Privacy policy

Preamble

The following privacy policy is intended to inform you about the types of personal data (hereinafter also referred to simply as “data”) that we process, the purposes for which we do so, and the extent of such processing. This privacy policy applies to all processing of personal data carried out by us, both in the course of providing our services and, in particular, on our websites, in mobile applications and on external online platforms, such as our social media profiles (hereinafter collectively referred to as the “online offering”).

The terms used are not gender-specific.

As at 17 June 2026

Data controller

Relay GmbH
Deutz-Kalker Str. 62
50679 Cologne
Germany

Authorised representatives: Bernard Lay

Email address: info@relay-on.de

Phone: 0221 99999 661

Legal notice: https://relay-on.de/impressum/

Overview of processing operations

The following overview summarises the types of data processed and the purposes for which they are processed, and identifies the data subjects.

Types of data processed

  • Master data.
  • Employee data.
  • Payment details.
  • Location data.
  • Contact details.
  • Content data.
  • Contract details.
  • Usage data.
  • Meta data, communication data and procedural data.
  • Social data.
  • Applicant details.
  • Photographs and/or video recordings.
  • Sound recordings.
  • Contact details (Facebook).
  • Event details (Facebook).
  • Log data.
  • Performance and behavioural data.
  • Working time data.
  • Salary details.

Special categories of data

  • Health data.
  • Religious or philosophical beliefs.
  • Trade union membership.

Categories of data subjects

  • Beneficiaries and clients.
  • Employees.
  • Prospective customers.
  • Communication partners.
  • Users.
  • Applicants.
  • Business and contractual partners.
  • People pictured.
  • Third parties.

Purposes of processing

  • Provision of contractual services and fulfilment of contractual obligations.
  • Communication.
  • Security measures.
  • Direct marketing.
  • Range measurement.
  • Tracking.
  • Office and organisational procedures.
  • Remarketing.
  • Conversion tracking.
  • Target group identification.
  • Organisational and administrative procedures.
  • Application process.
  • Feedback.
  • Marketing.
  • Profiles containing user-related information.
  • Provision of our online services and user-friendliness.
  • Establishment and administration of employment relationships.
  • Information technology infrastructure.
  • Finance and payments management.
  • Public relations.
  • Sales promotion.
  • Business processes and management practices.
  • Artificial Intelligence (AI).

Relevant legal bases

Relevant legal bases under the GDPR: Below is an overview of the legal bases under the GDPR on which we process personal data. Please note that, in addition to the provisions of the GDPR, national data protection regulations may apply in your country or ours, depending on where you or we are resident or have our registered office. Should more specific legal bases apply in individual cases, we will inform you of these in the privacy policy.

  • Consent (Article 6(1), first sentence, point (a) of the GDPR) – The data subject has given their consent to the processing of their personal data for a specific purpose or for several specific purposes.
  • Performance of a contract and pre-contractual enquiries (Article 6(1), first sentence, point (b) of the GDPR) – The processing is necessary for the performance of a contract to which the data subject is a party, or for the implementation of pre-contractual measures taken at the data subject’s request.
  • Legal obligation (Article 6(1), first sentence, point (c) of the GDPR) – The processing is necessary for compliance with a legal obligation to which the controller is subject.
  • Legitimate interests (Article 6(1), first sentence, point (f) of the GDPR) – the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, provided that such interests are not overridden by the interests, fundamental rights and freedoms of the data subject which require the protection of personal data.
  • The recruitment process as a pre-contractual or contractual relationship (Article 6(1), first sentence, point (b) of the GDPR) – Where, as part of the recruitment process, special categories of personal data within the meaning of Article 9(1) of the GDPR (e.g. health data, such as severe disability status or ethnic origin) are requested so that the controller or the data subject may exercise their rights and fulfil their obligations arising from employment law and the law on social security and social protection, such data is processed in accordance with Article 9(2)(b) of the GDPR; in the case of the protection of the vital interests of applicants or other individuals, in accordance with Article 9(2)(c) GDPR; or for the purposes of preventive healthcare or occupational medicine, for the assessment of an employee’s fitness for work, for medical diagnosis, care or treatment in the health or social sector, or for the management of systems and services in the health or social sector in accordance with Article 9(2)(h) GDPR. Where special categories of data are provided on the basis of voluntary consent, their processing is carried out on the basis of Article 9(2)(a) of the GDPR.
  • Processing of special categories of personal data relating to health, employment and social security (Article 9(2)(h) of the GDPR) – The processing is carried out for the purposes of preventive healthcare or occupational medicine, for the assessment of an employee’s fitness for work, for medical diagnosis, care or treatment in the health or social care sector, or for the administration of systems and services in the health or social care sector, on the basis of Union law or the law of a Member State, or pursuant to a contract with a healthcare professional.

National data protection regulations in Germany: In addition to the data protection provisions of the GDPR, national data protection regulations apply in Germany. These include, in particular, the Act on the Protection against the Misuse of Personal Data in Data Processing (Federal Data Protection Act – BDSG). The BDSG contains, in particular, specific provisions on the right of access, the right to erasure, the right to object, the processing of special categories of personal data, processing for other purposes, and the transfer of data, as well as automated decision-making in individual cases, including profiling. Furthermore, state data protection laws of the individual federal states may apply.

Relevant legal bases under the Swiss Data Protection Act: If you are in Switzerland, we process your data in accordance with the Federal Act on Data Protection (the “Swiss FADP” for short). Unlike the GDPR, for example, the Swiss Data Protection Act does not, as a general rule, require a legal basis to be specified for the processing of personal data, and stipulates that the processing of personal data must be carried out in good faith, lawfully and proportionately (Art. 6(1) and (2) of the Swiss DPA). Furthermore, we only collect personal data for a specific purpose that is recognisable to the data subject and only process it in a manner compatible with that purpose (Art. 6(3) of the Swiss DPA).

Note regarding the applicability of the GDPR and the Swiss Data Protection Act: This privacy notice serves to provide information in accordance with both the Swiss Data Protection Act (DSG) and the General Data Protection Regulation (GDPR). For this reason, please note that, due to the GDPR’s broader geographical scope and greater clarity, the terms used in the GDPR are employed here. In particular, instead of the terms “processing” of “personal data”, “overriding interest” and “personal data requiring special protection”, the terms used in the GDPR – “processing” of “personal data”, “legitimate interest” and “special categories of data” – are used. However, the legal meaning of these terms continues to be determined in accordance with the Swiss Data Protection Act (DSG) within the scope of its application.

Applicability of data protection regulations in the country of incorporation: In the country where the controller is established, national data protection regulations apply in addition to the General Data Protection Regulation (GDPR).

Security measures

In accordance with the statutory requirements, and taking into account the state of the art, the costs of implementation, and the nature, scope, circumstances and purposes of the processing, as well as the varying likelihood and severity of threats to the rights and freedoms of natural persons, we implement appropriate technical and organisational measures to ensure a level of protection appropriate to the risk.

These measures include, in particular, safeguarding the confidentiality, integrity and availability of data by controlling physical and electronic access to the data, as well as by controlling its input and disclosure, safeguarding its availability and ensuring its segregation. We have also established procedures to ensure that data subjects’ rights are upheld, that data is deleted and that appropriate action is taken in the event of a data breach. Furthermore, we take the protection of personal data into account right from the development and selection of hardware, software and procedures, in accordance with the principle of data protection by design and through privacy-friendly default settings.

Truncation of IP addresses: Where IP addresses are processed by us or by the service providers and technologies we use, and where the processing of a full IP address is not necessary, the IP address is truncated (also known as “IP masking”). In this process, the last two digits, or the last part of the IP address following a full stop, are removed or replaced with placeholders. The purpose of truncating the IP address is to prevent, or make significantly more difficult, the identification of a person on the basis of their IP address.

Securing online connections using TLS/SSL encryption technology (HTTPS): To protect users’ data transmitted via our online services from unauthorised access, we use TLS/SSL encryption technology. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the cornerstones of secure data transmission on the internet. These technologies encrypt the information transmitted between the website or app and the user’s browser (or between two servers), thereby protecting the data from unauthorised access. TLS, as the more advanced and secure version of SSL, ensures that all data transmissions meet the highest security standards. When a website is secured by an SSL/TLS certificate, this is indicated by the presence of ‘HTTPS’ in the URL. This serves as an indicator to users that their data is being transmitted securely and in encrypted form.

Transfer of personal data

As part of our processing of personal data, it may happen that such data is transferred to or disclosed to other bodies, companies, legally independent organisational units or individuals. Recipients of this data may include, for example, service providers commissioned to carry out IT tasks or providers of services and content integrated into a website. In such cases, we comply with the legal requirements and, in particular, enter into appropriate contracts or agreements with the recipients of your data to ensure the protection of your data.

International data transfers

Data processing in third countries: Where we transfer data to a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)), or where this occurs in connection with the use of third-party services or the disclosure or transfer of data to other persons, bodies or organisations (which can be identified by the postal address of the respective provider or where the privacy policy expressly refers to data transfers to third countries), this is always carried out in accordance with the legal requirements.

For data transfers to the USA, we rely primarily on the Data Privacy Framework (DPF), which was recognised as a secure legal framework by an adequacy decision of the European Commission dated 10 July 2023. In addition, we have entered into standard contractual clauses with the relevant providers, which comply with the European Commission’s requirements and set out contractual obligations to protect your data.

This dual safeguard ensures comprehensive protection of your data: the DPF forms the primary layer of protection, whilst the Standard Contractual Clauses serve as an additional safeguard. Should any changes arise in relation to the DPF, the Standard Contractual Clauses will act as a reliable fallback option. In this way, we ensure that your data remains adequately protected at all times, even in the event of any political or legal changes.

For each service provider, we will inform you whether they are certified under the DPF and whether standard contractual clauses are in place. Further information on the DPF and a list of certified companies can be found on the US Department of Commerce’s website at https://www.dataprivacyframework.gov/ (in English).

Appropriate security measures apply to data transfers to other third countries, in particular standard contractual clauses, explicit consent or transfers required by law. Information on transfers to third countries and applicable adequacy decisions can be found on the European Commission’s website: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection_en?prefLang=de.

Disclosure of personal data abroad: In accordance with the Swiss Data Protection Act, we only disclose personal data abroad if adequate protection for the data subjects is guaranteed (Art. 16 of the Swiss Data Protection Act). Unless the Federal Council has determined that adequate protection exists (list: https://www.bj.admin.ch/bj/de/home/staat/datenschutz/internationales/anerkennung-staaten.html), we take alternative security measures.

For data transfers to the USA, we rely primarily on the Data Privacy Framework (DPF), which was recognised as a secure legal framework by a Swiss adequacy decision dated 15 September 2024. In addition, we have entered into standard data protection clauses with the relevant service providers, which have been approved by the Federal Data Protection and Information Commissioner (FDPIC) and set out contractual obligations regarding the protection of your data.

This dual safeguard ensures comprehensive protection of your data: the DPF forms the primary layer of protection, whilst the Standard Data Protection Clauses serve as an additional safeguard. Should any changes arise in relation to the DPF, the Standard Data Protection Clauses will act as a reliable fallback option. In this way, we ensure that your data remains adequately protected at all times, even in the event of any political or legal changes.

For each service provider, we will inform you whether they are certified under the DPF and whether standard data protection clauses are in place. You can find the list of certified companies and further information on the DPF on the US Department of Commerce’s website at https://www.dataprivacyframework.gov/ (in English).

Appropriate security measures apply to data transfers to other third countries, including international treaties, specific safeguards, standard data protection clauses approved by the FDPIC, or internal corporate data protection policies recognised in advance by the FDPIC or a competent data protection authority in another country.

General information on data storage and deletion

We delete the personal data we process in accordance with the statutory provisions as soon as the underlying consents are withdrawn or there are no longer any legal grounds for processing. This applies to cases where the original purpose of processing no longer applies or the data is no longer required. Exceptions to this rule apply where legal obligations or specific interests require the data to be retained or archived for a longer period.

In particular, data which must be retained for commercial or tax law reasons, or where storage is necessary for the purposes of legal proceedings or to protect the rights of other natural or legal persons, must be archived accordingly.

Our privacy notices contain additional information on the retention and deletion of data, which applies specifically to certain processing operations.

Where there are several specifications regarding the retention period or deletion deadlines for a particular item of data, the longest period shall always apply. We process data that is no longer retained for its originally intended purpose, but rather due to legal requirements or other reasons, exclusively for the purposes that justify its retention.

Data retention and deletion: The following general time limits apply to data retention and archiving under German law:

  • 10 years – retention period for books and records, annual accounts, inventories, management reports, opening balance sheets, as well as the working instructions and other organisational documents necessary for their understanding (Section 147(1)(1) in conjunction with (3) of the German Fiscal Code (AO), Section 14b(1) of the Value Added Tax Act (UStG), Section 257(1)(1) in conjunction with (4) of the Commercial Code (HGB)).
  • 8 years – accounting documents, such as invoices and expense receipts (Section 147(1)(4) and (4a) in conjunction with paragraph 3, first sentence, of the German Fiscal Code (AO) and Section 257(1)(4) in conjunction with paragraph 4 of the German Commercial Code (HGB)).
  • 6 years – Other business records: commercial or business correspondence received, copies of commercial or business correspondence sent, and other documents insofar as they are relevant for tax purposes, e.g. hourly pay slips, operational accounting sheets, costing documents, price labels, as well as payroll records, provided they are not already accounting vouchers, and cash register receipts (Section 147(1)(2), 3, 5 in conjunction with para. 3 of the German Fiscal Code (AO), Section 257(1)(2) and (3) in conjunction with para. 4 of the German Commercial Code (HGB)).
  • 3 years – Data required to take into account potential warranty and compensation claims or similar contractual claims and rights, and to process related enquiries, based on previous business experience and standard industry practices, are stored for the duration of the standard statutory limitation period of three years (Sections 195 and 199 of the German Civil Code (BGB)).

Data retention and deletion: The following general time limits apply to data retention and archiving under Swiss law:

  • 10 years – retention period for books and records, annual accounts, inventories, management reports, opening balance sheets, accounting vouchers and invoices, as well as all necessary work instructions and other organisational documents (Art. 958f of the Swiss Code of Obligations (CO)).
  • 10 years – Data necessary for the assessment of potential claims for damages or similar contractual claims and rights, as well as for the processing of related enquiries, based on previous business experience and standard industry practices, will be stored for the statutory limitation period of ten years, unless a shorter period of five years applies, which is relevant in certain cases (Art. 127, 130 CO). After five years, claims for rent, lease payments and interest on capital, as well as other periodic payments arising from the supply of food, for board and lodging and for pub debts, and from craft work, the retail sale of goods, medical services, professional services provided by lawyers, legal agents, solicitors and notaries, and from the employment relationship of employees become time-barred (Art. 128 CO).

Start of a time limit at the end of the year: If a time limit does not expressly commence on a specific date and is at least one year in duration, it shall automatically commence at the end of the calendar year in which the event triggering the time limit occurred. In the case of ongoing contractual relationships under which data is stored, the event triggering the time limit is the date on which the termination or other cessation of the legal relationship takes effect.

Rights of data subjects

Rights of data subjects under the GDPR: As a data subject, you are entitled to various rights under the GDPR, which arise in particular from Articles 15 to 21 of the GDPR:

  • Right to object: You have the right to object at any time, on grounds relating to your particular situation, to the processing of your personal data carried out on the basis of Article 6(1)(e) or (f) of the GDPR; this also applies to profiling based on these provisions. Where personal data concerning you is processed for the purposes of direct marketing, you have the right to object at any time to the processing of personal data concerning you for the purposes of such marketing; this also applies to profiling insofar as it is related to such direct marketing.
  • Right to withdraw consent: You have the right to withdraw any consent you have given at any time.
  • Right of access: You have the right to request confirmation as to whether the data in question is being processed, and to request access to this data, as well as further information and a copy of the data, in accordance with the statutory requirements.
  • Right to rectification: In accordance with the relevant legal provisions, you have the right to request that the data relating to you be completed or that any inaccurate data relating to you be rectified.
  • Right to erasure and restriction of processing: In accordance with the statutory provisions, you have the right to request that data relating to you be erased without delay or, alternatively, to request that the processing of such data be restricted in accordance with the statutory provisions.
  • Right to data portability: You have the right to receive the data relating to you that you have provided to us in a structured, commonly used and machine-readable format, in accordance with the statutory requirements, or to request that it be transferred to another data controller.
  • Complaint to the supervisory authority: In accordance with the statutory requirements and without prejudice to any other administrative or judicial remedy, you also have the right to lodge a complaint with a data protection supervisory authority, in particular a supervisory authority in the Member State in which you habitually reside, the supervisory authority for your place of work or the location of the alleged infringement, should you consider that the processing of your personal data infringes the GDPR.

Rights of data subjects under the Swiss Data Protection Act:

As a data subject, you are entitled to the following rights in accordance with the provisions of the Swiss Data Protection Act (DSG):

  • Right of access: You have the right to request confirmation as to whether personal data concerning you is being processed, and to receive the information necessary to enable you to exercise your rights under this Act and to ensure that data processing is carried out transparently.
  • Right to access or transfer data: You have the right to request that we provide you with your personal data, which you have provided to us, in a commonly used electronic format.
  • Right to rectification: You have the right to request the rectification of any inaccurate personal data relating to you.
  • Right to object, erasure and destruction: You have the right to object to the processing of your data and to request that your personal data be deleted or destroyed.

Business services

We process the personal data of our contractual and business partners, such as customers, clients, prospective customers, suppliers and other cooperation partners (collectively referred to as “contractual partners”), for the purpose of establishing, implementing and managing contractual relationships and similar legal relationships. This also includes pre-contractual measures carried out upon request, as well as communication relating to the respective contractual relationship.

The processing serves, in particular, to fulfil our principal and ancillary contractual obligations. These include the provision of the agreed services, any obligations to provide updates and information, the handling of warranty claims and other service disruptions, the processing of cancellations, terminations of continuing contractual relationships, reversals of transactions, refunds, and the processing of other contract-related declarations and enquiries. This covers both one-off contracts and ongoing contractual relationships.

In particular, we process master data such as name, address and, where applicable, company name; contact details such as email address and telephone number; contract and service data such as the subject matter of the contract, contract term, order or transaction number; usage and service data; payment and billing data; as well as the content and history of communications. Where necessary, we also process data that is disclosed or transmitted to us in the course of carrying out an order.

Furthermore, we process the data to safeguard our rights and to fulfil legal obligations. This includes, in particular, retention requirements under commercial and tax law, documentation requirements and, where applicable, obligations to provide evidence and account for our actions. Furthermore, processing takes place on the basis of our legitimate interests in the proper conduct of business, internal administration, risk management and IT security, as well as in the protection of our business operations and our contractual partners against misuse and threats to data, confidential information and other legal interests. This may also involve the use of external service providers such as IT and telecommunications providers, transport and logistics companies, payment service providers, banks, tax and legal advisers or other agents, insofar as this is necessary for the performance of the contract or to fulfil legal obligations.

Personal data will only be disclosed to third parties to the extent that this is necessary for the performance of a contract, for the implementation of pre-contractual measures, to safeguard legitimate interests or to fulfil legal obligations. We provide separate information regarding any further processing, in particular for marketing purposes, within this privacy policy.

We inform our contractual partners of the data required in each individual case at the time of data collection, for example by clearly labelling online forms or during face-to-face contact.

Data will be deleted as soon as it is no longer required for the aforementioned purposes and there are no statutory retention obligations preventing this. Statutory retention periods, in particular under commercial and tax law, may require data to be retained for a longer period. We will delete data transmitted in connection with a specific order once the order has been completed and any retention periods have expired, provided there are no further statutory or contractual obligations to retain the data.

The legal basis for the processing is Article 6(1)(b) of the GDPR for the purpose of taking pre-contractual measures and fulfilling the relevant contractual relationship, as well as Article 6(1)(c) of the GDPR for the purpose of complying with legal obligations. Where processing is based on legitimate interests, it is carried out on the basis of Article 6(1)(f) of the GDPR. Where processing is based on Article 6(1)(f) of the GDPR, it is carried out to safeguard our legitimate interests in the proper and efficient organisation of our business, the internal administration and documentation of business transactions, the enforcement and defence of legal claims, ensuring IT and data security, preventing misuse and fraud, and the economic management and further development of our business operations. These interests consist, in particular, of ensuring secure and legally compliant business operations and safeguarding our ability to act as a business.

  • Types of data processed: Personal details (e.g. full name, home address, contact details, customer number, etc.); payment details (e.g. bank details, invoices, payment history); contact details (e.g. postal and email addresses or telephone numbers). Contract details (e.g. subject matter of the contract, term, customer category).
  • People affected: Service recipients and clients; prospective clients. Business and contractual partners.
  • Purposes of processing and legitimate interests: Provision of contractual services and fulfilment of contractual obligations; communication; office and organisational procedures; organisational and administrative procedures. Business processes and business management procedures.
  • Retention and deletion: Deletion in accordance with the information set out in the section “General information on data storage and deletion”.
  • Legal basis: Performance of a contract and pre-contractual enquiries (Article 6(1), first sentence, point (b) of the GDPR); legal obligation (Article 6(1), first sentence, point (c) of the GDPR). Legitimate interests (Article 6(1), first sentence, point (f) of the GDPR).

Further information on processing procedures, methods and services:

  • Logistics services: We process the data of our customers and clients (collectively referred to as “customers”) for the purposes of planning, carrying out and invoicing transport and logistics services. The required details are identified as such when the order is placed and include the information necessary for the provision of services and invoicing, as well as contact details to enable us to consult with you where necessary. Where we gain access to information relating to end customers, employees or other individuals, we process this information in accordance with statutory and contractual requirements; Legal basis: Performance of a contract and pre-contractual enquiries (Article 6(1), first sentence, point (b) of the GDPR), legal obligation (Article 6(1), first sentence, point (c) of the GDPR), Legitimate interests (Article 6(1), first sentence, point (f) of the GDPR).

Business processes and procedures

Personal data relating to service recipients and clients – including customers, clients or, in specific cases, legal clients, patients or business partners, as well as other third parties – is processed within the framework of contractual and similar legal relationships, and in connection with pre-contractual measures such as the initiation of business relationships. This data processing supports and facilitates business processes in areas such as customer management, sales, payment transactions, accounts and project management.

The data collected is used to fulfil contractual obligations and to organise operational processes efficiently. This includes the processing of business transactions, the management of customer relationships, the optimisation of sales strategies, and the safeguarding of internal accounting and financial processes. In addition, the data helps to safeguard the rights of the data controller and supports administrative tasks and the organisation of the company.

Personal data may be disclosed to third parties where this is necessary to fulfil the stated purposes or to comply with legal obligations. Once statutory retention periods have expired or if the purpose of the processing no longer applies, the data will be deleted. This also includes data that must be retained for longer periods due to tax and statutory record-keeping obligations.

  • Types of data processed: Master data (e.g. full name, home address, contact details, customer number, etc.); payment data (e.g. bank details, invoices, payment history); contact details (e.g. postal and email addresses or telephone numbers); Content data (e.g. text or image-based messages and posts, as well as related information such as details of authorship or the time of creation); Contract data (e.g. subject matter of the contract, term, customer category); Usage data (e.g. page views and time spent on site, click paths, usage intensity and frequency, types of devices and operating systems used, interactions with content and functions); Meta, communication and procedural data (e.g. IP addresses, time stamps, identification numbers, persons involved); Log data (e.g. log files relating to logins, data retrieval or access times); Employment data (information relating to employees and other individuals in an employment relationship).
  • People affected: Service recipients and clients; prospective clients; communication partners; business and contractual partners; third parties; users (e.g. website visitors, users of online services). Employees (e.g. staff, job applicants, temporary staff and other personnel).
  • Purposes of processing and legitimate interests: Provision of contractual services and fulfilment of contractual obligations; office and organisational procedures; business processes and management procedures; communication; marketing; sales promotion; public relations; financial and payment management. IT infrastructure (operation and provision of information systems and technical equipment (computers, servers, etc.)).
  • Retention and deletion: Deletion in accordance with the information set out in the section „General information on data storage and deletion“.
  • Legal basis: Performance of a contract and pre-contractual enquiries (Article 6(1), first sentence, point (b) of the GDPR); legitimate interests (Article 6(1), first sentence, point (f) of the GDPR). Legal obligation (Article 6(1), first sentence, point (c) of the GDPR).

Further information on processing procedures, methods and services:

  • Contact management and contact maintenance: Procedures required for the organisation, maintenance and safeguarding of contact information (e.g. setting up and maintaining a central contact database, regularly updating contact information, monitoring data integrity, implementing data protection measures, ensuring access controls, carrying out backups and restores of contact data, training staff in the effective use of contact management software, regularly reviewing communication history and adapting contact strategies); Legal basis: Performance of a contract and pre-contractual enquiries (Article 6(1), first sentence, point (b) of the GDPR), legitimate interests (Article 6(1), first sentence, point (f) of the GDPR).
  • General payment transactions: Procedures required for the execution of payment transactions, the monitoring of bank accounts and the control of cash flows (e.g. preparing and verifying bank transfers, processing direct debits, checking account statements, monitoring incoming and outgoing payments, managing returned direct debits, account reconciliation, cash management); Legal basis: Performance of a contract and pre-contractual enquiries (Article 6(1), first sentence, point (b) of the GDPR), legitimate interests (Article 6(1), first sentence, point (f) of the GDPR).
  • Accounting, accounts payable, accounts receivable: Procedures required for the recording, processing and verification of business transactions in accounts payable and accounts receivable (e.g. preparing and checking incoming and outgoing invoices, monitoring and managing outstanding items, processing payments, handling reminders, reconciling accounts for receivables and payables, accounts payable and accounts receivable); Legal basis: Performance of a contract and pre-contractual enquiries (Article 6(1), first sentence, point (b) of the GDPR), legal obligation (Article 6(1), first sentence, point (c) of the GDPR), Legitimate interests (Article 6(1), first sentence, point (f) of the GDPR).
  • Financial Accounting and Taxation: Procedures required for the recording, management and control of finance-related business transactions, as well as for the calculation, declaration and payment of taxes (e.g. account allocation and posting of business transactions, preparation of quarterly and annual financial statements, processing of payments, handling of reminders, account reconciliation, tax advice, preparation and submission of tax returns, handling of tax affairs); Legal basis: Performance of a contract and pre-contractual enquiries (Article 6(1), first sentence, point (b) of the GDPR), legal obligation (Article 6(1), first sentence, point (c) of the GDPR), Legitimate interests (Article 6(1), first sentence, point (f) of the GDPR).
  • Purchasing: Processes required for the procurement of goods, raw materials or services (e.g. supplier selection and evaluation, price negotiations, placing and monitoring orders, checking and inspecting deliveries, invoice verification, order administration, stock management, and the creation and maintenance of purchasing guidelines); Legal basis: Performance of a contract and pre-contractual enquiries (Article 6(1), first sentence, point (b) of the GDPR), legitimate interests (Article 6(1), first sentence, point (f) of the GDPR).
  • Sales: Processes required for the planning, implementation and monitoring of measures relating to the marketing and sale of products or services (e.g. customer acquisition, quotation preparation and follow-up, order processing, customer advice and support, sales promotion, product training, sales controlling and analysis, management of sales channels); Legal basis: Performance of a contract and pre-contractual enquiries (Article 6(1), first sentence, point (b) of the GDPR), legitimate interests (Article 6(1), first sentence, point (f) of the GDPR).
  • Marketing, advertising and sales promotion: Processes required in the context of marketing, advertising and sales promotion (e.g. market analysis and target group identification, development of marketing strategies, planning and implementation of advertising campaigns, design and production of promotional materials, online marketing, including SEO and social media campaigns, event marketing and trade fair participation, customer loyalty programmes, sales promotion measures, performance measurement and optimisation of marketing activities, budget management and cost control); Legal basis: Legitimate interests (Article 6(1), first sentence, point (f) of the GDPR).
  • Economic analysis and market research: The data held on business transactions, contracts, enquiries, etc. is analysed for business management purposes and to identify market trends and the preferences of contractual partners and users. The group of data subjects may include contractual partners, prospective customers, customers, visitors and users of the data controller’s online services. The analyses are carried out for the purposes of business evaluation, marketing and market research (e.g. to identify customer groups with different characteristics). In doing so, where available, profiles of registered users, including their details regarding the services they have used, are taken into account. The analyses are used exclusively by the data controller and are not disclosed externally, unless they are anonymous analyses containing aggregated, i.e. anonymised, values. Furthermore, users’ privacy is respected; where possible, the data is processed in a pseudonymised manner for analysis purposes and, where feasible, anonymised (e.g. as aggregated data); Legal basis: Legitimate interests (Article 6(1), first sentence, point (f) of the GDPR).
  • Public relations: Processes required as part of public relations work (e.g. developing and implementing communication strategies, planning and executing PR campaigns, drafting and distributing press releases, maintaining media contacts, monitoring and analysing media coverage, organising press conferences and public events, crisis communication, creating content for social media and corporate websites, managing corporate branding); Legal basis: Legitimate interests (Article 6(1), first sentence, point (f) of the GDPR).

Providers and services used in the course of business

As part of our business activities, we use additional third-party services, platforms, interfaces or plug-ins (hereinafter referred to as „Services“), in compliance with legal requirements. Our use of these is based on our interests in the proper, lawful and cost-effective management of our business operations and internal organisation.

  • Types of data processed: Master data (e.g. full name, home address, contact details, customer number, etc.); payment data (e.g. bank details, invoices, payment history); contact details (e.g. postal and email addresses or telephone numbers); Content data (e.g. text or image-based messages and posts, as well as related information such as details of authorship or the date of creation); Contract data (e.g. subject matter of the contract, term, customer category).
  • People affected: Service recipients and clients; prospective clients. Business and contractual partners.
  • Purposes of processing and legitimate interests: Provision of contractual services and fulfilment of contractual obligations; office and organisational procedures. Business processes and management procedures.
  • Retention and deletion: Deletion in accordance with the information set out in the section „General information on data storage and deletion“.
  • Legal basis: Legitimate interests (Article 6(1), first sentence, point (f) of the GDPR).

Provision of the online service and web hosting

We process users’ data in order to provide them with our online services. To this end, we process the user’s IP address, which is necessary to transmit the content and functions of our online services to the user’s browser or device.

  • Types of data processed: Usage data (e.g. page views and time spent on the site, click paths, usage intensity and frequency, types of devices and operating systems used, interactions with content and functions); Meta, communication and procedural data (e.g. IP addresses, time stamps, identification numbers, individuals involved); log data (e.g. log files relating to logins, data retrieval or access times); Content data (e.g. text or image-based messages and posts, as well as related information such as details of authorship or the time of creation); Personal details (e.g. full name, residential address, contact details, customer number, etc.). Contact details (e.g. postal and email addresses or telephone numbers).
  • People affected: Users (e.g. website visitors, users of online services); service recipients and clients; communication partners; business and contractual partners.
  • Purposes of processing and legitimate interests: Provision of our online services and user-friendliness; IT infrastructure (operation and provision of information systems and technical equipment (computers, servers, etc.)); security measures; communication; organisational and administrative procedures; feedback (e.g. collecting feedback via an online form); Provision of contractual services and fulfilment of contractual obligations; direct marketing (e.g. by email or post); audience measurement (e.g. traffic statistics, identification of returning visitors).
  • Retention and deletion: Deletion in accordance with the information set out in the section „General information on data storage and deletion“.
  • Legal basis: Legitimate interests (Article 6(1), first sentence, point (f) of the GDPR). Performance of a contract and pre-contractual enquiries (Article 6(1), first sentence, point (b) of the GDPR).

Further information on processing procedures, methods and services:

  • Hosting an online service on rented server space: To provide our online services, we use storage space, computing capacity and software which we rent or otherwise obtain from a relevant server provider (also known as a „web host“); Legal basis: Legitimate interests (Article 6(1), first sentence, point (f) of the GDPR).
  • Collection of access data and log files: Access to our online service is logged in the form of so-called „server log files“. Server log files may include the address and name of the web pages and files accessed, the date and time of the request, the volume of data transferred, confirmation of a successful request, browser type and version, the user’s operating system, the referrer URL (the page visited previously) and, as a rule, IP addresses and the requesting provider. The server log files may be used, on the one hand, for security purposes, e.g. to prevent server overload (particularly in the event of malicious attacks, known as DDoS attacks), and, on the other hand, to ensure server capacity and stability; Legal basis: Legitimate interests (Article 6(1), first sentence, point (f) of the GDPR). Deletion of data: Log file information is stored for a maximum of 30 days and is then deleted or anonymised. Data that needs to be retained for evidential purposes is exempt from deletion until the incident in question has been fully resolved.
  • Email delivery and hosting: The web hosting services we use also include the sending, receiving and storage of emails. For these purposes, the addresses of the recipients and senders, as well as further information relating to the sending of emails (e.g. the providers involved) and the contents of the respective emails, are processed. The aforementioned data may also be processed for the purpose of detecting spam. Please note that emails are generally not sent in encrypted form over the internet. Although emails are usually encrypted whilst in transit, they are not encrypted on the servers from which they are sent and received (unless a so-called end-to-end encryption method is used). We are therefore unable to accept any responsibility for the transmission of emails between the sender and our server; Legal basis: Legitimate interests (Article 6(1), first sentence, point (f) of the GDPR).
  • Elementor: Creation of online forms, collection and storage of the corresponding user input; Service provider: Elementor Ltd., 40 Tuval Street, Ramat Gan, Israel; Legal basis: Performance of a contract and pre-contractual enquiries (Article 6(1), first sentence, point (b) of the GDPR), legitimate interests (Article 6(1), first sentence, point (f) of the GDPR); Website: https://elementor.com/features/form-builder/; Privacy Policy: https://elementor.com/about/privacy/; Data Processing Agreement: https://elementor.com/terms/cloud-toc/elementor-data-processing-agreement/; Basis for transfers to third countries: EU/EEA – Standard Contractual Clauses (https://elementor.com/terms/cloud-toc/elementor-data-processing-agreement/), Switzerland – Standard contractual clauses (https://elementor.com/terms/cloud-toc/elementor-data-processing-agreement/). Further information: https://elementor.com/trust/.
  • SolidWP: Firewall, security and intrusion detection functions to detect and prevent unauthorised access attempts, as well as technical vulnerabilities that could enable such access. Cookies and similar storage methods required for these purposes may be used, and security logs may be generated during the check and, in particular, in the event of unauthorised access. In this context, users’ IP addresses, a user identification number and their activities – including the time of access – are processed and stored, and are compared with the data provided by the provider of the firewall and security functions and transmitted to that provider. These security logs are retained for 14 days; Service provider: Liquid Web, LLC, 2703 Ena Drive, Lansing, MI 48917, USA; Legal basis: Legitimate interests (Article 6(1), first sentence, point (f) of the GDPR); Website: https://solidwp.com/. Privacy Policy: https://solidwp.com/privacy-policy/.
  • ManageWP: Management of WordPress websites; Service provider: ManageWP, LLC, 14455 N. Hayden Rd, Ste. 219, Scottsdale, AZ 85260, USA; Legal basis: Legitimate interests (Article 6(1), first sentence, point (f) of the GDPR); Website: https://managewp.com/; Privacy Policy: https://managewp.com/privacy-policy/; Data Processing Agreement: https://www.godaddy.com/de/legal/agreements/data-processing-addendum. Basis for transfers to third countries: EU/EEA – Standard Contractual Clauses (https://www.godaddy.com/de/legal/agreements/data-processing-addendum), Switzerland – Standard contractual clauses (https://www.godaddy.com/de/legal/agreements/data-processing-addendum).
  • Brevo: Email delivery and automation services; Service provider: Sendinblue GmbH, Köpenicker Str. 126, 10179 Berlin, Germany; Legal basis: Legitimate interests (Article 6(1), first sentence, point (f) of the GDPR); Website: https://www.brevo.com/; Privacy Policy: https://www.brevo.com/legal/privacypolicy/. Data Processing Agreement: Provided by the service provider.
  • Cloudflare Turnstile: Automated detection and prevention of bot activity. Provision of a CAPTCHA-like service that operates without user input. Improvement of user experience by minimising interruptions for genuine users. Collection and analysis of data to distinguish between human and automated access to web services; Service provider: Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA; Legal basis: Legitimate interests (Article 6(1), first sentence, point (f) of the GDPR); Website: https://www.cloudflare.com/application-services/products/turnstile/; Privacy Policy: https://www.cloudflare.com/privacypolicy/; Data Processing Agreement: https://www.cloudflare.com/cloudflare-customer-dpa/. Basis for transfers to third countries: EU/EEA – Data Privacy Framework (DPF), Standard Contractual Clauses (https://www.cloudflare.com/cloudflare-customer-scc/), Switzerland – Data Privacy Framework (DPF), Standard Contractual Clauses (https://www.cloudflare.com/cloudflare-customer-scc/).

Use of cookies

The term „cookies“ refers to functions that store and retrieve information on users’ devices. Cookies may be used for various purposes, such as ensuring the functionality, security and user-friendliness of online services, as well as for analysing visitor traffic. We use cookies in accordance with legal requirements. To this end, we obtain users’ consent in advance where necessary. Where consent is not required, we rely on our legitimate interests. This applies where the storage and retrieval of information is essential to provide explicitly requested content and functions. This includes, for example, the storage of settings and ensuring the functionality and security of our online services. Consent may be withdrawn at any time. We provide clear information on the scope of consent and on which cookies are used.

Information on the legal basis under data protection law: The legal basis on which we process personal data using cookies depends on consent. Where consent has been given, this serves as the legal basis. Where consent has not been given, we rely on our legitimate interests, which are explained earlier in this section and in the context of the relevant services and procedures.

Retention period: With regard to their storage duration, a distinction is made between the following types of cookies:

  • Temporary cookies (also known as session cookies): Temporary cookies are deleted at the latest once a user has left an online service and closed their device (e.g. browser or mobile application).
  • Persistent cookies: Persistent cookies remain stored even after the device has been switched off. This allows, for example, the user’s login status to be retained and their preferred content to be displayed immediately when they revisit a website. Similarly, user data collected via cookies may be used for audience measurement. Unless we provide users with explicit information regarding the type and storage period of cookies (e.g. when seeking consent), they should assume that these are persistent and that the storage period may be up to two years.

General information on withdrawal and opting out: Users may withdraw the consents they have given at any time and may also object to the processing of their data in accordance with the relevant legal provisions, including via their browser’s privacy settings.

  • Types of data processed: Meta, communication and procedural data (e.g. IP addresses, timestamps, identification numbers, individuals involved). Usage data (e.g. page views and time spent on the site, click paths, usage intensity and frequency, types of devices and operating systems used, interactions with content and features).
  • People affected: Users (e.g. website visitors, users of online services).
  • Purposes of processing and legitimate interests: Provision of our online services and user-friendliness.
  • Legal basis: Legitimate interests (Article 6(1), first sentence, point (f) of the GDPR). Consent (Article 6(1), first sentence, point (a) of the GDPR).

Further information on processing procedures, methods and services:

  • Processing of cookie data on the basis of consent: We use a consent management solution to obtain users’ consent to the use of cookies or to the procedures and providers specified within the consent management solution. This procedure serves to obtain, log, manage and revoke consents, in particular with regard to the use of cookies and similar technologies used to store, read and process information on users’ end devices. As part of this procedure, users’ consent is obtained for the use of cookies and the associated processing of information, including the specific processing activities and providers mentioned in the consent management procedure. Users also have the option to manage and withdraw their consents. Consent declarations are stored to avoid having to request them again and to be able to provide evidence of consent in accordance with legal requirements. Storage takes place on the server and/or in a cookie (known as an ‘opt-in cookie’) or by means of comparable technologies, in order to be able to associate the consent with a specific user or their device. Unless specific details regarding the providers of consent management services are available, the following general information applies: Consent is stored for up to two years. A pseudonymous user identifier is created, which is stored together with the time of consent, details of the scope of consent (e.g. relevant categories of cookies and/or service providers) and information about the browser, the system and the end device used; Legal basis: Consent (Article 6(1), first sentence, point (a) of the GDPR).
  • Cookie opt-out: In the footer of our website, you will find a link that allows you to change your cookie settings and withdraw your consent.
  • BorlabsCookie: Storing and managing consents (consent to cookies and data processing), logging users’ decisions, displaying notices regarding data protection and cookies, and enabling users to withdraw or amend their consents; Service provider: Execution on servers and/or computers under our own responsibility under data protection law; Website: https://de.borlabs.io/borlabs-cookie/. Further information: An individual user ID, language, the types of consent given and the time at which they were given are stored on the server and in a cookie on the user’s device.

Contact and enquiry management

When you contact us (e.g. by post, via the contact form, by email, by telephone or via social media), and in the context of existing user and business relationships, the personal data provided by the enquirers is processed to the extent necessary to respond to enquiries and carry out any requested actions.

  • Types of data processed: Contact details (e.g. postal and email addresses or telephone numbers); content data (e.g. text or image-based messages and posts, as well as related information such as details of authorship or the time of creation); Meta, communication and process data (e.g. IP addresses, timestamps, identification numbers, individuals involved); personal details (e.g. full name, residential address, contact details, customer number, etc.). Usage data (e.g. page views and time spent on pages, click paths, usage intensity and frequency, types of devices and operating systems used, interactions with content and functions).
  • People affected: Communication partners; service recipients and clients. Users (e.g. website visitors, users of online services).
  • Purposes of processing and legitimate interests: Communication; organisational and administrative procedures; feedback (e.g. collecting feedback via an online form). Provision of our online services and user-friendliness.
  • Retention and deletion: Deletion in accordance with the information set out in the section „General information on data storage and deletion“.
  • Legal basis: Legitimate interests (Article 6(1), first sentence, point (f) of the GDPR). Performance of a contract and pre-contractual enquiries (Article 6(1), first sentence, point (b) of the GDPR).

Communication via Messenger

We use messaging services for communication purposes and therefore ask you to take note of the following information regarding the functionality of these services, encryption, the use of communication metadata and your options for objecting.

You can also contact us through other channels, such as by telephone or email. Please use the contact details provided to you or those listed on our website.

Where end-to-end encryption is used, the communication content (i.e. the content of your message and any attachments, such as images) is encrypted end-to-end. This means that the content of the messages cannot be viewed, not even by the messaging service providers themselves. You should always use the latest version of the messaging app with encryption enabled to ensure that the message content is encrypted.

However, we would also like to draw our communication partners’ attention to the fact that, whilst the providers of these messaging services do not view the content itself, they can ascertain whether and when communication partners are communicating with us, and that technical information relating to the device used by the communication partners – as well as location information, depending on their device settings (so-called metadata) – is processed.

Notes on the legal basis: Where we ask communication partners for their consent before communicating with them via Messenger, the legal basis for our processing of their data is their consent. Furthermore, if we do not ask for consent and they, for example, contact us of their own accord, we use Messenger in our dealings with our contractual partners and as part of the pre-contractual process as a contractual measure; and in the case of other interested parties and communication partners, on the basis of our legitimate interests in rapid and efficient communication and in meeting our communication partners’ needs regarding communication via Messenger. Furthermore, we would like to point out that we do not initially transmit the contact details provided to us to the messaging services without your consent.

Revocation, objection and deletion: You may withdraw your consent at any time and object to communication with us via Messenger at any time. In the case of communication via Messenger, we will delete the messages in accordance with our general deletion policy (i.e. for example, as described above, upon termination of contractual relationships, in the context of archiving requirements, etc.) and, in other cases, as soon as we can assume that we have responded to any enquiries from the communication partner, provided that no reference back to a previous conversation is to be expected and there are no statutory retention obligations preventing deletion.

Disclaimer regarding references to other means of communication: To ensure your security, we ask for your understanding that, for certain reasons, we may not be able to respond to enquiries via Messenger. This applies to situations where, for example, contract details must be treated as particularly confidential, or where a reply via Messenger would not meet the formal requirements. In such cases, we recommend that you use more appropriate channels of communication.

  • Types of data processed: Contact details (e.g. postal and email addresses or telephone numbers); content data (e.g. text or image-based messages and posts, as well as related information such as details of authorship or the time of creation); Usage data (e.g. page views and time spent on the site, click paths, usage intensity and frequency, types of devices and operating systems used, interactions with content and functions). Meta, communication and procedural data (e.g. IP addresses, time stamps, identification numbers, individuals involved).
  • People affected: Communication partners.
  • Purposes of processing and legitimate interests: Communication. Direct marketing (e.g. by email or post).
  • Retention and deletion: Deletion in accordance with the information set out in the section „General information on data storage and deletion“.
  • Legal basis: Consent (Art. 6(1), first sentence, point (a) of the GDPR); performance of a contract and pre-contractual enquiries (Art. 6(1), first sentence, point (b) of the GDPR). Legitimate interests (Article 6(1), first sentence, point (f) of the GDPR).

Further information on processing procedures, methods and services:

  • WhatsApp: A communication service that enables the sending and receiving of text messages, voice messages, images, videos and documents, as well as voice and video calls, via the internet. Communication takes place via end-to-end encryption, meaning that content is accessible only to the parties involved in the communication. In order to provide the service, the platform processes metadata (e.g. telephone numbers, timestamps, device information) and may use this to improve functionality, enhance security and optimise the service; Service provider: WhatsApp Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal basis: Legitimate interests (Article 6(1), first sentence, point (f) of the GDPR); Website: https://www.whatsapp.com/. Privacy Policy: https://www.whatsapp.com/legal/privacy-policy-eea.

Artificial Intelligence (AI)

We use artificial intelligence (AI), which involves the processing of personal data. The specific purposes and our legitimate interests in using AI are set out below. By „AI“, we mean – in accordance with the definition of an ‘AI system’ as set out in Article 3(1) of the AI Regulation – a machine-based system designed to operate with varying degrees of autonomy, which is capable of adapting after its deployment and which, based on the inputs it receives, produces outputs such as predictions, content, recommendations or decisions that may influence physical or virtual environments.

Our AI systems are used in strict compliance with legal requirements. These include both specific regulations governing artificial intelligence and data protection requirements. In particular, we adhere to the principles of lawfulness, transparency, fairness, human oversight, purpose limitation, data minimisation, integrity and confidentiality. We ensure that the processing of personal data always takes place on a legal basis. This may be either the consent of the data subjects or a statutory authorisation.

When using external AI systems, we carefully select their providers (hereinafter „AI providers“). In accordance with our legal obligations, we ensure that the AI providers comply with the applicable regulations. We also observe the obligations incumbent upon us when using or operating the AI services we have procured. The processing of personal data by us and the AI providers takes place exclusively on the basis of consent or a legal basis. In doing so, we attach particular importance to transparency, fairness and the preservation of human control over AI-supported decision-making processes.

To protect the data we process, we implement appropriate and robust technical and organisational measures. These ensure the integrity and confidentiality of the data processed and minimise potential risks. By regularly reviewing AI providers and their services, we ensure ongoing compliance with current legal and ethical standards.

  • Types of data processed: Content data (e.g. text-based or image-based messages and posts, as well as related information such as details of authorship or the time of creation). Usage data (e.g. page views and time spent on pages, click paths, usage intensity and frequency, types of devices and operating systems used, interactions with content and functions).
  • People affected: Users (e.g. website visitors, users of online services). Third parties.
  • Purposes of processing and legitimate interests: Artificial Intelligence (AI).
  • Retention and deletion: Deletion in accordance with the information set out in the section „General information on data storage and deletion“.

Video conferences, online meetings, webinars and screen sharing

We use platforms and applications provided by third parties (hereinafter referred to as „conference platforms“) for the purpose of conducting video and audio conferences, webinars and other types of video and audio meetings (hereinafter collectively referred to as „conferences“). When selecting conference platforms and their services, we comply with the relevant legal requirements.

Data processed by conference platforms: When participants take part in a conference, the conference platforms process the personal data of the participants listed below. The scope of the processing depends, on the one hand, on what data is required for a specific conference (e.g. provision of login details or real names) and what optional information participants choose to provide. In addition to processing for the purpose of running the conference, participants’ data may also be processed by the conference platforms for security purposes or to optimise the service. The data processed includes personal details (first name, surname), contact information (email address, telephone number), login details (access codes or passwords), profile pictures, details of professional position/role, the IP address of the internet connection, details of participants’ devices, their operating system, browser and its technical and language settings, information on the content of communications, i.e. inputs in chats as well as audio and video data, and the use of other available functions (e.g. polls). The content of communications is encrypted to the extent technically provided by the conference providers. If participants are registered as users on the conference platforms, further data may be processed in accordance with the agreement with the respective conference provider.

Minutes and recordings: If text entries, participation results (e.g. from surveys) and video or audio recordings are logged, participants will be informed of this in advance in a transparent manner and, where necessary, asked for their consent.

Participants’ data protection measures: Please refer to the privacy notices of the conference platforms for details on how your data is processed, and select the security and privacy settings that best suit your needs within the conference platforms’ settings. Please also ensure that your data and privacy are protected in the background of your recording for the duration of a video conference (e.g. by informing housemates, locking doors and, where technically possible, using the function to blur the background). Links to the conference rooms and access details must not be passed on to unauthorised third parties.

Notes on the legal basis: Where, in addition to the conference platforms, we also process users’ data and ask users for their consent to the use of the conference platforms or certain functions (e.g. consent to the recording of conferences), the legal basis for the processing is this consent. Furthermore, our processing may be necessary to fulfil our contractual obligations (e.g. in participant lists, when summarising the outcomes of discussions, etc.). In other respects, users’ data is processed on the basis of our legitimate interests in efficient and secure communication with our communication partners.

  • Types of data processed: Master data (e.g. full name, home address, contact details, customer number, etc.); contact details (e.g. postal and email addresses or telephone numbers); Content data (e.g. text or image-based messages and posts, as well as related information such as details of authorship or the time of creation); Usage data (e.g. page views and time spent on site, click paths, usage intensity and frequency, types of devices and operating systems used, interactions with content and functions); Images and/or video recordings (e.g. photographs or video recordings of a person); audio recordings; log data (e.g. log files relating to logins, data retrieval or access times).
  • People affected: Communication partners; users (e.g. website visitors, users of online services). People depicted.
  • Purposes of processing and legitimate interests: Provision of contractual services and fulfilment of contractual obligations; communication. Office and organisational procedures.
  • Retention and deletion: Deletion in accordance with the information set out in the section „General information on data storage and deletion“.
  • Legal basis: Legitimate interests (Article 6(1), first sentence, point (f) of the GDPR).

Further information on processing procedures, methods and services:

  • Microsoft Teams: Used to organise online events and conferences, and to communicate with internal and external participants. The services utilised include voice calls, direct messaging, group communication and collaboration features; the data processed includes name, business contact details, job profile, attendance and content (audio/video, speech, chat, files, speech transcription) for the purposes of and in the interests of improving efficiency and productivity, cost-effectiveness, flexibility, mobility, enhanced communication, IT security, the use of a centralised platform and the conduct of business by Microsoft. Audio signals are not stored as a matter of course, unless recording is enabled. Meeting and conference recordings are stored for 90 days by default, unless a different duration is specified. Chat and file content is stored in accordance with the policies set by the administrator or user; by default, there is no automatic deletion. Channels must be renewed every 180 days; otherwise, content will be deleted. In addition, system-generated log, diagnostic and metadata are processed, and diagnostic data relating to product stability, security and improvement is collected; Service provider: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland; Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA; Legal basis: Legitimate interests (Article 6(1), first sentence, point (f) of the GDPR); Website: https://www.microsoft.com/de-de/microsoft-teams/; Privacy Policy: https://www.microsoft.com/de-de/privacy/privacystatement. 
Basis for transfers to third countries: EU/EEA – Data Privacy Framework (DPF), Standard Contractual Clauses (https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA), Switzerland – Data Privacy Framework (DPF), Standard Contractual Clauses (https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA).

Cloud services

We use software services that are accessible via the internet and run on their providers’ servers (so-called „cloud services“, also known as „Software as a Service“) for the storage and management of content (e.g. document storage and management, the sharing of documents, content and information with specific recipients, or the publication of content and information).

In this context, personal data may be processed and stored on the providers’ servers, insofar as such data forms part of communications with us or is otherwise processed by us, as set out in this privacy policy. This data may include, in particular, users’ master data and contact details, as well as data relating to transactions, contracts, other processes and their contents. The cloud service providers also process usage data and metadata, which they use for security purposes and to optimise their services.

Where we use cloud services to provide forms or similar documents and content to other users or on publicly accessible websites, the providers may store cookies on users’ devices for the purposes of web analytics or to remember and save users’ settings (e.g. in the case of media controls).

  • Types of data processed: Master data (e.g. full name, home address, contact details, customer number, etc.); contact details (e.g. postal and email addresses or telephone numbers); Content data (e.g. text or image-based messages and posts, as well as related information such as details of authorship or the time of creation). Usage data (e.g. page views and time spent on the site, click paths, usage intensity and frequency, types of devices and operating systems used, interactions with content and functions).
  • People affected: Prospective clients; communication partners. Business and contractual partners.
  • Purposes of processing and legitimate interests: Office and organisational procedures. IT infrastructure (operation and provision of information systems and technical equipment (computers, servers, etc.)).
  • Retention and deletion: Deletion in accordance with the information set out in the section „General information on data storage and deletion“.
  • Legal basis: Legitimate interests (Article 6(1), first sentence, point (f) of the GDPR).

Further information on processing procedures, methods and services:

Newsletters and electronic notifications

We send out newsletters, emails and other electronic notifications (hereinafter referred to as „newsletters“) exclusively with the recipients’ consent or on a legal basis. Where the content of a newsletter is specified as part of the subscription process, this content forms the basis for the user’s consent. To subscribe to our newsletter, providing your email address is normally sufficient. However, in order to offer you a personalised service, we may ask you to provide your name so that we can address you personally in the newsletter, or to provide further information if this is necessary for the purpose of the newsletter.

Deletion and restriction of processing: We may store unsubscribed email addresses for up to three years on the basis of our legitimate interests before deleting them, in order to be able to provide evidence of consent that was previously given. The processing of this data is limited to the purpose of potentially defending against claims. An individual request for erasure may be made at any time, provided that the prior existence of consent is confirmed at the same time. In the event of obligations to comply with objections on a permanent basis, we reserve the right to store the email address solely for this purpose in a blocklist.

The registration process is logged on the basis of our legitimate interests for the purpose of verifying that it has been carried out correctly. Where we engage a service provider to send emails, this is done on the basis of our legitimate interests in an efficient and secure email delivery system.

Contents:

Information about us, our services, promotions and special offers.

  • Types of data processed: Personal details (e.g. full name, home address, contact details, customer number, etc.); Contact details (e.g. postal and email addresses or telephone numbers); Meta, communication and procedural data (e.g. IP addresses, timestamps, identification numbers, individuals involved). Usage data (e.g. page views and time spent on site, click paths, usage intensity and frequency, types of devices and operating systems used, interactions with content and functions).
  • People affected: Communication partner.
  • Purposes of processing and legitimate interests: Direct marketing (e.g. by email or post). Audience measurement (e.g. traffic statistics, identification of returning visitors).
  • Legal basis: Consent (Article 6(1), first sentence, point (a) of the GDPR). Legitimate interests (Article 6(1), first sentence, point (f) of the GDPR).
  • Right to object (opt-out): You can unsubscribe from our newsletter at any time, i.e. withdraw your consent or object to receiving further issues. You will find a link to unsubscribe from the newsletter at the end of each newsletter; alternatively, you can use one of the contact details provided above, preferably by email, to do so.

Further information on processing procedures, methods and services:

  • Measuring open and click-through rates: The newsletters contain what are known as „web beacons“, i.e. a pixel-sized file that is retrieved from our server – or from the server of the mailing service provider, if we use one – when the newsletter is opened. As part of this retrieval, technical information – such as details of your browser and system – as well as your IP address and the time of retrieval are initially collected. This information is used to improve our newsletter technically, based on the technical data or the target groups and their reading behaviour, determined by their location (which can be identified using the IP address) or the times of access. This analysis also includes determining whether and when the newsletters are opened and which links are clicked. The information collected is assigned to individual newsletter recipients and stored in their profiles until it is deleted. On this basis, user profiles are created in which usage behaviour and user characteristics are stored. The measurement of open and click-through rates, as well as the storage of the measurement results in users’ profiles and their further processing, are carried out on the basis of the users’ consent. Unfortunately, it is not possible to withdraw consent for performance measurement separately; in this case, the entire newsletter subscription must be cancelled or opt-out must be exercised. In that event, the stored profile information will be deleted; Legal basis: Consent (Article 6(1), first sentence, point (a) of the GDPR).
  • Brevo: Email delivery and automation services; Service provider: Sendinblue GmbH, Köpenicker Str. 126, 10179 Berlin, Germany; Legal basis: Legitimate interests (Article 6(1), first sentence, point (f) of the GDPR); Website: https://www.brevo.com/; Privacy Policy: https://www.brevo.com/legal/privacypolicy/. Data Processing Agreement: Provided by the service provider.

Marketing communications via email, post, fax or telephone

We process personal data for the purposes of marketing communications, which may be carried out via various channels, such as email, telephone, post or fax, in accordance with legal requirements.

Recipients have the right to withdraw their consent at any time or to opt out of marketing communications at any time, free of charge, using the contact details provided above.

Following revocation or objection, we will retain the data necessary to prove prior authorisation for the purposes of contacting you or sending you communications for up to three years after the end of the year in which the revocation or objection took place, on the basis of our legitimate interests. The processing of this data is limited to the purpose of potentially defending against claims. Furthermore, on the basis of our legitimate interest in permanently respecting users’ revocation or objection, we also store the data necessary to prevent further contact (e.g. depending on the communication channel, the email address, telephone number or name).

  • Types of data processed: Master data (e.g. full name, home address, contact details, customer number, etc.); contact details (e.g. postal and email addresses or telephone numbers). Content data (e.g. text or image-based messages and posts, as well as related information such as details of authorship or the time of creation).
  • People affected: Communication partner.
  • Purposes of processing and legitimate interests: Direct marketing (e.g. by email or post); marketing; sales promotion.
  • Retention and deletion: Deletion in accordance with the information set out in the section „General information on data storage and deletion“.
  • Legal basis: Consent (Article 6(1), first sentence, point (a) of the GDPR). Legitimate interests (Article 6(1), first sentence, point (f) of the GDPR).

Web analytics, monitoring and optimisation

Web analytics (also known as „reach measurement“) is used to analyse visitor traffic to our online platform and may include pseudonymised data on visitors’ behaviour, interests or demographic information, such as age or gender. With the help of audience measurement, we can, for example, identify at what times our online platform or its functions and content are used most frequently, or encourage repeat visits. It also enables us to identify which areas require optimisation.

In addition to web analytics, we can also use testing methods to, for example, test and optimise different versions of our website or its individual components.

Unless otherwise stated below, profiles – that is, data aggregated to reflect a usage session – may be created for these purposes, and information may be stored in a browser or on a device and subsequently retrieved. The data collected includes, in particular, websites visited and the features used on them, as well as technical information such as the browser used, the computer system used and details of usage times. Where users have consented to the collection of their location data by us or by the providers of the services we use, the processing of location data is also possible.

In addition, users’ IP addresses are stored. However, we use an IP masking procedure (i.e. pseudonymisation by truncating the IP address) to protect users. Generally speaking, no personally identifiable data (such as email addresses or names) is stored in the context of web analytics, A/B testing and optimisation; instead, pseudonyms are used. This means that neither we nor the providers of the software used know the actual identity of the users, but only the information stored in their profiles for the purposes of the respective processes.

Notes on legal bases: Where we ask users for their consent to the use of third-party providers, the legal basis for data processing is consent. Otherwise, user data is processed on the basis of our legitimate interests (i.e. our interest in providing efficient, cost-effective and user-friendly services). In this context, we would also like to draw your attention to the information on the use of cookies in this privacy policy.

  • Types of data processed: Usage data (e.g. page views and time spent on the site, click paths, usage intensity and frequency, types of devices and operating systems used, interactions with content and features). Meta, communication and procedural data (e.g. IP addresses, timestamps, identification numbers, individuals involved).
  • People affected: Users (e.g. website visitors, users of online services).
  • Purposes of processing and legitimate interests: Remarketing; audience targeting; audience measurement (e.g. traffic statistics, identification of returning visitors); profiles containing user-related information (creation of user profiles); provision of our online services and user-friendliness. Tracking (e.g. interest-based/behavioural profiling, use of cookies).
  • Retention and deletion: Deletion in accordance with the information provided in the section „General information on data storage and deletion“. Cookies may be stored for up to two years (unless otherwise stated, cookies and similar storage methods may be stored on users’ devices for a period of two years).
  • Safety measures: IP masking (pseudonymisation of the IP address).
  • Legal basis: Consent (Article 6(1), first sentence, point (a) of the GDPR). Legitimate interests (Article 6(1), first sentence, point (f) of the GDPR).

Further information on processing procedures, methods and services:

  • Google Analytics: We use Google Analytics to measure and analyse the use of our online service on the basis of a pseudonymous user identification number. This identification number does not contain any unique data, such as names or email addresses. It serves to associate analytical information with a device in order to identify which content users have accessed during one or more sessions, which search terms they have used, whether they have revisited that content, or how they have interacted with our online service. The time of use and its duration are also stored, as well as the sources from which users have accessed our online service and technical details of their devices and browsers.
    In the process, pseudonymous user profiles are created using information derived from the use of various devices, and cookies may be used for this purpose. Google Analytics does not log or store individual IP addresses for EU users. However, Analytics provides approximate geographical location data by deriving the following metadata from IP addresses: city (and the derived latitude and longitude of the city), continent, country, region, subcontinent (and ID-based equivalents). For EU data traffic, IP address data is used exclusively for this derivation of geolocation data before being deleted immediately. It is not logged, is not accessible and is not used for any other purposes. When Google Analytics collects measurement data, all IP queries are carried out on EU-based servers before the traffic is forwarded to Analytics servers for processing; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Consent (Article 6(1), first sentence, point (a) of the GDPR); Website: https://marketingplatform.google.com/intl/de/about/analytics/; Safety measures: IP masking (pseudonymisation of the IP address); Privacy Policy: https://business.safety.google/privacy/; Data Processing Agreement: https://business.safety.google/adsprocessorterms/; Basis for transfers to third countries: EU/EEA – Data Privacy Framework (DPF), Standard Contractual Clauses (https://business.safety.google/adsprocessorterms), Switzerland – Data Privacy Framework (DPF), Standard Contractual Clauses ( https://business.safety.google/adsprocessorterms); Right to object (opt-out): Opt-out plugin: https://tools.google.com/dlpage/gaoptout?hl=de, Settings for the display of adverts: https://myadcenter.google.com/personalizationoff. Further information: https://business.safety.google/adsservices/ (Types of processing and the data processed).
  • Google as the recipient of consent: The consent given by users as part of a consent dialogue (also known as „cookie opt-in/consent“, „cookie banner“, etc.) serves several purposes. On the one hand, it fulfils our obligation to obtain consent for the storage and retrieval of information on and from users’ devices in accordance with the ePrivacy Regulation. On the other hand, it covers the processing of users’ personal data in accordance with data protection requirements. Furthermore, this consent also applies to Google, as the company is obliged under the Digital Markets Act (DMA) to obtain valid consent for personalised services. For this reason, we share the status of the consents granted or withheld by users with Google. Our consent management software informs Google whether consent has been given or not. The aim is to ensure that users’ decisions are taken into account when using Google measurement services – in particular in the context of audience measurement, conversion tracking and personalised advertising (e.g. Google Analytics, Google Ads and similar services) – as well as when integrating other features and external services. Processing takes place dynamically and depends on the user’s respective selection, including any withdrawal of consent; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Consent (Article 6(1), first sentence, point (a) of the GDPR); Website: https://support.google.com/analytics/answer/9976101?hl=de. Privacy Policy: https://business.safety.google/privacy/.
  • Google Signals (a Google Analytics feature): Google Signals consists of session data from websites and apps that Google associates with users who are signed in to their Google accounts and have enabled ad personalisation. This association of data with these signed-in users is used to enable cross-device reporting, cross-device remarketing and cross-device conversion measurement. This includes: Cross-platform reporting – linking data across devices and activities from different sessions using your User ID or Google Signals data, which enables an understanding of user behaviour at every stage of the conversion process, from initial contact through to conversion and beyond; Remarketing with Google Analytics – creating remarketing audiences from Google Analytics data and sharing these audiences with linked advertising accounts; Demographics and interests – Google Analytics collects additional information about the demographics and interests of users who are signed in to their Google accounts and have enabled ad personalisation; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Consent (Article 6(1), first sentence, point (a) of the GDPR); Website: https://support.google.com/analytics/answer/7532985?hl=de; Privacy Policy: https://business.safety.google/privacy/; Data Processing Agreement: https://business.safety.google/adsprocessorterms/; Basis for transfers to third countries: EU/EEA – Data Privacy Framework (DPF), Standard Contractual Clauses (https://business.safety.google/adsprocessorterms), Switzerland – Data Privacy Framework (DPF), Standard Contractual Clauses ( https://business.safety.google/adsprocessorterms). Further information: https://business.safety.google/adsservices/ (Types of processing and the data processed).
  • Creating target audiences with Google Analytics: We use Google Analytics to display adverts, served via Google’s advertising services and those of its partners, specifically to users who have already shown an interest in our online offering or who exhibit certain characteristics (e.g. interests in specific topics or products, as determined on the basis of the webpages they have visited). We transmit this data to Google as part of what is known as „remarketing“ or „Google Analytics Audiences“. The aim of using Remarketing Audiences is to ensure that our adverts match users’ potential interests as closely as possible; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Consent (Article 6(1), first sentence, point (a) of the GDPR); Website: https://marketingplatform.google.com; Legal basis: https://business.safety.google/adsprocessorterms/; Privacy Policy: https://business.safety.google/privacy/; Data Processing Agreement: https://business.safety.google/adsprocessorterms/; Basis for transfers to third countries: EU/EEA – Data Privacy Framework (DPF), Switzerland – Data Privacy Framework (DPF); Further information: Types of processing and the data processed: https://business.safety.google/adsservices/. Data processing terms for Google advertising products and standard contractual clauses for data transfers to third countries: https://business.safety.google/adsprocessorterms.
  • Google Tag Manager: We use Google Tag Manager, a piece of software from Google that enables us to manage so-called website tags centrally via a user interface. Tags are small pieces of code on our website that are used to track and analyse visitor activity. This technology helps us to improve our website and the content offered on it. Google Tag Manager itself does not create user profiles, does not store cookies containing user profiles, and does not carry out any independent analyses. Its function is limited to simplifying and streamlining the integration and management of the tools and services we use on our website. Nevertheless, when using Google Tag Manager, users’ IP addresses are transmitted to Google; this is necessary for technical reasons in order to implement the services we use. Cookies may also be set in the process. However, this data processing only takes place when services are integrated via Tag Manager. For more detailed information on these services and their data processing, please refer to the relevant sections of this privacy policy; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Consent (Article 6(1), first sentence, point (a) of the GDPR); Website: https://marketingplatform.google.com; Privacy Policy: https://business.safety.google/privacy/; Data Processing Agreement:
    https://business.safety.google/adsprocessorterms. Basis for transfers to third countries: EU/EEA – Data Privacy Framework (DPF), Standard Contractual Clauses (https://business.safety.google/adsprocessorterms), Switzerland – Data Privacy Framework (DPF), Standard Contractual Clauses (https://business.safety.google/adsprocessorterms).
  • Microsoft Clarity: Web analytics, audience measurement and analysis of user behaviour in terms of usage and interests relating to features and content, as well as the duration of use, based on a pseudonymous user identification number and profiling; Service provider: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland; Legal basis: Consent (Article 6(1), first sentence, point (a) of the GDPR); Website: https://clarity.microsoft.com; Privacy Policy: https://www.microsoft.com/de-de/privacy/privacystatement; Data Processing Agreement: https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA. Basis for transfers to third countries: EU/EEA – Data Privacy Framework (DPF), Standard Contractual Clauses (https://www.microsoft.com/en-us/privacy/privacystatement), Switzerland – Data Privacy Framework (DPF), Standard Contractual Clauses (https://www.microsoft.com/en-us/privacy/privacystatement).

Online marketing

We process personal data for the purposes of online marketing, which may include, in particular, the marketing of advertising space or the display of advertising and other content (collectively referred to as „content“) based on users’ potential interests, as well as the measurement of its effectiveness.

For these purposes, so-called user profiles are created and stored in a file (known as a „cookie“), or similar methods are used to store information about the user that is relevant to the display of the aforementioned content. This may include, for example, content viewed, websites visited, online networks used, as well as communication partners and technical details such as the browser and computer system used, and information on usage times and functions utilised. Where users have consented to the collection of their location data, this may also be processed.

In addition, users’ IP addresses are stored. However, we use available IP masking methods (i.e. pseudonymisation by truncating the IP address) to protect users. Generally speaking, no plaintext user data (such as email addresses or names) is stored, but rather pseudonyms. This means that neither we nor the providers of the online marketing services know the user’s actual identity, but only the information stored in their profiles.

The information contained in the profiles is usually stored in cookies or by means of similar methods. These cookies can generally also be read later on other websites that use the same online marketing method; they may be analysed for the purpose of displaying content, supplemented with further data, and stored on the server of the online marketing provider.

In exceptional cases, it is possible to link personal data to user profiles, particularly where users are, for example, members of a social network whose online marketing methods we utilise and where the network links user profiles to the aforementioned information. Please note that users may enter into additional agreements with the providers, for example by giving their consent as part of the registration process.

As a general rule, we only have access to aggregated information regarding the performance of our adverts. However, as part of what is known as conversion tracking, we can analyse which of our online marketing methods have led to a so-called conversion – for example, the conclusion of a contract with us. Conversion tracking is used solely to analyse the effectiveness of our marketing activities.

Unless otherwise stated, please assume that any cookies used will be stored for a period of two years.

Notes on the legal basis: Where we ask users for their consent to the use of third-party providers, the legal basis for data processing is that consent. Otherwise, users’ data is processed on the basis of our legitimate interests (i.e. our interest in providing efficient, cost-effective and user-friendly services). In this context, we would also like to draw your attention to the information on the use of cookies in this privacy policy.

Information on withdrawal and objection:

Please refer to the privacy policies of the respective providers and the opt-out options specified by them. If no explicit opt-out option has been provided, you can disable cookies in your browser settings. However, this may restrict the functionality of our website. We therefore also recommend the following opt-out options, which are summarised and organised by relevant areas:

a) Europe: https://youronlinechoices.eu/.

b) Canada: https://youradchoices.ca/.

c) USA: https://optout.aboutads.info/.

d) Cross-regional: https://optout.aboutads.info.

  • Types of data processed: Content data (e.g. text-based or image-based messages and posts, as well as related information such as details of authorship or the time of creation); Usage data (e.g. page views and time spent on site, click paths, usage intensity and frequency, types of devices and operating systems used, interactions with content and functions); Meta, communication and procedural data (e.g. IP addresses, timestamps, identification numbers, individuals involved); Event data (Facebook) („Event data“ refers to information sent to the provider Meta – for example, via Meta Pixels (whether via apps or other channels) – which relates to individuals or their actions. This data includes, for example, details of website visits, interactions with content and features, app installations and product purchases. Event data is processed for the purpose of creating target audiences for content and advertising messages (Custom Audiences). It is important to note that Event Data does not include actual content such as comments posted, login details, or contact information such as names, email addresses or telephone numbers. „Event data“ is deleted by Meta after a maximum of two years, and the target audiences created from it are deleted when our Meta user accounts are deleted.); Contact information (Facebook) („Contact information“ refers to data that (clearly) identifies data subjects, such as names, email addresses and telephone numbers, which may be transmitted to Facebook – for example, via the Facebook Pixel or by upload – for matching purposes in order to create Custom Audiences. Once the data has been matched to create target groups, the contact information is deleted).
  • People affected: Users (e.g. website visitors, users of online services).
  • Purposes of processing and legitimate interests: Audience measurement (e.g. traffic statistics, identification of returning visitors); tracking (e.g. interest-based/behavioural profiling, use of cookies); Conversion tracking (measuring the effectiveness of marketing measures); audience targeting; marketing; profiles containing user-related information (creation of user profiles); provision of our online service and user-friendliness; remarketing.
  • Retention and deletion: Deletion in accordance with the information provided in the section „General information on data storage and deletion“. Cookies may be stored for up to two years (unless otherwise stated, cookies and similar storage methods may be stored on users’ devices for a period of two years).
  • Safety measures: IP masking (pseudonymisation of the IP address).
  • Legal basis: Consent (Article 6(1), first sentence, point (a) of the GDPR). Legitimate interests (Article 6(1), first sentence, point (f) of the GDPR).

Further information on processing procedures, methods and services:

  • Meta Pixel and audience targeting (Custom Audiences): With the help of the Meta Pixel (or similar functions for transmitting event data or contact information via interfaces within apps), Meta is able, on the one hand, to identify visitors to our online platform as a target audience for the display of adverts (so-called „Meta Ads“). Accordingly, we use the Meta Pixel to ensure that the Meta Ads we place are shown only to such users on Meta’s platforms and within the services of Meta’s partner networks (the so-called „Audience Network“, https://www.facebook.com/audiencenetwork/) who have also shown an interest in our online offering or who exhibit certain characteristics (e.g. an interest in specific topics or products, as indicated by the web pages they have visited), which we transmit to Meta (so-called „Custom Audiences“). We also use the Meta Pixel to ensure that our Meta adverts are tailored to users’ potential interests and do not come across as intrusive. Furthermore, the Meta Pixel enables us to track the effectiveness of Meta adverts for statistical and market research purposes by monitoring whether users were redirected to our website after clicking on a Meta advert (known as „conversion tracking“); Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal basis: Consent (Article 6(1), first sentence, point (a) of the GDPR); Website: https://www.facebook.com; Privacy Policy: https://www.facebook.com/privacy/policy/; Data Processing Agreement: https://www.facebook.com/legal/terms/dataprocessing; Basis for transfers to third countries: EU/EEA – Data Privacy Framework (DPF), Standard Contractual Clauses (https://www.facebook.com/legal/EU_data_transfer_addendum), Switzerland – Data Privacy Framework (DPF), Standard Contractual Clauses (https://www.facebook.com/legal/EU_data_transfer_addendum); Further information: Users’ event data, i.e. information on their behaviour and interests, is processed for the purposes of targeted advertising and audience segmentation on the basis of the agreement on joint responsibility („Addendum for Data Controllers“, https://www.facebook.com/legal/controller_addendum). Joint controllership is limited to the collection of data by, and the transfer of data to, Meta Platforms Ireland Limited, a company based in the EU. Further processing of the data is the sole responsibility of Meta Platforms Ireland Limited, in particular with regard to the transfer of data to the parent company, Meta Platforms, Inc., in the USA (on the basis of the Standard Contractual Clauses concluded between Meta Platforms Ireland Limited and Meta Platforms, Inc.).
  • Advanced calibration for the Meta Pixel: In addition to the processing of event data in connection with the use of the Meta Pixel (or similar functions, e.g. in apps), contact information (data identifying individual persons, such as names, email addresses and telephone numbers) is also collected by Meta within our online offering or transmitted to Meta. The processing of contact information serves to create target groups (so-called „Custom Audiences“) for the display of content and advertising tailored to users’ presumed interests. The collection, transmission and matching against data held by Meta do not take place in plain text, but as so-called „hash values“, i.e. mathematical representations of the data (this method is used, for example, when storing passwords). Once the data has been matched for the purpose of creating target groups, the contact information is deleted; Legal basis: Consent (Article 6(1), first sentence, point (a) of the GDPR); Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Data Processing Agreement: https://www.facebook.com/legal/terms/dataprocessing; Basis for transfers to third countries: EU/EEA – Data Privacy Framework (DPF), Standard Contractual Clauses (https://www.facebook.com/legal/EU_data_transfer_addendum), Switzerland – Data Privacy Framework (DPF), Standard Contractual Clauses (https://www.facebook.com/legal/EU_data_transfer_addendum). Further information: https://www.facebook.com/legal/terms/data_security_terms.
  • Facebook adverts: Placing advertisements on the Facebook platform and analysing the results of those advertisements; Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal basis: Consent (Article 6(1), first sentence, point (a) of the GDPR); Website: https://www.facebook.com; Privacy Policy: https://www.facebook.com/privacy/policy/; Basis for transfers to third countries: EU/EEA – Data Privacy Framework (DPF), Switzerland – Data Privacy Framework (DPF); Right to object (opt-out): We refer to the privacy and advertising settings in users’ profiles on Facebook platforms, as well as to Facebook’s consent procedures and contact details for exercising the right to access data and other data subject rights, as described in Facebook’s Privacy Policy; Further information: Users’ event data, i.e. information on their behaviour and interests, is processed for the purposes of targeted advertising and audience segmentation on the basis of the agreement on joint responsibility („Addendum for Data Controllers“, https://www.facebook.com/legal/controller_addendum). Joint controllership is limited to the collection of data by, and the transfer of data to, Meta Platforms Ireland Limited, a company based in the EU. Further processing of the data is the sole responsibility of Meta Platforms Ireland Limited, in particular with regard to the transfer of data to the parent company, Meta Platforms, Inc., in the USA (on the basis of the Standard Contractual Clauses concluded between Meta Platforms Ireland Limited and Meta Platforms, Inc.).
  • Google Ads and conversion tracking: Online marketing methods used to place content and adverts within the service provider’s advertising network (e.g. in search results, in videos, on websites, etc.), so that they are displayed to users who are presumed to have an interest in the adverts. In addition, we measure the conversion rate of the adverts, i.e. whether users have been prompted to interact with the adverts and make use of the advertised offers (so-called ‘conversions’). However, we only receive anonymous information and no personal information about individual users; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Consent (Article 6(1), first sentence, point (a) of the GDPR), legitimate interests (Article 6(1), first sentence, point (f) of the GDPR); Website: https://marketingplatform.google.com; Privacy Policy: https://business.safety.google/privacy/; Basis for transfers to third countries: EU/EEA – Data Privacy Framework (DPF), Switzerland – Data Privacy Framework (DPF); Further information: Types of processing and the data processed: https://business.safety.google/adsservices/. Data processing agreements between data controllers and standard contractual clauses for data transfers to third countries: https://business.safety.google/adscontrollerterms.
  • Google Ads – Enhanced conversion tracking: Enhanced conversions are used to measure and optimise the effectiveness of advertising campaigns. This is an extension of existing conversion tracking (the measurement of user actions such as purchases or enquiries), in which certain first-party data provided by users (data collected directly by the website operator, e.g. email address or telephone number) is processed technically to attribute conversions more reliably to an advert. The processing takes place exclusively in hashed form using the cryptographic one-way hash algorithm SHA-256 (a mathematical method for the irreversible transformation of data). In this process, personal data is encrypted prior to transmission in such a way that it is not in plain text and cannot be decrypted. The hashed data is transmitted to Google either at the time of a conversion on the website or – in the case of so-called lead conversions (transactions outside the website, e.g. by telephone or email) – at a later time. The transmission takes place either on the client side via a tag (tracking code, e.g. via Google Tag Manager) or on the server side via an API (application programming interface for system-side data transmission). In the case of server-side transmission, the data is transferred via an HTTPS connection (encrypted internet connection). The purpose of the processing is to correctly record and attribute conversions even when conventional tracking methods such as cookies (small text files or functions for recognising users) or device identifiers are restricted or unavailable. The hashed data transmitted may be matched against existing Google accounts, provided that users are logged in at the time of conversion. 
    The processing serves exclusively to measure conversions, evaluate the success of advertising campaigns and optimise automated bidding strategies (automatic adjustment of ad bids based on measured conversions) using first-party data; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Consent (Article 6(1), first sentence, point (a) of the GDPR); Website: https://marketingplatform.google.com; Privacy Policy: https://business.safety.google/privacy/; Further information: Types of processing and the data processed: https://business.safety.google/adsservices/. Data processing agreements between data controllers and standard contractual clauses for data transfers to third countries: https://business.safety.google/adscontrollerterms.
  • Google Ads Remarketing: Google Remarketing, also known as retargeting, is a technology whereby users who use an online service are added to a pseudonymous remarketing list, so that adverts can be displayed to them on other online platforms based on their visit to that online service; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Consent (Article 6(1), first sentence, point (a) of the GDPR); Website: https://marketingplatform.google.com; Privacy Policy: https://business.safety.google/privacy/; Basis for transfers to third countries: EU/EEA – Data Privacy Framework (DPF), Switzerland – Data Privacy Framework (DPF); Further information: Types of processing and the data processed: https://business.safety.google/adsservices/. Data processing agreements between data controllers and standard contractual clauses for data transfers to third countries: https://business.safety.google/adscontrollerterms.
  • Instagram adverts: Placing advertisements on the Instagram platform and analysing the advertising results; Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal basis: Consent (Article 6(1), first sentence, point (a) of the GDPR); Website: https://www.instagram.com; Privacy Policy: https://privacycenter.instagram.com/policy/; Basis for transfers to third countries: EU/EEA – Data Privacy Framework (DPF), Switzerland – Data Privacy Framework (DPF); Right to object (opt-out): We refer to the privacy and advertising settings in users’ profiles on the Instagram platform, as well as to Instagram’s consent procedures and the contact options set out in Instagram’s Privacy Policy for exercising the right to access data and other data subject rights; Further information: Users’ event data, i.e. information on their behaviour and interests, is processed for the purposes of targeted advertising and audience segmentation on the basis of the agreement on joint responsibility („Addendum for Data Controllers“, https://www.facebook.com/legal/controller_addendum). Joint responsibility is limited to the collection of data by, and the transfer of data to, Meta Platforms Ireland Limited, a company based in the EU. Further processing of the data is the sole responsibility of Meta Platforms Ireland Limited, in particular with regard to the transfer of data to the parent company, Meta Platforms, Inc., in the USA.
  • Microsoft Advertising: Online marketing methods used to place content and adverts within the service provider’s advertising network (e.g. in search results, in videos, on websites, etc.), so that they are displayed to users who are presumed to have an interest in the adverts. Furthermore, we measure the conversion rate of the adverts, i.e. whether users have been prompted to interact with the adverts and make use of the advertised offers (known as ‘conversion’). However, we only receive anonymous information and no personal information about individual users; Service provider: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland; Legal basis: Consent (Article 6(1), first sentence, point (a) of the GDPR), legitimate interests (Article 6(1), first sentence, point (f) of the GDPR); Website: https://about.ads.microsoft.com/; Privacy Policy: https://www.microsoft.com/de-de/privacy/privacystatement; Basis for transfers to third countries: EU/EEA – Data Privacy Framework (DPF), Switzerland – Data Privacy Framework (DPF). Right to object (opt-out): https://account.microsoft.com/privacy/ad-settings/.
  • Microsoft Advertising (Enhanced Conversions): Advanced conversion tracking for more accurate measurement of ad interactions using hashed first-party data (e.g. email addresses); Service provider: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland; Website: https://ads.microsoft.com/. Privacy Policy: https://privacy.microsoft.com/de-de/privacystatement.

Customer reviews and the review process

We take part in review and rating schemes in order to evaluate, optimise and promote our services. When users rate us or provide feedback via the participating review platforms or schemes, the providers’ general terms and conditions or terms of use and privacy policies also apply. As a rule, submitting a rating also requires registration with the respective providers.

To ensure that the reviewers have actually used our services, we transmit the necessary data relating to the customer and the service used to the relevant review platform (including name, email address and order number or item number), with the customer’s consent. This data is used solely to verify the user’s authenticity.

  • Types of data processed: Contract data (e.g. subject matter of the contract, term, customer category); usage data (e.g. page views and time spent on the site, click paths, usage intensity and frequency, types of devices and operating systems used, interactions with content and functions). Meta, communication and procedural data (e.g. IP addresses, timestamps, identification numbers, persons involved).
  • People affected: Service recipients and clients. Users (e.g. website visitors, users of online services).
  • Purposes of processing and legitimate interests: Feedback (e.g. collecting feedback via an online form). Marketing.
  • Legal basis: Legitimate interests (Article 6(1), first sentence, point (f) of the GDPR).

Further information on processing procedures, methods and services:

  • Rating widget: We incorporate so-called „review widgets“ into our online service. A widget is a functional and content element integrated into our online service that displays variable information. It may, for example, take the form of a seal or similar element, sometimes also referred to as a „badge“. Whilst the relevant content of the widget is displayed within our online service, it is retrieved at that moment from the servers of the respective widget provider. This is the only way to ensure that the most up-to-date content is always displayed, particularly the current rating. To do this, a data connection must be established from the webpage accessed within our online service to the widget provider’s server, and the widget provider receives certain technical data (access data, including IP address) which are necessary for the widget’s content to be delivered to the user’s browser. Furthermore, the widget provider receives information indicating that users have visited our online service. This information may be stored in a cookie and used by the widget provider to identify which online services participating in the rating process have been visited by the user. The information may be stored in a user profile and used for advertising or market research purposes; Legal basis: Legitimate interests (Article 6(1), first sentence, point (f) of the GDPR).
  • Google customer reviews: A service for gathering and/or presenting customer satisfaction data and customer feedback; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Legitimate interests (Article 6(1), first sentence, point (f) of the GDPR); Website: https://www.google.com/; Privacy Policy: https://business.safety.google/privacy/; Basis for transfers to third countries: EU/EEA – Data Privacy Framework (DPF), Switzerland – Data Privacy Framework (DPF); Further information: As part of the process of collecting customer reviews, an identification number and the date and time of the transaction being reviewed are processed; in the case of review requests sent directly to customers, the customer’s email address, their country of residence and the review details themselves are also processed; Further details on the types of processing and the data processed: https://business.safety.google/adsservices/. Data processing terms for Google advertising products: Information on the services; data processing terms between data controllers; and standard contractual clauses for data transfers to third countries: https://business.safety.google/adscontrollerterms.

Social media presence

We maintain an online presence on social media platforms and, in this context, process user data in order to communicate with users active on those platforms or to provide information about us.

We would like to point out that user data may be processed outside the European Union in this context. This may entail risks for users, as it could, for example, make it more difficult to enforce their rights.

Furthermore, users’ data within social networks is generally processed for market research and advertising purposes. For example, usage profiles can be created on the basis of users’ behaviour and the interests derived from it. These profiles may in turn be used, for instance, to display adverts both within and outside the networks that are presumed to correspond to users’ interests. Consequently, cookies are usually stored on users’ computers, in which their usage behaviour and interests are recorded. In addition, data may also be stored in these usage profiles regardless of the devices used by users (particularly if they are members of the respective platforms and are logged in there).

For a detailed explanation of the various forms of data processing and the options for objecting (opt-out), please refer to the privacy policies and information provided by the operators of the respective networks.

We would also like to point out that, in the case of requests for information and the exercise of data subjects’ rights, these can most effectively be addressed with the service providers. Only the service providers have access to the user data and are able to take appropriate action and provide information directly. Should you nevertheless require assistance, please do not hesitate to contact us.

  • Types of data processed: Contact details (e.g. postal and email addresses or telephone numbers); content data (e.g. text or image-based messages and posts, as well as related information such as details of authorship or the time of creation). Usage data (e.g. page views and time spent on the site, click paths, usage intensity and frequency, types of devices and operating systems used, interactions with content and functions).
  • People affected: Users (e.g. website visitors, users of online services).
  • Purposes of processing and legitimate interests: Communication; feedback (e.g. collecting feedback via an online form). Public relations.
  • Retention and deletion: Deletion in accordance with the information set out in the section „General information on data storage and deletion“.
  • Legal basis: Legitimate interests (Article 6(1), first sentence, point (f) of the GDPR).

Further information on processing procedures, methods and services:

  • Instagram: A social network that allows users to share photos and videos, comment on and like posts, send messages, and follow profiles and pages; Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal basis: Legitimate interests (Article 6(1), first sentence, point (f) of the GDPR); Website: https://www.instagram.com; Privacy Policy: https://privacycenter.instagram.com/policy/. Basis for transfers to third countries: EU/EEA – Data Privacy Framework (DPF), Switzerland – Data Privacy Framework (DPF).
  • Facebook pages: Profiles on the Facebook social network – The data controller is jointly responsible with Meta Platforms Ireland Limited for the collection and transmission of data relating to visitors to our Facebook page („fan page“). This includes, in particular, information on user behaviour (e.g. content viewed or interacted with, actions taken) as well as device information (e.g. IP address, operating system, browser type, language settings, cookie data). Further details can be found in Facebook’s Data Policy: https://www.facebook.com/privacy/policy/. Facebook also uses this data to provide us with statistical analyses via the „Page Insights“ service, which give us an insight into how people interact with our page and its content. This is based on an agreement with Facebook („Information about Page Insights“: https://www.facebook.com/legal/terms/page_controller_addendum), which sets out, amongst other things, security measures and the exercise of data subjects’ rights. Further information can be found here: https://www.facebook.com/legal/terms/information_about_page_insights_data. Users may therefore submit requests for access or erasure directly to Facebook. Users’ rights (in particular the right of access, erasure, objection and the right to lodge a complaint with a supervisory authority) remain unaffected by this. Joint controllership is limited exclusively to the collection of data by Meta Platforms Ireland Limited (EU). Meta Platforms Ireland Limited is solely responsible for any further processing, including any possible transfer to Meta Platforms Inc. in the USA; Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal basis: Legitimate interests (Article 6(1), first sentence, point (f) of the GDPR); Website: https://www.facebook.com; Privacy Policy: https://www.facebook.com/privacy/policy/. 
    Basis for transfers to third countries: EU/EEA – Data Privacy Framework (DPF), Standard Contractual Clauses (https://www.facebook.com/legal/EU_data_transfer_addendum), Switzerland – Data Privacy Framework (DPF), Standard Contractual Clauses (https://www.facebook.com/legal/EU_data_transfer_addendum).
  • LinkedIn: Social network – We are jointly responsible with LinkedIn Ireland Unlimited Company for the collection (but not the further processing) of visitor data used to generate the „Page Insights“ (statistics) for our LinkedIn profiles. This data includes information about the types of content that users view or interact with, as well as the actions they take. Details of the devices used are also collected, such as IP addresses, operating system, browser type, language settings and cookie data, as well as information from user profiles, such as job title, country, industry, hierarchical level, company size and employment status. Information on the processing of user data by LinkedIn can be found in LinkedIn’s privacy policy: https://www.linkedin.com/legal/privacy-policy.
    We have entered into a specific agreement with LinkedIn Ireland („Page Insights Joint Controller Addendum“, https://legal.linkedin.com/pages-joint-controller-addendum), which sets out, in particular, the security measures LinkedIn must comply with and in which LinkedIn has agreed to uphold the rights of data subjects (i.e. users may, for example, submit requests for access or erasure directly to LinkedIn). Users’ rights (in particular the right to access, erasure, objection and to lodge a complaint with the competent supervisory authority) are not restricted by the agreements with LinkedIn. Joint responsibility is limited to the collection and transfer of data to LinkedIn Ireland Unlimited Company, a company based in the EU. Further processing of the data is the sole responsibility of LinkedIn Ireland Unlimited Company, in particular with regard to the transfer of data to the parent company, LinkedIn Corporation, in the USA; Service provider: LinkedIn Ireland Unlimited Company, Wilton Plaza, Dublin 2, Ireland; Legal basis: Legitimate interests (Article 6(1), first sentence, point (f) of the GDPR); Website: https://www.linkedin.com; Privacy Policy: https://www.linkedin.com/legal/privacy-policy; Basis for transfers to third countries: EU/EEA – Data Privacy Framework (DPF), Standard Contractual Clauses (https://www.linkedin.com/legal/privacy-policy), Switzerland – Data Privacy Framework (DPF), Standard Contractual Clauses (https://www.linkedin.com/legal/privacy-policy). Right to object (opt-out): https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.
  • Xing: Social network; Service provider: New Work SE, Am Strandkai 1, 20457 Hamburg, Germany; Legal basis: Legitimate interests (Article 6(1), first sentence, point (f) of the GDPR); Website: https://www.xing.com/. Privacy Policy: https://privacy.xing.com/de/datenschutzerklaerung.

Plug-ins, embedded functions and content

We incorporate functional and content elements into our online offering which are sourced from the servers of their respective providers (hereinafter referred to as „third-party providers“). These may include, for example, graphics, videos or city maps (hereinafter collectively referred to as „content“).

The integration always requires the third-party providers of this content to process users’ IP addresses, as they would be unable to send the content to users’ browsers without an IP address. The IP address is therefore necessary for the display of this content or these functions. We endeavour to use only content where the respective providers use the IP address solely for the purpose of delivering the content. Third-party providers may also use so-called pixel tags (invisible graphics, also known as „web beacons“) for statistical or marketing purposes. These „pixel tags“ enable information, such as visitor traffic on the pages of this website, to be analysed. This pseudonymous information may also be stored in cookies on the user’s device and may include, amongst other things, technical details regarding the browser and operating system, referring websites, the time of the visit and further details on the use of our online service; it may also be linked to such information from other sources.

Notes on the legal basis: Where we ask users for their consent to the use of third-party providers, the legal basis for data processing is that consent. Otherwise, user data is processed on the basis of our legitimate interests (i.e. our interest in providing efficient, cost-effective and user-friendly services). In this context, we would also like to draw your attention to the information on the use of cookies in this privacy policy.

  • Types of data processed: Usage data (e.g. page views and time spent on the site, click paths, usage intensity and frequency, types of devices and operating systems used, interactions with content and features); Meta, communication and procedural data (e.g. IP addresses, time stamps, identification numbers, individuals involved). Location data (information regarding the geographical position of a device or a person).
  • People affected: Users (e.g. website visitors, users of online services).
  • Purposes of processing and legitimate interests: Provision of our online services and user-friendliness.
  • Retention and deletion: Deletion in accordance with the information provided in the section „General information on data storage and deletion“. Cookies may be stored for up to two years (unless otherwise stated, cookies and similar storage methods may be stored on users’ devices for a period of two years).
  • Legal basis: Consent (Article 6(1), first sentence, point (a) of the GDPR). Legitimate interests (Article 6(1), first sentence, point (f) of the GDPR).

Further information on processing procedures, methods and services:

  • Integration of third-party software, scripts or frameworks (e.g. jQuery): We incorporate software into our online service that we retrieve from other providers’ servers (e.g. function libraries that we use to enhance the presentation or user-friendliness of our online service). In doing so, the respective providers collect users’ IP addresses and may process them for the purposes of transmitting the software to users’ browsers, for security purposes, and for the evaluation and optimisation of their services; Legal basis: Legitimate interests (Article 6(1), first sentence, point (f) of the GDPR).
  • Font Awesome (hosted on our own server): Display of fonts and symbols; Service provider: The Font Awesome icons are hosted on our server; no data is transmitted to the Font Awesome provider; Legal basis: Legitimate interests (Article 6(1), first sentence, point (f) of the GDPR).
  • Google Maps: We embed maps from the „Google Maps“ service provided by Google. The data processed may include, in particular, users’ IP addresses and location data; Service provider: Google Cloud EMEA Limited, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland; Legal basis: Consent (Article 6(1), first sentence, point (a) of the GDPR); Website: https://mapsplatform.google.com/; Privacy Policy: https://business.safety.google/privacy/. Basis for transfers to third countries: EU/EEA – Data Privacy Framework (DPF), Switzerland – Data Privacy Framework (DPF).

Management, organisation and support tools

We use services, platforms and software provided by other providers (hereinafter referred to as „third-party providers“) for the purposes of organising, managing, planning and delivering our services. When selecting third-party providers and their services, we comply with the relevant legal requirements.

In this context, personal data may be processed and stored on third-party providers’ servers. This may affect various types of data which we process in accordance with this privacy policy. Such data may include, in particular, users’ master data and contact details, as well as data relating to transactions, contracts, other processes and their contents.

Where users are directed to third-party providers or their software or platforms in the course of communication, business or other dealings with us, those third-party providers may process usage data and metadata for security purposes, to optimise their services or for marketing purposes. We therefore ask that you refer to the privacy policies of the relevant third-party providers.

  • Types of data processed: Content data (e.g. text-based or image-based messages and posts, as well as related information such as details of authorship or the time of creation); Usage data (e.g. page views and time spent on site, click paths, usage intensity and frequency, types of devices and operating systems used, interactions with content and functions); Meta, communication and procedural data (e.g. IP addresses, timestamps, identification numbers, individuals involved); Master data (e.g. full name, residential address, contact details, customer number, etc.); Contact details (e.g. postal and email addresses or telephone numbers); Applicant data (e.g. personal details, postal and contact addresses, documents relating to the application and the information contained therein, such as cover letters, CVs, certificates, as well as any further information relating to a specific position or voluntarily provided by applicants regarding their personal details or qualifications); Contract data (e.g. subject matter of the contract, term, customer category).
  • People affected: Communication partners; users (e.g. website visitors, users of online services); job applicants; prospective customers; business and contractual partners.
  • Purposes of processing and legitimate interests: Provision of contractual services and fulfilment of contractual obligations; office and organisational procedures; recruitment procedures (establishment and any subsequent implementation, as well as possible subsequent termination of the employment relationship). Communication.
  • Retention and deletion: Deletion in accordance with the information set out in the section „General information on data storage and deletion“.
  • Legal basis: Legitimate interests (Article 6(1), first sentence, point (f) of the GDPR).

Further information on processing procedures, methods and services:

Processing of data in the context of employment relationships

In the context of employment relationships, personal data is processed with the aim of effectively establishing, managing and terminating such relationships. This data processing supports various operational and administrative functions necessary for the management of staff relations.

Data processing encompasses various aspects, ranging from the initiation of a contract to its termination. This includes the organisation and administration of daily working hours, the management of access rights and authorisations, and the handling of staff development measures and performance reviews. The processing also serves the purposes of payroll accounting and the administration of wage and salary payments, which are critical aspects of contract performance.

In addition, data processing takes into account the legitimate interests of the employer responsible, such as ensuring safety in the workplace or collecting performance data for the purpose of evaluating and optimising operational processes. Furthermore, data processing includes the disclosure of employee data as part of external communication and publication processes, where this is necessary for operational or legal purposes.

This data is always processed in accordance with the applicable legal framework, with the aim always being to create and maintain a fair and efficient working environment. This also includes taking into account the data protection of the employees concerned, and the anonymisation or deletion of data once the purpose of processing has been fulfilled or in accordance with statutory retention periods.

  • Types of data processed: Employee data (information on employees and other individuals in an employment relationship); payment data (e.g. bank details, invoices, payment history); contract data (e.g. subject matter of the contract, term, customer category); Master data (e.g. full name, residential address, contact details, customer number, etc.); contact details (e.g. postal and email addresses or telephone numbers); Content data (e.g. text or image-based messages and posts, as well as related information such as details of authorship or the time of creation); Social data (data subject to social confidentiality and processed, for example, by social security providers, social welfare agencies or pension authorities); Log data (e.g. log files relating to logins, data retrieval or access times); Performance and behavioural data (e.g. performance and behavioural aspects such as performance appraisals, feedback from line managers, participation in training, compliance with company policies, self-assessments and behavioural assessments); Working time data (e.g. start of working time, end of working time, actual working time, scheduled working time, break times, overtime, annual leave days, special leave days, sick days, absences, days working from home, business trips); Salary data (e.g. basic salary, bonus payments, incentives, tax bracket information, allowances for night work/overtime, tax deductions, social security contributions, net pay); Photographs and/or video recordings (e.g. photographs or video recordings of a person); usage data (e.g. page views and time spent on pages, click paths, usage intensity and frequency, types of devices and operating systems used, interactions with content and functions). Meta, communication and procedural data (e.g. IP addresses, time stamps, identification numbers, persons involved).
  • Special categories of personal data: Health data; religious or philosophical beliefs; trade union membership.
  • People affected: Staff (e.g. employees, job applicants, temporary staff and other staff members).
  • Purposes of processing and legitimate interests: Establishment and administration of employment relationships (processing of employee data in connection with the establishment and administration of employment relationships); business processes and operational procedures; provision of contractual services and fulfilment of contractual obligations; public relations; security measures; office and organisational procedures.
  • Legal basis: Performance of a contract and pre-contractual enquiries (Article 6(1), first sentence, point (b) of the GDPR); Legal obligation (Article 6(1), first sentence, point (c) of the GDPR); Legitimate interests (Article 6(1), first sentence, point (f) of the GDPR). Processing of special categories of personal data relating to health, employment and social security (Article 9(2), point (h) of the GDPR).

Further information on processing procedures, methods and services:

  • Time and attendance recording: Methods for recording employees’ working hours include both manual and automated approaches, such as the use of time clocks, time-recording software or mobile apps. This involves activities such as entering arrival and departure times, break times, overtime and absences. Verification and validation of the recorded working hours include cross-checking against duty or shift rosters, checking for absences and the approval of overtime by line managers. Reports and analyses are generated based on the recorded working hours to provide timesheets, overtime reports and absence statistics for management and the HR department; Legal basis: Performance of a contract and pre-contractual enquiries (Article 6(1), first sentence, point (b) of the GDPR), legitimate interests (Article 6(1), first sentence, point (f) of the GDPR).
  • Access management: Procedures required for the definition, management and control of access rights and user roles within a system or organisation (e.g. creation of authorisation profiles, role- and access-based control, review and approval of access requests, regular review of access rights, tracking and auditing of user activities, creation of security policies and procedures); Legal basis: Performance of a contract and pre-contractual enquiries (Article 6(1), first sentence, point (b) of the GDPR), legal obligation (Article 6(1), first sentence, point (c) of the GDPR), Legitimate interests (Article 6(1), first sentence, point (f) of the GDPR).
  • Special categories of personal data: Special categories of personal data are processed in the context of the employment relationship or to fulfil legal obligations. The special categories of personal data processed include data relating to employees’ health, trade union membership or religious affiliation. This data may, for example, be passed on to health insurance funds or processed for the purpose of assessing employees’ fitness for work, for occupational health management, or for reporting to the tax authorities; Legal basis: Performance of a contract and pre-contractual enquiries (Article 6(1), first sentence, point (b) of the GDPR), legal obligation (Article 6(1), first sentence, point (c) of the GDPR), Legitimate interests (Article 6(1), first sentence, point (f) of the GDPR).
  • Sources of the processed data: Personal data obtained in the context of an employee’s application and/or employment relationship is processed. In addition, where required by law, personal data is collected from other sources. These may include tax authorities for tax-related information, the relevant health insurance provider for information on sick leave, third parties such as employment agencies, or publicly accessible sources such as professional social networks in the context of recruitment processes; Legal basis: Legal obligation (Article 6(1), first sentence, point (c) of the GDPR), legitimate interests (Article 6(1), first sentence, point (f) of the GDPR).
  • Purposes of data processing: Employees’ personal data is processed primarily for the purposes of establishing, managing and terminating the employment relationship. Furthermore, the processing of this data is necessary to comply with legal obligations under tax and social security legislation. In addition to these primary purposes, employees’ data is also used to meet regulatory and supervisory requirements, to optimise electronic data processing procedures, and to compile internal or cross-company data, which may include statistical data. Furthermore, employees’ data may be processed for the purpose of asserting legal claims and defending the company in legal disputes; Legal basis: Performance of a contract and pre-contractual enquiries (Article 6(1), first sentence, point (b) of the GDPR), legal obligation (Article 6(1), first sentence, point (c) of the GDPR), Legitimate interests (Article 6(1), first sentence, point (f) of the GDPR).
  • Transfer of employee data: Employees’ data is processed internally only by those departments that require it in order to fulfil operational, contractual and legal obligations.
    Data will only be disclosed to external recipients where required by law, or where the employees concerned have given their consent. Possible scenarios for this include requests for information from public authorities or in the case of capital formation benefits. Furthermore, the data controller may pass on personal data to other recipients insofar as this is necessary to fulfil its contractual and statutory obligations as an employer. These recipients may include: a) banks; b) health insurance funds, pension insurance providers, retirement provision providers and other social security providers; c) public authorities, courts (e.g. tax authorities, employment tribunals, other supervisory authorities in the context of fulfilling reporting and disclosure obligations); d) tax and legal advisers; e) third-party debtors in the event of wage and salary garnishments; f) other bodies to which legally required declarations must be made.
    Furthermore, data may be disclosed to third parties where this is necessary for communication with business partners, suppliers or other service providers. Examples of this include details in the ‘From’ field of emails or on letterheads, as well as the creation of profiles on external platforms; Legal basis: Performance of a contract and pre-contractual enquiries (Article 6(1), first sentence, point (b) of the GDPR), legitimate interests (Article 6(1), first sentence, point (f) of the GDPR).
  • Transfer of employee data to third countries: Employee data is only transferred to third countries – that is, countries outside the European Union (EU) and the European Economic Area (EEA) – if this is necessary for the fulfilment of the employment relationship, if it is required by law, or if employees have given their consent. Where required by law, employees will be informed separately of the details; Legal basis: Legitimate interests (Article 6(1), first sentence, point (f) of the GDPR).
  • Business travel and travel expense claims: Procedures required for the planning, organisation and settlement of business travel (e.g. booking travel, organising accommodation and transport, managing travel expense advances, submitting and verifying travel expense claims, checking and posting the costs incurred, ensuring compliance with travel policies, and handling travel expense management); Legal basis: Performance of a contract and pre-contractual enquiries (Article 6(1), first sentence, point (b) of the GDPR), legal obligation (Article 6(1), first sentence, point (c) of the GDPR), Legitimate interests (Article 6(1), first sentence, point (f) of the GDPR).
  • Payroll processing and payroll accounting: Processes required for the calculation, payment and documentation of employees’ wages, salaries and other remuneration (e.g. recording working hours, calculating deductions and supplements, paying tax and social security contributions, preparing payslips, maintaining payroll accounts, and reporting to the tax authorities and social security bodies); Legal basis: Performance of a contract and pre-contractual enquiries (Article 6(1), first sentence, point (b) of the GDPR), legal obligation (Article 6(1), first sentence, point (c) of the GDPR).
  • Deletion of employee data: Under German law, employee data is deleted when it is no longer required for the purpose for which it was collected, unless it must be retained or archived due to legal obligations or in the interests of the employer. In this regard, the following retention and archiving obligations are observed:
    • General personnel records – General personnel records (such as employment contracts, references and supplementary agreements) are retained for up to three years after the termination of the employment relationship (Section 195 of the German Civil Code (BGB)).
    • Tax-related documents – Tax-related documents in the personnel file are retained for six years (Section 147 of the German Fiscal Code (AO), Section 257 of the German Commercial Code (HGB)).
    • Information on wages and working hours – Information on wages and working hours for persons insured under the (accident) insurance scheme who provide proof of earnings is retained for five years (Section 165(1)(1), (4)(2) of Book VII of the Social Code).
    • Payroll records, including lists of special payments – Payroll records, including lists of special payments, provided that a supporting document exists, must be retained for ten years (Section 147 of the German Fiscal Code (AO), Section 257 of the German Commercial Code (HGB)).
    • Payroll records for interim, final and special payments – Payroll records for interim, final and special payments must be retained for six years (Section 147 of the German Fiscal Code (AO), Section 257 of the German Commercial Code (HGB)).
    • Documents relating to employees’ insurance – Documents relating to employees’ insurance, provided that accounting records are available, must be retained for ten years (Section 147 of the German Fiscal Code (AO), Section 257 of the German Commercial Code (HGB)).
    • Contribution statements for social security institutions – Contribution statements for social security institutions must be retained for ten years (Section 165 of Book VII of the Social Code).
    • Payroll records – Payroll records must be retained for six years (Section 41(1)(9) of the Income Tax Act).
    • Applicant data – Retained for a maximum of six months from the date of receipt of the rejection.
    • Records of working hours (for working days exceeding 8 hours) – These are retained for two years (Section 16(2) of the Working Hours Act (ArbZG)).
    • Application documents (following an online job advertisement) – These are retained for between three and a maximum of six months after receipt of the rejection notice (Section 26 of the Federal Data Protection Act (BDSG) (as amended), Section 15(4) of the General Equal Treatment Act (AGG)).
    • Certificates of incapacity for work (AU) – These are retained for up to five years (Section 6(1) of the Expenses Reimbursement Act (AAG)).
    • Documents relating to occupational pension schemes – These must be retained for 30 years (Section 18a of the Act on the Improvement of Occupational Pension Schemes (BetrAVG)).
    • Employees’ sickness records – These are retained for twelve months from the start of the illness, provided that the total number of days absent in any one year does not exceed six weeks.
    • Documents relating to maternity leave – These are kept for two years (Section 27(5) of the Maternity Leave Act).
    Legal basis: Performance of a contract and pre-contractual enquiries (Article 6(1), first sentence, point (b) of the GDPR), legal obligation (Article 6(1), first sentence, point (c) of the GDPR), Legitimate interests (Article 6(1), first sentence, point (f) of the GDPR), processing of special categories of personal data relating to health, employment and social security (Article 9(2), point (h) of the GDPR).
  • Personnel records management: Procedures required for the organisation, updating and management of staff data and records (e.g. recording of personnel master data, retention of employment contracts, references and certificates, updating of data in the event of changes, compiling documents for staff appraisals, archiving of personnel files, compliance with data protection regulations); Legal basis: Performance of a contract and pre-contractual enquiries (Article 6(1), first sentence, point (b) of the GDPR), legal obligation (Article 6(1), first sentence, point (c) of the GDPR), Legitimate interests (Article 6(1), first sentence, point (f) of the GDPR), processing of special categories of personal data relating to health, employment and social security (Article 9(2), point (h) of the GDPR).
  • Staff development, performance appraisal and staff appraisals: Procedures required in the areas of staff development and advancement, as well as for assessing staff performance and in the context of staff appraisals (e.g. needs analysis for further training, planning and delivery of training programmes, preparation of performance appraisals, conducting target-setting and feedback meetings, career planning and talent management, succession planning); Legal basis: Performance of a contract and pre-contractual enquiries (Article 6(1), first sentence, point (b) of the GDPR), legal obligation (Article 6(1), first sentence, point (c) of the GDPR), Legitimate interests (Article 6(1), first sentence, point (f) of the GDPR), processing of special categories of personal data relating to health, employment and social security (Article 9(2), point (h) of the GDPR).
  • Obligation to provide data: The data controller informs employees that the provision of their personal data is necessary. This is generally the case where the data is required for the establishment and performance of the employment relationship, or where its collection is required by law. The provision of personal data may also be necessary where employees assert claims or are entitled to benefits. The implementation of these measures or the fulfilment of these obligations depends on the provision of this data (for example, the provision of data for the purpose of receiving wages); Legal basis: Performance of a contract and pre-contractual enquiries (Article 6(1), first sentence, point (b) of the GDPR), legal obligation (Article 6(1), first sentence, point (c) of the GDPR), Legitimate interests (Article 6(1), first sentence, point (f) of the GDPR).
  • Publication and disclosure of employee data: Employees’ personal data will only be published or disclosed to third parties if this is necessary for the performance of their duties in accordance with their employment contract. This applies, for example, where employees are named as points of contact in correspondence, on the website or in public registers, following consultation or in accordance with an agreed job description, or where their remit includes representative duties. This may also be the case where, in the course of carrying out their duties, employees appear in or communicate with the public, such as in photographs taken as part of public relations work. Otherwise, employees’ data will only be published with their consent or on the basis of the employer’s legitimate interests, for example in the case of stage or group photographs taken during a public event; Legal basis: Performance of a contract and pre-contractual enquiries (Article 6(1), first sentence, point (b) of the GDPR), legitimate interests (Article 6(1), first sentence, point (f) of the GDPR).

Application process

The application process requires applicants to provide us with the information necessary for their assessment and selection. The information required is set out in the job description or, in the case of online forms, in the details provided there.

Generally speaking, the required details include personal information such as your name, address and contact details, as well as evidence of the qualifications required for the post. We are also happy to provide further details on what information is required upon request.

Where available, applicants are welcome to submit their applications via our online form, which is encrypted using state-of-the-art technology. Alternatively, it is also possible to send applications to us by email. However, we would like to point out that emails are generally not sent in encrypted form over the internet. Although emails are usually encrypted whilst in transit, this is not the case on the servers from which they are sent and received. We are therefore unable to accept any responsibility for the security of your application whilst it is being transmitted between you and our server.

For the purposes of searching for candidates, receiving applications and selecting candidates, we may, in accordance with legal requirements, make use of candidate management and recruitment software, as well as third-party platforms and services.

Applicants are welcome to contact us to enquire about how to submit their application, or to send it to us by post.

Processing of special categories of data: Where, as part of the recruitment process, special categories of personal data (Article 9(1) of the GDPR, e.g. health data, such as severe disability status or ethnic origin) are requested from applicants or provided by them, such data is processed to enable the controller or the data subject to exercise their rights and fulfil their obligations arising from employment law and the law on social security and social protection, in the case of the protection of the vital interests of applicants or other individuals, or for the purposes of preventive healthcare or occupational medicine, for the assessment of an employee’s fitness for work, for medical diagnosis, for care or treatment in the health or social sector, or for the administration of systems and services in the health or social sector.

Deletion of data: The data provided by applicants may be further processed by us for the purposes of the employment relationship in the event of a successful application. Otherwise, if the application for a vacancy is unsuccessful, the applicants’ data will be deleted. Applicants’ data will also be deleted if an application is withdrawn, which applicants are entitled to do at any time. Subject to a valid withdrawal by the applicant, the data will be deleted no later than six months after the application was submitted, to enable us to answer any follow-up questions regarding the application and to fulfil our obligations to provide evidence under the regulations on equal treatment of applicants. Invoices relating to any travel expense reimbursements are archived in accordance with tax regulations.

Inclusion in a candidate pool: Inclusion in a candidate pool, where offered, is subject to consent. Candidates are informed that their consent to be included in the talent pool is voluntary, has no bearing on the current recruitment process, and that they may withdraw their consent at any time with effect for the future.

Length of time data is retained in the candidate pool, in months: 6

  • Types of data processed: Master data (e.g. full name, home address, contact details, customer number, etc.); contact details (e.g. postal and email addresses or telephone numbers); Content data (e.g. text or image-based messages and posts, as well as related information such as details of authorship or the time of creation). Applicant data (e.g. personal details, postal and contact addresses, documents relating to the application and the information contained therein, such as cover letters, CVs, certificates, as well as further information regarding a specific position or information provided voluntarily by applicants about themselves or their qualifications).
  • People affected: Applicants.
  • Purposes of processing and legitimate interests: Recruitment procedure (reasons for, and any subsequent implementation of, the recruitment process, as well as the possible subsequent termination of the employment relationship).
  • Retention and deletion: Deletion in accordance with the information set out in the section „General information on data storage and deletion“.
  • Legal basis: The recruitment process as a pre-contractual or contractual relationship (Article 6(1), first sentence, point (b) of the GDPR). Legitimate interests (Article 6(1), first sentence, point (f) of the GDPR).

Further information on processing procedures, methods and services:

  • Indeed: Services relating to recruitment (search for staff, communication, application procedures, contract negotiations); Service provider: Indeed Ireland Operations Limited, 124 St Stephen’s Green, Dublin 2, Ireland; Legal basis: Legitimate interests (Article 6(1), first sentence, point (f) of the GDPR); Website: https://indeed.com/. Privacy Policy: https://de.indeed.com/legal?hl=de#privacypolicy.

Amendments and updates

We ask that you check the content of our privacy policy regularly. We will update the privacy policy as soon as changes to the data processing activities we carry out make this necessary. We will inform you as soon as the changes require any action on your part (e.g. consent) or any other individual notification.

Where we provide addresses and contact details for companies and organisations in this privacy policy, please note that these details may change over time, and we ask that you check them before making contact.

Definitions of terms

This section provides an overview of the terms used in this privacy policy. Where these terms are defined by law, their statutory definitions shall apply. The explanations below, however, are primarily intended to aid understanding.

  • Employees: The term ‘employee’ refers to individuals who are in an employment relationship, whether as staff members, employees or in similar roles. An employment relationship is a legal relationship between an employer and an employee, which is established by an employment contract or agreement. It involves the employer’s obligation to pay the employee remuneration in return for the employee’s work. The employment relationship comprises various phases, including the commencement phase, during which the employment contract is concluded; the performance phase, during which the employee carries out their work; and the termination phase, when the employment relationship ends, whether through dismissal, a termination agreement or otherwise. Employee data refers to all information relating to these individuals and arising in the context of their employment. This includes aspects such as personal identification details, identification numbers, salary and bank details, working hours, holiday entitlements, health data and performance appraisals.
  • Stock data: Master data comprises essential information required for the identification and management of contractual partners, user accounts, profiles and similar assignments. This data may include, amongst other things, personal and demographic details such as names, contact details (addresses, telephone numbers, email addresses), dates of birth and specific identifiers (user IDs). Master data forms the basis for any formal interaction between individuals and services, organisations or systems by enabling unique mapping and communication.
  • Contents: Content data comprises information generated during the creation, editing and publication of all types of content. This category of data may include text, images, videos, audio files and other multimedia content published on various platforms and media. Content data is not limited to the actual content, but also includes metadata that provides information about that content, such as tags, descriptions, author details and publication dates.
  • Contact details: Contact details are essential pieces of information that enable communication with individuals or organisations. They include, amongst other things, telephone numbers, postal addresses and email addresses, as well as communication channels such as social media handles and instant messaging identifiers.
  • Conversion tracking: Conversion tracking (also known as „visit-action analysis“) is a method used to determine the effectiveness of marketing measures. To do this, a cookie is usually stored on users’ devices whilst they are on the websites where the marketing measures are carried out, and is then retrieved again on the target website. For example, this enables us to track whether the adverts we have placed on other websites have been successful.
  • Artificial Intelligence (AI): The purpose of processing data using artificial intelligence (AI) is to analyse and process user data automatically in order to identify patterns, make predictions and improve the efficiency and quality of our services. This involves the collection, cleaning and structuring of data, the training and application of AI models, and the continuous review and optimisation of results, and is carried out exclusively with the users’ consent or on the basis of statutory authorisation.
  • Performance and behavioural data: Performance and behavioural data refer to information relating to how individuals carry out tasks or behave in a specific context, such as an educational, work or social environment. This data may include metrics such as productivity, efficiency, quality of work, attendance and compliance with policies or procedures. Behavioural data could include interactions with colleagues, communication styles, decision-making processes and reactions to various situations. These types of data are often used for performance appraisals, training and development initiatives, and decision-making within organisations.
  • Meta, communication and transaction data: Meta-data, communication data and procedural data are categories that contain information about the way in which data is processed, transmitted and managed. Meta-data, also known as ‘data about data’, comprises information that describes the context, origin and structure of other data. It may include details such as file size, creation date, the author of a document and revision histories. Communication data records the exchange of information between users via various channels, such as email correspondence, call logs, social media messages and chat histories, including the individuals involved, timestamps and transmission routes. Process data describes the processes and procedures within systems or organisations, including workflow documentation, transaction and activity logs, and audit logs used to track and verify operations.
  • Usage data: Usage data refers to information that tracks how users interact with digital products, services or platforms. This data encompasses a wide range of information that reveals how users utilise applications, which features they prefer, how long they spend on specific pages, and the paths they take when navigating through an application. Usage data may also include frequency of use, timestamps of activities, IP addresses, device information and location data. It is particularly valuable for analysing user behaviour, optimising user experiences, personalising content and improving products or services. Furthermore, usage data plays a crucial role in identifying trends, preferences and potential problem areas within digital offerings.
  • Personal data: „Personal data“ means any information relating to an identified or identifiable natural person (hereinafter referred to as the „data subject“); a natural person is regarded as identifiable if they can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. a cookie) or one or more specific characteristics that reflect the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
  • Profiles containing user-related information: The processing of „profiles containing user-related information“, or „profiles“ for short, encompasses any form of automated processing of personal data that involves using such personal data to identify certain personal characteristics relating to a natural person (depending on the type of profiling, this may include various information relating to demographics, behaviour and interests, such as interaction with websites and their content, etc.), or to predict them (e.g. interests in specific content or products, click behaviour on a website or location). Cookies and web beacons are frequently used for profiling purposes.
  • Log data: Log data is information about events or activities that have been logged in a system or network. This data typically includes information such as timestamps, IP addresses, user actions, error messages and other details regarding the use or operation of a system. Log data is often used to analyse system issues, for security monitoring or to generate performance reports.
  • Reach measurement: Audience measurement (also known as web analytics) is used to analyse visitor traffic to an online service and may include the behaviour or interests of visitors in relation to specific information, such as website content. With the help of audience analysis, operators of online services can, for example, identify at what times users visit their websites and what content they are interested in. This enables them, for example, to better tailor the content of their websites to the needs of their visitors. For the purposes of reach analysis, pseudonymous cookies and web beacons are frequently used to recognise returning visitors and thus obtain more accurate analyses of how an online service is used.
  • Remarketing: The terms „remarketing“ or „retargeting“ are used when, for example, a website records which products a user has shown an interest in for advertising purposes, so that the user can be reminded of these products on other websites, for example through adverts.
  • Location details: Location data is generated when a mobile device (or any other device capable of determining its location) connects to a mobile network cell, a Wi-Fi network or similar technical means and location-determination functions. Location data is used to indicate the geographically identifiable position on Earth at which the device in question is located. Location data can, for example, be used to display map functions or other location-dependent information.
  • Tracking: The term „tracking“ is used when users’ behaviour can be tracked across multiple online services. As a rule, information relating to behaviour and interests in connection with the online services used is stored in cookies or on the servers of the providers of tracking technologies (a process known as ‘profiling’). This information can then be used, for example, to display adverts to users that are likely to match their interests.
  • Data controller: The term „controller“ refers to the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
  • Processing: „Processing“ means any operation or set of operations which is carried out on personal data, whether or not by automated means. The term is broad and covers virtually any handling of data, be it collection, analysis, storage, transmission or erasure.
  • Contract details: Contract data is specific information relating to the formalisation of an agreement between two or more parties. It documents the terms and conditions under which services or products are provided, exchanged or sold. This data category is essential for the management and fulfilment of contractual obligations and encompasses both the identification of the contracting parties and the specific terms and conditions of the agreement. Contract data may include the start and end dates of the contract, the nature of the agreed services or products, pricing arrangements, payment terms, termination rights, renewal options and any special conditions or clauses. It serves as the legal basis for the relationship between the parties and is crucial for clarifying rights and obligations, enforcing claims and resolving disputes.
  • Payment details: Payment data comprises all the information required to process payment transactions between buyers and sellers. This data is of crucial importance for e-commerce, online banking and any other form of financial transaction. It includes details such as credit card numbers, bank account details, payment amounts, transaction dates, verification numbers and billing information. Payment data may also include information on payment status, chargebacks, authorisations and fees.
  • Target group identification: The term „Custom Audiences“ is used when target groups are defined for advertising purposes, such as the display of adverts. For example, based on a user’s interest in certain products or topics on the internet, it can be inferred that this user would be interested in adverts for similar products or the online shop where they viewed those products. The term „Lookalike Audiences“ (or similar target groups) is used, on the other hand, when content deemed suitable is displayed to users whose profiles or interests are presumed to correspond to those of the users on whose profiles the audience was based. Cookies and web beacons are generally used for the purpose of creating Custom Audiences and Lookalike Audiences.