1. GENERAL INFORMATION
This privacy policy informs you about the type, scope and purpose of the processing of your personal data by us. On the one hand, this information relates to the processing of personal data on or through our website. On the other hand, you will receive information about the processing of your personal data in other internal and external processes of our company. If necessary, you will receive additional information on further processing in an appropriate manner. For example, if we use your personal data to register your visit to our site, you will also be informed on site. We take the protection of your personal data very seriously and treat your personal data confidentially and in accordance with the statutory national and European regulations and the requirements and recommendations of the state data protection authority responsible for us.
Bayerisches Landesamt für Datenschutzaufsicht
https://www.lda.bayern.de
[email protected]
0981/180093-0
Promenade 18
91522 Ansbach
Postfach 1349
91504 Ansbach
We reserve the right to implement published recommendations of other data protection authorities if, in our opinion, this can better ensure the protection of your personal data. The same applies to publications in literature and case law. Please note, however, that the transmission of data is generally not secure. We cannot technically rule out the possibility of third parties accessing your data. Therefore, please handle your data and the data of other persons responsibly. For the sole purpose of better readability, gender-specific spelling has been omitted. All personal designations in this "Information on data protection" (e.g. customer, controller, data subject, data protection officer) are therefore to be understood as gender-neutral.
1.1 SCOPE OF APPLICATION
With this data protection information (also "data protection declaration", "data protection information") we inform you in accordance with Art. 12 ff. GDPR about which of your personal data we process (definition of the terms "personal data", "processing": see below) in order to display this website and to be able to use the functions of the website. We also inform you about the other processes associated with the presentation of the website or the functions used (e.g. hosting, newsletter, etc.). If and insofar as we process personal data in other processes (e.g. telephone system, guest WLAN, video surveillance, etc.), you will receive further information in a timely and comprehensive manner. This information may also be provided on this website; we will therefore also inform you about the way in which we provide the information in the further processes. This data protection information also applies to our other online presences (e.g. websites, landing pages, stores, social media presences) and to other processes, insofar as we expressly refer to this data protection information.
1.2. CONTACT DATA OF THE CONTROLLER
The controller in charge of data processing on this website, within the meaning of the General Data Protection Regulation (GDPR), other data protection laws applicable in Member states of the European Union and other provisions related to data protection is:
Floy GmbH
Loristraße 12
80335 Munich
Germany
[email protected]
You can contact us at any time if you have questions about this privacy policy or wish to assert rights.
1.3 CONTACT DATA OF THE DATA PROTECTION OFFICER
You - and any other data subject - can contact our data protection officer directly, verbally or in writing at any time with any questions or suggestions regarding data protection. You can reach him via our contact details above (see imprint) and via the e-mail address [email protected].
1.4. DEFINITIONS
This data protection declaration or this data protection notice uses, among other things, the terms defined in the European General Data Protection Regulation (GDPR), OJ L 119 of 4 May 2016, p. 1. L 119 of May 4, 2016, p. 1-88 (in the version applicable at the time this data protection notice was prepared) and the German Federal Data Protection Act (BDSG) in the version of June 30, 2017; (BGBl. I p. 2097), last amended by Art. 12 G of November 20, 2019; (BGBl. I p. 1626, 1633). Insofar as additional terms arise from other laws that are used in this privacy policy or the terms serve the understanding of this privacy policy, we have also explained these in the following text.
1.4.1 PERSONAL DATA
Personal data means any information relating to an identified or identifiable natural person (hereinafter "data subject"). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (cf. Art. 4 No. 1 GDPR). Personal data are, for example, the name, address, account or telephone number, but also the IP address or ID card number
1.4.2DATA SUBJECT
Data subject is any identified or identifiable natural person whose personal data are processed by the controller (cf. Art. 4 No. 1 GDPR). Data subject is, for example, the user of the website or the customer, client, patient, etc. of a company
1.4.3 END USER
End user is any natural or legal person who uses a public telecommunications service (e.g. Internet access services) without providing a public telecommunications network or a publicly available telecommunications service himself.
1.4.4 PROCESSING
Processing is any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, filing, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (cf. Art. 4 No. 2 DSGVO). Processing therefore occurs when we collect, pass on, store or delete personal data.
1.4.5 RESTRICTION OF PROCESSING
Restriction of processing is the marking of stored personal data with the aim of limiting their future processing (cf. Art. 4 No. 3 DSGVO). For example, if you contact us and inform us that your data is incorrect, we will restrict the processing of your data in order to check the accuracy of the data (cf. Art. 18(1)(b) DSGVO).
1.4.6 PROFILING
Profiling is any automated processing of personal data which consists of using such personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects relating to that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or change of location (cf. Art. 4 No. 4 DSGVO). Profiling would be, for example, the assessment of your economic situation based on your shopping behavior.
1.4.7 PSEUDONYMIZATION
Pseudonymization is the processing of personal data in such a way that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that this additional information is stored separately and is subject to technical and organizational measures which ensure that the personal data cannot be attributed to an identified or identifiable natural person (cf. Art. 4 No. 5 DSGVO). Pseudonymization is given, for example, if the personal data is replaced by, for example, a customer number. Without knowledge of which customer number was assigned to which customer, the data cannot be assigned to a specific person (customer).
1.4.8 ANONYMIZATION
Anonymization is the complete and irrecoverable removal of the personal reference of the data. If, for example, all customer contact data is overwritten with random numbers and no storage has been made of which customer was assigned which number, the data can no longer be assigned to a person. Anonymized data is not subject to the rules of the GDPR and the BDSG due to the lack of personal reference (cf. recital 26 of the GDPR).
1.4.9 "CONTROLLER" OR "PROCESSOR"
The controller or processor is the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its designation may be provided for under Union or Member State law (cf. Art. 4 No. 7 GDPR). The controller for the processing of data when using the website is the provider of this website (see (contact details of the controller).
1.4.10 PROCESSOR
A processor is a natural or legal person, authority, institution or other body that processes personal data on behalf of the controller (see Article 4 No. 8 of the GDPR). We use as a processor, for example, a so-called hoster, i.e. a company that stores our website on its own servers. If you enter your personal data (e.g. name, e-mail address, etc.) via a contact form, for example, this data is stored by the hoster on its server, etc.. The hoster processes the data only in the manner in which we have contractually agreed with him. It therefore processes the data "on our behalf" and is therefore a "processor".
1.4.11 RECIPIENT
Recipientis a natural or legal person, authority, institution or other body to which personal data is disclosed, whether or not it is a third party. However, public authorities that may receive personal data in the context of a specific investigation mandate under Union or Member State law are not considered recipients (cf. Art. 4 No. 9 GDPR). Recipients of this privacy statement are, for example, you.
1.4.12 THIRDPARTY
Third party is a natural or legal person, public authority, agency or other body other than the data subject, the controller, the processor and the persons authorized to process the personal data under the direct responsibility of the controller or the processor. A third party is, for example, an authority that accesses data on the basis of a legal authorization (cf. Art. 4 No. 10 GDPR).
1.4.13CONSENT
Consent is any expression of will in the form of a declaration or other unambiguous affirmative action made voluntarily by the data subject for the specific case in an informed and unambiguous manner, by which the data subject indicates that he or she consents to the processing of personal data relating to him or her (cf. Art. 4 No. 11, Art. 7 DSGVO). For example, you give us consent when you place your order - then you consent to us processing the data you provide so that we can also fulfill your order.
1.4.14 CONTENT DELIVERY NETWORK (CDN)
A content deliverynetwork(CDN)is a network of servers that are connected via the Internet and send data to end devices. A CDN can consist of several thousand regionally distributed servers that deliver data as quickly as possible according to specific rules. The advantage of a CDN is essentially that not only the server on which, for example, our website is stored (hosted), performs the delivery of the required data (e.g. texts or images), but many servers simultaneously. This allows our website to be displayed much faster at your site. In order for the CDN to work, it requires data such as browser type, IP address, screen resolution, etc. If you do not want to use the CDN, you can install a JavaScript blocker (e.g. Sybu https://sybu.co.za or NoScript https://noscript.net) on the end device you are using. Delivery of the website may then be slower.
1.4.15TERMINAL EQUIPMENT
By the term "terminal equipment" we mean any equipment connected directly or indirectly to the interface of the telecommunications network you are using for the purpose of transmitting, processing or receiving messages or data, regardless of the type of connection (wire, electromagnetic, etc.).
1.4.16 MOBILE TERMINALEQUIPMENT
By the term "mobile terminal equipment" we mean all Internet-capable devices that are not kept stationary but are mobile, i.e. movable. These can be, for example, smartphones, tablets, etc.
1.4.17 WEBSITE
By "website" (also: web presence, internet presence, web presence, etc.) we mean the presence of a provider that can be reached at an individual web address. A website can be rendered with browsers. It can be compared to a "house" at a specific address (domain) and usually has several web pages (i.e. "rooms"). In addition to the web application (homepage), other services such as e-mail, storage space, etc. can be used.
1.4.19 IP ADDRESS
The IP address is the unique address (e.g. 216.58.190.0) of your computer or terminal device used, similar to a postal address. According to a decision of the European Court of Justice (judgment of 19.10.2016, ref.: C-582/14), IP addresses are personal data (cf. also recital 30 DSGVO). It follows that the GDPR and the BDSG also apply to IP addresses. The IP address is used to deliver data to your computer. You can find out the IP address of your computer in the network by using the command "ipconfig" or you can also research it online (e.g. at https://www.heise.de/netze/tools/meine-ip-adresse/). In doing so, your IP address is transmitted to the provider.
1.4.20 JAVA, JAVASCRIPT
Java is a platform-independent programming language developed in 1995 by the U.S. company Sun Microsystems Inc., Santa Clara, USA (today part of Oracle Corporation, Austin, USA), whose language specification is constantly being further developed. Java is used today not only by web browsers, but also in cars, hi-fi systems and other electronic devices. JavaScript (JS for short) is a scripting language developed in 1995 by Brendan Eich for dynamic HTML in web browsers. JS extends the capabilities of HTML. JavaScript was developed independently of Java and differs in many ways.
1.4.21 COOKIES
Cookies are small data packages (small text files consisting of numbers and letters) that are used to store certain information locally on your terminal device for some time. This can be used, for example, to recognize the user's computer when the page is called up again or to save the contents of a form or shopping cart. Tracking services use cookies to store collected information. In some cases, cookies are automatically deleted when you close your web browser (so-called transient cookies). These include, in particular, so-called session cookies or session cookies. These cookies store a so-called session ID, which can be used to assign various requests from your web browser to the current session. This makes it possible to recognize your terminal device when you return to our website. Session cookies are deleted as soon as you log out or close the web browser. In some cases, cookies are only deleted after a specified period of time (so-called persistent cookies). The storage period varies depending on the cookie. Technically necessary cookies are required to display the website. These include, for example, shopping cart cookies, login cookies or cookies for language selection. If you do not agree to cookies being stored, you can deactivate the storage of cookies in the settings of your web browser. You can delete already existing cookies in the settings of your web browser. Help on the settings can be found in the respective help menu of your browser under the following links:
- Internet Explorer: http://windows.microsoft.com/de-DE/windows-vista/Block-or-allow-cookies
- Firefox: https://support.mozilla.org/de/kb/cookies-erlauben-und-ablehnen
- Chrome: http://support.google.com/chrome/bin/answer.py?hl=de&hlrm=en&answer=95647
- Safari: https://support.apple.com/de-de/guide/safari/sfri11471/mac
- Opera: [https://help.opera.com/en/latest/web-preferences/#cookies](https://help.opera.com/en/latest/web-preferences/#_blank)
You can also object to the collection and forwarding of personal data or prevent the processing of this data by deactivating ("blocking") the execution of Java script in your browser. You can also install script blockers that prevent the execution of codes. Script blockers can be found, for example, here:
- https://addons.mozilla.org/de/firefox/addon/noscript/
- https://noscript.net
- https://www.ghostery.com
- https://chrome.google.com/webstore/detail/umatrix/ogfcmafjalglgifnmanfmnieipoejdcf
Further information on cookies can be found, for example, at Bundesverband Digitale Wirtschaft (BVDW) e. V., Berliner Allee 57, 40212 Düsseldorf, www.bvdw.org. BVDW e. V. provides additional information on its website at http://meine-cookies.org/. We use a separate tool to obtain and document any necessary consent to the processing of cookies. For each cookie, we will provide you with the necessary information to enable you to decide whether you agree to the use of the tool.
1.4.22 COOKIE CONSENT TOOL
Cookie Consent Tools ("consent") manage the consents you give to use certain technically unnecessary tools. A pop-up window informs you about the cookies you want before using tools that require cookies. You can then decide whether or not you agree and with which cookies. Your decision is then stored for a period of up to twelve months. Personal data, such as your IP address - as well as a pseudonymous user ID, the time of consent and selection, etc., are used in the process. This data is stored either in a cookie on your terminal device or on the server we use. You can readjust or revoke your consent at any time.The use of the Cookie Consent Tool is based on our legitimate interest in operating the website in an efficient manner in compliance with the law. Without its use, it is not possible for us to ask for the necessary consents and to document the user's decision. We need the documentation pursuant to Art. 5 (2) DSGVO to be able to prove that we operate the website in compliance with applicable law. For more information, see the explanation of the cookie consent tool used.
1.4.23 WEB BEACONS
Web beacons are not graphics in HTML emails or on web pages. Usually the image is only 1 × 1 pixel in size, often transparent or designed in the color of the background and thus not or hardly visible. When the document is loaded, the Web beacon is downloaded from a server and the download is registered there. You can prevent the use of web beacons if, for example, you open the e-mail offline, do not open the e-mail as HTML e-mail or block external graphics with your e-mail program. You can also use tools that detect and block web beacons, such as
- Privoxy - https://www.privoxy.org/
- Proxomitron - https://www.proxomitron.info/
For more information, see the explanations of the "web beacons" used.
1.4.24 THIRD COUNTRIES/THIRD COUNTRIES, TRANSFER OF DATA TO THIRD COUNTRIES
Theterm "third countries" or "third countries" refers to the countries that are not part of the European Union (i.e. Belgium, Bulgaria, Romania, Czech Republic, Denmark, Germany, Estonia, Greece, Spain, France, Ireland, Italy, Cyprus, Latvia, Lithuania, Luxembourg, Hungary, Malta, the Netherlands, Austria, Poland, Portugal, Slovenia, Slovakia, Finland and Sweden) or the European Economic Area (EU member states plus Iceland, Liechtenstein and Norway). In addition to the United States of America (USA), India, China, Russia, Brazil, South Africa, Australia, there are approximately 160 other countries that are potential third countries. Data transfers to third countries are lawful according to the strict legal requirements (cf. Art. 44 et seq. DSGVO) if:- Either the European Commission has determined in accordance with Art. 45 (3) DSGVO that an adequate level of data protection exists in the third country. Such so-called adequacy decisions are in place for Andorra, Argentina, Canada (commercial organizations only), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay, Japan and the United Kingdom. An overview of adopted adequacy decisions is provided by the European Commission.- Or if the data recipient provides appropriate safeguards for the protection of personal data and enforceable and effective remedies are available to data subjects (Art. 46(1) GDPR). Such appropriate safeguards, according to Art. 46(2) GDPR, include the use of the Commission's standard data protection clauses (Art. 46(2)(c), Art. 93(2) GDPR). These standard data protection clauses or standard contractual clauses (SCC) are model templates of the EU Commission. You can find these clauses here, among other places: (https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=de).The clauses used ensure that personal data is also processed in the third country concerned at a level of data protection that corresponds to that in Europe.For data transfers to the USA, the "Trans Atlantic Data Privacy Framework" (TADPF) has applied since 10.07.2023. The TADPF introduces new mandatory safeguards for U.S. recipients of data. These include restrictions on access to EU citizens' data by U.S. intelligence agencies and the establishment of the Data Protection Review Court (DPRC), a review body also accessible to non-U.S. citizens. The DPRC can also order the deletion of data in the event of a breach. The TADPF will be reviewed regularly by the European Commission together with representatives of the European data protection authorities and the relevant U.S. authorities. The first review is scheduled to take place within one year of the TADPF's entry into force. The TADPF has the effect of an adequacy decision pursuant to Article 45(1) of the GDPR and applies in principle with immediate effect to U.S. companies participating in the TADPF. Additional legitimation instruments such as standard contractual clauses (SCC) are thus no longer required for data exports to U.S. recipients, as the U.S. is once again considered a safe third country. However, U.S. companies must self-certify and agree to comply with certain data protection obligations in order to benefit from the effects of the TADPF. The current status can be viewed as of 07/17/2023 at [link to TADPF](https://www.dataprivacyframework.gov/s/).A data transfer is also permitted if the data subject has consented to the transfer pursuant to Art. 49 (1) (a) DSGVO or if the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject by the controller with another natural or legal person (Art. 49 (1) lit. c DSGVO) or another exception of Art. 49 DSGVO applies.If we work with providers that are either based in a third country or process data in a third country (e.g. in the USA), we ensure compliance with the legal requirements and check this regularly. We also only work with providers who have concluded the necessary contracts with us.Should we need or want to deviate from this in exceptional cases, we will inform you accordingly and seek your consent.
1.5 STORAGE PERIOD
Data is therefore only deleted in compliance with the legal, official and, if applicable, judicial requirements for the storage or deletion of personal data. Sometimes, in order to conclude a contract, it may be necessary for a data subject to provide us with personal data that must subsequently be processed by us. For example, the data subject is obliged to provide us with personal data if our company concludes a contract with him or her. Failure to provide the personal data would mean that the contract with the data subject could not be concluded.
1.6. RIGHTS OF THEDATA SUBJECT
The applicable data protection law grants you comprehensive rights of the data subject (rights of information and intervention) vis-à-vis the controller with regard to the processing of your personal data, which we inform you about below:
1.6.1 RIGHT OF INFORMATION PURSUANT TO ART. 15 DSGVO
You may request confirmation from the controller as to whether personal data concerning you is being processed by the controller ("right to confirmation"). Furthermore, you have the right to obtain information about:the purposes of the processing;the categories of personal data processed;the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular in the case of recipients in third countries or international organizations;if possible, the planned duration for which the personal data will be stored or, if this is not possible, the criteria for determining this duration;The existence of a right to rectification or erasure of the personal data concerning them or to restriction of processing by the controller or a right to object to such processing;The existence of a right of appeal to a supervisory authority;If the personal data are not collected from the data subject: Any available information about the origin of the data;the existence of automated decision-making, including profiling pursuant to Article 22(1) and (4) of the GDPR and, at least in these cases, meaningful information about the logic involved and the scope and intended effects of such processing for the data subject.Furthermore, you have a right of access to whether personal data have been transferred to a third country or to an international organization. If this is the case, you also have the right to obtain information about the appropriate safeguards in the context of the transfer.If you would like to exercise this right to information, you can contact us or our data protection officer at any time.
1.6.2 RIGHT OF CONSIDERATION PURSUANT TO ART. 16 DSGVO
You have a right to the immediate correction of incorrect data relating to you and/or the completion of your incomplete data stored by us; the correction or completion must take place without delay.
1.6.3 RIGHT TO ERASURE PURSUANT TO ART. 17 DSGVO
You have the right to request that personal data concerning you be erased without undue delay, provided that one of the following reasons applies and to the extent that processing is no longer necessary:The personal data were collected or otherwise processed for such purposes for which they are no longer necessary.The data subject revokes the consent on which the processing was based pursuant to Art. 6(1)(a) DSGVO or Art. 9(2)(a) DSGVO and there is no other legal basis for the processing.The data subject objects to the processing pursuant to Article 21(1) DSGVO and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2) DSGVO.The personal data have been processed unlawfully.The erasure of the personal data is necessary for compliance with a legal obligation under Union or Member State law to which the controller is subject.The personal data have been collected in relation to information society services provided pursuant to Article 8 (1) DSGVO.If one of the aforementioned reasons applies, and a data subject wishes to arrange for the erasure of personal data stored, he or she may, at any time, contact us.If the personal data have been made public and our company, as controller, is obliged pursuant to Article 17 (1) DSGVO to erase the personal data. 1 DSGVO to erase the personal data, we shall implement reasonable measures, including technical measures, taking into account the available technology and the cost of implementation, in order to inform other data controllers which process the published personal data that the data subject has requested from those other data controllers to erase all links to or copies or replications of the personal data, unless the processing is necessary.
1.6.4 RIGHT TO RESTRICT PROCESSING PURSUANT TO ART. 18DSGVO
You have the right to request the restriction of the processing of your personal data as long as the accuracy of your data, which you dispute, is being verified, if you refuse the erasure of your data due to unlawful data processing and instead request the restriction of the processing of your data, if you need your data for the assertion, exercise or defense of legal claims after we no longer need this data after the purpose has been achieved or if you have objected on the grounds of your particular situation as long as it has not yet been determined whether our legitimate grounds prevail.If the processing of personal data relating to you has been restricted, this data may - apart from being stored - only be processed with your consent or for the assertion, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of an important public interest of the Union or a Member State. If the restriction of processing has been restricted, you will be informed by the controller before the restriction is lifted.
1.6.5 RIGHT TO INFORMATION PURSUANT TO ART. 19 DSGVO
So long asyou have exercised your right to rectification, erasure or restriction of processing, the controller is obliged to inform all recipients to whom your personal data have been disclosed of this rectification or erasure of the data or restriction of processing, unless this is impossible or involves a disproportionate effort. You also have the right to be informed about these recipients.
1.6.6 RIGHT TO DATA TRANSFER IN ACCORDANCE WITH ART. 20 DSGVO
Youhave the right to receive your personal data disclosed to us in a structured, common and machine-readable format or to request that it be transferred to another controller, insofar as this is technically possible.
1.6.7 RIGHT OF REVOCATION PURSUANT TO ART. 7 ABS. 3 DSGVO
You have the right to object at any time to the processing of personal data relating to you that is carried out on the basis of Art. 6 (1) (e) or (f) DSGVO; this also applies to profiling based on these provisions.You also have the right to revoke your declaration of consent under data protection law at any time with effect for the future. The revocation of consent shall not affect the lawfulness of the processing carried out on the basis of the consent until the revocation.We shall no longer process the personal data in the event of an objection, unless we can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or the processing serves to assert, exercise or defend legal claims.If we process personal data for the purposes of direct marketing, you have the right to object at any time to processing of personal data for such marketing. This also applies to profiling, insofar as it is associated with such direct advertising. If you object to direct marketing, we will no longer process the personal data for these purposes.In addition, you have the right, on grounds relating to your particular situation, to object to the processing of personal data concerning you which is carried out for scientific or historical research purposes or for statistical purposes pursuant to Article 89(1) of the DS-GVO, unless such processing is necessary for the performance of a task carried out in the public interest.To exercise the right to object, you may contact us directly. You are also free to exercise your right to object in the context of the use of information society services, notwithstanding Directive 2002/58/EC, by means of automated procedures using technical specifications.
1.6.8 RIGHT OF APPEAL PURSUANT TO ART. 77 DSGVO
Without prejudice toany other administrative or judicial remedy or recourse, you have the right to lodge a complaint with a supervisory authority. You may contact the supervisory authority of your place of residence, your place of work or the place of the alleged infringement if you believe that the processing of personal data concerning you violates data protection rules.
1.7. LEGAL BASIS OF PROCESSING
Anydata processing is carried out on the basis of a valid legal basis (cf. Art. 5 (1) lit. a DSGVO - Grundsatz der Rechtmäßigkeit/principle of lawfulness. We process personal data either on the basis of consent, for the performance of a contract or a legal obligation, or on the basis of our legitimate interest.
1.7.1 CONSENT
Ifyou have consented to data processing, we process your personal data on the basis of Art. 6(1)(a) DSGVO or Art. 9(2)(a) DSGVO, if special categories of data pursuant to Art. 9(1) DSGVO (e.g. data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as the processing of genetic data, biometric data uniquely identifying a natural person, health data or data concerning a natural person's sex life or sexual orientation) are processed.In addition, in the case of explicit consent to the transfer of personal data to third countries, data processing is carried out on the basis of Article 49 (1) (a) DSGVO. If you have consented to the storage of cookies or access to information on your terminal device or information stored there, the data processing is additionally carried out on the basis of Section 25 (1) TTDSG. The consent can be revoked at any time.
1.7.2 FULFILLMENT OF A CONTRACT
Ifthe processing of personal data is necessary for the fulfillment of a contract to which you are a party (e.g., in the case of a purchase or consulting contract), the processing is based on Art. 6 (1) lit. b DSGVO. The same applies to such processing operations that are necessary for the implementation of pre-contractual measures, for example in cases of inquiries about our products or services.
1.7.3 LEGAL OBLIGATION
Ifour company issubject toa legal obligation by which the processing of personal data becomes necessary, such as for the fulfillment of tax obligations, the processing is based on Art. 6 para. 1 lit. c in conjunction with. Abs. 3 DSGVO.
1.7.4vital interests
Inrare cases, the processing of personal data might become necessary to protect vital interests of the data subject or another natural person. This would be the case, for example, if you were injured during a visit to our company and we then had to pass on your name to a doctor, hospital or other third party, for example. Then the processing would be based on Art. 6 (1) lit. d DSGVO.
1.7.5 LEGITIMATE INTEREST
Processing may also be based on a so-called legitimate interest within the meaning of Art. 6 (1) lit. f DSGVO. Processing operations which are not covered by any of the aforementioned legal bases are based on this legal basis if the processing is necessary to protect a legitimate interest of our company (e.g. profit-making intention, presentation of the company, etc.) or of a third party, provided that the interests, fundamental rights and freedoms of the data subject are not overridden. The weighing of the possibly conflicting interests is always a - process- or system-related - case-by-case consideration and decision.Pursuant to EC 47 Sentence 2, a legitimate interest in data processing exists if the data subject is a customer of the controller, or the processing of personal data is necessary for the prevention of fraud, etc. (cf. EC 47 sentence 6) or for direct marketing purposes (cf. EC 47 sentence 7).
2. DATA PROCESSING BY THIS WEBSITE
Each time our website is accessed, our system automatically collects and stores data and information that your browser transmits to our server (so-called "server log files"). The following data is collected in the process:Date and time at the time of accessQuantity of data sent in bytesSource/reference from which other website you came to our websiteMeta and communication data (information about the system used, operating system, browser used, IP addresses, etc.).The collection of data to provide the website and the storage of data in log files is mandatory for the operation of the website. The legal basis for the processing is Art. 6 (1) lit. f DSGVO; we have a legitimate interest in improving the stability and maintaining the functionality of our website.The temporary storage of the IP address by the system is necessary to enable delivery of our website to your computer ("client"). For this purpose, the IP address of the terminal device used by you must be stored for the duration of the session. If you do not agree with the processing of this data, you have the option to completely refrain from using and visiting our website.A transfer or other use of the data does not take place. However, if we have concrete evidence of illegal use of our website, we will subsequently check the server log files and use the data, for example, to file a criminal complaint or assert civil claims.Insofar as personal data are stored in log files, they will be deleted no later than seven days after use. Longer storage is possible if, for example, illegal use pp. has been established and we want to pursue this misconduct. The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected.
2.1 COLLECTION OF GENERAL DATA AND INFORMATION
Our website collects a series of general data and informationwith each call of the website. This general data and information is stored in the log files of the server. Collected can be the: browser types and browser versions used,the operating system used by the accessing system,the website from which an accessing system accesses our website (so-called referrer URL),the sub-websites that are accessed by an accessing system on our website,the date and time of an access to the website,an Internet protocol address (IP address),the Internet service provider of the accessing system andother similar data and information that serve to avert danger in the event of attacks on our information technology systems.This data is not merged with other data sources. The data is always anonymized. However, there is basically the possibility that we may not or cannot carry out anonymization due to legal, official or judicial requirements.The basis for the collection of general data and information when calling up our website is Art. 6 (1) lit. b DSGVO, which permits the processing of data for the fulfillment of a contract or pre-contractual measures. Insofar as you do not enter into a contract with us or no pre-contractual measures are necessary, we process the data on the basis of Art. 6 (1) f DSGVO (so-called "legitimate interest"). If we are legally obliged to process data, the processing is based on Art. 6 (1) lit. c DSGVO. If we request your consent for processing, the legal basis for data processing is Art. 6 (1) a, 4 No. 11, 7, 9 DSGVO.We do not use the above-mentioned information to draw conclusions about the data subject, but in order to:correctly deliver the content of our website,optimize the content of our website and the advertising for it,ensure the long-term functionality of our information technology systems and the technology of our website, as well as to provide law enforcement authorities with the information necessary for prosecution in the event of a cyber attack.Therefore, these anonymously collected data and information are evaluated by us on the one hand statistically and on the other hand with the aim of increasing the data protection and data security of our enterprise, in order to ensure an optimal level of protection for the personal data we process.The anonymous data of the server log files are stored separately from any personal data you might provide. It is therefore not possible to draw any conclusions about you. We can therefore not determine, for example, what type of browser you are using. We only have data on which browser types were used by visitors during a certain period of time.If, for example, a visitor logs into the customer area incorrectly several times, we store the IP address - which is a personal data - in order to detect (hacker) attacks on our system and ward them off in good time.
2.2 EXTERNAL HOSTING
Our website is technically hosted and stored by an external service provider ("hoster"). The personal data collected on this website is therefore stored directly on the hoster's servers and not on servers that we maintain directly. The hoster is used for the purpose of fulfilling the contract with our potential and existing customers (Art. 6 para. 1 lit. b GDPR) and in our interest in the secure, fast and efficient provision of our online offer and the presentation of our company and our services by a professional provider (so-called "legitimate interest" within the meaning of Art. 6 para. 1 lit. f GDPR). When weighing our interests against your interests, in particular your right to informational self-determination, we have come to the conclusion that our interests prevail; the interference with your rights is minimal. You are also free to use our service and disclose data, and our host will only process your data to the extent necessary to fulfill its contractual obligations. We have concluded a contract with the hoster for the processing of personal data on our behalf (so-called "order processing contract") and thus comply with the strict requirements of the General Data Protection Regulation, the Federal Data Protection Act and other laws (e.g. Telemedia Act, Telecommunications Act, Telecommunications Telemedia Data Protection Act). Data is only processed by the hoster on our instructions and within the framework of the applicable laws, and we work together with the hoster Amazon Web Services (AWS) 410 Terry Avenue North, Seattle WA 98109 (USA). Further information can be found on the provider's website, in particular in the privacy policy https://d1.awsstatic.com/legal/privacypolicy/AWS_Privacy_Notice__German_Translation.pdf.
2.3 TLS ENCRYPTION
For security reasons and to protect the transmission of confidential content that you send to us as the site operator, our website uses TLS encryption. TLS (Transport Layer Security) is an encryption technology that enables secure access to the internet. TLS has so-called end-to-end encryption, i.e. the information is encrypted before being sent by the sender (e.g. a client) and only decrypted at the recipient (e.g. a web server). This is made possible by asymmetric encryption of the information and the exchange of a common symmetric session key between the communication partners. Only the communication partners can decrypt the information, as the encryption technologies also check the authenticity of the communication partners and they must first acquire the corresponding certificates from a special certification authority. Data that you transmit via this website cannot be read by third parties thanks to SSL encryption. You can recognize the encryption of our website by the fact that you access it with "https://". You can also recognize the use of the technology by a small lock symbol in your browser. The certificate we use was issued by the certification authority Let's Encrypt (LE) 548 Market St, PMB 77519, San Francisco, CA 94104-5401 (USA). The certification authority may process your IP address. Information on data protection and data processing can be found on the website of the certification authority https://letsencrypt.org/privacy/.
2.4. WEBSITE CONTENT MANAGEMENTSYSTEM
Weuse a content management system (abbreviation: "CMS") from the provider Webflow 398 11th Street, 2nd Floor, San Francisco, CA 94103 (USA) to design our website. With the help of the CMS, we can use many functions for our website and our web store without any programming effort. The CMS processes technical data such as operating system, browser, language and keyboard settings as well as personal data (e.g. IP address) The legal basis for the processing of personal data is our legitimate interest in designing our website efficiently and effectively (Art. 6 para. 1 lit. f GDPR). When weighing our interests against your interests, in particular your right to informational self-determination, we have come to the conclusion that our interests prevail; the interference with your rights is minimal. You are also free to use our website and disclose data. Insofar as the CMS uses cookies, you also have the option of objecting to their use. Further information on data protection can be found on the website and in the privacy policy of the provider https://webflow.com/
2.5 CONTACT, CONTACT OPPORTUNITIES
Due to legal regulations, the website contains data that enable a quick electronic contact to our enterprise, as well as direct communication with us, which also includes a general address of the so-called electronic mail (e-mail address). If a data subject contacts the controller by e-mail or by using a contact form, the personal data transmitted by the data subject will be stored automatically. Such personal data transmitted on a voluntary basis by a data subject to the controller will be stored for the purpose of processing or contacting the data subject. No disclosure of this personal data to third parties will take place. If you contact us by e-mail, telephone or fax, your inquiry including all personal data resulting from it (name, inquiry) will be stored and processed by us for the purpose of processing your request. We do not disclose this data without your consent.The processing of this data is based on Art. 6 (1) lit. b DSGVO, if your request is related to the performance of a contract or is necessary for the implementation of pre-contractual measures. In all other cases, the processing is based on our legitimate interest in the effective processing of the requests sent to us (Art. 6 (1) (f) DSGVO) or on your consent (Art. 6 (1) (a) DSGVO) if this was requested. The data you send us via contact requests will be stored by us until you request us to delete it, revoke your consent to store it or the purpose for storing the data no longer applies (e.g. after your request has been processed). Mandatory statutory provisions - in particular statutory retention periods - remain unaffected.
2.6 APPLICATION PROCEDURE
We offer you the opportunity to apply online on our website. For your participation in the application process, it is necessary to provide personal data. This data may include personal master data such as first name, last name, address, date of birth, contact data such as telephone number or e-mail address, as well as data relating to your educational and/or professional background, such as school and work certificates, data on training, internships or previous employers.This data may originate from an application form to be completed by you online on the application platform or from documents provided by you, such as a cover letter, a resume, an application photo, certificates or other evidence. Data that is mandatory for participation in the application process is marked accordingly as mandatory data. Insofar as no third-party provider is named in this data protection declaration whose service we use to provide the online application function, the data is not passed on to third parties. We process the above data for the purpose of carrying out the application process. Insofar as you have given us your consent, the legal basis for the processing of the data is Art. 6 para. 1 p. 1 lit. a) DSGVO. Insofar as the processing of the above data is carried out for the purpose of initiating contractual relationships, the legal basis is Art. 6 para. 1 p. 1 lit. b) DSGVO. The data will be deleted as soon as they are no longer required to achieve the purpose for which they were collected. In the event that an employment relationship, training relationship, internship or other service relationship is established following the application process, the data will initially continue to be stored and transferred to the personnel file. Otherwise, the application process ends with the receipt of a rejection. In this case, the data will be deleted. Deletion does not take place if further processing and storage of your personal data is necessary in individual cases for the assertion, exercise or defense of legal claims. In this case, we have a legitimate interest in the further processing and storage of your personal data. The legal basis is Art. 6 para. 1 p. 1 lit. f) DSGVO. Deletion will also not take place if we are obliged to continue storing your personal data due to legal regulations. You can revoke consent given to us at any time and object to the processing of your personal data at any time. In particular, you also have the option of withdrawing your application at any time without giving reasons.As part of the application process, you should only provide us with the personal data that is required for participation in the application process and its implementation. There is no legal or contractual obligation to provide data, unless an obligation to apply may arise for other reasons (e.g. official request, etc.). However, we would like to point out that we cannot carry out the application process without this data and cannot consider your application. The same applies in the event of an objection to the processing of your data. If you are required to apply, we will inform the respective institution of the application or revocation of processing pp. if this makes it impossible for us to carry out the application procedure. We also offer you the option of having your application stored in an application pool. This gives you the opportunity for us to consider your application beyond the specific application occasion also in the context of further future application procedures. The storage of your application in the application pool requires your consent, which we request in individual cases. The legal basis for processing (inclusion in the applicant pool) is Art. 6 (1) sentence 1 lit. a) DSGVO if consent has been given. You can revoke your consent at any time with effect for the future.
2.7. WEB ANALYTICS
This website uses functions of web analytics services, in particular Plausible Analytics (provider: Plausible Insights OÜ, address: Västriku tn 2, 50403, Tartu, Estonia, website: https://plausible.io, privacy policy: https://plausible.io/data-policy). Web analytics services allow us to analyze the behavior of website visitors. In doing so, we obtain various usage data, such as page views, dwell time, operating systems used and origin of users. This data can be summarized in a profile that is assigned to the respective user or his end device.Plausible collects the following information, among others, for this purpose: Date and time of your visit, title and URL of the pages visited, and the country in which you are located. However, Plausible does not use or store "cookies" on your terminal device. All personal data, such as your IP address, is stored completely anonymously in the form of a so-called hash. A hash is an encryption of data that is not reversible, so it cannot be "decrypted". In this way, we can analyze your visit without processing personal data.The use of these analysis tools is based on Art. 6 (1) lit. f DSGVO. The website operator has a legitimate interest in analyzing user behavior in order to optimize both its web offering and its advertising. Insofar as a corresponding consent has been requested (e.g. consent to store cookies), the processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a DSGVO, and the consent can be revoked at any time.There is a possibility that data may be transferred to the USA. Please refer to our notes in the "Definitions" section on the keyword "Data transfer to third countries".As far as possible, we have activated the IP anonymization function. This means that your IP address is shortened. Only in exceptional cases will the full IP address also be transmitted to a server of the provider in the USA and only there shortened. On behalf of the operator of this website, this information is used to evaluate your use of the website, to compile reports on website activity and to provide other services to the website operator relating to website activity and internet usage.
3MINORS
Our services are not directed to children under the age of 13.We do not knowingly collect information from children under 13. If you are under the age limit, do not use the Services or provide us with any personally identifiable information. If you are a parent of a child under the age limit and you become aware that your child has provided us with personal data, contact our data protection officer (see above for contact details) or us directly without delay so that we can take the necessary steps, such as blocking or deleting the data.