Data Privacy
The purpose of this Privacy Statement is to explain to you the nature, scope and purpose of the processing of personal data (hereinafter referred to in short as “Data”) within our online offer and the related websites, functions and content as well as our external online presence, such as our social media profiles (hereinafter jointly referred to as our “Online offering”). With regard to the terms used, such as “processing” or “party responsible”, we refer to the definitions contained in Art. 4 of the General Data Protection Regulation (GDPR). We also hereby inform you in the following of the external components that we use for optimisation purposes and for increasing quality of use (as long as it makes the processing of third-party data the responsibility of the respective third parties once again).
The party responsible under data protection legislation (in particular the EU's General Data Protection Regulations, GDPR) is:
MetaDesign GmbHLeibnizstraße 65
10629 Berlin
E-mail address: mail.ber@metadesign.de
Managing Director / owner: Leyser, Daniel
Contact Data Protection Officer: yusuf.tuncay-eberl@lionresources.com
You can exercise the following rights at any time using the contact details provided for our Data Protection Officers:
- Information regarding data about you stored with us and its processing (Art. 15 of the GDPR),
- Correction of incorrect personal data (Art. 16 of the GDPR),
- Deletion of data about you that is stored with us (Art. 17 of the GDPR),
- Restriction of data processing (provided that we are not entitled to delete your data on the basis of legal obligations) (Art. 18 of the GDPR),
- Objection to us processing your data (Art. 21 of the GDPR) and
- Transferability of data if you have consented to the processing of your data or have entered into a contract with us (Art. 20 of the GDPR).
If you have given us consent, you can revoke it any time, with future effect. You can refer a complaint to a regulatory authority at any time,such as to the competent supervisory authority of the Federal State of your place of residence or to our relevant responsible office with competent authority status. A list of regulatory authorities (for the non-public sector) with addresses can be found at: https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html.
Type of data to be processed:
- Inventory data (e.g. names, addresses)
- Contact data (e.g. e-mail, telephone numbers)
- Content data (e.g. text entries, photographs, videos)
- Usage data (e.g. websites visited, interest in contents, times of access)
- Meta-/communications data (e.g. devices information, IP addresses)
Categories of persons affected
Visitors to and users of our online offering (we hereinafter also refer to persons concerned collectively as “Users”).
Purpose of processing
Provision of the online offering, and its functions and contents Answering contact requests and communication with users Security measures Reach measurement/marketing
Terms used
- “Personal Data” means all information relevant to an identified or identifiable natural person (hereinafter known as the “person concerned”); a natural person is accepted as identifiable if they can be identified, directly or indirectly, in particular by means of relation to an identifier, such as a name, an identification number, location data, an online identifier (e.g. cookies) or by one or more particular features which constitute an expression of the physical, physiological, genetic, psychological, economic, cultural or social identity of the said natural person.
- “Processing” means any process or sequence of processes in connection with personal data, performed with or without the aid of automated procedures. The term has a broad meaning; it includes practically every process related to data.
- “Pseudonymisation” means the processing of personal data in such a way that personal data can no longer be assigned to a specific person concerned without the need for additional information, provided that the said additional information is stored separately and there are technical and organisational measures in place which guarantee that the said personal data cannot be assigned to any identified or identifiable natural person.
- “Profiling” means any type of automated processing of personal data with the intent of using the said personal data to evaluate certain personal aspects relevant to a natural person, in particular aspects pertinent to analysing or predicting elements of the said natural person’s work performance, economic situation, health, personal preferences, interests, reliability, behaviour, place of residence or change of location.
- A “party responsible” means the natural or legal person, authority, institution or other body which, whether alone or together with others, makes decisions regarding the purposes and the means for processing of personal data. “Processor” means a natural or legal person, authority, institution or other body which processes personal data on behalf of the party responsible.
Relevant legal bases
Pursuant to Art. 13 of the GDPR, we inform you of the legal bases for our data processing means. If the legal basis should not be mentioned in the Privacy Statement, the following shall apply:
The legal basis for obtaining consent is Art. 6 (1) (a) and Art. 7 of the GDPR; the legal basis for the processing of data as part of the fulfilment of our services and the execution of contractual measures and for answering queries is Art. 6 (1) (b) of the GDPR; the legal basis for the processing of personal data as part of the fulfilment of our legal obligations is Art. 6 (1) (c) of the GDPR; and the legal basis for the processing of personal data for the purpose of safeguarding our legitimate interests is Art. 6 (1) (f) of the GDPR. In the event that vital interests of any given person concerned or another natural person make the processing of personal data necessary, Art. 6 (1) (d) of the GDPR shall serve as the legal basis in this regard.
Security measures
We take appropriate technical and organisational measures under Art. 32 of the GDPR – taking into consideration technological status, implementation costs, and the type and scope and conditions and purposes for the processing of personal data, as well as varying risk probability and severity with regard to natural persons’ rights and liberties – in order to guarantee a level of protection appropriate to the risk.
These measures include the following in particular: securing confidentiality, integrity and availability of data by monitoring physical access to it, including the access conditions with respect to the latter and its input, disclosure, protection of availability and separation. We have also established procedures that guarantee observance of the rights of persons concerned, the deletion of data and response to compromised data. We also take into account the protection of personal data during the development/selection of hardware or software and individual procedures, in accordance with the principle of data protection through technology design and privacy-friendly default settings (Art. 25 of the GDPR).
Collaboration with processors and third parties
If we disclose data to other persons and companies (processors or third parties) as part of our data processing, forward it to them or otherwise grant them access to data, this may be done only on the basis of a statutory permit (e.g. if it is necessary to transfer data to third parties, or to lettershops (as per Art. 6 (1) (b) of the GDPR) for the purpose of contractual fulfilment), you have consented, there is a legal obligation mandating it or if it is relevant to our legitimate interests (e.g. when using agents, web hosters, etc.).
If we commission third parties to process data on the basis of a so-called “order processing agreement”, this shall be performed on the basis of Art. 28 of the GDPR.
Transmission to third party countries
If we process data in a third party country (i.e. outside the European Union (EU) or the European Economic Area (EEA)), or this happens in the context of use of third party services or of disclosure or transmission of data to third parties, this may be done only for the purpose of fulfilment of our (pre)-contractual obligations, or on the basis of your consent, a legal obligation or our legitimate interests. Subject to legal or contractual permission, we will process data (or allow it to be processed) in a third party country only if the special conditions included in Art. 44 ff. of the GDPR apply. That is to say: such processing can be carried out on the basis of special guarantees, such as the officially recognised establishment of an EU-standard data protection level (e.g. with the “Privacy Shield” in the case of the USA) or the observation of officially recognised special contractual obligations (so-called “standard contractual clauses”).
Right of revocation
You can revoke future processing of data applicable to you, at any time, pursuant to Art. 21 of the GDPR. Such a revocation can be initiated in particular to prevent processing of data for direct marketing purposes.
Cookies and right of revocation with direct marketing
“Cookies” are small files stored on users’ computers. Different kinds of information can be stored within cookies. The primary purpose of a cookie is to save information on a user (or on the device on which the cookie is saved) during or after their visit as part of an online offering. Cookies that are deleted after a user has left an online offering and closed their browser are labelled as temporary cookies, “session cookies” or “transient cookies”. Aspects that can be saved in such a cookie include the content of a shopping cart in an online shop or a login status. Cookies are known as “permanent” or “persistent” if they remain saved after the browser has been closed. With this, login status, for example, can be saved if the users visit again after several days. The interests of users can also be saved in such a cookie, for use for range measurement or marketing purposes. Cookies offered by providers other than the party responsible (i.e. that has provided the online offering), are known as “third-party cookies” (otherwise, if it’s only their own cookies, these are known as “first-party cookies”).
We can use temporary and permanent cookies – we clarify them in the context of our Privacy Statement.
If you, as the user, do not want cookies to be stored on your computer, you will be asked to deactivate the appropriate option in the system settings of your browser. Saved cookies can be deleted in the system settings of your browser. Exclusion of cookies can lead to functional restrictions with the online offering.
A general objection to the use of cookies used for online marketing purposes can be clarified by a variety of services (especially in the case of tracking) recognised with the American website http://www.aboutads.info/choices/ or the EU website http://www.youronlinechoices.com/. Furthermore, cookies can be saved in the browser settings by deactivating them. Please note that, if you decide to do this, not all functions included in the online offering can be used.
Deletion of data
The data processed by us shall be deleted, or have its processing restricted, in accordance with Art. 17 and 18 of the GDPR. Unless explicitly stated in this Privacy Statement, data saved with us shall be deleted as soon as it is no longer required for its intended purpose and such deletion does not conflict with any statutory retention requirements. If such data is not deleted – because it is required for other, legally permitted, purposes – its processing shall be restricted. That is to say, the data shall be disabled and not processed for other purposes. This applies, for example, for data which needs to be retained for commercial or tax law reasons.
In accordance with existing legal requirements in Germany, the period for such storage may be 10 years (pursuant to §§ 147 (1) of the German Fiscal Code, 257 (1) (1) and (4) of the German Commercial Code (for books, records, status reports, accounting documents, trading books, for taxation of relevant documents, etc.)) or 6 years (pursuant to § 257 (1) nos. (2) and (3) of and Clause 4 of the German Commercial Code (business letters)).
Business-related processing
We also process
- Contract data (e.g. object of contract, duration period, customer category)
- Payment data (e.g., bank details, payment history) of our clients, prospective clients and business partners for the purpose of providing contractual services, customer care and service, marketing, advertising and market research.
Agency services
We process our clients’ data as part of our contractual services – this includes conceptual and strategic advice, campaign planning, software and design development/advice or care, implementation of campaigns and processes/handling, server administration, data analysis/consulting services and training services.
As part of this, we process inventory data (e.g. customer master data, such as names or addresses), contact data (e.g., e-mail, telephone numbers), content data (e.g. text entries, photographs, videos), contract data (e.g. object of contract, duration period), payment data (e.g. bank details, payment history), usage and metadata (e.g. as part of evaluation and performance measurement of marketing measures). There are certain categories of personal data which we will absolutely not process unless the components in question are of commissioned processing. Persons concerned include our clients and prospective customers, as well as their clients, users, website visitors or colleagues, as well as third parties. The purpose of the processing is the provision of contractual services, accounting, and our customer service. The legal bases for processing are covered in Art. 6 (1) (b) of the GDPR (contractual services), Art. 6 (1) (f) of the GDPR (analysis, statistics, optimisation, safety measures). We process data necessary for the justification and fulfilment of contractual services, with reference to the of processing it. It may be disclosed to external parties only if this is necessary as part of an order. During processing of the data transferred to us as part of an order, we will act in a manner consistent with the instructions of the client as well as with the legal requirements recognised with order processing as per Art. 28 of the GDPR, and we will not process such data for any purposes other than those specified in the order.
We will delete the data upon the expiry of the statutory warranty obligations and comparable obligations. The necessity for retention of the data shall be checked every three years; with statutory archiving obligations, it shall be deleted after they expire (6 years, in accordance with § 257 (1) of the German Commercial Code, or 10 years, in accordance with § 147 (1) of the German Fiscal Code). With data which was disclosed to us by the client as part of an order, we shall delete this data in accordance with the specifications of the order (or, in any case, after the end of the order).
Contractual services
We process the data of our contractual partners and prospective clients, as well as that of other clients, customers or contractual partners (together designated as “contractual partners”) as per Art. 6 (1) (b) of the GDPR, for the purpose of providing you with our contractual or pre-contractual services. The data that is processed in this respect, and the type and scope and purpose and necessity of its processing, are determined by the underlying contractual relationship.
The data to be processed includes the master data of our contractual partners (e.g. names and addresses), contact data (e.g. e-mail addresses and telephone numbers) and contract data (e.g. services requested, contract contents, contractual communication, names of contact persons) and payment data (e.g. bank details, payment history).
There are certain categories of personal data which we absolutely will not process unless the components in question are part of contracted or contractual processing.
We process data which is necessary for justification and fulfilment of the contractual obligations and refer to the requirement should this not be evident to the contractors. It may be disclosed to external persons or companies only if this is necessary as part of a contract. During processing of the data transferred to us as part of an order, we will act in accordance with the instructions of the client as well as the relevant legal requirements.
As part of the use of our online services, we may, if appropriate, save the IP address and the time of known user action. Saving shall be done on the basis of our legitimate interests, as well as users’ interests, as a means of protection against abuse and other unauthorised use. This data absolutely may not be forwarded to third parties, unless this is a requirement pursuant to our claims under Art. 6 (1) (f) of the GDPR or if there is a legal obligation to do the same under Art. 6 (1) (c) of the GDPR.
Data shall be deleted if it is no longer required for the fulfilment of our contractual or legal care responsibilities or for dealing with any warranty obligations or comparable obligations, in which case the necessity for storage of the data shall be checked every three years; otherwise, the statutory storage obligations shall apply.
Administration, financial accounting, office organisation, contact management
We process data as part of administrative tasks, as well as the organisation of our operations, financial accounting and compliance with legal obligations, such as archiving; whereby we process the same data that we process in the provision of our contractual services. The basic data processing principles recognised hereby are Art. 6 (1) (c) of the GDPR and Art. 6 (1) (f) of the GDPR. Said data processing pertains to clients, prospective clients, business partners and website visitors. The purpose for such processing/our interest in it concerns the administration, financial accounting, office organisation and archiving activities recognised with such data i.e. tasks pursuant to maintaining our business activities, the acknowledgement of our tasks and the provision of our services. Deletion of data pursuant to contractual services and communication shall be in accordance with the information stated as part of such processing activities.
As part of the same, we will disclose or transmit data to the financial authorities or consultants, such as tax consultants or auditors, as well as other bodies and service providers.
We will also save information concerning suppliers, organisers and other business partners based on our business interests, such as for the purpose of subsequent contact. We will save this (mostly company-related) data indefinitely as a matter of principle.
Business analysis and market research
For the purpose of operating our business economically (including recognition of market trends and the requests of contract partners and users), we will analyse the data that we have which covers business transactions, contracts, queries etc. We will, as part of this, process inventory data, communication data, contract data, payment data, usage data and metadata in accordance with Art. 6 (1) (f) of the GDPR – the persons concerned include contract partners, prospective clients, clients, visitors and users of our online offering.
Analyses are carried out for the purpose of business analysis, marketing and market research. We may, as part of it, consider the profiles of registered users, including information regarding the services that they use for example. We make use of these analyses in order to increase user-friendliness, and optimise our offering and operating profitability. These analyses are for our benefit only; they are not to be disclosed externally.
If such analyses or profiles are personal in nature, they shall be deleted or anonymised upon termination of use, or otherwise removed no later than two years after the conclusion of the contract. Furthermore, overall business analyses and general trend determination shall always be drafted anonymously whenever possible.
Contact
When we are contacted (e.g. via contact form, e-mail, telephone or social media), the information of the user in question shall be processed as part of the processing of the contact request and its conclusion in accordance with Art. 6 (1) (b) (as part of contractual/pre-contractual relationships) or Art. 6 (1) (f) of the GDPR (in connection with our own legitimate interests). User information can be saved in a customer relationship Management system (“CRM system”) or a comparable queries system. Your data will be deleted as soon as your request has been finally answered and such deletion is not precluded by any statutory retention obligations e.g. with any subsequent contract.
Hosting and e-mail dispatching
The hosting services that we use serve the purpose of provision of the following services: infrastructure and platform services, computing capacity, storage space and database services, e-mail dispatching, security services and technical maintenance services that we employ as part of the operation of this online offering.
As part of this, we/our hosting provider process inventory data, contact data, content data, contract data, usage data, and metadata and communication data of clients and prospective clients and visitors to this online offering, on the basis of our legitimate interests pertinent to providing this online offering in an efficient and secure manner as per Art. 6 (1) (f) of the GDPR in conjunction with Art. 28 of the GDPR.
Collection of access data
We/our hosting provider collect data on each access to the server which hosts this service, on the basis of our legitimate interests as per Art. 6 (1) (f) of the GDPR (so-called server log files). Said access data includes: name of the requested website, file, date and time of the request, volume of transferred data, notification of successful request, browser type and version, the user’s operating system, the referrer URL (the site visited previously), the IP address and the requesting provider.
Log file information shall be saved for a maximum period of 7 days, for security reasons (e.g. in the interests of investigation of abuse or fraud), after which it shall be deleted. Data which needs to be retained for longer for evidence purposes shall be exempt from such deletion up until the time of the final clarification of the incident in question.
Google AdWords and Conversion Measurement
On the basis of our legitimate interests (i.e. interest in the analysis, optimization and economic operation of our online offer in the sense of Art. 6 Para. 1 lit. f. of the German Civil Code), we make use of the information provided on this website. DSGVO) the services of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, ("Google").
Google is certified under the Privacy Shield Agreement and therefore offers a guarantee of compliance with European data protection law (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
We use the Google AdWords online marketing process to place ads on the Google Advertising Network (e.g., in search results, videos, websites, etc.) so that they are displayed to users who have a suspected interest in the ads. This allows us to display ads within our online offering in a more targeted manner in order to present users only with ads that potentially match their interests.
We also receive an individual "conversion cookie". The information obtained with the help of the cookie is used by Google to compile conversion statistics for us. However, we only know the anonymous total number of users who clicked on our ad and were redirected to a page with a conversion tracking tag. However, we do not receive any personally identifiable information.
User information is processed pseudonymously within the Google Advertising Network. This means, for example, that Google does not store and process the user's name or e-mail address, but processes the relevant data cookie-related within pseudonymous user profiles. This means that, from Google's point of view, the ads are not administered and displayed for a specifically identified person, but for the cookie holder, regardless of who this cookie holder is. This does not apply if a user has expressly permitted Google to process the data without this pseudonymization. The information collected about users is transmitted to Google and stored on Google's servers in the United States.
You can also prevent or restrict the installation of cookies by making the appropriate settings in your Internet browser. At the same time, you can delete cookies that have already been saved at any time. However, the steps and measures required for this depend on the Internet browser you are using. If you have any questions, please use the help function or documentation of your Internet browser or contact its manufacturer or support.
Google also offers the following services and further information on this topic and in particular on the possibilities of preventing the use of data.
- https://services.google.com/sitestats/de.html
- http://www.google.com/policies/technologies/ads/
- http://www.google.de/policies/privacy/
Matomo (formerly: PIWIK)
We use Matomo (formerly: “PIWIK”) on our website. Matomo is an open source software which allows us to analyse use of our website. This involves processing your IP address, the page(s) of our website that you visit, the website from which you came to our website (referrer URL), the period of time you spent on our website and the frequency of access to any of the pages on our website.
This data is collected when Matomo saves a cookie on your end device via your web browser. This cookie shall be valid for one week. The relevant legal basis is Art. 6 (1) (f) of the GDPR. Our relevant legitimate interest is analysis and optimisation of our website. However, we use Matomo with the anonymisation function “Automatically Anonymise Visitor IPs”. This anonymisation function shortens your IP address by the last byte, making any relation to you, or the internet connection that you use, impossible.
If you do not agree with such processing, you have the option of preventing the cookie from being saved, via a certain setting in your internet browser. You can find more detailed information on this above, under “Cookies and right of revocation in connection with direct marketing”. You also have the option to end analysis of your usage behaviour, using the so-called opt-out. You can activate your objection by clicking on the link below.
When you do this, a cookie will be saved on your end device via your internet browser; this cookie will prevent further analysis. However, please note that you will need to activate the above link again if you delete the cookies saved on your end device.
Online presence on social media
We maintain an online presence in the form of social networks and platforms so that we can communicate with the clients, prospective clients and users active there and provide them with information about our services. During access to the respective networks and platforms, the business terms and conditions and the data processing guidelines of their respective operators shall apply.
Unless otherwise specified in our Privacy Statement, we will process users’ data for as long as they communicate with us on social networks and platforms, e.g. by writing posts on our online presence profiles or by sending us messages.
Integration of third-party services and contents
We use the contents and service offerings of third-party providers within our online offering, based on our legitimate interests (i.e. analysis, optimisation and economic operation of our online offering as per Art. 6 (1) (f) of the GDPR), in order to integrate their contents and services e.g. videos or writing fonts (hereinafter referred to together as “contents”).
This always assumes that the third-party providers of this content are aware of the users’ IP addresses, since they would be unable to send the contents to their browser without the IP address. This means that the IP address is necessary for the presentation of this content. We strive to use only such content for which the respective providers use the IP address to deliver the content. Third-party providers can also use so-called pixel tags (invisible graphics, also known as “web beacons”) for statistical or marketing purposes. “Pixel tags” can be used to evaluate information such as user traffic on the pages of this website. Pseudonymous information can also be saved on the user’s device in the form of cookies, and it can include, inter alia, technical information on the browser and operating system, referring websites and visit time as well as other information regarding the use of our online offering, and it can also be linked to such information from other sources.
JW player videos
Our websites include plug-ins of the video portal JWPlayer (LongTail Ad Solutions, Inc. d/b/a JW Player 2 Park Avenue, 10th Floor New York, NY 10016, USA). With every request for a page which offers one or more JWPlayer video clips, a direct connection between your browser and a JWPlayer server in the USA is established. Information on your visit and your IP address will be saved there. Through interactions with the JWPlayer plug-ins (e.g. clicking the Start button), this information will also be transferred to JWPlayer and saved there. Further explanations can be found here https://www.jwplayer.com/privacy/#Technology.
The Privacy Statement for JWPlayer, with more detailed information on how JWPlayer collects and uses your data, can be found at https://www.jwplayer.com/privacy.
JWPlayer also uses the Google Analytics Tracker via an iFrame in which the video is called up. This is a separate tracking of JWPlayer, to which we have no access. You can prevent tracking by Google Analytics by using the deactivation tools that Google offers for some internet browsers. Users can also prevent Google from collecting data generated by Google Analytics that is related to your use of the website (incl. your IP address), and prevent Google from processing this data, by downloading and installing the browser plug-in available via the following link: http://tools.google.com/dlpage/gaoptout?hl=de
Use of Facebook social plug-ins
We use social plug-ins ("plug-ins") of the social network facebook.com (operated by Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland ("Facebook")) on the basis of our legitimate interests (i.e. analysis, optimisation and economic operation of our online operation as per Art. 6 (1) (f) of the GDPR). This can include such content as images, videos or texts and buttons with which users can share content of this online offering within Facebook. The list and appearance of Facebook social plug-ins can be viewed here: https://developers.facebook.com/docs/plugins/.
Facebook is certified under the Privacy Shield Agreement, meaning that it offers a guarantee of compliance with European data protection law (https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active).
If a user requests a function of this online offer which includes such a plug-in, their device shall establish a direct connection with the Facebook servers. The content of the plug-in shall be transferred directly to the user’s device by Facebook as Facebook integrates it into the online offering. This makes it possible to create user profiles of the users from the processed data. With this, we have no influence on the scope of the data that Facebook determines with the help of this plug-in and as such informs the users accordingly based on our knowledge.
By integrating the plug-ins, Facebook receives the information that a user has requested the corresponding page in the online offering. If the user is logged into Facebook, Facebook can assign the visit to their Facebook account. When users interact with the plug-ins, such as by clicking on the Like button or leaving a comment, the corresponding information shall be transferred from their device directly to Facebook and saved there. If a user is not a member of Facebook, it is still possible for Facebook to obtain and store their IP address. According to Facebook, only an anonymised IP address will be saved in Germany.
Information on the purpose and scope of data collection and further processing and use of data by Facebook, and the related rights and settings options for protection of users’ privacy, can be found in Facebook’s Privacy Statement: https://www.facebook.com/about/privacy/.
If a user is a member of Facebook and does not want Facebook to collect data about them via this online offering or to link it with their member data stored on Facebook, then they must, prior to using our online offer, log out from Facebook and delete their cookies. Additional settings and objections to use of data for advertising purposes are possible in the Facebook profile settings https://www.facebook.com/settings?tab=ads or via the American website http://www.aboutads.info/choices/ or the EU website http://www.youronlinechoices.com/. Settings are platform-independent, meaning that they are adopted for all devices, be they desktop computers or mobile devices.
Functions and contents of the Twitter service (offered by Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA) can be integrated into our online offering. This may include content such as images, videos or bodies of text and buttons which allow users to share content within this online offering within Twitter. If users are members of the Twitter platform, Twitter can assign the request for the above contents and functions to users’ local profiles. Twitter is certified under the Privacy Shield Agreement, meaning that it offers a guarantee of compliance with European data protection law (https://www.privacyshield.gov/participant?id=a2zt0000000TORzAAO&status=Active).
Privacy Statement: https://twitter.com/de/privacy, Opt-Out: https://twitter.com/personalization.
Functions and contents of the Xing service (offered by XING AG, Dammtorstraße 29-32, 20354 Hamburg, Germany) can be integrated into our online offering. This may include content such as images, videos or bodies of text and buttons which allow users to share content within this online offering within Xing. If users are members of the Xing platform, Xing can assign the request for the above contents and functions to users’ local profiles. Xing’s Privacy Statement: https://www.xing.com/app/share?op=data_protection.
Functions and contents of the LinkedIn service (offered by LinkedIn Ireland Unlimited Company Wilton Place, Dublin 2, Ireland) can be integrated into our online offering. This may include content such as images, videos or bodies of text and buttons which allow users to share content within this online offering within LinkedIn. If users are members of the LinkedIn platform, LinkedIn can assign the request for the above contents and functions to users’ local profiles. LinkedIn’s Privacy Statement: https://www.linkedin.com/legal/privacy-policy. LinkedIn is certified under the Privacy Shield Agreement, meaning that it offers a guarantee of compliance with European data protection law (https://www.privacyshield.gov/participant?id=a2zt0000000L0UZAA0&status=Active). Privacy Statement: https://www.linkedin.com/legal/privacy-policy, Opt-out: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.
Newsletter
In the following guideline we provide you with information regarding the content of our newsletter, as well as on our registration, dispatch and statistical evaluation procedures, and on your rights to object. By subscribing to our newsletter, you declare that you agree to receive it, and that you agree to the procedures mentioned.
Content of the newsletter: we send newsletters, e-mails and other electronic notifications with promotional information (hereinafter known as “newsletters”) only if the recipient has consented to it or if we have legal permission to do so. If the contents of a registration for the newsletter are concrete in nature, they shall be definitive as to the consent of the users. Our newsletters also include information on our services and us.
Double opt-in and logging: registration for our newsletter is achieved in a so-called double opt-in process. What this means is that, after the registration, you will receive an e-mail in which you are asked to confirm your registration. Such a confirmation is necessary so that no-one can log in with external e-mail addresses. Newsletter registrations are logged in order that the registration process can be verified in accordance with relevant legal requirements. This includes saving the information of the time of the registration and the confirmation, as well as the IP address. The changes made with your data saved with the service provider will also be logged.
Registration data: to register for the newsletter, it will suffice for you to send us your e-mail address.
The dispatch of the newsletter, and the related performance measurement, are based on consent of the recipient as per Art. 6 (1) (a) , Art. 7 of the GDPR in conjunction with § 7 (2) (3) of the German Fair Trade Practices Act or, if no such consent is required, on the basis of our legitimate interests pertinent to direct marketing as per Art. 6 (1) (f) of the. GDPR in conjunction with § 7 (3) of the German fair Trade Practices Act.
The registration process is logged on the basis of our legitimate interests as per Art. 6 (1) (f) of the GDPR. Our interest focusses on use of a user-friendly and safe newsletter system which both serves our business interests and meets users’ expectations, and also allows us to provide evidence of consent.
Termination/revocation – You can cancel receipt of our newsletter at any time i.e. revoke your consent. You can find a link for newsletter termination at the end of every newsletter. We are allowed to save listed e-mail addresses for up to three years (on the basis of our legitimate interests) before finally deleting them so as to be able to prove previously granted consent. Processing of such data shall be limited to the purpose of any defence against claims. An individual request for revocation is possible at any time, provided that, at the same time, the former existence of any such consent is confirmed.
Newsletter dispatch with Mailchimp
The newsletter is dispatched using the dispatch service provider “MailChimp”, a newsletter dispatch platform of the American provider Rocket Science Group (LLC, 675 Ponce De Leon Ave NE #5000, Atlanta, GA 30308, USA). The Privacy Statement of this dispatch service provider can be viewed here: https://mailchimp.com/legal/privacy/. The Rocket Science Group LLC d/b/a MailChimp is certified under the Privacy Shield Agreement, meaning that it offers a guarantee of compliance with the European data protection standard (https://www.privacyshield.gov/participant?id=a2zt0000000TO6hAAG&status=Active).
The dispatch service provider is used on the basis of our legitimate interests as per Art. 6 (1) (f) of the GDPR and an order processing contract as per Art. 28 (3) (1) of the GDPR.
The dispatch service provider can use recipients’ data in pseudonymous form i.e. without assignment to a user as part of optimisation or improvement of its own services for technical optimisation of the dispatch and presentation of the newsletter, or for statistical purposes. However, the dispatch service provider may not use the data of our newsletter recipients in order to write to them, or to forward the data to third parties.
Online job applications/publication of job vacancies We offer you the opportunity to apply for work with us via our website. With such digital applications, we will electronically collect and process your applicant and application data as part of the processing of the application procedure. The legal process for such processing is outlined in § 26 (1) (1) of the Federal Data Protection Act in conjunction with Art. 88 (1) of the GDPR.
We use an interface (API) to the external provider SmartRecruiters on our website. Please also read the Privacy Statement of the platform provider in connection with the same, at https://www.smartrecruiters.com/legal/candidate-privacy-policy/may-14-2019/
If a contract of work is entered into as part of a job application procedure, we will save the data you submitted as part of your application in your personal file as part of the regular organisation and administration process – we will of course take into consideration further legal obligations when we do this. The legal basis for such processing is also outlined in § 26 (1) (1) of the Federal Data Protection Act in conjunction with Art. 88 (1) of the GDPR.
When rejecting an application, we will automatically delete the data transferred to us two months after notification of the rejection. However, such a deletion shall not take place if, on account of certain legal regulations (e.g. owing to duties of proof under the German General Equal Treatment Act), the data is required to be saved for longer (up to six months, or up to the conclusion of legal proceedings).
The legal basis for such a case is covered in Art. 6 (1) (f) of the GDPR and § 24 (1) (2) of the Federal Data Protection Act. Our legitimate interest in such matters is legal defence/enforcement. If you have expressly consented for your data to be saved for longer, or to be included in a candidate or prospective candidates' database, the data shall be processed as per your consent. The legal basis here shall be Art. 6 (1) (a) of the GDPR. However, you are of course entitled to withdraw your consent at any time as per Art. 7 (3) of the GDPR by informing us accordingly, at which point it shall become effective in the future.
Changes to our Privacy Statement We reserve the right to make adjustments to this Privacy Statement to ensure that it always meets the current legal requirements, or to implement changes to our services offered in the Privacy Statement e.g. with the introduction of new services. In such a case, the new Privacy Statement will apply at the time of your new visit. Privacy Statement version: June 2019