TYPES OF DATA PROCESSED
- User data (e.g. name and address)
- Contact data (e.g. e-mail address, telephone numbers)
- Content data (e.g. text input, photographs, videos)
- Usage data (e.g. websites visited, interest in content, times of visits)
- Metadata/Communication data (e.g. information about devices used, IP addresses)
PURPOSE OF PROCESSING
- Provision of the online service, its functions and its content
- To respond to contact requests and for communication with users
- Security measures
- Audience reach measurement/Marketing
“Personal data” are all information that relates to an identified or identifiable natural person (hereinafter the “data subject”); a natural person will be considered identifiable if they can be identified directly or indirectly particularly through association with a designation such as a name, an ID number, location data, online identification (e.g. a cookie) or one or more specific features that indicate the physical, physiological, genetic, mental, economic, cultural or social identity of this natural person.
“Processing” is any automated or non-automated process or sequence effected in connection with personal data. The term is far-reaching and covers virtually every use of data.
The “data controller” is the natural or legal person, authority, establishment or other body that alone or with others decides on how and for what purpose personal data are processed.
APPLICABLE LEGAL PROVISIONS
COLLABORATION WITH DATA PROCESSORS AND THIRD PARTIES
Insofar as we disclose data to other individuals and businesses (data processors and third parties), transfer data to them or otherwise give them access to the data within the scope of our processing, this is effected only where this is legally permissible (e.g. where transfer of the data to a third party such as payment service providers is necessary for contract performance in accordance with Art. 6 (1) b) GDPR), where you have given your consent, where a legal obligation exists, or where it is on the basis of our legitimate interests (e.g. in the event that agents, web hosters, etc. are used).
Insofar as we instruct third parties to process data on the basis of a data processing contract, this is done on the basis of Art. 28 GDPR.
TRANSFER TO THIRD COUNTRIES
Insofar as we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or do so by using the services of a third party and/or disclose and/or transfer data to third parties, this is only done in order to fulfill our precontractual and/or contractual obligations, on the basis of your consent, on the basis of a legal obligation or on the basis of our legitimate interests. Subject to statutory or contractual permissions, we process data or have data processed in a third country only where the special conditions set out in Art. 44 ff. GDPR exist. This means that processing is effected on the basis of special guarantees such as the officially recognized establishment of an EU-compliant level of data protection (e.g. the Privacy Shield in the USA) or observation of officially recognized special contractual obligations (what are known as “standard contractual clauses”).
RIGHTS OF THE DATA SUBJECT
Under the provisions of Art. 15 GDPR you have the right to request information about which data are being processed, and the right to information about these data as well as to further information and a copy of the data.
Under the provisions of Art. 16 GDPR you have the right to request the completion of your personal data and/or rectification of incorrect personal data.
Under the provisions of Art. 17 GDPR you have the right to request the immediate erasure of your personal data and/or to request that the processing of your personal data be restricted under the provisions of Art. 18 GDPR.
Under the provisions of Art. 20 GDPR you have the right to receive the personal data that you have provided to us, and the right to have that data transferred to another data controller.
Furthermore, Art. 77 GDPR gives you the right to lodge a complaint with the competent supervisory authority.
RIGHT TO WITHDRAW CONSENT
Under the provisions of Art. 7 (3) GDPR you have the right to withdraw any consents you have given with future effect.
RIGHT TO OBJECT
Under the provisions of Art. 21 GDPR you may object at any time to the future processing of your personal data. This objection may most notably be exercised against processing for the purposes of direct advertising.
COOKIES AND THE RIGHT TO OBJECT TO DIRECT ADVERTISING
Cookies are small files that are stored on your computer. Various information may be stored on cookies. The main purpose of a cookie is to store information about you, as a user (such as the device on which the cookie is stored) during and/or after your visit to an online service. Cookies that are deleted after you have left the online service and closed your browser are known as temporary, session, or transient cookies. This kind of cookie may, for example, store the contents of your shopping cart in an online store or your login status.
Permanent or persistent cookies are those cookies that remain stored on your device even after the browser is closed. This means that your login status can be stored when you return to the service at some later date. Equally, this kind of cookie can store your interests and this information is used to measure audience reach or for marketing purposes. Third-party cookies are those cookies that are placed by providers other than the party providing the online service (that party’s cookies are known as first-party cookies).
If you do not wish cookies to be stored on your computer, you should deactivate them by adjusting your browser settings accordingly. Browser settings can be used to delete cookies that are already stored. Blocking cookies may reduce the functionality of this online service.
ERASURE OF DATA
Under the provisions of German law, the most notable retention periods are 10 years in accordance with Art. 147 (1), Art. 257 (1) 1) and 4) AO (German Tax Code), Art. 4 HGB (German Commercial Code) (books, records, situation reports, booking receipts, account books, documents relevant for tax purposes, etc.), and 6 years in accordance with Art. 257 (1) 2) and 3), and (4) HGB (business correspondence).
Under the provisions of Austrian law, the most notable retention periods are 7 years (accounting documents, receipts/invoices, accounts, vouchers, business papers, records of income and outgoings, etc.) in accordance with Art. 132 (1) BAO (Austrian Tax Code), 22 years in connection with real estate lots, and 10 years for documentation connected with services provided electronically, telecommunications, radio and television services provided to non-entrepreneurs in EU member states, and those services for which the Mini-One-Stop-Shop (MOSS) is used.
We also process
- contractual data (e.g. subject matter of the contract, contract term, customer category)
- payment data (e.g. bank details, payment history)
of our customers, leads and business partners for the purpose of providing contractual services, service and customer care, marketing, advertising, and market research.
The hosting services we use serve the provision of the following services: infrastructure and platform services, computing capacity, storage and database services, security services, and technical maintenance services that we use for the purpose of operating this online service.
In doing so we process, for example, our hosting provider’s user data, contact data, content data, contractual data, usage data, meta data and communication data of customers, leads, and visitors to this online service on the basis of our legitimate interests in an efficient and secure provision of this online service in accordance with Art. 6 (1) f) GDPR in conjunction with Art. 28 GDPR (conclusion of a processing contract).
COLLECTION OF ACCESS DATA AND LOG FILES
We and/or our hosting provider collect data in what are known as log files every time the server on which this service is located is accessed, on the basis of our legitimate interest in the sense of Art. 6 (1) f) GDPR. These access data include the name of the web page visited, file, date and time of the visit, transferred data volume, report on successful retrieval, browser type and version, the user’s operating system, the referrer URL (the previously visited page), IP address and the name of the internet services provider.
Log file information is stored for a maximum of 7 days for security reasons (e.g. to establish misuse or fraudulent acts) and then erased. Data which need to be retained for longer for evidence are not erased until the respective incident has been finalized.
ORDER HANDLING AT THE ONLINE STORE; CUSTOMER ACCOUNT
We process your data when you place an order in our online store so that we can enable you to select and order your chosen products and services, and to enable payment and delivery and/or execution.
The data processed includes user data, communication data, contractual data, payment data and the data subjects include our customers, leads and other business partners. Processing is effected for the purpose of providing contractual services within the scope of operating an online store, invoicing, delivery, and customer service. In doing so, we use session cookies to store the contents of shopping carts, and permanent cookies to store the user’s login status.
Processing is effected on the basis of Art. 6 (1) b) (handling order processes) and c) (legally obligatory processing) GDPR whereby the details designated as mandatory are required for the establishment and performance of the contract. We only disclose the data to third parties within the scope of delivery, payment or within the scope of legal permissions and obligations to legal consultants and authorities. The data are only processed in third countries where this is necessary for contract performance (e.g. for delivery or payment at the customer’s request).
If you wish, you may create a user account where, most notably, you can view your orders. During registration, you are notified about mandatory information. User accounts are not public and cannot be indexed by search engines. If you cancel your account, your data are erased in terms of the user account subject to their retention being required under commercial or fiscal law as set out in Art. 6 (1) c) GDPR. Data in the customer account are retained until the account is deleted and subsequently archived in the event of a legal obligation. You are obliged to secure your data when you close your account prior to the end of the contract.
Within the scope of first registration and subsequent registrations, and the use of our online services, we store your IP address and the time of your respective user activity. Storage is on the basis of our and your legitimate interest in protection against misuse or other unauthorized use. These data are not disclosed to third parties save where this is necessary to pursue our claims or where a legal obligation exists as set out in Art. 6 (1) c) GDPR.
Data are erased after any statutory warranty and similar retention periods have elapsed. The necessity of retaining data is checked every three years; in the event of statutory archiving obligations, erasure is effected once they have lapsed (6-year obligatory retention period under commercial law and 10 years under fiscal law).
We process our customers’ data within the scope of our contractual services which include conceptual and strategic consultancy, campaign planning, software and design development/consultancy or maintenance, implementation of campaigns and processes/handling, server administration, data analysis / consultancy services and training services.
In doing so we process user data (e.g. customer user data such as names or addresses), contact data (e.g. e-mail addresses, telephone numbers), content data (e.g. text input, photographs, videos), contractual data (e.g. subject matter of the contract, contract term), payment data (e.g. bank details, payment history), usage and meta data (e.g. within the scope of analyzing and measuring the success of marketing measures). We do not process special categories of personal data save where these form part of a contracted processing. The data subjects include our customers, leads, and their customers, users, website visitors or employees, and third parties. The purpose of processing lies in the provision of contractual services, invoicing, and our customer service. Art. 6 (1) b) GDPR (contractual services) and Art. 6 (1) f) GDPR (analysis, statistics, optimization, security measures) form the legal basis for processing. We process data that are necessary to establish and provide contractual services and we draw attention to the need to provide these data. They are only disclosed to third parties where this is necessary within the scope of a contract. When processing data within the scope of a contract, we act on the instruction of the client and we comply with the statutory requirements for contracted processing as set out in Art. 28 GDPR, and we do not process the data for any purpose other than that specified in the contract.
We erase the data once statutory warranty and similar retention obligations have lapsed. The necessity of retaining data is checked every three years; in the event of statutory archiving obligations, erasure is effected once they have lapsed (6-year obligatory retention period under the provisions of Art. 257 (1) of the German Commercial Code; 10 years under the provisions of Art. 147 (1) of the German Tax Code). In the case of data that are disclosed to us by the client within the scope of a contract, we erase the data in accordance with the terms of the contract, and always once the contract has ended.
ADMINISTRATION, ACCOUNTING, OFFICE ORGANIZATION, CONTACT MANAGEMENT
We process data within the scope of administrative duties and the organization of our business, accounting, and complying with legal obligations such as archiving. In doing so we process the same data that we process within the scope of providing our contractual services. Art. 6 (1) c) GDPR and Art. 6 (1) f) GDPR form the legal basis for processing. This processing affects customers, leads, business partners and website visitors. The purpose of and our interest in processing lies in administration, accounting, office organization, and archiving of data. In other words, tasks that serve the maintenance of our business activities, administration of our duties, and provision of our services. The erasure of the data with regard to contractual services and contractual communication corresponds with the details specified for these processing activities.
In the course of processing we disclose or transfer data to financial authorities, consultants such as tax consultants or auditors, and other billing centers and payment service providers.
On the basis of our commercial interests we furthermore store data about suppliers, event organizers and other business partners for the purpose of, say, making contact in future. We permanently store these data, the majority of which are business-related.
PRIVACY WITH REGARD TO JOB APPLICATION PROCESSES
We only process job candidate data for the purpose of and within the scope of handling job application processes in compliance with the statutory requirements. The processing of candidates’ data is effected to fulfill our precontractual and contractual obligations within the scope of the job application process in the sense of Art. 6 (1) b) GDPR and Art. 6 (1) f) GDPR insofar as the data processing is necessary to us within the scope of legal processes (in Germany, Art. 26 BDSG – Data Protection Act – also applies).
The job application process presupposes that candidates share their details with us. Insofar as we provide an online form, the required candidate data are specifically indicated, and can otherwise be recognized from the given job descriptions. These data include information about the individual, mail and contact addresses, and the documentation for the individual’s application such as a letter, resumé, and certificates. Candidates may also share additional information with us voluntarily.
Insofar as special categories of personal data in the sense of Art. 9 (1) GDPR are shared voluntarily within the scope of the job application process, the processing of these data is also in accordance with Art. 9 (2) b) GDPR (e.g. health data such as the existence of severe disability, or ethnic origin). Insofar as special categories of personal data in the sense of Art. 9 (1) GDPR are solicited from applicants, these data are also processed in accordance with Art. 9 (2) a) GDPR (e.g. health data where these are necessary for the performance of the respective job).
Candidates may send us their applications by using an online form on our website, where available. The data will be transferred to us in encrypted form in keeping with the latest technological standard.
Candidates may furthermore send us their applications by e-mail. In this case, however, we would point out that e-mails are not sent in encrypted form and that candidates must themselves arrange encryption. We can therefore accept no responsibility for the application’s journey from the sender to our server. We would thus recommend the use of an online form or a mail application: instead of sending applications via the online form or e-mail, candidates still have the option of sending us their application by mail.
The data provided to us by candidates may be processed further by us in the event of a successful application for purposes relating to an employment relationship. Otherwise, where the job application is not successful, the candidate’s data are erased. Candidates’ data are also erased if they withdraw their application, which candidates are entitled to do at any time.
Subject to a justified objection by the candidate, data are erased after a period of six months has elapsed, so that we can respond to any follow-up questions about the application, and can meet our obligation to provide proof arising out of the Equal Opportunities Act. Invoices for any reimbursement of travel expenses are archived in accordance with the provisions of fiscal law.
Within the scope of application, we offer candidates the opportunity to be listed in our “Talent Pool” for a period of two years on the basis of their consent in the sense of Art. 6 (1) b) and Art. 7 GDPR.
The application documentation contained in the Talent Pool is solely processed in connection with future job vacancies and sourcing candidates, and is erased at latest on expiry of the retention deadline. Candidates are informed that their consent to inclusion in the Talent Pool is voluntary, that it has no influence on the ongoing job application process, that their consent may be withdrawn at any time with future effect, and that they may object in the sense of Art. 21 GDPR.
When you make contact with us (e.g. by contact form, e-mail, telephone, or via social media) your data are processed for the purpose of dealing with the contact request and resolving it in accordance with Art. 6 (1) b) GDPR. Your data may be stored in a customer relationship management system (CRM system) or some similar request organization system.
We erase queries once they are no longer required. We examine their necessity every two years. The statutory archiving retention periods also apply.
The following informs you about the content of our newsletter, subscription, dispatch, and statistical analysis procedures, and your rights to object. By subscribing to our newsletter you consent to receiving the newsletter and to the procedures described.
Content of the newsletter: We send newsletters, e-mails and other electronic notifications containing advertising information (hereinafter “newsletter”) only with the consent of the recipient or on the basis of legal permission. Where, in the course of subscription to the newsletter, its contents are concretely outlined, those contents shall be material to the user’s consent. Otherwise our newsletter contains information about us and our services.
Double opt-in and logging: A double opt-in procedure is used for subscription to our newsletter. This means that after you subscribe, you will receive an e-mail in which you will be asked to confirm your subscription. This confirmation is necessary to ensure that nobody can subscribe using someone else’s e-mail address. Subscription to the newsletter is logged in order to prove that the subscription process has been effected in accordance with legal requirements. This logging includes storage of the time of the subscription and confirmation and your IP address. The changes to your data stored with the dispatch service provider will also be logged.
Subscription data: In order to subscribe to the newsletter you only need to provide your e-mail address. So that we can address you by name in the newsletter, we may ask you to optionally state your name.
Germany: The dispatch of the newsletter and the success measurement associated with it are effected on the basis of the recipient’s consent in accordance with Art. 6 (1) a) and Art. 7 GDPR in conjunction with Art. 7 (2) 3) UWG (Act against Unfair Competition) and/or on the basis of legal permission in accordance with Art. 7 (3) UWG.
The logging of the subscription process is effected on the basis of our legitimate interests under the provisions of Art. 6 (1) f) GDPR. Our interest lies in the use of a user-friendly and secure newsletter system that both serves our business interests and meets users’ expectations, and furthermore provides us with proof of consent.
Unsubscribing/Withdrawal: You may unsubscribe from our newsletter at any time, i.e. you may withdraw your consent. You will find a link to unsubscribe from the newsletter at the end of every newsletter. We may store removed e-mail addresses for up to three years on the basis of our legitimate interests before we erase them so that we can prove that consent has previously been granted. The processing of these data is restricted to possible defense against claims. An individual application for erasure may be made at any time provided that the existence of a previous consent is confirmed at the same time.
NEWSLETTER – E-MAIL MARKETING SERVICE PROVIDER
The e-mail marketing service provider may use the recipient’s data in pseudonymized form, i.e. without associating them with a specific user, to optimize or improve its own services, e.g. for the technical optimization of mailing and displaying the newsletter, or for statistical purposes. The e-mail marketing service provider does not however use the newsletter recipient’s data to write to the latter, nor does it share the data with third parties.
NEWSLETTER – MEASURING SUCCESS
Our newsletters contain what is known as a web beacon. This is a pixel-size file that is retrieved from our server and/or, insofar as we use an e-mail marketing service provider, from the latter’s server when you open the newsletter. This retrieval initially results in the collection of technical information such as details about the browser and system you are using, as well as your IP address and the time you opened the newsletter.
This information is used for the technical improvement of the service on the basis of the technical data or the target groups and their reading behavior on the basis of the places in which they opened the newsletter (that can be identified with the help of the IP address) or their access times. Statistical data collected also includes details of whether the newsletter is opened, when it is opened and which links are clicked. Although, for technical reasons, this information can be associated with the individual newsletter recipient, neither we nor the e-mail marketing service provider, if we use one, has any interest in observing individual users. Rather, these evaluations serve to help us identify our users’ reading habits, and to modify our content or to send users different content related to their interests.
Google has signed up to the Privacy Shield Network which provides a guarantee that it complies with European privacy laws (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
Google uses this information on our behalf to analyze the use of our online service by users, to produce reports about activities relating to this online service, and to provide us with further services related to the use of this online service and of the internet. Pseudonymized user profiles of the users may be generated out of the data processed.
We only use Google Analytics with activated IP anonymization. This means that user IP addresses are abbreviated by Google within the member states of the European Union or in other countries that are signatories to the Agreement on the European Economic Area. Only in exceptional cases is the complete IP address transmitted to a Google server in the USA and abbreviated there.
The IP address that is transmitted by your browser is not associated with other data held by Google. You may prevent the storage of cookies by adjusting your browser settings; you may also prevent the collection by Google of data relating to your use of the online service generated by the cookie and the processing of these data by Google by downloading and installing the browser plugin that is available here: tools.google.com/dlpage/gaoptout.
Users’ personal data are erased or anonymized after 14 months.
FACEBOOK PIXEL, CUSTOM AUDIENCES AND FACEBOOK CONVERSION
On the basis of our legitimate interests in the analysis, optimization and cost-effective operation of our online service and for those purposes, our online service uses the “Facebook Pixel” provided by the social network Facebook which is operated by Facebook Inc., 1 Hacker Way, Menlo Park, CA 94025, USA, and/or if you are based in the EU by Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Facebook”).
Facebook has signed up to the Privacy Shield Network which provides a guarantee that it complies with European privacy laws (https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active).
With the help of the Facebook Pixel, Facebook can on the one hand identify visitors to our online service as a target group for the display of advertising (“Facebook ads”). Accordingly, we use the Facebook Pixel to display our Facebook ads only to those Facebook users who have shown an interest in our online service or who possess certain characteristics (e.g. an interest in specific subjects or products that are identified on the basis of the websites visited) that we transmit to Facebook (“Custom Audiences”). With the help of the Facebook Pixel we also wish to ensure that our Facebook ads are of potential interest to you and do not cause you annoyance. With the help of the Facebook Pixel we can moreover assess the effectiveness of Facebook advertising for statistical and market research purposes, as we can see whether a user is transferred to our website (“conversion”) after clicking on a Facebook ad.
You may refuse the collection of your data by the Facebook Pixel and their use for the display of Facebook ads. To set the type of advertising that you see when on Facebook, you can visit the corresponding Facebook page and follow the instructions about user-based advertising: www.facebook.com/settings. The settings are platform-independent. This means that they will apply across all your devices such as desktop computers or mobile devices.
ONLINE PRESENCE ON SOCIAL MEDIA
We maintain an online presence on social networks and platforms so that we can actively communicate there with customers, leads and users and inform them about our services. When you visit the respective networks and platforms the Terms and Conditions and the privacy policies of the respective operators apply.
INTEGRATION OF THE SERVICES AND CONTENT OF THIRD PARTIES
On the basis of our legitimate interests (i.e. interest in the analysis, optimization and cost-effective operation of our online service in the sense of Art. 6 (1) f) GDPR) within our online service we use the content or services of third-party providers in order to integrate their content and services such as videos or fonts (hereinafter “content”).
Such integration presupposes that the third-party provider of this content recognizes your IP address as they cannot send their content to your browser without your IP address. This means that the IP address is necessary in order to display that content. We endeavor to use only content whose respective providers only use the IP address to deliver that content. Third-party providers may also use what are known as pixel tags (invisible graphics, also known as web beacons) for statistical or marketing purposes. Pixel tags allow information such as visitor traffic to a website’s pages to be analyzed. This pseudonymized information can also be stored on cookies on your device and may include technical information about your browser and operating system, the referring websites, time of the visit and other details, and may also be associated with such information from other sources.
Our website contains maps from the “Google Maps” service provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. The data processed in this instance may most notably include your IP address and location which are not, however, collected without your consent (generally speaking, based on your mobile device’s settings). These data may be processed in the USA.
USE OF FACEBOOK SOCIAL PLUGINS
On the basis of our legitimate interests (i.e. interest in the analysis, optimization and cost-effective operation of our online service in the sense of Art. 6 (1) f) GDPR) we use social plugins (“plugins”) of the social network facebook.com provided by Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Facebook”). The plugins may be interactive elements or content (e.g. videos, graphics or text items) and are marked with the Facebook logo (white “f” on a blue tile, the “Like” or “Thumbs Up” symbol) or are designated as “Facebook Social Plugins”. The list and appearance of Facebook social plugins is available here: developers.facebook.com/docs/plugins/.
Facebook has signed up to the Privacy Shield Network which provides a guarantee that it complies with European privacy laws (https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active).
If you make use of a function of this online service which contains this kind of plugin, your device will create a direct link with the Facebook servers. The content of the plugin is transmitted directly by Facebook to your device and is integrated by Facebook into the online service. The data that are processed at that time can be used to create a usage profile of the user. We have no influence on the scope of the data that Facebook collects with the help of this plugin and we are therefore informing users based on the knowledge we have at present.
By integrating the plugin, Facebook obtains the information that you have visited a given page of the online service. If you are logged into your Facebook account, Facebook can associate your visit with the given Facebook account. If you interact with the plugins, e.g. if you click the “Like” button or leave a comment, the corresponding information will be transmitted directly to Facebook and stored there. If you are not a member of Facebook, it is still possible that Facebook will identify and store your IP address. According to Facebook, in Germany only anonymized IP addresses are stored.
If you are a member of Facebook and do not wish Facebook to collect data about you via this online service, and associate it with your Facebook profile, you must log out of your Facebook account and delete cookies before using our online service. You can adjust other settings and refuse the use of your data for advertising purposes using the Facebook profile settings: www.facebook.com/settings or by going to the US page www.aboutads.info/choices/ or the EU page www.youronlinechoices.com. The settings are platform-independent. This means that they will apply across all your devices such as desktop computers or mobile devices.