Data Privacy Statement
This Data Privacy Statement will inform you about the nature, scope and purpose of the processing of your personal data (hereinafter referred to as ‘data’) within the scope of our website and the associated web pages, functions and content, in addition to our external online presence, such as our social media profiles (hereinafter referred to collectively as ‘online services’). In regard to the terms used, such as ‘processing’ or ‘controller’, we make reference to the definitions provided in Article 4 of the General Data Protection Regulation (GDPR).
Directors: Michael Quast and Marcel Willms
Types of data processed:
– Master data (e.g. names, addresses)
– Contact data (e.g. email, telephone numbers)
– Content data (e.g. text input, photographs, videos)
– Usage data (e.g. websites visited, interest in content, access times)
– Metadata/communication data (e.g. device information, IP addresses).
Purpose of processing
– Making online services, their functions and content available
– Replying to enquiries and communicating with users
– Security measures
– Coverage measurement/marketing
‘Personal data’ means any information which refers to an identified or identifiable natural person (hereinafter referred to as ‘data subject’). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier (e.g. a cookie) or one or more special features which express the physical, physiological, genetic, mental, economic, cultural or social identity of such natural person.
‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means. The term is to be construed broadly, and covers practically any handling of data.
‘Pseudonymisation’ means the processing of personal data in such a way that said personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.
‘Profiling’ means any type of automated processing of personal data consisting of the use of such personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
‘Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
‘Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Relevant legal bases
Pursuant to Article 13 of the GDPR, we would like to inform you of the legal bases for our data processing. If the legal basis is not specified in the Data Privacy Statement, the following shall apply: the legal basis for obtaining people’s consent is Article 6(1)(a) and Article 7 of the GDPR; the legal basis for processing in order to perform our services and implement contractual measures, as well as to reply to enquiries, is Article 6(1)(b) of the GDPR; the legal basis for processing in order to fulfil our legal obligations is Article 6(1)(c) of the GDPR; and the legal basis for processing in order to safeguard our legitimate interests is Article 6(1)(f) of the GDPR. In the event that the vital interests of the data subject or another natural person make processing personal data necessary, Article 6(1)(d) of the GDPR is the legal basis.
Pursuant to Article 32 of the GDPR, we take suitable technical and organisational measures to guarantee a level of security appropriate to the risk, while taking into account state-of-the-art technology; the implementation costs; the nature, scope, circumstances and purposes of the processing; the level of seriousness of a risk to the rights and freedoms of natural persons; and the distinct probability that a risk materialises. The measures include, in particular, ensuring the confidentiality, integrity and availability of the data by controlling physical access to the location of the data in addition to the relevant access to the data itself, the data entry, the transfer of data, and ensuring its availability and its separation. Furthermore, we have set up procedures which ensure that the rights of data subjects can be exercised, that data is erased and that there is a response to data risks. We also take into account the protection of personal data when developing or selecting hardware, software or procedures in accordance with the principle of data protection through the design of technology and default privacy settings (Article 25 of the GDPR).
Collaboration with processors and third-parties
If we disclose or transfer data to other persons and companies (commissioned processors or third parties) or grant them access in any other way during the course of processing, this is done only on the basis of having legal permission to do so (e.g. if the transfer of data to a third party, such as a payment service provider, is required for fulfilment of a contract pursuant to Article 6(1)(b) of the GDPR), you have given your consent, a legal obligation stipulates it, or it is based on our legitimate interests (e.g. when using agents, web hosts, etc.).
If and when we commission a third party with the processing of data based on a so-called ‘Data Processing Agreement’, it is carried out on the basis of Article 28 of the GDPR.
Transfers to non-EU countries
If and when we process data in a non-EU country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or this is carried out in the course of contracting the services of third parties or data is disclosed or transferred to a third party, it is only carried out if it is done in order to fulfil our (pre)contractual obligations, if it is based on your consent, if there is a legal obligation to do so, or if it is based on our legitimate interests. Subject to legal or contractual permissions, we will process the data, or allow it to be processed in a non-EU country only when the special conditions specified in Article 44 et seqq. of the GDPR are met. This means that processing takes place based on special guarantees, such as the officially recognised assessment of an EU-compatible data protection level (e.g. through the ‘Privacy Shield’ for the USA) or compliance with officially recognised special contractual obligations (so-called ‘standard contractual clauses’).
Rights of the data subjects
You have the right to demand confirmation of whether the data pertaining to you is being processed, and to obtain information about such data and any other information, and the right to a copy of said data under Article 15 of the GDPR.
According to Article 16 of the GDPR, you have the right to demand that the data about you be completed or to have any incorrect data about you corrected.
Pursuant to Article 17 of the GDPR, you have the right to demand that the data about you be erased immediately, or, alternatively, have the processing of the data limited pursuant to Article 18 of the GDPR.
Under Article 20 of the GDPR, you have the right to demand that you receive the data about you which you provided and to request that it be transferred to another controller.
Furthermore, you have the right to file a complaint with the supervisory authority concerned under Article 77 of the GDPR.
Right to revoke consent
Under Article 7(3) of the GDPR, you have the right to revoke the consent you gave, with future effect.
Right to object
Under Article 21 of the GDPR, you may object to the future processing of data concerning you at any time. In particular, an objection can be made to the processing of data for the purposes of direct advertising.
to direct advertising
Cookies are small files which are saved on the user’s computer. Different information can be saved within the cookies. A cookie primarily serves the purpose of saving the information about a user (and the device on which the cookie is saved) during a user’s visit or following their visit to pages within a website. Temporary cookies, which can be designated ‘session cookies’ or ‘transient cookies’, are deleted once a user leaves a website and closes their browser. For example, the content of a shopping cart in an online shop or the login status can be saved in this type of cookie. Permanent or persistent cookies are cookies which continue to be saved on a device, even after the browser is closed. In this way the login status can, for example, be saved for when the user visits the website again several days later. The interests of the user can also be saved in this type of cookie, and used for coverage measurement or marketing purposes. “Third party cookies” are cookies which are offered by providers other than the controller who is operating the website (otherwise, when it is only the controller’s cookies, they are called “first party cookies”).
We may deploy both temporary and permanent cookies, and will inform you of this in our Data Privacy Statement.
If users do not wish cookies to be saved on their computer, they are asked to deactivate the corresponding option in the system settings of their browser. Cookies saved can be deleted in the browser’s system settings. Blocking cookies may lead to limited functionality of these online services.
Erasure of data
The personal data processed by us will be erased pursuant to Article 17 and 18 of the GDPR or its processing will be limited. If it is not explicitly indicated in this Data Privacy Statement, the data saved by us will be erased as soon as it is no longer required for its intended purpose and as long as the erasure is not in conflict with any legal retention requirements. Should the data not be erased because it is required for other legally permissible purposes, its processing will be limited. This means that the data will be blocked and not used for other purposes. This will apply to any data which needs to be saved for commercial or tax-related reasons.
According to legal provisions in Germany, some data must be retained, in particular for 10 years under Sec. 147(1) of the German Fiscal Code (AO) and Sec. 257(1)(1) and (4), as well as paragraph 4, of the German Commercial Code (HGB): books, records, management reports, accounting receipts, trading books and any other documents relevant to taxation, etc. Other data (business letters) must be retained for 6 years under Sec. 257(1)(2) and (3), as well as paragraph 4, of the German Commercial Code.
According to legal provisions in Austria, some data must be retained, in particular for 7 years, under Sec. 132(1) of the Austrian Fiscal Code (BAO): accounting documents, receipts/invoices, ledgers, receipts, business documents, profit and loss statements, etc. Other data, such as documents relating to property, need to be retained for 22 years. A retention period of 10 years applies to documents relating to services provided digitally, telecommunication services, broadcasting services and television services which are provided to non-traders in the EU Member States and for which the mini-one-stop-shop (MOSS) is utilised.
Additionally, we process
– Contractual information (e.g. subject matter of the contract, contractual period, customer category).
– Payment information (e.g. bank details, payment history)
of our customers, interested parties and business partners for the purpose of providing contractual services and customer service, as well as for customer relations, marketing, advertising and market research purposes.
The hosting services utilised by us serve the purpose of making the following services available: infrastructure and platform services, computing capacity, storage space and database services, security and technical maintenance services, which we use for the purpose of operating said online services.
In doing so, we, or – to be more precise – our hosting provider, process master data, contact data, content data, contractual data, usage data, metadata and communication data of customers, interested parties and visitors of said online services based on our legitimate interest in making these online services available in an efficient and secure manner in accordance with Article 6(1)(f) of the GDPR in conjunction with Article 28 of the GDPR (conclusion of Data Processing Agreement).
Collecting access data and log files
Based on our legitimate interests within the meaning set out in Article 6(1)(f) of the GDPR, we, or, to be more precise, our hosting provider, collect data about each time the server where this service is located is accessed (so-called “server log files”). Access data includes the name of the retrieving website, the file and also the date and time of the retrieval, the amount of data transferred, a notification that retrieval was successful, the browser type and version, the user’s operating system, the referring URL (the website previously visited), the IP address and the requesting provider.
For security reasons (e.g. for investigating abuse or fraud), log file information is saved for a maximum of 7 days and thereafter erased. Data which needs to be retained longer so that it can be used as evidence will not be erased until the respective incident is finally clarified.
We process our customers’ data within the context of our contractual services, which includes the conceptual and strategic consulting, campaign planning, software and design development/consultancy or management, implementation of campaigns and processes/handling, server administration, data analysis/consultancy services and training services.
In doing so, we process master data (e.g. customer master data, such as names or addresses), contact information (e.g. email, telephone number), content data (e.g. text input, photographs, videos), contract data (e.g. subject matter of the contract, contractual period), payment information (e.g. bank details, payment history), usage and metadata (e.g. within the context of analysing marketing efforts and measuring their success). As a general rule, we do not process special categories of personal data unless they are a component of an authorised processing order. Data subjects include our customers and parties interested in our services, their customers, users, website visitors or employees, as well as any third parties. The purpose of the processing consists in providing contractual services, invoicing them and providing our customer service. The legal basis for the processing arises from Article 6, paragraph 1, letter b) of the GDPR (contractual services) and Article 6(1)(f) of the GDPR (analysis, statistics, optimisation and security measures). We process data which is required to substantiate and fulfil the contractual services and we emphasise the necessity of this information. It will only be disclosed to external parties if it is a requirement within the context of a purchase order. When we process data which has been made available to us within the context of a purchase order, we handle such information in line with the client’s instructions, as well as the statutory requirements for processing orders stipulated in Article 28 of the GDPR, and we do not process the data for any purpose other than the purpose covered by the order.
Once the statutory warranty period and any other similar obligations have expired, we will delete the data. The necessity of retaining the data is reviewed every three years. Where statutory obligations to archive such data exist, it will be deleted once such periods have expired (6 years pursuant to Sec. 257(1) of the German Commercial Code (HGB) and 10 years according to Sec. 147(1) of the German Fiscal Code (AO)). In the case of any data which has been disclosed to us within the context of a client’s purchase order, we will delete the data in accordance with the guidelines stipulated in the order, which will normally be once the order has been completed.
Administration, financial accounting, office organisation and contact management
We process data within the scope of our administrative work, as well as the organisation of our business, financial accounting and compliance with the statutory obligations, such as archiving. In doing so, we process the same data which we process while providing our contractual services. The basis for processing is Article 6(1)(c) of the GDPR and Article 6(1)(f) of the GDPR. Customers, parties interested in our services, business partners and website visitors are affected by the processing. The purpose of the processing and our interest in it lies in the administration, financial accounting, office organisation and archiving data, i.e. it serves to aid our work in maintaining our business operations, carrying out our responsibilities and providing our services. The deletion of data relating to contractual services and communications corresponds to the information mentioned in regard to these processing activities.
In this respect, we disclose or transmit data to the fiscal authorities, consultants, such as tax advisers or auditors, and other billing centres and payment service providers.
Based on our business interests, we also save information on suppliers, event organisers and other business partners, e.g. for the purpose of contacting them in the future. As a general rule, we save this primarily business-related data permanently.
We process applicants’ data only for the purpose of, and within the scope of, the application process, in line with the statutory requirements. The applicants’ data is processed in order to meet our (pre)contractual obligations within the scope of the application process as defined in Article 6(1)(b) and (f) of the GDPR in so far as data processing is required by us, for instance within the scope of legal proceedings (in Germany, Sec. 26 of the German Federal Data Protection Act (BDSG) also applies).
The application process assumes that the applicant sends us their application data. If we provide an online form, the information required will be indicated on the form, otherwise the information required will be indicated in the job descriptions. As a general rule it includes information about the applicant, their postal address and other contact information, and any documents which are typically included when applying for a job, such as a covering letter, C.V., references and proof of qualifications. Applicants may also voluntarily submit additional information.
When applicants forward us their applications, they declare that they consent to our processing their data for the purposes of completing the application process in the manner and scope described in this Data Privacy Statement.
If during the application process, special categories of personal information, within the meaning of Article 9(1) of the GDPR, are submitted voluntarily, this data will also be processed in line with Article 9(2)(b) of the GDPR (e.g. health-related data, such as a severe disability, or ethnic origin). If, during the application process, special categories of personal information, within the meaning of Article 9(1) of the GDPR, are requested, this data will also be processed in line with Article 9(2)(a) of the GDPR (e.g. health-related data, if it is required for performing a job).
Applicants may submit their application using the online form on our website, if it is available at the time. The information they submit will be transmitted to us in encrypted form, using state-of-the-art technology.
Applicants can also submit their applications by email. However, we would like to point out that emails are not normally encrypted when they are sent and applicants have to arrange for encryption themselves. For this reason, we cannot assume any responsibility for the transmission route of the application between the sender and our server, which is why we recommend using the online form or submitting applications by post. Applicants do not have to submit their applications using the online form or email; they still have the option of sending us their applications by post.
In the event of the applicant being hired, the information provided by the applicant can be processed by us for the purpose of the employment relationship. If the applicant is not hired, the applicant’s data will be deleted. An applicant’s data will also be deleted when an applicant withdraws his/her application, which applicants are entitled to do at any time.
Subject to a justified revocation on the part of the applicant, the data will be deleted after a period of six months, so that we can respond to any follow-up questions about the application and can meet our obligations to provide proof under the General Act on Equal Treatment. Any invoices relating to the reimbursement of any travelling expenses will be archived according to fiscal laws.
When we are contacted (e.g. using the contact form, by email, telephone or on social media), we will process the user’s information for processing the enquiry and completing the request in accordance with Article 6(1)(b) of the GDPR. The user’s information may be saved in a customer relationship management system (CRM system) or similar system of organisation for enquiries.
We will delete the enquiry as soon as it is no longer required. We will review the necessity of this type of information every two years. Legal archiving obligations shall also apply.
Google is certified under the Privacy Shield Agreement, which thereby guarantees that European data protection laws are being complied with (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
Google will use this information on our behalf in order to evaluate the use of our online services by the user, compile reports about the activities within our online services, and provide us with other services relating to the use of such online services and the use of the Internet. During this process, pseudonymous user profiles can be created from the processed data.
We only use Google Analytics with IP anonymisation activated. This means that the user’s IP address is truncated by Google within a Member State of the European Union or in other countries that are party to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be sent to a server of Google in the USA and truncated there.
The IP address transferred from the user’s browser will not be merged with other data of Google. Users can prevent cookies from being saved by selecting the corresponding setting in their browser software. Users can also prevent Google from collecting their data which is generated by the cookie and relates to their use of the online services by following the link, downloading the browser plugin provided, and installing it on their computer: http://tools.google.com/dlpage/gaoptout?hl=de.
If you would like an alternative to the browser add-on or wish to use browsers on mobile devices, please click on this link in order to prevent Google Analytics from collecting data within this website in future: Disable Google Analytics. An opt-out cookie will be stored on your device. If you delete your cookies, you will have to click on this link again.
The user’s personal data will be deleted or anonymised after 14 months.
Online presence on social media
We maintain online presences on social networks and platforms in order to actively communicate with the customers, potential customers and users who are active on those sites, as well as inform them about our services. When the respective networks and platforms are accessed, the general terms and conditions of business and data processing guidelines of their respective operators shall apply.
Unless otherwise indicated in our Data Privacy Statement, we process users’ data if they have communicated with us within social networks and platforms, for example by contributing posts to our online platforms or by sending us messages.
Incorporation of third party services and content
Based on our legitimate interests (i.e. interest in analysing and optimising our website and running it economically within the meaning of Article 6(1)(f) of the GDPR), we deploy content or service offers of third party providers within the scope of our online services, such as videos or font types (hereinafter referred to collectively as ‘content’), in order to incorporate their content and services.
This always assumes that the third party providers of such content are aware of the user’s IP address, since they cannot send the content to their browser without the IP address. The IP address is needed in order to display this content. We make every effort to only use content which comes from providers that use IP addresses only for the delivery of the content. Third party providers can, moreover, use so-called pixel tags (invisible graphics which are also known as “web beacons”) for statistical or marketing purposes. Information, such as visitor traffic, can be evaluated on the pages of this website through the “pixel tags”. The pseudonymous information can also be saved in cookies on the user’s device. Among other things, it may contain technical information on the browser, operating system, referring websites, visiting time and other information on the use of our online services, and it may also be linked with this type of information from other sources.
We incorporate videos from the “YouTube” platform provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Data privacy statement: https://www.google.com/policies/privacy/, Opt-out: https://adssettings.google.com/authenticated.