Privacy Policy
Introduction
With the following privacy policy, we would like to inform you about what types of your personal data (hereinafter also referred to as "data") we process for what purposes and to what extent. The privacy policy applies to all processing of personal data carried out by us, both in the context of providing our services and in particular on our websites, in mobile applications, and within external online presences, such as our social media profiles (hereinafter collectively referred to as "online offering").
The terms used are not gender-specific.
Last updated: January 9, 2022
Table of Contents
Introduction
Controller
Overview of Processing
Relevant Legal Bases
Security Measures
Transmission of Personal Data
Data Processing in Third Countries
Deletion of Data
Business Services
Provision of Online Services and Web Hosting
Blogs and Publication Media
Contact and Inquiry Management
Communication via Messenger
Video Conferences, Online Meetings, Webinars and Screen Sharing
Cloud Services
Presences on Social Networks (Social Media)
Amendment and Update of the Privacy Policy
Rights of Data Subjects
Definitions
Controller
Dr. Stefan Kuhn
Kuhn & Völkel GmbH
Nürnberger Str. 38
95448 Bayreuth
Germany
Authorized representatives: Dr. Stefan Kuhn
Email address: datenschutz [at] kuhn-voelkel [dot] de
Overview of Processing
The following overview summarizes the types of data processed and the purposes of their processing and refers to the data subjects.
Types of Data Processed
- Inventory data.
- Payment data.
- Contact data.
- Content data.
- Contract data.
- Usage data.
- Meta/communication data.
Special Categories of Data
- Health data.
- Data concerning sex life or sexual orientation.
- Religious or philosophical beliefs.
- Data revealing racial or ethnic origin.
Categories of Data Subjects
- Customers.
- Employees.
- Prospects.
- Communication partners.
- Users.
- Business and contractual partners.
- Students/participants.
Purposes of Processing
- Provision of contractual services and customer service.
- Contact requests and communication.
- Direct marketing.
- Office and organizational procedures.
- Administration and response to inquiries.
- Feedback.
- Marketing.
- Provision of our online offering and user-friendliness.
Relevant Legal Bases
Below you will find an overview of the legal bases of the GDPR on which we process personal data. Please note that in addition to the provisions of the GDPR, national data protection regulations may apply in your or our country of residence or business. Should more specific legal bases be relevant in individual cases, we will inform you of these in the privacy policy.
- Consent (Art. 6(1) sentence 1 lit. a. GDPR) - The data subject has given consent to the processing of personal data concerning them for a specific purpose or purposes.
- Contract performance and pre-contractual inquiries (Art. 6(1) sentence 1 lit. b. GDPR) - Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
- Legal obligation (Art. 6(1) sentence 1 lit. c. GDPR) - Processing is necessary for compliance with a legal obligation to which the controller is subject.
- Legitimate interests (Art. 6(1) sentence 1 lit. f. GDPR) - Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
In addition to the data protection regulations of the General Data Protection Regulation, national data protection regulations apply in Germany. This includes in particular the Act on Protection Against Misuse of Personal Data in Data Processing (Federal Data Protection Act – BDSG). The BDSG contains in particular special rules on the right to information, the right to erasure, the right to object, the processing of special categories of personal data, processing for other purposes and transmission as well as automated decision-making in individual cases including profiling. Furthermore, it regulates the data processing for purposes of the employment relationship (§ 26 BDSG), in particular with regard to the establishment, implementation or termination of employment relationships and the consent of employees. Furthermore, state data protection laws of the individual federal states may apply.
Security Measures
We take appropriate technical and organizational measures to ensure a level of protection appropriate to the risk in accordance with legal requirements, taking into account the state of the art, the implementation costs and the nature, scope, circumstances and purposes of processing, as well as the different probabilities of occurrence and the extent of the threat to the rights and freedoms of natural persons.
The measures include, in particular, ensuring the confidentiality, integrity and availability of data by controlling physical and electronic access to the data as well as the access to, input, disclosure, availability and separation of the data. Furthermore, we have established procedures that ensure the exercise of data subject rights, the deletion of data and responses to data breaches. Furthermore, we consider the protection of personal data already in the development or selection of hardware, software and procedures, in accordance with the principle of data protection through technology design and through privacy-friendly default settings.
IP address truncation: If IP addresses are processed by us or by the service providers and technologies used and the processing of a complete IP address is not necessary, the IP address is truncated (also referred to as "IP masking"). In this process, the last two digits, or the last part of the IP address after a period, are removed or replaced by placeholders. The truncation of the IP address is intended to prevent or significantly impede the identification of a person by their IP address.
SSL encryption (https): To protect your data transmitted via our online offering, we use SSL encryption. You can recognize such encrypted connections by the prefix https:// in the address bar of your browser.
Transmission of Personal Data
In the course of our processing of personal data, it may happen that the data is transmitted to other entities, companies, legally independent organizational units or persons or that it is disclosed to them. Recipients of this data may include, for example, service providers commissioned with IT tasks or providers of services and content that are integrated into a website. In such cases, we comply with legal requirements and in particular conclude appropriate contracts or agreements with the recipients of your data that serve to protect your data.
Data Processing in Third Countries
If we process data in a third country (i.e., outside the European Union (EU), the European Economic Area (EEA)) or the processing takes place in the context of the use of third-party services or the disclosure or transmission of data to other persons, entities or companies, this only takes place in accordance with legal requirements.
Subject to express consent or contractually or legally required transmission, we process or have the data processed only in third countries with a recognized level of data protection, contractual obligation through so-called standard protection clauses of the EU Commission, in the presence of certifications or binding internal data protection regulations (Art. 44 to 49 GDPR, information page of the EU Commission: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection_en).
Deletion of Data
The data processed by us will be deleted in accordance with legal requirements as soon as the consents permitting their processing are revoked or other permissions cease to apply (e.g., if the purpose of processing this data ceases to apply or the data is not necessary for the purpose).
If the data are not deleted because they are required for other and legally permissible purposes, their processing is restricted to these purposes. That is, the data is blocked and not processed for other purposes. This applies, for example, to data that must be retained for commercial or tax law reasons or whose storage is necessary for the assertion, exercise or defense of legal claims or for the protection of the rights of another natural or legal person.
As part of our privacy information, we can provide users with additional information about the deletion and retention of data that applies specifically to the respective processing processes.
Business Services
We process data of our contractual and business partners, e.g., customers and prospects (collectively referred to as "contractual partners") in the context of contractual and comparable legal relationships and related measures and in the context of communication with contractual partners (or pre-contractually), e.g., to respond to inquiries.
We process this data to fulfill our contractual obligations. This includes in particular the obligations to provide the agreed services, any update obligations and remedies in case of warranty and other performance disruptions. In addition, we process the data to safeguard our rights and for the purpose of the administrative tasks associated with these obligations and corporate organization. Furthermore, we process the data on the basis of our legitimate interests in proper and businesslike business management and security measures to protect our contractual partners and our business operations from misuse, endangerment of their data, secrets, information and rights (e.g., to involve telecommunications, transport and other auxiliary services as well as subcontractors, banks, tax and legal advisors, payment service providers or financial authorities). Within the framework of applicable law, we only pass on data of contractual partners to third parties to the extent that this is necessary for the aforementioned purposes or to fulfill legal obligations. Contractual partners will be informed about other forms of processing, e.g., for marketing purposes, within the framework of this privacy policy.
We inform contractual partners which data are required for the aforementioned purposes before or in the context of data collection, e.g., in online forms, by special marking (e.g., colors) or symbols (e.g., asterisks or similar), or personally.
We delete the data after expiry of legal warranty and comparable obligations, i.e., generally after 4 years, unless the data is stored in a customer account, e.g., for as long as it must be retained for legal archiving reasons (e.g., for tax purposes, usually 10 years). Data disclosed to us in the context of an order by the contractual partner will be deleted in accordance with the specifications of the order, generally after the end of the order.
If we use third-party providers or platforms to provide our services, the terms and conditions and privacy notices of the respective third-party providers or platforms apply in the relationship between the users and the providers.
Agency Services
We process our customers' data as part of our contractual services, which may include, for example, conceptual and strategic consulting, campaign planning, software and design development/consulting or maintenance, implementation of campaigns and processes, handling, server administration, data analysis/consulting services and training services.
Education and Training Services
We process the data of participants in our education and training programs (collectively referred to as "trainees") in order to provide them with our training services. The data processed in this context, the type, scope, purpose and necessity of their processing are determined by the underlying contractual and training relationship. The forms of processing also include performance evaluation and evaluation of our services and those of the instructors.
In the course of our activities, we may also process special categories of data, in particular information on the health of trainees and data revealing ethnic origin, political opinions, religious or philosophical beliefs. To this end, we obtain, if necessary, express consent from the trainees and otherwise process the special categories of data only if it is necessary for the provision of training services, for purposes of health care, social protection or the protection of vital interests of the trainees.
If it is necessary for our contract performance, to protect vital interests or legally required, or if there is consent from the trainees, we disclose or transmit the data of the trainees in compliance with professional requirements to third parties or agents, such as authorities or in the field of IT, office or comparable services.
Coaching
We process the data of our clients as well as prospects and other clients or contractual partners (collectively referred to as "clients") in order to provide them with our services. The data processed, the type, scope, purpose and necessity of their processing are determined by the underlying contractual and client relationship.
In the course of our activities, we may also process special categories of data, in particular information on the health of clients, possibly with reference to their sex life or sexual orientation, as well as data revealing racial and ethnic origin, political opinions, religious or philosophical beliefs or trade union membership. To this end, we obtain, if necessary, express consent from the clients and otherwise process the special categories of data if this serves the health of the clients, the data is public or other legal permissions exist.
If it is necessary for our contract performance, to protect vital interests or legally required, or if there is consent from the clients, we disclose or transmit the data of the clients in compliance with professional requirements to third parties or agents, such as authorities, billing offices as well as in the field of IT, office or comparable services.
Consulting
We process the data of our clients, mandators as well as prospects and other clients or contractual partners (collectively referred to as "clients") in order to provide them with our consulting services. The data processed, the type, scope, purpose and necessity of their processing are determined by the underlying contractual and client relationship.
If it is necessary for our contract performance, to protect vital interests or legally required, or if there is consent from the clients, we disclose or transmit the data of the clients in compliance with professional requirements to third parties or agents, such as authorities, subcontractors or in the field of IT, office or comparable services.
Artistic and Literary Services
We process the data of our clients in order to enable them to select, purchase or commission the selected services or works as well as related activities and their payment and delivery or execution or provision.
The required information is marked as such in the context of the order, purchase or comparable contract conclusion and includes the information needed for delivery and billing as well as contact information in order to be able to hold any consultations.
Project and Development Services
We process the data of our customers as well as clients (hereinafter collectively referred to as "customers") in order to enable them to select, purchase or commission the selected services or works as well as related activities and their payment and provision or execution.
The required information is marked as such in the context of the order, purchase or comparable contract conclusion and includes the information needed for service provision and billing as well as contact information in order to be able to hold any consultations. To the extent that we have access to information of end customers, employees or other persons, we process this in accordance with legal and contractual requirements.
Technical Services
We process the data of our customers as well as clients (hereinafter collectively referred to as "customers") in order to enable them to select, purchase or commission the selected services or works as well as related activities and their payment and provision or execution.
The required information is marked as such in the context of the order, purchase or comparable contract conclusion and includes the information needed for service provision and billing as well as contact information in order to be able to hold any consultations. To the extent that we have access to information of end customers, employees or other persons, we process this in accordance with legal and contractual requirements.
- Types of data processed: Inventory data (e.g., names, addresses); Payment data (e.g., bank details, invoices, payment history); Contact data (e.g., email, phone numbers); Contract data (e.g., subject matter of contract, term, customer category).
- Special categories of personal data: Health data (Art. 9(1) GDPR); Data concerning sex life or sexual orientation (Art. 9(1) GDPR); Religious or philosophical beliefs (Art. 9(1) GDPR); Data revealing racial or ethnic origin.
- Data subjects: Prospects; Business and contractual partners; Students/participants.
- Purposes of processing: Provision of contractual services and customer service; Contact requests and communication; Office and organizational procedures; Administration and response to inquiries.
- Legal bases: Contract performance and pre-contractual inquiries (Art. 6(1) sentence 1 lit. b. GDPR); Legal obligation (Art. 6(1) sentence 1 lit. c. GDPR); Legitimate interests (Art. 6(1) sentence 1 lit. f. GDPR).
Provision of Online Services and Web Hosting
In order to provide our online offering securely and efficiently, we use the services of one or more web hosting providers from whose servers (or servers managed by them) the online offering can be accessed. For these purposes, we may use infrastructure and platform services, computing capacity, storage space and database services as well as security services and technical maintenance services.
The data processed in the context of providing the hosting offering may include all information relating to users of our online offering that is generated in the context of use and communication. This regularly includes the IP address, which is necessary to deliver the content of online offerings to browsers, and all entries made within our online offering or from websites.
- Types of data processed: Content data (e.g., entries in online forms); Usage data (e.g., websites visited, interest in content, access times); Meta/communication data (e.g., device information, IP addresses).
- Data subjects: Users (e.g., website visitors, users of online services).
- Purposes of processing: Provision of our online offering and user-friendliness; Provision of contractual services and customer service.
- Legal bases: Legitimate interests (Art. 6(1) sentence 1 lit. f. GDPR).
Further information on processing operations, procedures and services:
- Collection of access data and log files: We ourselves (or our web hosting provider) collect data on each access to the server (so-called server log files). The server log files may include the address and name of the web pages and files accessed, date and time of access, amounts of data transferred, notification of successful access, browser type and version, the user's operating system, referrer URL (the previously visited page) and usually IP addresses and the requesting provider. The server log files may be used on the one hand for security purposes, e.g., to avoid overloading the servers (especially in the case of abusive attacks, so-called DDoS attacks) and on the other hand to ensure the utilization of the servers and their stability; Deletion of data: Log file information is stored for a maximum of 30 days and then deleted or anonymized. Data whose further retention is required for evidentiary purposes is exempt from deletion until the respective incident is finally clarified.
- IONOS by 1&1: Hosting platform for e-commerce / websites; Service provider: 1&1 IONOS SE, Elgendorfer Str. 57, 56410 Montabaur, Germany; Website: https://www.ionos.de; Privacy policy: https://www.ionos.de/terms-gtc/terms-privacy; Data processing agreement: https://www.ionos.de/hilfe/datenschutz/allgemeine-informationen-zur-datenschutz-grundverordnung-dsgvo/auftragsverarbeitung/?utm_source=search&utm_medium=global&utm_term=Auft&utm_campaign=HELP_CENTER&utm_content=/hilfe/.
Blogs and Publication Media
We use blogs or comparable means of online communication and publication (hereinafter "publication medium"). Readers' data are processed for the purposes of the publication medium only insofar as it is necessary for its presentation and communication between authors and readers or for security reasons. Otherwise, we refer to the information on the processing of visitors to our publication medium within the framework of this privacy information.
- Types of data processed: Inventory data (e.g., names, addresses); Contact data (e.g., email, phone numbers); Content data (e.g., entries in online forms); Usage data (e.g., websites visited, interest in content, access times); Meta/communication data (e.g., device information, IP addresses).
- Data subjects: Users (e.g., website visitors, users of online services).
- Purposes of processing: Provision of contractual services and customer service; Feedback (e.g., collecting feedback via online form).
- Legal bases: Contract performance and pre-contractual inquiries (Art. 6(1) sentence 1 lit. b. GDPR); Legitimate interests (Art. 6(1) sentence 1 lit. f. GDPR).
Contact and Inquiry Management
When contacting us (e.g., via contact form, email, telephone or via social media) and in the context of existing user and business relationships, the information of the inquiring persons is processed insofar as this is necessary to answer the contact inquiries and any requested measures.
The response to contact inquiries as well as the management of contact and inquiry data in the context of contractual or pre-contractual relationships is carried out to fulfill our contractual obligations or to answer (pre)contractual inquiries and otherwise on the basis of legitimate interests in answering the inquiries and maintaining user or business relationships.
- Types of data processed: Inventory data (e.g., names, addresses); Contact data (e.g., email, phone numbers); Content data (e.g., entries in online forms).
- Data subjects: Communication partners.
- Purposes of processing: Contact requests and communication; Provision of contractual services and customer service.
- Legal bases: Contract performance and pre-contractual inquiries (Art. 6(1) sentence 1 lit. b. GDPR); Legitimate interests (Art. 6(1) sentence 1 lit. f. GDPR); Legal obligation (Art. 6(1) sentence 1 lit. c. GDPR).
Further information on processing operations, procedures and services:
- Contact form: When users contact us via our contact form, email or other communication channels, we process the data provided to us in this context to process the communicated request. For this purpose, we process personal data in the context of pre-contractual and contractual business relationships, insofar as this is necessary for their fulfillment and otherwise on the basis of our legitimate interests as well as the interests of communication partners in responding to the concerns and our legal retention obligations.
Communication via Messenger
We use messengers for communication purposes and therefore ask you to observe the following information on the functionality of the messengers, encryption, use of metadata of communication and your options for objection.
You can also contact us via alternative means, e.g., via telephone or email. Please use the contact options provided to you or the contact options specified within our online offering.
In the case of end-to-end encryption of content (i.e., the content of your message and attachments), we point out that the communication content (i.e., the content of the message and attached images) is encrypted end-to-end. This means that the content of the messages is not visible, not even to the messenger providers themselves. You should always use a current version of the messenger with encryption enabled so that the encryption of message content is ensured.
However, we additionally point out to our communication partners that, although the providers of the messengers cannot see the content, they can learn that and when communication partners communicate with us, and that technical information about the device used by the communication partners and, depending on the settings of their device, also location information (so-called metadata) is processed.
Information on legal bases: If we ask communication partners for permission before communicating with them via messenger, the legal basis of our processing of their data is their consent. Otherwise, if we do not ask for consent and they, for example, contact us on their own initiative, we use messengers in relation to our contractual partners as well as in the context of contract initiation as a contractual measure and in the case of other prospects and communication partners on the basis of our legitimate interests in fast and efficient communication and fulfillment of the needs of our communication partners for communication via messenger. Furthermore, we point out that we do not transmit the contact data provided to us to the messengers for the first time without your consent.
Revocation, objection and deletion: You can revoke your consent at any time and object to communication with us via messenger at any time. In the case of communication via messenger, we delete the messages in accordance with our general deletion guidelines (i.e., as described above, e.g., after the end of contractual relationships, in the context of archiving requirements, etc.) and otherwise, as soon as we can assume that we have answered any inquiries from the communication partners, if no reference to a previous conversation is to be expected and the deletion does not conflict with any legal retention obligations.
Reservation of reference to other communication channels: Finally, we would like to point out that we reserve the right, for reasons of your security, not to answer inquiries via messenger. This is the case if, for example, contract internals require special confidentiality or an answer via messenger does not meet the formal requirements. In such cases, we refer you to more adequate communication channels.
- Types of data processed: Contact data (e.g., email, phone numbers); Usage data (e.g., websites visited, interest in content, access times); Meta/communication data (e.g., device information, IP addresses); Content data (e.g., entries in online forms).
- Data subjects: Communication partners.
- Purposes of processing: Contact requests and communication; Direct marketing (e.g., by email or postal mail).
- Legal bases: Consent (Art. 6(1) sentence 1 lit. a. GDPR); Legitimate interests (Art. 6(1) sentence 1 lit. f. GDPR).
Further information on processing operations, procedures and services:
- Microsoft Teams: Microsoft Teams - Messenger; Service provider: Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399 USA; Website: https://products.office.com; Privacy policy: https://privacy.microsoft.com/en-us/privacystatement, Security information: https://www.microsoft.com/en-us/trustcenter; Standard contractual clauses (ensuring data protection level for processing in third countries): https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA.
Video Conferences, Online Meetings, Webinars and Screen Sharing
We use platforms and applications of other providers (hereinafter referred to as "conference platforms") for the purpose of conducting video and audio conferences, webinars and other types of video and audio meetings (hereinafter collectively referred to as "conference"). When selecting conference platforms and their services, we observe the legal requirements.
Data processed by conference platforms: In the context of participation in a conference, the conference platforms process the personal data of participants mentioned below. The scope of processing depends on the one hand on which data are required in the context of a specific conference (e.g., provision of access data or real names) and on the other hand on which optional information is provided by the participants. In addition to processing for the purpose of conducting the conference, the data of participants may also be processed by the conference platforms for security purposes or service optimization. The data processed includes personal data (first name, last name), contact information (email address, phone number), access data (access codes or passwords), profile pictures, information on professional position/function, the IP address of the Internet access, information on the participants' terminal devices, their operating system, the browser and its technical and language settings, information on the content-related communication processes, i.e., entries in chats as well as audio and video data, as well as the use of other available functions (e.g., surveys). Content of communications is encrypted to the extent technically provided by the conference providers. If participants are registered as users with the conference platforms, then further data may be processed in accordance with the agreement with the respective conference provider.
Logging and recordings: If text entries, participation results (e.g., from surveys) as well as video or audio recordings are logged, this is communicated transparently to participants in advance and they are asked for consent if necessary.
Data protection measures of participants: Please note the details of the processing of your data by the conference platforms in their privacy notices and select the optimal security and data protection settings for you within the settings of the conference platforms. Please also ensure data and personality protection in the background of your recording during a video conference (e.g., by informing roommates, locking doors and using, if technically possible, the function to obscure the background). Links to conference rooms as well as access data may not be passed on to unauthorized third parties.
Information on legal bases: If we also process user data in addition to the conference platforms and ask users for their consent to the use of the conference platforms or certain functions (e.g., consent to a recording of conferences), the legal basis of processing is this consent. Furthermore, our processing may be necessary for the fulfillment of our contractual obligations (e.g., in participant lists, in the case of processing of conversation results, etc.). Otherwise, user data is processed on the basis of our legitimate interests in efficient and secure communication with our communication partners.
- Types of data processed: Inventory data (e.g., names, addresses); Contact data (e.g., email, phone numbers); Content data (e.g., entries in online forms); Usage data (e.g., websites visited, interest in content, access times); Meta/communication data (e.g., device information, IP addresses).
- Data subjects: Communication partners; Users (e.g., website visitors, users of online services).
- Purposes of processing: Provision of contractual services and customer service; Contact requests and communication; Office and organizational procedures.
- Legal bases: Consent (Art. 6(1) sentence 1 lit. a. GDPR); Contract performance and pre-contractual inquiries (Art. 6(1) sentence 1 lit. b. GDPR); Legitimate interests (Art. 6(1) sentence 1 lit. f. GDPR).
Further information on processing operations, procedures and services:
- Microsoft Teams: Messenger and conference software; Service provider: Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399 USA; Website: https://products.office.com; Privacy policy: https://privacy.microsoft.com/en-us/privacystatement; Security information: https://www.microsoft.com/en-us/trustcenter; Standard contractual clauses (ensuring data protection level for processing in third countries): https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA.
Cloud Services
We use software services accessible via the Internet and executed on the servers of their providers (so-called "cloud services", also referred to as "Software as a Service") for the following purposes: document storage and management, calendar management, email sending, spreadsheets and presentations, exchange of documents, content and information with specific recipients or publication of websites, forms or other content and information as well as chats and participation in audio and video conferences.
In this context, personal data may be processed and stored on the servers of the providers, insofar as these are part of communication processes with us or are otherwise processed by us, as set out in this privacy policy. These data may include in particular master data and contact data of users, data on transactions, contracts, other processes and their contents. The providers of the cloud services also process usage data and metadata that they use for security purposes and service optimization.
If we provide forms or other documents and content for other users or publicly accessible websites with the help of the cloud services, the providers may store cookies on the users' devices for the purposes of web analysis or to remember user settings (e.g., in the case of media control).
Information on legal bases: If we ask for consent to the use of cloud services, the legal basis of processing is consent. Furthermore, their use may be part of our (pre)contractual services, if the use of the cloud services has been agreed within this framework. Otherwise, user data is processed on the basis of our legitimate interests (i.e., interest in efficient and secure administrative and collaboration processes).
- Types of data processed: Inventory data (e.g., names, addresses); Contact data (e.g., email, phone numbers); Content data (e.g., entries in online forms); Usage data (e.g., websites visited, interest in content, access times); Meta/communication data (e.g., device information, IP addresses).
- Data subjects: Customers; Employees (e.g., employees, applicants, former employees); Prospects; Communication partners.
- Purposes of processing: Office and organizational procedures.
- Legal bases: Consent (Art. 6(1) sentence 1 lit. a. GDPR); Contract performance and pre-contractual inquiries (Art. 6(1) sentence 1 lit. b. GDPR); Legitimate interests (Art. 6(1) sentence 1 lit. f. GDPR).
Further information on processing operations, procedures and services:
- Microsoft Cloud Services: Cloud storage, cloud infrastructure services and cloud-based application software; Service provider: Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399 USA; Website: https://microsoft.com/en-us; Privacy policy: https://privacy.microsoft.com/en-us/privacystatement; Security information: https://www.microsoft.com/en-us/trustcenter; Standard contractual clauses (ensuring data protection level for processing in third countries): https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA; Data processing agreement: https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA.
Presences on Social Networks (Social Media)
We maintain online presences within social networks and process data of users in this context in order to communicate with users active there or to offer information about us.
We point out that data of users may be processed outside the European Union. This may result in risks for users because, for example, the enforcement of users' rights could be made more difficult.
Furthermore, user data within social networks is usually processed for market research and advertising purposes. For example, usage profiles may be created on the basis of usage behavior and resulting interests of users. The usage profiles may in turn be used, for example, to place advertisements within and outside the networks that presumably correspond to the interests of users. For these purposes, cookies are usually stored on the users' computers, in which the usage behavior and the interests of users are stored. Furthermore, data may be stored in the usage profiles independently of the devices used by the users (especially if the users are members of the respective platforms and are logged in to them).
For a detailed presentation of the respective forms of processing and the options for objection (opt-out), we refer to the privacy statements and information provided by the operators of the respective networks.
In the case of information requests and the assertion of data subject rights, we also point out that these can be asserted most effectively with the providers. Only the providers have access to the users' data and can directly take appropriate measures and provide information. If you nevertheless need help, you can contact us.
- Types of data processed: Contact data (e.g., email, phone numbers); Content data (e.g., entries in online forms); Usage data (e.g., websites visited, interest in content, access times); Meta/communication data (e.g., device information, IP addresses).
- Data subjects: Users (e.g., website visitors, users of online services).
- Purposes of processing: Contact requests and communication; Feedback (e.g., collecting feedback via online form); Marketing.
- Legal bases: Legitimate interests (Art. 6(1) sentence 1 lit. f. GDPR).
Further information on processing operations, procedures and services:
- Xing: Social network; Service provider: XING AG, Dammtorstraße 29-32, 20354 Hamburg, Germany; Website: https://www.xing.de; Privacy policy: https://privacy.xing.com/en/privacy-policy.
Amendment and Update of the Privacy Policy
We ask you to inform yourself regularly about the content of our privacy policy. We will adjust the privacy policy as soon as changes in the data processing carried out by us make this necessary. We will inform you as soon as the changes make an act of cooperation on your part (e.g., consent) or any other individual notification necessary.
If we provide addresses and contact information of companies and organizations in this privacy policy, please note that addresses may change over time and please check the information before contacting us.
Rights of Data Subjects
As a data subject, you are entitled to various rights under the GDPR, which arise in particular from Art. 15 to 21 GDPR:
- Right to object: You have the right, on grounds relating to your particular situation, to object at any time to processing of personal data concerning you which is based on Art. 6(1) lit. e or f GDPR; this also applies to profiling based on these provisions. If the personal data concerning you are processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing; this also applies to profiling, insofar as it is related to such direct marketing.
- Right to withdraw consent: You have the right to withdraw your consent at any time.
- Right of access: You have the right to request confirmation as to whether the data in question is being processed and to request information about this data as well as further information and a copy of the data in accordance with legal requirements.
- Right to rectification: You have the right, in accordance with legal requirements, to request the completion of data concerning you or the rectification of incorrect data concerning you.
- Right to erasure and restriction of processing: You have the right, in accordance with legal requirements, to demand that data concerning you be deleted immediately, or alternatively, in accordance with legal requirements, to demand restriction of processing of the data.
- Right to data portability: You have the right to receive data concerning you which you have provided to us in a structured, common and machine-readable format in accordance with legal requirements or to request its transmission to another controller.
- Complaint to supervisory authority: In accordance with legal requirements and without prejudice to any other administrative or judicial remedy, you also have the right to lodge a complaint with a data protection supervisory authority, in particular a supervisory authority in the Member State where you usually reside, the supervisory authority of your workplace or the place of the alleged infringement, if you consider that the processing of personal data concerning you violates the GDPR.
Definitions
In this section, you will find an overview of the terms used in this privacy policy. Many of the terms are taken from the law and are defined above all in Art. 4 GDPR. The legal definitions are binding. The following explanations are intended primarily for understanding. The terms are sorted alphabetically.
- Personal data: "Personal data" means any information relating to an identified or identifiable natural person (hereinafter "data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g., cookie) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- Controller: The "controller" is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
- Processing: "Processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means. The term is broad and includes virtually any handling of data, be it collection, analysis, storage, transmission or deletion.