the above mentioned purposes unless retention is statutory pursuant to applicable law.
You may object to the collection and storage of data by SalesViewer® at any time with effect for the future by going to this link: https://www.salesviewer.com/opt-out. Consequently, an opt-out cookie will be stored on your terminal device. If you delete the cookies in your browser, you need to return to this link to reactivate the opt-out.
Online Marketing
We process personal data for the purposes of online marketing, which may include in particular the marketing of advertising space or the display of advertising and other content (collectively referred to as ‘content’) based on the potential interests of users and the measurement of the content’s effectiveness.
For these purposes, so-called user profiles are created and stored in a file (so-called cookie) or a similar procedure is deployed by which the user information relevant for the display of the content is stored. Such information may include, for example, content viewed, websites visited, online networks used, communication partners and technical details such as browser and operating system used, and information on usage times and used functions. If users have consented to the collection of their location data, these may also be processed.
Users’ IP addresses are also stored. However, we use IP masking (i.e., pseudonymization by truncating the IP address) to protect the user. In the context of online marketing techniques, in general, no non-anonymized user data (such as real e-mail addresses or names) is stored, only pseudonyms. This means that we, as well as the providers of the online marketing technology used, do not know the users’ actual identity but only the information stored in their profiles for the purposes of the respective processes.
The information in the profiles is usually stored in cookies or by similar memorizing procedures. The cookies can later, generally also on other websites that use the same online marketing technology, be read and analyzed for purposes of content display, as well as supplemented with other data and stored on the server of the online marketing technology provider.
As an exception, non-anonymized data can be assigned to the profiles. This is the case, for example, if the users are members of a social network whose online marketing technology we use, and the network links the profiles of the users to the corresponding data. Please note that users may enter into additional agreements with the social network providers or other service providers, e.g., by consenting as part of a registration process.
On principle, we only gain access to summarized information about the performance of our advertisements. However, in the context of so-called conversion tracking, we can detect which of our online marketing processes have led to a so-called conversion, i.e., to the conclusion of a contract with us. Conversion tracking is used only for the performance analysis of our marketing activities.
Unless otherwise stated, please consider that cookies will be stored for a period of two years.
- Processed data types: Usage data (e.g., websites visited, interest in content and access times); Meta, communication and processing data (e.g., IP addresses, time stamps, ID numbers and status of consent).
- Data subjects: Users (e.g., website visitors and users of online services).
- Purposes of Processing: Web Analytics (e.g., access statistics and recognition of returning visitors); Tracking (e.g., interest/behavior-related profiling and use of cookies); Marketing; Profiles with user-related information (creation of user profiles).
- Security Measures: IP Masking (Pseudonymization of IP addresses).
- Legal Basis: Consent (Article 6 (1) (a) GDPR).
- Opt-Out: We refer to the privacy policies of the respective service providers and the possibilities for objection (opt-out). If no explicit opt-out option has been specified, it is possible to deactivate cookies in the settings of your browser. However, this may restrict the functionality of our online services. We therefore recommend the following additional opt-out options offered collectively for each area: a) Europe: https://www.youronlinechoices.eu. b) Canada: https://www.youradchoices.ca/choices. c) USA: https://www.aboutads.info/choices. d) Cross-regional: https://optout.aboutads.info.
Further information on processing methods, procedures and services used:
- Criteo: Criteo; Service provider: Criteo GmbH, Gewürzmühlstr. 11, 80538 München, Germany; Legal Basis: Consent (Article 6 (1) (a) GDPR); Website: https://www.criteo.com; Privacy Policy: https://www.criteo.com/de/privacy/; Opt-Out: https://www.criteo.com/privacy/.
Customer Reviews and Ratings
We participate in review and rating procedures to evaluate, optimize and advertise our services. If users rate us via the participating rating platforms or methods or provide feedback otherwise, the terms and conditions for use and business and privacy policies of the providers also apply. As a rule, the rating also requires registration with the respective provider.
In order to ensure that the persons giving a review or participating in a rating have actually made use of our services, we transmit, with the consent of the customer, the necessary data relating to the customer and the service or products used to the respective rating platform (this includes the customer’s name and e-mail address, and the order or article number). This data is used solely to verify the authenticity of the user.
- Processed data types: Contract data (e.g., contract object, term and customer category); Usage data (e.g., websites visited, interest in content and access times); Meta, communication and processing data (e.g., IP addresses, time stamps, ID numbers and status of consent).
- Data subjects: Users (e.g., website visitors, users of online services).
- Purposes of Processing: Feedback (e.g., collecting feedback via online form); Marketing.
- Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR).
Further information on processing methods, procedures and services used:
- Google Customer Reviews: Service for obtaining and/or displaying customer satisfaction and customer opinions; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR); T&C: https://support.google.com/merchants/topic/7259129?hl=de&ref_topic=7257954; Privacy Policy: https://policies.google.com/privacy; Further Information: In the context of collecting customer reviews, an identification number and a time for the business transaction to be evaluated, and in the case of review requests sent directly to customers, the customer’s e-mail address and country of residence as well as the review information itself are processed. Further information on types of processing and data processed: https://privacy.google.com/businesses/adsservices; Google Ads Data Protection Terms: Information on services; Data Protection Terms between controllers and standard contractual clauses for data transfers to third countries: https://business.safety.google/adscontrollerterms.
Profiles in Social Networks (Social Media)
We maintain media profiles on social networks and process user data in this context in order to communicate with the users active there, or to offer information about us.
We point out that user data may be processed outside the European Union in this context. This may entail risks for users, for example, by making it more difficult to enforce their rights.
In addition, user data is usually processed on social networks for market research and advertising purposes. For example, user profiles can be created on the basis of their user behavior and associated interests. The user profiles can then be used, for example, to place advertisements both on and off the networks that are presumed to correspond to users’ interests. For these purposes, cookies are usually stored on the user’s computer containing information on user’s usage behavior and interests. Furthermore, data can be stored in the user profiles also independently of users’ terminal devices (in particular, if the users maintain accounts on the respective networks and are logged on).
For a detailed description of the respective processing types and available opt-out options, we refer to the privacy policies of and information provided by the providers of the respective networks.
In the case of requests for information and the exercise of rights of data subjects, we point out that these can also be most effectively pursued with the providers. Only the providers have access to the users’ data and can directly provide information and take appropriate measures. If you need further help however, feel free to contact us.
- Processed data types: Contact data (e.g., e-mail addresses and telephone numbers); Content data (e.g., entries in online forms); Usage data (e.g., websites visited, interest in content and access times); Meta, communication and processing data (e.g., IP addresses, time stamps, ID numbers and status of consent).
- Data subjects: Users (e.g., website visitors and users of online services).
- Purposes of Processing: Contact requests and communication; Feedback (e.g., collecting feedback via online form); Marketing.
- Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR).
Further information on processing methods, procedures and services used:
- Instagram: Social network; Service provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland; Legal basis: Legitimate interests (Art. 6 (1)(f) GDPR); Website: https://www.instagram.com; Privacy policy: https://instagram.com/about/legal/privacy.
- Facebook Pages: Profiles on the Facebook social network – We are jointly responsible (‘joint controller’) with Meta Platforms Ireland Limited for the collection (but not the further processing) of data of visitors to our Facebook page (so-called fan page). This data includes information about the types of content users view or interact with, or the actions they take (see ‘Things that you and others do and provide’ in the Facebook privacy policy: https://www.facebook.com/policy), and information about the users’ terminal devices (e.g., IP addresses, operating system, browser type, language settings and cookie data; see ‘Device Information’ in the Facebook privacy policy: https://www.facebook.com/policy). As explained in the Facebook privacy policy under ‘How we use this information?’, Facebook also collects and uses information to provide analytics services, known as ‘page insights,’ to site operators to help them understand how people interact with their pages and related content. We have concluded a special agreement with Facebook (see ‘Information about Page Insights’, https://www.facebook.com/legal/terms/page_controller_addendum) that regulates, in particular, the security measures to be observed by Facebook, and pursuant to which Facebook agrees to fulfill the rights of the persons concerned (i.e., users may send requests for information access or erasure directly to Facebook). The users’ rights (in particular, to access to information, erasure, objection and complaint to the supervisory authority in charge) are not restricted by the agreements with Facebook. For further information refer to ‘Information about Page Insights’ (https://www.facebook.com/legal/terms/information_about_page_insights_data); Provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland; Legal Basis: Legitimate Interests (Art. 6 (1)(f) GDPR); Website: https://www.facebook.com; Privacy Policy: https://www.facebook.com/about/privacy; Standard Contractual Clauses (Safeguarding the level of data protection when processing data in third countries): https://www.facebook.com/legal/EU_data_transfer_addendum; Further information: Joint Controllership Agreement: https://www.facebook.com/legal/terms/information_about_page_insights_data. The joint controllership is limited to the collection and transfer of the data to Meta Platforms Ireland Limited, a company located in the EU. Further processing of the data is the sole responsibility of Meta Platforms Ireland Limited, in particular with respect to the transfer of data to the parent company Meta Platforms, Inc. in the USA (on the basis of standard contractual clauses agreed upon by Meta Platforms Ireland Limited and Meta Platforms, Inc.).
- LinkedIn: Social network; Service provider: LinkedIn Ireland Unlimited Company, Wilton Plaza Wilton Place, Dublin 2, Ireland; Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR); Website: https://www.linkedin.com; Privacy Policy: https://www.linkedin.com/legal/privacy-policy; Data Processing Agreement: https://legal.linkedin.com/dpa; Standard Contractual Clauses (Safeguarding the level of data protection when processing data in third countries): https://legal.linkedin.com/dpa; Opt-Out: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.
- Pinterest: Social network; Service provider: Pinterest Europe Limited, 2nd Floor, Palmerston House, Fenian Street, Dublin 2, Ireland; Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR); Website: https://www.pinterest.com; Privacy Policy: https://policy.pinterest.com/de/privacy-policy; Further information: Pinterest Data Sharing Addendum (APPENDIX A): https://business.pinterest.com/de/pinterest-advertising-services-agreement/.
- YouTube: Social network and video platform; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR); Privacy Policy: https://policies.google.com/privacy; Opt-Out: https://adssettings.google.com/authenticated.
Plug-ins, Embedded Functions and Content
Our online services use functional and content elements obtained from the servers of their respective providers (hereinafter referred to as third-party providers). These may, for example, be graphics, videos or city maps (hereinafter uniformly referred to as content).
Their use always presupposes that the third-party providers process the user’s IP address, as otherwise they could not make the content visible in the user’s browser. The IP address is therefore required for the presentation of the content. We strive to use only content whose providers use the IP address only for the distribution of the respective content. Third-party providers may further use so-called pixel tags (i.e., invisible graphics also known as ‘web beacons’) for statistical or marketing purposes. Pixel tags make it possible to analyze and evaluate information such as visitor traffic on the respective pages of our website. The pseudonymous information may also be stored in cookies on the user’s terminal device and may include technical information about the browser and operating system, referring websites, visit times and other information about the use of our website, and may also be linked to such information from other sources.
- Processed data types: Usage data (e.g., websites visited, interest in content and access times); Meta, communication and processing data (e.g., IP addresses, time stamps, ID numbers and status of consent); Inventory data (e.g., names and addresses); Contact data (e.g., e-mail and telephone numbers); Location data (data on the geographic position of a device or person).
- Data subjects: Users (e.g., website visitors and users of online services).
- Purposes of processing: Provision of our online services and usability.
- Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR).
Further information on processing methods, procedures and services used:
- Google Fonts (Provision on our own server): Provision of font files for the purpose of a user-friendly presentation of our online services; Service provider: Google fonts are hosted on our own server, no data is transmitted to Google; Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR).
- Font Awesome (Provision on our own server): Display of fonts and symbols; Service provider: Font Awesome icons are hosted on our own server, no data is transmitted to the provider of Font Awesome; Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR).
- Google Maps: Our online services use maps of the Google Maps service of Google. The data processed may include, in particular, users’ IP addresses and location data. Service provider: Google Cloud EMEA Limited, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland; Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR); Website: https://mapsplatform.google.com/; Privacy Policy: https://policies.google.com/privacy.
- YouTube-Videos: Video contents; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR); Website: https://www.youtube.com; Privacy Policy: https://policies.google.com/privacy; Opt-Out: Opt-Out-Plugin: https://tools.google.com/dlpage/gaoptout?hl=de, Settings for the Display of Advertisements: https://adssettings.google.com/authenticated.
Management, Organization and Utilities
We use services, platforms and software from other providers (hereinafter referred to as third-party providers) for the purposes of organizing, administering, planning and providing our services. When selecting third-party providers and their services, we observe applicable legal requirements.
In this context, users’ personal data may be processed and stored on the third-party provider’s servers. This may include data we process under this Privacy Policy. Such data may include, in particular, master data and contact data of data subjects, data on processes, contracts and other proceedings and their contents.
If users, in the context of communication, business or other relationships with us, are referred to third-party providers or their software or platforms, third-party providers may process usage and metadata for security purposes, marketing and service optimization. We therefore also refer to the third-party providers’ privacy policies in this respect.
- Processed data types: Content data (e.g., entries in online forms); Usage data (e.g., websites visited, interest in content and access times); Meta, communication and processing data (e.g., IP addresses, time stamps, ID numbers and status of consent).
- Data subjects: Communication partners; Users (e.g., website visitors and users of online services).
- Purposes of Processing: Contact requests and communication; Contract performance and customer support; Office and organizational procedures.
- Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR).
Further information on processing methods, procedures and services used:
- WeTransfer: Transferring files on the Internet; Service provider: WeTransfer BV, Oostelijke Handelskade 751, Amsterdam, 1019 BW, Netherlands; Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR); Website: https://wetransfer.com; Privacy Policy: https://wetransfer.com/legal/privacy.
Changes and Updates to the Privacy Policy
We kindly ask you to inform yourself about the contents of this Privacy Policy on a regular basis. We will update this Privacy Policy as changes in our data processing practices make this necessary. We will inform you as soon as such changes require your cooperation (e.g., consent) or other individual notification.
If we provide addresses and contact information of companies and organizations in this Privacy Policy, please note that addresses may change over time and make sure to verify contact information to be up to date before entering into communication.
Rights of Data Subjects
As data subject, you are entitled to various rights under the GDPR, which arise in particular from Articles 15 to 21 of the GDPR:
- Right to Object: You have the right, on grounds arising from your particular situation, to object at any time to the processing of your personal data which is based on letter (e) or (f) of Article 6 (1) GDPR, including profiling based on those provisions. Where personal data are processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data for the purpose of such marketing, which includes profiling to the extent that it is related to such direct marketing.
- Right to withdrawal of consent: You have the right to revoke your consent at any time.
- Right to access: You have the right to request confirmation as to whether your personal data in question will be processed, to be informed of this data, and to receive further information and a copy of the data pursuant to applicable legal provisions.
- Right to rectification: You have the right, pursuant to applicable legal provisions, to request the completion of incomplete data, or the rectification of incorrect data, concerning you.
- Right to erasure and to restriction of processing: You have the right, pursuant to applicable legal provisions, to demand your personal data be erased immediately or, alternatively, to demand that the processing of your personal data be restricted.
- Right to data portability: You have the right to receive your personal data that you have provided to us in a structured, common and machine-readable format pursuant to applicable legal provisions, or to request its transmission to another controller.
- Complaint to the supervisory authority: Pursuant to applicable law and without prejudice to any other administrative or judicial remedy, you also have the right to lodge a complaint with a data protection supervisory authority, in particular, a supervisory authority in the EU member state where you habitually reside, the supervisory authority of your place of work or the place of the alleged infringement, if you consider that the processing of your personal data infringes the GDPR.
Terminology and Definitions
This section provides an overview of the terms used in this Privacy Policy. Many of these terms are extracted from the wording of applicable law and are defined mainly in Article 4 GDPR. Legal definitions are binding. The following explanations, on the other hand, are primarily given for the purpose of comprehension. The terms are listed in alphabetical order.
- Controller: Controller is the natural or legal person, public authority, agency or other body which, alone or jointly with third parties, determines the purposes and means of processing personal data.
- Conversion tracking: Conversion tracking is a method used to evaluate the effectiveness of marketing measures. For this purpose, usually a cookie is stored on the users’ terminal devices on the websites which the marketing measures are implemented on and reactivated on the target website. In this manner, we can, for example, detect whether advertisements we placed on other websites have been successful.
- Location data: Location data is created when a mobile device (or another device with the technical requirements for a location determination) connects to a radio cell, a WLAN or similar technical means and functions of location determination. Location data serve to indicate which geographically determinable position on earth the respective device is located at. Location data can be used, for example, to display map functions or other location-dependent information.
- Personal Data: Personal data are all information relating to an identified or identifiable natural person (‘data subject’); an identifiable person, in this context, is a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g., a cookie) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- Processing: Processing is any procedure or series of procedures carried out with or without automated technologies with respect to personal data. The term covers a broad range of tasks and functions, and includes practically every handling of data, whether collection, analysis and evaluation, storage, transmission or erasure.
- Profiles with user-related information: The processing of ‘profiles with user-related information’, or ‘profiles’ for short, includes any kind of automated processing of personal data that consists of using these personal data to analyse, evaluate or predict certain personal aspects relating to a natural person (depending on the type of profiling, this may include different information concerning demographics, behavior and interests, such as interaction with websites and their content, etc.) (e.g., interests in certain content or products and click behavior on a website or location). For profiling, often cookies and web beacons are deployed.
- Remarketing: Remarketing, or retargeting, is the term used for logging which products on a certain website users are interested in in order to place a reminder of these products on other websites, e.g., as advertisement.
- Tracking: Tracking is the term used when the behavior of users can be followed across several websites. As a rule, behavior and interest information with respect to the websites visited is stored in cookies or on the servers of the tracking technology providers (so-called profiling). This information can then be used, for example, to display advertisements presumably corresponding to users’ interests.
- Web Analytics: Web Analytics serves the analysis and evaluation of visitor traffic of online services and can include user behavior or interests in certain information, such as website content. Web analytics helps website owners, for example, detect at what time visitors visit their website and what content they are interested in. This allows them, for example, to adjust the content of the website to the needs of their visitors. For purposes of web analytics, often pseudonymous cookies and web beacons are deployed in order to recognize returning visitors to make analyses of the use of an online service more precise.