Phone +49 (0) 6224 76996-0
Managing directors: Bernd Kletti, Christiane Kletti, Sina Thomas, Steffen Exner
Nature of data to be processed:
- Inventory data (e.g. names and addresses).
- Contact data (e.g. email, phone numbers).
- Content data (e.g. text input, photographs, videos).
- Usage data (e.g. visited websites, interest in content, log-in times).
- Meta and communication data (e.g. information on terminals, IP addresses).
Categories of data subjects
Visitors and users of the online presence (hereinafter, the data subjects are also collectively described as “Users”).
Purpose of processing
- Provision of an online presence, its features and content.
- Responding to contact inquiries and communicating with users.
- Security measures.
- Reach measurement/marketing.
Definitions in use
“Personal data” refers to any information relating to an identified or identifiable natural person (hereinafter “Data Subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. a cookie) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, in connection with personal data. It is an elastic term which has a broad meaning and encompasses practically any handling of data.
“Pseudonymisation” means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.
“Profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
“Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Relevant legal bases
According to Art. 32 GDPR, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, we shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
The measures include in particular the protection of the privacy, integrity and availability of data by means of monitoring physical access to the data as well as the access, input, transfer, safeguarding of availability and separation of the information concerned. Furthermore, we have implemented procedures which guarantee awareness of the rights of the persons affected, erasure of data, and reaction to threats to data. We also take into account the safeguarding of personal data already in the development phase or when selecting hardware, software and procedures corresponding to the principle of data protection in the process of technical development, and using data protection-friendly presets (Art. 25 GDPR).
Cooperation with processors and third parties
Where, whilst processing data, we disclose this to other persons and companies (processors or third parties), transfer it to these or otherwise allow access to the information, this procedure takes place only on the basis of legal permission (e.g. when a transfer of data to third parties such as service providers is necessary to fulfil a contractual obligation pursuant to point b of Art. 6(1) GDPR), where you have given us your consent, a legal obligation stipulates this, or we have a legitimate interest in doing so (e.g. when implementing agents, web hosts, etc.).
Where we commission third parties to process data on the basis of a so-called “job processing contract”, this shall take place according to Art. 28 GDPR.
Transfers of data in third countries
Where we process data in a third country (i.e. outside of the European Union (EU) or the European Economic Area (EEA)), or where this takes place in connection with the utilisation of the services of third parties, or with the disclosure or transfer of data to third parties, this shall take place only to fulfil our (pre)contractual obligations, where you have given us your consent, for reasons of a contractual obligation, or on the basis of our legitimate interests. Subject to legal or contractual permission, we shall process data, or have this processed in a third country, only when special conditions pursuant to Art. 44 ff. GDPR are provided for. This means, for example, that processing shall take place on the basis of special guarantees such as the officially recognised establishment of a level of data protection equivalent to that of the EU (for the USA, this is provided by the “Privacy Shield”), or the observance of officially recognised special contractual obligations (the so-called “standard contractual clauses”).
Rights of the data subjects
You have the right to obtain confirmation as to whether or not data concerning your person is being processed, and to obtain information about this data, and further information and copies of the data, in accordance with Art. 15 GDPR. You have the right, pursuant to Art. 16 GDPR, to have incomplete data concerning your person completed, or to obtain the rectification of inaccurate data concerning your person. According to Art. 17 GDPR, you have the right to obtain the erasure of data concerning your person without undue delay, or, alternatively, to obtain restriction of processing of the data pursuant to Art. 18 GDPR. According to Art. 20 GDPR, you have the right to receive the data concerning your person, which you have provided to us in accordance with Art. 20 GDPR and have the right to demand transmission of this data to other controllers. Furthermore, you have the right, pursuant to Art. 77 GDPR, to lodge a complaint with the responsible supervisory authority.
Right to withdraw consent
You have the right to withdraw your given consent with effect for the future pursuant to Art. 7(3) GDPR.
Right to object
You have the right, at any time, to object to the future processing of data concerning your person pursuant to Art. 21 GDPR. The objection may apply in particular to processing for the purpose of direct advertising.
Cookies and right to object to direct advertising
“Cookies” is a term for small files which are deposited on a user’s computer. Various details can be stored within the cookie. The main purpose of a cookie (or the terminal a cookie is stored on) is to store data concerning the user during, and also after a visit to an online presence. Temporary cookies, also known as “session cookies” or “transient cookies”, are ones which are erased once a user leaves an online presence and closes his or her browser. In a cookie of this type, the content of an online shopping basket, for example, or a login status, can be memorised. “Permanent” or “persistent” cookies are ones which remain stored even after the browser has been closed. In this way, for instance, the login status can be stored when the user returns to the online presence many days later. At the same time, a cookie of this type can store user preferences in order to process these for reach measurement or marketing purposes. A “third party cookie” is one which is offered by suppliers other than the controller responsible for the online presence (when talking only about the latter’s cookies, we use the term “first party cookies”).
If users do not wish to have cookies stored on their terminal, they are requested to deactivate the corresponding option in the system preferences of their browser. Stored cookies can be erased in the browser’s system settings. When cookies are left out, this may result in a limitation of the functionality of the online presence used.
Information on how to generally object to the implementation of cookies used for online marketing, especially for tracking purposes, by a number of services, is described on the US website http://www.aboutads.info/choices/ or on the EU site http://www.youronlinechoices.com/. Furthermore, the storage of cookies can be stopped by turning them off in the browser settings. Please bear in mind that in this case it may not be possible to use all features of this online presence.
Erasure of data
According to German legal requirements, retention takes place in particular for ten years pursuant to Section 147(1) of the German Fiscal Code (AO), and Section 257(1) numbers 1 and 4, subsection 4 of the German Commercial Code (HGB) (accounts, records, situation reports, accounting records, trading books, documents required for taxation purposes, etc.) and for six years pursuant to Section 257(1) numbers 2 and 3, subsection 4 of the German Commercial Code (trading books).
Administration, accounting, office and contact management
We process data in connection with administration duties and organisation of our company, financial accounting, and to observe legal obligations such as archiving. In doing so, we process the same data we handle when delivering our contractual services. The basis for processing is point (c) of Art. 6(1) GDPR, and point (f) of Art. 6(1) GDPR. Customers, prospective customers, business associates and visitors to the website are affected by this processing. The purpose, and our interest in processing, consists of administration, accounting, office management, and archiving of data, in other words activities which allow us to maintain our business activities, perform our tasks, and provide our services. The erasure of data with regard to contractual services and contractual communication is equivalent to the tasks mentioned in connection with these processing activities.
We shall, in doing so, disclose or transfer data to financial authorities, counsellors such as tax authorities, or auditors as well as to billing centres and payment service providers.
Furthermore, we shall, on the basis of our business interests, store information concerning suppliers, organisers or other business associates, for example in order to permit us to contact these at a later stage. Data of this kind, which is mainly connected with the company, is categorically stored by us on a permanent basis.
Data protection information in application procedures
We process applicant data only for the purpose and within the framework of the application procedure in accordance with legal requirements. The processing of applicant data takes place for compliance with our (pre)contractual obligations within the framework of the application procedure within the meaning of point (b) of Art. 6(1) GDPR, and point (f) of Art. 6(1) GDPR, as long as data processing is required by us for example in connection with legal procedures (in Germany, Section 26 of the Federal Data Protection Act/BDSG also applies).
A prerequisite for the application procedure is that applicants submit their applicant details. As long as we offer an online form, the required applicant data is specified, as otherwise described in the job descriptions. Categorically, this includes details of the person, postal and contact addresses, and documents pertaining to the application such as covering letters, the curriculum vitae and certificates. Beyond this, applicants are free to volunteer further information about themselves.
If, in connection with the application procedure, special categories of personal data are voluntarily disclosed pursuant to Art. 9(1) GDPR, these are additionally processed according to point (b) of Art. 9(2) GDPR (for example health data characterising a severe disability, or information concerning one’s ethnic origin). Insofar as special categories of personal data is requested from applicants in connection with the application procedure pursuant to Art. 9(1) GDPR, the processing of this data takes place additionally according to point (a) of Art. 9(2) GDPR (e.g. health data, if this is required for the professional activity).
As long as it is made available, applicants may submit their applications using an online form on our website. This information is transferred to us in encrypted form according to the state of the art. Furthermore, applicants may transfer their applications to us via email. In this case we ask you to bear in mind that emails are in general not encrypted, and that if applicants wish to encrypt these, they must do this themselves. For this reason, we cannot accept responsibility for the transfer route between the sender and reception on our server, and therefore recommend an online form or a postal dispatch instead. Apart from the application procedures using online forms and email, we continue to offer the alternative of applying to us by post.
In cases where applications are successful, we may, for employment relationship purposes, continue to process the data made available to us by applicants. If, however, the application for a job vacancy is unsuccessful, the applicant’s data shall be erased. Similarly, an applicant’s data is also erased if an application is withdrawn; a procedure applicants have a right to at any time.
The erasure takes place, unless applicants justifiably revoke this, at the end of a period of six months, so that we are able to respond to possible follow-up queries and conform to our obligations in accordance with the Equal Opportunities Act. Bills concerning possible travel compensation are archived according to fiscal requirements.
When contacting us (for example via contact forms, email, the phone or social media), user details shall be processed in order to handle and execute contact requests pursuant to point (b) of Art. 6(1) (within the framework of contractual/precontractual relationships), and pursuant to point (f) of Art. 6(1) GDPR (other requests). The user information may be stored in a Customer Relationship Management System ("CRM System") or equivalent request organisation.
We erase the requests where these are no longer required. Every two years, we review their necessity. Furthermore, the legal archiving obligations apply.
Hosting and email dispatch
The hosting services we make use of allow us to provide the following services: infrastructure and platform services, computing capacity, storage space and database services, email delivery, security services and technical maintenance services, all of which we implement for the management of this online presence.
In doing so, we, or our hosting providers, process inventory, contact, and content data as well as contractual data, usage data, and meta and communication data pertaining to customers, potential customers and visitors of this website on the basis of our legitimate interest in providing an efficient and secure online presence in accordance with point (f) of Art. 6(1) GDPR in connection with Art. 28 GDPR (completion of a job processing contract).
You have the right to receive information about your personal data which is saved in our system. Furthermore, you may have incorrectly saved personal data rectified or, where relevant, change or revoke your consent to a data agreement at any time and without giving any reasons. You may also revoke the processing of your personal data with effect for the future, or demand the complete deletion of your personal data. According to the conditions specified in Art. 20 GDPR, you are entitled to receive your saved personal data in a structured, correct and machine-readable format.
To avoid possible cases of abuse, we have the right to demand a handwritten signature or any other form of legitimation on requests. You have the right to lodge a complaint with the data protection inspectorate. The authority responsible for us is the Country Commissioner for Data Protection and Freedom of Information in 70173 Stuttgart, Königstrasse 10 a.
Collection of access data and log files
We, or our hosting provider, shall, on the basis of our legitimate interests pursuant to point (f) of Art. 6(1) GDPR, collect data concerning every log in to the server this service is located on (the so-called server log files). The type of log in data includes the name of the accessed website, the file, date and time of access, the data volume transferred, the report that access has been successful, the type of browser and version of the same, the user’s operating system, the referral URL (the site one has previously visited), the IP address, and the requesting provider.
Log file information shall be stored for security reasons (e.g. in order to investigate cases of abuse or fraud) for a period of no longer than seven days, and subsequently erased. Data which has to be stored for evidentiary purposes shall be excluded from erasure until the relevant case has been solved.