Privacy Policy

Data Policy

Table of Contents

  • Controller
  • Overview of Processing Activities
  • Legal Bases for Processing
  • Security Measures
  • Transmission of Personal Data
  • International Data Transfers
  • Rights of Data Subjects
  • Use of Cookies
  • Provision of Online Services and Web Hosting
  • Contact and Inquiry Management
  • Web Analysis, Monitoring, and Optimization
  • Online Marketing
  • Presence on Social Media

Responsible person

Overview of processing

The following overview summarizes the types of data processed and the purposes of their processing, and refers to the individuals affected.

Types of processed data

  • Contact details.
  • Content data.
  • Usage data.
  • Meta, communication and procedural data.

Categories of individuals affected

  • Communication partners.
  • Users.

Purposes of processing

  • Contact inquiries and communication.
  • Security measures.
  • Reach measurement.
  • Tracking.
  • Administration and response to inquiries.
  • Feedback.
  • Marketing.
  • Profiles with user-related information.
  • Provision of our online offering and user-friendliness.
  • Information technology infrastructure.

Relevant Legal Basis

Relevant legal basis according to the GDPR: Below you will find an overview of the legal bases of the GDPR on which we process personal data. Please note that in addition to the provisions of the GDPR, national data protection regulations may apply in your or our country of residence or domicile. If more specific legal bases are applicable in individual cases, we will inform you of these in the data protection declaration.

  • Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR) - The data subject has given consent to the processing of his or her personal data for one or more specific purposes.
  • Performance of a contract and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR) - Processing is necessary for the performance of a contract to which the data subject is a party or for the implementation of pre-contractual measures taken at the data subject's request.
  • Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR) - Processing is necessary to protect the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

National data protection regulations in Germany: In addition to the data protection regulations of the GDPR, national regulations on data protection apply in Germany. This includes in particular the Federal Data Protection Act (Bundesdatenschutzgesetz - BDSG). The BDSG contains special regulations, in particular on the right to information, the right to deletion, the right to object, the processing of special categories of personal data, processing for other purposes and transmission, as well as automated decision-making and profiling. In addition, data protection laws of the individual federal states may apply.

Reference to the applicability of the GDPR and Swiss DPA: These data protection notices serve to provide information in accordance with the Swiss Federal Data Protection Act (Swiss DPA) as well as the General Data Protection Regulation (GDPR). For this reason, please note that the terms used in the GDPR are used due to their broader geographical application and comprehensibility. In particular, instead of the terms "processing" of "personal data", "overriding interest" and "particularly sensitive personal data" used in the Swiss DPA, the terms "processing" of "personal data", "legitimate interest" and "special categories of data" used in the GDPR are used. However, the legal meaning of the terms continues to be determined in accordance with the Swiss DPA within the scope of the applicability of the Swiss DPA.

Security measures

We take appropriate technical and organizational measures in accordance with the legal requirements, taking into account the state of the art, the implementation costs and the nature, scope, circumstances and purposes of processing as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons, in order to ensure a level of security appropriate to the risk.

These measures include, in particular, ensuring the confidentiality, integrity and availability of data by controlling physical and electronic access to the data as well as access, input, disclosure, availability and separation. Furthermore, we have established procedures to ensure the exercise of data subject rights, the erasure of data and the response to data threats. We also take into account the protection of personal data already during the development or selection of hardware, software and procedures, in accordance with the principle of data protection by design and by default.

Transmission of Personal Data

In the course of our processing of personal data, it may happen that the data is transferred to other companies, legally independent organizational units or persons or that it is disclosed to them. Recipients of this data may include, for example, IT service providers or providers of services and content that are integrated into a website. In such cases, we comply with the legal requirements and, in particular, conclude appropriate contracts or agreements with the recipients of your data that serve to protect your data.

International Data Transfers

Processing of data in third countries: If we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or if the processing takes place in the context of the use of third-party services or the disclosure or transfer of data to other persons, entities or companies, this will only be done in accordance with the legal requirements. If the level of data protection in the third country has been recognized by an adequacy decision (Article 45 GDPR), this serves as the basis for the transfer of data. In all other cases, data transfers will only take place if the level of data protection is otherwise guaranteed, in particular by means of standard contractual clauses (Article 46(2)(c) GDPR), explicit consent or if the transfer is necessary for the performance of a contract or the implementation of pre-contractual measures (Article 49(1) GDPR). In addition, we will inform you about the basis for the transfer to third countries for each provider from third countries, with adequacy decisions taking precedence as the basis. Information on third country transfers and adequacy decisions can be found in the information provided by the European Commission: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection_en.

EU-US Trans-Atlantic Data Privacy Framework: As part of the so-called "Data Privacy Framework" (DPF), the European Commission has also recognized the level of data protection as safe for certain companies from the USA in the adequacy decision of 10 July 2023. The list of certified companies as well as further information on the DPF can be found on the website of the US Department of Commerce at https://www.dataprivacyframework.gov/. We will inform you in the context of the data protection notices which service providers used by us are certified under the Data Privacy Framework.

Rights of the Data Subject

Rights of the data subject under the GDPR: As a data subject, you have various rights under the GDPR, which arise in particular from Articles 15 to 21 of the GDPR:

  • Right to object: You have the right to object at any time, for reasons arising from your particular situation, to the processing of personal data concerning you which is carried out on the basis of Article 6(1)(e) or (f) GDPR, including profiling based on those provisions. Where personal data relating to you is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data relating to you for the purpose of such marketing, including profiling insofar as it is related to such direct marketing.
  • Right to withdraw consent: You have the right to withdraw your consent at any time.
  • Right of access: You have the right to obtain confirmation as to whether or not personal data concerning you is being processed, and, where that is the case, access to the personal data and the information specified in the legal requirements.
  • Right to rectification: You have the right to obtain the rectification of inaccurate personal data concerning you or the completion of incomplete personal data in accordance with the legal requirements.
  • Right to erasure and restriction of processing: You have the right to obtain the erasure of personal data concerning you without undue delay or, alternatively, the restriction of processing in accordance with the legal requirements.
  • Right to data portability: You have the right to receive the personal data concerning you, which you have provided to us, in accordance with the legal requirements, in a structured, commonly used and machine-readable format or to request the transmission of this data to another controller.
  • Right to lodge a complaint with a supervisory authority: Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement, if you consider that the processing of personal data relating to you infringes the provisions of the GDPR.

Use of Cookies

Cookies are small text files or other storage markers that store information on end devices and read information from end devices. They are used, for example, to store the login status in a user account, the contents of a shopping cart in an online shop, the accessed content or the functions used in an online offer. Cookies can also be used for various purposes, such as functionality, security, and convenience of online offers, as well as for creating analyses of visitor flows.

Notes on consent: We use cookies in accordance with legal regulations. Therefore, we obtain prior consent from users, unless it is not required by law. Consent is not necessary, in particular, if storing and reading information, including cookies, is essential to provide users with a telemedia service (i.e., our online offer) that they explicitly requested. Cookies that are essential usually include cookies with functions related to the display and operation of the online offer, load balancing, security, storage of user preferences and choices, or similar purposes related to providing the main and ancillary functions of the requested online offer. The revocable consent is clearly communicated to users and contains information about the respective cookie usage.

Notes on data protection legal bases: The legal basis for processing users' personal data using cookies depends on whether we ask users for consent. If users give their consent, the legal basis for processing their data is the declared consent. Otherwise, the data processed using cookies are based on our legitimate interests (e.g., in the economic operation of our online offer and improving its usability) or, if the use of cookies is necessary to fulfill our contractual obligations, the data is processed based on the performance of a contract. We will clarify the purposes for which we process cookies during the course of this privacy policy or as part of our consent and processing procedures.

Storage duration: In terms of storage duration, the following types of cookies are distinguished:

  • Temporary cookies (also known as session cookies): Temporary cookies are deleted at the latest after a user leaves an online offer and closes their end device (e.g., browser or mobile application).
  • Persistent cookies: Persistent cookies remain stored even after closing the end device. For example, the login status can be saved or preferred content can be displayed directly when the user visits a website again. The data collected using cookies can also be used for measuring reach. If we do not provide explicit information about the type and storage duration of cookies (e.g., as part of obtaining consent), users should assume that cookies are persistent and can be stored for up to two years.

General information on revocation and objection (so-called "opt-out"): Users can revoke their consent given at any time and object to the processing of their data in accordance with legal requirements. To do this, users can restrict the use of cookies in their browser settings (which may also limit the functionality of our online offer). Objection to the use of cookies for online marketing purposes can also be declared via the websites https://optout.aboutads.info and https://www.youronlinechoices.com/.

  • Legal bases: Legitimate interests (Art. 6(1)(f) GDPR), Consent (Art. 6(1)(a) GDPR).

Further information on processing operations, procedures, and services:

  • Processing of cookie data based on consent: We use a cookie consent management procedure in which users' consent to the use of cookies, as well as the processing and providers mentioned in the cookie consent management procedure, can be obtained, managed, and revoked by users. The consent declaration is stored to avoid having to repeat the consent request and to be able to provide evidence of consent in accordance with legal obligations. Storage can be done server-side and/or in a cookie (so-called opt-in cookie or similar technologies) to assign the consent to a user or their device. Unless individual information about the providers of cookie management services is provided, the following information applies: The duration of consent storage can be up to two years. In this case, a pseudonymous user identifier is created and stored together with the time of consent, information about the scope of consent (e.g., which categories of cookies and/or service providers), as well as the browser, system, and device used; Legal basis: Consent (Art. 6(1)(a) GDPR).

Provision of the online offer and web hosting

We process users' data in order to provide them with our online services. For this purpose, we process the user's IP address, which is necessary to transmit the contents and functions of our online services to the user's browser or end device.

  • Processed data types: Usage data (e.g., visited websites, interest in content, access times); Meta and communication data (e.g., IP addresses, time information, identification numbers, consent status).
  • Data subjects: Users (e.g., website visitors, users of online services).
  • Purposes of processing: Provision of our online offer and user-friendliness; IT infrastructure (operation and provision of information systems and technical devices such as computers, servers, etc.); Security measures.
  • Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).

Further information on processing operations, procedures, and services:

  • Collection of access data and log files: Access to our online offer is logged in the form of server log files. Server log files may include the address and name of the accessed websites and files, date and time of access, data volume transferred, message about successful access, browser type and version, the user's operating system, referrer URL (the previously visited page), and usually IP addresses and the requesting provider. Server log files can be used, among other things, for security purposes, e.g., to avoid server overload (especially in the case of abusive attacks, so-called DDoS attacks), and to ensure the load and stability of the servers; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR). Data deletion: Log file information is stored for a maximum of 30 days and then deleted or anonymized. Data that needs to be kept for evidentiary purposes is exempt from deletion until the respective incident has been finally clarified.

Contact and inquiry management

When contacting us (e.g., by post, contact form, email, telephone, or via social media) and in the context of existing user and business relationships, the information provided by the inquiring individuals is processed to the extent necessary to respond to the contact inquiries and any requested measures.

  • Processed data types: Contact details (e.g., email, telephone numbers); Content data (e.g., entries in online forms); Usage data (e.g., visited websites, interest in content, access times); Meta and communication data (e.g., IP addresses, time information, identification numbers, consent status).
  • Data subjects: Communication partners.
  • Purposes of processing: Contact inquiries and communication; Management and response to inquiries; Feedback (e.g., collecting feedback via online form); Provision of our online offer and user-friendliness.
  • Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR).

Further information on processing operations, procedures, and services:

  • Contact form: When users contact us via our contact form, email, or other communication channels, we process the data provided to us in this context to process the respective request; Legal basis: Performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR), Legitimate interests (Art. 6(1)(f) GDPR).

Web analysis, monitoring, and optimization

Web analysis (also known as "reach measurement") is used to evaluate the visitor flows of our online offer and can include behavior, interests, or demographic information about visitors, such as age or gender, as pseudonymous values. With the help of reach analysis, we can, for example, determine the time at which our online offer or its functions or content are most frequently used or invite reuse. We can also identify areas that require optimization.

In addition to web analysis, we may also use testing procedures to test and optimize different versions of our online offer or its components.

Unless otherwise stated below, profiles, i.e., data summarized for a usage process, can be created and information can be stored and read in a browser or on an end device for these purposes. The information collected includes, in particular, visited websites and elements used there, as well as technical information such as the browser used, the computer system used, and information about usage times. If users have given their consent to us or the providers of the services we use for the collection of their location data, location data can also be processed.

The IP addresses of the users are also stored. However, we use an IP masking procedure (i.e., pseudonymization by shortening the IP address) to protect the users. In general, we do not store clear data of the users (such as email addresses or names) as part of web analysis, A/B testing, and optimization, but pseudonyms. This means that we, as well as the providers of the software used, do not know the actual identity of the users, but only the information stored in their profiles for the purposes of the respective procedures.

  • Processed data types: Usage data (e.g., visited websites, interest in content, access times); Meta and communication data (e.g., IP addresses, time information, identification numbers, consent status).
  • Data subjects: Users (e.g., website visitors, users of online services).
  • Purposes of processing: Reach measurement (e.g., access statistics, detection of recurring visitors); Profiles with user-related information (creating user profiles).
  • Security measures: IP masking (pseudonymization of the IP address).

Online Marketing

We process personal data for the purposes of online marketing, including the marketing of advertising space or the display of advertising and other content (collectively referred to as "content") based on potential user interests, as well as measuring their effectiveness.

For these purposes, so-called user profiles are created and stored in a file (known as a "cookie") or similar methods are used to store information relevant to the display of the aforementioned content. This information may include viewed content, visited websites, online networks used, as well as communication partners and technical information such as the browser used, the computer system used, and information about usage times and functions used. If users have consented to the collection of their location data, this data may also be processed.

IP addresses of users are also stored. However, we use available IP masking methods (i.e., pseudonymization by shortening the IP address) to protect users. In general, no clear data of users (such as email addresses or names) are stored within the online marketing procedures, but pseudonyms are used. This means that neither we nor the providers of the online marketing procedures know the actual identity of the users, only the information stored in their profiles.

The information in the profiles is usually stored in cookies or similar methods. These cookies can also be read on other websites that use the same online marketing procedures, analyzed for the purpose of displaying content, supplemented with additional data, and stored on the server of the online marketing procedure provider.

Clear data can be assigned to the profiles in exceptional cases. This is the case, for example, if users are members of a social network whose online marketing procedure we use and the network connects the profiles of the users with the aforementioned information. Please note that users may have additional agreements with the providers, for example through consent during registration.

We generally only have access to aggregated information about the success of our advertisements. However, we can check within the scope of so-called conversion tracking which of our online marketing procedures has led to a conversion, i.e., for example, to a contract conclusion with us. The conversion tracking is used solely for the analysis of the success of our marketing measures.

Unless otherwise stated, please assume that the cookies used will be stored for a period of two years.

  • Processed data types: Usage data (e.g., visited websites, interest in content, access times); Meta, communication, and process data (e.g., IP addresses, time information, identification numbers, consent status).
  • Data subjects: Users (e.g., website visitors, users of online services).
  • Purposes of processing: Reach measurement (e.g., access statistics, recognition of returning visitors); Tracking (e.g., interest/behavior-based profiling, use of cookies); Marketing. Profiles with user-related information (creating user profiles).
  • Security measures: IP masking (pseudonymization of the IP address).
  • Possibility of objection (opt-out): We refer to the data protection notices of the respective providers and the opt-out options indicated by the providers (so-called "opt-out"). If no explicit opt-out option has been specified, there is the possibility, for example, to disable cookies in your browser settings. However, this may restrict the functions of our online offer. Therefore, we also recommend the following opt-out options, which are summarized according to their respective areas: a) Europe: https://www.youronlinechoices.eu. b) Canada: https://www.youradchoices.ca/choices. c) USA: https://www.aboutads.info/choices. d) Cross-regional: https://optout.aboutads.info.

Presence on social networks (Social Media)

We maintain online presences within social networks and process user data within this framework in order to communicate with the active users there or to provide information about us.

We would like to point out that user data may be processed outside the European Union. This may result in risks for users, as it may make it more difficult, for example, to enforce user rights.

Furthermore, user data is usually processed within social networks for market research and advertising purposes. For example, usage behavior and resulting user interests can be used to create usage profiles. These usage profiles can in turn be used to display advertisements inside and outside the networks that are likely to correspond to the interests of the users. For these purposes, cookies are usually stored on the users' computers, in which the users' usage behavior and interests are stored. Furthermore, data can also be stored in the usage profiles independently of the devices used by the users (especially if the users are members of the respective platforms and are logged in to them).

For a detailed presentation of the respective processing methods and the options for objection (opt-out), please refer to the data protection declarations and information provided by the operators of the respective networks.

Even in the case of information requests and the exercise of data subject rights, we would like to point out that these can be most effectively exercised with the providers. Only the providers have access to the data of the users and can take appropriate measures and provide information directly. If you still need assistance, you can contact us.

  • Processed data types: Contact data (e.g., email, phone numbers); Content data (e.g., entries in online forms); Usage data (e.g., visited websites, interest in content, access times); Meta, communication, and process data (e.g., IP addresses, time information, identification numbers, consent status).
  • Data subjects: Users (e.g., website visitors, users of online services).
  • Purposes of processing: Contact inquiries and communication; Feedback (e.g., collecting feedback via online form); Marketing.
  • Legal basis: Legitimate interests (Art. 6 (1) sentence 1 lit. f) GDPR).

Further information on processing operations, procedures, and services:

  • Instagram: Social network; Service provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland; Legal basis: Legitimate interests (Art. 6 (1) sentence 1 lit. f) GDPR); Website: https://www.instagram.com. Privacy policy: https://instagram.com/about/legal/privacy.
  • Facebook Pages: Profiles within the social network Facebook - We are jointly responsible with Meta Platforms Ireland Limited for the collection (but not further processing) of data of visitors to our Facebook page (so-called "fan page"). This data includes information about the types of content users view or interact with, or actions they take (see "Things you and others do and provide" in the Facebook data policy: https://www.facebook.com/policy), as well as information about the devices used by users (e.g., IP addresses, operating systems, browser type, language settings, cookie data; see "Device Information" in the Facebook data policy: https://www.facebook.com/policy). As explained in the Facebook data policy under "How do we use this information?", Facebook also collects and uses information to provide analysis services, so-called "Page Insights," for page operators to gain insights into how people interact with their pages and associated content. We have entered into a special agreement with Facebook ("Information about Page Insights," https://www.facebook.com/legal/terms/page_controller_addendum), which in particular regulates the security measures Facebook must observe and in which Facebook has agreed to fulfill the rights of data subjects (i.e., users can, for example, address requests for information or deletion directly to Facebook). The rights of users (in particular to information, deletion, objection, and complaint to the competent supervisory authority) are not restricted by the agreements with Facebook. Further information can be found in the "Information about Page Insights" (https://www.facebook.com/legal/terms/information_about_page_insights_data); Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal basis: Legitimate interests (Art. 6 (1) sentence 1 lit. f) GDPR); Website: https://www.facebook.com; Privacy policy: https://www.facebook.com/about/privacy; Basis for transfer to third countries: EU-US Data Privacy Framework (DPF), standard contractual clauses (https://www.facebook.com/legal/EU_data_transfer_addendum). Further information: Agreement on joint responsibility: https://www.facebook.com/legal/terms/information_about_page_insights_data. The joint responsibility is limited to the collection and transmission of data to Meta Platforms Ireland Limited, a company based in the EU. The further processing of the data is the sole responsibility of Meta Platforms Ireland Limited, especially regarding the transmission of data to the parent company Meta Platforms, Inc. in the USA (based on the standard contractual clauses concluded between Meta Platforms Ireland Limited and Meta Platforms, Inc).
  • LinkedIn: Social network; Service provider: LinkedIn Ireland Unlimited Company, Wilton Plaza Wilton Place, Dublin 2, Ireland; Legal basis: Legitimate interests (Art. 6 (1) sentence 1 lit. f) GDPR); Website: https://www.linkedin.com; Privacy policy: https://www.linkedin.com/legal/privacy-policy; Data processing agreement: https://legal.linkedin.com/dpa; Basis for transfer to third countries: Standard contractual clauses (https://legal.linkedin.com/dpa). Possibility of objection (opt-out): https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.