Privacy Policy

Version: November 22, 2022

Contents

Overview of processing

The following overview summarizes the data that is processed and the purposes of the processing, and defines the data subjects.

Relevant legal bases

The following provides you with an overview of the legal bases defined by the GDPR, which we use as a basis for processing personal data. Please note that in addition to the provisions of the GDPR, national data protection regulations may apply in your and/or our country of residence or business. Furthermore, if more specific legal bases are relevant in individual cases, we shall inform you of these in the Privacy Policy. 

• Consent (Art. 6 (1 ) p. 1 lit. a. GDPR) – The data subject has provided consent for the processing of personal data concerning him or her for one or more specific purposes.
• Performance of a contract and pre-contractual inquiries (Art. 6(1) p. 1 lit. b. GDPR) – Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
• Legal obligation (Art. 6 (1) p. 1 lit. c. GDPR) – Processing is necessary for compliance with a legal obligation to which the controller is subject.
• Legitimate interests (Art. 6(1) p. 1 lit. f. GDPR) – Processing is necessary to protect the legitimate interests of the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require personal data to be protected.
• Application process as a pre-contractual and/or contractual relationship (Art. 9(2) lit. b GDPR) – Where special categories of personal data in the sense of Art. 9(1) GDPR are requested from applicants in the context of an application process (e.g. health data, such as severely handicapped status, or ethnic origin) so that the controller or the data subject can exercise his or her rights arising from labor law and social security law and social protections, and fulfill his or her duties in this regard, this data shall be processed pursuant to Art. 9(2) lit. b. GDPR in the event that vital interests of the applicants or other persons are protected pursuant to Art. 9(2) lit. c. GDPR or for the purposes of preventative or occupational medicine, for the assessment of the employee’s working capacity, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services pursuant to Art. 9(2) lit. h. GDPR. In the event that special categories of data are provided on the basis of voluntary consent, this data shall be processed on the basis of Art. 9(2) lit. a. GDPR.

In addition to the data protection rules in the General Data Protection Regulations, national regulations on data protection also apply in Germany. In particular, this includes the law protecting people from the misuse of personal data during data processing (Federal Data Protection Act, BDSG). In particular, the BDSG includes special provisions on the right to information, the right to erasure, and the right to object; on the processing of special categories of personal data, on processing for other purposes, and on data transfer as well as automated decision-making in individual cases, including profiling. It further regulates data processing for the purposes of the employment contract (§ 26 BDSG), particularly with regard to establishing, executing, and terminating employment contracts as well as employee consent. Furthermore, state data protection laws may apply in the individual federal states.

Security measures

As required by law, with consideration for the state of the art, implementation costs, and the type, scope, circumstances, and purposes of the processing as well as the differing likelihood of occurrence and the scope of threats to the rights and freedoms of natural persons, we take suitable technical and organizational measures to ensure a level of protection commensurate with this risk.

In particular, these measures include ensuring the confidentiality, integrity, and availability of data by controlling physical and electronic access to the data as well as its editing access, input, sharing, ensuring availability, and separation. Furthermore, we have established processes that ensure the exercise of data subjects’ rights, the erasure of data, and responses to threats against data. We also consider the protection of personal data when developing and/or choosing hardware, software, and procedures according to the principle of data protection, through technology engineering, and through data-protection-friendly default settings.

Shortening the IP address: Where IP addresses are processed by us or by the chosen service providers and technologies, and where it is not necessary to process a complete IP address, the IP address is shortened (also known as “IP masking”). In this process, the last two digits and/or the last part of the IP address after a period are removed or replaced with a placeholder. Shortening the IP address helps prevent, or significantly complicates, the identification of a person using his or her IP address. 

SSL encryption (https): We use SSL encryption to protect your data that is transferred via our online offering. You can identify encrypted connections by the prefix https:// in the address line of your browser.

Transfer of personal data

In the context of our processing of personal data, it may be that the data is transferred or disclosed to other entities, companies, or legally independent organizational units or persons. Recipients of this data can include, for instance, service providers contracted to perform IT tasks and providers of services and content integrated into a website. In this case, we consider the statutory requirements and in particular conclude corresponding contracts and/or agreements with the recipients of your data in order to protect your data.

Data transmission within the organization: We can transfer personal data to other offices within our organization or grant them access to this data. Where this transfer occurs for administrative purposes, the data sharing takes place on the basis of our legitimate entrepreneurial and business interests or where necessary to fulfill our contractual duties, or where consent has been obtained from the data subjects or legal permission has been granted.

Data processing in third countries

Where we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or where the processing occurs in the context of using third-party services or disclosing and/or transferring data to other persons, entities, or companies, this shall occur only in compliance with the statutory requirements.

Subject to explicit consent or a contractually or legally required transfer, we only process the data or have it processed in third countries that have a recognized level of data protection, a contractual obligation through standard data protection clauses from the EU Commission, certifications, or binding internal data protection regulations (Art. 44 through 49 GDPR, information page of the EU Commission: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection_de).

Erasure of data

The data we process is erased as required by law as soon as the consent granted for processing is withdrawn or other permission lapses (e.g. if the purpose of processing this data no longer applies, or the data is no longer needed for this purpose).

Where the data is not erased because it is needed for other, legally permissible purposes, its processing is restricted to these purposes. In other words, the data is blocked and cannot be processed for other purposes. This applies, for instance, to data that must be kept according to commercial or tax law, or that must be saved in order to assert, exercise, or defend legal claims or to protect the rights of another natural or legal person.

In the context of our Privacy Policy, we can provide users with additional information about the erasure and storage of data that applies specifically to the respective type of processing.

Use of cookies

Cookies are small text files or other storage notes that save information on end devices and read information from these end devices, for instance to save the login status of a user account, the contents of a shopping cart in an online shop, the content retrieved from or features used on a website. Cookies can also be used for various purposes, e.g. for the functionality, security, and convenience of online offerings and for creating analyses of user flows.

About consent: We use cookies in compliance with the statutory requirements. Thus we obtain consent from the users in advance, except where this is not required by law. In particular, consent is not required where storage and retrieval of the information, including by cookies, is urgently necessary in order to provide users with a telemedia service (in other words, our online offering) that they explicitly wish to access. This revocable consent is communicated clearly to the users and includes information about cookie placement in each case.

About the legal basis for data protection: The legal basis for data protection that we use in processing the users’ personal data with the help of cookies depends on whether we ask the users to provide consent. If the users consent, the legal basis for processing their data is their declaration of consent. Otherwise, the data processed with the help of cookies is processed on the basis of our legitimate interests (e.g. the economical operation of our online offering and improving its usability) or, where this occurs in the context of fulfilling our contractual duties, where the use of cookies is necessary in order to fulfill our contractual duties. We explain the purposes for which we use cookies in the course of this Privacy Policy and when we obtain declarations of consent and perform the processing.

Storage length: The following types of cookies are differentiated by the length of storage:

• Temporary cookies (also known as session cookies): Temporary cookies are erased at the latest when a user has left an online offering and has closed his or her end device (e.g. the browser or mobile application).
• Permanent cookies: Permanent cookies are stored even after the end device is closed. For instance, login status can be saved or preferred content can be displayed immediately the next time the user visits the website. User data collected with the help of cookies can also be used to measure reach. Unless we provide users with explicit information about the type and storage length of cookies (e.g. while obtaining the declaration of consent), users should assume that cookies are permanent and have a storage length of up to two years.
• General information about withdrawing consent and lodging an objection (opting-out): Users can withdraw their consent at any time and can also opt-out of processing according to the statutory provisions in Art. 21 GDPR (more information about objections will be provided in this Privacy Policy). Users can also opt-out by adjusting their browser settings.

More information about processing methods, procedures, and services:

• Processing of cookie data on the basis of consent: We use a cookie consent management procedure in which users’ consent is obtained for the use of cookies and/or for the processing and providers named in the context of the cookie consent management procedure; this consent can also be managed and withdrawn by the users. The declaration of consent is saved so it does not need to be requested again and so consent can be proven as required by law. It can be stored by the server and/or in a cookie (known as an opt-in cookie) and/or using comparable technologies in order to assign the consent to a user or to his or her device. Subject to specific information about the providers of cookie management services, the following applies: Declarations of consent can be stored for up to two years. A pseudonymous user identifier is created and saved along with the time of consent, information about the scope of the consent (e.g. categories of cookies and/or service providers), and the browser, system, and utilized end device.

Plugins, embedded functions, and content

In our online offering, we integrate functional and content elements that are taken from the servers of their respective providers (hereinafter known as “third-party providers”). For instance, these can be graphics, videos, or city maps (hereinafter uniformly known as “content”).
Such integration always requires the third-party providers of this content to process the user’s IP address, since they cannot send the content to the user’s browser without an IP address. Thus the IP address is necessary in order to display this content or these functions. We strive to use only content for which the respective provider exclusively uses the IP address to deliver the content. Third-party providers can also use pixel tags (invisible graphics, also known as “web beacons”) for statistical or marketing purposes. The pixel tags can be used to analyze information such as visitor traffic on the pages of this website. This pseudonymous information can also be saved in cookies on the user’s device. Among other things, it can contain technical information about the browser and the operating system, about referring websites, and about the length of the visit and other information regarding the use of our online offering, and it can be combined with information from other sources.

• Types of data processed: Usage data (e.g. websites visited, interest in content, access times); meta/communication data (e.g. device information, IP addresses); location data (information about the geographic position of a device or a person).
• Data subjects: users (e.g. website visitors, users of online services).
• Purposes of the processing: Providing our online offering and making it user-friendly; providing contractual services and customer service.
• Legal basis: Legitimate interests (Art. 6(1) p. 1 lit. f) GDPR).

More information about processing methods, procedures, and services:

Business services

We process data from our contractual and business partners, e.g. customers and potential customers (together jointly described as (“Contractual Partners”), in the context of contractual and comparable legal relationships as well as the associated measures, and in the context of communications with the Contractual Partners (or prior to the contract), e.g. in order to respond to inquiries.

We process this data in order to fulfill our contractual duties. In particular, this includes the duty to provide the agreed services, any duties to provide updates, and the duty to assist during warranty issues or other interruptions in performance. Furthermore, we process the data in order to protect our rights and for the purposes of the administrative tasks associated with these duties and for company organization. We also process the data on the basis of our legitimate interest in ensuring proper, economical business management as well as security measures to protect our Contractual Partners and our business operations from misuse, threats to their data, secrets, information, and rights (e.g. to participate in telecommunications, transport, and other ancillary services as well as sub-contractors, banks, tax and legal advisors, payment service providers, or tax authorities). Within the scope of applicable law, we share Contractual Partners’ data with third parties only where this is necessary for the abovementioned purposes or to fulfill statutory duties. This Privacy Policy provides information to the Contractual Partners about other forms of processing, e.g. for marketing purposes. 

We inform the Contractual Partners about which data is necessary for the abovementioned purposes either before or in the course of data collection, e.g. in online forms, through special markings (e.g. colors) and/or symbols (e.g. asterisks, etc.), or in person.

We erase the data after the end of statutory warranty periods and comparable duties, i.e. at the latest after 4 years unless the data is stored in a customer account, e.g. as long as it must be retained for statutory archiving reasons (e.g. for tax purposes, generally 10 years). Data that is disclosed to us in the context of an order from the Contractual Partner is erased by us according to the requirements of the order, at the latest after the end of the order.

Where we use third-party providers or platforms to provide our services, the terms and conditions and privacy policies of the respective third-party providers or platforms shall apply to the relationship between the users and the providers.

Consulting

We process data from our clients, prospective customers, and other customers or contractual partners (jointly referred to as “Clients”) in order to provide them with our consulting services. The processed data and the type, scope, purpose, and necessity of its processing are determined according to the underlying contractual and client relationship.

Where necessary for our contract fulfillment, to protect vital interests, or as required by law, and/or where consent has been provided by the Clients, we disclose or transfer the Clients’ data to third parties or representatives, e.g. public agencies or subcontractors, and for IT, office-related or comparable services.

Events

We process data concerning participants at the events and similar activities that we offer or organize (hereinafter known jointly as “Participants” and “Events”) in order to allow them to participate in the Events and access the services or actions associated with their participation.

In this context, where we process health-related data or religious, political, or other special categories of data, this takes place within the scope of public knowledge (e.g. for thematically focused events or where data is used for preventative medicine, for security, or with the data subject’s consent).

Required information is characterized as such in the course of concluding the order or a comparable contract, and it includes the information necessary for performing the service and issuing invoices as well as contact information for any follow-up questions. Where we obtain access to information concerning the end customer, employees, or other persons, we process this in compliance with the statutory and contractual requirements.

• Types of data processed: Inventory data (e.g. names, addresses); payment data (e.g. banking details, invoices, payment history); contact information (e.g. email, phone numbers); contract data (e.g. subject of the contract, duration, customer category); applicant data (e.g. information about the person, mailing and contact addresses, materials that are part of the application and the information they contain, such as cover letter, CV, letters of reference as well as other information regarding a specific job or information provided voluntarily by applicants concerning their person and qualifications).
• Data subjects: Potential customers; business partners and contractual partners; applicants; customers.
• Purposes of the processing: Providing contractual services and customer service; contact requests and communications; office and organizational processes; managing and responding to inquiries.
• Legal basis: Performance of a contract and pre-contractual inquiries (Art. 6(1) p. 1 lit. b. GDPR); legal obligation (Art. 6(1) p. 1 lit. c. GDPR); legitimate interests (Art. 6(1) p. 1 lit. f. GDPR).

Blogs and publication media

We use blogs and comparable online communication media and publications (hereinafter “Publication Medium”). For the purposes of the Publication Medium, the readers’ data is processed only to the extent necessary to display it and to enable communications between authors and readers, or for security reasons. For the rest, please see the information on processing data concerning visitors to our Publication Medium, as provided in this Privacy Policy.

• Types of data processed: Inventory data (e.g. names, addresses); contact information (e.g. email, phone numbers); content data (e.g. information entered in online forms); usage data (e.g. websites visited, interest in content, access times); metadata/communication data (e.g. device information, IP addresses); contract data (e.g. subject of the contract, term, customer category).
• Data subjects: Users (e.g. website visitors, users of online services).
• Purposes of the processing: Providing contractual services and customer service; feedback (e.g. gathering feedback via an online form); making our online offering available and user-friendly; contact requests and communications; managing and responding to inquiries; security measures.

Legal basis: Performance of a contract and pre-contractual inquiries (Art. 6(1) p. 1 lit. b. GDPR); legitimate interests (Art. 6(1) p. 1 lit. f. GDPR); consent (Art. 6(1) p. 1 lit. a. GDPR).

More information about processing methods, procedures, and services:

• Comments and posts: If users leave comments or make other posts, their IP addresses can be saved on the basis of our legitimate interests. This is done for the sake of our security in case someone enters illegal content in comments or posts (insults, prohibited political propaganda, etc.). In this case, we can be prosecuted for the comment or post, so we are interested in the identity of the author. Furthermore, on the basis of our legitimate interests, we reserve the right to process the user’s information for the purpose of identifying spam. On the same legal basis, we reserve the right to save users’ IP addresses for the duration of a survey and to use cookies to prevent multiple responses. Information concerning the person, any contact or website information, and content-related information shared in the context of the comments and posts shall be saved permanently by us until the user objects to this.
• Comment subscriptions: Users can subscribe to comment responses by providing their consent. Users receive a confirmation email to determine whether they are the owner of the provided email address. Users can cancel ongoing comment subscriptions at any time. The confirmation email provides information about cancellation options. For the purpose of proving users’ consent, we save the sign-up time along with the user’s IP address and erase this information when users cancel the subscription. You can choose to stop receiving our subscription at any time, e.g. by withdrawing your consent. We can save the provided email addresses for up to three years on the basis of our legitimate interests before we erase them, for the purpose of proving that consent was previously provided. Processing of this data is restricted to the purpose of a defense against potential claims. It is possible to request individual erasure at any time as long as confirmation is simultaneously provided that consent previously existed.
• Retrieval of WordPress emojis and smileys: Retrieval of WordPress emojis and smileys – our WordPress blog, for the purpose of efficiently integrating content elements, uses graphical emojis (or smileys) – or small graphics files that express emotions – that are obtained from external servers. The providers of these servers collect users’ IP addresses. This is necessary in order to transfer the emoji files to the users’ browsers; service provider: Automattic Inc., 60 29th Street #343, San Francisco, CA 94110, USA; website: https://automattic.com; privacy policy: https://automattic.com/privacy.
• Profile pictures from Gravatar: Profile pictures – we use the Gravatar service within our online offering and particularly in the blog. Gravatar is a service that allows users to log in and save their profile pictures and email addresses. When a user utilizes the respective email address to leave posts or comments on other online presences (especially on blogs), his or her profile picture can be displayed alongside the posts or comments. To this end, the email address provided by the user is transferred to Gravatar in encrypted form in order to check whether a profile has been saved under this address. This is the only purpose for which the email address is transferred. It is not used for any other purpose, but is erased afterward. The use of Gravatar is based on our legitimate interests because we use Gravatar to give the post and comment authors the option of personalizing their posts with a profile picture. When the pictures are displayed, Gravatar learns the users’ IP addresses, since this is necessary for communications between a browser and an online service. If users do not want a user image associated with their email address with Gravatar to appear in the comments, they should use an email address that is not saved with Gravatar when posting comments. Please also note that it is possible to use an anonymous email address or none at all if users do not want their own email address to be sent to Gravatar. Users can prevent data from being transferred entirely by not using our commenting system; service provider: Automattic Inc., 60 29th Street #343, San Francisco, CA 94110, USA; website: https://automattic.com; privacy policy: https://automattic.com/privacy.

Community features

The community features that we provide allow users to enter into conversation or other types of exchanges with one another. Please note that use of the community features is permitted only with consideration for the applicable legal situation, our terms and conditions and guidelines, and the rights of other users and third parties.

• Types of data processed: Usage data (e.g. websites visited, interest in content, access times); metadata/communication data (e.g. device information, IP addresses).
• Data subjects: Users (e.g. website visitors, users of online services).
• Purposes of the processing: providing contractual services and customer service; security measures.
• Legal basis: Performance of a contract and pre-contractual inquiries (Art. 6(1) p. 1 lit. b) GDPR).

More information about processing methods, procedures and services:

Single sign-on

“Single sign-on” or “single sign-on authentication” means processes that allow users to register with a provider of single sign-on processes (e.g. a social network), including our online offering, via a user account. Single sign-on authentication requires users to be registered with the respective single sign-on provider and to confirm the single sign-on by clicking on a button.

Authentication takes place directly through the respective single sign-on provider. During this authentication, we receive a user ID notifying us that the user under this user ID is logged in with the respective single sign-on provider, along with an ID that we cannot use for any other purposes (“user handle”). Whether or not additional data is transferred to us depends solely on the implemented single sign-on process, the selected data sharing in the context of authentication, and which data the users chose to share in the single sign-on provider’s privacy or other settings. Depending on the single sign-on provider and the user’s selections, this data can vary. As a rule, it is the email address and user name. The password entered with the single sign-on provider during the single sign-on process cannot be viewed by us, nor do we save it. Users are asked to please note that their information saved with us can automatically be compared to their user account with the single sign-on provider; however, this is not always possible and does not always take place. For instance, if users’ email addresses change, they must manually update them in their user account with us.

Where agreed with the users, we can implement the process single sign-on during or after performance of the contract as long as users are consulted; we can process it within the context of a declaration of consent, and otherwise shall use it on the basis of legitimate interests on our part and the users’ interests in ensuring an effective, secure login system.

If users decide at any point that they no longer wish to use the connection to their user account with the single sign-on provider for the single sign-on process, they must block this connection inside their user account with the single sign-on provider. If users wish to erase their data with us, they must cancel their registration with us.

• Types of data processed: Inventory data (e.g. names, addresses); contact information (e.g. email, phone numbers); usage data (e.g. websites visited, interest in content, access times); metadata/communication data (e.g. device information, IP addresses).
• Data subjects: Users (e.g. website visitors, users of online services).
• Purposes of the processing: Providing contractual services and customer service; security measures; sign-in processes.
• Legal basis: Legitimate interests (Art. 6(1) p. 1 lit. f) GDPR).

More information about processing methods, procedures and services:

Contact and inquiry management

When you contact us (e.g. using the contact form, email, phone, or via social media), as well as within the context of existing user and business relationships, information concerning the inquirer is processed to the extent necessary to respond to contact requests and any requested measures.

We respond to contact requests, and manage contact and inquiry data, in the context of contractual and pre-contractual relationships in order to fulfill our contractual duties or to respond to (pre-)contractual inquiries, as well as on the basis of our legitimate interest in responding to inquiries and maintaining user and/or business relationships. 

• Types of data processed: Inventory data (e.g. names, addresses); contact information (e.g. email, phone numbers); content data (e.g. information entered in online forms).
• Data subjects: Communication partners.
• Purposes of the processing: Contact requests and communications; providing contractual services and customer service.
• Legal basis: Performance of a contract and pre-contractual inquiries (Art. 6(1) p. 1 lit. b. GDPR); legitimate interests (Art. 6(1) p. 1 lit. f. GDPR); legal obligation (Art. 6(1) p. 1 lit. c. GDPR).

More information about processing methods, procedures, and services:

• Contact form: When users contact us via our contact form, email, or other communication methods, we process the data shared with us in this connection in order to handle the communicated request. For this purpose, we process personal data in the context of pre-contractual and contractual business relationships where this is necessary for their performance, as well as on the basis of our legitimate interests, the communication partners’ interest in obtaining a response to the inquiries, and our statutory retention obligations.

Event follow-up

We process personal data for the purposes of following up on events; this can take place through various channels, such as email, phone, mail, or fax, according to the statutory requirements.

Recipients have the right to withdraw their granted consent at any time or to opt-out of marketing communications at any time.

Following such withdrawal and/or opting-out by the recipient, we can save the data necessary to prove consent for up to three years on the basis of our legitimate interests before we erase it. Processing of this data is restricted to the purpose of a defense against potential claims. An individual erasure request can be made at any time as long as the previous declaration of consent is simultaneously confirmed. 

• Types of data processed: Inventory data (e.g. names, addresses); contact information (e.g. email, phone numbers); content data (e.g. information entered in online forms); usage data (e.g. websites visited, interest in content, access times); metadata/communication data (e.g. device information, IP addresses).
• Data subjects: Event participants.
• Purposes of the processing: Direct marketing, contact requests, and communications; providing contractual services and customer service, managing and responding to inquiries.
• Legal basis: Performance of a contract and pre-contractual inquiries (Art. 6(1) p. 1 lit. b. GDPR); consent (Art. 6(1) p. 1 lit. a. GDPR); legitimate interests (Art. 6(1) p. 1 lit. f. GDPR); legal obligation (Art. 6(1) p. 1 lit. c. GDPR).

More information about processing methods, procedures and services:

• Communications: When users contact us on site or via the provided communication options (like chats or email), we process the data shared with us in this connection in order to handle the communicated request. For this purpose, we process personal data in the context of pre-contractual and contractual business relationships where this is necessary for their performance, as well as on the basis of our legitimate interests and the communication partners’ interest in obtaining a response to the inquiries, providing information about direct marketing, and our statutory retention obligations.

Communication via Messenger

We use Messenger for communication purposes and ask that you please read the following information about the functionalities of Messenger, encryption, the use of communication metadata, and your opt-out options. 

You can also contact us by alternative means, e.g. via phone or email. Please use the specified contact methods or the contact methods indicated in our online offering.

In the case of end-to-end encryption of content (e.g. the content of your message and attachments), please note that the communication content (e.g. the content of the message and any attached images) will be encrypted end-to-end. That means the content of the messages cannot be viewed, not even by the Messenger providers. You should always use an updated version of Messenger with encryption enabled to ensure that the content of your messages is encrypted.

However, we also hereby inform our communication partners that while the providers of Messenger do not review the content, they can learn whether and when communication partners communicate with us as well as obtaining technical information about the communication partner’s implemented device; in addition, depending on your device settings, location information (metadata) may also be processed.

About the legal basis: Where we ask communication partners for permission before communicating with them via Messenger, their consent forms the legal basis for our processing of their data. For the rest, if we do not request agreement and you contact us voluntarily, for instance, we use Messenger as a contractual measure in the relationship with our contractual partners and in the context of contract initiation; for other potential customers and communication partners, we use it on the basis of our legitimate interest in fast, efficient communication and in meeting our communication partners’ needs to communicate via Messenger. Please also note that we do not initially provide Messenger with your contact information unless you grant us permission to do so.  

Withdrawal, opt-out, and erasure: You can withdraw your granted consent at any time and opt-out of communicating with us via Messenger at any time. In the case of communication via Messenger, we shall erase messages according to our general erasure guidelines (e.g., for instance, as described above, after the end of a contractual relationship, in the context of archiving requirements, etc.); otherwise, we shall do so as soon as we can safely assume all inquiries from the communication partner have been answered, where we do not expect anyone to refer back to a previous conversation, and where there are no statutory retention obligations that oppose their erasure.

Reservation of the right to suggest other communication methods: Finally, we would like to note that for the sake of your security, we reserve the right not to respond to inquiries via Messenger. This is the case, for instance, where the contract content requires special confidentiality or where responding via Messenger does not fulfill the formal requirements. In such cases, we shall suggest more appropriate communication methods for you.

• Types of data processed: Contact information (e.g. email, phone numbers); usage data (e.g. websites visited, interest in content, access times); metadata/communication data (e.g. device information, IP addresses); content data (e.g. information entered in online forms).
• Data subjects: Communication partners.
• Purposes of the processing: Contact requests and communications; direct marketing (e.g. by email or mail).
• Legal basis: Consent (Art. 6(1) p. 1 lit. a. GDPR); legitimate interests (Art. 6(1) p. 1 lit. f. GDPR).

More information about processing methods, procedures and services:

• Facebook Messenger: Facebook Messenger with end-to-end encryption (end-to-end encryption from Facebook Messenger must be enabled if it is not enabled by default); service provider: Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland; website: https://www.facebook.com; privacy policy: https://www.facebook.com/about/privacy; standard contractual clauses (guaranteeing the same level of data protection for processing in third countries): https://www.facebook.com/legal/EU_data_transfer_addendum; data processing contract: https://www.facebook.com/legal/terms/dataprocessing.
• Slack: Instant messaging service; service provider: Slack Technologies, Inc., 500 Howard Street, San Francisco, CA 94105, USA; website: https://slack.com/intl/de-de/; privacy policy: https://slack.com/intl/de-de/legal; standard contractual clauses (guaranteeing the same level of data protection for processing in third countries): https://slack.com/intl/de-de/terms-of-service/data-processing; data processing contract: https://slack.com/intl/de-de/terms-of-service/data-processing; more information: security measures: https://slack.com/intl/de-de/security-practices.
• Twitter: Social network; service provider: Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2 D02 AX07, Ireland, parent company: Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA; privacy policy: https://twitter.com/privacy, (settings: https://twitter.com/personalization).

Videoconferences, online meetings, webinars, and screen sharing

We use platforms and applications from other providers (hereinafter known as “Conference Platforms”) for the purpose of holding video and audio conferences, webinars, and other types of video and audio meetings (hereinafter jointly known as a “Conference”). We take the statutory requirements into consideration when choosing the conference platforms and their services. 

Data processed by Conference Platforms: In the context of their participation in a Conference, the Conference Platforms process the following personal data concerning the participants. The scope of processing depends in part on which data is required in the context of a specific Conference (e.g. login data or real names), as well as on the optional information provided by participants. In addition to the processing required to hold the Conference, participant data can also be processed by the Conference Platforms for security purposes or for service optimization. The processed data includes personal data (first and last name), contact information (email address, phone number), login data (access codes or passwords), profile pictures, information about the professional position/function, IP address of the internet connection, information about participants’ end devices and their technical and language settings, information about the content of communications, e.g. entries made in chats as well as audio and video data, as well as the use of other available features (e.g. surveys). Communication content shall be encrypted to the extent technically available through the Conference provider. If participants are registered as users with the Conference Platforms, additional data can be processed according to the agreement with the respective Conference provider. 

Logging and recording: Where text entries, participation results (e.g. from surveys), and video or audio recordings are logged, this shall be transparently reported to the participants in advance; where necessary, they shall be asked to agree to this.

Data protection measures for participants: For more details about how your data is processed by the Conference Platforms, please read their privacy policies and use the settings on the Conference Platforms to choose the best security and data protection settings for your needs. Please also ensure data and privacy protection in the background of your recording for the duration of a videoconference (e.g. by notifying your roommates, closing doors, and, where technically possible, using the background blurring feature). Links to the conference rooms and login data shall not be shared with unauthorized third parties.

About the legal basis: Where we also process user data alongside the Conference Platforms, and ask users for their consent to use the Conference Platforms or certain features (e.g. agreeing to allow recording of Conferences), the legal basis for processing is this consent. Furthermore, our processing may be necessary for the performance of our contractual duties (e.g. participant lists, in the case of processing meeting results, etc.). For the rest, user data shall be processed on the basis of our legitimate interest in efficient and secure communication with our communication partners. 

• Types of data processed: Inventory data (e.g. names, addresses); contact information (e.g. email, phone numbers); content data (e.g. information entered in online forms); usage data (e.g. websites visited, interest in content, access times); metadata/communication data (e.g. device information, IP addresses).
• Data subjects: Communication partners; users (e.g. website visitors, users of online services).
• Purposes of the processing: Providing contractual services and customer service; contact requests and communications; office and organizational processes.
• Legal basis: Consent (Art. 6(1) p. 1 lit. a. GDPR); contract fulfillment and pre-contractual inquiries (Art. 6(1) p. 1 lit. b. GDPR); legitimate interests (Art. 6(1) p. 1 lit. f. GDPR).

More information about processing methods, procedures and services:

Cloud services

We use internet-accessible software services that are run on their providers’ servers (referred to as “Cloud Services,” also known as “Software as a Service”) for the following purposes: saving and administering documents; managing calendars; sending emails; performing spreadsheet analysis and creating presentations; sharing documents, content, and information with certain recipients; or publishing websites, forms, or other content and information as well as chats and participation in audio and videoconferences. 

In this context, personal data can be processed and saved on the providers’ servers as long as this data is part of communications with us or is otherwise processed by us as described in this Privacy Policy. In particular, this data can include inventory data and contact information for users, data about transactions, contracts, other processes and their content. The providers of Cloud Services also process usage data and metadata, which they use for security purposes and for service optimization. 

Where we use the Cloud Services to provide forms or the abovementioned documents and content for other users or publicly accessible websites, the providers can place cookies on users’ devices for the purposes of web analysis or in order to remember user settings (e.g. in the case of media control).

About the legal basis: Where we ask for your consent to use the Cloud Services, the legal basis for processing is this consent. Furthermore, their use can be part of our (pre-)contractual services where the use of Cloud Services was agreed in this context. Otherwise, the user data is processed on the basis of our legitimate interests (e.g. our interest in efficient and secure administration and collaboration processes).

• Types of data processed: Inventory data (e.g. names, addresses); contact information (e.g. email, phone numbers); content data (e.g. information entered in online forms); usage data (e.g. websites visited, interest in content, access times); metadata/communication data (e.g. device information, IP addresses).
• Data subjects: Customers; employees (e.g. staff, applicants, former employees); potential customers; communication partners.
• Purposes of the processing: Office and organizational processes.
• Legal basis: Consent (Art. 6(1) p. 1 lit. a. GDPR); contract fulfillment and pre-contractual inquiries (Art. 6(1) p. 1 lit. b. GDPR); legitimate interests (Art. 6(1) p. 1 lit. f. GDPR).

More information about processing methods, procedures and services:

Newsletters and electronic notifications

We send newsletters, emails, and other electronic notifications (hereinafter “Newsletters”) only with consent from the recipients or with legal permission. Where the content of a Newsletter is specifically described as part of the subscription process, this is definitive for the users’ consent. For the rest, our Newsletters contain information about our services and about us.

To subscribe to our Newsletters, it is fundamentally sufficient for you to provide your email address. However, we may ask you to provide a name for the purpose of addressing you personally in the Newsletter, or additional information as necessary for the purposes of the Newsletter.

Double opt-in process: Subscribing to our Newsletter fundamentally involves a double opt-in process. In other words, after subscribing, you will receive an email asking you to confirm your subscription. This confirmation is necessary to ensure that no one can subscribe using someone else’s email address. Newsletter subscriptions are recorded in order to provide proof of the subscription process in compliance with the legal requirements. That includes saving the subscription and confirmation times as well as the IP address. Any changes to your data saved with the delivery service provider shall also be recorded.

Erasure and restriction of processing: We can save the provided email addresses for up to three years on the basis of our legitimate interests before erasing them, in order to provide proof of prior consent. Processing of this data is restricted to the purpose of a defense against potential claims. An individual erasure request can be made at any time as long as the prior existence of consent is simultaneously confirmed. In the event of a duty to permanently observe objections, we reserve the right to save the email address in a “blocklist” solely for this purpose.

The subscription process is recorded on the basis of our legitimate interest in proving its proper execution. Where we hire a service provider to send out emails, this occurs on the basis of our legitimate interest in an efficient, secure delivery system.

About the legal basis: The Newsletter is sent out on the basis of consent from the recipients or, where consent is not required, on the basis of our legitimate interest in direct marketing if and to the extent that this is legally permissible, e.g. in the case of marketing to existing customers. Where we hire a service provider to send out emails, this occurs on the basis of our legitimate interest in an efficient, secure delivery system. The subscription process is recorded on the basis of our legitimate interest, to prove that it was executed in compliance with the law.

Information about us, our services, promotions, and offers.

Types of data processed: Inventory data (e.g. names, addresses); contact information (e.g. email, phone numbers); metadata/communication data (e.g. device information, IP addresses); usage data (e.g. websites visited, interest in content, access times).

Data subjects: Communication partners; users (e.g. website visitors, users of online services).

Purposes of the processing: Direct marketing (e.g. by email or mail); providing contractual services and customer service.

Legal basis: Consent (Art. 6(1) p. 1 lit. a. GDPR); legitimate interests (Art. 6(1) p. 1 lit. f. GDPR).

Opt-out option: You can cancel our Newsletter at any time, in other words withdraw your consent or opt-out of receiving it. You can either find a cancellation link for the Newsletter at the end of each Newsletter, or you can use one of the abovementioned contact options, preferably email, to do so.

More information about processing methods, procedures and services:

Marketing communications via email, mail, fax, or phone 

We process personal data for the purposes of marketing communications, which can take place through various channels such as email, phone, mail, or fax, according to the statutory requirements. 

Recipients have the right to withdraw their consent at any time or to opt-out of marketing communications at any time.

Following a withdrawal or opt-out, we can save the data necessary to prove consent for up to three years on the basis of our legitimate interests before we erase it. Processing of this data is restricted to the purpose of a defense against potential claims. An individual erasure request can be made at any time as long as the prior existence of consent is simultaneously confirmed.

• Types of data processed: Inventory data (e.g. names, addresses); contact information (e.g. email, phone numbers).
• Data subjects: Communication partners.
• Purposes of the processing: Direct marketing (e.g. via email or mail).
• Legal basis: Consent (Art. 6(1) p. 1 lit. a. GDPR); legitimate interests (Art. 6(1) p. 1 lit. f. GDPR).

Surveys and questionnaires

The surveys and questionnaires that we carry out (hereinafter “Surveys”) are analyzed anonymously. Processing of personal data occurs only to the extent that this is necessary for the provision and technical performance of the Surveys (e.g. processing the IP address in order to display the Survey in the user’s browser, or using a temporary cookie (session cookie) to continue completing the Survey) or where the users have consented to this.

About the legal basis: Where we ask participants for consent for the processing of their data, this is the legal basis of the processing; otherwise, processing of participant data takes place on the basis of our legitimate interest in performing an objective Survey. 

• Types of data processed: Contact information (e.g. email, phone numbers); content data (e.g. information entered in online forms); usage data (e.g. websites visited, interest in content, access times); metadata/communication data (e.g. device information, IP addresses).
• Data subjects: Communication partners.
• Purposes of the processing: Contact requests and communications; direct marketing (e.g. by email or mail).
• Legal basis: Consent (Art. 6(1) p. 1 lit. a. GDPR); legitimate interests (Art. 6(1) p. 1 lit. f. GDPR).

More information about processing methods, procedures and services:

Web analysis, monitoring, and optimization

Web analysis (also known as “reach measurement”) is used to evaluate visitor flows for our online offering. It can include visitor behavior, interests, or demographic information, e.g. age or gender, expressed as pseudonymous values. With reach measurement, we can determine, for instance, when our online offering or its features and content are most frequently used, or invite visitors to use them again. We can also use it to understand which areas need to be optimized.

In addition to web analysis, we can also use test procedures to test and optimize different versions of our online offering or its components, for example.

Unless otherwise stated below, profiles – in other words data summarized for a usage transaction – can be created, and information can be saved in a browser and/or end device and read out from there. The gathered information particularly includes the websites visited and the elements utilized there, as well as technical information such as the implemented browser and computer system as well as information about usage times. Where users have consented to the collection of their location data by us or by the providers of services that we utilize, location data can also be processed. 

Users’ IP addresses are also saved. However, we use an IP masking process (e.g. pseudonymization, by shortening the IP address) to protect users. In general, no plain data concerning users (e.g. email addresses or real names) that is collected in the context of the web analysis, A/B testing, or optimization is saved; rather, pseudonyms are used. In other words, we and the providers of the implemented software do not know the actual identity of the users, only the information saved in their profiles for the purposes of the respective transaction.

About the legal basis: Where we ask users to consent to the use of third-party providers, the legal basis for processing data is this consent. Otherwise, users’ data shall be processed on the basis of our legitimate interests (e.g. our interest in providing efficient, cost-effective, and recipient-friendly services). In this context, please also note the information about the use of cookies in this Privacy Policy.

• Types of data processed: Usage data (e.g. websites visited, interest in content, access times); metadata/communication data (e.g. device information, IP addresses).
• Data subjects: Users (e.g. website visitors, users of online services).
• Purposes of the processing: Reach measurement (e.g. access statistics, recognizing returning visitors); profiles with user-related information (creating user profiles).
• Security measures: IP masking (pseudonymization of the IP address).
• Legal basis: Consent (Art. 6(1) p. 1 lit. a. GDPR); legitimate interests (Art. 6(1) p. 1 lit. f. GDPR).

More information about processing methods, procedures and services:

Social network presence (social media)

We maintain online presences within social networks and process user data in this context in order to communicate with users who are active in these networks, or to provide them with information about us. 

Please note that user data can be processed outside the European Union in this case. This may produce risks for the users because it could, for instance, make it more difficult for users to exercise their rights. 

Furthermore, as a rule, user data is processed within social networks for market research and marketing purposes. That means usage behavior and the user interests determined from this can be used to create usage profiles, for instance. These usage profiles can in turn be used to display ads inside and outside the networks, for example, that presumably correspond to the users’ interests. As a rule, cookies are saved on users’ computers for this purpose; the cookies record the users’ usage behavior and interests. Furthermore, usage profiles can also save data independently from the devices implemented by users (especially if the users are members of the respective platforms and are logged in to them). 

For a detailed description of the respective processing forms and opt-out options, please also see the privacy policies and information from operators of the respective networks.

In the case of requests for information and for asserting data subjects’ rights, please also note that these can most effectively be asserted with the providers. Only the providers have access to user data in each case and can take corresponding direct measures and provide information. If you nonetheless need further help, you can also contact us.

• Types of data processed: Contact information (e.g. email, phone numbers); content data (e.g. information entered in online forms); usage data (e.g. websites visited, interest in content, access times); metadata/communication data (e.g. device information, IP addresses).
• Data subjects: Users (e.g. website visitors, users of online services).
• Purposes of the processing: Contact requests and communications; feedback (e.g. gathering feedback via an online form); marketing.
• Legal basis: Legitimate interests (Art. 6(1) p. 1 lit. f. GDPR).

More information about processing methods, procedures and services:

Plugins and embedded features as well as content

We integrate features and content elements into our online offering that are obtained from the servers of their respective providers (hereinafter known as “Third-Party Providers”). These can be, for instance, graphics, videos, or city maps (hereinafter jointly known as “Content”). 

Such integration always requires Third-Party Providers of this content to process the IP addresses of users, since they cannot send content to the users’ browsers without an IP address. Thus the IP address is necessary in order to display the content and features. We strive to use only content whose respective provider utilizes the IP address exclusively to deliver the content. Further, Third-Party Providers can use pixel tags (invisible graphics, also known as web beacons) for statistical or marketing purposes. The pixel tags can be used to analyze information such as visitor traffic to the pages of this website. The pseudonymous information can also be saved in cookies on the user’s device; among other things, it can include technical information about the browser and the operating system, about referring web pages, about the time of the visit, and other information about the use of our online offering. It can also be associated with such information from other sources.

About the legal basis: Where we ask users to consent to the use of Third-Party Providers, the legal basis for processing data is this consent. Otherwise, user data is processed on the basis of our legitimate interests (e.g. our interest in providing efficient, cost-effective, and recipient-friendly services). In this context, please also note the information on the use of cookies in this Privacy Policy. 

• Types of data processed: Usage data (e.g. websites visited, interest in content, access times); metadata/communication data (e.g. device information, IP addresses); inventory data (e.g. names, addresses); contact information (e.g. email, phone numbers); content data (e.g. information entered in online forms).
• Data subjects: Users (e.g. website visitors, users of online services).
• Purposes of the processing: Making our online offering available and user-friendly; providing contractual services and customer service; profiles with user-related information (creating user profiles); feedback (e.g. gathering feedback via an online form).
• Legal basis: Consent (Art. 6(1) p. 1 lit. a. GDPR); contract fulfillment and pre-contractual inquiries (Art. 6(1) p. 1 lit. b. GDPR); legitimate interests (Art. 6(1) p. 1 lit. f. GDPR).

More information about processing methods, procedures, and services:

Management, organization, and auxiliary tools

We use services, platforms, and software from other providers (hereinafter known as “Third-Party Providers”) for the purposes of organizing, administering, planning, and providing our services., We take the statutory requirements into consideration when choosing Third-Party Providers and their services. 

In this context, personal data can be processed and saved on the servers of Third-Party Providers. This can affect a range of data that we process according to this Privacy Policy. In particular, this data can include master data and contact information for users as well as data about transactions, contracts, and other processes and their content. 

Where users are referred to the Third-Party Providers and/or their software or platforms in the context of communications, business relationships or other relationships with us, the Third-Party Providers can process usage data and metadata for security purposes, for service optimization, or for marketing purposes. Therefore please note the privacy policies of the respective Third-Party Providers.

About the legal basis: Where we ask users to consent to the use of Third-Party Providers, the legal basis for processing data is this consent. Further, their use can be part of our (pre-)contractual services where the use of Third-Party Providers has been agreed in this context. Otherwise, user data shall be processed on the basis of our legitimate interests (e.g. our interest in providing efficient, cost-effective, and recipient-friendly services). In this context, please also note the information about the use of cookies in this Privacy Policy.

• Types of data processed: Inventory data (e.g. names, addresses); contact information (e.g. email, phone numbers); content data (e.g. information entered in online forms); usage data (e.g. websites visited, interest in content, access times); metadata/communication data (e.g. device information, IP addresses).
• Data subjects: Communication partners; users (e.g. website visitors, users of online services).
• Purposes of the processing: Office and organizational processes.
• Legal basis: Consent (Art. 6(1) p. 1 lit. a. GDPR); contract fulfillment and pre-contractual inquiries (Art. 6(1) p. 1 lit. b. GDPR); legitimate interests (Art. 6(1) p. 1 lit. f. GDPR).

More information about processing methods, procedures, and services:

Changes and updates to the Privacy Policy

Please review the content of our Privacy Policy regularly. We update the Privacy Policy as needed in order to account for changes to data processing we perform. We notify you whenever these changes require action on your part (e.g. consent) or where any other individual notification is necessary. 

Where we provide addresses and contact information for companies in this Privacy Policy, please note that addresses can change over time, and please review the information before contacting them.

Rights of data subjects

As data subjects, you have various rights under the GDPR, particularly on the basis of Art. 15 through 21 GDPR:

Responsible supervisory authority:

Bayerisches Landesamt für Datenschutzaufsicht
Promenade 18
91522 Ansbach

Mailing address:
Postfach 1349, 91504 Ansbach

Phone: 0981/180093-0

Email: poststelle@lda.bayern.de
Website: https://www.lda.bayern.de

Definitions

This section provides an overview of the terms used in this Privacy Policy. Many of the terms come from the law, and most are defined in Art. 4 GDPR. The statutory definitions are binding. The following explanations, by contrast, are intended primarily for improved understanding. The terms are sorted alphabetically.