Privacy policy XU

We take data protection seriously

The protection of your privacy when processing personal data is an important concern for us. When you visit our website, our web servers store the IP of your Internet service provider, the website from which you visit us, the web pages you visit on our site and the date and duration of your visit as standard. This information is essential for the technical transmission of the web pages and secure server operation. There is no personalised evaluation of this data.

If you send us data via the contact form, this data will be stored on our servers as part of the data backup process. Your data will only be used by us to process your enquiry. Your data will be treated as strictly confidential. It will not be passed on to third parties.

1. Who is responsible for data processing and who can you contact?

Responsible person:

XU Group GmbH
Mehringdamm 33
10961 Berlin

Phone: +49 (0) 30 959 999 99 0
E-mail: hallo@xu.de

The company data protection officer is

Mr Christian VolkmerMehringdamm 33
Projekt 29 GmbH & Co KG
Ostengasse 14
93047 Regensburg
E-mail: anfragen@projekt29.de
Phone: +49 (0)941-2986930

2. Personal data

Personal data is data about your person. This includes your name, your address and your e-mail address. You do not have to disclose any personal data in order to visit our website. In some cases, we need your name and address as well as other information in order to be able to offer you the desired service.

The same applies if we supply you with information material on request or if we answer your enquiries. In these cases, we will always point this out to you. Furthermore, we only store the data that you have transmitted to us automatically or voluntarily.

When you use one of our services, we generally only collect the data that is necessary to provide you with our service. We may ask you for further information, but this is voluntary. Whenever we process personal data, we do so in order to be able to offer you our service or to pursue our commercial objectives.

3. Website

3.1. General Use

When you visit our website, our web servers store the IP of your internet service provider, the website from which you visit us, the web pages you visit on our site and the date and duration of your visit by default. The processing of this information is absolutely necessary for the technical transmission of the web pages, the convenient use of our services and secure server operation. Our legitimate interest arises from Art. 6 para. 1 lit. f) GDPR.

It is not possible to draw any direct conclusions about your identity from the information and we will not do so. The information is stored and automatically deleted once the aforementioned purposes have been achieved. The standard periods for deletion are based on the criterion of necessity.

3.2. Automatically saved data

Server log files

The provider of the pages automatically collects and stores information in so-called server log files, which your browser automatically transmits to us. These are

  • Date and time of the request
  • Name of the requested file
  • Page from which the file was requested
  • Access status (file transferred, file not found, etc.)
  • Web browser and operating system used
  • Complete IP address of the requesting computer
  • Amount of data transferred

This data is not merged with other data sources. Processing is carried out in accordance with Art. 6 para. 1 lit. f GDPR based on our legitimate interest in improving the stability and functionality of our website.

For reasons of technical security, to defend against attempted attacks on our web server, this data is stored by us for a short time. It is not possible for us to identify individual persons from this data. After seven days at the latest, the data is anonymized by shortening the IP address at domain level so that it is no longer possible to establish a link to the individual user. The data is also processed in anonymized form for statistical purposes; it is not compared with other databases or passed on to third parties, even in excerpts.

3.3. Contact us

When contacting us (e.g. by contact form, e-mail, telephone or via social media), the data of the enquiring persons will be processed insofar as this is necessary to answer the contact enquiries and any requested measures.

The response to contact enquiries in the context of contractual or pre-contractual relationships is carried out to fulfil our contractual obligations or to respond to (pre)contractual enquiries and otherwise based on the legitimate interests in responding to the enquiries.

– Processed data types: Inventory data (e.g. names, addresses), Contact data (e.g. e-mail, telephone numbers), Content data (e.g. entries in online forms).

– Affected persons: Communication partner.

– Purposes of processing: Contact enquiries and communication.

– Legal bases: Contract fulfilment and pre-contractual enquiries (Art. 6 para. 1 lit. b. GDPR), Legitimate interests (Art. 6 para. 1 lit. f. GDPR).

3.4. Cookies

When you visit our website, we may store information on your computer in the form of cookies. Many cookies contain a so-called cookie ID. A cookie ID is a unique identifier of the cookie. It consists of a string of characters through which websites and servers can be assigned to the specific Internet browser in which the cookie was stored. This enables the websites and servers visited to distinguish the individual browser of the data subject from other Internet browsers that contain other cookies. A specific Internet browser can be recognized and identified via the unique cookie ID.

By using session cookies, the controller can provide users of this website with a user-friendly service that would not be possible without the use of cookies. Without consent, we only use technically necessary cookies on the legal basis of legitimate interest in accordance with Art. 6 para. 1 lit. f GDPR.

We only use personalized cookies to improve our website or for marketing/advertising purposes with your consent. On your first visit, you can voluntarily consent to tracking or analysis via the cookie banner that appears. Your data may be passed on to partners or third-party providers. Only if you explicitly consent to this will these cookies be stored; the legal basis is then your consent in accordance with Art. 6 para. 1 lit. a GDPR.

You can change your settings for the use of cookies here at any time:

3.5. Consent Management

Borlabs Cookie

Our website uses Borlabs Cookie’s cookie consent technology to obtain your consent to the storage of certain cookies in your browser and to document this in compliance with data protection regulations. The provider of this technology is Borlabs – Benjamin A. Bornschein, Rübenkamp 32, 22305 Hamburg (hereinafter referred to as Borlabs).

When you enter our website, a Borlabs cookie is stored in your browser, in which the consents you have given or the revocation of these consents are stored. This data is not passed on to the provider of Borlabs Cookie.

The data collected will be stored until you ask us to delete it or delete the Borlabs cookie yourself or until the purpose for storing the data no longer applies. Mandatory statutory retention periods remain unaffected. Details on data processing by Borlabs Cookie can be found at https://de.borlabs.io/kb/welche-daten-speichert-borlabs-cookie/

Borlabs cookie consent technology is used to obtain the legally required consent for the use of cookies. The legal basis for this is Art. 6 para. 1 sentence 1 lit. c GDPR.

We have concluded an order processing contract (AV) in accordance with Art. 28 GDPR with the above-mentioned provider. This is a contract prescribed by data protection law, which guarantees that the provider will only process the personal data of our website visitors in accordance with our instructions and in compliance with the GDPR.

4. Service optimisation

4.1. Platform and hosting

Cloudflare

 We use the “Cloudflare” service. The provider is Cloudflare Inc, 101 Townsend St., San Francisco, CA 94107, USA (hereinafter referred to as “Cloudflare”).

Cloudflare offers a globally distributed content delivery network with DNS. Technically, the information transfer between your browser and our website is routed via Cloudflare’s network. This enables Cloudflare to analyze the data traffic between your browser and our website and to act as a filter between our servers and potentially malicious data traffic from the Internet. Cloudflare may also use cookies or other technologies to recognize Internet users, but these are used solely for the purpose described here.

The use of Cloudflare is based on our legitimate interest in providing our website as error-free and secure as possible (Art. 6 para. 1 lit. f GDPR).

Data transfer to the USA is based on the standard contractual clauses of the EU Commission. Details can be found here:

https://www.cloudflare.com/privacypolicy/.

Further information on security and data protection at Cloudflare can be found here: https://www.cloudflare.com/privacypolicy/.

We have concluded an order processing contract (AV) in accordance with Art. 28 GDPR with the above-mentioned provider. This is a contract prescribed by data protection law, which guarantees that the provider will only process the personal data of our website visitors in accordance with our instructions and in compliance with the GDPR.

jsDelivr CDN

This website uses a so-called “Content Delivery Network” (CDN) from jsDelivr.

A CDN is a service used to deliver the content of our online offering, in particular large media files such as graphics or scripts, more quickly with the help of regionally distributed servers connected via the Internet. User data is processed exclusively for the above-mentioned purposes and to maintain the security and functionality of the CDN.

For this purpose, the browser you are using must establish a connection to the CDN servers. The CDN then becomes aware that our website has been accessed via your IP address.

The use is based on our legitimate interests, namely the interest in a secure and efficient provision, analysis and optimisation of our online offer in accordance with Art. 6 para. 1 lit. f. GDPR. GDPR.

Further information can be found in the privacy policy of jsDelivr: https://www.jsdelivr.com/privacy-policy-jsdelivr-net/

Unpkg

This website uses the Unpkg web service provided by Npm, Inc., 1999 Harrison Street #1150, CA 94612 Oakland, United States of America (hereinafter: Unpkg).

Unpkg is used as a Content Delivery Network (CDN). Content on this website, such as fonts and stylesheets, is delivered faster with the CDN via a network of regionally distributed servers. For this purpose, your browser must connect to the unpkg servers. In this way, unpkg learns that this website was opened via your IP address. If the files in question have already been loaded on another CDN site, your browser will usually access the copy stored in the cache. If you have activated Java Script in your browser and have not installed a Java Script blocker, your browser can transmit data to Unpkg.

This processing is carried out on the basis of Art. 6 para. 1 lit. f GDPR on the basis of the legitimate interest in the fast and secure provision and optimization of this website.

Further information on the handling of the transmitted data can be found in the Unpkg privacy policy at https://www.npmjs.com/policies/privacy.

WPML

We use WPML from OnTheGoSystems Limited, 22/F 3 Lockhart Road, Wanchai, Hong Kong (hereinafter referred to as: WPML).

WPML is a multilingual plugin for WordPress. We use WPML to display our website in different languages. When you visit our website, WPML stores a cookie on your end device to save the language setting you have selected. This allows personal data to be stored and analyzed, in particular the user’s activity (in particular which pages have been visited and which elements have been clicked on) as well as device and browser information (in particular the IP address and operating system).

Further information on the collection and storage of data by WPML can be found here:
https://wpml.org/documentation/privacy-policy-and-gdpr-compliance

The use of WPML enables us to display our website in multiple languages.

Legal basis for the processing of personal data

The legal basis for data processing is Art. 6 para. 1 sentence 1 lit. f GDPR. Our legitimate interest lies in addressing visitors to our website in their native language.

WPML stores cookies on your end device. Information on the storage duration of cookies can be found at: https://wpml.org/documentation/privacy-policy-and-gdpr-compliance

4.2. Newsletter

Pipedrive

We use Pipedrive, offered by the company Pipedrive OÜ, Paldiski mnt 80, Tallinn 10617, Estonia, to send newsletters.

The basis for sending the regular newsletter is your consent; you have the option to revoke your consent at any time and without giving reasons.

The legal basis for this is Art. 6 para. 1 sentence 1 lit. a GDPR.

We have concluded a contract for order processing in accordance with Art. 28 GDPR with the above-mentioned provider. This is a contract prescribed by data protection law, which guarantees that the provider will only process the personal data of our website visitors in accordance with our instructions and in compliance with the GDPR.

5. Tools and services for analysis, statistics and marketing

5.1. Analysis and statistics

Google Tag Manager

 We use the Google Tag Manager. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

The Google Tag Manager is a tool with the help of which we can use tracking or statistics tools and other

technologies on our website. The Google Tag Manager itself does not create

user profiles, does not store any cookies and does not carry out any independent analyses. It is only used to manage and display the tools integrated via it. However, Google Tag Manager records your IP address, which may also be transmitted to Google’s parent company in the United States.

The Google Tag Manager is used on the basis of Art. 6 para. 1 lit. f GDPR.

Google Analytics (4)

This website uses functions of the web analysis service Google Analytics. The provider is Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland.

Google Analytics enables the website operator to analyse the behaviour of website visitors. The website operator receives various usage data, such as page views, length of visit, operating systems used and origin of the user. This data is summarized in a user ID and assigned to the respective end device of the website visitor.

We can also use Google Analytics to record your mouse and scroll movements and clicks, among other things. Google Analytics also uses various modelling approaches to supplement the recorded data records and uses machine learning technologies for data analysis.

Google Analytics uses technologies that enable the recognition of the user for the purpose of analyzing user behaviour (e.g. cookies or device fingerprinting). The information collected by Google about the use of this website is generally transmitted to a Google server in the USA and stored there. The use of this service is based on your consent in accordance with Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TDDDG. You can revoke your consent at any time.

Data transfer to the USA is based on the standard contractual clauses of the EU Commission. You can find details here: https://privacy.google.com/businesses/controllerterms/mccs/.

The European Commission has issued an adequacy decision for the USA, provided that companies are certified in accordance with the Data Privacy Framework Program. Google is certified accordingly and thus fulfils the requirements of the EU Commission.

Browser plugin

You can prevent the collection and processing of your data by Google by downloading and installing the browser plugin available at the following link: https://tools.google.com/dlpage/gaoptout?hl=de. You can find more information on how Google Analytics handles user data in Google’s privacy policy: https://support.google.com/analytics/answer/6004245?hl=de.

Google signals

We use Google signals. When you visit our website, Google Analytics records your location, search history and YouTube history as well as demographic data (visitor data), among other things. This data can be used for personalized advertising with the help of Google Signal. If you have a Google account, the visitor data from Google Signal is linked to your Google account and used for personalized advertising messages. The data is also used to compile anonymized statistics on the user behaviour of our users.

Google Analytics e-commerce measurement

This website uses the “e-commerce measurement” function of Google Analytics. With the help of e-commerce measurement, the website operator can analyse the purchasing behaviour of website visitors to improve its online marketing campaigns. Information such as orders placed, average order values, shipping costs and the time from viewing to purchasing a product is recorded. This data can be summarized by Google under a transaction ID that is assigned to the respective user or their device.

5.2. Advertising and marketing

Google Ads

 The website operator uses Google Ads. Google Ads is an online advertising program from Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland.

Google Ads enables us to place adverts in the Google search engine or on third-party websites.

when the user enters certain search terms into Google (keyword targeting). Furthermore, targeted adverts can be displayed based on the user data available at Google (e.g. location data and interests) (target group targeting). We as the website operator can evaluate this data quantitatively, for example by analyzing which search terms led to the display of our advertisements and how many advertisements led to corresponding clicks.

The use of this service is based on your consent in accordance with Art. 6 para. 1 lit. a GDPR and 25 para. 1 TDDDG. Consent can be revoked at any time.

The European Commission has issued an adequacy decision for the USA, provided that companies are certified in accordance with the Data Privacy Framework Program. Google is certified accordingly and thus fulfils the requirements of the EU Commission.

Google reCAPTCHA

We use “Google reCAPTCHA” (hereinafter referred to as “reCAPTCHA”) on this website. The provider is Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland.

The purpose of reCAPTCHA is to check whether the data input on this website (e.g. in a contact form) by a human or by an automated program. For this purpose reCAPTCHA analyses the behaviour of the website visitor based on various characteristics. These analysis starts automatically as soon as the website visitor enters the website. For the analysis reCAPTCHA analyses various information (e.g. IP address, time spent by the website visitor on the website or mouse movements made by the user). The data collected during the analysis is forwarded to Google.

The reCAPTCHA analyses run completely in the background. Website visitors are not that an analysis is taking place.

The data is stored and analyzed on the basis of Art. 6 para. 1 lit. f GDPR. The website operator has a legitimate interest in protecting its website from abusive automated spying and SPAM. If a corresponding consent has been requested, the processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a GDPR and 25 para. 1 TDDDG, insofar as the consent includes the storage of cookies or access to information in the user’s terminal device (e.g. device fingerprinting) within the meaning of the TDDDG. Consent can be revoked at any time.

For more information about Google reCAPTCHA, please refer to the Google Privacy Policy and the Google Terms of Service at the following links:

https://policies.google.com/privacy?hl=de and

https://policies.google.com/terms?hl=de

LinkedIn Insight Tag

This website uses the LinkedIn Insight tag. The provider of this service is LinkedIn Ireland

Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland.

With the help of the LinkedIn Insight Tag, we receive information about the visitors to our website. If a website visitor is registered with LinkedIn, we can, among other things, analyse the key professional data (e.g. career level, company size, country, location, industry and job title) of our website visitors and thus better tailor our site to the respective target groups. We can also use LinkedIn Insight Tags to measure whether visitors to our websites make a purchase or take another action (conversion measurement). Conversion measurement can also be carried out across devices (e.g. from PC to tablet). LinkedIn Insight Tag also offers a retargeting function that we can use to display targeted advertising to visitors to our website outside the website, whereby, according to LinkedIn, no identification of the advertising addressee takes place.

LinkedIn itself also collects so-called log files (URL, referrer URL, IP address, device and browser properties and time of access). The IP addresses are shortened or (if they are used to reach LinkedIn members across devices) hashed (pseudonymized). The direct identifiers of LinkedIn members are deleted by LinkedIn after seven days. The remaining pseudonymized data is then deleted within 180 days.

The data collected by LinkedIn cannot be assigned to specific individuals by us as the website operator. LinkedIn will store the personal data collected from website visitors on its servers in the USA and use it for its own advertising purposes. Details can be found in LinkedIn’s privacy policy at

https://www.linkedin.com/legal/privacy-policy#choices-oblig.

The use of LinkedIn Insight is based on Art. 6 para. 1 lit. f GDPR. The website operator has a legitimate interest in effective advertising measures including social media. If a corresponding consent has been requested, the processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a GDPR and 25 para. 1 TDDDG, insofar as the consent includes the storage of cookies or access to information in the user’s end device (e.g. device fingerprinting) within the meaning of the TDDDG. Consent can be revoked at any time.

Data transfer to the USA is based on the standard contractual clauses of the EU Commission.

Details can be found here:

https://www.linkedin.com/legal/l/dpa and

https://www.linkedin.com/legal/l/eu-sccs.

The European Commission has also issued an adequacy decision for the USA, provided that companies are certified in accordance with the Data Privacy Framework Program. LinkedIn is certified accordingly and thus fulfils the requirements of the EU Commission.

Object to the analysis of user behaviour and targeted advertising by LinkedIn under the following link:

https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.

Furthermore, members of LinkedIn can object to the use of their personal data for advertising purposes in the account settings. In order to prevent a link from our website data collected by LinkedIn and your LinkedIn account, you must log out of your LinkedIn account before visiting our website.

We have concluded a contract for order processing in accordance with Art. 28 GDPR with the above-mentioned provider. This is a contract prescribed by data protection law, which guarantees that the provider will only process the personal data of our website visitors in accordance with our instructions and in compliance with the GDPR.

Facebook & Instagram Pixel

This website uses Facebook’s visitor action pixel to measure conversions. The provider of this service is Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland. However, according to Facebook, the data collected is also transferred to the USA and other third countries.

In this way, the behaviour of site visitors can be tracked after they have clicked on a Facebook ad were redirected to the provider’s website. This allows the Effectiveness of Facebook adverts evaluated for statistical and market research purposes and future advertising measures can be optimized. The data collected is anonymous for us as the operator of this website; we cannot draw any conclusions about the identity of the user. However, the data is stored and processed by Facebook so that a connection to the respective user profile is possible and Facebook can use the data for its own advertising purposes in accordance with the Facebook Data Usage Policy. This enables Facebook to place adverts on Facebook pages and outside of Facebook. This use of the data cannot be influenced by us as the site operator.

The use of this service is based on your consent in accordance with Art. 6 para. 1 lit. a GDPR and 25 para. 1 TDDDG. Consent can be revoked at any time.

Data transfer to the USA is based on the standard contractual clauses of the EU Commission.

Facebook is also certified in accordance with the Data Privacy Framework Program.

https://www.facebook.com/legal/EU_data_transfer_addendum and

https://de-de.facebook.com/help/566994660333381.

Facebook is also certified in accordance with the Date Privacy Framework.

Insofar as personal data is collected on our website with the help of the tool described here and forwarded to Facebook, we and Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland are jointly responsible for this data processing (Art. 26 GDPR). The joint responsibility is limited exclusively to the collection of the data and its transfer to Facebook. The processing carried out by Facebook after forwarding is not part of the joint responsibility. The obligations incumbent on us jointly have been set out in an agreement on joint processing. You can find the wording of the agreement at

https://www.facebook.com/legal/controller_addendum. According to this agreement, we are responsible for providing data protection information when using the Facebook tool and for the secure implementation of the tool on our website in accordance with data protection law. Facebook is responsible for the data security of Facebook products. You can assert data subject rights (e.g. requests for information) regarding the data processed by Facebook directly with Facebook. If you assert your data subject rights with us, we are obliged to forward them to Facebook.

You can find further information on protecting your privacy in Facebook’s data protection information: https://de-de.facebook.com/about/privacy/.

You can also activate the remarketing function “Custom Audiences” in the Settings for Deactivate adverts at https://www.facebook.com/ads/preferences/?entry_product=ad_settings_screen. In addition

you must be logged in to Facebook.

SalesViewer® technology

This website uses SalesViewer® technology from SalesViewer® GmbH, Universitätsstraße 60, 44789 Bochum, Germany, to collect and store data for marketing, market research and optimization purposes.

For this purpose, a javascript-based code is used to collect company-related data and use it accordingly. The data collected using this technology is encrypted using a non-reversible one-way function (known as hashing). The data is immediately pseudonymized and is not used to personally identify the visitor to this website.

The data is analyzed on the basis of Art. 6 para. 1 lit. f GDPR. The website operator has a legitimate interest in collecting data for optimization purposes. If a corresponding consent has been requested, the processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a GDPR and 25 para. 1 TDDDG, insofar as the consent includes the storage of cookies or access to information in the user’s terminal device (e.g. device fingerprinting) within the meaning of the TDDDG. Consent can be revoked at any time.

The data stored as part of Salesviewer will be deleted as soon as it is no longer required for its intended purpose and the deletion does not conflict with any statutory retention obligations.

 

5.3. Social media and communication

Vimeo without tracking (Do-Not-Track)

This website uses plugins from the video portal Vimeo. The provider is Vimeo Inc, 555 West 18th Street, New York, New York 10011, USA.

When you visit one of our pages equipped with Vimeo videos, a connection to the Vimeo servers is established. This tells the Vimeo server which of our pages you have visited. Vimeo also obtains your IP address. However, we have configured Vimeo so that Vimeo will not track your user activities and will not set any cookies.

The use of Vimeo is in the interest of an appealing presentation of our online offers. This constitutes a legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR. If a corresponding consent has been requested, the processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a GDPR; the consent can be revoked at any time.

The data transfer to the USA is based on the standard contractual clauses of the EU Commission and, according to Vimeo, on “legitimate business interests”. You can find details here:

https://vimeo.com/privacy.

Further information on the handling of user data can be found in Vimeo’s privacy policy at: https://vimeo.com/privacy.

6. Economic analyses and market research

For business reasons and in order to identify market trends and the wishes of contractual partners and users, we analyze the data we have on business transactions, contracts, enquiries, etc., whereby the group of data subjects may include contractual partners, interested parties, customers, visitors and users of our online offering.

The analyses are carried out for the purpose of business evaluations, marketing and market research (e.g. to determine customer groups with different characteristics). If available, we may take into account the profiles of registered users, including their details, e.g. on services used. The analyses are used solely by us and are not disclosed externally, unless they are anonymous analyses with summarized, i.e. anonymized values. Furthermore, we take the privacy of users into consideration and process the data for analysis purposes as pseudonymously as possible and, where feasible, anonymously (e.g. as summarized data).

7. Online presence on social media

If you have given your consent to the respective social media operator in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR, your data will be automatically collected and stored for market research and advertising purposes when you visit our online presences on our social media channels, from which user profiles are created using pseudonyms. These can be used, for example, to place adverts within and outside the platforms that presumably correspond to your interests. Cookies are generally used for this purpose. For detailed information on the processing and use of the data by the respective social media operator as well as a contact option and your rights and setting options for protecting your privacy, please refer to the respective linked data protection notices of the providers on their websites. If you still need help in this regard, you can contact us.

8. Security

We have taken technical and administrative security precautions to protect your personal data against loss, destruction, manipulation and unauthorized access. All our employees and service providers working for us are obliged to comply with the applicable data protection laws.

Whenever we collect and process personal data, it is encrypted before it is transmitted. This means that your data cannot be misused by third parties. Our security precautions are subject to a continuous improvement process and our data protection declarations are constantly being revised. Please ensure that you have the latest version.

9. What data is processed and from which sources does this data originate?

We process the data that we have received from you in the context of contract initiation or processing, on the basis of consent or in the context of your application to us or in the context of your employment with us.

Personal data includes the following

  • Your master/contact data, for customers this includes e.g. first name and surname, address, contact details (e-mail address, telephone number, fax), bank details.
  • For applicants and employees, this includes, for example, first name and surname, address, contact details (e-mail address, telephone number, fax), date of birth, data from CV and references, bank details, religious affiliation, photographs.
  • For business partners, this includes, for example, the name of their legal representative, company, commercial register number, VAT number, company number, address, contact details (e-mail address, telephone number, fax), bank details.
  • For visitors to our company, this includes name and signature.

 

In addition, we also process the following other personal data:

  • Information on the type and content of contract data, order data, sales and document data, customer and supplier history and consulting documents,
  • Advertising and sales data,
  • other data that we have received from you in the course of our business relationship (e.g. in discussions with customers),
  • Data that we generate ourselves from master / contact data and other data, e.g. by means of customer demand and customer potential analyses,
  • the documentation of your declaration of consent for the receipt of e.g. newsletters.
  • Photographs taken as part of events.

 

For what purposes and on what legal basis is the data processed?

We process your data in accordance with the provisions of the General Data Protection Regulation (GDPR) and the Federal Data Protection Act 2018 as amended:

–           for the fulfilment of (pre-)contractual obligations (Art. 6 para. 1 lit. b GDPR):

Your data will be processed for the purpose of contract fulfilment, for the contractual processing of your employment or your application to our company. The data is processed in particular when initiating business and when executing contracts with you.

 

–           for the fulfilment of legal obligations (Art. 6 para. 1 lit. c GDPR):

The processing of your data is necessary for the purpose of fulfilling various legal obligations, e.g. from the German Commercial Code or the German Fiscal Code.

 

–           to safeguard legitimate interests (Art. 6 para. 1 lit. f GDPR):

Based on a balancing of interests, data processing may take place beyond the actual fulfilment of the contract to protect our legitimate interests or those of third parties. Data processing to protect legitimate interests takes place in the following cases, for example:

  • Advertising or marketing
  • Measures for business management and further development of services and products;
  • in the context of legal prosecution
  • Sending of non-sales-promoting information and press releases.

–           within the scope of your consent (Art. 6 para. 1 lit. a GDPR):

If you have given us your consent to process your data, e.g. to send you our newsletter, to publish photos, if we do not make you a job offer following an application, you may be included in our applicant pool.

Processing of personal data for advertising purposes

You can object to the use of your personal data for advertising purposes at any time, either as a whole or for individual measures, without incurring any costs other than the transmission costs according to the basic rates.

Subject to the legal requirements of Section 7 (3) UWG, we are authorized to use the email address you provided when concluding the contract for direct advertising for our own similar goods or services. You will receive these product recommendations from us regardless of whether you have subscribed to a newsletter.

If you do not wish to receive such recommendations from us by e-mail, you can object to the use of your address for this purpose at any time without incurring any costs other than the transmission costs according to the basic rates. A message in text form is sufficient for this. Of course, each e-mail always contains an unsubscribe link.

Who receives my data?

 If we use a service provider in the sense of order processing, we nevertheless remain responsible for the protection of your data. All processors are contractually obliged to treat your data confidentially and to process it only within the scope of providing the service. The processors commissioned by us will receive your data if they require the data to fulfil their respective service. These are, for example, IT service providers that we require for the operation and security of our IT system as well as advertising and address publishers for our own advertising campaigns.

In the event of a legal obligation and in the context of legal prosecution, authorities and courts as well as external auditors may be recipients of your data.

In addition, insurance companies, banks, credit agencies and service providers may be recipients of your data for the purpose of contract initiation and fulfilment.

How long will my data be stored?

We process your data until the termination of the business relationship or until the expiry of the applicable statutory retention periods (e.g. from the German Commercial Code, the German Fiscal Code or the Working Hours Act); in addition, until the termination of any legal disputes in which the data is required as evidence.

10. What data protection rights do I have?

You have the right to information, correction, deletion or restriction of the processing of your stored data, a right to object to the processing as well as a right to data portability and to lodge a complaint in accordance with the requirements of data protection law.

Right to access:

You can request information from us as to whether and to what extent we process your data.

Right to rectification:

If we process your data that is incomplete or incorrect, you can request that we correct or complete it at any time.

Right to erasure:

You can demand that we erase your data if we process it unlawfully or if the processing disproportionately interferes with your legitimate protection interests. Please note that there may be reasons that prevent immediate erasure, e.g. in the case of statutory retention obligations.

Irrespective of the exercise of your right to erasure, we will erase your data immediately and completely, provided that there is no legal or statutory retention obligation to the contrary.

Right to restriction of processing:

You can request that we restrict the processing of your data if

-you contest the accuracy of the data, for a period enabling us to verify the accuracy of the data.

-The     processing of the data is unlawful, but you refuse to have it erased and instead request that the use of the data be restricted,

-we      no longer need the data for the intended purpose, but you still need this data for the assertion or defence of legal claims, or

-you have objected to the processing of the data.

Right to data portability:

You may request that we provide you with the data you have provided to us in a structured, commonly used and machine-readable format and that you may transmit this data to another controller without hindrance from us, provided that

– we process this data on the basis of a consent given and revocable by you or for the fulfilment of a contract between us, and

– this processing is carried out using automated procedures.

If technically feasible, you can request that we transfer your data directly to another controller.

Right of objection:

If we process your data on the basis of a legitimate interest, you can object to this data processing at any time; this would also apply to profiling based on these provisions. We will then no longer process your data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or the processing serves the establishment, exercise or defence of legal claims. You can object to the processing of your data for the purpose of direct advertising at any time without giving reasons.

Right of appeal:

If you are of the opinion that we are violating German or European data protection law when processing your data, please contact us so that we can clarify any questions you may have. Of course, you also have the right to contact the supervisory authority responsible for you, the respective state office for data protection supervision.

If you wish to assert one of these rights against us, please contact our data protection officer. In case of doubt, we may request additional information to confirm your identity.

Am I obliged to provide data?

The processing of your data is necessary for the conclusion or fulfilment of the contract you have entered into with us. If you do not provide us with this data, we will generally have to refuse to conclude the contract or will no longer be able to fulfil an existing contract and will therefore have to terminate it. However, you are not obliged to give your consent to data processing with regard to data that is not relevant or legally required for the fulfilment of the contract.

11. Changes to this privacy policy

We reserve the right to change our privacy policy if this should be necessary due to new technologies. Please ensure that you have the latest version. If fundamental changes are made to this privacy policy, we will announce these on our website.