DATA PRIVACY STATEMENT

INTRODUCTION

In the following data privacy statement, we would like to explain to you which types of personal data (subsequently shortened and referred to as “data”) we process, for what purposes and to what extent. The data privacy statement applies to all personal data processed by us, both as part of providing our services and especially on our websites, in mobile applications and within external online presences such as our social media profiles (subsequently referred to as “web presence”).

The terms used are not gender-specific.

Dated: 21 June 2021

CONTROLLER

Georg Hagelschuer GmbH & Co. KG
Gewerbestraße 60
48249 Dülmen, Germany

Authorised representatives: Managing Director, Georg Hagelschuer

E-mail address: info@dampfkessel.com.

Telephone: +49 (0) 25 90 / 93 89 5 – 0.

Legal note: https://www.dampfkessel.com/impressum.

OVERVIEW OF PROCESSING

The following overview summarises the types of data processed and the purpose of their processing, and refers to the data subject.

Types of data processed

  • Event data (Facebook) (“Event data” are data that can be transferred by us to Facebook, e.g. via Facebook pixels (via apps or other means) and that relate to people or their actions; these data include information about visits to websites, interactions with content, functions, installing apps, buying products, etc.; the event data are processed for the purpose of forming target groups for content and advertising information (custom audiences); event data do not contain the actual content (such as written comments), any login information or any contact information (i.e. no names, e-mail addresses and telephone numbers). Facebook deletes event data after a maximum of two years and the target groups formed from them are deleted if we delete our Facebook account).
  • Inventory data (e.g. names, addresses).
  • Applicant data (e.g. data regarding the person, postal and contact addresses, the documents belonging to the application and the information contained therein, e.g. cover letter, CV, certificates and other information about their person or qualification with regard to a concrete position or submitted voluntarily by applicants).
  • Content data (e.g. entries in online forms).
  • Contact data (e.g. e-mail, telephone numbers).
  • Meta/communication data (e.g. device information, IP addresses).
  • Usage data (e.g. websites visited, interest in contents, access times).
  • Contractual data (e.g. contract object, term, customer category).
  • Payment data (e.g. bank details, invoices, payment history).

Categories of data subjects

  • Applicants.
  • Business and contractual partners.
  • Prospective customers.
  • Communication partners.
  • Users (e.g. website visitors, users of online services).

Purposes of processing

  • Provision of the web presence and user-friendliness.
  • Conversion measurement (measurement of the effectiveness of marketing campaigns).
  • Application procedure (reasoning and any later performance, as well as potentially ending the employment relationship at a later date).
  • Office and organisation procedures.
  • Direct marketing (e.g. by e-mail or post).
  • Target group formation.
  • Marketing.
  • Contact requests and communication.
  • Profiles with user-related information (creation of user profiles).
  • Remarketing.
  • Reach measurement (e.g. access statistics, recognising repeat visitors).
  • Security measures.
  • Providing contractual services and customer service.
  • Managing and answering queries.
  • Target group formation (determination of target groups relevant for marketing purposes or other output of contents).

Relevant legal basis

The following provides you with an overview of the legal basis of the GDPR on which basis we process personal data. Please note that, in addition to the regulations in the GDPR, national data protection regulations in your or our domicile or member state of the head office may apply. Furthermore, if a special legal basis becomes significant, we will inform you of this in the data privacy statement.

  • Consent (Art. 6, Section 1 (a) GDPR) – the data subject has given consent to the processing of his or her personal data for one or more specific purposes.
  • Contract performance and steps prior to entering into a contract (Art. 6, Section 1 (b) GDPR) – processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
  • Legal obligation (Art. 6, Section 1 (c) GDPR) – processing is necessary for compliance with a legal obligation to which the controller is subject.
  • Legitimate interest (Art. 6, Section 1 (f) GDPR) – processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
  • Application procedure as pre-contractual or contractual relationship (Art. 9, Section 2 (b) GDPR) – insofar as special categories of personal data as defined by Art. 9, Section 1 of the GDPR (e.g. health data such as disability or ethnic origin) are requested from applicants for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law, their processing is performed in accordance with Art. 9, Section 2 (b) of the GDPR, to protect the vital interests of the data subject or of another natural person in accordance with Art. 9, Section 2 (c) of the GDPR or for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services in accordance with Art. 9, Section 2 (h) of the GDPR. In the event that the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, they are processed in accordance with Art. 9, Section 2 (a) of the GDPR.

National data protection regulations in Germany: In addition to the data protection regulations in the General Data Protection Regulation, national data protection regulations apply in Germany. This includes the law to protect against misuse of personal data when processing data (Federal Data Protection Act – BDSG) in particular. The BDSG contains special regulations in particular regarding the right of access, the right to erasure, the right to object, processing special categories of personal data, processing for other purposes and transmission, as well as automated decision-making in individual cases, including profiling. Furthermore, it regulates data processing for employment purposes (section 26 of the BDSG), in particular with regard to hiring decisions, carrying out or terminating the employment contract and employee consent. Furthermore, state data protection regulations may apply in the individual Federal States.

SECURITY MEASURES

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, we shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk in accordance with the legal regulations.

The measures include, in particular, safeguarding the confidentiality, integrity and availability of data by controlling physical and electronic access to the data, as well as access to, input of and transmission of the data, safeguarding their availability and keeping them separate. Furthermore, we have established procedures that guarantee the exercise of data subject rights, the erasure of data and responses to threats to the data. Furthermore, we take the protection of personal data into account as early as the development or selection of hardware, software and procedures, in accordance with the principle of data protection by design and by default.

TRANSMITTING PERSONAL DATA

As part of our processing of personal data, the data will be transferred to other bodies, companies, legally independent organisational units or people, or will be disclosed to them. The recipients of these data may include service providers commissioned with IT work or providers of service and contents that are integrated into this website. In this case, we will observe the legal regulations and conclude corresponding contracts or agreements with the recipients of your data, which serve to protect your data.

DATA PROCESSING IN THIRD COUNTRIES

If we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or processing takes place as part of using the services of third parties or data are disclosed or transferred to other people, bodies or companies, this is performed in accordance with the legal regulations.

Subject to explicit consent or contractual or legally required transmission, we process or have the data processed in third countries only with a recognised data protection level, contractual obligation via so-called standard protection clauses of the EU Commission, if certification or binding internal data protection regulations are present (Art. 44 to 49 of the GDPR, EU Commission information website: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection_en).

USE OF COOKIES

Cookies are text files that contain data regarding websites or domains visited and that are saved by a browser on the user’s computer. First and foremost, a cookie is used to save the information regarding a user during or after their visit within a web presence. The saved information may include the language settings on a website, the login status, a shopping basket or the point to which a video was watched. Furthermore, we include other technologies that fulfil the same function as cookies in the term cookies (e.g. if user information is saved using anonymised online indicators, also known as “User IDs”).

A difference is made between the following cookie types and functions:

  • Temporary cookies (also known as: session cookies): Temporary cookies are deleted at the latest after a user has left the web presence and closed their browser.
  • Permanent cookies: Permanent cookies remain saved even after the browser has been closed. In this way, the login status can be saved for example or preferred content can be displayed directly when the user visits a website again. In addition, the interests of users, which are used for reach measurement or for marketing purposes, can also be saved in this type of cookie.
  • First-party cookies: First-party cookies are set by us.
  • Third-party cookies (also known as: third-party provider cookies): Third-party provider cookies are mainly set by advertisers (third parties) in order to process user information.
  • Required (also known as essential) cookies: Cookies may be essential to operate a website (e.g. to save logins or other user entries, or for security reasons).
  • Statistics, marketing and personalisation cookies: Furthermore, cookies are generally used as part of reach measurement as well as when the interests of a user (e.g. viewing certain content, using functions, etc.) are to be saved in a user profile on individual websites. These profiles serve to display content to the users, which matches their potential interests. This procedure is also known as “Tracking”, i.e. tracking the potential interests of the user. If we use cookies or “tracking” technology, we will inform you explicitly in our data privacy statement or when obtaining your consent.

Notes regarding the legal basis: The legal basis on which we process your personal data via cookies depends on whether we ask you for consent. If this is the case and you agree to the use of cookies, the legal basis for processing your data is declared consent. Otherwise, the data processed via cookies is processed on the basis of our legitimate interest (e.g. for economic operation of our web presence and its improvement) or, if the use of cookies is essential, in order to meet our contractual obligations.

Storage duration: Unless we explicitly inform you of the storage duration of permanent cookies (e.g. as part of a cookie opt-in), please assume that the storage duration can be up to two years.

General notes regarding withdrawal and objection (opt-out): Depending on whether the processing is performed on the basis of consent or a legal permit, you have the option to withdraw your consent or to object to the processing of your data via cookie technology (known jointly as “opt-out”). You can first declare your objection using your browser’s settings, e.g. by deactivating the use of cookies (although this may limit the functions of our web presence). An objection to the use of cookies for online marketing purposes can also be declared via a number of services, especially in the case of tracking, via the websites https://optout.aboutads.info and https://www.youronlinechoices.com/. In addition, you can receive further objection information as part of the entries to the service providers and cookies used.

Processing cookie data on the basis of consent: We use a cookie consent management procedure within which the consents of the users for the use of cookies or the processing and providers specified as part of cookie consent management can be collected, managed by users and objected to. A consent declaration is saved in order to prevent having to repeat its query and to be able to demonstrate the consent in accordance with the legal obligation. Saving can be performed on the server and/or in a cookie (known as an opt-in cookie, or via comparable technologies) in order to be able to assign the consent to a user or their device. Subject to individual specifications regarding the providers of cookie management service, the following notes apply: The maximum duration of saving the consent is two years. Here, an anonymised user identifier is formed and saved along with the time of consent, information regarding the reach of the consent (e.g. which categories of cookies and/or service providers), the browser, system and the end device used.

  • Processed data types: Usage data (e.g. websites visited, interest in contents, access times), meta/communication data (e.g. device information, IP addresses).
  • Data subjects: Users (e.g. website visitors, users of online services).
  • Legal basis: Consent (Art. 6, Section 1 (a) GDPR), legitimate interest (Art. 6, Section 1 (f) GDPR).

Services and service providers used:

  • BorlabsCookie: Cookie consent management; service provider: Borlabs; website: https://de.borlabs.io/borlabs-cookie/; an individual user ID, the language, types of consent and the time of submission are saved on the server and in the cookie on the user’s device.

COMMERCIAL SERVICES

We process the data of our contractual and business partners (e.g. customers and prospective customers, subsequently referred to as “contractual partners”) as part of contractual and comparable legal relationships, as well as associated measures and as part of communicating with the contractual partners (or prior to the contract), e.g. to answer questions.

We process this data to fulfil our contractual obligations, to safeguard our rights and for the purpose of the management tasks associated with these entries, as well as intra-company organisation. We will only give the data of contractual partners to third parties within the framework of the applicable law if this is required for the aforementioned purposes or to fulfil legal obligations, or if it has been done with the consent of the data subjects (e.g. on associated telecommunication, transport and other auxiliary services, as well as subcontractors, banks, accountants, legal consultants, payment service providers or tax offices). The contractual partners are informed of other forms of processing, e.g. for marketing purposes, in this data privacy statement.

We will inform the contractual partner of the data required for the aforementioned purposes before or during data collection, e.g. in online forms via special marking (e.g. colours) or symbols (e.g. asterisks or similar) or personally.

We will delete the data after the legal warranty and comparable obligations have expired, i.e. after 4 years in all cases unless the data have been saved in a customer account, e.g. as long as they have to be stored for legal reasons of archiving (e.g. generally 10 years for tax purposes). We will delete data that the contractual partner disclosed as part of an order in accordance with the specifications of the order and always after the order is complete.

If we use third-party suppliers or platforms to provide our services, the terms and conditions and data privacy statements of the corresponding third-party supplier or platform apply to the relationship between the users and the suppliers.

Technical services: We process the data of our customers and purchasers (subsequently referred to as “customers”) in order to enable them to select, acquire or order the selected services or works, as well as connected activities and their payment and provision or design or fulfilment.

The required information is marked accordingly when concluding the job, order or comparable contract and comprises the information required to provide and invoice the service, as well as contact information for any queries. If we receive access to information for end customers, employees or other people, we will process this in accordance with the legal and contractual specifications.

Further information regarding commercial services: We process the data of our customers and purchasers (subsequently referred to as “customers”) in order to enable them to select, acquire or order the selected services or works, as well as connected activities and their payment and delivery or design or fulfilment.

The required information is marked accordingly when concluding the job, order or comparable contract and comprises the information required to provide and invoice the service, as well as contact information for any queries.

  • Processed data types: Inventory data (e.g. names, addresses), payment data (e.g. bank details, invoices, payment history), contact data (e.g. e-mail, telephone numbers), contractual data (e.g. contract object, term, customer category).
  • Data subjects: Prospective customers, business and contractual partners.
  • Purposes of processing: Providing contractual services and customer service, contact requests and communication, office and organisation procedures, managing and answering queries.
  • Legal basis: Contract performance and steps prior to entering into a contract (Art. 6, Section 1 (b) GDPR), legal obligation (Art. 6, Section 1 (c) GDPR), legitimate interest (Art. 6, Section 1 (f) GDPR).

PROVISION OF THE WEB PRESENCE AND WEB HOSTING

In order to be able to provide our web presence securely and efficiently, we use the services of one or several web hosting suppliers from whose servers (or the servers managed by them) the web presence can be called up. For this purpose, we may use infrastructure and platform services, computing capacity, disk space and database services, as well as security services and technical maintenance services.

All of the information that is collected as part of use and communication and that relates to the users of our web presence can be part of the data processed as part of providing our hosting service. This often includes the IP address that is required to be able to supply the contents of a web presence to the browser and all inputs made within our web presence or from websites.

Collecting access data and log files: We (or our web hosting suppliers) collect data regarding each access to the server (known as server log files). The server log files can contain the address and name of the websites and files called up, the date and time of calling, data volumes transferred, notification of a successful call-up, the browser type and version, the user’s operating system, the referrer URL (the site visited before) and normally the IP addresses and the querying provider.

The server log files can be used for security purposes on the one hand, e.g. to prevent the server overloading (this occurs particularly during malicious attacks known as distributed denial of service attacks) and, on the other hand, to safeguard the server load and stability.

  • Processed data types: Content data (e.g. entries in online forms), usage data (e.g. websites visited, interest in contents, access times), meta/communication data (e.g. device information, IP addresses).
  • Data subjects: Users (e.g. website visitors, users of online services).
  • Purposes of processing: Provision of the web presence and user-friendliness, providing contractual services and customer service.
  • Legal basis: Legitimate interest (Art. 6, Section 1 (f) GDPR).

Services and service providers used:

CONTACT

When you contact us (e.g. via the contact form, by e-mail, telephone or via social media), the information regarding the person making contact is processed if this is required to answer the contact queries and for any measures requested.

Responding to contact queries as part of contractual or pre-contractual relationships is performed to fulfil our contractual obligations or to answer (pre-)contractual queries and on the basis of the legitimate interest of responding to the queries.

  • Processed data types: Inventory data (e.g. names, addresses), contact data (e.g. e-mail, telephone numbers), content data (e.g. entries in online forms).
  • Data subjects: Communication partners.
  • Purposes of processing: Contact requests and communication.
  • Legal basis: Contract performance and steps prior to entering into a contract (Art. 6, Section 1 (b) GDPR), legitimate interest (Art. 6, Section 1 (f) GDPR).

VIDEO CONFERENCES, ONLINE MEETINGS, WEBINARS AND SCREEN SHARING

We use platforms and applications from other suppliers (subsequently referred to as “conference platforms”) to perform video and audio conferences, webinars and other types of video and audio meetings (subsequently referred to as “conference”). We observe the legal requirements when selecting the conference platforms and their services.

Data processed by conference platforms: When you participate in a conference, the conference platforms process the following participant personal data. The scope of processing depends on the data requested as part of a concrete conference (e.g. entering access data or real names) and which optional information can be entered by the participants. In addition to processing to perform the conference, the conference platforms may also process participants’ data for security reasons or to optimise service. The data to be processed include personal data (forename, surname), contact information (e-mail address, telephone number), access data (access codes or passwords), profile pictures, information regarding the job or function, the IP address used for internet access, information regarding the participants’ end devices, their operating system, the browser and its technical and language settings, information regarding the content communication processes, i.e. entries in chats, as well as audio and video data, and the use of other functions that are available (e.g. polls). Contents of the communications are encrypted in the scope provided technically by the conference supplier. If the participants are registered as users on the conference platforms, further data can be processed in accordance with the agreement with the relevant conference supplier.

Logging and recording: If text inputs, participant results (e.g. of polls), as well as video or audio recordings are logged, the participants will be informed of this transparently in advance and they will be asked for consent if required.

Participant data protection measures: Please see the data privacy statements of the conference platforms for details regarding processing your data and select the optimum security and data protection settings for you when making the settings for the conference platforms. Furthermore, please also ensure data and personal protection in the background of your recording for the duration of a video conference (e.g. by informing others living on the premises, closing doors and, if technically possible, using the function to anonymise the background). Links to the conference rooms and access data must not be passed on to unauthorised third parties.

Notes regarding the legal basis: If we also process the user’s data in addition to the conference platforms and ask the users for their consent to use the conference platforms or certain functions (e.g. consent to record conferences), the legal basis for processing is this consent. Furthermore, our processing may be required to fulfil our contractual obligations (e.g. lists of participants, in the event of re-appraising meeting results, etc.). Finally, the user data is processed on the basis of our legitimate interest in efficient and secure communication with our communication partners.

  • Processed data types: Inventory data (e.g. names, addresses), contact data (e.g. e-mail, telephone numbers), content data (e.g. entries in online forms), usage data (e.g. websites visited, interest in contents, access times), meta/communication data (e.g. device information, IP addresses).
  • Data subjects: Communication partners, users (e.g. website visitors, users of online services).
  • Purposes of processing: Providing contractual services and customer service, contact requests and communication, office and organisation procedures.
  • Legal basis: Consent (Art. 6, Section 1 (a) GDPR), contract performance and steps prior to entering into a contract (Art. 6, Section 1 (b) GDPR), legitimate interest (Art. 6, Section 1 (f) GDPR).

Services and service providers used:

APPLICATION PROCEDURE

The application procedure requires applicants to provide us with data to evaluate and select them. The information required depends on the job description or, in the event of online forms, on the specifications there.

Basically, the required information includes information about the person such as name, address, a contact option and the proof of the qualifications required for the job. We are also happy to specify which information is required upon request.

If available, applicants can submit their application to us via an online form. The data are encrypted in a state-of-the-art manner when they are transferred to us. Applicants can also send us their applications by e-mail. However, please note that e-mails are not generally sent encrypted over the internet. E-mails are normally encrypted during transmission but not on the servers from which they are sent and received. We therefore cannot take any responsibility for the application’s transmission route between the sender and receipt on our server.

In order to search for applicants, submit applications and select applicants, we may use applicant management or recruitment software, platforms and services from third-party suppliers in accordance with the legal requirements.

Applicants are free to contact us regarding the manner of submitting the application or send us an application by post.

Processing special categories of data: Insofar as special categories of personal data as defined by Art. 9, Section 1 of the GDPR (e.g. health data such as disability or ethnic origin) are requested from applicants for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law, their processing is performed in accordance with Art. 9, Section 2 (b) of the GDPR, to protect the vital interests of the data subject or of another natural person in accordance with Art. 9, Section 2 (c) of the GDPR or for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services in accordance with Art. 9, Section 2 (h) of the GDPR. In the event that the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, they are processed in accordance with Art. 9, Section 2 (a) of the GDPR.

Erasure of data: The data provided by the applicants can be processed by us further for the purposes of an employment relationship in the event of a successful application. Otherwise, if the application is unsuccessful, the applicant’s data will be erased. The applicant’s data will also be erased if the application is withdrawn, which the applicant is entitled to do at any time. Erasure will be performed subject to a legitimate withdrawal by the applicant at the latest after six months so that we are able to answer any queries connected with the application and in order to comply with our burden of proof of equal treatment of applicants. Invoices for any travel expense reimbursement will be archived in accordance with tax law regulations.

Acceptance into an applicant pool: Acceptance into an applicant pool, if offered, is on the basis of consent. The applicants will be informed that their consent to be accepted into the talent pool is voluntary, has no effect on the ongoing application procedure and that they may withdraw their consent with future effect.

  • Processed data types: Applicant data (e.g. data regarding the person, postal and contact addresses, the documents belonging to the application and the information contained therein, e.g. cover letter, CV, certificates and other information about their person or qualification with regard to a concrete position or submitted voluntarily by applicants).
  • Data subjects:
  • Purposes of processing: Application procedure (reasoning and any later performance, as well as potentially ending the employment relationship at a later date).
  • Legal basis: Application procedure as pre-contractual or contractual relationship (Art. 9, Section 2 (b) GDPR).

NEWSLETTER AND ELECTRONIC NOTIFICATIONS

We only send newsletters, e-mails and electronic notifications (subsequently referred to as “newsletter”) with the consent of the recipient or a legal approval. If the newsletter’s content has been transcribed as part of signing up for the newsletter, it is decisive for the user’s consent. Our newsletters contain information regarding our services and us.

In order to sign up for our newsletter, it is basically sufficient to simply enter your e-mail address. However, we can request that you enter a name for the purpose of a personal greeting in the newsletter or other information if required for newsletter purposes.

Double opt-in procedure: A double opt-in procedure is used to sign up to our newsletter. This means that you receive an e-mail after signing up, in which you are requested to confirm your registration. This confirmation is required to ensure that nobody can sign up with a fake e-mail address. The sign-ups for the newsletter are logged in order to be able to prove the sign-up process in accordance with the legal requirements. This includes saving the sign-up and confirmation times, as well as the IP address. The changes to your data stored with your e-mail provider are also logged.

Erasure and restriction of processing: We can save the e-mail addresses supplied for up to three years on the basis of our legitimate interest before we erase them, in order to be able to prove that there was consent. Processing of these data is limited to the purpose of defending any potential claims. An individual erasure request is possible at any time as long as the existence of an original consent is confirmed. In the event of obligations for continuous observance of objections, we reserve the right to save the e-mail address only for this purpose in a “block list”.

Logging of the sign-up procedure is performed on the basis of our legitimate interest for the purpose of proving a correct sequence. If we commission a service provider to send e-mails, this is performed on the basis of our legitimate interest in an efficient and secure sending system.

Notes regarding the legal basis: The newsletter is sent on the basis of the recipient’s consent or, if consent is not required, on the basis of our legitimate interest in direct marketing if and insofar as this is legally permitted, e.g. in the event of advertising to existing customers. If we commission a service provider to send e-mails, this is performed on the basis of our legitimate interest. The registration procedure is recorded on the basis of our legitimate interest in order to prove that it was performed legally.

Contents: Information about us, our services and special offers.

Measuring opening and click rates: The newsletters contain a “web beacon”, i.e. a pixel-sized file that is called when opening the newsletter from our server or the server of the sending provider if we use one. As part of this call, technical information such as information regarding the browser and your system, as well as your IP address and the time of calling is collected.

This information is used for technical improvements to our newsletter based on the technical data or the target groups and their reading behaviour based on their calling locations (that can be determined using the IP address) or the access times. This analysis also includes determining whether the newsletters are opened, when they are opened and which links are clicked. This information is assigned to the individual newsletter recipients and saved in their profiles until erasure. The evaluations are used to detect our users’ reading habits and to adjust our content to them or to send different content according to our users’ interests.

Measurement of the opening rates and the click rates, as well as saving the measurement results in the users’ profiles and further processing are performed on the basis of the users’ consent.

Unfortunately, it is not possible to request a separate objection for success measurement; in this case, the entire newsletter subscription would have to be cancelled or objected to. In this case, the saved profile information is erased.

  • Processed data types: Inventory data (e.g. names, addresses), contact data (e.g. e-mail, telephone numbers), meta/communication data (e.g. device information, IP addresses), usage data (e.g. websites visited, interest in contents, access times).
  • Data subjects: Communication partners, users (e.g. website visitors, users of online services).
  • Purposes of processing: Direct marketing (e.g. by e-mail or post), reach measurement (e.g. access statistics, recognising repeat visitors), conversion measurement (measurement of the effectiveness of marketing campaigns), profiles with user-related information (creation of user profiles).
  • Legal basis: Consent (Art. 6, Section 1 (a) GDPR), legitimate interest (Art. 6, Section 1 (f) GDPR).
  • Objection possibility (opt-out): You can stop receiving our newsletter at any time, i.e. withdraw your consent or object to continuing to receive it. A link to cancel the newsletter is provided at the end of each newsletter or you can use one of the aforementioned contact options, preferably e-mail, for this.

Services and service providers used:

ADVERTISEMENTS VIA E-MAIL, POST, FAX OR TELEPHONE

We process personal data for advertisement purposes that can be performed via various channels such as e-mail, telephone, post or fax.

The recipients have the right to withdraw consent that was granted or to object to advertisements at any time.

After withdrawing or objecting, we may store the data required to provide consent for up to three years on the basis of our legitimate interest before we delete them. Processing of these data is limited to the purpose of defending any potential claims. An individual erasure request is possible at any time as long as the existence of an original consent is confirmed.

  • Processed data types: Inventory data (e.g. names, addresses), contact data (e.g. e-mail, telephone numbers).
  • Data subjects: Communication partners.
  • Purposes of processing: Direct marketing (e.g. by e-mail or post).
  • Legal basis: Consent (Art. 6, Section 1 (a) GDPR), legitimate interest (Art. 6, Section 1 (f) GDPR).

ONLINE MARKETING

We process personal data for the purpose of online marketing, which can include marketing in advertising space or displaying advertisement and other contents (subsequently referred to as “content”) based on potential interest on the part of the users, as well as measuring its effectiveness.

For this purpose, user profiles are created and saved in a file (known as a “cookie”) or a similar process is used, with which the user information relevant for showing the aforementioned content is saved. This information may include content viewed, websites visited, online networks used but also communication partners and technical information such as the browser used, the computer system used and information about usage times. If users have consented to their location data being collected, this can also be processed.

The users’ IP address is also saved. However, we use the IP masking procedure that is available (i.e. anonymisation by shortening the IP address) in order to protect users. In general, no plain data (such as e-mail addresses or names) are saved for the users as part of the online marketing procedure; only pseudonyms are used. This means that we and the providers of the online marketing procedure do not know the real identity of the users, just the information saved in their profiles.

The information in the profiles is normally saved in the cookies or using similar procedures. These cookies can normally be read later by other websites that use the same online marketing procedure, analysed for display purposes, have further data added to them and be saved on the online marketing procedure provider’s server.

In exceptional cases, plain data can be assigned to the profiles. This is the case if the users are members of a social network whose online marketing procedure we use and the network connects the users’ profiles with the aforementioned information. Please note that users can have different agreements with the providers, e.g. due to consents given when registering.

We basically only receive access to summarised information regarding the success of our advertisements. But we can use conversion measurements to check which of our online marketing procedures has led to a conversion, i.e. to a contract being placed with us for example. Conversion measurement is only used to analyse the success of our marketing measures.

Unless otherwise specified, we ask that you assume that the cookies used will be saved for a period of two years.

Notes regarding the legal basis: If we ask users for their consent to use the third-party suppliers, the legal basis for processing the data is consent. Otherwise, the user data is processed on the basis of our legitimate interest (i.e. interest in efficient, economical and recipient-friendly services). In this context, we would like to draw your attention to the information regarding the use of cookies in this data privacy statement.

Google Universal Analytics: We use the Universal Analytics version of Google Analytics (https://support.google.com/analytics/answer/2790010?hl=en&ref_topic=6010376). “Universal Analytics” designates a Google Analytics procedure in which the user analysis is performed based on an anonymised user ID and therefore creates an anonymous user profile with information from the use of different devices (known as “Cross-device tracking”).

Facebook pixel and target group formation (custom audiences): The Facebook pixel (or comparable functions to transmit event data or contact information using interfaces in apps) enables Facebook to define the visitors to our web presence as the target group for displaying advertisements (known as “Facebook-Ads”). We therefore use the Facebook pixel to only display those Facebook-Ads switched by us to users on Facebook and within the services of the partners that cooperate with Facebook (known as “Audience Network” https://www.facebook.com/audiencenetwork/ ) who have also shown an interest in our web presence or who have certain characteristics (e.g. interest in certain topics or products that are clear from the websites that they have visited) that we communicate to Facebook (known as “Custom Audiences”). We want to use the Facebook pixel to ensure that our Facebook-Ads correspond to the users’ potential interests and are not bothersome. Furthermore, we can use the Facebook pixel to determine the effectiveness of the Facebook advertisements for statistical and market research purposes by seeing whether users are forwarded to our website after clicking a Facebook advertisement (known as “conversion measurement”).

We are jointly responsible along with Facebook Ireland Ltd. for collecting or receiving “event data” as part of transmission (but not for further processing), which Facebook executes via Facebook pixels and comparable functions (e.g. interfaces) on our web presence, collects or receives as part of transmission for the following purposes: a) displaying content advertising information that correspond to the users’ probable interests; b) sending commercial and transaction-related messages (e.g. communicating with users via Facebook Messenger); c) improving the advertisement delivery and personalisation of functions and contents (e.g. improving recognition of which contents or advertising information correspond to the users’ probable interests). We have concluded a special agreement with Facebook (“Controller addendum”, https://www.facebook.com/legal/controller_addendum), which controls particularly which security measures Facebook must observe (https://www.facebook.com/legal/terms/data_security_terms) and in which Facebook declares itself prepared to fulfil the rights of the data subject (i.e. users can send requests for access or erasure directly to Facebook). Note: If Facebook provides us with measured values, analyses and reports (that are aggregated, i.e. do not contain any information regarding individual users and that are anonymised for us), this processing is not performed as part of the joint responsibility but on the basis of an order preparation contract (“Data Processing Terms”, https://www.facebook.com/legal/terms/dataprocessing), the “Data Security Terms” (https://www.facebook.com/legal/terms/data_security_terms), as well as, with regard to processing in the USA, on the basis of standard contract clauses (“Facebook EU Data Transfer Addendum”, https://www.facebook.com/legal/EU_data_transfer_addendum).
The rights of the user (particularly to access, erasure, objection and complaints with a supervisory authority) are not limited by the agreements with Facebook.

  • Processed data types: Usage data (e.g. websites visited, interest in contents, access times), meta/communication data (e.g. device information, IP addresses), event data (Facebook) (“Event data” are data that can be transferred by us to Facebook, e.g. via Facebook pixels (via apps or other means) and that relate to people or their actions; these data include information about visits to websites, interactions with content, functions, installing apps, buying products, etc.; the event data are processed for the purpose of forming target groups for content and advertising information (custom audiences); event data do not contain the actual content (such as written comments), any login information or any contact information (i.e. no names, e-mail addresses and telephone numbers). Facebook deletes event data after a maximum of two years and the target groups formed from them are deleted if we delete our Facebook account).
  • Data subjects: Users (e.g. website visitors, users of online services).
  • Purposes of processing: Marketing, profiles with user-related information (creation of user profiles), remarketing, conversion measurement (measurement of the effectiveness of marketing campaigns), target group formation (determination of target groups relevant for marketing purposes or other output of contents).
  • Security measures: IP masking (anonymisation of the IP address).
  • Legal basis: Consent (Art. 6, Section 1 (a) GDPR), legitimate interest (Art. 6, Section 1 (f) GDPR).
  • Objection possibility (opt-out): We refer to the data privacy statement of the relevant provider and the objection possibilities specified to the providers (known as “opt-out”). If no explicit opt-out possibility was specified, you have the option of switching cookies off in your browser settings. However, this may limit the functions of our web presence. We therefore recommend the following opt-out possibilities that are offered as combinations for the corresponding areas: a) Europe: https://www.youronlinechoices.eu. b) Canada: https://www.youradchoices.ca/choices. c) USA: https://www.aboutads.info/choices. d) Cross-area: https://optout.aboutads.info.

Services and service providers used:

  • Google Tag Manager: Google Tag Manager is a solution that we can use to manage website tags via an interface and therefore include other services in our web presence (reference is made to other information in this data privacy statement for this). The Tag Manager itself (that implements the tags) therefore does not yet create user profiles or save cookies. Google only obtains the user’s IP address, which is required to execute the Google Tag Manager. Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; Website: https://marketingplatform.google.com; Data privacy statement: https://policies.google.com/privacy.
  • Google Analytics: Online marketing and web analysis; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; Website: https://marketingplatform.google.com/intl/en/about/analytics/; Data privacy statement: https://policies.google.com/privacy; Objection possibility (opt-out): Opt-out plugin: https://tools.google.com/dlpage/gaoptout?hl=en, settings for displaying advertisements: https://adssettings.google.com/authenticated.
  • Google Universal Analytics: Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; Website: https://marketingplatform.google.com; Data privacy statement: https://policies.google.com/privacy.
  • Google Ads and conversion measurement: We use the “Google Ads” online marketing procedure to place advertisements in the Google advertising network (e.g. in search results, in videos, on websites, etc.) so that they can be displayed to users who have a probable interest in the advertisements. Furthermore, we measure the conversion of the advertisements. However, we only learn the anonymous total number of users who have clicked our advertisement and been forwarded to a page provided with a “Conversion Tracking Tag”. We do not receive any information that could be used to identify users. Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; Website: https://marketingplatform.google.com; Data privacy statement: https://policies.google.com/privacy.
  • Facebook pixel and target group formation (custom audiences): Service provider: https://www.facebook.com, Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, parent company: Facebook, 1 Hacker Way, Menlo Park, CA 94025, USA; Website: https://www.facebook.com; data privacy statement: https://www.facebook.com/about/privacy; objection possibility (opt-out): https://www.facebook.com/adpreferences/ad_settings (you must log in to Facebook).

SOCIAL NETWORK PRESENCE (SOCIAL MEDIA)

We keep an online presence within social networks and process user data within this framework in order to communicate with the active users there or to provide information about us.

We would like to advise you that user data may be processed outside the European Union in this case. This could pose risks to the users, e.g. by making it harder to assert user rights.

Furthermore, the user’s data are generally processed within social networks for market research and advertising purposes. In this way, usage behaviours and the user interests resulting from this can be used to create usage profiles. The usage profiles are in turn used to switch advertisements inside and outside the networks, which probably correspond to the users’ interests. For this purpose, cookies are normally saved on the users’ computers, in which the usage behaviour and the users’ interests are saved. Furthermore, the usage profiles can also save data regardless of the devices that the users are using (particularly if the users are members of the relevant platforms and logged in there).

For a detailed illustration of the relevant forms of processing and the objection possibilities (opt-out), please refer to the data privacy statements and information from the operators of the relevant networks.

We would also like to advise you that access requests and asserting subject rights are more effectively addressed to the providers. Only the providers have access to the users’ data and can take the required measures directly and provide information. If you still require help, you can contact us.

Facebook: Together with Facebook Ireland Ltd., we are responsible for collection (but not further processing) of data of the visitors to our Facebook page (“fan page”). These data include information about the types of contents that users view or with which they interact, or the actions that they took (see “Things that you and others do and provide” in the Facebook data privacy policy: https://www.facebook.com/policy), as well as information about the devices used by users (e.g. IP addresses, operating system browser type, language settings, cookie data, see “Device information” in the Facebook data privacy policy: https://www.facebook.com/policy). As explained in “How do we use this information?” in the Facebook data privacy policy, Facebook also collects and uses information to provide analysis services, “page insights”, to website operators so that they can obtain information about how people interact with their sites and with the content connected to them. We have concluded a special agreement with Facebook (“Information about Page Insights”, https://www.facebook.com/legal/terms/page_controller_addendum), which controls particularly which security measures Facebook must observe and in which Facebook declares itself prepared to fulfil the rights of the data subject (i.e. users can send requests for access or erasure directly to Facebook). The rights of the user (particularly to access, erasure, objection and complaints with a supervisory authority) are not limited by the agreements with Facebook. For more information, see the “Information about Page Insights” (https://www.facebook.com/legal/terms/information_about_page_insights_data).

  • Processed data types: Contact data (e.g. e-mail, telephone numbers), content data (e.g. entries in online forms), usage data (e.g. websites visited, interest in contents, access times), meta/communication data (e.g. device information, IP addresses).
  • Data subjects: Users (e.g. website visitors, users of online services).
  • Purposes of processing: Contact requests and communication, feedback (e.g. collecting feedback via an online form), marketing.
  • Legal basis: Legitimate interest (Art. 6, Section 1 (f) GDPR).

Services and service providers used:

PLUGINS AND EMBEDDED FUNCTIONS AND CONTENT

Our web presence includes functional and content elements that are obtained from the servers of the corresponding providers (subsequently referred to as “third-party providers”). These may be graphics, videos or maps (subsequently referred to simply as “contents”).

Inclusion always requires the third party providers of these contents to process the users’ IP addresses, as they cannot send the contents to their browsers without the IP address. The IP address is therefore required to display these contents or functions. We make every effort to only use those contents where the relevant provider only uses the IP address to deliver the contents. Third-party providers can also use pixel tags (invisible graphics, also known as “web beacons”) for statistical or marketing purposes. The “pixel tags” can be used to evaluate information such as user traffic to this website. The anonymised information can also be saved in cookies on the users’ devices and contain technical information regarding the browser and the operating system, about linking websites, about the visit time, as well as further information regarding the use of our web presence, and be connected with this type of information from other sources.

Notes regarding the legal basis: If we ask users for their consent to use the third-party suppliers, the legal basis for processing the data is consent. Otherwise, the user data is processed on the basis of our legitimate interest (i.e. interest in efficient, economical and recipient-friendly services). In this context, we would like to draw your attention to the information regarding the use of cookies in this data privacy statement.

  • Processed data types: Usage data (e.g. websites visited, interest in contents, access times), meta/communication data (e.g. device information, IP addresses), inventory data (e.g. names, addresses), contact data (e.g. e-mail, telephone numbers), content data (e.g. entries in online forms).
  • Data subjects: Users (e.g. website visitors, users of online services).
  • Purposes of processing: Provision of the web presence and user-friendliness, providing contractual services and customer service.
  • Legal basis: Legitimate interest (Art. 6, Section 1 (f) GDPR), consent (Art. 6, Section 1 (a) GDPR), contract performance and steps prior to entering into a contract (Art. 6, Section 1 (b) GDPR).

Services and service providers used:

  • Google Fonts: We include fonts (“Google Fonts”) from Google but the user data is only used to display the fonts in the users’ browsers. Inclusion is performed on the basis of our legitimate interest in a technically secure, maintenance-free and efficient use of fonts, their consistent display and consideration for possible licence restrictions for their use. Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; Website: https://fonts.google.com/; Data privacy statement: https://policies.google.com/privacy.
  • Google Maps: We include the maps from the “Google Maps” service provided by Google. The data to be processed may include IP addresses and location data for users but they are not collected without their consent (normally as part of the settings on their mobile devices); service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; Website: https://cloud.google.com/maps-platform; Data privacy statement: https://policies.google.com/privacy; Objection possibility (opt-out): Opt-out plugin: https://tools.google.com/dlpage/gaoptout?hl=en, settings for displaying advertisements: https://adssettings.google.com/authenticated.
  • Adobe Typekit fonts: We include fonts (“Typekit fonts”) from Adobe but the user data is only used to display the fonts in the users’ browsers. Inclusion is performed on the basis of our legitimate interest in a technically secure, maintenance-free and efficient use of fonts, their consistent display and consideration for possible licence restrictions for their use. Service provider: Adobe Systems Software Ireland Limited, 4-6 Riverwalk, Citywest Business Campus, Dublin 24, Ireland; Website: https://www.adobe.com; Data privacy statement: https://www.adobe.com/privacy.html.
  • YouTube videos: Video content; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; Website: https://www.youtube.com; Data privacy statement: https://policies.google.com/privacy; Objection possibility (opt-out): Opt-out plugin: https://tools.google.com/dlpage/gaoptout?hl=en, settings for displaying advertisements: https://adssettings.google.com/authenticated.

ERASURE OF DATA

The data that we collect is erased in accordance with the legal specifications as soon as the consent to processing is withdrawn or other approvals no longer apply (e.g. if the purposes of processing for these data no longer apply or they are not required for the purpose).

If the data are not deleted because they are required for other, legally permissible purposes, their processing is limited to these purposes. This means that the data are blocked and not processed for other purposes. This applies, for example, to data that has to be stored for trade or tax reasons or that have to be saved for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person.

As part of our data privacy policy, we can provide the users with further information regarding erasure and storing data, which apply specifically to the relevant processing process.

CHANGES AND UPDATES TO THE DATA PRIVACY STATEMENT

We request that you read the data privacy policy on a regular basis. We will adjust the data privacy policy as soon as the changes to the data processing performed by us make this necessary. We will inform you as soon as the changes require an action on your part (e.g. consent) or another individual notification becomes necessary.

If we specify addresses and contact details for companies and organisations in this data privacy statement, please note that addresses can change over time and please therefore check the information prior to contacting them.

RIGHTS OF THE DATA SUBJECT

As the data subject, the GDPR provides you with various rights, which derive from Art. 15 to 21 of the GDPR in particular:

  • Right to object: You shall have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on point (e) or (f) of Article 6(1) of the GDPR, including profiling based on those provisions. Where personal data are processed for direct marketing purposes, you shall have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing.
  • Right to withdraw consent: You have the right to withdraw consent at any time.
  • Right of access: You shall have the right to obtain confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, access to the personal data, as well as further information and a copy of the data in accordance with the legal regulations.
  • Right to rectification: You shall have the right to have incomplete personal data completed or to obtain the rectification of inaccurate personal data concerning you in accordance with the legal regulations.
  • Right to erasure and restriction of processing: You shall have the right to obtain the erasure of personal data concerning you without undue delay in accordance with the legal regulations or to obtain restriction of processing in accordance with the legal regulations.
  • Right to data portability: You shall have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller in accordance with the legal regulations.
  • Right to lodge a complaint with a supervisory authority: In accordance with the legal regulations and notwithstanding a different administrative law or judicial appeal, you also have the right to lodge a complaint with a supervisory authority, in particular, a supervisory authority in the Member State in which you normally reside, the supervisory authority of your place of work or the place of the alleged violation if you are of the opinion that the processing of your personal data violates the GDPR.

GLOSSARY

This section provides you with an overview of the terms used in this data privacy statement. Many terms are taken from the legislation and are defined in Art. 4 of the GDPR in particular. The legal definitions are binding. The following explanations, on the other hand, are to aid with comprehension. The terms are sorted alphabetically.

  • IP masking: “IP masking” designates a method in which the last octet, i.e. the last two numbers in an IP address, are deleted so that the IP address can no longer be used to identify a person clearly. IP masking is therefore a form of anonymisation for processing procedures, particularly in online marketing.
  • Conversion measurement: Conversion measurement (also known as “conversion tracking”) is a procedure to determine the effectiveness of marketing measures. To do this, a cookie is normally set on the users’ devices within the websites on which the marketing measures are taking place, saved and then called again on the target website. For example, we can use this to determine whether any of the advertisements that we placed on other websites were successful.
  • Personal data: “Personal data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. a cookie) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
  • Profiles with user-related information: Processing “Profiles with user-related information”, also known as “Profiling”, means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person (depending on the type of profiling, this could be different information relating to demographics, behaviour and interests, such as interactions with websites and their contents, etc.), to analyse them, evaluate them or to predict them (e.g. interest in certain contents or products, the click behaviour on a website or the location). Cookies and web beacons are often used for profiling.
  • Reach measurement: Reach measurement (also known as Web Analytics) is used to evaluate the visitor flows of a web presence and can record the behaviour or interests of the visitors to certain information such as contents of websites. Website owners can use the reach analysis to find out when people visit their website and what content they find interesting. They can therefore adjust the contents of the website better to their visitors’ requirements. Pseudonym cookies and web beacons are often used for reach analysis, in order to detect repeat visitors and therefore to obtain more precise analyses regarding the use of a web presence.
  • Remarketing: You talk of “remarketing” or “retargeting” for example if you note the products that a user is interested in for advertising purposes in order to remind the user of these products on other websites, e.g. through advertisements.
  • Controller: “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
  • Processing: “Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means. The term is wide-reaching and covers virtually any handling of data, be it collection, evaluation, storage, transmission or erasure.
  • Target group formation: You talk of target group formation (or “Custom Audiences”) when target groups are to be determined for advertising purposes, e.g. showing advertisements. For example, a user’s interest in certain products or topics on the internet can be used to conclude that this user would be interested in advertisements for similar products or the online shop in which they looked at the products. You talk of “Lookalike Audiences” (or similar target groups) if the contents that were judged to be suitable are shown to users whose profiles or interests probably correspond to those of the users for whom the profiles were established. Cookies and web beacons are normally used to form Custom Audiences and Lookalike Audiences.

Created using datenschutz-Generator.de from Dr. Thomas Schwenke