THOST Projektmanagement Data Privacy Notice
Welcome to the website of THOST Projektmanagement GmbH. Data protection and the protection of your personal rights are of great importance to us. On this page we would like to inform you about which data THOST processes and for what purposes. If you have any questions or suggestions regarding our privacy policy, please do not hesitate to contact us.
Contents
2. Responsible and Data Protection Officer
3. Compact overview
4. Legal Basis for Processing Personal Data
5. Data Subjects Rights under the General Data Protection Regulation
6. External Hosting
7. Automatic server log files
8. Use of cookies
9. Cookie Consent Management
10. Data Processing in the Context of Communication and Contact
11. Information for Applicants
12. CRM System Salesforce
13. Direct Marketing
14. Audio and Video Conferencing with MS Teams
15. Analytics Tools and Advertising
16. Plugins and Tools on our Website
17. Our Social Media Presence
18. Additional Data Protection Information for our Business Partners
1. Preface and selected terms
On the one hand, this data protection declaration informs visitors and users of our website about the online data processing operations in which personal data is processed. On the other hand, you will receive information about our processing operations, which do not primarily take place online.
- GDPR stands for the European General Data Protection Regulation.
- BDSG is an abbreviation for the Federal Data Protection Act in its current version.
- Personal data is all individual information that allows conclusions to be drawn about a natural person (for definition, see Art. 4 Para. 1 GDPR). This includes, for example, names, email addresses, telephone numbers, but also data such as IP addresses or customer numbers.
- The processing of personal data includes all processes, such as the collection, storage, transmission, archiving or deletion of personal data (definition Art. 4 Para. 2 GDPR).
- The data subject within the meaning of data protection law is any natural person whose personal data is processed.
- Further definitions of terms can be found in the General Data Protection Regulation, which can be found in Art. 4 of the GDPR (definitions).
2. Responsible and Data Protection Officer
Responsible for Data Processing
THOST Projektmanagement GmbH
Villinger Straße 6
75179 Pforzheim
Phone: +49 7231 1560-0
Fax: +49 7231 1560-90
E-mail: info@thost.de
Data Protection Officer
DPO External Data Protection Officer Stuttgart
Fabian Henkel
Diplom-Betriebswirt (FH)
Certified Data Protection Officer
Phone: +49(0)176 32744172
Email: info@externer-datenschutzbeauftragter-stuttgart.de
Web: https://www.externer-datenschutzbeauftragter-stuttgart.de
3. Compact overview
The following content gives you a brief overview of the processing of personal data; more detailed information can be found in the passages presented in detail.
Security on our Website
Our website is equipped with a TLS certificate, which is used to encrypt data transmission processes. This happens, for example, when you send us a message via a form. However, as a precaution, we would like to point out that 100% security in electronic data processing is not possible and that there is always a residual risk.
Data that you transmit to us
On this page, we process the data that you enter yourself, for example in a form. In this case, the purpose of processing results from the type of form and, on the other hand, from this data protection declaration. Even if, for example, you send us a message by email or otherwise contact us, we process your data in accordance with the purpose of the contact.
Server Log Files
On the other hand, our server automatically records all accesses and thus also IP addresses (log files); this serves to ward off attacks, analyze access numbers and ensure smooth operation.
Use of Cookies
Cookies help us to provide various services; further information can be found in this data protection declaration.
Analysis and Tracking Tools
In addition to the pure server log files, which also provide us with information about page views, we use analysis tools. These tools give us detailed insights into the content visited on our site, the flow of behavior and, for example, the country from which access took place. Such services require cookies or comparable technologies to function.
Plugins and content delivery networks
We use plugins and content delivery networks. If such services are integrated via a website, access data is transmitted to the services. Typically this is your IP address and other metadata, such as time and date of access.
Newsletter / direct marketing
Direct marketing to existing customers in the legitimate interest
We reserve the right to send our customers newsletters on the basis of Section 7 Paragraph 3 UWG and Art. 6 Para. 1 lit. f of the GDPR. You can of course object to receiving direct marketing information at any time.
Other data recipients
Data Transfer within the Corporate Group
In the THOST Group, we process data on common systems and for common purposes. This is done on the basis of shared responsibility within the framework of legitimate interests.
Use of Data Processores
We have commissioned data processors in accordance with the requirements of Art. 28 GDPR, for example in the areas of IT services, web hosting or email hosting. These companies process personal data according to our instructions.
Use of Specialist Services
If necessary, we pass on your data to, for example, banks, shipping service providers, our tax advisor or lawyer.
Legal Obligations
We are subject to legal obligations, such as commercial laws or tax laws, in this context we must pass on certain data, for example, to tax authorities.
Investigation of Crimes
If necessary to secure our interests, we pass on data to the law enforcement authorities.
General Information on Deletion Periods of Personal Data
We process the data as long as necessary for the respective purpose. As a rule we process your personal data for the duration of our business relationship, which includes the initiation and processing of a contract; further we are obliged to comply with statutory retention requirements. If data processing is based on your consent, we will delete your data after your revocation.
Transfer of Personal Data to a Third Country
Where possible, we try to have all service providers and services provided by providers within the European Union. A transfer to a third country is possible if you have given us your consent and / or we have concluded a contract for order processing in accordance with Art. 28 GDPR, taking into account suitable guarantees. In individual cases, we use plugins or tools that are hosted in third countries on the basis of our legitimate interests or your consent. In these cases, we will point this out where applicable.
Obligation to provide personal data
You are free to decide whether you provide personal data on our website for specific purposes. To carry out legal transactions, the provision of personal data is contractually required.
4. Legal Basis for Processing Personal Data
The legal bases for the processing of personal data are exceptional circumstances that allow the processing of personal data. The essential legal bases are shown in particular in Art. 6 GDPR. The legal basis on which we process personal data is described in the individual processing operations in this data protection declaration.
Consent (Art. 6 Para. 1 lit. a GDPR)
Consent is one of these legal bases and requires that the person giving consent gives it in an informed manner and on a voluntary basis. Consent based on Art. 6 Para. 1 lit a GDPR can generally be revoked at any time without giving reasons.
Data Processing within contractual purposes (Art. 6 Para. 1 lit. b GDPR)
The processing of personal data to initiate or implement contracts is also a legal basis and is defined in Art. 6 Para. 1 lit. b GDPR.
Legal Obligations (Art. 6 Para. 1 lit. c GDPR)
The exception to data processing based on a legal obligation can be found in Art. 6 Para. 1 lit. c GDPR, for example we are obliged to comply with certain retention periods according to commercial law and tax law.
Legitimate Interests (Art. 6 Para. 1 lit. f GDPR)
The processing of personal data based on a balancing of interests in accordance with Art. 6 Para. 1 lit. f GDPR allows processing after careful weighing of financial or legal interests against the legitimate interests of the data subject.
5. Data Subjects Rights under the General Data Protection Regulation
Every natural person has certain rights, which are defined in particular in Articles 15 to 21 and 77 of the GDPR. In principle, you have the following rights that you can assert against us.
Right to revoke your consent in accordance with Art. 7 GDPR
You can revoke your consent to us at any time without giving reasons with effect for the future.
Right to information according to Art. 15 GDPR (restrictions possible according to Section 34 BDSG)
You have the right at any time to request information about the data you process and the purposes of the processing.
Right to rectification according to Art. 16 GDPR
If you discover that we are processing incorrect or incomplete data about you, you have the right to rectification.
Right to deletion according to Art. 17 GDPR (restrictions possible according to § 35 BDSG)
You have the right to request the erasure of your personal data that we process at any time. If complete erasure is not possible, for example because we have to comply with statutory retention obligations or we can assert legitimate interests for other reasons, we will restrict your data until these reasons no longer apply.
Right to restriction of processing according to Art. 18 GDPR
You have the right to request the restriction of the processing of your personal data. You can contact us at any time at the address given in the legal notice. The right to restriction of processing exists in the following cases:
- If you dispute the accuracy of the personal data we hold about you, we will generally need time to verify this. For the duration of the review, you have the right to request that the processing of your personal data be restricted.
- If the processing of your personal data was/is occurring unlawfully, you can request that data processing be restricted instead of deletion.
- If we no longer need your personal data, but you need it for the exercise, defense or assertion of legal claims, you have the right to request the restriction of the processing of your personal data instead of deletion.
- If you have lodged an objection in accordance with Art. 21 Para. 1 GDPR, a balance must be made between your interests and ours. As long as it is not yet clear whose interests prevail, you have the right to request that the processing of your personal data be restricted.
- If you have restricted the processing of your personal data, this data – apart from its storage – may only be used with your consent or to assert, exercise or defend legal claims or to protect the rights of another natural or legal person or for reasons of important public interest of the European Union or a member state.
Right to data portability pursuant to Art. 20 GDPR
You have the right to have data that we process automatically on the basis of your consent or in fulfillment of a contract handed over to you or to a third party in a common, machine-readable format. If you request the direct transfer of the data to another controller, this will only be done insofar as it is technically feasible.
Right to object to certain processing operations and direct advertising in accordance with Art. 21 GDPR
If data processing is carried out on the basis of Art. 6 para. 1 lit. e or f GDPR, you have the right to object to the processing of your personal data at any time for reasons arising from your particular situation; this also applies to profiling based on these provisions. The respective legal basis on which processing is based can be found in this privacy policy. If you object, we will no longer process your personal data concerned unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or the processing serves the establishment, exercise or defense of legal claims (objection pursuant to Art. 21 (1) GDPR).
If your personal data is processed for the purpose of direct advertising, you have the right to object at any time to the processing of personal data concerning you for the purpose of such advertising; This also applies to profiling insofar as it is connected to such direct advertising. If you object, your personal data will no longer be used for direct advertising purposes (objection according to Art. 21 Para. 2 GDPR).
Right to lodge a complaint with a supervisory authority in accordance with Art. 77 GDPR in conjunction with In accordance with Section 19 BDSG
In the event of violations of the GDPR, those affected have the right to lodge a complaint with a supervisory authority, in particular in the member state of their habitual residence, their place of work or the place of the alleged violation. The right to lodge a complaint exists without prejudice to any other administrative or judicial remedies.
6. External Hosting
This website is hosted externally. The personal data collected on this website is stored on the server(s) of the host(s). This can include IP addresses, contact requests, meta and communication data, contract data, contact details, names, website access and other data generated via a website.
External hosting is carried out for the purpose of fulfilling the contract with our potential and existing customers (Art. 6 Para. 1 lit. b GDPR) and in the interest of a secure, fast and efficient provision of our online offering by a professional provider (Art. 6 Para. 1 lit. f GDPR). If appropriate consent has been requested, processing is carried out exclusively on the basis of Art. 6 Para. 1 lit. a GDPR, insofar as the consent requires the storage of cookies or access to information on the user’s end device (e.g . B. Device fingerprinting). Consent can be revoked at any time.
We use the following hoster
IONOS SE
Elgendorfer Str. 57
56410 Montabaur
Data Processing Agreement
We have concluded a Data Processing Agreement with Microsoft. This is a contract required by data protection law, which ensures that we only process the personal data of our website visitors in accordance with our instructions and in compliance with the GDPR.
7. Automatic server log files
Our web server automatically logs all access and thus also the IP addresses of visitors. This serves to defend against attacks, analyze access numbers and ensure smooth operation. We have a legitimate interest in this (Art. 6 lit. f GDPR).
In addition to the IP address, the server log usually records other metadata about the session; you can find this data below.
- Date and time of retrieval
- Information about the browser type and version browser used
- Information about the operating system used
- Device (client)
- Referrer URL (via which page you landed on our site)
- Hyperlinks accessed
We only process this data for the purposes mentioned above. We delete server log files after six months at the latest.
10. Data Processing in the Context of Communication and Contact
Message via contact form (integrated via Salesforce CRM)
You have the option of sending us messages via the contact form. We process the data that you enter in the data entry mask. Mandatory fields are marked and must be completed. The purpose of data processing is to process your request and, if necessary, to contact you afterwards. The legal basis for the processing of the data entered in the contact form is generally based on your consent (Art. 6 para. 1 lit. a GDPR). You can revoke your consent at any time in the future without giving us any reasons. In addition, we process your data for the initiation or execution of contracts, for example if you ask us product-related questions (Art. 6 para. 1 lit. b GDPR).
Inquiries from the contact form are saved directly in our CRM Salesforce (see below).
We store the transmitted data until the purpose of data storage is achieved or you revoke your consent. Please note that the process may be subject to legal retention periods. In this case, we will restrict your data from further processing until it expires.
Communication via email
If you send us an email, we will process your data in accordance with the content and purpose of the message. As a rule, the processing is carried out on the basis of pre-contractual measures or in the context of the execution of a contractual relationship on the basis of Art. 6 para. 1 lit. b GDPR and Art. 6 para. 1 lit. f. GDPR. It is in our legitimate interest to process your request quickly and efficiently.
If it is a product or service-related message, we generally process your data on the basis of our legitimate interests in accordance with Art. 6 para. 1 lit. b GDPR.
Please note that we store all incoming e-mails in accordance with the principles of proper accounting and the statutory retention periods. Therefore, if you request us to delete the data, we will henceforth restrict your data for processing and only store it for the purpose of complying with retention periods in our legitimate interest.
Communication by telephone or fax
Even if you contact us by telephone or fax, we process your data either to initiate and execute contractual relationships (if the content is product- or service-related) and/or in our legitimate interest, analogous to contacting us by e-mail. We do not record the content of conversations, but we may take notes to process your request. We store these until the purpose of the data processing has been achieved.
11. Information for Applicants
Data Protection Regulations within Job Applications
If you apply to us, whether for an advertised position or on your own initiative, we process your data to carry out the selection process. It is irrelevant to us whether you apply by post, by e-mail or, if available for the respective position, by online form.
Use of the OnlyFy Platform
If you apply using the online form, the application process is carried out via the OnlyFy application manager, which is provided by New Work SE, Am Strandkai 1, 20457 Hamburg. After calling up the application manager, you will find additional data protection information.
Scope of Processing
As a matter of principle, we only process the data that you yourself have transmitted to us as part of an application procedure. Other sources may be consulted after informing and consulting with you. For example, whether we may contact a former employer. The legal basis for the implementation of an application procedure is §26 BDSG in conjunction with Art. 6 para. 1 lit. b GDPR (initiation of an employment contract). If you give us your consent to store your data for a longer period of time, this is done on the legal basis of Art. 6 para. 1 lit. a GDPR.
Deletion periods for applicant data
We delete applicant data a maximum of months after the end of the application process (once a candidate has been selected and all applicants have been informed of the outcome). The purpose of the data processing is generally no longer given with the end of the selection process, but we have a legitimate interest (Art. 6 para. 1 lit. f GDPR) in being able to defend ourselves against any claims by rejected applicants. If you have the impression that your interests in immediate deletion outweigh our interests, you have the option of requesting us to do so. We will then review your request and provide you with feedback.
Your data will be deleted after the above-mentioned period has expired, unless we have to defend ourselves in ongoing proceedings, for example due to a complaint under the General Equal Treatment Act. In this case, we will delete your data once the proceedings have been concluded, provided that there are no statutory retention periods.
If we are permitted to store your data for a longer period of time on the basis of your consent, we will delete your data if you request us to do so and revoke your consent. If necessary, we will also delete your data before you withdraw your consent if it is foreseeable that no position will be available.
Inclusion in our applicant pool
If we are currently unable to offer you a job, we may ask you for your consent to continue storing your data. This serves the purpose of offering you a suitable position in the future. The legal basis for the processing of your data in our applicant pool is your consent (Art. 6 Para. 1 lit. a GDPR). Of course, you can revoke your consent at any time with future effect. If you do not revoke your consent yourself within a period of two years, we will delete your data from our applicant pool at the latest.
12. CRM System Salesforce
Personal data that you have provided to us through a contact request or direct business relationship is processed and maintained by us using a customer relationship management system (CRM system).
We use Salesforce Sales Cloud from the provider salesforce.com Germany GmbH, Erika-Mann-Str. 31, 80636 Munich (hereinafter “Salesforce”).
Salesforce Sales Cloud is a CRM system and enables us, among other things, to manage existing and potential customers and customer contacts and to organize sales and communication processes. The use of the CRM system also enables us to analyze our customer-related processes. The customer data is stored on Salesforce’s servers. Personal data may also be transmitted to the parent company of salesforce.com Germany GmbH, salesforce.com inc., Salesforce Tower, 415 Mission Street, San Francisco, CA 94105, USA.
Details on the functions of Salesforce Sales Cloud can be found here: https://www.salesforce.com/de/products/sales-cloud/overview/.
The use of Salesforce Sales Cloud is based on Art. 6 Para. 1 lit. f GDPR. We have a legitimate interest in customer management and customer communication being as efficient as possible. If consent has been requested, processing will be carried out exclusively on the basis of Art. 6 Para. 1 lit. a GDPR and Section 25 Para. 1 TDDDG, insofar as the consent includes the storage of cookies or access to information on the user’s device (e.g. device fingerprinting) within the meaning of the TDDDG. Consent can be revoked at any time.
Salesforce has Binding Corporate Rules (BCR) approved by the French data protection authority. These are binding internal company regulations that legitimize the internal transfer of data to third countries outside the EU and the EEA. You can find details here: https://compliance.salesforce.com/en/salesforce-bcrs.
For details, see Salesforce’s privacy policy: https://www.salesforce.com/de/company/privacy/.
The company is certified in accordance with the “EU-US Data Privacy Framework” (DPF). The DPF is an agreement between the European Union and the USA that is intended to ensure compliance with European data protection standards for data processing in the USA. Every company certified under the DPF undertakes to comply with these data protection standards. Further information on this can be obtained from the provider at the following link: https://www.dataprivacyframework.gov/participant/5959.
Data Processing Agreement
We have concluded a Data Processing Agreement with Microsoft. This is a contract required by data protection law, which ensures that we only process the personal data of our website visitors in accordance with our instructions and in compliance with the GDPR.
13. Direct Marketing
Direct Marketing to existing Customers in Legitimate Interests
We reserve the right to use the data collected as part of a contract for direct advertising by e-mail or post in accordance with Section 7 (3) of the German Act Against Unfair Competition (UWG) if the customer does not object to this use or has not objected to it. Direct advertising only includes offers for similar products or services to those already purchased from us by the user.
We use your data for up to five years after the last legal transaction for direct marketing purposes in the legitimate interest.
We have a legitimate economic interest (Art. 6 para. 1 lit. f GDPR) in informing our customers about new products and improving our services. Of course, you can object to receiving direct advertising at any time. Please address your objection to the controller named above. You will also find information in each newsletter on how you can assert your objection.
We use the CRM Salesforce (see above) to send newsletters.
14. Audio and Video Conferencing with MS Teams
We use the Microsoft Teams tool for communication. The provider is Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland. Details on data processing can be found in the Microsoft Teams privacy policy: https://privacy.microsoft.com/de-de/privacystatement.
Microsoft Teams processes all data that you provide/use to use the tools (email address and/or your telephone number). The conference tools also process the duration of the conference, start and end (time) of participation in the conference, number of participants and other “contextual information” related to the communication process (metadata).
Furthermore, the provider of the tool processes all technical data that is necessary to process online communication. This includes in particular IP addresses, MAC addresses, device IDs, device type, operating system type and version, client version, camera type, microphone or speaker as well as the type of connection.
If content is exchanged, uploaded or made available in any other way within the tool, it will also be stored on the tool provider’s servers. Such content includes, but is not limited to, cloud recordings, chat/instant messages, photos and videos uploaded to voicemails, files, whiteboards and other information shared while using the Service.
Please note that we do not have full influence on the data processing operations of the tools used. Our options depend largely on the corporate policy of the respective provider. Further information on data processing by the conference tools can be found in the data protection declarations of the tools used, which we have listed below this text.
Purpose and legal basis
We use Microsoft Teams to communicate with prospective or existing contractual partners or to offer certain services to our customers (Art. 6 Para. 1 lit. b GDPR). Furthermore, the use of the tools serves to generally simplify and accelerate communication with us or our company (legitimate interest within the meaning of Art. 6 Para. 1 lit. f GDPR). If consent has been requested, the relevant tools will be used on the basis of this consent; consent can be revoked at any time with effect for the future.
Storage duration
The data we collect directly via the video and conference tools will be deleted from our systems as soon as you request us to delete it, revoke your consent to storage or the purpose for data storage no longer applies. Saved cookies remain on your device until you delete them. Mandatory statutory retention periods remain unaffected.
We have no influence on the storage period of your data, which is stored by the operators of the conference tools for their own purposes. For details, please contact the operators of the conference tools directly.
Data Processing Agreement
We have concluded a Data Processing Agreement with Microsoft. This is a contract required by data protection law, which ensures that we only process the personal data of our website visitors in accordance with our instructions and in compliance with the GDPR.
15. Analytics Tools and Advertising
Google Tag Manager
We use the Google Tag Manager. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
The Google Tag Manager is a tool that we can use to integrate tracking or statistics tools and other technologies on our website. The Google Tag Manager itself does not create user profiles, does not store cookies and does not carry out any independent analyses. It is only used to manage and display the tools integrated through it. However, the Google Tag Manager records your IP address, which can also be transferred to Google’s parent company in the United States.
The Google Tag Manager is used on the basis of Art. 6 Para. 1 lit. f GDPR. We have a legitimate interest in the quick and uncomplicated integration and management of various tools on his website. If a corresponding consent has been requested, the processing will be carried out exclusively on the basis of Art. 6 Para. 1 lit. a GDPR and §25 Para. 1 TDDDG, insofar as the consent includes the storage of cookies or access to information in the user’s end device (e.g. device fingerprinting) within the meaning of the TDDDG. The consent can be revoked at any time.
Google Analytics
We use functions of the web analysis service Google Analytics on this website. The provider is Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland.
Google Analytics enables us to analyze the behavior of our website visitors. In this context, we use Google Analytics to collect various usage data, such as in particular
- Page views
- Links clicked and actions performed
- Length of stay
- Files downloaded
- Operating systems and browser types used
- Resolution of the device used
- Geographical origin of the site visitor
- Origin of the user (referrer URL)
This data is summarized in a user ID and assigned to the respective device of the website visitor. Furthermore, we can use Google Analytics to record your mouse and scroll movements and clicks, among other things. Google Analytics also uses various modeling approaches to supplement the data sets collected and uses machine learning technologies in data analysis.
Google Analytics uses technologies that enable the recognition of the user for the purpose of analyzing user behavior (e.g. cookies or device fingerprinting). The information collected by Google about the use of this website is usually transferred to a Google server in the USA and stored there.
The use of this service is based on your consent in accordance with Art. 6 Para. 1 lit. a GDPR and Section 25 Para. 1 TDDDG. The consent can be revoked at any time.
Die Datenübertragung in die USA wird auf die Standardvertragsklauseln der EU-Kommission gestützt. Details can be found here: https://privacy.google.com/businesses/controllerterms/mccs/.
Data Processing Agreement
We have concluded a Data Processing Agreement with Google. This is a contract required by data protection law, which ensures that we only process the personal data of our website visitors in accordance with our instructions and in compliance with the GDPR.
16. Plugins and Tools on our Website
YouTube
This website integrates videos from YouTube. The operator of the pages is Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland.
As soon as you start a YouTube video on this website, a connection to YouTube’s servers is established. The YouTube server is informed which of our pages you have visited. If you are logged into your YouTube account, you enable YouTube to assign your surfing behavior directly to your personal profile. You can prevent this by logging out of your YouTube account.
Furthermore, after starting a video, YouTube can store various cookies on your device or use comparable recognition technologies (e.g. device fingerprinting). In this way, YouTube can receive information about visitors to this website. This information is used, among other things, to collect video statistics, improve user experience and prevent fraud attempts.
If necessary, further data processing operations may be triggered after starting a YouTube video, over which we have no influence.
YouTube is used in the interest of an appealing presentation of our online offerings. This represents a legitimate interest within the meaning of Art. 6 Para. 1 lit. f GDPR. If a corresponding consent has been requested, the processing is carried out exclusively on the basis of Art. 6 Para. 1 lit. a GDPR and §25 Para.1 TDDDG. Consent can be revoked at any time.
Further information about data protection at YouTube can be found in their data protection declaration at: https://policies.google.com/privacy?hl=de.
Google Maps
This site uses the map service Google Maps. The provider is Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland. With the help of this service, we can integrate map material on our website.
To use the functions of Google Maps, it is necessary to save your IP address. This information is usually transmitted to a Google server in the USA and stored there. The provider of this site has no influence on this data transfer. If Google Maps is activated, Google may use Google Fonts for the purpose of uniform display of fonts. When you call up Google Maps, your browser loads the required web fonts into your browser cache in order to display texts and fonts correctly.
The use of Google Maps is in the interest of an appealing presentation of our online offers and to make it easy to find the places we have indicated on the website. This constitutes a legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR. If a corresponding consent has been requested, the processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TDDDG, insofar as the consent includes the storage of cookies or access to information in the user’s terminal device (e.g. device fingerprinting) within the meaning of the TDDDG. Consent can be revoked at any time.
Die Datenübertragung in die USA wird auf die Standardvertragsklauseln der EU-Kommission gestützt. Details can be found here: https://privacy.google.com/businesses/gdprcontrollerterms/ and https://privacy.google.com/businesses/gdprcontrollerterms/sccs/.
You can find more information on the handling of user data in Google’s privacy policy: https://policies.google.com/privacy?hl=de.
Google reCAPTCHA
We use “Google reCAPTCHA” (hereinafter “reCAPTCHA”) on this website. The provider is Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland.
The purpose of reCAPTCHA is to check whether data is entered on this website (e.g. in a contact form) by a human or by an automated program. For this purpose, reCAPTCHA analyzes the behavior of the website visitor based on various characteristics. This analysis begins automatically as soon as the website visitor enters the website. For the analysis, reCAPTCHA evaluates various information (e.g. IP address, time spent on the website by the website visitor or mouse movements made by the user). The data collected during the analysis is forwarded to Google.
The reCAPTCHA analyses run completely in the background. Website visitors are not informed that an analysis is taking place.
The data is stored and analyzed on the basis of Art. 6 para. 1 lit. f GDPR. The website operator has a legitimate interest in protecting its website from abusive automated spying and SPAM. If a corresponding consent has been requested, the processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TDDDG, insofar as the consent includes the storage of cookies or access to information in the user’s terminal device (e.g. device fingerprinting) within the meaning of the TDDDG. Consent can be revoked at any time.
For more information about Google reCAPTCHA, please refer to the Google Privacy Policy and the Google Terms of Use at the following links: https://policies.google.com/privacy?hl=de and https://policies.google.com/terms?hl=de.
Integration of the applicant platform OnlyFy
We have integrated content from the provider OnlyFy on our website; the provider is New Work SE, Am Strandkai 1, 20457 Hamburg (privacy policy https://onlyfy.com/de/datenschutz). The purpose is the presentation of job offers and the integration of the OnlyFy applicant platform.
OnlyFy uses cookies; you can find out more about cookies in this data protection declaration. OnlyFy content will only be displayed once you have given your consent. You can grant this, for example, via the cookie settings or revoke it after granting it.
The integration of the OnlyFy Application Platform is based a legitimate interest within the meaning of Art. 6 Para. 1 lit. f of the GDPR. If appropriate consent has been requested, processing is carried out exclusively based on Art. 6 Para. 1 lit. a of the GDPR; consent can be revoked at any time.
Further information on the processing of personal data as part of the application process can be found in this data privacy notice.
18. Additional Data Protection Information for our Business Partners
Data Categories and Purposes of Processing
We process the personal data of our service providers and partners that we receive directly as part of our business relationship. If we have received data from you, we generally only process it for the purposes for which we received or collected it.
We generally process the following categories of data from you:
- Surname, first name
- Address and/or company address
- Telecommunications data
- E-mail address
- Company
- Professional function and/or position
- Bank details/other payment details
- Data on the history of the business relationship
As part of the business initiation phase and during the business relationship, in particular through personal, telephone or written contact initiated by you or one of our employees, further personal data is created, e.g. B. Information about contact channel, date, occasion and result; (electronic) copies of correspondence and information about participation in direct marketing measures.
On the other hand, we process personal data that we have legitimately obtained and are permitted to process from publicly accessible sources (e.g. commercial and association registers, press, media, internet).
Data processing for other purposes is only possible if the necessary legal requirements in accordance with Art. 6 (4) GDPR are met. In this case, we will of course observe any information obligations pursuant to Art. 13 Paragraph 3 GDPR and Art. 14 Paragraph 4 GDPR.
Information on Deletion Periods for Personal Data
Principle of purpose limitation and compliance with statutory retention periods
We process the data as long as this is necessary for the respective purpose. If necessary, we process your personal data for the duration of our business relationship, which also includes the initiation and processing of a contract.
In addition, like every company, we are obliged to comply with statutory retention periods, for example the deadlines under commercial and tax law. If there are statutory retention requirements, the relevant personal data will be stored for the duration of the retention period. The storage period also depends on the statutory limitation periods, which, for example, according to Sections 195 ff. of the Civil Code (BGB), can usually be three years, but in certain cases can also be up to thirty years. After the retention period has expired, it will be checked whether further processing is necessary. If it is no longer necessary, the data will be deleted.
Emails and business letters
If you send us an email, your data and the entire email content will be stored in accordance with the principles of proper accounting. Most emails count as business letters, and emails can also contain information relevant to tax law. In our opinion, the effort involved in checking every single e-mail in this respect is not in proportion to the benefit and the sender’s legitimate interests. However, you can of course ask us to delete them at any time and we will carry out a case-by-case review and inform you of the result. This may lead to erasure or restriction of processing, depending on the content of the correspondence.
Withdrawal of your consent
If we process your data on the basis of your consent (Art. 6 para. 1 lit. a GDPR), we will delete it after you withdraw your consent. Unless there are legitimate interests against complete erasure. For example, we generally retain declarations of consent for up to three years after receipt of your revocation in the legitimate interest (Art. 6 para. 1 lit. f GDPR). We only retain the consent with restriction of processing in order to be able to defend ourselves in the event of a dispute.
Legal or contractual Obligation to provide Personal Data
The provision of personal data is regularly necessary for the initiation, conclusion, processing, and reversal of a contract. If you do not provide the required personal data, we will not be able to conclude and fulfill a contract with you.
Transfer to a Third Country
We generally process your personal data in data centers in the Federal Republic of Germany or the European Union. A transfer to a third country is only possible if you have given us your consent or we have concluded a contract for order processing in accordance with Art. 28 GDPR, considering suitable guarantees or other suitable guarantees.
17 Our social media presence
Data Processing through Social Networks
We maintain publicly available profiles in social networks. The individual social networks we use can be found below.
Social networks such as Facebook, Twitter etc. can generally analyze your user behavior comprehensively if you visit their website or a website with integrated social media content (e.g., like buttons or banner ads). When you visit our social media pages, numerous data protection-relevant processing operations are triggered. In detail:
If you are logged in to your social media account and visit our social media page, the operator of the social media portal can assign this visit to your user account. Under certain circumstances, your personal data may also be recorded if you are not logged in or do not have an account with the respective social media portal. In this case, this data is collected, for example, via cookies stored on your device or by recording your IP address.
Using the data collected in this way, the operators of the social media portals can create user profiles in which their preferences and interests are stored. This way you can see interest-based advertising inside and outside of your social media presence. If you have an account with the social network, interest-based advertising can be displayed on any device you are logged in to or have logged in to.
Please also note that we cannot retrace all processing operations on the social media portals. Depending on the provider, additional processing operations may therefore be carried out by the operators of the social media portals. Details can be found in the terms of use and privacy policy of the respective social media portals.
Legal basis
Our social media appearances should ensure the widest possible presence on the Internet. This is a legitimate interest within the meaning of Art. 6 Para. 1 lit. f GDPR. The analysis processes initiated by the social networks may be based on divergent legal bases to be specified by the operators of the social networks (e.g., consent within the meaning of Art. 6 Para. 1 lit. a GDPR).
Responsibility and assertion of rights
If you visit one of our social media sites (e.g. Facebook), we are jointly responsible with the operator of the social media platform for the data processing operations triggered during this visit. You can assert your rights (information, rectification, erasure, restriction of processing, data portability and complaint) both against us and against the operator of the respective social media portal (e.g. Facebook).
Please note that despite the shared responsibility with the social media portal operators, we do not have full influence on the data processing operations of the social media portals. Our options are determined by the company policy of the respective provider.
Storage time
The data collected directly from us via the social media presence will be deleted from our systems as soon as you ask us to delete it, you revoke your consent to the storage or the purpose for the data storage lapses. Stored cookies remain on your device until you delete them. Mandatory statutory provisions – in particular, retention periods – remain unaffected.
We have no control over the storage duration of your data that are stored by the social network operators for their own purposes. For details, please contact the social network operators directly (e.g., in their privacy policy, see below).
Individual social networks
Facebook
We have a profile on Facebook. The provider of this service is Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (hereinafter Meta). According to Meta’s statement the collected data will also be transferred to the USA and to other third-party countries.
Die Datenübertragung in die USA wird auf die Standardvertragsklauseln der EU-Kommission gestützt. Details can be found here:
https://www.facebook.com/legal/EU_data_transfer_addendum and https://de-de.facebook.com/help/566994660333381. Further details can be found in Facebook’s privacy policy: https://www.facebook.com/about/privacy/.
Instagram
Wir verfügen über ein Profil bei Instagram. Anbieter dieses Dienstes ist die Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Irland. Die Datenübertragung in die USA wird auf die Standardvertragsklauseln der EU-Kommission gestützt. Details can be found here:
https://www.facebook.com/legal/EU_data_transfer_addendum
https://help.instagram.com/519522125107875
https://de-de.facebook.com/help/566994660333381.
Details on how they handle your personal data can be found in Instagram’s privacy policy: https://help.instagram.com/519522125107875.
XING
We have a profile on XING. The provider is New Work SE, Dammtorstraße 30, 20354 Hamburg, Germany. Details on how they handle your personal data can be found in XING’s privacy policy: https://privacy.xing.com/de/datenschutzerklaerung.
LinkedIn
We have a profile on LinkedIn. The provider is LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland. LinkedIn uses advertising cookies. If you wish to deactivate LinkedIn advertising cookies, please use the following link: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out. Die Datenübertragung in die USA wird auf die Standardvertragsklauseln der EU-Kommission gestützt. Details can be found here: https://www.linkedin.com/legal/l/dpa and https://www.linkedin.com/legal/l/eu-sccs. Details on how they handle your personal data can be found in LinkedIn’s privacy policy: https://www.linkedin.com/legal/privacy-policy.
YouTube
We have a profile on YouTube. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Details on how they handle your personal data can be found in the YouTube privacy policy: https://policies.google.com/privacy?hl=en.