Categories of Data Subjects

• Communication partners.
• Users (e.g., website visitors, users of online services).

Purposes of Processing

• Marketing.
• Contact inquiries and communication.
• Profiles with user-related information (creation of user profiles).

Relevant Legal Bases

Below you will find an overview of the GDPR legal bases on which we base the processing of personal data. Please note that in addition to the provisions of the GDPR, national data protection regulations of your or our country of residence or domicile may apply. Should more specific legal bases be relevant in individual cases, we will inform you of these in the privacy policy.

• Consent (Art. 6 (1) sentence 1 lit. a GDPR) – The data subject has given their consent to the processing of their personal data for one or more specific purposes.
• Contractual performance and pre-contractual inquiries (Art. 6 (1) sentence 1 lit. b GDPR) – Processing is necessary for the performance of a contract to which the data subject is a party or for the implementation of pre-contractual measures taken at the request of the data subject.
• Legitimate interests (Art. 6 (1) sentence 1 lit. f GDPR) – Processing is necessary to protect the legitimate interests of the controller or a third party, unless the interests or fundamental rights and freedoms of the data subject, which require protection of personal data, prevail.

National data protection regulations in Germany: In addition to the data protection regulations of the General Data Protection Regulation, national data protection regulations apply in Germany. This includes, in particular, the Act on Protection against Misuse of Personal Data in Data Processing (Federal Data Protection Act – BDSG). The BDSG contains, in particular, special provisions on the right to information, the right to erasure, the right of objection, the processing of special categories of personal data, processing for other purposes, and transmission and automated decision-making in individual cases, including profiling.

Furthermore, it regulates data processing for the purposes of the employment relationship (Section 26 BDSG), particularly with regard to the establishment, implementation, or termination of employment relationships and the consent of employees. Furthermore, state data protection laws of the individual federal states may apply.

Security Measures

In accordance with legal requirements and taking into account the state of the art, implementation costs, and the nature, scope, circumstances, and purposes of processing as well as the different probabilities of occurrence and the extent of the threat to the rights and freedoms of natural persons, we implement appropriate technical and organizational measures to ensure a level of protection appropriate to the risk.

These measures include, in particular, safeguarding the confidentiality, integrity, and availability of data by controlling physical and electronic access to the data as well as the access, input, transfer, safeguarding of availability, and separation of the data. Furthermore, we have established procedures to ensure the exercise of data subject rights, the deletion of data, and responses to data threats. We also take into account the protection of personal data during the development or selection of hardware, software, and procedures in accordance with the principle of data protection by design and by default.

Transfer of Personal Data

In the course of our processing of personal data, it may happen that the data is transferred to other bodies, companies, legally independent organizational units, or persons, or disclosed to them. Recipients of this data may include, for example, service providers tasked with IT duties or providers of services and content that are integrated into a website. In such cases, we comply with legal requirements and, in particular, conclude appropriate contracts or agreements with the recipients of your data that serve to protect your data.

Data Processing in Third Countries

If we process data in a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)) or if processing takes place in the context of the use of third-party services or disclosure or transfer of data to other persons, bodies, or companies, this is done only in accordance with legal requirements.

Subject to explicit consent or transmission required by contract or law, we process or allow the data to be processed only in third countries with a recognized level of data protection, on the basis of contractual obligations through so-called standard data protection clauses of the EU Commission, in the presence of certifications, or binding internal data protection regulations (Art. 44 to 49 GDPR, information page of the EU Commission:

https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection_de

Use of Cookies

Cookies are text files that contain data from visited websites or domains and are stored by a browser on the user’s computer. A cookie primarily serves to store information about a user during or after their visit within an online offering. The stored information can include, for example, language settings on a website, login status, a shopping cart, or the point at which a video was watched. We also include in the term cookies other technologies that fulfill the same functions as cookies (e.g., when user information is stored based on pseudonymous online identifiers, also referred to as “user IDs”).

The following cookie types and functions are distinguished:

• Temporary cookies (also: session cookies): Temporary cookies are deleted at the latest after a user has left an online offering and closed their browser.
• Permanent cookies: Permanent cookies remain stored even after the browser is closed. For example, the login status can be saved or preferred content can be displayed directly when the user visits a website again. Likewise, users’ interests, which are used for reach measurement or marketing purposes, can be stored in such a cookie.
• First-party cookies: First-party cookies are set by us.
• Third-party cookies: Third-party cookies are mainly used by advertisers (so-called third parties) to process user information.
• Necessary (also: essential or strictly necessary) cookies: Cookies can be absolutely necessary for the operation of a website (e.g., to save logins or other user inputs, or for security reasons).
• Statistics, marketing, and personalization cookies: Cookies are generally also used for reach measurement and when a user’s interests or behavior (e.g., viewing certain content, using functions, etc.) are stored in a user profile on individual websites. Such profiles are used to display content to users that corresponds to their potential interests. This procedure is also referred to as “tracking”, i.e., tracking the potential interests of users. Insofar as we use cookies or “tracking” technologies, we will inform you separately in our privacy policy or as part of obtaining consent.

Notes on legal bases: The legal basis on which we process your personal data with the help of cookies depends on whether we ask you for consent. If this is the case and you consent to the use of cookies, the legal basis for processing your data is the declared consent. Otherwise, the data processed with the help of cookies is processed on the basis of our legitimate interests (e.g., in the economical operation of our online offering and its improvement) or, if the use of cookies is necessary, to fulfill our contractual obligations.

Storage period: Unless we provide you with explicit information about the storage period of permanent cookies (e.g., as part of a so-called cookie opt-in), please assume that the storage period can be up to two years.

General information on withdrawal and objection (opt-out): Depending on whether processing is based on consent or on legal permission, you have the option at any time to withdraw given consent or to object to the processing of your data by means of cookie technologies (summarized as “opt-out”). You can first declare your objection using your browser settings, e.g., by deactivating the use of cookies (which may also restrict the functionality of our online offering).

An objection to the use of cookies for online marketing purposes can also be declared via a variety of services, especially in the case of tracking, via the websites https://optout.aboutads.info and https://www.youronlinechoices.com/. In addition, you can obtain further information on objections within the information on the service providers and cookies used.

Processing of cookie data on the basis of consent: We use a cookie consent management procedure in which users’ consents to the use of cookies or the processing and providers mentioned as part of the cookie consent management procedure can be obtained, managed, and revoked by users. The declaration of consent is stored so that it does not have to be queried again and to be able to prove consent in accordance with legal obligations. Storage can take place server-side and/or in a cookie (so-called opt-in cookie or using comparable technologies) in order to be able to assign the consent to a user or their device.

Subject to individual information on providers of cookie management services, the following notes apply: The storage period of the consent can be up to two years. A pseudonymous user identifier is formed and stored together with the time of consent, information on the scope of consent (e.g., which categories of cookies and/or service providers) as well as the browser, system, and device used.

• Types of data processed: Usage data (e.g., websites visited, interest in content, access times), meta/communication data (e.g., device information, IP addresses).
• Data subjects: Users (e.g., website visitors, users of online services).
• Legal bases: Consent (Art. 6 (1) sentence 1 lit. a GDPR), legitimate interests (Art. 6 (1) sentence 1 lit. f GDPR).

Provision of the Online Offer and Web Hosting

In order to provide our online offering securely and efficiently, we use the services of one or more web hosting providers from whose servers (or servers managed by them) the online offering can be accessed. For these purposes, we may use infrastructure and platform services, computing capacity, storage space and database services, as well as security services and technical maintenance services.

The data processed in the context of providing the hosting offering can include all information relating to the users of our online offering, which accrues in the context of use and communication. This regularly includes the IP address, which is necessary to deliver the content of online offerings to browsers, and all entries made within our online offering or on websites.

Collection of access data and log files: We ourselves (or our web hosting provider) collect data on each access to the server (so-called server log files). The server log files can include the address and name of the retrieved websites and files, date and time of retrieval, transferred data volumes, report on successful retrieval, browser type and version, the user’s operating system, referrer URL (the previously visited page), and, as a rule, IP addresses and the requesting provider.

The server log files can be used for security purposes, e.g., to avoid overloading the servers (especially in the case of abusive attacks, so-called DDoS attacks), and on the other hand, to ensure the load and stability of the servers.

• Types of data processed: Content data (e.g., entries in online forms), usage data (e.g., websites visited, interest in content, access times), meta/communication data (e.g., device information, IP addresses).
• Data subjects: Users (e.g., website visitors, users of online services).
• Legal bases: Legitimate interests (Art. 6 (1) sentence 1 lit. f GDPR).

Contacting Us

When contacting us (e.g., via contact form, email, telephone, or via social media), the information provided by the inquiring persons is processed to the extent necessary to respond to the contact inquiries and any requested measures.

Responses to contact inquiries within the context of contractual or pre-contractual relationships are provided to fulfill our contractual obligations or to respond to (pre-)contractual inquiries and otherwise on the basis of legitimate interests in responding to inquiries.

Types of data processed: Inventory data (e.g., names, addresses), contact data (e.g., email, telephone numbers), content data (e.g., entries in online forms).

Data subjects: Communication partners.

Purposes of processing: Contact inquiries and communication.

Legal bases: Contractual performance and pre-contractual inquiries (Art. 6 (1) sentence 1 lit. b GDPR), legitimate interests (Art. 6 (1) sentence 1 lit. f GDPR).

Online Marketing

We process personal data for the purposes of online marketing, which may include, in particular, the marketing of advertising space or the display of advertising and other content (collectively referred to as “content”) based on the potential interests of users as well as the measurement of their effectiveness.

For these purposes, so-called user profiles are created and stored in a file (so-called “cookie”) or similar procedures are used, by means of which the information relevant to the display of the aforementioned content is stored about the user. This information can include, for example, viewed content, visited websites, used online networks, but also communication partners and technical information such as the browser used, the computer system used, and information on usage times. If users have consented to the collection of their location data, these can also be processed.

Users’ IP addresses are also stored. However, we use available IP masking procedures (i.e., pseudonymization by shortening the IP address) to protect users. In general, no clear data of users (such as email addresses or names) are stored within the scope of online marketing procedures, but rather pseudonyms. That means that neither we nor the providers of the online marketing procedures know the actual identity of the users, but only the information stored in their profiles.

The information in the profiles is generally stored in cookies or by means of similar procedures. These cookies can later generally also be read on other websites that use the same online marketing procedure, analyzed for the purpose of displaying content, and supplemented with further data and stored on the server of the provider of the online marketing procedure.

In exceptional cases, clear data can be assigned to the profiles. This is the case if, for example, users are members of a social network whose online marketing procedure we use and the network links the users’ profiles with the aforementioned information. We ask you to note that users can make additional agreements with the providers, e.g., by consenting during registration.

We generally only have access to aggregated information about the success of our advertisements. However, as part of so-called conversion measurements, we can check which of our online marketing procedures have led to a so-called conversion, i.e., for example, to the conclusion of a contract with us. Conversion measurement is used solely to analyze the success of our marketing measures.

Unless otherwise stated, please assume that the cookies used are stored for a period of two years.

Notes on legal bases: If we ask users for their consent to the use of third-party providers, the legal basis for the processing of data is consent. Otherwise, users’ data is processed on the basis of our legitimate interests (i.e., interest in efficient, economical, and recipient-friendly services). In this context, we also refer you to the information on the use of cookies in this privacy policy.

• Types of data processed: Usage data (e.g., websites visited, interest in content, access times), meta/communication data (e.g., device information, IP addresses).
• Data subjects: Users (e.g., website visitors, users of online services).

• Purposes of processing: Marketing, profiles with user-related information (creation of user profiles).
• Security measures: IP masking (pseudonymization of the IP address).
• Legal bases: Consent (Art. 6 (1) sentence 1 lit. a GDPR), legitimate interests (Art. 6 (1) sentence 1 lit. f GDPR).
• Right to object (opt-out): We refer to the privacy notices of the respective providers and the opt-out options specified for the providers (so-called “opt-out”). If no explicit opt-out option has been specified, there is, on the one hand, the possibility that you disable cookies in your browser settings. However, this may restrict functions of our online offering. We therefore additionally recommend the following opt-out options, which are offered collectively for the respective regions: a) Europe: https://www.youronlinechoices.eu. b) Canada: https://www.youradchoices.ca/choices. c) USA: https://www.aboutads.info/choices. d) Cross-regional: https://optout.aboutads.info.

Services and Service Providers Used:

• Google Analytics: Online marketing and web analytics; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; Website: https://marketingplatform.google.com/intl/de/about/analytics/; Privacy Policy: https://policies.google.com/privacy; Opt-out: Opt-out plugin: https://tools.google.com/dlpage/gaoptout?hl=de, settings for the display of advertising: https://adssettings.google.com/authenticated.

Deletion of Data

The data we process will be deleted in accordance with legal requirements as soon as the consents permitting their processing are withdrawn or other permissions lapse (e.g., if the purpose of processing this data no longer applies or it is no longer necessary for the purpose).

If the data is not deleted because it is required for other and legally permissible purposes, its processing will be restricted to these purposes. That is, the data will be blocked and not processed for other purposes. This applies, for example, to data that must be retained for commercial or tax law reasons or whose storage is necessary for the establishment, exercise, or defense of legal claims or to protect the rights of another natural or legal person.

Within the scope of our privacy notices, we can provide users with further information on deletion and retention of data that applies specifically to the respective processing processes.

Amendment and Update of the Privacy Policy

Please inform yourself regularly about the content of our privacy policy. We adapt the privacy policy as soon as changes in the data processing carried out by us make this necessary. We will inform you as soon as the changes require an act of cooperation on your part (e.g., consent) or another individual notification.

If we provide addresses and contact information of companies and organizations in this privacy policy, please note that the addresses may change over time; please verify the information before contacting.

Rights of Data Subjects

As a data subject, you have various rights under the GDPR, which result in particular from Art. 15 to 21 GDPR:

• Right to object: You have the right, for reasons arising from your particular situation, to object at any time to the processing of your personal data which is based on Art. 6 (1) lit. e or f GDPR; this also applies to profiling based on these provisions. If your personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data for such marketing; this also applies to profiling insofar as it is related to such direct marketing.
• Right to withdraw consent: You have the right to withdraw consents at any time.
• Right of access: You have the right to request confirmation as to whether data concerning you is being processed and to obtain information about this data as well as further information and a copy of the data in accordance with legal requirements.
• Right to rectification: You have the right, in accordance with legal requirements, to request the completion of data concerning you or the correction of incorrect data concerning you.
• Right to erasure and restriction of processing: You have the right, in accordance with legal requirements, to request that data concerning you be deleted without undue delay, or alternatively, in accordance with legal requirements, to request restriction of the processing of the data.
• Right to data portability: You have the right to receive data concerning you, which you have provided to us, in a structured, commonly used, and machine-readable format in accordance with legal requirements, or to request its transmission to another controller.
• Complaint to a supervisory authority: In accordance with legal requirements and without prejudice to any other administrative or judicial remedy, you also have the right to lodge a complaint with a data protection supervisory authority, in particular a supervisory authority in the Member State in which you usually reside, the supervisory authority of your workplace, or the place of the alleged infringement, if you consider that the processing of personal data relating to you infringes the GDPR.

Definitions

This section provides an overview of the terminology used in this privacy policy. Many of the terms are taken from the law and are defined in particular in Art. 4 GDPR. The legal definitions are binding. The following explanations, on the other hand, are intended primarily to aid understanding. The terms are listed in alphabetical order.

• IP masking: “IP masking” refers to a method in which the last octet, i.e., the last two numbers of an IP address, is deleted so that the IP address can no longer serve to uniquely identify a person. IP masking is therefore a means of pseudonymizing processing procedures, particularly in online marketing.
• Personal data: “Personal data” means any information relating to an identified or identifiable natural person (hereinafter “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g., cookie), or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
• Profiles with user-related information: The processing of “profiles with user-related information”, or “profiles” for short, includes any type of automated processing of personal data that consists of using this personal data to analyze, evaluate, or predict certain personal aspects relating to a natural person (depending on the type of profiling, this may include various information regarding demographics, behavior, and interests, such as interaction with websites and their content, etc.). Cookies and web beacons are frequently used for profiling purposes.
• Controller: “Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
• Processing: “Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means. The term is broad and covers practically any handling of data, whether the collection, evaluation, storage, transmission, or deletion.