This privacy notice informs you of the type, scope and purpose of processing of personal data (hereinafter “data”) as part of the provision of our services and our online offer and the associated websites, functions and contents as well as external online presence, such as our social media profile (hereinafter “online offer”). Regarding the terminology used, such as “processing” or “controller”, we would like to refer to the definitions in Art. 4 of the General Data Protection Regulation (GDPR).
Spiesheimer Weg 15-17
T +49 6732 9 64 87 48
F +49 6732 9 33 00 76
Managing Director: Dr. Enzio Kirsten (responsible for data protection)
Imprint: see here
Type of data processed
- Inventory data (for example personal master data, names or addresses)
- Contact data (for example telephone, e-mail)
- Content data (for example text input, photos, videos)
- Usage data (for example visited websites, interest in content, access times)
- Meta and communication data (for example device information, IP addresses).
Categories of data subjects
Visitors and users of the online offer (hereinafter, we will refer to the data subjects as “Users”).
Purpose(s) of processing
- Provision of online offer, its functions and contents
- Reply to contact requests and communication with users
- Safety measures
- Range measurement / Marketing
“Personal data” is all data referring to an identified or identifiable natural person (hereinafter “data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (such as cookies) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Processing” refers to procedures performed with or without the support of automated systems or any such sequence of procedures related to personal data. The term is loosely defined and basically includes any handling of data.
“Pseudonymization” is the processing of personal data in such a way that the personal data cannot be matched to a specific person without additional information, as long as such information is stored separately and is subject to technical and organizational measures which ensure that the personal data is not matched to an identified or identifiable natural person.
“Profiling” is any type of automated processing of personal data to analyze certain personal aspects relating to a natural person, especially to analyze or predict aspects regarding job performance, economic situation, health, personal preferences, interests, reliability, behavior, whereabouts or location change of this natural person.
The “controller” is the natural or legal entity, public authority, institution or any other body which, solely or in cooperation with others, makes decisions about the purposes and means of processing of personal data.
“Order processor” is a natural or legal person, authority, institution or other body which processes personal data at the request of the controller.
Significant legal foundations
Pursuant to Art. 13 GDPR, we will share the legal foundation of our data processing with you. For users from the scope of validity of the General Data Protection Regulation (GDPR), meaning in the EU and in the EEA, the following applies where the legal foundation in the privacy notice is not mentioned:
The legal foundation for obtaining consent is Art. 6 Para. 1 lit. a and Art. 7 GDPR;
The legal foundation for data processing to fulfill our services and perform contractual measures as well as reply to requests is Art. 6 Para. 1 lit. b GDPR;
The legal foundation for data processing to fulfill our legal obligations is Art. 6 Para. 1 lit. c GDPR;
The legal foundation for data processing obligatory due to the vital interests of the data subject or of any other natural person is Art. 6 Para. 1 lit. d GDPR.
The legal foundation for the required processing for completing a task which lies in the public interest or is performed in the exercise of public authority transferred to the controllers is Art. 6 Para. 1 lit. e GDPR.
Art. 6 Para. 1 lit. f GDPR serves as legal basis for processing personal data to maintain our legitimate interests.
The processing of data for other purposes than those for which such data was recorded is determined by the specifications of Art. 6 Para. 4 GDPR.
The processing of special categories of data (as defined by Art. 9 Para. 1 GDPR) is determined by the specifications of Art. 9 Para. 2 GDPR.
We take suitable technical and organizational measures to ensure a level of protection appropriate for the risk as defined by legal provisions with consideration of the status of technology, the implementation costs and type, the scope, circumstances and purposes of processing as well as the different likelihoods of occurrence and seriousness of the risk for the rights and freedoms of natural persons.
In particular, such measures include safeguarding confidentiality, integrity and availability of data through regulation of physical access to the data as well as access, input, passing on, securing the availability and the separation. Furthermore, we have implemented procedures which ensure the awareness of subject rights, deletion of data and reaction to data endangerment. In addition, we consider the protection of personal data already during the development and selection of hardware, software and procedures, following the principle of data protection through technology design and data protection-friendly default settings.
Cooperation with order processors, controllers and third parties
Where we disclose data to other persons and companies (contract processors, controllers or third parties) during our processing or transmit them or grant other persons and companies access to such data, we only do so on the basis of legal permission (for example, if transmission of data to third parties is mandatory, such as payment service providers), if users have provided consent, if provided for by a legal obligation or on the basis of our legitimate interests (for example when using representatives, web hosting services, etc.).
Where we disclose data to other companies which are part of our corporate group or transmit such data or grant access in any other way, we do so for administrative purposes as a legitimate interest and, beyond that, on the basis of one of the legal provisions.
Transmission to third countries
Where we process data in a third country (meaning outside of the European Union (EU) or of the European Economic Area (EEA) or the Swiss Confederation) or data is processed as part of the utilization of services of third parties or is disclosed and/or transmitted to other persons or companies, we do so only to fulfill our (pre-)contractual obligations, if based on your consent, due to a legal obligation or on the basis of our own legitimate interests. Subject to explicit consent or contractually required transmission, we process or have the data processed only in third countries with a recognized data protection level, which include US processing companies certified under the Privacy Shield, or on the basis of special guarantees, such as contractual obligation due to standard safeguard clauses of the EU commission, the existence of certifications or binding internal data protection regulations (Art. 44 to 49 GDPR, Information page of the EU Commission).
Rights of the data subjects
You have the right to request information whether certain data is being processed and the right to information about such data and further information and copies of the data pursuant to legal provisions.
Pursuant to legal provisions, you have the right to demand completion of your data or correction of your data where incorrect.
Pursuant to legal provisions, you have the right to demand erasure of your data or a restriction of processing of your data as defined by legal provisions.
You have the right to demand that you receive the data you have provided to us pursuant to legal provisions and demand transmission of such data to other controllers.
Furthermore, pursuant to legal provisions, you have the right to lodge a complaint with the responsible supervisory authority.
Right of withdrawal
You have the right to withdraw your granted consent pursuant to legal provisions with effect for the future.
Right to object
You may object to the future processing of your personal data any time pursuant to legal provisions. Such an objection may be particularly directed against processing for the purposes of direct marketing.
Cookies and right to object in case of direct marketing
“Cookies” are small files which are stored on the computers of users. Cookies may contain different kinds of information. Primarily, the purpose of a cookie is to store information regarding a user (or the device on which the cookie is stored) as part of an online offer during or even after the visit. Temporary cookies, also referred to as “session cookies” or “transient cookies”, are cookies which are deleted after a user leaves an online offer and closes the browser. Such a cookie may store the contents of a shopping basket in an online shop or the login status, for example. Cookies are “permanent” or “persistent” if they are stored even after the browser is closed. That way, the login status may be stored, for example, if users return after several days. Such cookies may also contain interests of users which are generally used to measure reach or for marketing purposes. “Third-party cookies” are those offered by other providers than the controller operating the online offer (otherwise we refer to “first-party cookies”).
We may use temporary and permanent cookies, providing explanation about their use within the context of our privacy statement.
If users do not want cookies to be stored on their computers, they are asked to deactivate the corresponding option in the system settings of their browser. Cookies which have been stored may be deleted in the system settings of your browser. However, the deletion of cookies may lead to functional restrictions of the online offer.
Data processed by us is deleted pursuant to legal provisions or restricted in processing. Unless specified otherwise in this privacy statement, stored data is deleted once it is no longer required for the original purpose and if such an erasure is not opposed by legal retention periods.
Where data is not deleted because it is required for other and legally permitted purposes, the processing of such data will be restricted. That means, the data is blocked and not processed for other purposes. This may be data, for example, which must be stored for commercial or tax reasons.
Changes and updates of the privacy statement
We would ask you to please obtain information about the content of our privacy statement regularly. We adjust the privacy statement as soon as changes of the data processing performed by us require this. We will inform you as soon as your action is required (such as consent) or any other individual notification is required due to changes.
We also process
- Contractual data (for example contract subject matter, contractual terms, customer category)
- Payment information (for example account information, payment history)
of our customers, of interested parties and business partners in order to provide contractual services, service and customer support, marketing, advertisements and market research.
We process the data of our contractual partners and of interested parties as well as of other customers, clients or contractual partners (hereinafter collectively “contractual partners”) as defined by Art. 6 Para. 1 lit. b. GDPR to provide our contractual or precontractual services to such parties. The data processed as well as the kind, scope, purpose and necessity of such processing is determined by the underlying contractual relationship.
The data to be processed includes the master data of our contractual partners (for example names and address), contact data (for example e-mail addresses and telephone numbers) as well as contractual data (for example services used, contractual content, contractual communication, names of contact persons) and payment information (for example account information, payment history).
We categorically do not process special categories of personal data unless such categories are part of commissioned or contractual processing.
We process data required for justification and fulfillment of contractual services and refer to the necessity of providing such data if this is not evident to the contractual partner. Disclosure to external persons or companies is only made where required as part of a contract. When processing data provided to us as part of an order, we act in accordance with the instructions of the customer and with legal provisions.
We may store the IP address and the time of the user action when using our online services. Such storage is based on our legitimate interests and on the interests of the user in protection from misuse or any other unauthorized use. Such data is not transferred to third parties, unless required for us to pursue our claims as defined by Art. 6 Para. 1 lit. f. GDPR or required by law as defined by Art. 6 Para. 1 lit. c. GDPR.
The data will be deleted once the data is no longer required to fulfil contractual or legal obligations nor is it required for handling any possible warranty claims or comparable duties. The necessity to retain data will be reviewed every three years; all statutory retention periods apply.
Administration, financial accounting, office organization, contact management
We process data as part of administrative tasks and for the organization of our operation, financial accounting and compliance with all legal obligations, such as archival. When doing so, we process the same data as during the performance of contractual services. The foundations for processing are Art. 6 Para. 1 lit. c. GDPR, Art. 6 Para. 1 lit. f. GDPR. Customers, interested parties, business partners and website visitors are affected by such processing. The purpose of and our interest in processing lies in the administration, financial accounting, office organization, archival of data, meaning tasks required to maintain our business activities, assume our tasks and perform our services. The deletion of data regarding contractual services and contractual communication corresponds with the tasks mentioned for such processing activities.
In doing so, we publish or transmit data to the financial authorities, consultants, including tax consultants or financial auditors as well as other billing centers and payment service providers.
Furthermore, we store information regarding suppliers, event organizers and other business partners, for example for contacting them later, on the basis of our economic interests. We always store this data, primarily company-related, without limitation.
Microsoft cloud services
We use the cloud and cloud software services (software as a service, such as Microsoft Office) by Microsoft for the following purposes: Storage and administration of documents, calendar management, e-mail dispatch, table calculations and presentations, exchange of documents, contents and information with specific recipients or publication of websites, forms or other contents and information as well as chats and participation in audio and video conferences.
In doing so we process the personal data of users where such data is part of the documents and contents processed during the described services or of communication processes. This may include the master and contact data of users, data regarding processes, contracts, other processes and contents. Microsoft also processes usage data and meta data to be used for security purposes and service optimization.
As part of the use of publicly accessible documents, websites or other contents, Microsoft may store cookies on computers for the purposes of web analysis or to remember the user settings.
We use the Microsoft cloud services on the basis of our legitimate interests as defined by Art. 6 Para. 1 lit. f GDPR in efficient and secure administration and cooperation processes. In addition, processing takes place on the basis of an order processing agreement with Microsoft.
More information is available in the privacy statement by Microsoft (https://privacy.microsoft.com/de-de/privacystatement) and the security information regarding Microsoft cloud services (https://www.microsoft.com/de-de/trustcenter). You may object to your data being processed in the Microsoft cloud in accordance with legal provisions. Incidentally, the deletion of data within Microsoft cloud services is determined by the other processing procedures under which the data is processed (for example deletion for contractual purposes of data no longer required or storage for purposes of the assessment of required data).
The Microsoft cloud services are offered by Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, United States of America. Where data is processed in the United States, we refer to the certification of Microsoft under the Privacy Shield (https://www.privacyshield.gov/participant?id=a2zt0000000KzNaAAK&status=Active).
When contacting us (for example via contact form, e-mail, telephone or social media), the information provided by the user will be processed for the purposes of processing the contact request as per Art. 6 Para. 1 lit. b) (as part of contractual/precontractual relations), Art. 6 Para. 1 lit. f (other requests) GDPR. The user information may be stored in a customer relationship management system (CRM system) or a comparable request organization.
We will delete the requests when they are no longer required. We review the requirement every two years. In addition, the statutory archival obligations apply.
Hosting and e-mail dispatch
The hosting services we use serve to provide the following services: Infrastructure and platform services, computing capacities, storage space and database services, e-mail dispatch, security services and technical maintenance services which we use for the purposes of operating this online offer.
In doing so, we, or our hosting provider, process existing data, contact data, content data, contractual data, usage data, meta data and communication data of our customers, interested parties and visitors of this online offer on the basis of our legitimate interests in efficient and secure provision of such an online offer as defined by Art. 6 Para. 1 lit. f GDPR in combination with Art. 28 GDPR (conclusion of order processing agreement).
Collection of access data and log files
We or our hosting provider collect data about each access to the server hosting this service (server log files) on the basis of our legitimate interests as defined by Art. 6 Para. 1 lit. f GDPR. The access data includes the name of the visited website, the file, date and time of access, transmitted data volume, report about successful activation, browser type and version, operating system of the user, referrer URL (the previously visited site), IP address and the requesting provider.
Log file information is stored for a period of max. 7 days for security reasons (for example to resolve misuse or fraudulent acts) and then deleted. Where required to retain data as further proof, such data will not be deleted until the situation has been fully clarified and solved.
We integrate the fonts (“Google Fonts”) offered by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, into our offer. According to Google, the data of the users will solely be used for displaying font types in the users’ browsers. The integration is based on our legitimate interests in a technologically secure, maintenance-free and efficient use of fonts, their harmonized display and considerations of possible licensing restrictions for integration. Privacy Notice: https://www.google.com/policies/privacy/.