Data protection

Dussmann Group 

Preamble

This text explains which types of personal data concerning you (also referred to herein as “data”) Dussmann processes, for which purposes, and to what extent. This Data Protection and Privacy Statement applies to all processing of personal data by Dussmann, both within the scope of performance of services and, in particular, on Dussmann websites, in mobile applications and within external online sites such as Dussmann social media profiles (collectively referred to as “online services”).

It is important to note that Dussmann is not merely a single company. It is a group of companies consisting of Dussmann Stiftung & Co. KGaA and its affiliates. A list of these affiliates can be viewed here. Not every one of these affiliates in fact offers online services or processes your data. For ease of reference, the “Controller” section notes which company is responsible for processing your data. Accordingly, where the text below refers to “us” or “we”, this means the responsible company of the Dussmann Group that is mentioned in the “Controller” section.

Please check back regularly to familiarize yourself with the content of our Data Protection and Privacy Statement. We adjust the text promptly as required by changes in the data processing we perform. We will let you know if and when these changes require any participatory action on your part (such as consent) or if another form of individual notification is necessary.

Where we state the addresses and contact information of companies and organizations in this Data Protection and Privacy Statement, please note that these addresses may change over time and should be verified before you contact us. 

Dussmann Stiftung & Co. KGaA 
Friedrichstrasse 90 
10117 Berlin 
Germany

e-mail address: hotline@dussmanngroup.com

phone: +49 30 20 250 

Dussmann Stiftung & Co. KGaA 
Data Protection Officer 
Friedrichstrasse 90 
10117 Berlin 
Germany

+49 30 20250

datenschutz@dussmanngroup.com 

The overview below summarizes the types of data we process and the purposes of processing thereof and indicates the data subjects.

Types of data processed

  • Inventory data
  • Payment data
  • Contact information
  • Content-related data
  • Contract data
  • Usage data
  • Metadata, communication data, process data
  • Log data
  • Performance and behavior data
  • Creditworthiness data

Special categories of data

  • Data concerning health
  • Religious or philosophical beliefs
  • Trade union membership
  • Sex life or sexual orientation

Categories of data subjects

  • Service recipients and clients
  • Prospective clients
  • Communication partners
  • Business partners and other parties to contracts
  • Whistleblowers
  • Clients

Purposes of processing

  • Performance of contractual services and fulfillment of contractual obligations
  • Communication
  • Security measures
  • Reach measurement
  • Tracking
  • Conversion measurement
  • Marketing
  • Provision of our online services and user friendliness
  • Assessment of credit ratings and creditworthiness
  • Information technology infrastructure
  • Whistleblower protection
  • Financial management and payment management
  • Public relations work
  • Promoting sales
  • Business processes and business administration procedures

Automated decision-making in individual cases

  • Credit reports 

Relevant legal bases pursuant to the GDPR: This section provides an overview of the legal bases under the GDPR on which we process personal data. Please note that in addition to the provisions of the GDPR, national data protection and privacy specifications may apply in your or our country of residence or domicile. Should more-specific legal bases be relevant in the individual case, we will notify you of these in the Data Protection and Privacy Statement.

  • Consent (point (a) of Article 6(1) GDPR) – The data subject has given consent to the processing of his or her personal data for one or more specific purposes.
  • Performance of a contract or inquiries prior to entering into a contract (point (b) of Article 6(1) GDPR) – Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
  • Legal obligation (point (c) of Article 6(1) GDPR) – Processing is necessary for compliance with a legal obligation to which the controller is subject.
  • Legitimate interests (point (f) of Article 6(1) GDPR) – Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

National data protection regulations in Germany: In addition to the data protection regulations stipulated by the GDPR, there are national regulations governing data protection and privacy in Germany. These include, in particular, the German Federal Data Protection Act (BDSG). In particular, the BDSG contains special provisions relating to the rights of access to information, of erasure, and to object; the processing of special categories of personal data; processing for other purposes; transfers; and automated decision-making in individual cases, including profiling. Furthermore, the data protection laws of the individual states may also apply.

In accordance with the legal specifications and taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, we implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.

These measures include, but are not limited to, ensuring the confidentiality, integrity, and availability of data by controlling physical and electronic access to the data as well as the access to, entry, communication, and separation of the data, and by ensuring their availability. We have also established procedures that ensure that the rights of data subjects are upheld, data are erased, and there is a response to any risk to the data. Furthermore, we take protecting personal data into account in the early stages of developing and/or selecting hardware, software, and procedures in keeping with the principle of data protection by design and by default.

Safeguarding online connections through TLS/SSL encryption technology (HTTPS): To protect the user data transferred via our online services against unauthorized access, we rely on TLS/SSL encryption technology. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the cornerstones of secure data transmission on the Internet. These technologies encrypt the information transferred between the website or app and the user’s browser (or between two servers), which protects the data against unauthorized access. TLS, a further-developed and more secure version of SSL, ensures that all data transmissions meet the very highest standards of security. If a website is safeguarded by an SSL/TLS certificate, “HTTPS” is displayed in the URL. This serves as an indicator for users that their data are being transferred securely and with encryption.

Within the scope of our processing of personal data, it is possible that these data will be transferred or disclosed to other bodies, companies, legally independent organizational units, persons, or entities. Recipients of these data may include, for example, service providers commissioned to perform IT tasks or providers of services and content incorporated into a website. In such cases, we observe the legal specifications and, in particular, enter into relevant contracts and/or agreements that serve to protect your data with the recipients of your data.

Data transfers within the corporate group: We may transfer personal data to other companies within our corporate group or grant them access to these data. Where such disclosures take place for administrative purposes, the disclosure of the data is based on our legitimate entrepreneurial and business administration interests or takes place to the extent necessary to fulfill our contract-related obligations or where the data subject has given consent or the disclosure is permitted by law. 

Data processing in third countries: Where we process data in a third country (i.e., outside the European Union (EU) or European Economic Area (EEA)) or the processing takes place within the scope of our utilization of third-party services or of the disclosure or transfer of data to other persons or entities, bodies, or companies, this takes place solely in compliance with the legal specifications. Where the level of data protection in the third country has been acknowledged by an adequacy decision (Article 45 GDPR), this decision serves as the basis for the data transfer. In all other respects, data transfers take place only if the level of data protection has been safeguarded through other means, particularly standard contractual clauses (point (c) of Article 46(2) GDPR), express consent has been granted, or the transfer is required based on the provisions of a contract or by law (Article 49(1) GDPR). In all other respects, we communicate to you the bases for the third-country transfer in the case of the individual third-country providers; the adequacy decisions take precedence as bases. For information on third-country transfers and existing adequacy decisions, please consult the information provided by the European Commission: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection_en.

Transatlantic EU–U.S. data privacy framework: Within the scope of the Data Privacy Framework (DPF), the European Commission acknowledged the level of data protection provided by certain companies based in the United States as secure under the adequacy decision dated July 10, 2023. The list of certified companies and further information relating to the DPF is available from the U.S. Department of Commerce website at https://www.dataprivacyframework.gov/.  

We erase personal data that we process in accordance with the statutory provisions once the underlying consent has been withdrawn or there are no further legal bases for the processing thereof. This applies to cases in which the original purpose of processing ceases to apply or the data are no longer required. Exceptions to this provision apply if statutory obligations or particular interests require that the data be retained or archived for a longer period.

In particular, data that must be retained for reasons of commercial or tax law or whose storage is necessary in order to pursue legal claims or protect the rights of other natural persons or legal entities must be archived accordingly.

We process data that are no longer retained for the originally intended purpose, but rather based on legal specifications or other reasons, exclusively on the bases that justify the retention thereof.

Should you wish your data to be erased or withdraw consent to data processing, the data will be erased as soon as possible unless there is an obligation to store them.

Further information on processing operations, procedures, and services:

  • Retention and erasure of data: The following general time limits apply to retention and archiving pursuant to German law:
    • Ten years – retention period for accounts and records, inventories, annual financial statements, management or situation reports, the opening balance sheet as well as the operating instructions and other organizational documents, accounting records and invoices needed for their comprehension (Sec. 147 (3) in conjunction with (1) Nos. 1, 4 and 4a of the German Fiscal Code (AO), Sec. 14b (1) of the German Value-Added Tax Act (UStG), Sec. 257 (1) Nos. 1 and 4 and (4) of the German Commercial Code (HGB)).
    • Six years – other business documents: trade or business letters received, reproductions of trade or business letters sent, other documents to the extent that these are of relevance for taxation, such as hourly wage slips, operating expense sheets, calculation documents, pricing materials, but also payroll documents, where these do not already constitute accounting records, and cash register tapes (Sec. 147 (3) in conjunction with (1) Nos. 2, 3, and 5 AO, Sec. 257 (1) Nos. 2 and 3 and (4) HGB).
    • Three years – data that are required in order to take potential warranty claims and claims for damages or similar contractual claims and rights into account and to process inquiries associated therewith, based on past business experience and customary industry practices, are stored for the duration of the regular statutory limitation period of three years (Sec. 195 and 199 BGB). 

Rights of data subjects under the GDPR: As a data subject, you have various rights under the GDPR, particularly based on Articles 15 through 21 GDPR:

  • Right to object: You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions. Where personal data concerning you are processed for direct marketing purposes, you have the right to object at any time to the processing of the personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing.
  • Right to withdraw consent: You have the right to withdraw your consent at any time.
  • Right of access to information: You have the right to obtain confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, access to information about the personal data and to further information and copies of the data in accordance with the legal specifications.
  • Right to rectification: In accordance with the legal specifications, you have the right to have the data concerning you completed if they are incomplete or rectified if they are inaccurate.
  • Right of erasure and restriction of processing: In accordance with the legal specifications, you have the right to have the data concerning you erased without undue delay or, alternatively, to have the processing of these data restricted in accordance with the legal specifications.
  • Right to data portability: You have the right to receive the data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format or to have those data transmitted to another controller in accordance with the legal specifications.
  • Complaint to a supervisory authority: In accordance with the legal specifications and without prejudice to any other administrative or judicial remedy, you moreover have the right to lodge a complaint with a data protection supervisory authority, in particular a supervisory authority in the Member State of your habitual residence or the supervisory authority responsible for your place of work or the place of the alleged infringement, if you consider that the processing of the personal data relating to you infringes the GDPR. 

We process the data of other parties to contracts with us and our business partners, such as clients and prospective clients (collectively “other parties to contracts”), within the scope of contractual and similar legal relationships and associated measures and with an eye to communications with other parties to contracts (or as part of steps prior to entering into contracts), for example to respond to inquiries.

We use these data to comply with our contractual obligations. These include but are not limited to the obligations to perform the agreed services, any obligations of updating, and obligations to effect a cure or remedy a situation in the case of warranty claims and other disruptions in performance. Beyond that, we use the data to safeguard our rights and for the purposes of the administrative tasks associated with these obligations and of company organization. We also process the data on the basis of our legitimate interests both in the proper and economical management of our business and in security measures to protect the other parties to contracts with us and our business operations against abuse, jeopardization of their data, secrets, information, and rights (e.g., relating to the involvement of telecommunication, transportation, and other supporting services as well as subcontractors, banks, tax advisors and legal counsel, payment service providers or fiscal authorities). Within the scope of applicable law, we share the data of other parties to contracts with us with third parties only to the extent that this is necessary for the aforementioned purposes or to fulfill statutory obligations. Other parties to contracts with us are informed of further forms of processing, such as for marketing purposes, within the scope of this Data Protection and Privacy Statement.

We notify the other parties to contracts of which data are necessary for the aforementioned purposes before or at the time of collection of the data, e.g., in online forms, through special designation (e.g., colors) or symbols (e.g., asterisk or similar) or in person.

  • Types of data processed: Inventory data (e.g., full name, home address, contact information, client number, etc.); payment data (e.g., bank account details, invoices, payment history); contact information (e.g., mailing and e-mail addresses or phone numbers); contract data (e.g., subject matter of contract, term, client category); usage data (e.g., page impressions and time spent on pages, click paths, usage intensity and frequency, types of devices and operating systems used, interactions with content and features); and metadata, communication data, and process data (e.g., IP addresses, time stamps, identification numbers, persons involved).
  • Data subjects: Service recipients and clients; prospective clients; business partners and other parties to contracts.
  • Purposes of processing: Performance of contractual services and fulfillment of contractual obligations; security measures; communication; organizational and administrative procedures; business processes and business administration procedures.
  • Retention and erasure: Erasure in accordance with the information contained in the section titled “Information on data storage and erasure”.
  • Legal bases: Performance of contract and inquiries prior to entering into a contract (point (b) of Article 6(1) GDPR); legal obligation (point (c) of Article 6(1) GDPR); legitimate interests (point (f) of Article 6(1) GDPR).

Personal data of service recipients and clients, including clients or business partners and further third parties, are processed within the scope of contractual and similar legal relationships and steps prior to entering into a contract, such as preparations for business relationships. This data processing supports and facilitates business administration processes in areas such as customer management, sales, payment transactions, accounting, and project management.

The data collected serve to fulfill contractual obligations and streamline operational processes. This includes the settlement of business transactions, management of customer relationships, optimization of sales strategies, and ensuring internal accounting and financial processes. The data also support the safeguarding of the controller’s rights and are conducive to administrative tasks and to the company's organization.

Personal data may be disclosed to third parties to the extent that this is necessary in order to fulfill the aforementioned purposes or statutory obligations. The data are erased when statutory retention time limits expire or the purpose of processing ceases to apply. This also includes data that must be stored for longer based on the evidentiary obligations of tax law and other laws.

  • Types of data processed: Inventory data (e.g., full name, home address, contact information, client number, etc.); payment data (e.g., bank account details, invoices, payment history); contact information (e.g., mailing and e-mail addresses or phone numbers); content data (e.g., messages and posts in text or image form and the information concerning them, such as information on authorship or the time of creation); contract data (e.g., subject matter of contract, term, client category); usage data (e.g., page impressions and time spent on pages, click paths, usage intensity and frequency, types of devices and operating systems used, interactions with content and features); metadata, communication data, and process data (e.g., IP addresses, time stamps, identification numbers, persons involved); log data (e.g., log files concerning logins or the retrieval of data or access times); creditworthiness data (e.g., credit score, estimated likelihood of default, risk assessment on that basis, historical payment behavior); employee data (information concerning employees and other employed persons).
  • Data subjects: Service recipients and clients; prospective clients; communication partners; business partners and other parties to contracts; clients; third parties; users (such as website visitors, users of online services).
  • Purposes of processing: Performance of contractual services and fulfillment of contractual obligations; business processes and business administration procedures; security measures; provision of our online services and user friendliness; communication; marketing; promotion of sales; public relations work; assessment of credit ratings and creditworthiness; financial management and payment management; information technology infrastructure (operation and provision of information systems and technical devices (computers, servers, etc.)).
  • Retention and erasure: Erasure in accordance with the information contained in the section titled “Information on data storage and erasure”.
  • Legal bases: Performance of contract and inquiries prior to entering into a contract (point (b) of Article 6(1) GDPR); legitimate interests (point (f) of Article 6(1) GDPR); legal obligation (point (c) of Article 6(1) GDPR).

Further information on processing operations, procedures, and services:

  • Customer management and customer relationship management (CRM): Procedures that are necessary within the scope of customer management and customer relationship management (CRM) (e.g., customer acquisition in compliance with data protection specifications, measures to promote customer loyalty, effective customer communication, complaint management and customer service with consideration for data protection and privacy, data management and data analysis to support the customer relationship, management of CRM systems, secure account management, customer segmentation and identification of target groups); legal bases: performance of contract and inquiries prior to entering into a contract (point (b) of Article 6(1) GDPR); legitimate interests (point (f) of Article 6(1) GDPR).
  • Contact management and contact maintenance: Procedures that are necessary within the scope of organization, maintenance, and safeguarding of contact information (e.g., setting up and maintaining a central contact database, regular updates to contact information, monitoring of data integrity, implementation of data protection measures, ensuring data access controls, performing backups and restoration of contact information, training employees in effective interaction with contact management software, regularly reviewing the communication history and adjusting contact strategies); legal bases: performance of contract and inquiries prior to entering into a contract (point (b) of Article 6(1) GDPR); legitimate interests (point (f) of Article 6(1) GDPR).
  • General payment transactions: Procedures that are necessary in implementing payment transactions, monitoring bank accounts, and checking payment flows (e.g., preparing and reviewing funds transfers, handling direct debit transactions, checking account statements, monitoring incoming and outgoing payments, managing return debit notes and chargebacks, account settlement, cash management); legal bases: performance of contract and inquiries prior to entering into a contract (point (b) of Article 6(1) GDPR); legitimate interests (point (f) of Article 6(1) GDPR).
  • Accounting, including accounts payable and receivable: Procedures that are necessary in logging, processing, and monitoring business transactions in the areas of accounts payable and receivable (e.g., preparing and checking incoming and outgoing invoices, monitoring and managing open items, carrying out payment transactions, handling the dunning process, account reconciliation within the scope of claims and liabilities, accounts payable and receivable); legal bases: performance of contract and inquiries prior to entering into a contract (point (b) of Article 6(1) GDPR), legal obligation (point (c) of Article 6(1) GDPR), legitimate interests (point (f) of Article 6(1) GDPR).
  • Financial accounting and taxes: Procedures that are necessary in logging, managing, and monitoring finance-related business transactions and in calculating, reporting, and paying taxes (e.g., account allocation and posting of business transactions, preparation of quarterly and annual financial statements, carrying out payment transactions, handling the dunning process, account reconciliation, tax advising, preparation and filing of tax returns, handling of tax matters); legal bases: performance of contract and inquiries prior to entering into a contract (point (b) of Article 6(1) GDPR), legal obligation (point (c) of Article 6(1) GDPR), legitimate interests (point (f) of Article 6(1) GDPR).
  • Purchasing: Procedures that are necessary in procurement of goods, raw materials, or services (e.g., supplier selection and evaluation, price negotiations, placement and monitoring of orders, reviewing and monitoring deliveries, checking invoices, management of orders, warehouse management, preparing and maintaining purchasing guidelines); legal bases: performance of contract and inquiries prior to entering into a contract (point (b) of Article 6(1) GDPR); legitimate interests (point (f) of Article 6(1) GDPR).
  • Sales: Procedures that are necessary in planning, implementing, and monitoring measures for the marketing and sale of products or services (e.g., customer acquisition, preparing and following up on offers, order processing, advising and serving clients, promoting sales, product training activities, sales controlling and sale analysis, management of sales channels); legal bases: performance of contract and inquiries prior to entering into a contract (point (b) of Article 6(1) GDPR); legitimate interests (point (f) of Article 6(1) GDPR).
  • Marketing, advertising, and promotion of sales: Procedures that are necessary within the scope of marketing, advertising, and promotion of sales (e.g., market analysis and target group identification, development of marketing strategies, planning and implementation of advertising campaigns, design and production of advertising materials, online marketing, including SEO and social media campaigns, event marketing and trade fair participation, customer loyalty programs, measures to promote sales, performance measurement and optimization of marketing activities, budget management and cost control); legal bases: legitimate interests (point (f) of Article 6(1) GDPR).
  • Public relations work: Procedures that are necessary within the scope of public relations (e.g., development and implementation of communication strategies, planning and implementing PR campaigns, preparing and disseminating press releases, maintaining media contacts, monitoring and analyzing media resonance, organizing press conferences and public events, crisis communication, preparing content for social media and corporate websites, serving corporate branding); legal bases: legitimate interests (point (f) of Article 6(1) GDPR).
  • Guest Wi-Fi: Procedures that are necessary in setting up, operating, maintaining, and monitoring a wireless network for guests (e.g., installation and configuration of Wi-Fi access points, preparing and managing guest access, monitoring the network connection, ensuring network security, resolving connection problems, updating network software, complying with data protection and privacy provisions); legal bases: performance of contract and inquiries prior to entering into a contract (point (b) of Article 6(1) GDPR), legal obligation (point (c) of Article 6(1) GDPR), legitimate interests (point (f) of Article 6(1) GDPR).

Where we perform in advance or take on comparable financial risks (e.g., in the case of orders with payment subsequent to invoicing), we reserve the right to obtain an identity and credit check from service providers that specialize in this area (credit bureaus or agencies) for the purpose of assessing the credit risk on the basis of mathematical and statistical methods in order to safeguard our legitimate interests.

We process the information received from the credit bureaus or agencies concerning the statistical likelihood of default of payment within the scope of an appropriate decision at our discretion regarding the establishment, performance, and termination of the contractual relationship. We reserve the right to decline to offer payment subsequent to invoicing or another form of advance performance if the result of the credit check is negative.

The decision regarding whether we perform in advance is made in keeping with the legal specifications based solely on an automated decision made in the individual case by our software based on the information received from the credit bureau or agency.

Where we obtain express consent from other parties to contracts with us, the legal basis for the credit check and the transfer of the client’s data to the credit bureaus or agencies is consent. If no consent is obtained, the credit check is performed on the basis of our legitimate interest in minimizing the risk of default on our claims to payment.

  • Types of data processed: Inventory data (e.g., full name, home address, contact information, client number, etc.); payment data (e.g., bank account details, invoices, payment history); contact information (e.g., mailing and e-mail addresses or phone numbers); contract data (e.g., subject matter of contract, term, client category); creditworthiness data (e.g., credit score, estimated likelihood of default, risk assessment on that basis, historical payment behavior); usage data (e.g., page impressions and time spent on pages, click paths, usage intensity and frequency, types of devices and operating systems used, interactions with content and features).
  • Data subjects: Service recipients and clients; prospective clients; business partners and other parties to contracts.
  • Purposes of processing: Assessment of credit ratings and creditworthiness.
  • Retention and erasure: Erasure in accordance with the information contained in the section titled “Information on data storage and erasure”.
  • Legal bases: Consent (point (a) of Article 6(1) GDPR); legitimate interests (point (f) of Article 6(1) GDPR).
  • Automated decision-making in individual cases: Credit report (decision based on a credit check).

Further information on processing operations, procedures, and services:

We process users’ data in order to provide them with our online services. To this end, we process the user’s IP address, which is necessary in order to transfer the content and features of our online services to the user’s browser or device.

  • Types of data processed: Usage data (e.g., page impressions and time spent on pages, click paths, usage intensity and frequency, types of devices and operating systems used, interactions with content and features); metadata, communication data, and process data (e.g., IP addresses, time stamps, identification numbers, persons involved); log data (e.g., log files concerning logins or the retrieval of data or access times).
  • Data subjects: Users (e.g., website visitors, users of online services).
  • Purposes of processing: Provision of our online services and user friendliness; information technology infrastructure (operation and provision of information systems and technical devices (computers, servers, etc.)). Security measures.
  • Retention and erasure: Erasure in accordance with the information contained in the section titled “Information on data storage and erasure”.
  • Legal bases: Legitimate interests (point (f) of Article 6(1) GDPR).

 

Further information on processing operations, procedures, and services:

  • Provision of online services via rented storage capacity: To provide our online services, we use storage and processing capacity and software that we rent or otherwise obtain from a relevant server provider (also referred to as a “Web hoster”); legal bases: legitimate interests (point (f) of Article 6(1) GDPR).
  • Collection of access data and log files: Access to our online services is logged in the form of “server log files”. Server log files may include the address and name of the websites and files retrieved, date and time of retrieval, volumes of data transferred, report of successful retrieval, browser type and version, the user’s operating system, referrer URL (the page visited beforehand) and typically IP addresses and the requesting provider. The server log files may be used, first, for security purposes, e.g., to prevent overloading of servers (particularly in the case of distributed denial-of-service (DDoS) attacks) and, second, to ensure server capacity utilization and stability; legal bases: legitimate interests (point (f) of Article 6(1) GDPR). Erasure of data: Log file information is stored for a maximum period of 30 days, after which it is erased or anonymized. Data that must be retained for a longer period for evidentiary purposes are exempt from erasure until the relevant incident has been clarified on a final basis. 

Cookies are small text files or other storage notes that store information on devices and read it out from there. This is done, for example, to store the log-in status for a user account, the contents of a shopping cart in an online store, or the content retrieved or features of an online service that are used. Cookies can also be used in relation to various matters, such as for purposes of the functionality, security, and convenience of online services and to prepare analyses of user streams.

Information on consent: We use cookies in accordance with the legal provisions. Therefore, we obtain advance consent from users except where consent is not required by law. In particular, permission is not necessary if storing and reading out the information, including through the use of cookies, is strictly necessary in order to provide users with a tele-media service (meaning our online services) that they have expressly requested. The fact that they are giving consent and that it can be withdrawn is communicated clearly to them in a form that includes the information on the relevant cookie usage.

Information on legal bases for purposes of data protection and privacy law: The legal basis for purposes of data protection and privacy law on which we process users’ personal data using cookies depends on whether we ask users for consent. If users accept, the legal basis for the use of their data is their stated consent. Otherwise, the data used via cookies are processed on the basis of our legitimate interests (e.g., in the cost-effective operation of our online services and improvement of the usability thereof) or, if this takes place within the scope of fulfillment of our contractual obligations, if the use of cookies is necessary in order to comply with our contractual obligations. We provide information on the purposes for which we use cookies elsewhere in this Data Protection and Privacy Statement or within the scope of our consent and processing procedures.

Duration of storage: With regard to the duration of storage, a distinction is made between the following types of cookies:

  • Temporary cookies (also known as session cookies): Temporary cookies are erased no later than when a user has left an online service and closed his or her device (e.g., browser or mobile app).
  • Persistent cookies: Persistent cookies are stored even after the device is closed. This makes it possible to store the log-in status, for example, and display preferred content directly if and when a user visits a website again. The user data collected using cookies may also be used to measure reach. Where we do not communicate any explicit information on the type and duration of storage of cookies to users (e.g., within the scope of obtaining consent), they should presume that cookies are persistent and that the duration of storage may be up to two years.

 

General information on withdrawal of consent and objections (opting out): Users can withdraw the consent they have given at any time and can also object to the processing of their data in accordance with the legal specifications, including using their browser’s privacy settings.

  • Types of data processed: Metadata, communication data, and process data (e.g., IP addresses, time stamps, identification numbers, persons involved). Usage data (e.g., page impressions and time spent on pages, click paths, usage intensity and frequency, types of devices and operating systems used, interactions with content and features).
  • Data subjects: Users (e.g., website visitors, users of online services).
  • Purposes of processing: Provision of our online services and user friendliness.
  • Legal bases: Legitimate interests (point (f) of Article 6(1) GDPR). Consent (point (a) of Article 6(1) GDPR).

 

Further information on processing operations, procedures, and services:

  • Processing of cookie data based on consent: We use a consent management solution in which users’ consent to the use of cookies or to the procedures and providers mentioned in the context of the consent management solution is obtained. This procedure serves for purposes of obtaining, logging, and managing consent and withdrawal thereof, particularly in relation to the use of cookies and similar technologies used to store, retrieve, and process information on users’ devices. Within the scope of this procedure, the consent of users to the use of cookies and the associated processing of information, including the specific processing operations and providers mentioned in the consent management procedure, is obtained. Users also have the ability to manage and withdraw their consent. The declarations of consent are stored to eliminate the need to solicit consent again and to permit documentation of consent in accordance with the legal requirements. They are stored on the server side and/or in a cookie (known as an “opt-in” cookie) or via similar technologies in order to permit the consent to be associated with a specific user or that user’s device. Where there is no specific information provided regarding the providers of consent management services, the following general information applies: The duration of storage of consent is up to two years. In the process, a pseudonymous user identifier is created and stored together with the time of consent, the information on the scope of consent (e.g., relevant categories of cookies and/or service providers) and information about the browser, the system, and the device used; legal bases: consent (point (a) of Article 6(1) GDPR).
  • Cookie opt-out: The footer of our website contains a link via which you can modify your cookie settings and withdraw the relevant consent; legal bases: legitimate interests (point (f) of Article 6(1) GDPR).
  • Usercentrics: Consent management: procedure for obtaining, logging, managing and withdrawing consent, particularly to the use of cookies and similar technologies used to store, retrieve, and process information on users’ devices; service provider: Usercentrics GmbH, Sendlinger Strasse 7, 80331 Munich, Germany; website: https://usercentrics.com/. Privacy policy: https://usercentrics.com/privacy-policy/

When people contact us (e.g., by mail, contact form, e-mail, phone, or via social media) and in the context of existing user and business relationships, the information provided by the inquiring persons is processed to the extent necessary to respond to the contact inquiries and any requested measures.

  • Types of data processed: Inventory data (e.g., full name, home address, contact information, client number, etc.); contact information (e.g., mailing and e-mail addresses or phone numbers); content data (e.g., messages and posts in text or image form and the information concerning them, such as information on authorship or the time of creation); usage data (e.g., page impressions and time spent on pages, click paths, usage intensity and frequency, types of devices and operating systems used, interactions with content and features). Metadata, communication data, and process data (e.g., IP addresses, time stamps, identification numbers, persons involved).
  • Data subjects: Other parties to communication.
  • Purposes of processing: Communication; organizational and administrative procedures; feedback (e.g., collecting feedback via online form). Provision of our online services and user friendliness.
  • Retention and erasure: Erasure in accordance with the information contained in the section titled “Information on data storage and erasure”.
  • Legal bases: Legitimate interests (point (f) of Article 6(1) GDPR). Performance of contract and inquiries prior to entering into a contract (point (b) of Article 6(1) GDPR).

 

Further information on processing operations, procedures, and services:

  • Contact form: When people contact us via our contact form, by e-mail or by other means of communication, we process the personal data transferred to us to respond to and process the relevant request or concern. This typically includes information such as name, contact information, and possibly further information that is communicated to us and is required for proper processing. We use these data exclusively for the indicated purpose of contact and communication; legal bases: performance of contract and inquiries prior to entering into a contract (point (b) of Article 6(1) GDPR); legitimate interests (point (f) of Article 6(1) GDPR). 

We use platforms and applications from other providers (collectively “conference platforms”) for purposes of holding video and audio conferences, webinars, and other types of video and audio meetings (collectively “conferences”). We observe the legal specifications in selecting conference platforms and their services.

Data processed by conference platforms: In the context of participation in a conference, the conference platforms process the personal data of participants as mentioned below. The scope of the processing depends on factors including which data are specifically required in the context of a concrete conference (e.g., provision of login information or real names) and which optional information is provided by participants. In addition to processing to hold the conference, the participants’ data may also be processed by the conference platforms for security purposes or to optimize services. The data processed include personal information (first name, last name), contact information (e-mail address, phone number), login information (login codes or passwords), profile pictures, information about the person’s professional position/title or role, the IP address of the Internet access, information on participants’ devices, operating system, browser, and technical and language settings, information on content-related communication procedures, i.e., entries in chats and audio and video data, along with the use of other available features (such as surveys or polls). The content of the communications is encrypted to the extent provided in technical terms by the conference providers. If the participants are registered with the conference platforms as users, then additional data may be processed as agreed with the relevant conference provider.

Logging and recordings: If text entries, results of participation (e.g., in surveys or polls) and video or audio recordings are logged, this is communicated transparently to the participants in advance, and they are asked to consent where necessary.

Data protection measures of participants: With regard to the details of the processing of your data by the conference platforms, please note the latter’s data protection and privacy information and select the security and data protection and privacy settings that are optimal for you within the scope of the conference platform settings. Furthermore, please ensure data protection and privacy in the background of your images or recordings for the duration of a videoconference (e.g., by notifying others with whom you live, closing doors, and using any available technical features to blur your background). Links to conference rooms and login information must not be disclosed to unauthorized third parties.

Information on legal bases: Where we also process users’ data in addition to the conference platforms and request consent from users to the use of the conference platforms or certain features (e.g., consent to the recording of conferences), the legal basis of processing is this consent. Furthermore, our processing may be necessary in order to fulfill our contractual obligations (e.g., in participant lists, in the case of processing of the results of discussions or meetings, etc.). In all other respects, user data are processed on the basis of our legitimate interests in efficient and secure communication with the other parties to communications with us.

  • Types of data processed: Inventory data (e.g., full name, home address, contact information, client number, etc.); contact information (e.g., mailing and e-mail addresses or phone numbers); content data (e.g., messages and posts in text or image form and the information concerning them, such as information on authorship or the time of creation); usage data (e.g., page impressions and time spent on pages, click paths, usage intensity and frequency, types of devices and operating systems used, interactions with content and features); images and/or video recordings (e.g., photographs or video recordings of a person); audio recordings. Log data (e.g., log files concerning logins or the retrieval of data or access times).
  • Data subjects: Other parties to communication; users (e.g., website visitors, users of online services). Persons depicted.
  • Purposes of processing: Performance of contractual services and fulfillment of contractual obligations; communication. Office and organizational procedures.
  • Retention and erasure: Erasure in accordance with the information contained in the section titled “Information on data storage and erasure”.
  • Legal bases: Legitimate interests (point (f) of Article 6(1) GDPR).

 

Further information on processing operations, procedures, and services:

We transmit newsletters, e-mails, and other electronic notifications (collectively “newsletters”) exclusively with the consent of recipients or based on a legal basis. Where the content of the newsletter is mentioned in the context of subscribing to receive that newsletter, the content in question is the operative factor with regard to the users’ consent. To subscribe to our newsletter, it is normally sufficient to provide your e-mail address. However, in order to be able to offer you personalized service, we may request that you provide your name so we can address you personally in the newsletter or additional information as necessary for the purpose of the newsletter.

Erasure and restriction of processing: We may store the e-mail addresses provided for up to three years on the basis of our legitimate interests before we erase them in order to demonstrate that consent has previously been granted. The processing of these data is limited to the purpose of potentially defending against claims. An individual erasure request is possible at any time provided that the former existence of consent is confirmed at the same time. In the case of obligations to observe objections on a lasting basis, we reserve the right to store the e-mail address for this purpose alone in what is known as a “block list”.

The logging of the registration process takes place on the basis of our legitimate interests for the purpose of demonstrating that this process has taken place properly. Where we commission a service provider to send e-mails, this takes place on the basis of our legitimate interests in an efficient and secure sending system.

Content:

Information about us, our services, actions, and offerings.

  • Types of data processed: Inventory data (e.g., full name, home address, contact information, client number, etc.); contact information (e.g., mailing and e-mail addresses or phone numbers). Metadata, communication data, and process data (e.g., IP addresses, time stamps, identification numbers, persons involved).
  • Data subjects: Other parties to communication.
  • Purposes of processing: Direct marketing (e.g., via e-mail or mail).
  • Retention and erasure: Erasure in accordance with the information contained in the section titled “Information on data storage and erasure”.
  • Legal bases: Consent (point (a) of Article 6(1) GDPR).
  • Option to object (opt-out): You can unsubscribe from our newsletter at any time, meaning withdrawing your consent, or object to further receipt of our newsletter. You will find a link to unsubscribe at the end of each newsletter.

 

Further information on processing operations, procedures, and services: 
Evalanche: Sending of the newsletter; service provider: SC-Networks GmbH, Würmstrasse 4, 82319 Starnberg, Germany; legal bases: consent (point (a) of Article 6(1) GDPR); website: https://www.sc-networks.com/. Privacy information: https://www.sc-networks.com/data-protection/

Web analysis (also known as “reach measurement”) serves to analyze the visitor streams to our online services and may encompass behavior, interests, or demographic information on visitors, such as age or gender, as pseudonymized values. We can use reach analysis to see, for example, the time at which our online services or their features or content are used most frequently or to invite people to use them again. It is also possible for us to track which areas require optimization.

In addition to Web analysis, we may also use test methods to test and optimize aspects such as different versions of our online services or their components.

Unless otherwise indicated below, profiles, meaning data compiled on a use operation, may be created for these purposes, and information may be stored in a browser or on a device and then retrieved. The information collected includes but is not limited to websites visited and elements used there, along with technical information such as the browser and computer system used and information on usage times. Where users have consented, either to us or the providers of the services used by us, to the collection of their location data, processing of location data is also possible.

Beyond that, users’ IP addresses are stored. However, we use an IP masking procedure (i.e., pseudonymization by truncating (shortening) the IP address) to protect users. In general, no real information pertaining to users (such as e-mail addresses or names) is stored in the context of Web analysis, A/B testing and optimization. Instead, this information is pseudonymized. This means that neither we nor the providers of the software used know the actual identity of the user. Instead, all that is known is the information stored in the users’ profiles for the purpose of the relevant operations.

Information on legal bases: Where we ask users for their consent to the use of third parties, the legal basis for data processing is consent. Otherwise, user data are processed on the basis of our legitimate interests (i.e., interest in efficient, cost-effective and user-friendly services). In this context, we would also like to point out the information on the use of cookies in this Data Protection and Privacy Statement.

  • Types of data processed: Usage data (e.g., page impressions and time spent on pages, click paths, usage intensity and frequency, types of devices and operating systems used, interactions with content and features). Metadata, communication data, and process data (e.g., IP addresses, time stamps, identification numbers, persons involved).
  • Data subjects: Users (e.g., website visitors, users of online services).
  • Purposes of processing: Reach measurement (e.g., access statistics, recognition of recurring visitors); profiles containing user-related information (creating user profiles). Provision of our online services and user friendliness.
  • Retention and erasure: Erasure in accordance with the information contained in the section titled “Information on data storage and erasure”.
  • Security measures: IP masking (pseudonymization of IP address).
  • Legal bases: Consent (point (a) of Article 6(1) GDPR). Legitimate interests (point (f) of Article 6(1) GDPR).

 

Further information on processing operations, procedures, and services:

  • Matomo: Matomo is a software program used for purposes of Web analytics and reach measurement. In the context of the use of Matomo, cookies are created and stored on the user’s device. The user data collected in the context of the use of Matomo are processed only by us and not shared with third parties. The cookies are stored for a maximum period of 13 months: https://matomo.org/faq/general/faq_146/; legal bases: consent (point (a) of Article 6(1) GDPR). Erasure of data: The cookies have a maximum storage period of 13 months.
  • Indeed.com: Certain usage data that your browser transfers are collected and analyzed by Indeed in order to analyze the use of the website. We receive a statistical analysis of the number of referrals of potential applicants. Indeed may use one or more cookies to collect these usage data. In addition, the IP address assigned to your device at the relevant point in time and a browser-specific code are transferred to Indeed. The IP address is needed solely for the purpose of the session ID and for geolocation (to the city level); service provider: Indeed Ireland Operations Limited, Block B, Capital Dock, 80 Sir John Rogerson’s Quay Grand Canal Dock, Dublin, 2, D02 HE36, Ireland; legal bases: legitimate interests (point (f) of Article 6(1) GDPR); website: https://indeed.com/. Privacy policy: https://indeed.com/legal

We process personal data for the purpose of online marketing, which may encompass but is not limited to the marketing of advertising space or visualization of advertising and other content (collectively referred to as “content”) based on potential interests of users and measurement of their effectiveness.

For these purposes, “user profiles” are created and stored in a file (known as a cookie), or similar procedures are used by means of which the information relating to the user that is relevant to the presentation of the aforementioned content is stored. This may include but is not limited to content viewed, websites visited, and online networks used, along with other parties to communications and technical information such as the browser and computer system used and information on usage times and features used. Where users have consented to the collection of their location data, such data may also be processed.

In addition, users’ IP addresses are stored. However, we use available IP masking procedures (i.e., pseudonymization by truncating (shortening) the IP address) for user protection. In general, no real information pertaining to users (such as e-mail addresses or names) is stored in the context of the online marketing process. Instead, this information is pseudonymized. This means that neither we nor the providers of the online marketing process know the actual identity of the user. Instead, all that is known is the information stored in the users’ profiles.

The information in the profiles is typically stored in the cookies or using similar procedures. These cookies can generally also be read later on other websites that use the same online marketing process, analyzed for the purpose of displaying content, associated with further data, and stored on the online marketing process provider’s server.

In isolated cases, it is possible to associate real information with the profiles, mainly when users are, for example, members of a social network whose online marketing process we use and the network associates the user profiles with the aforementioned information. Please note that users can make additional arrangements with the providers, for example by consenting in the context of registration.

As a basic principle, we receive access only to aggregated information about the success of our ads. However, we can review, in the context of what are known as conversion measurements, which of our online marketing processes have led to “conversion”, meaning, for example, entry into a contract with us. Conversion measurement is used solely to analyze the success of our marketing measures.

Information on legal bases: Where we ask users for their consent to the use of third parties, the legal basis for data processing is consent. Otherwise, the users’ data are processed on the basis of our legitimate interests (i.e., interest in efficient, cost-effective and user-friendly services). In this context, we would also like to point out the information on the use of cookies in this Data Protection and Privacy Statement.

Information on withdrawal of consent and objections:

Please see the data protection and privacy information provided by the relevant providers and the options for objecting (“opting out”) indicated with regard to the providers. Where no explicit opt-out option has been indicated, it is possible for you to deactivate cookies using your browser settings. However, this may restrict some features of our online services. Therefore, we additionally recommend the following opt-out options, which are offered on a collective basis for the relevant areas:

a) Europe: https://www.youronlinechoices.eu.

b) Canada: https://www.youradchoices.ca/choices.

c) United States: https://www.aboutads.info/choices.

d) General (multiple areas): https://optout.aboutads.info.

  • Types of data processed: Usage data (e.g., page impressions and time spent on pages, click paths, usage intensity and frequency, types of devices and operating systems used, interactions with content and features). Metadata, communication data, and process data (e.g., IP addresses, time stamps, identification numbers, persons involved).
  • Data subjects: Users (e.g., website visitors, users of online services).
  • Purposes of processing: Reach measurement (e.g., access statistics, recognition of recurring visitors); tracking (e.g., interest/behavior-related profiling, use of cookies); identification of target groups; marketing; profiles containing user-related information (creating user profiles). Conversion measurement (measurement of effectiveness of marketing measures).
  • Retention and erasure: Erasure in accordance with the information contained in the section titled “Information on data storage and erasure”.
  • Security measures: IP masking (pseudonymization of IP address).
  • Legal bases: Consent (point (a) of Article 6(1) GDPR). Legitimate interests (point (f) of Article 6(1) GDPR).

 

Further information on processing operations, procedures, and services:

  • Google Ads and conversion measurement: Online marketing procedures for the purpose of placing content and ads within the service provider’s advertising network (e.g., in search results, in videos, on websites, and so on) so that they are displayed to users who are likely to be interested in the ads. We also measure the conversion of the ads, meaning whether they have prompted users to interact with the ads and use the services advertised (known as “conversion”). However, we receive only anonymous information and do not receive any personal information concerning individual users; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; legal bases: consent (point (a) of Article 6(1) GDPR), legitimate interests (point (f) of Article 6(1) GDPR); website: https://marketingplatform.google.com; privacy policy: https://policies.google.com/privacy; basis for third-country transfers: Data Privacy Framework (DPF); further information: types of processing and data processed: https://business.safety.google/adsservices/. Data processing terms between controllers and standard contractual clauses for third-country transfers of data: https://business.safety.google/adscontrollerterms.
  • Enhanced conversions for Google Ads: If and when users click on our Google ads and subsequently use the service advertised (known as “conversion”), the data entered by the user, such as the e-mail address, name, home address, and phone number, may be transferred to Google. The hash values are then reconciled with existing Google accounts of those users to be able to better analyze and improve users’ interactions with ads (e.g., clicks or views) and thus the performance thereof; legal bases: consent (point (a) of Article 6(1) GDPR). Website: https://support.google.com/google-ads/answer/9888656

We maintain an online presence within social networks and, in this context, process user data to communicate with the users active there or offer information about us.

Please note that user data may be processed outside the European Union in this context. This may give rise to risks to users, as it could make enforcing user rights more difficult, for example.

Furthermore, user data are typically processed within social networks for market research and advertising purposes. In this way, for example, usage profiles can be created based on a user’s usage behavior and the user interests it indicates. These profiles may in turn be used, for example, to serve ads that are likely to match users’ interests within and outside these networks. Therefore, cookies are typically stored on users’ computers, storing their usage behavior and interests. In addition, data may also be stored in the usage profiles independently of the devices used by the users (especially if users are members of the relevant platforms and are logged in there).

For a detailed discussion of the relevant forms of processing and the options for objecting (opting out), please see the data protection and privacy statements and policies and other information provided by the operators of the relevant networks.

Please note that requests for access to information and assertion of the rights of data subjects are also most effectively addressed to these providers. Only the latter have access to the user data in each case and can take relevant action and provide information directly. Should you still need help, feel free to contact us.

  • Types of data processed: Contact information (e.g., mailing and e-mail addresses or phone numbers); content data (e.g., messages and posts in text or image form and the information concerning them, such as information on authorship or the time of creation). Usage data (e.g., page impressions and time spent on pages, click paths, usage intensity and frequency, types of devices and operating systems used, interactions with content and features).
  • Data subjects: Users (e.g., website visitors, users of online services).
  • Purposes of processing: Communication; feedback (e.g., collecting feedback via online form). Public relations work.
  • Retention and erasure: Erasure in accordance with the information contained in the section titled “Information on data storage and erasure”.
  • Legal bases: Legitimate interests (point (f) of Article 6(1) GDPR).

 

Further information on processing operations, procedures, and services:

  • Facebook pages: Profiles within the Facebook social network – We are jointly responsible as controllers with Meta Platforms Ireland Limited for the collection (but not the further processing) of data of visitors to our Facebook page (known as a fan page). These data include information on the types of content that users view or with which they interact or the actions taken by them (see “Things you and others do and provide” in the Facebook Data Policy: https://www.facebook.com/privacy/policy/), and information about the devices used by users (such as IP addresses, operating system, browser type, language settings, cookie data; see “Device Information” in the Facebook Data Policy: https://www.facebook.com/privacy/policy/). As explained in the Facebook Data Policy under “How do we use this information?”, Facebook also collects and uses information to provide analytical services known as “page insights” for page operators so the operators can gain insight into how people interact with their pages and the associated content. We have entered into a specific agreement with Facebook (“Information about Page Insights”, https://www.facebook.com/legal/terms/page_controller_addendum), which sets out provisions, in particular, on which security measures Facebook is obligated to observe and in which Facebook has declared its willingness to fulfill the rights of data subjects (meaning, for example, that users can address requests for access to information or erasure requests to Facebook directly). The rights of users (particularly the rights of access to information, the right to erasure, and the rights to object and lodge a complaint with the supervisory authority with jurisdiction) are not restricted by the agreements with Facebook. Further information is found in the “Information about Page Insights Data” (https://www.facebook.com/legal/terms/information_about_page_insights_data).  
    The joint controller status is limited to the collection by and transfer of data to Meta Platforms Ireland Limited, a company based in the EU. The further processing of the data is the sole responsibility of Meta Platforms Ireland Limited, which particularly concerns the transfer of the data to the parent company Meta Platforms, Inc., in the United States; service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; legal bases: legitimate interests (point (f) of Article 6(1) GDPR); website: https://www.facebook.com; privacy policy: https://www.facebook.com/privacy/policy/. Basis for third-country transfers: Data Privacy Framework (DPF).
  • LinkedIn: Social network – We are jointly responsible as controllers with LinkedIn Ireland Unlimited Company for the collection (but not the further processing) of data of visitors which are generated for purposes of creating the “Page Insights” (statistics) concerning our LinkedIn profiles.  
    These data include information on the types of content that users view or with which they interact or the actions taken by them and information about the devices used by users (such as IP addresses, operating system, browser type, language settings, cookie data) and information from users’ profiles, such as professional role or title, country, industry, level of the hierarchy, company size, and employment status. For data protection and privacy information concerning the processing of user data by LinkedIn, please see the LinkedIn privacy policy: https://www.linkedin.com/legal/privacy-policy 
    We have entered into a specific agreement with LinkedIn Ireland (“Page Insights Joint Controller Addendum”, (the “Addendum”), https://legal.linkedin.com/pages-joint-controller-addendum), which sets out provisions, in particular, on which security measures LinkedIn is obligated to observe and in which LinkedIn has declared its willingness to fulfill the rights of data subjects (meaning, for example, that users can address requests for access to information or erasure requests to LinkedIn directly). The rights of users (particularly the rights of access to information, the right to erasure, and the rights to object and lodge a complaint with the supervisory authority with jurisdiction) are not restricted by the agreements with LinkedIn. The joint controller status is limited to the collection by and transfer of data to LinkedIn Ireland Unlimited Company, a company based in the EU. The further processing of the data is the sole responsibility of LinkedIn Ireland Unlimited Company, which particularly concerns the transfer of the data to the parent company LinkedIn Corporation in the United States; service provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland; legal bases: legitimate interests (point (f) of Article 6(1) GDPR); website: https://www.linkedin.com; privacy policy: https://www.linkedin.com/legal/privacy-policy; basis for third-country transfers: Data Privacy Framework (DPF). Option to object (opt-out): https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.
  • X: Social network; service provider: Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2 D02 AX07, Ireland; legal bases: legitimate interests (point (f) of Article 6(1) GDPR); website: https://x.com. Privacy policy: https://x.com/en/privacy.
  • Xing: Social network; service provider: New Work SE, Am Strandkai 1, 20457 Hamburg, Germany; legal bases: legitimate interests (point (f) of Article 6(1) GDPR); website: https://www.xing.com/. Privacy policy: https://privacy.xing.com/en/privacy-policy

Our online services incorporate functional and content elements obtained from the servers of their respective providers (“third-party providers”). These may include but are not limited to graphics, videos, and maps (collectively “content”).

Incorporation of these elements always presupposes that the third-party providers of this content process the IP addresses of users, as without these IP addresses, they would be unable to transmit the content to the users’ browsers. This means the IP address is required in order to present this content or these functions. We strive to use only content whose respective provider uses the IP address solely to deliver the content. Third-party providers may moreover use what are known as pixel tags (invisible graphics also known as Web beacons) for statistical or marketing purposes. These pixel tags allow for analysis of information such as user traffic to the pages of this website. This pseudonymized information can furthermore be stored in cookies on the user’s device and may include items such as technical information on the browser and operating system, referring websites, the time of the visit, and further information on the use of our online services. It may also be associated with such information from other sources.

Information on legal bases: Where we ask users for their consent to the use of third parties, the legal basis for data processing is that consent. Otherwise, user data are processed on the basis of our legitimate interests (i.e., interest in efficient, cost-effective and user-friendly services). In this context, we would also like to point out the information on the use of cookies in this Data Protection and Privacy Statement.

  • Types of data processed: Usage data (e.g., page impressions and time spent on pages, click paths, usage intensity and frequency, types of devices and operating systems used, interactions with content and features); metadata, communication data, and process data (e.g., IP addresses, time stamps, identification numbers, persons involved); inventory data (e.g., full name, home address, contact information, client number, etc.); contact information (e.g., mailing and e-mail addresses or phone numbers); content data (e.g., messages and posts in text or image form and the information concerning them, such as information on authorship or the time of creation). Location data (information on the geographic position of a device or person).
  • Data subjects: Users (e.g., website visitors, users of online services).
  • Purposes of processing: Provision of our online services and user friendliness.
  • Retention and erasure: Erasure in accordance with the information contained in the section titled “Information on data storage and erasure”.
  • Legal bases: Consent (point (a) of Article 6(1) GDPR). Legitimate interests (point (f) of Article 6(1) GDPR).

 

Further information on processing operations, procedures, and services:

We use services, platforms, and software from other providers (“third-party providers”) for purposes of organization, management, administration, planning, and performance of our services. We observe the legal specifications in selecting the third-party platforms and their services.

In this context, personal data may be processed and stored on the third-party providers’ servers. This may apply to various types of data that we process in accordance with this Data Protection and Privacy Statement. These data may include but are not limited to master data and contact information of users and data on transactions or processes, contracts, other processes and the content thereof.

Where users are referred to third-party providers or their software or platforms within the scope of communication or of business or other relationships with us, the third-party providers may process usage data and metadata for security purposes, to optimize services, or for marketing purposes. We therefore request that the data protection and privacy statements of the relevant third-party providers be noted.

  • Types of data processed: Content data (e.g., messages and posts in text or image form and the information concerning them, such as information on authorship or the time of creation); usage data (e.g., page impressions and time spent on pages, click paths, usage intensity and frequency, types of devices and operating systems used, interactions with content and features). Metadata, communication data, and process data (e.g., IP addresses, time stamps, identification numbers, persons involved).
  • Data subjects: Other parties to communication. Users (e.g., website visitors, users of online services).
  • Purposes of processing: Performance of contractual services and fulfillment of contractual obligations. Office and organizational procedures.
  • Retention and erasure: Erasure in accordance with the information contained in the section titled “Information on data storage and erasure”.
  • Legal bases: Legitimate interests (point (f) of Article 6(1) GDPR).

 

Further information on processing operations, procedures, and services:

  • Swat.io: Swat.io makes it possible to combine work on multiple social media platforms into a single digital dashboard. This relates to the publication of content, monitoring of user reactions, community management, and statistical analyses.  
    If you contact us through comments, postings, mentions, and/or direct messages on Instagram, X, Facebook, and/or LinkedIn, the data you may provide in the context of making contact (such as username, link to profile, date and time of publication) will be processed; service provider: Swat.io GmbH, Schönbrunner Strasse 213-215, 1120 Vienna, Austria; website: https://swat.io/en/. Privacy policy: https://swat.io/en/privacy-policy/

This section contains information on how we handle the data of persons who make reports (whistleblowers) and of other parties who are affected and involved within the scope of our whistleblowing procedure. Our goal is to offer an uncomplicated and secure way to report potential misconduct by us, our employees, or our service providers, especially for actions that violate laws or ethical guidelines. We also ensure that reports are processed and handled appropriately.

Legal bases (Germany): Where we process data to comply with our statutory obligations under the German Whistleblower Protection Act (HinSchG), the legal basis of processing is point (c) of Article 6(1) GDPR and, in the case of special categories of personal data, point (g) of Article 9(2) GDPR and Sec. 22 of the German Federal Data Protection Act (BDSG), in each case in conjunction with Sec. 10 HinSchG. This relates to the obligation to establish and operate an internal whistleblowing body, compliance with the statutory obligations thereof and, in the case of use of the data collected as part of the reporting procedure, initiating further investigations or disciplinary measures under labor and employment law against persons found to have committed a violation.

Where we process data (particularly in the event that misconduct is found to have occurred) in the context of or to prepare for a legal defense, this takes place on the basis of our legitimate interests in legally compliant and ethical actions in accordance with point (f) of Article 6(1) GDPR.

Where you have given us your consent to the processing of personal data for specific purposes, the processing takes place on the basis thereof in accordance with point (a) of Article 6(1) GDPR and, in the case of special categories of personal data, point (a) of Article 9(2) GDPR. One example of this would be the disclosure of the whistleblower’s identity or making a verbatim record during a personal meeting. Consent can be withdrawn at any time with effect for the future.

Types of data processed:

We may collect various types of data in the context of accepting and processing reports and in the subsequent whistleblower procedure. These include but are not limited to the data provided by a whistleblower, such as:

  • Name, contact information, and place of residence of the person making the report
  • Names and information relating to possible witnesses or persons affected by the report
  • Names and information relating to the persons against whom the report is being made
  • Information concerning the suspected misconduct
  • Further relevant details where provided by the whistleblower

 

For purposes of reviewing the matter and next steps in the process, we moreover process the following personal data:

  • The unique identifier assigned to the report
  • Contact information for the person making the report, if provided
  • Personal data of persons mentioned in the report, if provided
  • Personal data of persons indirectly affected by the investigation of the matter, if applicable
  • Personal data of persons from other companies involved (e.g., within the scope of legal advice), if relevant
  • Further information related to the matter

 

Special categories of personal data:

We may collect special types of personal data in the context of our activities, particularly where these data are disclosed by a whistleblower. This includes:

  • Data concerning a person’s health
  • Data concerning persons’ racial or ethnic origin
  • Information on a person’s religious or philosophical beliefs
  • Information on a person’s sexual orientation

 

These data are processed only if they are relevant to the processing of the report in question and have been expressly provided by the whistleblower.

Please note that it is possible to make reports anonymously. To ensure that your data are secure when using our online services, we recommend that you access the services using your browser’s “incognito” or “private” mode. Follow these steps to open an incognito window: a) On a Windows PC: Open your browser and press Ctrl+Shift+N; b) On a Mac: Open your browser and press Command+Shift+N; c) On a mobile device: Use the tab menu to switch to private mode.

When you access our website in normal browsing mode, your browser automatically transmits certain information to our server, such as the browser type and version and the date and time of your access. This also includes your device’s IP address. These data are temporarily stored in a log file and automatically erased after 30 days at a maximum.

The processing of the IP address serves the technical and administrative purposes of connecting to our website. It ensures the security, stability, and functionality of the website and is an important component of the measures we take to ensure confidential whistleblowing.

The processing of the logged data is based on point (f) of Article 6(1) GDPR. Our legitimate interest in this case lies in the need for security and the necessity of establishing the technical prerequisites for smooth and disruption-free whistleblowing.

Provision of names: You can make a report anonymously. Except where this is prohibited by national law, however, we do recommend that you provide your name and contact information. This allows us to follow up on your report more effectively and contact you directly where applicable.

If you provide your name and contact information, your identity will be treated as strictly confidential. The only exceptions to this confidentiality are where we are obligated by law to disclose your identity. This may be necessary in order to protect or defend our rights or those of our employees, clients, suppliers, or business partners. Another exception applies if it is determined that the accusations were made with malicious intent.

Provision of data to third parties: We do not disclose data associated with the reports made to third parties except under certain circumstances. This takes place if and when either a) you have given us your express consent to this; or b) there is a legal obligation to disclose the data. These possible third parties include public authorities and government, regulatory, or tax authorities, if disclosure is necessary to comply with a legal or regulatory obligation. We may also engage the services of attorneys and other professional advisors within the scope of the statutory provisions. These persons are entitled to review suspected misconduct and take necessary actions subsequent to an investigation, such as initiating disciplinary or court proceedings. In addition, service providers carefully selected and monitored by us may receive data for these purposes (such as operators of a Web-based reporting system). However, these service providers are contractually obligated to comply with the applicable provisions on data protection and privacy in the context of processing data on another party’s behalf.

Data retention and erasure: Personal data are processed only as long as is necessary in order to fulfill the purposes of processing as described above. If these data are no longer necessary for the purposes mentioned, erasure takes place. In certain situations, however, the data may be retained longer to fulfill the statutory requirements as long as this is necessary and proportionate. In such cases, the data are erased once they are no longer required for these purposes.

Technical and organizational measures: We have implemented the necessary contractual, technical, and organizational measures to ensure the security of all data processed by us. These data are processed exclusively for the stipulated purposes. Incoming reports are processed by persons authorized to do so, who receive access to the relevant reports and perform the subsequent review of the matter. Our employees are specially trained for the proper performance of the reviews of these matters and are obligated to maintain the strictest confidentiality.

  • Types of data processed: Inventory data (e.g., full name, home address, contact information, client number, etc.); employee data (information concerning employees and other employed persons); contact information (e.g., mailing and e-mail addresses or phone numbers); content data (e.g., messages and posts in text or image form and the information concerning them, such as information on authorship or the time of creation). Usage data (e.g., page impressions and time spent on pages, click paths, usage intensity and frequency, types of devices and operating systems used, interactions with content and features).
  • Data subjects: Employees (such as permanent and temporary employees, applicants and other associates); third parties. Whistleblowers.
  • Purposes of processing: Whistleblower protection.
  • Retention and erasure: Erasure in accordance with the information contained in the section titled “Information on data storage and erasure”.
  • Legal bases: Consent (point (a) of Article 6(1) GDPR); legal obligation (point (c) of Article 6(1) GDPR). Legitimate interests (point (f) of Article 6(1) GDPR).