Here you'll learn how your information is being kept safe backstage.
Privacy
I don’t know where I’m going from here, but I promise it won’t be boring.
David Bowie
Privacy Policy
Preamble
With the following privacy policy, we would like to inform you about the types of your personal data (hereinafter also referred to simply as "data") that we process, for what purposes, and to what extent. This privacy policy applies to all processing of personal data carried out by us, both in the course of providing our services and in particular on our websites, mobile applications, and within external online presences such as our social media profiles (hereinafter collectively referred to as the "online offering").
The terms used are not gender-specific.
Effective date: July 12, 2024
Table of Contents
- Preamble
- Controller
- Overview of Processing Activities
- Applicable Legal Bases
- Security Measures
- Transmission of Personal Data
- International Data Transfers
- General Information on Data Retention and Deletion
- Rights of Data Subjects
- Business Services
- Business Processes and Procedures
- Provision of the Online Offering and Web Hosting
- Use of Cookies
- Contact and Inquiry Management
- Video Conferences, Online Meetings, Webinars, and Screen Sharing
- Audio Content
- Cloud Services
- Web Analytics, Monitoring, and Optimization
- Social Media Presences
- Plug-ins and Embedded Features and Content
- Modifications and Updates
- Definitions of Terms
Controller
Katrin Terwiel
Psychotherapeutische Praxisgemeinschaft
Klosterstraße 18
48143 Münster
Germany
Authorized Representative: Katrin Terwiel
Email Address: office@katrin-terwiel.de
Phone: +49 (0) 157-7057 25 25
Overview of Processing Activities
The following overview summarizes the types of data processed, the purposes of their processing, and references the categories of data subjects concerned.
Types of Data Processed
- Inventory data.
- Payment data.
- Contact data.
- Content data.
- Contract data.
- Usage data.
- Meta, communication, and process data.
- Image and/or video recordings.
- Audio recordings.
- Log data.
- Creditworthiness data.
Special Categories of Data
- Health data.
Categories of Data Subjects
- Service recipients and clients.
- Employees.
- Interested parties.
- Communication partners.
- Users.
- Business and contractual partners.
- Patients.
- Depicted individuals.
- Third parties.
Purposes of Processing
- Provision of contractual services and fulfillment of contractual obligations.
- Communication.
- Security measures.
- Reach measurement.
- Office and organizational procedures.
- Organizational and administrative procedures.
- Feedback.
- Marketing.
- Profiles with user-related information.
- Provision of our online offering and user-friendliness.
- Assessment of credit standing and creditworthiness.
- Information technology infrastructure.
- Financial and payment management.
- Public relations.
- Sales promotion.
- Business processes and business management procedures.
Relevant Legal Bases
Relevant legal bases under the GDPR: Below you will find an overview of the legal bases under the General Data Protection Regulation (GDPR) on which we process personal data. Please note that, in addition to the provisions of the GDPR, national data protection regulations may apply in your country of residence or in our country of establishment. If more specific legal bases are applicable in individual cases, we will inform you of them in this privacy policy.
- Consent (Art. 6(1)(1)(a) GDPR) – The data subject has given their consent to the processing of their personal data for one or more specific purposes.
- Performance of a contract and pre-contractual inquiries (Art. 6(1)(1)(b) GDPR) – Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps prior to entering into a contract at the request of the data subject.
- Legal obligation (Art. 6(1)(1)(c) GDPR) – Processing is necessary for compliance with a legal obligation to which the controller is subject.
- Legitimate interests (Art. 6(1)(1)(f) GDPR) – Processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party, provided that such interests are not overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
National data protection regulations in Germany:
In addition to the provisions of the GDPR, national data protection regulations also apply in Germany. This includes, in particular, the Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG), which contains specific provisions on the right of access, the right to erasure, the right to object, the processing of special categories of personal data, processing for other purposes, as well as data transfer and automated decision-making on an individual basis, including profiling. Furthermore, data protection laws of individual federal states may also apply.
Reference to the applicability of the GDPR and the Swiss DPA:
This privacy notice is intended to provide information in accordance with both the Swiss Federal Act on Data Protection (FADP) and the General Data Protection Regulation (GDPR). For reasons of broader territorial applicability and clarity, the terminology of the GDPR is used throughout this document. Specifically, terms used in the Swiss FADP such as "processing" of "personal data", "overriding interest", and "particularly sensitive personal data" are replaced by the corresponding GDPR terms: "processing" of "personal data", "legitimate interest", and "special categories of data". However, within the scope of applicability of the Swiss FADP, the legal meaning of these terms remains governed by Swiss law.
Security Measures
We implement appropriate technical and organizational measures in accordance with legal requirements, taking into account the state of the art, implementation costs, the nature, scope, context, and purposes of processing, as well as the varying likelihood and severity of risks to the rights and freedoms of natural persons, in order to ensure a level of security appropriate to the risk.
These measures include, in particular, safeguarding the confidentiality, integrity, and availability of data by controlling physical and electronic access to the data, as well as access to the relevant input, transmission, availability, and separation of data. In addition, we have established procedures to ensure the exercise of data subject rights, the deletion of data, and responses to data threats. Furthermore, we consider the protection of personal data during the development or selection of hardware, software, and procedures in accordance with the principles of privacy by design and privacy by default.
IP Address Truncation:
Where IP addresses are processed by us or by service providers and technologies we use, and where the full IP address is not required for processing, the IP address is truncated (also known as "IP masking"). In this process, the last two digits or the final segment of the IP address after the last dot is removed or replaced with a placeholder. The purpose of truncating the IP address is to prevent or significantly hinder the identification of individuals based on their IP address.
Securing Online Connections with TLS/SSL Encryption (HTTPS):
To protect users’ data transmitted through our online services from unauthorized access, we use TLS/SSL encryption technology. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the foundations of secure data transmission on the internet. These technologies encrypt the information transmitted between the website or app and the user's browser (or between two servers), thereby protecting the data from unauthorized access. TLS, as the more advanced and secure version of SSL, ensures that all data transfers meet the highest security standards. When a website is secured with an SSL/TLS certificate, this is indicated by "HTTPS" in the URL. This serves as a signal to users that their data is being transmitted securely and in encrypted form.
Transfer of Personal Data
In the course of processing personal data, it may occur that such data is transferred to or disclosed to other entities, companies, legally independent organizational units, or individuals. Recipients of this data may include, for example, service providers tasked with IT responsibilities or providers of services and content integrated into a website. In such cases, we comply with the legal requirements and, in particular, enter into appropriate contracts or agreements with the recipients of your data to ensure the protection of your personal data.
International Data Transfers
Data Processing in Third Countries:
If we process data in a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)) or if such processing occurs in the context of using third-party services or disclosing or transferring data to other individuals, entities, or companies, this will only take place in accordance with legal requirements.
If the level of data protection in the third country has been recognized by an adequacy decision (Art. 45 GDPR), this decision serves as the legal basis for the data transfer. Otherwise, data transfers are carried out only if the data protection level is otherwise ensured, particularly through standard contractual clauses (Art. 46(2)(c) GDPR), explicit consent, or if the transfer is necessary for the performance of a contract or required by law (Art. 49(1) GDPR). In all other cases, we inform you of the legal basis for third-country transfers in relation to each specific provider based in a third country, whereby adequacy decisions are given priority.
Further information on data transfers to third countries and existing adequacy decisions can be found on the website of the European Commission:
https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection_en?prefLang=de
EU–US Trans-Atlantic Data Privacy Framework:
Under the so-called “Data Privacy Framework” (DPF), the European Commission has recognized the data protection level for certain U.S. companies as adequate by adequacy decision dated July 10, 2023. A list of certified companies and further information on the DPF can be found on the website of the U.S. Department of Commerce at https://www.dataprivacyframework.gov/ (in English). In this privacy policy, we will inform you which service providers used by us are certified under the Data Privacy Framework.
General Information on Data Retention and Deletion
We delete personal data we process in accordance with legal requirements, as soon as the underlying consent is withdrawn or no other legal basis for processing exists. This applies in cases where the original purpose of the processing no longer applies or the data is no longer needed. Exceptions to this rule apply if legal obligations or special interests require a longer retention or archiving period.
In particular, data that must be retained for commercial or tax law reasons, or data whose storage is necessary for legal enforcement or the protection of the rights of other natural or legal persons, must be archived accordingly.
Our privacy policy contains additional information on data retention and deletion that applies specifically to certain processing activities.
If multiple retention or deletion periods are stated for a given data type, the longest period shall always apply.
If a retention period does not explicitly begin on a specific date and is at least one year in duration, it shall automatically commence at the end of the calendar year in which the event triggering the period occurred. In the case of ongoing contractual relationships in which data is stored, the triggering event is the effective date of termination or other conclusion of the legal relationship.
Data that is no longer retained for its originally intended purpose but is instead stored due to legal obligations or other reasons will only be processed for the purposes that justify its continued retention.
Additional Information on Processing Activities, Procedures, and Services:
- Data Retention and Deletion: The following general retention and archiving periods apply in accordance with German law:
  - 10 years – Retention period for books and records, annual financial statements, inventories, management reports, opening balance sheets, and the work instructions and other organizational documents necessary for their understanding, as well as accounting vouchers and invoices (pursuant to § 147(3) in conjunction with § 147(1) Nos. 1, 4, and 4a of the German Fiscal Code (AO); § 14b(1) of the VAT Act (UStG); and § 257(1) Nos. 1 and 4, and § 257(4) of the German Commercial Code (HGB)).
  - 6 years – Retention period for other business documents: received commercial or business letters, copies of sent commercial or business letters, and other documents relevant for taxation, such as timesheets, internal cost allocation sheets, calculation documents, price tags, as well as payroll records (insofar as they are not already accounting vouchers) and cash register receipts (pursuant to § 147(3) in conjunction with § 147(1) Nos. 2, 3, and 5 of the German Fiscal Code (AO); and § 257(1) Nos. 2 and 3, and § 257(4) of the German Commercial Code (HGB)).
  - 3 years – Data necessary to consider potential warranty and compensation claims or similar contractual claims and rights, as well as to process related inquiries, are retained for the duration of the standard statutory limitation period of three years. This retention period is based on past business experience and common industry practices (pursuant to §§ 195, 199 of the German Civil Code (BGB)).
Rights of Data Subjects
Rights of Data Subjects under the GDPR: As a data subject, you are entitled to various rights under the GDPR, particularly as set out in Articles 15 to 21 GDPR:
- Right to Object: You have the right to object at any time, on grounds relating to your particular situation, to the processing of your personal data which is carried out on the basis of Article 6(1)(e) or (f) GDPR; this also applies to profiling based on these provisions.
If your personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data for such marketing; this also applies to profiling to the extent that it is related to such direct marketing.
- Right to Withdraw Consent: You have the right to withdraw any consent you have given at any time.
- Right of Access: You have the right to request confirmation as to whether personal data concerning you is being processed, and, if so, to obtain access to this data along with further information and a copy of the data, in accordance with legal requirements.
- Right to Rectification: In accordance with legal requirements, you have the right to request the completion of your personal data or the correction of inaccurate data concerning you.
- Right to Erasure and Restriction of Processing: In accordance with legal requirements, you have the right to request the immediate deletion of personal data concerning you. Alternatively, you may request the restriction of processing of your data, subject to the conditions laid down by law.
- Right to Data Portability: You have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used, and machine-readable format, or to request that it be transmitted to another controller, in accordance with legal requirements.
- Right to Lodge a Complaint with a Supervisory Authority: In accordance with legal requirements and without prejudice to any other administrative or judicial remedy, you also have the right to lodge a complaint with a data protection supervisory authority—particularly in the Member State of your habitual residence, place of work, or the place of the alleged infringement—if you believe that the processing of your personal data violates the GDPR.
Business Services
We process the data of our contractual and business partners—such as clients and prospective clients (collectively referred to as “contractual partners”)—within the scope of contractual and similar legal relationships, including related measures and communication with the contractual partners (including pre-contractual interactions), for example when responding to inquiries.
We use this data to fulfill our contractual obligations. This includes, in particular, providing the agreed services, fulfilling any update obligations, and addressing warranty claims or other service-related issues. Furthermore, we use the data to protect our rights and to carry out administrative tasks associated with these obligations, as well as for internal business organization purposes.
We also process this data based on our legitimate interests in proper and economically sound business management, and to implement security measures for protecting our contractual partners and our business operations from misuse, data breaches, or violations of confidentiality, information, and other rights (e.g., by involving telecommunications providers, logistics services, subcontractors, banks, tax and legal advisors, payment service providers, or financial authorities). In accordance with applicable laws, we share the data of our contractual partners with third parties only to the extent necessary for the purposes mentioned above or for compliance with legal obligations. Contractual partners will be informed of any further processing, such as for marketing purposes, within this privacy policy.
We inform contractual partners which data is necessary for the purposes outlined above prior to or during data collection—e.g., through online forms, specific labels (such as colors), symbols (e.g., asterisks), or directly in person.
We delete the data after the expiration of statutory warranty or comparable obligations, generally after four years, unless the data is stored in a customer account or must be retained longer for legal archiving purposes (e.g., typically ten years for tax reasons). Data that has been disclosed to us as part of a contract is deleted in accordance with the contract terms and, as a rule, after the end of the engagement.
- Types of Data Processed:
Inventory data (e.g., full name, residential address, contact information, customer number);
Payment data (e.g., bank details, invoices, payment history);
Contact data (e.g., postal and email addresses, telephone numbers);
Contract data (e.g., subject matter of the contract, term, customer category).
- Special Categories of Personal Data:
Health data.
- Data Subjects:
Service recipients and clients;
Interested parties;
Business and contractual partners.
- Purposes of Processing:
Provision of contractual services and fulfillment of contractual obligations;
Communication;
Office and organizational procedures;
Organizational and administrative procedures;
Business processes and business management procedures.
- Retention and Deletion:
Deletion is carried out in accordance with the information provided in the section "General Information on Data Retention and Deletion."
- Legal Bases:
Performance of a contract and pre-contractual inquiries (Art. 6(1)(1)(b) GDPR);
Legal obligation (Art. 6(1)(1)(c) GDPR);
Legitimate interests (Art. 6(1)(1)(f) GDPR).
Additional Information on Processing Activities, Procedures, and Services:
- Coaching: We process the data of our clients, as well as interested parties and other contracting or business partners (collectively referred to as “clients”), in order to provide them with our services. The procedures carried out within the scope and for the purposes of coaching include: contact and communication with clients, needs analysis to determine suitable coaching measures, planning and conducting coaching sessions, documentation of coaching progress, collection and management of client-specific information and data, scheduling and organization of appointments, provision of coaching materials and resources, billing and payment management, follow-up and review of coaching sessions, quality assurance and feedback processes.
The type, scope, purpose, and necessity of data processing depend on the underlying contractual and client relationship.
If it is necessary for the performance of the contract, to protect vital interests, required by law, or based on the client’s consent, we may disclose or transmit client data—complying with professional confidentiality requirements—to third parties or service providers, such as public authorities, billing agencies, or providers of IT, office, or similar services.
Legal basis: Performance of a contract and pre-contractual inquiries (Art. 6(1)(1)(b) GDPR).
- Therapeutic Services: We process the data of our clients, as well as interested parties and other contracting or business partners (collectively referred to as “clients”), in order to provide them with our services. The type, scope, purpose, and necessity of the data processed are determined by the underlying contractual and client relationship.
In the course of our activities, we may also process special categories of data, particularly information concerning the health of clients, possibly including data related to their sex life or sexual orientation, as well as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership. Where required, we obtain the clients' explicit consent and otherwise process special categories of data only if it serves the health of the clients, the data is publicly available, or other legal permissions apply.
If it is necessary for the performance of the contract, to protect vital interests, required by law, or based on the client’s consent, we may disclose or transmit client data—complying with professional confidentiality requirements—to third parties or service providers, such as public authorities, medical facilities, laboratories, billing agencies, or providers of IT, office, or similar services.
Legal basis: Performance of a contract and pre-contractual inquiries (Art. 6(1)(1)(b) GDPR).
Business Processes and Procedures
Personal data of service recipients and clients—including customers, patients, clients, or in specific cases, legal clients or business partners, as well as other third parties—is processed within the context of contractual or similar legal relationships and pre-contractual measures, such as the initiation of business relationships. This data processing supports and facilitates business operations in areas such as customer management, sales, payment transactions, accounting, and project management.
The collected data is used to fulfill contractual obligations and to design business processes efficiently. This includes handling business transactions, managing customer relationships, optimizing sales strategies, and ensuring internal accounting and financial procedures. In addition, the data helps safeguard the rights of the controller and supports administrative tasks and organizational management.
Personal data may be shared with third parties if necessary for the fulfillment of the above-mentioned purposes or to comply with legal obligations. Once statutory retention periods have expired or the purpose of the processing no longer applies, the data is deleted. This also includes data that must be retained for a longer period due to tax and legal documentation obligations.
- Types of Data Processed: Inventory data (e.g., full name, residential address, contact information, customer number, etc.); payment data (e.g., bank details, invoices, payment history); contact data (e.g., postal and email addresses or telephone numbers); content data (e.g., text or image-based messages and posts, as well as related information such as authorship or time of creation); contract data (e.g., subject matter of the contract, term, customer category); log data (e.g., log files relating to logins or data access times); usage data (e.g., page views and duration, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and features); creditworthiness data (e.g., received credit score, estimated probability of default, resulting risk classification, historical payment behavior); meta, communication, and process data (e.g., IP addresses, timestamps, identification numbers, involved individuals).
- Special Categories of Personal Data:
Health data.
- Data Subjects:
Service recipients and clients; interested parties; communication partners; business and contractual partners; third parties; users (e.g., website visitors, users of online services); patients; employees (e.g., staff, applicants, temporary workers, and other personnel).
- Purposes of Processing:
Provision of contractual services and fulfillment of contractual obligations; office and organizational procedures; business processes and business management procedures; communication; marketing; sales promotion; public relations; assessment of credit standing and creditworthiness; financial and payment management; information technology infrastructure (operation and provision of information systems and technical equipment such as computers, servers, etc.).
- Retention and Deletion:
Deletion is carried out in accordance with the information provided in the section "General Information on Data Retention and Deletion."
- Legal Bases:
Performance of a contract and pre-contractual inquiries (Art. 6(1)(1)(b) GDPR);
Legitimate interests (Art. 6(1)(1)(f) GDPR);
Legal obligation (Art. 6(1)(1)(c) GDPR).
Additional Information on Processing Activities, Procedures, and Services:
- Patient Management
Procedures required within the scope of patient management include, for example, the acquisition and intake of new patients, the development of strategies to promote patient retention, and ensuring effective patient communication and appointment scheduling. Additionally, comprehensive patient services are provided. These procedures also involve maintaining and managing patient records, securely documenting medical procedures, and ensuring the confidentiality and integrity of patient data. Furthermore, they regulate the sharing of patient information with other medical facilities or professionals. Procedures are implemented to ensure the secure and GDPR-compliant deletion of patient data once it is no longer needed or statutory retention periods have expired.
Legal bases: Performance of a contract and pre-contractual inquiries (Art. 6(1)(1)(b) GDPR), legal obligation (Art. 6(1)(1)(c) GDPR), legitimate interests (Art. 6(1)(1)(f) GDPR).
- Contact Management and Maintenance
Procedures required for organizing, maintaining, and securing contact information include, for example, the setup and maintenance of a centralized contact database, regular updates of contact details, monitoring data integrity, implementing data protection measures, ensuring access controls, performing backups and restorations of contact data, training employees in the effective use of contact management software, and regularly reviewing communication history and adjusting contact strategies.
Legal bases: Performance of a contract and pre-contractual inquiries (Art. 6(1)(1)(b) GDPR), legitimate interests (Art. 6(1)(1)(f) GDPR).
- General Payment Transactions
Procedures required for carrying out payment operations, monitoring bank accounts, and managing cash flows include, for example, the preparation and verification of transfers, processing of direct debits, reviewing account statements, monitoring incoming and outgoing payments, managing returned debits, account reconciliation, and cash management.
Legal bases: Performance of a contract and pre-contractual inquiries (Art. 6(1)(1)(b) GDPR), legitimate interests (Art. 6(1)(1)(f) GDPR).
- Accounting, Accounts Payable, Accounts Receivable
Procedures required for the recording, processing, and monitoring of business transactions in the areas of accounts payable and accounts receivable include, for example, the creation and verification of incoming and outgoing invoices, monitoring and managing outstanding items, executing payment transactions, handling dunning processes, and account reconciliation relating to receivables and payables, as well as managing accounts payable and receivable.
Legal bases: Performance of a contract and pre-contractual inquiries (Art. 6(1)(1)(b) GDPR), legal obligation (Art. 6(1)(1)(c) GDPR), legitimate interests (Art. 6(1)(1)(f) GDPR).
- Financial Accounting and Taxes
Procedures required for recording, managing, and controlling financial business transactions, as well as for calculating, reporting, and paying taxes, include, for example, account assignment and booking of business transactions, preparation of quarterly and annual financial statements, execution of payment transactions, handling of dunning processes, account reconciliation, tax consulting, preparation and submission of tax returns, and handling tax-related matters.
Legal bases: Performance of a contract and pre-contractual inquiries (Art. 6(1)(1)(b) GDPR), legal obligation (Art. 6(1)(1)(c) GDPR), legitimate interests (Art. 6(1)(1)(f) GDPR).
- Marketing, Advertising, and Sales Promotion
Procedures required in the context of marketing, advertising, and sales promotion include, for example, market analysis and target group identification, development of marketing strategies, planning and execution of advertising campaigns, design and production of promotional materials, online marketing including SEO and social media campaigns, event marketing and trade fair participation, customer loyalty programs, sales promotion measures, performance measurement and optimization of marketing activities, budget management, and cost control.
Legal basis: Legitimate interests (Art. 6(1)(1)(f) GDPR).
- Public Relations
Procedures required in the context of public relations and corporate communications include, for example, the development and implementation of communication strategies, planning and execution of PR campaigns, creation and distribution of press releases, media relations, monitoring and analysis of media coverage, organization of press conferences and public events, crisis communication, content creation for social media and corporate websites, and management of corporate branding.
Legal basis: Legitimate interests (Art. 6(1)(1)(f) GDPR).
Provision of the Online Offering and Web Hosting
We process users’ data in order to provide them with our online services. For this purpose, we process the user's IP address, which is necessary to transmit the content and functions of our online services to the user's browser or device.
- Types of Data Processed: Usage data (e.g., page views and session duration, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and features); meta, communication, and process data (e.g., IP addresses, timestamps, identification numbers, involved individuals); log data (e.g., log files related to logins, data access, or access times); content data (e.g., textual or visual messages and posts, as well as related information such as authorship or time of creation).
- Data Subjects: Users (e.g., website visitors, users of online services).
- Purposes of Processing: Provision of our online offering and user-friendliness; information technology infrastructure (operation and provision of information systems and technical equipment such as computers, servers, etc.); security measures.
- Retention and Deletion: Deletion is carried out in accordance with the information provided in the section "General Information on Data Retention and Deletion."
- Legal Basis: Legitimate interests (Art. 6(1)(1)(f) GDPR).
Additional Information on Processing Activities, Procedures, and Services:
- Provision of the Online Offering on Rented Hosting Space:
To provide our online offering, we use storage space, computing capacity, and software that we rent or otherwise obtain from a suitable server provider (also referred to as a "web host").
Legal basis: Legitimate interests (Art. 6(1)(1)(f) GDPR).
- Collection of Access Data and Log Files:
Access to our online offering is logged in the form of so-called "server log files." These server log files may include the address and name of the accessed web pages and files, date and time of access, amount of data transferred, messages about successful retrieval, browser type and version, the user's operating system, referrer URL (the previously visited page), and, as a rule, IP addresses and the requesting provider.
The server log files serve security purposes (e.g., to prevent server overload, especially in the event of abusive attacks, such as DDoS attacks), as well as to ensure the server’s load capacity and stability.
Legal basis: Legitimate interests (Art. 6(1)(1)(f) GDPR).
Deletion of data: Log file information is stored for a maximum of 30 days and then deleted or anonymized. Data that must be retained for evidentiary purposes is excluded from deletion until the respective incident has been finally clarified.
- Content Delivery Network (CDN):
We use a "Content Delivery Network" (CDN). A CDN is a service that enables faster and more secure delivery of content from an online offering—particularly large media files such as graphics or program scripts—via regionally distributed servers that are connected through the internet.
Legal basis: Legitimate interests (Art. 6(1)(1)(f) GDPR).
- ALL-INKL: Services in the field of providing information technology infrastructure and related services (e.g. storage space and/or computing capacity);
Service provider: ALL-INKL.COM - Neue Medien Münnich, Owner: René Münnich, Hauptstraße 68, 02742 Friedersdorf, Germany;
Legal basis: Legitimate interests (Art. 6(1)(1)(f) GDPR);
Website: https://all-inkl.com/
Privacy policy: https://all-inkl.com/datenschutzinformationen/
Data processing agreement: Provided by the service provider.
- Contao: Management of web content, user administration, creation and maintenance of websites, template customization, multilingual functionality, form generator, file management, search engine optimization;
Service provider: Operation on servers and/or computers under our own data protection responsibility.
Website: https://contao.org/
Use of Cookies
Cookies are small text files or other types of storage notes that store information on end devices and retrieve information from them. They are used, for example, to store the login status in a user account, the contents of a shopping cart in an e-shop, the content accessed, or the functions used within an online offering. Cookies may also be used for various other purposes, such as ensuring the functionality, security, and convenience of online offerings as well as for analyzing visitor traffic.
Notes on consent: We use cookies in accordance with legal requirements. Therefore, we obtain prior consent from users unless it is not required by law. Consent is not required in particular when storing and retrieving information, including cookies, is strictly necessary to provide users with a telemedia service (i.e., our online offering) that they have expressly requested. The revocable consent is clearly communicated to users and includes information about the respective use of cookies.
Notes on legal bases under data protection law: The legal basis on which we process users' personal data using cookies depends on whether we ask users for their consent. If users consent, the legal basis for processing their data is the declared consent. Otherwise, the data processed via cookies is based on our legitimate interests (e.g., in the commercial operation of our online offering and its usability improvement) or, if this occurs in the context of fulfilling our contractual obligations, when the use of cookies is necessary to meet our contractual obligations. We inform users about the purposes for which we use cookies in this privacy policy or as part of our consent and processing procedures.
Storage duration: With regard to storage duration, the following types of cookies are distinguished:
- Temporary cookies (also: session cookies): Temporary cookies are deleted at the latest after a user has left an online offering and closed their device (e.g., browser or mobile application).
- Permanent cookies: Permanent cookies remain stored even after the device has been closed. For example, the login status can be saved and preferred content displayed directly when the user revisits a website. User data collected via cookies may also be used for reach measurement. Unless we explicitly inform users of the type and storage duration of cookies (e.g., when obtaining consent), they should assume that the cookies are permanent and that the storage duration can be up to two years.
General information on withdrawal and objection (opt-out): Users can withdraw their consent at any time and may also object to the processing in accordance with legal requirements, including via the privacy settings of their browser.
- Types of data processed: Meta, communication and procedural data (e.g. IP addresses, timestamps, identification numbers, parties involved).
- Data subjects: Users (e.g. website visitors, users of online services).
- Legal basis: Legitimate interests (Art. 6(1)(1)(f) GDPR). Consent (Art. 6(1)(1)(a) GDPR).
Further information on processing operations, procedures and services:
- Processing of cookie data based on consent: We use a consent management solution to obtain users’ consent for the use of cookies or for the procedures and providers mentioned in the consent management solution. This procedure is used to obtain, log, manage, and revoke consent, particularly regarding the use of cookies and similar technologies employed to store, read, and process information on users’ devices. Within this framework, users' consents are collected for the use of cookies and the associated processing of information, including the specific processes and providers named in the consent management procedure. Users also have the option to manage and revoke their consents. The declarations of consent are stored to prevent repeated requests and to provide proof of consent in accordance with legal requirements. Storage takes place on the server side and/or in a cookie (so-called opt-in cookie) or by means of comparable technologies, in order to assign the consent to a specific user or their device. If no specific information is provided about the consent management service providers, the following general information applies: the consent is stored for up to two years. A pseudonymous user identifier is created and stored along with the time of consent, the scope of the consent (e.g. categories of cookies and/or service providers concerned), and information about the browser, system, and device used. Legal basis: Consent (Art. 6(1)(1)(a) GDPR).
- Cookiebot: Consent management procedure for obtaining, logging, managing, and revoking consent, particularly for the use of cookies and similar technologies for storing, reading, and processing information on users’ devices and related processing; service provider: Usercentrics A/S, Havnegade 39, 1058 Copenhagen, Denmark; website: https://www.cookiebot.com/de; privacy policy: https://www.cookiebot.com/de/privacy-policy/; data processing agreement: provided by the service provider; further information: stored data (on the service provider’s server): the user's IP address in anonymized form (the last three digits are set to 0), date and time of consent, browser information, the URL from which the consent was submitted, an anonymous, random, and encrypted key, the user's consent status.
Contact and request management
When contacting us (e.g. by post, contact form, email, telephone or via social media) as well as in the context of existing user and business relationships, the information provided by the inquiring persons is processed to the extent necessary to respond to the contact inquiries and any requested measures.
- Processed types of data: Inventory data (e.g. full name, residential address, contact information, customer number, etc.); contact data (e.g. postal and email addresses or telephone numbers); content data (e.g. textual or visual messages and posts as well as related information, such as authorship details or creation timestamp); usage data (e.g. page views and dwell time, click paths, intensity and frequency of use, device types and operating systems used, interactions with content and functions); meta, communication and procedural data (e.g. IP addresses, timestamps, identification numbers, involved persons).
- Data subjects: Communication partners.
- Purposes of processing: Communication; organizational and administrative procedures; feedback (e.g. collecting feedback via online form). Provision of our online offering and user-friendliness.
- Retention and deletion: Deletion is carried out in accordance with the information provided in the section "General Information on Data Retention and Deletion."
- Legal bases: Legitimate interests (Art. 6(1)(1)(f) GDPR). Performance of a contract and pre-contractual inquiries (Art. 6(1)(1)(b) GDPR).
Further information on processing activities, procedures, and services:
- Contact form: When contacting us via our contact form, email, or other communication channels, we process the personal data provided to us to respond to and handle the respective request. This generally includes information such as name, contact details, and, if applicable, other information shared with us that is necessary for appropriate handling. We use this data solely for the specified purpose of contact and communication; legal bases: performance of a contract and pre-contractual inquiries (Art. 6(1)(1)(b) GDPR), legitimate interests (Art. 6(1)(1)(f) GDPR).
- Contact Form 7: Management of contact requests and communication; service provider: Rock Lobster, LLC; legal basis: legitimate interests (Art. 6(1)(1)(f) GDPR); website: https://contactform7.com/. Further information: operation within own hosting environment.
Video conferences, online meetings, webinars, and screen sharing
We use platforms and applications from third-party providers (hereinafter referred to as "conference platforms") for the purpose of conducting video and audio conferences, webinars, and other types of video and audio meetings (hereinafter collectively referred to as "conferences"). When selecting conference platforms and their services, we comply with legal requirements.
Data processed by conference platforms: In the course of participating in a conference, the conference platforms process the personal data of participants as listed below. The scope of processing depends on which data is required for a specific conference (e.g., provision of access credentials or real names) and which optional information is provided by the participants. In addition to processing for conducting the conference, participants’ data may also be processed by the conference platforms for security purposes or service optimization. Processed data includes personal information (first name, last name), contact information (email address, phone number), access data (access codes or passwords), profile pictures, professional position/function, the IP address of the internet connection, details about participants’ devices, their operating systems, browsers and their technical and language settings, information on communication content such as chat inputs, audio and video data, as well as use of other available features (e.g., polls). Communication content is encrypted to the extent technically provided by the conference provider. If participants are registered users on the conference platforms, additional data may be processed according to the agreement with the respective provider.
Logging and recordings: If text inputs, participation results (e.g., from polls), or video or audio recordings are logged, participants will be informed transparently in advance and, where required, asked for consent.
Data protection measures for participants: Please refer to the conference platforms’ privacy notices for details on data processing. Choose the optimal security and privacy settings in the conference platform settings. Additionally, during a video conference, ensure data and privacy protection in your background (e.g., notify roommates, lock doors, use background blurring if technically possible). Links to conference rooms and access credentials must not be shared with unauthorized third parties.
Notes on legal bases: If, in addition to the conference platforms, we also process users’ data and request their consent for the use of the conference platforms or certain features (e.g., consent to recording conferences), the legal basis for processing is this consent. Furthermore, our processing may be necessary to fulfill our contractual obligations (e.g., in participant lists or in processing meeting results). Otherwise, users’ data is processed based on our legitimate interests in efficient and secure communication with our communication partners.
- Types of data processed: Inventory data (e.g., full name, residential address, contact information, customer number, etc.); contact data (e.g., postal and email addresses or telephone numbers); content data (e.g., textual or visual messages and posts as well as related information such as authorship details or creation timestamps); usage data (e.g., page views and dwell time, click paths, intensity and frequency of use, device types and operating systems used, interactions with content and functions); image and/or video recordings (e.g., photographs or video recordings of a person); audio recordings; log data (e.g., log files relating to logins or data retrieval or access times); meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved persons).
- Data subjects: Communication partners; users (e.g., website visitors, users of online services); depicted persons; service recipients and clients; interested parties.
- Purposes of processing: Provision of contractual services and fulfillment of contractual obligations; communication; office and organizational procedures.
- Retention and deletion: Deletion is carried out in accordance with the information provided in the section "General Information on Data Retention and Deletion."
- Legal bases: Legitimate interests (Art. 6(1)(1)(f) GDPR).
Further information on processing activities, procedures, and services:
- Cisco WebEx: Conference and communication software; service provider: Webex Communications Deutschland GmbH, Hansaallee 249, c/o Cisco Systems GmbH, 40549 Düsseldorf, parent company: Cisco Systems, Inc., 170 West Tasman Dr., San Jose, CA 95134, USA; legal basis: legitimate interests (Art. 6(1)(1)(f) GDPR); website: https://www.webex.com/de; privacy policy: https://www.cisco.com/c/de_de/about/legal/privacy-full.html. Basis for third-country transfers: Data Privacy Framework (DPF).
- Microsoft Teams: Audio and video conferences, chat, file sharing, integration with Office 365 applications, real-time collaboration on documents, calendar functions, task management, screen sharing, optional recording; service provider: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland; legal basis: legitimate interests (Art. 6(1)(1)(f) GDPR); website: https://www.microsoft.com/de-de/microsoft-365; privacy policy: https://privacy.microsoft.com/de-de/privacystatement; security information: https://www.microsoft.com/de-de/trustcenter. Basis for third-country transfers: Data Privacy Framework (DPF).
- Meetergo: Appointment booking and management, automatic calendar synchronization, custom booking pages, real-time notifications; service provider: meetergo GmbH, Hansaring 61, 50670 Cologne, Germany; legal basis: legitimate interests (Art. 6(1)(1)(f) GDPR); website: https://meetergo.com/; privacy policy: https://meetergo.com/datenschutz.
- Zoom: Conference and communication software; service provider: Zoom Video Communications, Inc., 55 Almaden Blvd., Suite 600, San Jose, CA 95113, USA; legal basis: legitimate interests (Art. 6(1)(1)(f) GDPR); website: https://zoom.us; privacy policy: https://explore.zoom.us/docs/de-de/privacy-and-legal.html; data processing agreement: https://zoom.us/docs/de-de/privacy-and-legal.html (referred to as Global DPA). Basis for third-country transfers: Data Privacy Framework (DPF).
- Google Hangouts / Meet: Conference and communication software; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; legal basis: legitimate interests (Art. 6(1)(1)(f) GDPR); website: https://hangouts.google.com/; privacy policy: https://policies.google.com/privacy; data processing agreement: https://cloud.google.com/terms/data-processing-addendum. Basis for third-country transfers: Data Privacy Framework (DPF).
Audio content
We use hosting services from providers to offer our audio content for listening and download. For this purpose, we use platforms that enable uploading, storing, and distributing audio material.
- Types of data processed: Usage data (e.g., page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved persons); log data (e.g., log files relating to logins or data retrieval or access times).
- Data subjects: Users (e.g., website visitors, users of online services).
- Purposes of processing: Reach measurement (e.g., access statistics, identification of returning visitors); user-related profiling (creation of user profiles); provision of our online offering and user-friendliness; conversion measurement (measurement of marketing effectiveness).
- Retention and deletion: Deletion is carried out in accordance with the information provided in the section "General Information on Data Retention and Deletion."
- Legal basis: Legitimate interests (Art. 6(1)(1)(f) GDPR).
Further information on processing activities, procedures, and services:
- Apple Podcasts: Podcast hosting and statistical analysis of podcast plays; service provider: Apple Inc., Infinite Loop, Cupertino, CA 95014, USA; website: https://www.apple.com/de/apple-podcasts/; privacy policy: https://www.apple.com/de/legal/privacy/.
- Spotify: Podcast hosting, publication and management of podcast content, analysis of listening behavior and statistics, monetization options for podcasters; service provider: Spotify AB, Regeringsgatan 19, SE-111 53 Stockholm, Sweden; legal basis: legitimate interests (Art. 6(1)(1)(f) GDPR); website: https://podcasters.spotify.com/; privacy policy: https://www.spotify.com/de/legal/privacy-policy/.
Cloud services
We use software services accessible via the internet and operated on the servers of their providers (so-called "cloud services," also referred to as "software as a service") for storing and managing content (e.g., document storage and management, exchanging documents, content, and information with specific recipients, or publishing content and information).
In this context, personal data may be processed and stored on the providers’ servers insofar as it is part of communication processes with us or otherwise processed by us as outlined in this privacy policy. This data may include, in particular, master data and contact details of users, data related to transactions, contracts, other processes, and their contents. The providers of cloud services also process usage data and metadata, which they use for security purposes and service optimization.
If we use cloud services to provide forms or other documents and content for other users or publicly accessible websites, the providers may store cookies on users’ devices for web analytics purposes or to remember user settings (e.g., in the case of media controls).
- Types of data processed: Inventory data (e.g., full name, residential address, contact information, customer number, etc.); contact data (e.g., postal and email addresses or telephone numbers); content data (e.g., textual or visual messages and posts as well as related information such as authorship details or creation timestamps); usage data (e.g., page views and dwell time, click paths, intensity and frequency of use, device types and operating systems used, interactions with content and functions); meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved persons).
- Data subjects: Interested parties; communication partners; business and contractual partners; users (e.g., website visitors, users of online services).
- Purposes of processing: Office and organizational procedures; information technology infrastructure (operation and provision of information systems and technical equipment such as computers, servers, etc.); provision of our online offering and user-friendliness.
- Retention and deletion: Deletion is carried out in accordance with the information provided in the section "General Information on Data Retention and Deletion."
- Legal basis: Legitimate interests (Art. 6(1)(1)(f) GDPR).
Further information on processing activities, procedures, and services:
- Microsoft cloud services: cloud storage, cloud infrastructure services, and cloud-based application software; service provider: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland; legal basis: legitimate interests (Art. 6(1)(1)(f) GDPR); website: https://microsoft.com/de-de; privacy statement: https://privacy.microsoft.com/de-de/privacystatement; security information: https://www.microsoft.com/de-de/trustcenter; data processing agreement: https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA; basis for third-country transfers: Data Privacy Framework (DPF).
- Proton Drive: Secure storage and management of files, encryption of user data, sharing files with others, access to files across multiple devices; service provider: Proton AG, Route de la Galaise 32, 1228 Plan-les-Ouates, Switzerland; legal basis: legitimate interests (Art. 6(1)(1)(f) GDPR); website: https://proton.me/de/drive; privacy policy: https://proton.me/de/legal/privacy; data processing agreement: provided by the service provider. Basis for third-country transfers: adequacy decision (Switzerland).
Web analytics, monitoring, and optimization
Web analytics (also referred to as "reach measurement") is used to analyze visitor traffic on our online offering and may include behavior, interests, or demographic information about visitors, such as age or gender, as pseudonymous values. With the help of reach analysis, we can, for example, determine when our online offering or its functions or content are most frequently used, or invite users to revisit. It also allows us to identify areas in need of optimization.
In addition to web analytics, we may also use testing procedures to test and optimize different versions of our online offering or its components.
Unless otherwise stated below, profiles—i.e., data aggregated for a usage event—may be created for these purposes, and information may be stored in and read from a browser or device. The collected data includes visited websites and used elements as well as technical information such as the browser used, the computer system, and usage times. If users have consented to the collection of their location data by us or the providers of the services we use, processing of location data is also possible.
Furthermore, users’ IP addresses are stored. However, we use an IP masking procedure (i.e., pseudonymization by shortening the IP address) to protect users. Generally, no clear personal data of users (such as email addresses or names) is stored in connection with web analytics, A/B testing, and optimization; pseudonyms are stored instead. This means that neither we nor the providers of the software used know the actual identity of the users, but only the data stored in their profiles for the respective purposes.
Notes on legal bases: If we ask users for their consent to the use of third-party providers, the legal basis for data processing is consent. Otherwise, user data is processed based on our legitimate interests (i.e., interest in efficient, economical, and user-friendly services). In this context, we also refer you to the information on the use of cookies in this privacy policy.
- Types of data processed: Usage data (e.g., page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved persons).
- Data subjects: Users (e.g., website visitors, users of online services).
- Purposes of processing: Reach measurement (e.g., access statistics, identification of returning visitors); user-related profiling (creation of user profiles); provision of our online offering and user-friendliness.
- Retention and deletion: Deletion is carried out in accordance with the information provided in the section "General Information on Data Retention and Deletion." Cookies may be stored for up to 2 years (unless otherwise stated, cookies and similar storage methods may be stored on users' devices for a period of two years).
- Security measures: IP masking (pseudonymization of IP address).
- Legal bases: Consent (Art. 6(1)(1)(a) GDPR). Legitimate interests (Art. 6(1)(1)(f) GDPR).
Further information on processing activities, procedures, and services:
- Google Analytics: We use Google Analytics to measure and analyze the usage of our online offering based on a pseudonymous user identification number. This identification number does not contain any identifiable data such as names or email addresses. It serves to assign analytical information to a device to recognize which content users have accessed during one or multiple usage sessions, which search terms they used, revisited, or interacted with in our online offering. The time and duration of use, as well as the sources referring users to our online offering and technical details of their devices and browsers, are also stored.
Pseudonymous user profiles are created from information across different devices, where cookies may be used. Google Analytics does not log or store individual IP addresses for EU users. However, Analytics provides coarse geographic location data derived from IP address metadata: city (and the derived latitude and longitude of the city), continent, country, region, subcontinent (and ID-based equivalents). For EU traffic, IP address data is used exclusively for deriving geolocation data before being immediately deleted. It is not logged, accessible, or used for other purposes. When Google Analytics collects measurement data, all IP queries are performed on EU-based servers before traffic is forwarded to Analytics servers for processing.
Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland;
Legal basis: Consent (Art. 6(1)(1)(a) GDPR);
Website: https://marketingplatform.google.com/intl/de/about/analytics/;
Security measures: IP masking (pseudonymization of IP address);
Privacy policy: https://policies.google.com/privacy;
Data processing agreement: https://business.safety.google/adsprocessorterms/;
Basis for third-country transfers: Data Privacy Framework (DPF);
Opt-out options: Opt-out plugin: https://tools.google.com/dlpage/gaoptout?hl=de, Ad personalization settings: https://myadcenter.google.com/personalizationoff.
Further information: https://business.safety.google/adsservices/ (types of processing and data processed).
- Matomo (without cookies): Matomo is a privacy-friendly web analytics software that is used without cookies and recognizes returning users through a so-called "digital fingerprint," which is stored anonymously and changed every 24 hours. The "digital fingerprint" captures user movements within our online offering using pseudonymized IP addresses combined with user-side browser settings in such a way that conclusions about the identity of individual users are not possible. The data collected through the use of Matomo is processed solely by us and not shared with third parties; legal basis: legitimate interests (Art. 6(1)(1)(f) GDPR). Website: https://matomo.org/.
- digistats: digistats is a privacy-friendly web analytics software used without cookies, which recognizes returning users through a so-called "digital fingerprint" that is stored anonymously and changed every 24 hours. The "digital fingerprint" captures user movements within our online offering using pseudonymized IP addresses combined with user-side browser settings in such a way that conclusions about the identity of individual users are not possible. The data collected through the use of digistats is processed solely by us and not shared with third parties; legal basis: legitimate interests (Art. 6(1)(1)(f) GDPR); service provider: digistats Analytics Ltd, Marktgasse 24, CH - 5620 Bremgarten AG; website: https://digistats.de; privacy policy: https://digistats.de/pages/datenschutz.
Presences in social networks (social media)
We maintain online presences within social networks and process user data in this context to communicate with users active there or to provide information about us.
Please note that user data may be processed outside the territory of the European Union. This may pose risks for users, for example, because enforcing user rights could be more difficult.
Furthermore, user data within social networks is generally processed for market research and advertising purposes. For example, user profiles may be created based on usage behavior and resulting user interests. These profiles may then be used to display advertisements inside and outside the networks that presumably match users’ interests. Therefore, cookies are usually stored on users’ devices, recording their usage behavior and interests. Additionally, data may be stored in usage profiles independent of the devices used by users (especially if they are members of the respective platforms and logged in there).
For a detailed description of the respective processing activities and options to object (opt-out), we refer to the privacy policies and information provided by the operators of the respective networks.
In the case of requests for information and assertion of data subject rights, we also point out that these can be most effectively asserted directly with the providers. Only they have access to the user data and can take appropriate measures and provide information directly. If you still need assistance, you may contact us.
- Types of data processed: Contact data (e.g., postal and email addresses or telephone numbers); content data (e.g., textual or visual messages and posts as well as related information such as authorship details or creation timestamps); usage data (e.g., page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions).
- Data subjects: Users (e.g., website visitors, users of online services).
- Purposes of processing: Communication; feedback (e.g., collecting feedback via online form); public relations.
- Retention and deletion: Deletion is carried out in accordance with the information provided in the section "General Information on Data Retention and Deletion."
- Legal basis: Legitimate interests (Art. 6(1)(1)(f) GDPR).
Further information on processing activities, procedures, and services:
- LinkedIn: Social network – Together with LinkedIn Ireland Unlimited Company, we are responsible for the collection (but not the further processing) of data from visitors, which is used for the creation of “Page Insights” (statistics) for our LinkedIn profiles. This data includes information about the types of content users view or interact with, actions taken by them, information about the devices used by users (e.g., IP addresses, operating system, browser type, language settings, cookie data), and details from users’ profiles such as job function, country, industry, hierarchy level, company size, and employment status. Privacy information about the processing of user data by LinkedIn can be found in LinkedIn’s privacy policy: https://www.linkedin.com/legal/privacy-policy.
We have entered into a specific agreement with LinkedIn Ireland ("Page Insights Joint Controller Addendum (the ‘Addendum’)", https://legal.linkedin.com/pages-joint-controller-addendum), which regulates, among other things, the security measures LinkedIn must observe and in which LinkedIn agrees to comply with data subject rights (i.e., users can directly request information or deletion from LinkedIn). Users’ rights (particularly to information, deletion, objection, and complaints to the competent supervisory authority) are not limited by the agreements with LinkedIn. The joint responsibility is limited to the collection of data by and transmission to Ireland Unlimited Company, an EU-based company. Further processing of data is the sole responsibility of Ireland Unlimited Company, particularly with regard to data transfer to the parent company LinkedIn Corporation in the USA.
Service provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland;
Legal basis: Legitimate interests (Art. 6(1)(1)(f) GDPR);
Website: https://www.linkedin.com;
Privacy policy: https://www.linkedin.com/legal/privacy-policy;
Basis for third-country transfers: Data Privacy Framework (DPF);
Opt-out option: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.
Plugins and embedded functions and content
We embed functional and content elements in our online offering that are obtained from the servers of their respective providers (hereinafter referred to as "third-party providers"). These may include, for example, graphics, videos, or maps (hereinafter collectively referred to as "content").
Embedding always requires that the third-party providers of this content process the users’ IP addresses, as without the IP address they could not send the content to the users’ browsers. The IP address is therefore necessary for displaying this content or functionality. We strive to use only such content whose providers use the IP address solely for delivering the content. Third-party providers may also use so-called pixel tags (invisible graphics, also called "web beacons") for statistical or marketing purposes. Pixel tags can be used to evaluate information such as visitor traffic on the pages of this website. The pseudonymous information can also be stored in cookies on the users’ devices and may contain, among other things, technical information about the browser and operating system, referring websites, visit times, and other data about the use of our online offering, and may be combined with such information from other sources.
Notes on legal bases: If we ask users for their consent to the use of third-party providers, the legal basis for data processing is consent. Otherwise, user data is processed based on our legitimate interests (i.e., interest in efficient, economical, and user-friendly services). In this context, we also refer you to the information on the use of cookies in this privacy policy.
- Types of data processed: Usage data (e.g., page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved persons).
- Data subjects: Users (e.g., website visitors, users of online services).
- Purposes of processing: Provision of our online offering and user-friendliness; provision of contractual services and fulfillment of contractual obligations.
- Retention and deletion: Deletion is carried out in accordance with the information provided in the section "General Information on Data Retention and Deletion." Cookies may be stored for up to 2 years (unless otherwise stated, cookies and similar storage methods may be stored on users’ devices for a period of two years).
- Legal bases: Consent (Art. 6(1)(1)(a) GDPR); legitimate interests (Art. 6(1)(1)(f) GDPR).
Further information on processing activities, procedures, and services:
- Google Fonts (retrieval from Google servers): Retrieval of fonts (and icons) for the purpose of technically secure, maintenance-free, and efficient use of fonts and icons regarding up-to-dateness and loading times, uniform display, and consideration of possible licensing restrictions. The provider of the fonts receives the user’s IP address to deliver the fonts to the user’s browser. Additionally, technical data (language settings, screen resolution, operating system, hardware used) necessary for providing the fonts depending on the devices used and the technical environment are transmitted. These data may be processed on a server of the font provider in the USA. When visiting our online offering, users’ browsers send their HTTP requests to the Google Fonts Web API (i.e., a software interface for retrieving fonts). The Google Fonts Web API provides users with the Cascading Style Sheets (CSS) of Google Fonts and subsequently the fonts specified in the CSS. These HTTP requests include (1) the IP address used by the respective user to access the internet, (2) the requested URL on the Google server, and (3) the HTTP headers, including the user agent that describes the browser and operating system versions of the website visitors, as well as the referrer URL (i.e., the website on which the Google font is to be displayed). IP addresses are neither logged nor stored on Google servers and are not analyzed. The Google Fonts Web API logs details of the HTTP requests (requested URL, user agent, and referrer URL). Access to this data is restricted and strictly controlled. The requested URL identifies the font families for which the user wants to load fonts. This data is logged so that Google can determine how often a particular font family is requested. The user agent is needed to adapt the font that is generated for the respective browser type in the Google Fonts Web API. The user agent is primarily logged for debugging and used to generate aggregated usage statistics that measure the popularity of font families. These aggregated usage statistics are published on the “Analytics” page of Google Fonts. Finally, the referrer URL is logged so that the data can be used for production maintenance and to generate an aggregated report on the top integrations based on the number of font requests. According to Google’s own statements, none of the information collected by Google Fonts is used to create profiles of end users or to deliver targeted advertising.
Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland;
Legal basis: Legitimate interests (Art. 6(1)(1)(f) GDPR);
Website: https://fonts.google.com/;
Privacy policy: https://policies.google.com/privacy;
Basis for third-country transfers: Data Privacy Framework (DPF);
Further information: https://developers.google.com/fonts/faq/privacy?hl=de.
- reCAPTCHA: We integrate the "reCAPTCHA" function to determine whether inputs (e.g., in online forms) are made by humans and not by automated machines (so-called "bots"). The data processed may include IP addresses, information about operating systems, devices or browsers used, language settings, location, mouse movements, keystrokes, time spent on websites, previously visited websites, interactions with reCAPTCHA on other websites, possibly cookies, and results of manual recognition processes (e.g., answering posed questions or selecting objects in images). Data processing is based on our legitimate interest in protecting our online offering against abusive automated crawling and spam. Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Legitimate interests (Art. 6(1)(1)(f) GDPR); Website: https://www.google.com/recaptcha/; Privacy policy: https://policies.google.com/privacy; Basis for third-country transfers: Data Privacy Framework (DPF). Opt-out options: Opt-out plugin: https://tools.google.com/dlpage/gaoptout?hl=de, Ad personalization settings: https://myadcenter.google.com/personalizationoff.
- Font Awesome (retrieval from the provider’s server): Retrieval of fonts (as well as icons) for the purpose of technically secure, maintenance-free, and efficient use of fonts and icons regarding up-to-dateness and loading times, uniform display, and consideration of possible licensing restrictions. The provider of the fonts receives the user’s IP address to deliver the fonts to the user’s browser. Additionally, technical data (language settings, screen resolution, operating system, hardware used) necessary for providing the fonts depending on the devices used and the technical environment are transmitted; service provider: Fonticons, Inc., 6 Porter Road Apartment 3R, Cambridge, MA 02140, USA; legal basis: legitimate interests (Art. 6(1)(1)(f) GDPR); website: https://fontawesome.com/; privacy policy: https://fontawesome.com/privacy.
Changes and updates
We ask you to regularly inform yourself about the content of our privacy policy. We adjust the privacy policy as soon as changes in the data processing activities we carry out make this necessary. We will inform you as soon as the changes require an action on your part (e.g., consent) or any other individual notification.
If we provide addresses and contact information of companies and organizations in this privacy policy, please note that these addresses may change over time, and we ask you to verify the information before making contact.
Definitions of terms
This section provides an overview of the terminology used in this privacy policy. Where the terms are legally defined, their legal definitions apply. The following explanations are primarily intended to aid understanding.
- Employees: Employees are persons who are in an employment relationship, whether as staff, employees, or in similar positions. An employment relationship is a legal relationship between an employer and an employee established by an employment contract or agreement. It involves the employer’s obligation to pay remuneration while the employee provides their work performance. The employment relationship includes various phases, including initiation (when the employment contract is concluded), execution (when the employee performs their work), and termination (when the employment relationship ends, whether by dismissal, termination agreement, or otherwise). Employee data comprises all information relating to these persons in the context of their employment. This includes aspects such as personal identification data, identification numbers, salary and bank details, working hours, vacation entitlements, health data, and performance evaluations.
- Inventory data: Inventory data includes essential information necessary for identifying and managing contractual partners, user accounts, profiles, and similar assignments. This data may include personal and demographic details such as names, contact information (addresses, phone numbers, email addresses), dates of birth, and specific identifiers (user IDs). Inventory data forms the basis for any formal interaction between individuals and services, institutions, or systems by enabling unique assignment and communication.
- Content data: Content data includes information generated in the course of creating, editing, and publishing all types of content. This category of data may include texts, images, videos, audio files, and other multimedia content published across various platforms and media. Content data is not limited to the actual content itself but also includes metadata that provides information about the content, such as tags, descriptions, author information, and publication dates.
- Contact data: Contact data is essential information that enables communication with individuals or organizations. This includes, among other things, telephone numbers, postal addresses, and email addresses, as well as communication means such as social media handles and instant messaging identifiers.
- Conversion measurement: Conversion measurement (also called "visitor action analysis") is a method used to determine the effectiveness of marketing measures. Typically, a cookie is stored on users’ devices within the websites where the marketing takes place and then retrieved again on the target website. For example, this allows us to track whether ads placed by us on other websites were successful.
- Meta, communication, and procedural data: Meta, communication, and procedural data are categories that contain information about how data is processed, transmitted, and managed. Metadata, also known as data about data, includes information describing the context, origin, and structure of other data. They may include details such as file size, creation date, document author, and revision history. Communication data capture the exchange of information between users over various channels, such as email traffic, call logs, messages in social networks, and chat histories, including the involved persons, timestamps, and transmission paths. Procedural data describe processes and workflows within systems or organizations, including workflow documentation, logs of transactions and activities, as well as audit logs used for tracking and verifying operations.
- Usage data: Usage data refers to information that captures how users interact with digital products, services, or platforms. This data includes a wide range of information showing how users use applications, which features they prefer, how long they stay on certain pages, and the paths they take through an application. Usage data may also include frequency of use, timestamps of activities, IP addresses, device information, and location data. It is particularly valuable for analyzing user behavior, optimizing user experiences, personalizing content, and improving products or services. Additionally, usage data plays a crucial role in identifying trends, preferences, and potential problem areas within digital offerings.
- Personal data: "Personal data" means any information relating to an identified or identifiable natural person (hereinafter "data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g., cookie), or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
- Profiles with user-related information: The processing of "profiles with user-related information," or simply "profiles," includes any form of automated processing of personal data that involves using this personal data to analyze, evaluate, or predict certain personal aspects relating to a natural person (depending on the type of profiling, this may include different information regarding demographics, behavior, and interests, such as interaction with websites and their content, etc.). Cookies and web beacons are often used for profiling purposes.
- Log data: Log data are information about events or activities that have been recorded in a system or network. This data typically includes information such as timestamps, IP addresses, user actions, error messages, and other details about the use or operation of a system. Log data is often used for analyzing system problems, security monitoring, or generating performance reports.
- Reach measurement: Reach measurement (also known as web analytics) serves to evaluate visitor traffic on an online offering and may include visitors’ behavior or interests regarding certain information, such as website content. Using reach analysis, operators of online offerings can determine when users visit their websites and which content interests them. This enables them to better tailor website content to the needs of their visitors. For reach analysis purposes, pseudonymous cookies and web beacons are often used to recognize returning visitors and obtain more accurate analyses of the use of an online offering.
- Controller: The "controller" is the natural or legal person, authority, institution, or other body that alone or jointly with others determines the purposes and means of processing personal data.
- Processing: "Processing" means any operation or set of operations performed on personal data, whether or not by automated means. The term is broad and encompasses virtually any handling of data, including collection, evaluation, storage, transmission, or deletion.
- Contract data: Contract data are specific information relating to the formalization of an agreement between two or more parties. They document the conditions under which services or products are provided, exchanged, or sold. This category of data is essential for managing and fulfilling contractual obligations and includes both the identification of the contracting parties and the specific terms and conditions of the agreement. Contract data may include the start and end dates of the contract, the type of agreed services or products, price agreements, payment terms, termination rights, renewal options, and special conditions or clauses. They serve as the legal basis for the relationship between the parties and are crucial for clarifying rights and duties, enforcing claims, and resolving disputes.
- Payment data: Payment data includes all information necessary to process payment transactions between buyers and sellers. This data is crucial for e-commerce, online banking, and any other form of financial transaction. It includes details such as credit card numbers, bank account information, payment amounts, transaction dates, verification numbers, and invoice information. Payment data may also include information about payment status, chargebacks, authorizations, and fees.