Privacy Policy

With the following Privacy Policy, we would like to inform you about the types of your personal data (hereinafter also referred to as “data”) that we process, for what purposes, and to what extent. This Privacy Policy applies to all processing of personal data carried out by us, both in connection with the provision of our services and in particular on our websites, in mobile applications, and within external online presences, such as our social media profiles (hereinafter collectively referred to as the “online offering”).
Below you will find an overview of the legal bases under the GDPR on which we process personal data. Please note that, in addition to the provisions of the GDPR, national data protection regulations may apply in your country or ours. Where more specific legal bases are relevant in individual cases, we will inform you of these in the Privacy Policy.
Performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR) — Processing is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract.

Legitimate interests (Art. 6(1)(f) GDPR) — Processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

In addition to the data protection provisions of the General Data Protection Regulation, national data protection regulations apply in Germany. These include in particular the Act on Protection against Misuse of Personal Data in Data Processing (Federal Data Protection Act — BDSG). The BDSG contains specific provisions on the right of access, the right to erasure, the right to object, the processing of special categories of personal data, processing for other purposes, transmission, and automated individual decision-making including profiling. It also governs the processing of personal data for employment purposes (§ 26 BDSG), in particular with regard to the establishment, performance, or termination of employment relationships and the consent of employees. State data protection laws of the individual federal states may also apply.

Security Measures

In accordance with the legal requirements, taking into account the state of the art, the costs of implementation, and the nature, scope, circumstances, and purposes of the processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons, we implement appropriate technical and organisational measures to ensure a level of protection appropriate to the risk.

These measures include in particular safeguarding the confidentiality, integrity, and availability of data by controlling physical and electronic access to the data, as well as access to, input of, disclosure of, ensuring the availability of, and separation of such data. We have also established procedures to ensure the exercise of data subjects’ rights, the deletion of data, and responses to data security threats. Furthermore, we take the protection of personal data into account from the outset in the development or selection of hardware, software, and processes, in accordance with the principle of privacy by design and privacy by default.

SSL encryption (https): To protect the data you transmit via our online offering, we use SSL encryption. You can identify such encrypted connections by the prefix https:// in the address bar of your browser.

Transfer of Personal Data

In the course of our processing of personal data, data may be transferred to or disclosed to other bodies, companies, legally independent organisational units, or individuals. Recipients of such data may include, for example, service providers entrusted with IT tasks, or providers of services and content that are integrated into a website. In such cases, we comply with the legal requirements and, in particular, enter into appropriate contracts or agreements with the recipients of your data that serve to protect your data.

Data Processing in Third Countries

Where we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)), or where processing takes place in the context of using third-party services or disclosing or transferring data to other individuals, bodies, or companies, this is done only in accordance with the legal requirements.
Subject to express consent or contractually or legally required transfer, we only process or have data processed in third countries with a recognised level of data protection, on the basis of contractual obligations through so-called standard contractual clauses of the EU Commission, in the presence of certifications, or on the basis of binding internal data protection rules (Art. 44 to 49 GDPR, information page of the EU Commission: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection_de).

Deletion of Data

The data processed by us will be deleted in accordance with the legal requirements as soon as the consents permitting their processing are revoked or other permissions cease to apply (e.g. where the purpose for which the data was processed has ceased to exist or it is no longer necessary for that purpose). Where the data is not deleted because it is required for other legally permissible purposes, its processing will be restricted to those purposes. That is, the data will be blocked and not processed for other purposes. This applies, for example, to data that must be retained for commercial or tax law reasons, or whose retention is necessary for the establishment, exercise, or defence of legal claims or for the protection of the rights of another natural or legal person.

Our privacy notices may also contain further information on the retention and deletion of data that takes precedence for the respective processing activities.

Use of Cookies

Cookies are small text files or other storage markers that store information on end devices and read information from those end devices — for example, to save login status in a user account, the contents of a shopping cart in an online shop, the content accessed, or the functions used within an online offering. Cookies may also be used for various purposes, such as to ensure the functionality, security, and convenience of online offerings, and for the analysis of visitor flows.

Notes on consent: We use cookies in accordance with the legal requirements. We therefore obtain prior consent from users, unless this is not required by law. Consent is in particular not necessary where the storing and reading of information, including cookies, is strictly necessary in order to provide users with a telemedia service they have expressly requested (i.e. our online offering). Revocable consent is clearly communicated to users and includes information on the respective cookie usage.

Notes on the legal basis under data protection law: The legal basis on which we process users’ personal data using cookies depends on whether we ask users for consent. If users consent, the legal basis for processing their data is the consent given. Otherwise, data processed using cookies is processed on the basis of our legitimate interests (e.g. in the commercially viable operation of our online offering and improving its usability), or, where the use of cookies is necessary to fulfil our contractual obligations, on the basis of the performance of those obligations. We will inform users of the purposes for which we use cookies in the course of this Privacy Policy or in the context of our consent and processing procedures.

Retention period: With regard to retention periods, the following types of cookies are distinguished:

Temporary cookies (also known as session cookies): Temporary cookies are deleted at the latest once a user has left the online offering and closed their end device (e.g. browser or mobile application).

Persistent cookies: Persistent cookies remain stored even after the end device is closed. For example, login status can be saved or preferred content can be displayed directly when a user revisits a website. Equally, data collected using cookies can be used to measure reach. Unless we provide users with explicit information on the type and retention period of cookies (e.g. in the context of obtaining consent), users should assume that cookies are persistent and that the retention period may be up to two years.

General notes on revocation and objection (opt-out): Users may revoke any consent they have given at any time and may also object to processing in accordance with the legal requirements set out in Art. 21 GDPR (further information on objection is provided in the course of this Privacy Policy). Users may also declare their objection via their browser settings.

Further Notes on Processing Activities, Procedures, and Services

Processing of cookie data on the basis of consent: We use a cookie consent management procedure through which users’ consents to the use of cookies, or to the processing activities and providers referred to in the cookie consent management procedure, are obtained, managed, and revoked by users. The consent declaration is stored so that it does not need to be requested again and so that consent can be demonstrated in accordance with the legal obligation. Storage may take place server-side and/or in a cookie (a so-called opt-in cookie, or by means of comparable technologies), in order to be able to associate consent with a user or their device. Subject to individual information provided by cookie management service providers, the following notes apply: The retention period for consent may be up to two years. A pseudonymous user identifier is generated and stored together with the time of consent, information on the scope of consent (e.g. which categories of cookies and/or service providers), and the browser, system, and end device used.

Provision of the Online Offering and Web Hosting

In order to provide our online offering securely and efficiently, we use the services of one or more web hosting providers from whose servers (or servers managed by them) the online offering can be accessed. For these purposes, we may use infrastructure and platform services, computing capacity, storage space, and database services, as well as security services and technical maintenance services.

The data processed in the context of providing the hosting offering may include all information relating to users of our online offering that arises in the course of use and communication. This regularly includes the IP address, which is necessary to deliver the content of online offerings to browsers, and all input made within our online offering or on websites.

Types of data processed: Content data (e.g. input in online forms); usage data (e.g. pages visited, interest in content, access times); meta/communication data (e.g. device information, IP addresses).

Data subjects: Users (e.g. website visitors, users of online services).

Purposes of processing: Provision of our online offering and user experience; IT infrastructure (operation and provision of information systems and technical devices (computers, servers, etc.)).

Legal bases: Legitimate interests (Art. 6(1)(f) GDPR).

Further Notes on Processing Activities, Procedures, and Services

Collection of access data and log files: We ourselves (or our web hosting provider) collect data on every access to the server (so-called server log files). Server log files may include the address and name of the web pages and files accessed, the date and time of access, the volume of data transferred, notification of successful retrieval, browser type and version, the user’s operating system, referrer URL (the previously visited page), and, as a rule, IP addresses and the requesting provider. Server log files may be used, on the one hand, for security purposes, e.g. to prevent server overload (in particular in the event of abusive attacks, so-called DDoS attacks), and, on the other hand, to ensure server load and stability. Legal bases: Legitimate interests (Art. 6(1)(f) GDPR). Deletion of data: Log file information is stored for a maximum of 30 days and then deleted or anonymised. Data whose further retention is required for evidentiary purposes is exempt from deletion until the final clarification of the relevant incident.

Contact and Inquiry Management

When you contact us (e.g. via contact form, email, telephone, or via social media) and in the context of existing user and business relationships, the information provided by the inquiring parties is processed to the extent necessary to respond to the contact inquiries and any requested measures.

The handling of contact inquiries and the management of contact and inquiry data in the context of contractual or pre-contractual relationships is carried out to fulfil our contractual obligations or to respond to (pre-)contractual inquiries, and otherwise on the basis of the legitimate interests in responding to inquiries and maintaining user or business relationships.

Types of data processed: Contact data (e.g. email, telephone numbers); content data (e.g. input in online forms); usage data (e.g. pages visited, interest in content, access times); meta/communication data (e.g. device information, IP addresses).

Data subjects: Communication partners.

Purposes of processing: Performance of contractual services and customer service; contact inquiries and communication; management and response to inquiries; feedback (e.g. collecting feedback via online form); provision of our online offering and user experience.

Legal bases: Performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR); legitimate interests (Art. 6(1)(f) GDPR).

Further Notes on Processing Activities, Procedures, and Services

Contact form: Where users contact us via our contact form, email, or other communication channels, we process the data communicated to us in this context for the purpose of handling the matter raised. For this purpose, we process personal data in the context of pre-contractual and contractual business relationships to the extent necessary for their performance, and otherwise on the basis of our legitimate interests and those of the communication partners in responding to the matters raised and our statutory retention obligations. Legal bases: Performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR); legitimate interests (Art. 6(1)(f) GDPR).

Amendment and Update of the Privacy Policy

We ask you to regularly inform yourself about the content of our Privacy Policy. We update the Privacy Policy as soon as changes to the data processing carried out by us make this necessary. We will inform you as soon as the changes require an action on your part (e.g. consent) or any other individual notification.
Where we provide addresses and contact information of companies and organisations in this Privacy Policy, please note that addresses may change over time and we ask you to verify the information before making contact.

Rights of Data Subjects

As a data subject, you have various rights under the GDPR, which arise in particular from Art. 15 to 21 GDPR:
Right to object: You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out on the basis of Art. 6(1)(e) or (f) GDPR; this also applies to profiling based on those provisions. Where personal data concerning you is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for the purposes of such marketing; this also applies to profiling to the extent that it is related to such direct marketing.
Right to withdraw consent: You have the right to withdraw consent given at any time.
Right of access: You have the right to request confirmation as to whether data concerning you is being processed, and to obtain access to that data as well as further information and a copy of the data in accordance with the legal requirements.
Right to rectification: You have the right, in accordance with the legal requirements, to request the completion of data concerning you or the rectification of inaccurate data concerning you.

Right to erasure and restriction of processing: You have the right, in accordance with the legal requirements, to request that data concerning you be erased without undue delay, or alternatively, in accordance with the legal requirements, to request a restriction of the processing of the data.
Right to data portability: You have the right to receive data concerning you that you have provided to us, in a structured, commonly used, and machine-readable format, or to request its transfer to another controller, in accordance with the legal requirements.

Right to lodge a complaint with a supervisory authority: Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement, if you consider that the processing of personal data relating to you infringes the provisions of the GDPR.

Definitions

This section provides an overview of the terms used in this Privacy Policy. Many of the terms are taken from the law and defined primarily in Art. 4 GDPR. The statutory definitions are binding. The following explanations are intended primarily to aid understanding. The terms are listed in alphabetical order.
Personal data: “Personal data” means any information relating to an identified or identifiable natural person (hereinafter “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. cookie), or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
Controller: “Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Processing: “Processing” means any operation or set of operations which is performed on personal data, whether or not by automated means. The term is broad and covers virtually any handling of data, whether it involves collecting, evaluating, storing, transmitting, or erasing it.
