Version: November 22, 2022
Contents
- Business services
- Blogs and publication media
- Community features
- Single sign-on
- Contact and inquiry management
- Event follow-up
- Communication via Messenger
- Videoconferences, online meetings, webinars, and screen sharing
- Application processes
- Cloud services
- Newsletters and electronic notifications
- Marketing communications via email, fax, or phone
- Surveys and questionnaires
- Web analysis, monitoring, and optimization
- Social network presence (social media)
- Plugins as well as embedded features and content
- Management, organization, and auxiliary tools
Controller
Mayflower GmbH
Landsberger Straße 314
80687 München
Authorized representatives:
Albrecht Günther, Johann-Peter Hartmann, Björn Schotte
Email address: we@theagilehub.io
Phone: +49 89 2420540
Legal Notice: https://theagilehub.io/impressum
Contact for data privacy officer
When contacting the data privacy officer, please specify the company you are inquiring about. Please do not include any sensitive information in your inquiry, such as a copy of your government ID.
PROLIANCE GmbH
www.datenschutzexperte.de
Leopoldstr. 21
80802 München
Email address: datenschutzbeauftragter@datenschutzexperte.de
Overview of processing
The following overview summarizes the data that is processed and the purposes of the processing, and defines the data subjects.
Types of data processed
- Inventory data.
- Contact information.
- Content data.
- Usage data.
- Meta/communication data.
Categories of data subjects
- Customers.
- Employees.
- Potential employees.
- Communication partners.
- Users.
- Business and contractual partners.
Purposes of the processing
- Providing contractual services and customer service.
- Contact requests and communication.
- Security measures.
- Direct marketing.
- Reach measurement.
- Managing and responding to inquiries.
- Feedback.
- Marketing.
- Profiles with user-related information.
- Making our online offering available and user-friendly.
Relevant legal bases
The following provides you with an overview of the legal bases defined by the GDPR, which we use as a basis for processing personal data. Please note that in addition to the provisions of the GDPR, national data protection regulations may apply in your and/or our country of residence or business. Furthermore, if more specific legal bases are relevant in individual cases, we shall inform you of these in the Privacy Policy.
- Consent (Art. 6(1) p. 1 lit. a. GDPR) – The data subject has provided consent for the processing of personal data concerning him or her for one or more specific purposes.
- Performance of a contract and pre-contractual inquiries (Art. 6(1) p. 1 lit. b. GDPR) – Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
- Legal obligation (Art. 6(1) p. 1 lit. c. GDPR) – Processing is necessary for compliance with a legal obligation to which the controller is subject.
- Legitimate interests (Art. 6(1) p. 1 lit. f. GDPR) – Processing is necessary to protect the legitimate interests of the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require personal data to be protected.
- Application process as a pre-contractual and/or contractual relationship (Art. 9(2) lit. b GDPR) – Where special categories of personal data in the sense of Art. 9(1) GDPR are requested from applicants in the context of an application process (e.g. health data, such as severely handicapped status, or ethnic origin) so that the controller or the data subject can exercise his or her rights arising from labor law and social security law and social protections, and fulfill his or her duties in this regard, this data shall be processed pursuant to Art. 9(2) lit. b. GDPR in the event that vital interests of the applicants or other persons are protected pursuant to Art. 9(2) lit. c. GDPR or for the purposes of preventative or occupational medicine, for the assessment of the employee’s working capacity, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services pursuant to Art. 9(2) lit. h. GDPR. In the event that special categories of data are provided on the basis of voluntary consent, this data shall be processed on the basis of Art. 9(2) lit. a. GDPR.
In addition to the data protection rules in the General Data Protection Regulation, national regulations on data protection also apply in Germany. In particular, this includes the law protecting people from the misuse of personal data during data processing (Federal Data Protection Act, BDSG). In particular, the BDSG includes special provisions on the right to information, the right to erasure, and the right to object; on the processing of special categories of personal data, on processing for other purposes, and on data transfer as well as automated decision-making in individual cases, including profiling. It further regulates data processing for the purposes of the employment contract (§ 26 BDSG), particularly with regard to establishing, executing, and terminating employment contracts as well as employee consent. Furthermore, state data protection laws may apply in the individual federal states.
Security measures
As required by law, with consideration for the state of the art, implementation costs, and the type, scope, circumstances, and purposes of the processing as well as the differing likelihood of occurrence and the scope of threats to the rights and freedoms of natural persons, we take suitable technical and organizational measures to ensure a level of protection commensurate with this risk.
In particular, these measures include ensuring the confidentiality, integrity, and availability of data by controlling physical and electronic access to the data as well as the related access, input, sharing, safeguarding of availability, and separation. Furthermore, we have established processes that ensure the exercise of data subjects’ rights, the erasure of data, and responses to threats against data. We also consider the protection of personal data when developing and/or choosing hardware, software, and procedures, according to the principle of data protection by design and by default (through technology design and through data-protection-friendly default settings).
Shortening the IP address: Where IP addresses are processed by us or by the chosen service providers and technologies, and where it is not necessary to process a complete IP address, the IP address is shortened (also known as “IP masking”). In this process, the last two digits and/or the last part of the IP address after a period are removed or replaced with a placeholder. Shortening the IP address helps prevent, or significantly complicates, the identification of a person using his or her IP address.
SSL encryption (https): We use SSL encryption to protect your data that is transferred via our online offering. You can identify encrypted connections by the prefix https:// in the address line of your browser.
Transfer of personal data
In the context of our processing of personal data, it may be that the data is transferred or disclosed to other entities, companies, or legally independent organizational units or persons. Recipients of this data can include, for instance, service providers contracted to perform IT tasks and providers of services and content integrated into a website. In this case, we consider the statutory requirements and in particular conclude corresponding contracts and/or agreements with the recipients of your data in order to protect your data.
Data transmission within the organization: We can transfer personal data to other offices within our organization or grant them access to this data. Where this transfer occurs for administrative purposes, the data sharing takes place on the basis of our legitimate entrepreneurial and business interests or where necessary to fulfill our contractual duties, or where consent has been obtained from the data subjects or legal permission has been granted.
Data processing in third countries
Where we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or where the processing occurs in the context of using third-party services or disclosing and/or transferring data to other persons, entities, or companies, this shall occur only in compliance with the statutory requirements.
Subject to explicit consent or a contractually or legally required transfer, we only process the data or have it processed in third countries that have a recognized level of data protection, a contractual obligation through standard data protection clauses from the EU Commission, certifications, or binding internal data protection regulations (Art. 44 through 49 GDPR, information page of the EU Commission: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection_de).
Erasure of data
The data we process is erased as required by law as soon as the consent granted for processing is withdrawn or other permission lapses (e.g. if the purpose of processing this data no longer applies, or the data is no longer needed for this purpose).
Where the data is not erased because it is needed for other, legally permissible purposes, its processing is restricted to these purposes. In other words, the data is blocked and cannot be processed for other purposes. This applies, for instance, to data that must be kept according to commercial or tax law, or that must be saved in order to assert, exercise, or defend legal claims or to protect the rights of another natural or legal person.
In the context of our Privacy Policy, we can provide users with additional information about the erasure and storage of data that applies specifically to the respective type of processing.
Use of cookies
Cookies are small text files or other storage notes that save information on end devices and read information from these end devices, for instance to save the login status of a user account, the contents of a shopping cart in an online shop, the content retrieved from or features used on a website. Cookies can also be used for various purposes, e.g. for the functionality, security, and convenience of online offerings and for creating analyses of user flows.
About consent: We use cookies in compliance with the statutory requirements. Thus we obtain consent from the users in advance, except where this is not required by law. In particular, consent is not required where storage and retrieval of the information, including by cookies, is urgently necessary in order to provide users with a telemedia service (in other words, our online offering) that they explicitly wish to access. This revocable consent is communicated clearly to the users and includes information about cookie placement in each case.
About the legal basis for data protection: The legal basis for data protection that we use in processing the users’ personal data with the help of cookies depends on whether we ask the users to provide consent. If the users consent, the legal basis for processing their data is their declaration of consent. Otherwise, the data processed with the help of cookies is processed on the basis of our legitimate interests (e.g. the economical operation of our online offering and improving its usability) or, where this occurs in the context of fulfilling our contractual duties, where the use of cookies is necessary in order to fulfill our contractual duties. We explain the purposes for which we use cookies in the course of this Privacy Policy and when we obtain declarations of consent and perform the processing.
Storage length: The following types of cookies are differentiated by the length of storage:
- Temporary cookies (also known as session cookies): Temporary cookies are erased at the latest when a user has left an online offering and has closed his or her end device (e.g. the browser or mobile application).
- Permanent cookies: Permanent cookies are stored even after the end device is closed. For instance, login status can be saved or preferred content can be displayed immediately the next time the user visits the website. User data collected with the help of cookies can also be used to measure reach. Unless we provide users with explicit information about the type and storage length of cookies (e.g. while obtaining the declaration of consent), users should assume that cookies are permanent and have a storage length of up to two years.
- General information about withdrawing consent and lodging an objection (opting-out): Users can withdraw their consent at any time and can also opt-out of processing according to the statutory provisions in Art. 21 GDPR (more information about objections will be provided in this Privacy Policy). Users can also opt-out by adjusting their browser settings.
More information about processing methods, procedures, and services:
- Processing of cookie data on the basis of consent: We use a cookie consent management procedure in which users’ consent is obtained for the use of cookies and/or for the processing and providers named in the context of the cookie consent management procedure; this consent can also be managed and withdrawn by the users. The declaration of consent is saved so it does not need to be requested again and so consent can be proven as required by law. It can be stored by the server and/or in a cookie (known as an opt-in cookie) and/or using comparable technologies in order to assign the consent to a user or to his or her device. Subject to specific information about the providers of cookie management services, the following applies: Declarations of consent can be stored for up to two years. A pseudonymous user identifier is created and saved along with the time of consent, information about the scope of the consent (e.g. categories of cookies and/or service providers), and the browser, system, and utilized end device.
Plugins, embedded functions, and content
In our online offering, we integrate functional and content elements that are taken from the servers of their respective providers (hereinafter known as “third-party providers”). For instance, these can be graphics, videos, or city maps (hereinafter uniformly known as “content”).
Such integration always requires the third-party providers of this content to process the user’s IP address, since they cannot send the content to the user’s browser without an IP address. Thus the IP address is necessary in order to display this content or these functions. We strive to use only content for which the respective provider exclusively uses the IP address to deliver the content. Third-party providers can also use pixel tags (invisible graphics, also known as “web beacons”) for statistical or marketing purposes. The pixel tags can be used to analyze information such as visitor traffic on the pages of this website. This pseudonymous information can also be saved in cookies on the user’s device. Among other things, it can contain technical information about the browser and the operating system, about referring websites, and about the length of the visit and other information regarding the use of our online offering, and it can be combined with information from other sources.
- Types of data processed: Usage data (e.g. websites visited, interest in content, access times); meta/communication data (e.g. device information, IP addresses); location data (information about the geographic position of a device or a person).
- Data subjects: users (e.g. website visitors, users of online services).
- Purposes of the processing: Providing our online offering and making it user-friendly; providing contractual services and customer service.
- Legal basis: Legitimate interests (Art. 6(1) p. 1 lit. f) GDPR).
More information about processing methods, procedures, and services:
- Google Maps: We integrate maps from the “Google Maps” service provided by Google. In particular, the data processed can include users’ IP addresses and location data; service provider: Google Cloud EMEA Limited, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland; legal basis: legitimate interests (Art. 6(1) p. 1 lit. f) GDPR); website: https://mapsplatform.google.com/; Privacy Policy: https://policies.google.com/privacy.
- OpenStreetMap: We integrate maps from the “OpenStreetMap” service, offered on the basis of the Open Data Commons Open Database License (ODbL) by the OpenStreetMap Foundation (OSMF). OpenStreetMap utilizes the user data exclusively for the purpose of displaying the map function and for temporarily saving the chosen settings. In particular, this data can include users’ IP addresses and location data, but it is not collected without their consent (as a rule, this is done through the settings on their mobile devices); service provider: OpenStreetMap Foundation (OSMF); legal basis: legitimate interests (Art. 6(1) p. 1 lit. f) GDPR); website: https://www.openstreetmap.de; privacy policy: https://wiki.osmfoundation.org/wiki/Privacy_Policy.
Business services
We process data from our contractual and business partners, e.g. customers and potential customers (jointly described as “Contractual Partners”), in the context of contractual and comparable legal relationships as well as the associated measures, and in the context of communications with the Contractual Partners (or prior to the contract), e.g. in order to respond to inquiries.
We process this data in order to fulfill our contractual duties. In particular, this includes the duty to provide the agreed services, any duties to provide updates, and the duty to assist during warranty issues or other interruptions in performance. Furthermore, we process the data in order to protect our rights and for the purposes of the administrative tasks associated with these duties and for company organization. We also process the data on the basis of our legitimate interest in ensuring proper, economical business management as well as security measures to protect our Contractual Partners and our business operations from misuse, threats to their data, secrets, information, and rights (e.g. to participate in telecommunications, transport, and other ancillary services as well as sub-contractors, banks, tax and legal advisors, payment service providers, or tax authorities). Within the scope of applicable law, we share Contractual Partners’ data with third parties only where this is necessary for the abovementioned purposes or to fulfill statutory duties. This Privacy Policy provides information to the Contractual Partners about other forms of processing, e.g. for marketing purposes.
We inform the Contractual Partners about which data is necessary for the abovementioned purposes either before or in the course of data collection, e.g. in online forms, through special markings (e.g. colors) and/or symbols (e.g. asterisks, etc.), or in person.
We erase the data after the end of statutory warranty periods and comparable duties, i.e. at the latest after 4 years unless the data is stored in a customer account, e.g. as long as it must be retained for statutory archiving reasons (e.g. for tax purposes, generally 10 years). Data that is disclosed to us in the context of an order from the Contractual Partner is erased by us according to the requirements of the order, at the latest after the end of the order.
Where we use third-party providers or platforms to provide our services, the terms and conditions and privacy policies of the respective third-party providers or platforms shall apply to the relationship between the users and the providers.
Consulting
We process data from our clients, prospective customers, and other customers or contractual partners (jointly referred to as “Clients”) in order to provide them with our consulting services. The processed data and the type, scope, purpose, and necessity of its processing are determined according to the underlying contractual and client relationship.
Where necessary for our contract fulfillment, to protect vital interests, or as required by law, and/or where consent has been provided by the Clients, we disclose or transfer the Clients’ data to third parties or representatives, e.g. public agencies or subcontractors, and for IT, office-related or comparable services.
Events
We process data concerning participants at the events and similar activities that we offer or organize (hereinafter known jointly as “Participants” and “Events”) in order to allow them to participate in the Events and access the services or actions associated with their participation.
In this context, where we process health-related data or religious, political, or other special categories of data, this takes place within the scope of public knowledge (e.g. for thematically focused events or where data is used for preventative medicine, for security, or with the data subject’s consent).
Required information is characterized as such in the course of concluding the order or a comparable contract, and it includes the information necessary for performing the service and issuing invoices as well as contact information for any follow-up questions. Where we obtain access to information concerning the end customer, employees, or other persons, we process this in compliance with the statutory and contractual requirements.
- Types of data processed: Inventory data (e.g. names, addresses); payment data (e.g. banking details, invoices, payment history); contact information (e.g. email, phone numbers); contract data (e.g. subject of the contract, duration, customer category); applicant data (e.g. information about the person, mailing and contact addresses, materials that are part of the application and the information they contain, such as cover letter, CV, letters of reference as well as other information regarding a specific job or information provided voluntarily by applicants concerning their person and qualifications).
- Data subjects: Potential customers; business partners and contractual partners; applicants; customers.
- Purposes of the processing: Providing contractual services and customer service; contact requests and communications; office and organizational processes; managing and responding to inquiries.
- Legal basis: Performance of a contract and pre-contractual inquiries (Art. 6(1) p. 1 lit. b. GDPR); legal obligation (Art. 6(1) p. 1 lit. c. GDPR); legitimate interests (Art. 6(1) p. 1 lit. f. GDPR).
Blogs and publication media
We use blogs and comparable online communication media and publications (hereinafter “Publication Medium”). For the purposes of the Publication Medium, the readers’ data is processed only to the extent necessary to display it and to enable communications between authors and readers, or for security reasons. For the rest, please see the information on processing data concerning visitors to our Publication Medium, as provided in this Privacy Policy.
- Types of data processed: Inventory data (e.g. names, addresses); contact information (e.g. email, phone numbers); content data (e.g. information entered in online forms); usage data (e.g. websites visited, interest in content, access times); metadata/communication data (e.g. device information, IP addresses); contract data (e.g. subject of the contract, term, customer category).
- Data subjects: Users (e.g. website visitors, users of online services).
- Purposes of the processing: Providing contractual services and customer service; feedback (e.g. gathering feedback via an online form); making our online offering available and user-friendly; contact requests and communications; managing and responding to inquiries; security measures.
- Legal basis: Performance of a contract and pre-contractual inquiries (Art. 6(1) p. 1 lit. b. GDPR); legitimate interests (Art. 6(1) p. 1 lit. f. GDPR); consent (Art. 6(1) p. 1 lit. a. GDPR).
More information about processing methods, procedures, and services:
- Comments and posts: If users leave comments or make other posts, their IP addresses can be saved on the basis of our legitimate interests. This is done for the sake of our security in case someone enters illegal content in comments or posts (insults, prohibited political propaganda, etc.). In this case, we can be prosecuted for the comment or post, so we are interested in the identity of the author. Furthermore, on the basis of our legitimate interests, we reserve the right to process the user’s information for the purpose of identifying spam. On the same legal basis, we reserve the right to save users’ IP addresses for the duration of a survey and to use cookies to prevent multiple responses. Information concerning the person, any contact or website information, and content-related information shared in the context of the comments and posts shall be saved permanently by us until the user objects to this.
- Comment subscriptions: Users can subscribe to comment responses by providing their consent. Users receive a confirmation email to determine whether they are the owner of the provided email address. Users can cancel ongoing comment subscriptions at any time. The confirmation email provides information about cancellation options. For the purpose of proving users’ consent, we save the sign-up time along with the user’s IP address and erase this information when users cancel the subscription. You can choose to stop receiving our subscription at any time, e.g. by withdrawing your consent. We can save the provided email addresses for up to three years on the basis of our legitimate interests before we erase them, for the purpose of proving that consent was previously provided. Processing of this data is restricted to the purpose of a defense against potential claims. It is possible to request individual erasure at any time as long as confirmation is simultaneously provided that consent previously existed.
- Retrieval of WordPress emojis and smileys: For the purpose of efficiently integrating content elements, our WordPress blog uses graphical emojis (or smileys), i.e. small graphics files that express emotions, that are obtained from external servers. The providers of these servers collect users’ IP addresses. This is necessary in order to transfer the emoji files to the users’ browsers; service provider: Automattic Inc., 60 29th Street #343, San Francisco, CA 94110, USA; website: https://automattic.com; privacy policy: https://automattic.com/privacy.
- Profile pictures from Gravatar: We use the Gravatar service within our online offering and particularly in the blog. Gravatar is a service that allows users to log in and save their profile pictures and email addresses. When a user utilizes the respective email address to leave posts or comments on other online presences (especially on blogs), his or her profile picture can be displayed alongside the posts or comments. To this end, the email address provided by the user is transferred to Gravatar in encrypted form in order to check whether a profile has been saved under this address. This is the only purpose for which the email address is transferred. It is not used for any other purpose and is erased afterward. The use of Gravatar is based on our legitimate interests because we use Gravatar to give the post and comment authors the option of personalizing their posts with a profile picture. When the pictures are displayed, Gravatar learns the users’ IP addresses, since this is necessary for communications between a browser and an online service. If users do not want a user image associated with their email address with Gravatar to appear in the comments, they should use an email address that is not saved with Gravatar when posting comments. Please also note that it is possible to use an anonymous email address or none at all if users do not want their own email address to be sent to Gravatar. Users can prevent data from being transferred entirely by not using our commenting system; service provider: Automattic Inc., 60 29th Street #343, San Francisco, CA 94110, USA; website: https://automattic.com; privacy policy: https://automattic.com/privacy.
Community features
The community features that we provide allow users to enter into conversation or other types of exchanges with one another. Please note that use of the community features is permitted only with consideration for the applicable legal situation, our terms and conditions and guidelines, and the rights of other users and third parties.
- Types of data processed: Usage data (e.g. websites visited, interest in content, access times); metadata/communication data (e.g. device information, IP addresses).
- Data subjects: Users (e.g. website visitors, users of online services).
- Purposes of the processing: providing contractual services and customer service; security measures.
- Legal basis: Performance of a contract and pre-contractual inquiries (Art. 6(1) p. 1 lit. b) GDPR).
More information about processing methods, procedures and services:
- User posts are public: Posts and content created by users are publicly visible and accessible; legal basis: performance of a contract and pre-contractual inquiries (Art. 6(1) p. 1 lit. b) GDPR).
- Setting the visibility of posts: Users can adjust the settings to determine whether their posts and content are publicly visible or visible and/or accessible only to certain persons or groups; legal basis: performance of a contract and pre-contractual inquiries (Art. 6(1) p. 1 lit. b) GDPR).
- Saving data for security purposes: Users’ posts and other entries are processed for the purposes of the community and conversation features. Subject to statutory duties or statutory permission, they are not disclosed to third parties. In particular, a disclosure duty can apply for the purpose of prosecution in the case of illegal posts. Please note that in addition to the content of posts, the time of posting and the user’s IP address are also saved. This is done in order to take appropriate measures for the protection of other users and the community; legal basis: performance of a contract and pre-contractual inquiries (Art. 6(1) p. 1 lit. b) GDPR).
- Right to obtain erasure of content and information: The erasure of posts, content, or information from users is permissible following an appropriate consideration within the necessary scope, where there are concrete reasons to believe that these violate statutory regulations, our requirements, or third-party rights; legal basis: performance of a contract and pre-contractual inquiries (Art. 6(1) p. 1 lit. b) GDPR).
- Restriction on erasure of conversations: Out of consideration for other users, conversations by the user shall be saved even after cancellation and erasure of the user’s account so that the conversations, comments, suggestions, and similar communications between and among users do not lose or reverse their meaning. User names shall be erased or pseudonymized where they are not already pseudonyms. Users can request that we erase complete conversations at any time; legal basis: performance of a contract and pre-contractual inquiries (Art. 6(1) p. 1 lit. b) GDPR).
- Protection of own data: Users make their own decisions about which data they will disclose within our online offering, for example when users provide information about themselves or participate in conversations. We ask that users protect their data and disclose personal data only with caution and within the necessary scope. In particular, we ask users to take special precautions to protect login data and to use secure passwords (e.g. particularly by using random character combinations that are as long as possible); legal basis: performance of a contract and pre-contractual inquiries (Art. 6(1) p. 1 lit. b) GDPR).
Single sign-on
“Single sign-on” or “single sign-on authentication” means processes that allow users to sign in to services, including our online offering, via a user account with a provider of single sign-on processes (e.g. a social network). Single sign-on authentication requires users to be registered with the respective single sign-on provider and to confirm the single sign-on by clicking on a button.
Authentication takes place directly through the respective single sign-on provider. During this authentication, we receive a user ID notifying us that the user under this user ID is logged in with the respective single sign-on provider, along with an ID that we cannot use for any other purposes (“user handle”). Whether or not additional data is transferred to us depends solely on the implemented single sign-on process, the selected data sharing in the context of authentication, and which data the users chose to share in the single sign-on provider’s privacy or other settings. Depending on the single sign-on provider and the user’s selections, this data can vary. As a rule, it is the email address and user name. The password entered with the single sign-on provider during the single sign-on process cannot be viewed by us, nor do we save it. Users are asked to please note that their information saved with us can automatically be compared to their user account with the single sign-on provider; however, this is not always possible and does not always take place. For instance, if users’ email addresses change, they must manually update them in their user account with us.
Where agreed with the users, we can implement the single sign-on process during or after performance of the contract as long as users are consulted; we can process it within the context of a declaration of consent, and otherwise shall use it on the basis of legitimate interests on our part and the users’ interests in ensuring an effective, secure login system.
If users decide at any point that they no longer wish to use the connection to their user account with the single sign-on provider for the single sign-on process, they must block this connection inside their user account with the single sign-on provider. If users wish to erase their data with us, they must cancel their registration with us.
- Types of data processed: Inventory data (e.g. names, addresses); contact information (e.g. email, phone numbers); usage data (e.g. websites visited, interest in content, access times); metadata/communication data (e.g. device information, IP addresses).
- Data subjects: Users (e.g. website visitors, users of online services).
- Purposes of the processing: Providing contractual services and customer service; security measures; sign-in processes.
- Legal basis: Legitimate interests (Art. 6(1) p. 1 lit. f) GDPR).
More information about processing methods, procedures and services:
- LinkedIn single sign-on: Authentication service; service provider: LinkedIn Ireland Unlimited Company, Wilton Plaza Wilton Place, Dublin 2, Ireland; legal basis: legitimate interests (Art. 6(1) p. 1 lit. f) GDPR); website: https://www.linkedin.com; privacy policy: https://www.linkedin.com/legal/privacy-policy; data processing on behalf of another party: https://legal.linkedin.com/dpa; standard contractual clauses (guaranteeing the same level of data protection for processing in third countries): https://legal.linkedin.com/dpa; opt-out option: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.
Contact and inquiry management
When you contact us (e.g. using the contact form, email, phone, or via social media), as well as within the context of existing user and business relationships, information concerning the inquirer is processed to the extent necessary to respond to contact requests and any requested measures.
We respond to contact requests, and manage contact and inquiry data, in the context of contractual and pre-contractual relationships in order to fulfill our contractual duties or to respond to (pre-)contractual inquiries, as well as on the basis of our legitimate interest in responding to inquiries and maintaining user and/or business relationships.
- Types of data processed: Inventory data (e.g. names, addresses); contact information (e.g. email, phone numbers); content data (e.g. information entered in online forms).
- Data subjects: Communication partners.
- Purposes of the processing: Contact requests and communications; providing contractual services and customer service.
- Legal basis: Performance of a contract and pre-contractual inquiries (Art. 6(1) p. 1 lit. b. GDPR); legitimate interests (Art. 6(1) p. 1 lit. f. GDPR); legal obligation (Art. 6(1) p. 1 lit. c. GDPR).
More information about processing methods, procedures, and services:
- Contact form: When users contact us via our contact form, email, or other communication methods, we process the data shared with us in this connection in order to handle the communicated request. For this purpose, we process personal data in the context of pre-contractual and contractual business relationships where this is necessary for their performance, as well as on the basis of our legitimate interests, the communication partners’ interest in obtaining a response to the inquiries, and our statutory retention obligations.
Event follow-up
We process personal data for the purposes of following up on events; this can take place through various channels, such as email, phone, mail, or fax, according to the statutory requirements.
Recipients have the right to withdraw their granted consent at any time or to opt-out of marketing communications at any time.
Following such withdrawal and/or opting-out by the recipient, we can save the data necessary to prove consent for up to three years on the basis of our legitimate interests before we erase it. Processing of this data is restricted to the purpose of a defense against potential claims. An individual erasure request can be made at any time as long as the previous declaration of consent is simultaneously confirmed.
- Types of data processed: Inventory data (e.g. names, addresses); contact information (e.g. email, phone numbers); content data (e.g. information entered in online forms); usage data (e.g. websites visited, interest in content, access times); metadata/communication data (e.g. device information, IP addresses).
- Data subjects: Event participants.
- Purposes of the processing: Direct marketing, contact requests, and communications; providing contractual services and customer service, managing and responding to inquiries.
- Legal basis: Performance of a contract and pre-contractual inquiries (Art. 6(1) p. 1 lit. b. GDPR); consent (Art. 6(1) p. 1 lit. a. GDPR); legitimate interests (Art. 6(1) p. 1 lit. f. GDPR); legal obligation (Art. 6(1) p. 1 lit. c. GDPR).
More information about processing methods, procedures and services:
- Communications: When users contact us on site or via the provided communication options (like chats or email), we process the data shared with us in this connection in order to handle the communicated request. For this purpose, we process personal data in the context of pre-contractual and contractual business relationships where this is necessary for their performance, as well as on the basis of our legitimate interests and the communication partners’ interest in obtaining a response to the inquiries, providing information about direct marketing, and our statutory retention obligations.
Communication via Messenger
We use Messenger for communication purposes and ask that you please read the following information about the functionalities of Messenger, encryption, the use of communication metadata, and your opt-out options.
You can also contact us by alternative means, e.g. via phone or email. Please use the specified contact methods or the contact methods indicated in our online offering.
In the case of end-to-end encryption of content (e.g. the content of your message and attachments), please note that the communication content (e.g. the content of the message and any attached images) will be encrypted end-to-end. That means the content of the messages cannot be viewed, not even by the Messenger providers. You should always use an updated version of Messenger with encryption enabled to ensure that the content of your messages is encrypted.
However, we also hereby inform our communication partners that while the providers of Messenger do not review the content, they can learn whether and when communication partners communicate with us and can obtain technical information about the device used by the communication partner; in addition, depending on your device settings, location information (metadata) may also be processed.
About the legal basis: Where we ask communication partners for permission before communicating with them via Messenger, their consent forms the legal basis for our processing of their data. For the rest, if we do not request agreement and you contact us voluntarily, for instance, we use Messenger as a contractual measure in the relationship with our contractual partners and in the context of contract initiation; for other potential customers and communication partners, we use it on the basis of our legitimate interest in fast, efficient communication and in meeting our communication partners’ needs to communicate via Messenger. Please also note that we do not initially provide Messenger with your contact information unless you grant us permission to do so.
Withdrawal, opt-out, and erasure: You can withdraw your granted consent at any time and opt-out of communicating with us via Messenger at any time. In the case of communication via Messenger, we shall erase messages according to our general erasure guidelines (e.g., as described above, after the end of a contractual relationship, in the context of archiving requirements, etc.); otherwise, we shall do so as soon as we can safely assume all inquiries from the communication partner have been answered, where we do not expect anyone to refer back to a previous conversation, and where there are no statutory retention obligations that oppose their erasure.
Reservation of the right to suggest other communication methods: Finally, we would like to note that for the sake of your security, we reserve the right not to respond to inquiries via Messenger. This is the case, for instance, where the contract content requires special confidentiality or where responding via Messenger does not fulfill the formal requirements. In such cases, we shall suggest more appropriate communication methods for you.
- Types of data processed: Contact information (e.g. email, phone numbers); usage data (e.g. websites visited, interest in content, access times); metadata/communication data (e.g. device information, IP addresses); content data (e.g. information entered in online forms).
- Data subjects: Communication partners.
- Purposes of the processing: Contact requests and communications; direct marketing (e.g. by email or mail).
- Legal basis: Consent (Art. 6(1) p. 1 lit. a. GDPR); legitimate interests (Art. 6(1) p. 1 lit. f. GDPR).
More information about processing methods, procedures and services:
- Facebook Messenger: Facebook Messenger with end-to-end encryption (end-to-end encryption from Facebook Messenger must be enabled if it is not enabled by default); service provider: Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland; website: https://www.facebook.com; privacy policy: https://www.facebook.com/about/privacy; standard contractual clauses (guaranteeing the same level of data protection for processing in third countries): https://www.facebook.com/legal/EU_data_transfer_addendum; data processing contract: https://www.facebook.com/legal/terms/dataprocessing.
- Slack: Instant messaging service; service provider: Slack Technologies, Inc., 500 Howard Street, San Francisco, CA 94105, USA; website: https://slack.com/intl/de-de/; privacy policy: https://slack.com/intl/de-de/legal; standard contractual clauses (guaranteeing the same level of data protection for processing in third countries): https://slack.com/intl/de-de/terms-of-service/data-processing; data processing contract: https://slack.com/intl/de-de/terms-of-service/data-processing; more information: security measures: https://slack.com/intl/de-de/security-practices.
- Twitter: Social network; service provider: Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2 D02 AX07, Ireland, parent company: Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA; privacy policy: https://twitter.com/privacy, (settings: https://twitter.com/personalization).
Videoconferences, online meetings, webinars, and screen sharing
We use platforms and applications from other providers (hereinafter known as “Conference Platforms”) for the purpose of holding video and audio conferences, webinars, and other types of video and audio meetings (hereinafter jointly known as a “Conference”). We take the statutory requirements into consideration when choosing the conference platforms and their services.
Data processed by Conference Platforms: In the context of their participation in a Conference, the Conference Platforms process the following personal data concerning the participants. The scope of processing depends in part on which data is required in the context of a specific Conference (e.g. login data or real names), as well as on the optional information provided by participants. In addition to the processing required to hold the Conference, participant data can also be processed by the Conference Platforms for security purposes or for service optimization. The processed data includes personal data (first and last name), contact information (email address, phone number), login data (access codes or passwords), profile pictures, information about the professional position/function, IP address of the internet connection, information about participants’ end devices and their technical and language settings, information about the content of communications, e.g. entries made in chats as well as audio and video data, as well as the use of other available features (e.g. surveys). Communication content shall be encrypted to the extent technically available through the Conference provider. If participants are registered as users with the Conference Platforms, additional data can be processed according to the agreement with the respective Conference provider.
Logging and recording: Where text entries, participation results (e.g. from surveys), and video or audio recordings are logged, this shall be transparently reported to the participants in advance; where necessary, they shall be asked to agree to this.
Data protection measures for participants: For more details about how your data is processed by the Conference Platforms, please read their privacy policies and use the settings on the Conference Platforms to choose the best security and data protection settings for your needs. Please also ensure data and privacy protection in the background of your recording for the duration of a videoconference (e.g. by notifying your roommates, closing doors, and, where technically possible, using the background blurring feature). Links to the conference rooms and login data shall not be shared with unauthorized third parties.
About the legal basis: Where we also process user data alongside the Conference Platforms, and ask users for their consent to use the Conference Platforms or certain features (e.g. agreeing to allow recording of Conferences), the legal basis for processing is this consent. Furthermore, our processing may be necessary for the performance of our contractual duties (e.g. participant lists, in the case of processing meeting results, etc.). For the rest, user data shall be processed on the basis of our legitimate interest in efficient and secure communication with our communication partners.
- Types of data processed: Inventory data (e.g. names, addresses); contact information (e.g. email, phone numbers); content data (e.g. information entered in online forms); usage data (e.g. websites visited, interest in content, access times); metadata/communication data (e.g. device information, IP addresses).
- Data subjects: Communication partners; users (e.g. website visitors, users of online services).
- Purposes of the processing: Providing contractual services and customer service; contact requests and communications; office and organizational processes.
- Legal basis: Consent (Art. 6(1) p. 1 lit. a. GDPR); contract fulfillment and pre-contractual inquiries (Art. 6(1) p. 1 lit. b. GDPR); legitimate interests (Art. 6(1) p. 1 lit. f. GDPR).
More information about processing methods, procedures and services:
- Google Hangouts / Meet: Messenger and conference software; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; website: https://hangouts.google.com/; privacy policy: https://policies.google.com/privacy.
- Zoom: Videoconferences, web conferences, and webinars; service provider: Zoom Video Communications, Inc., 55 Almaden Blvd., Suite 600, San Jose, CA 95113, USA; website: https://zoom.us; privacy policy: https://zoom.us/docs/de-de/privacy-and-legal.html; standard contractual clauses (guaranteeing the same level of data protection for processing in third countries): https://zoom.us/docs/de-de/privacy-and-legal.html (referred to as Global DPA); data processing contract: https://zoom.us/docs/de-de/privacy-and-legal.html (referred to as Global DPA).
- Miro: Online whiteboard and collaboration platform; service provider: Realtimeboard Inc. dba Miro, 201 Spear Street Suite 1100, San Francisco, California 94105, USA; website: https://miro.com/; privacy policy: https://miro.com/legal/privacy-policy/.
- Gather: Videoconferences, web conferences, and webinars; service provider: Gather Presence Inc, 2261 Market Street #4095, San Francisco, CA 94114, USA; website: https://gather.town; privacy policy: https://www.gather.town/privacy-policy.
Cloud services
We use internet-accessible software services that are run on their providers’ servers (referred to as “Cloud Services,” also known as “Software as a Service”) for the following purposes: saving and administering documents; managing calendars; sending emails; performing spreadsheet analysis and creating presentations; sharing documents, content, and information with certain recipients; or publishing websites, forms, or other content and information as well as chats and participation in audio and videoconferences.
In this context, personal data can be processed and saved on the providers’ servers as long as this data is part of communications with us or is otherwise processed by us as described in this Privacy Policy. In particular, this data can include inventory data and contact information for users, data about transactions, contracts, other processes and their content. The providers of Cloud Services also process usage data and metadata, which they use for security purposes and for service optimization.
Where we use the Cloud Services to provide forms or the abovementioned documents and content for other users or publicly accessible websites, the providers can place cookies on users’ devices for the purposes of web analysis or in order to remember user settings (e.g. in the case of media control).
About the legal basis: Where we ask for your consent to use the Cloud Services, the legal basis for processing is this consent. Furthermore, their use can be part of our (pre-)contractual services where the use of Cloud Services was agreed in this context. Otherwise, the user data is processed on the basis of our legitimate interests (e.g. our interest in efficient and secure administration and collaboration processes).
- Types of data processed: Inventory data (e.g. names, addresses); contact information (e.g. email, phone numbers); content data (e.g. information entered in online forms); usage data (e.g. websites visited, interest in content, access times); metadata/communication data (e.g. device information, IP addresses).
- Data subjects: Customers; employees (e.g. staff, applicants, former employees); potential customers; communication partners.
- Purposes of the processing: Office and organizational processes.
- Legal basis: Consent (Art. 6(1) p. 1 lit. a. GDPR); contract fulfillment and pre-contractual inquiries (Art. 6(1) p. 1 lit. b. GDPR); legitimate interests (Art. 6(1) p. 1 lit. f. GDPR).
More information about processing methods, procedures and services:
- Google Cloud Storage: Cloud storage, cloud infrastructure services, and cloud-based application software; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; website: https://cloud.google.com/; privacy policy: https://cloud.google.com/terms/cloud-privacy-notice, security information: https://cloud.google.com/security/privacy; standard contractual clauses (guaranteeing the same level of data protection for processing in third countries): https://cloud.google.com/terms/eu-model-contract-clause; data processing contract: https://cloud.google.com/terms/data-processing-terms.
- Google Workspace: Cloud-based application software (e.g. text and table processing, deadline and contact management), cloud storage and cloud infrastructure services; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; Website: https://cloud.google.com/; privacy policy: https://cloud.google.com/terms/cloud-privacy-notice, security information: https://cloud.google.com/security/privacy; standard contractual clauses (guaranteeing the same level of data protection for processing in third countries): https://cloud.google.com/terms/eu-model-contract-clause; data processing contract: https://workspace.google.com/terms/dpa_terms.html.
- Microsoft Cloud Services: Cloud storage, cloud infrastructure services, and cloud-based application software; service provider: Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399 USA; website: https://microsoft.com/de-de; privacy policy: https://privacy.microsoft.com/de-de/privacystatement, security information: https://www.microsoft.com/de-de/trustcenter; standard contractual clauses (guaranteeing the same level of data protection for processing in third countries): https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA; data processing contract: https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA.
- Nextcloud (hosted on own server): Cloud storage service in which the operation and storage of processed data take place on a server that we manage; service provider: Nextcloud GmbH, Hauptmannsreute 44a, 70192 Stuttgart, Germany; website: https://nextcloud.com/de/; privacy policy: https://nextcloud.com/de/privacy/.
Newsletters and electronic notifications
We send newsletters, emails, and other electronic notifications (hereinafter “Newsletters”) only with consent from the recipients or with legal permission. Where the content of a Newsletter is specifically described as part of the subscription process, this is definitive for the users’ consent. For the rest, our Newsletters contain information about our services and about us.
To subscribe to our Newsletters, it is fundamentally sufficient for you to provide your email address. However, we may ask you to provide a name for the purpose of addressing you personally in the Newsletter, or additional information as necessary for the purposes of the Newsletter.
Double opt-in process: Subscribing to our Newsletter fundamentally involves a double opt-in process. In other words, after subscribing, you will receive an email asking you to confirm your subscription. This confirmation is necessary to ensure that no one can subscribe using someone else’s email address. Newsletter subscriptions are recorded in order to provide proof of the subscription process in compliance with the legal requirements. That includes saving the subscription and confirmation times as well as the IP address. Any changes to your data saved with the delivery service provider shall also be recorded.
Erasure and restriction of processing: We can save the provided email addresses for up to three years on the basis of our legitimate interests before erasing them, in order to provide proof of prior consent. Processing of this data is restricted to the purpose of a defense against potential claims. An individual erasure request can be made at any time as long as the prior existence of consent is simultaneously confirmed. In the event of a duty to permanently observe objections, we reserve the right to save the email address in a “blocklist” solely for this purpose.
The subscription process is recorded on the basis of our legitimate interest in proving its proper execution. Where we hire a service provider to send out emails, this occurs on the basis of our legitimate interest in an efficient, secure delivery system.
About the legal basis: The Newsletter is sent out on the basis of consent from the recipients or, where consent is not required, on the basis of our legitimate interest in direct marketing if and to the extent that this is legally permissible, e.g. in the case of marketing to existing customers. Where we hire a service provider to send out emails, this occurs on the basis of our legitimate interest in an efficient, secure delivery system. The subscription process is recorded on the basis of our legitimate interest, to prove that it was executed in compliance with the law.
Information about us, our services, promotions, and offers.
- Types of data processed: Inventory data (e.g. names, addresses); contact information (e.g. email, phone numbers); metadata/communication data (e.g. device information, IP addresses); usage data (e.g. websites visited, interest in content, access times).
- Data subjects: Communication partners; users (e.g. website visitors, users of online services).
- Purposes of the processing: Direct marketing (e.g. by email or mail); providing contractual services and customer service.
- Legal basis: Consent (Art. 6(1) p. 1 lit. a. GDPR); legitimate interests (Art. 6(1) p. 1 lit. f. GDPR).
- Opt-out option: You can cancel our Newsletter at any time, in other words withdraw your consent or opt-out of receiving it. You can either find a cancellation link for the Newsletter at the end of each Newsletter, or you can use one of the abovementioned contact options, preferably email, to do so.
More information about processing methods, procedures and services:
- Measuring opening and click rates: The Newsletters contain a “web beacon,” a pixel-sized file that is retrieved by our server when you open the Newsletter, or by a delivery service provider’s server where we use a delivery service provider. In the context of this retrieval, we initially collect technical information, such as information about your browser and your system as well as your IP address and the time of the retrieval. This information is used for technical improvement of our Newsletter based on the technical data or on the target groups and your reading behavior, on the basis of your retrieval locations (which can be determined using the IP address) or access times. The analysis also includes a determination of whether Newsletters are opened, when they are opened, and which links are clicked. This information is assigned to the individual Newsletter recipients and saved in their profiles until these are erased. These evaluations help us recognize our users’ reading habits and adapt our content to them, or deliver different content according to the interests of our users. Measuring the opening rates and click rates, as well as saving measurement results in users’ profiles and further processing them, occurs on the basis of the users’ consent. Unfortunately it is not possible to opt-out of success measurement separately; in this case, the entire Newsletter subscription must be canceled or subject to an opt-out. As a result, the saved profile information shall be erased.
- Prerequisite for the use of free services: Consent for delivery of the mailings can be made a prerequisite for using free services (e.g. access to certain content or participation in certain promotions). If users wish to use the free service without subscribing to the Newsletter, we ask that they please contact us.
- Mailchimp: Email delivery and email marketing platform; service provider: Rocket Science Group, LLC, 675 Ponce De Leon Ave NE #5000, Atlanta, GA 30308, USA; website: https://mailchimp.com; privacy policy: https://mailchimp.com/legal/; standard contractual clauses (guaranteeing the same level of data protection for processing in third countries): component of the data processing contract; data processing contract: https://mailchimp.com/legal/; more information: special security measures: https://mailchimp.com/help/Mailchimp-european-data-transfers/.
Marketing communications via email, mail, fax, or phone
We process personal data for the purposes of marketing communications, which can take place through various channels such as email, phone, mail, or fax, according to the statutory requirements.
Recipients have the right to withdraw their consent at any time or to opt-out of marketing communications at any time.
Following a withdrawal or opt-out, we can save the data necessary to prove consent for up to three years on the basis of our legitimate interests before we erase it. Processing of this data is restricted to the purpose of a defense against potential claims. An individual erasure request can be made at any time as long as the prior existence of consent is simultaneously confirmed.
- Types of data processed: Inventory data (e.g. names, addresses); contact information (e.g. email, phone numbers).
- Data subjects: Communication partners.
- Purposes of the processing: Direct marketing (e.g. via email or mail).
- Legal basis: Consent (Art. 6(1) p. 1 lit. a. GDPR); legitimate interests (Art. 6(1) p. 1 lit. f. GDPR).
Surveys and questionnaires
The surveys and questionnaires that we carry out (hereinafter “Surveys”) are analyzed anonymously. Processing of personal data occurs only to the extent that this is necessary for the provision and technical performance of the Surveys (e.g. processing the IP address in order to display the Survey in the user’s browser, or using a temporary cookie (session cookie) to continue completing the Survey) or where the users have consented to this.
About the legal basis: Where we ask participants for consent for the processing of their data, this is the legal basis of the processing; otherwise, processing of participant data takes place on the basis of our legitimate interest in performing an objective Survey.
- Types of data processed: Contact information (e.g. email, phone numbers); content data (e.g. information entered in online forms); usage data (e.g. websites visited, interest in content, access times); metadata/communication data (e.g. device information, IP addresses).
- Data subjects: Communication partners.
- Purposes of the processing: Contact requests and communications; direct marketing (e.g. by email or mail).
- Legal basis: Consent (Art. 6(1) p. 1 lit. a. GDPR); legitimate interests (Art. 6(1) p. 1 lit. f. GDPR).
More information about processing methods, procedures and services:
- Google Forms: Google Cloud Forms; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; website: https://firebase.google.com; privacy policy: https://policies.google.com/privacy; opt-out: opt-out plugin: https://tools.google.com/dlpage/gaoptout?hl=de, settings for displaying ads: https://adssettings.google.com/authenticated.
- Typeform: Creating forms and surveys, administering participant input; service provider: TYPEFORM SL, Carrer Bac de Roda, 163, local, 08018 – Barcelona, Spain; website: https://www.typeform.com/; privacy policy: https://admin.typeform.com/to/dwk6gt/.
Web analysis, monitoring, and optimization
Web analysis (also known as “reach measurement”) is used to evaluate visitor flows for our online offering. It can include visitor behavior, interests, or demographic information, e.g. age or gender, expressed as pseudonymous values. With reach measurement, we can determine, for instance, when our online offering or its features and content are most frequently used, or invite visitors to use them again. We can also use it to understand which areas need to be optimized.
In addition to web analysis, we can also use test procedures to test and optimize different versions of our online offering or its components, for example.
Unless otherwise stated below, profiles – in other words data summarized for a usage transaction – can be created, and information can be saved in a browser and/or end device and read out from there. The gathered information particularly includes the websites visited and the elements utilized there, as well as technical information such as the implemented browser and computer system as well as information about usage times. Where users have consented to the collection of their location data by us or by the providers of services that we utilize, location data can also be processed.
Users’ IP addresses are also saved. However, we use an IP masking process (e.g. pseudonymization, by shortening the IP address) to protect users. In general, no plain data concerning users (e.g. email addresses or real names) that is collected in the context of the web analysis, A/B testing, or optimization is saved; rather, pseudonyms are used. In other words, we and the providers of the implemented software do not know the actual identity of the users, only the information saved in their profiles for the purposes of the respective transaction.
About the legal basis: Where we ask users to consent to the use of third-party providers, the legal basis for processing data is this consent. Otherwise, users’ data shall be processed on the basis of our legitimate interests (e.g. our interest in providing efficient, cost-effective, and recipient-friendly services). In this context, please also note the information about the use of cookies in this Privacy Policy.
- Types of data processed: Usage data (e.g. websites visited, interest in content, access times); metadata/communication data (e.g. device information, IP addresses).
- Data subjects: Users (e.g. website visitors, users of online services).
- Purposes of the processing: Reach measurement (e.g. access statistics, recognizing returning visitors); profiles with user-related information (creating user profiles).
- Security measures: IP masking (pseudonymization of the IP address).
- Legal basis: Consent (Art. 6(1) p. 1 lit. a. GDPR); legitimate interests (Art. 6(1) p. 1 lit. f. GDPR).
More information about processing methods, procedures and services:
- Google Analytics: Web analysis, reach measurement, and measurement of user flows; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; website: https://marketingplatform.google.com/intl/de/about/analytics/; privacy policy: https://policies.google.com/privacy; more information: types of processing and types of data processed: https://privacy.google.com/businesses/adsservices; data processing conditions for Google advertising products and standard contractual clauses for third-country data transfers: https://business.safety.google/adsprocessorterms.
- Google Tag Manager: Google Tag Manager is a solution that we use to administer website tags via an interface, in order to integrate other services into our online offering (please note additional information in this Privacy Policy). Therefore Tag Manager itself (which implements the tags) does not yet create user profiles or save cookies, for instance. Google obtains only the user’s IP address, which is needed in order to run the Google Tag Manager; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; website: https://marketingplatform.google.com; privacy policy: https://policies.google.com/privacy; data processing contract: https://business.safety.google/adsprocessorterms; more information: types of processing and types of data processed: https://privacy.google.com/businesses/adsservices; data processing conditions for Google advertising products and standard contractual clauses for third-country data transfers: https://business.safety.google/adsprocessorterms.
Social network presence (social media)
We maintain online presences within social networks and process user data in this context in order to communicate with users who are active in these networks, or to provide them with information about us.
Please note that user data can be processed outside the European Union in this case. This may produce risks for the users because it could, for instance, make it more difficult for users to exercise their rights.
Furthermore, as a rule, user data is processed within social networks for market research and marketing purposes. That means usage behavior and the user interests determined from this can be used to create usage profiles, for instance. These usage profiles can in turn be used to display ads inside and outside the networks, for example, that presumably correspond to the users’ interests. As a rule, cookies are saved on users’ computers for this purpose; the cookies record the users’ usage behavior and interests. Furthermore, usage profiles can also save data independently from the devices implemented by users (especially if the users are members of the respective platforms and are logged in to them).
For a detailed description of the respective processing forms and opt-out options, please also see the privacy policies and information from operators of the respective networks.
In the case of requests for information and for asserting data subjects’ rights, please also note that these can most effectively be asserted with the providers. Only the providers have access to user data in each case and can take corresponding direct measures and provide information. If you nonetheless need further help, you can also contact us.
- Types of data processed: Contact information (e.g. email, phone numbers); content data (e.g. information entered in online forms); usage data (e.g. websites visited, interest in content, access times); metadata/communication data (e.g. device information, IP addresses).
- Data subjects: Users (e.g. website visitors, users of online services).
- Purposes of the processing: Contact requests and communications; feedback (e.g. gathering feedback via an online form); marketing.
- Legal basis: Legitimate interests (Art. 6(1) p. 1 lit. f. GDPR).
More information about processing methods, procedures and services:
- Facebook pages: Profiles within the social network Facebook – we are jointly responsible with Facebook Ireland Ltd. for the collection (but not the further processing) of data concerning visitors to our Facebook page (“Fanpage”). This data includes information about the types of content that users view or with which they interact, and about the actions they take (see “Things you and others do and provide” in the Facebook data policy: https://www.facebook.com/policy), as well as information about devices used by the users (e.g. IP addresses, operating system, browser type, language settings, cookie data; see “Device information” in the Facebook data policy: https://www.facebook.com/policy). As explained in the Facebook data policy under “How do we use this information?,” Facebook also collects and uses information in order to provide analysis services, known as “page insights,” for page operators so they can learn how people interact with their pages and with the associated content. We have concluded a special agreement with Facebook (“Information about page insights,” https://www.facebook.com/legal/terms/page_controller_addendum) that in particular establishes which security measures Facebook must observe, and within which Facebook has agreed to fulfill the data subjects’ rights (e.g. users can direct their requests for information or erasure to Facebook). Users’ rights (especially regarding information, erasure, opting out, and lodging complaints with the responsible supervisory authorities) are not restricted by these agreements with Facebook.
More information can be found in the “Information about page insights” (https://www.facebook.com/legal/terms/information_about_page_insights_data); service provider: Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland; website: https://www.facebook.com; privacy policy: https://www.facebook.com/about/privacy; standard contractual clauses (guaranteeing the same level of data protection for processing in third countries): https://www.facebook.com/legal/EU_data_transfer_addendum; more information: agreement on joint responsibility: https://www.facebook.com/legal/terms/information_about_page_insights_data.
- LinkedIn: Social network; service provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland; website: https://www.linkedin.com; privacy policy: https://www.linkedin.com/legal/privacy-policy; standard contractual clauses (guaranteeing the same level of data protection for processing in third countries): https://legal.linkedin.com/dpa; opt-out: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out; data processing contract: https://legal.linkedin.com/dpa.
- Twitter: Social network; service provider: Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2 D02 AX07, Ireland, parent company: Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA; privacy policy: https://twitter.com/privacy (settings: https://twitter.com/personalization).
- Xing: Social network; service provider: XING AG, Dammtorstraße 29-32, 20354 Hamburg, Germany; website: https://www.xing.de; privacy policy: https://privacy.xing.com/de/datenschutzerklaerung.
Plugins and embedded features as well as content
We integrate features and content elements into our online offering that are obtained from the servers of their respective providers (hereinafter known as “Third-Party Providers”). These can be, for instance, graphics, videos, or city maps (hereinafter jointly known as “Content”).
Such integration always requires Third-Party Providers of this content to process the IP addresses of users, since they cannot send content to the users’ browsers without an IP address. Thus the IP address is necessary in order to display the content and features. We strive to use only content whose respective provider utilizes the IP address exclusively to deliver the content. Further, Third-Party Providers can use pixel tags (invisible graphics, also known as web beacons) for statistical or marketing purposes. The pixel tags can be used to analyze information such as visitor traffic to the pages of this website. The pseudonymous information can also be saved in cookies on the user’s device; among other things, it can include technical information about the browser and the operating system, about referring web pages, about the time of the visit, and other information about the use of our online offering. It can also be associated with such information from other sources.
About the legal basis: Where we ask users to consent to the use of Third-Party Providers, the legal basis for processing data is this consent. Otherwise, user data is processed on the basis of our legitimate interests (e.g. our interest in providing efficient, cost-effective, and recipient-friendly services). In this context, please also note the information on the use of cookies in this Privacy Policy.
- Types of data processed: Usage data (e.g. websites visited, interest in content, access times); metadata/communication data (e.g. device information, IP addresses); inventory data (e.g. names, addresses); contact information (e.g. email, phone numbers); content data (e.g. information entered in online forms).
- Data subjects: Users (e.g. website visitors, users of online services).
- Purposes of the processing: Making our online offering available and user-friendly; providing contractual services and customer service; profiles with user-related information (creating user profiles); feedback (e.g. gathering feedback via an online form).
- Legal basis: Consent (Art. 6(1) p. 1 lit. a. GDPR); contract fulfillment and pre-contractual inquiries (Art. 6(1) p. 1 lit. b. GDPR); legitimate interests (Art. 6(1) p. 1 lit. f. GDPR).
More information about processing methods, procedures, and services:
- Integration of third-party software, scripts, or frameworks (e.g. jQuery): We integrate software into our online offering that we retrieve from servers of other providers (e.g. feature libraries that we use to make our online offering available or user-friendly). In this context, the respective providers collect users’ IP addresses and can use these for the purposes of providing the software to the users’ browsers and for security purposes, as well as to analyze and optimize their offering.
- Font Awesome: Displaying fonts and symbols; service provider: Fonticons, Inc., 6 Porter Road Apartment 3R, Cambridge, MA 02140, USA; website: https://fontawesome.com/; privacy policy: https://fontawesome.com/privacy.
- reCAPTCHA: We integrate the “reCAPTCHA” feature to determine whether input (e.g. in online forms) is being provided by human beings and not machines automatically operating (“bots”). The processed data can include IP addresses, information about operating systems, devices, or implemented browsers, language settings, location, mouse movements, keystrokes, dwell time on websites, previously visited websites, interactions with reCaptcha on other websites, in some circumstances cookies, and results of manual recognition processes (e.g. answering questions or selecting objects in images); service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; website: https://www.google.com/recaptcha/; privacy policy: https://policies.google.com/privacy; opt-out option: opt-out plugin: https://tools.google.com/dlpage/gaoptout?hl=de, display settings for ads: https://adssettings.google.com/authenticated.
- YouTube videos: Video content; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; website: https://www.youtube.com; privacy policy: https://policies.google.com/privacy; opt-out option: opt-out plugin: https://tools.google.com/dlpage/gaoptout?hl=de, display settings for ads: https://adssettings.google.com/authenticated.
- Xing plugins and buttons: Xing plugins and buttons – this can include, for instance, content such as images, videos or texts, and buttons with which users can share content from this online offering within Xing; service provider: XING AG, Dammtorstraße 29-32, 20354 Hamburg, Germany; website: https://www.xing.com; privacy policy: https://privacy.xing.com/de/datenschutzerklaerung.
Management, organization, and auxiliary tools
We use services, platforms, and software from other providers (hereinafter known as “Third-Party Providers”) for the purposes of organizing, administering, planning, and providing our services. We take the statutory requirements into consideration when choosing Third-Party Providers and their services.
In this context, personal data can be processed and saved on the servers of Third-Party Providers. This can affect a range of data that we process according to this Privacy Policy. In particular, this data can include master data and contact information for users as well as data about transactions, contracts, and other processes and their content.
Where users are referred to the Third-Party Providers and/or their software or platforms in the context of communications, business relationships or other relationships with us, the Third-Party Providers can process usage data and metadata for security purposes, for service optimization, or for marketing purposes. Therefore please note the privacy policies of the respective Third-Party Providers.
About the legal basis: Where we ask users to consent to the use of Third-Party Providers, the legal basis for processing data is this consent. Further, their use can be part of our (pre-)contractual services where the use of Third-Party Providers has been agreed in this context. Otherwise, user data shall be processed on the basis of our legitimate interests (e.g. our interest in providing efficient, cost-effective, and recipient-friendly services). In this context, please also note the information about the use of cookies in this Privacy Policy.
- Types of data processed: Inventory data (e.g. names, addresses); contact information (e.g. email, phone numbers); content data (e.g. information entered in online forms); usage data (e.g. websites visited, interest in content, access times); metadata/communication data (e.g. device information, IP addresses).
- Data subjects: Communication partners; users (e.g. website visitors, users of online services).
- Purposes of the processing: Office and organizational processes.
- Legal basis: Consent (Art. 6(1) p. 1 lit. a. GDPR); contract fulfillment and pre-contractual inquiries (Art. 6(1) p. 1 lit. b. GDPR); legitimate interests (Art. 6(1) p. 1 lit. f. GDPR).
More information about processing methods, procedures, and services:
- calendly: Online scheduling; service provider: Calendly LLC., 271 17th St NW, Ste 1000, Atlanta, Georgia, 30363, USA; website: https://calendly.com/de; privacy policy: https://calendly.com/pages/privacy.
- Confluence: Software for creating and administering wikis and knowledge platforms; service provider: Atlassian Inc. (San Francisco, Harrison Street location), 1098 Harrison Street, San Francisco, California 94103, USA; website: https://www.atlassian.com/software/confluence; privacy policy: https://www.atlassian.com/legal/privacy-policy; standard contractual clauses (guaranteeing the same level of data protection for processing in third countries): https://www.atlassian.com/legal/data-processing-addendum; more information: data transfer impact assessment: https://www.atlassian.com/legal/data-transfer-impact-assessment.
- Jira: Web application for error management, troubleshooting and operational project management; service provider: Atlassian Inc. (San Francisco, Harrison Street Location), 1098 Harrison Street, San Francisco, California 94103, USA; website: https://www.atlassian.com/software/jira; privacy policy: https://www.atlassian.com/legal/privacy-policy; standard contractual clauses (guaranteeing the same level of data protection for processing in third countries): https://www.atlassian.com/legal/data-processing-addendum; more information: data transfer impact assessment: https://www.atlassian.com/legal/data-transfer-impact-assessment.
- snapADDY: Digital contact information collection; service provider: snapADDY GmbH, Haugerkirchgasse 7, 97070 Würzburg, Germany; website: https://www.snapaddy.com/; privacy policy: https://www.snapaddy.com/de/privacy-security-hub/datenschutz.html.
- Unbounce Marketing Solutions Inc.: Web hosting and landing pages; service provider: Unbounce, 400-401 West Georgia St., Vancouver, BC, Canada, V6B 5A1; website: https://unbounce.com/; privacy policy: https://unbounce.com/privacy/.
Changes and updates to the Privacy Policy
Please review the content of our Privacy Policy regularly. We update the Privacy Policy as needed in order to account for changes to data processing we perform. We notify you whenever these changes require action on your part (e.g. consent) or where any other individual notification is necessary.
Where we provide addresses and contact information for companies in this Privacy Policy, please note that addresses can change over time, and please review the information before contacting them.
Rights of data subjects
As data subjects, you have various rights under the GDPR, particularly on the basis of Art. 15 through 21 GDPR:
- Right to object: You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on point (e) or (f) of Article 6(1) GDPR, including profiling based on those provisions. Where personal data concerning you is processed for direct marketing processes, you have the right to object at any time to the processing of personal data concerning you for the purposes of such marketing; this also applies to profiling where it is connected to such direct marketing.
- Right to withdraw consent: You have the right to withdraw your consent at any time.
- Right of access: You have the right to obtain confirmation as to whether or not personal data concerning you is being processed and, where that is the case, access to the personal data as well as further information and a copy of the data according to the statutory provisions.
- Right to rectification: According to the statutory provisions, you have the right to request the completion of data concerning you or rectification of inaccurate data concerning you.
- Right to erasure and restriction of processing: As defined by the statutory provisions, you have the right to obtain the erasure of data concerning you without undue delay, and/or alternatively to request restriction of processing of such data as defined by the statutory provisions.
- Right to data portability: You have the right to receive the relevant data, which you provided to us, in a structured, commonly used and machine-readable format and the right to request that it be transmitted to another controller, as defined by the statutory provisions.
- Lodging a complaint with a supervisory authority: According to the statutory provisions and without prejudice to any other administrative or judicial remedy, you also have the right to lodge a complaint with a supervisory authority, in particular a supervisory authority in the member state of your habitual place of residence, place of work, or place of the alleged infringement if you consider that the processing of personal data concerning you infringes the GDPR.
Responsible supervisory authority:
Bayerisches Landesamt für Datenschutzaufsicht
Promenade 18
91522 Ansbach
Mailing address:
Postfach 1349, 91504 Ansbach
Phone: 0981/180093-0
Email: poststelle@lda.bayern.de
Website: https://www.lda.bayern.de
Definitions
This section provides an overview of the terms used in this Privacy Policy. Many of the terms come from the law, and most are defined in Art. 4 GDPR. The statutory definitions are binding. The following explanations, by contrast, are intended primarily for improved understanding. The terms are sorted alphabetically.
- Controller: “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
- Personal data: “Personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. a cookie) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- Processing: “Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means. This is a broad term that includes almost every transaction involving data, from collection and analysis to storage, transfer, and erasure.
- Profiles with user-related information: The processing of “profiles with user-related information,” or “profiles” for short, includes all types of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person (depending on the type of profile, this can include a range of information regarding demographics, behavior and interests, such as interactions with web pages and their content, etc.), in particular to analyze, evaluate or make predictions (e.g. about interest in certain content or products, click behavior on a web page, or location). Cookies and web beacons are often used for profiling purposes.
- Reach measurement: Reach measurement (also known as web analytics) is used to analyze visitor flows to an online offering, and it can include visitors’ behavior or interest in certain information, such as website content. Reach measurement allows website owners to determine, for example, when visitors access their website and what content interests them. That allows them to better adapt the website content to their visitors’ needs, for instance. Pseudonymous cookies and web beacons are often used for the purposes of web analytics, to recognize returning visitors, and to obtain more precise analyses about how an online offering is used.