Data Privacy Notice

Controller

Wucherpfennig & Krohn GmbH
Birkenallee 2-4
23738 Lensahn, Germany

04363 903 10

info@wucherpfennig.de

Persons authorised to represent the company:

Matthias Krohn, Dr Lars Wucherpfennig, Christine Meyer

Legal notice: www.wucherpfennig.de/impressum

 

Data protection officer contact details

a.s.k. Datenschutz e.K.
Schulstrasse 16a
91245 Simmelsdorf

Phone: 0049-(0)9155-263 99 70
info@ask-datenschutz.de

Overview of processing

The following overview summarises the types of data processed, the purposes of processing and the categories of data subjects.

Types of data processed

Master data
Contact data
Content data
Usage data
Meta, communication and process data
Log data
 

Categories of data subjects
Visitors to the website
Communication partners
Users

Purposes of processing

Provision of contractual services and fulfilment of contractual obligations
Communication
Security measures
Reach measurement
Tracking
Conversion measurement
Target group formation
Organisational and administrative procedures
Feedback
Marketing
Profiles with user-related information
Provision of our website and user-friendliness
Information technology infrastructure

Relevant legal bases

Below you will find an overview of the legal provisions of the GDPR on the basis of which we process personal data. Please note that, in addition to the provisions of the GDPR, national data protection regulations may apply in your or our country of residence or domicile. Should more specific legal bases also apply in individual cases, we inform you of these in the privacy policy.

Consent (Art. 6(1) sentence (1) point (a) GDPR)
Contract fulfilment and pre-contractual enquiries (Art. 6(1) sentence (1) point (b) GDPR)
Legal obligation (Art. 6(1) sentence (1) point (c) GDPR)
Legitimate interests (Art. 6(1) sentence (1) point (f) GDPR)

In addition to the data protection regulations of the GDPR, national data protection regulations apply in Germany. These include, in particular, the Act on the Protection against Misuse of Personal Data in Data Processing (Federal Data Protection Act - BDSG). In particular, the BDSG contains special regulations on the right to information, the right to erasure, the right to object, processing of special categories of personal data, processing for other purposes, transmission and automated decision-making in individual cases, including profiling. The data protection laws of the individual federal states may also apply.

Security measures

We take appropriate technical and organisational measures in accordance with the legal requirements, taking into account the state of the art, the implementation costs and the nature, scope, circumstances and purposes of the processing as well as the different probabilities of occurrence and the extent of the threat to the rights and freedoms of natural persons, in order to ensure a level of protection appropriate to the risk.

The measures include, in particular, safeguarding the confidentiality, integrity and availability of data by controlling physical and electronic access to it, software access, input, disclosure, safeguarding of availability and separation of data. Furthermore, we have established procedures that ensure that data subjects can exercise their rights, that data is erased and that there is an appropriate response to data threats. We also take the protection of personal data into account during the development and selection of hardware, software and processes in accordance with the principle of data protection, through design of the technology and default settings that support data protection.

If IP addresses are processed by us or by the service providers and technologies used and the processing of a full IP address is not required, the IP address is truncated (also known as “IP masking”). In this process, the last two digits or the last part of the IP address after the dot are removed or replaced by placeholders. Truncation of the IP address is intended to prevent or significantly complicate identification of a person based on their IP address.

To protect user data transmitted via our online services from unauthorised access, we use TLS/SSL encryption technology. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the cornerstones of secure data transmission on the internet. These technologies encrypt the information transmitted between the website or app and the user’s browser (or between two servers), protecting the data from unauthorised access. TLS, as the more advanced and secure version of SSL, ensures that all data transmissions meet the highest security standards. If a website is secured by an SSL/TLS certificate, this is indicated by the letters HTTPS in the URL. This serves as an indicator to users that their data is being transmitted securely and in encrypted form.

International data transfers

If we process data in a third country (i.e. outside the European Union (EU), the European Economic Area (EEA)) or if the processing is carried out in the context of the use of third-party services or the disclosure or transfer of data to other persons, bodies or companies, this will only take place in accordance with the legal requirements. If the level of data protection in the third country has been recognised by means of an adequacy decision (Art. 45 GDPR), this serves as the basis for the data transfer. Otherwise, data will only be transferred if the level of data protection is otherwise ensured, in particular through standard contractual clauses (Art. 46(2) point (c) GDPR), with express consent or in the case of contractual or legally required transfer (Art. 49(1) GDPR). In addition, we will inform you of the basis for third country transfers for the individual providers from the third country, whereby the adequacy decisions take precedence. Details of third country transfers and existing adequacy decisions can be found in the information provided by the EU Commission: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection_en?prefLang=en.

EU-US Trans-Atlantic Data Privacy Framework: As part of the so-called “Data Privacy Framework” (DPF), the EU Commission has also recognised the level of data protection for certain companies from the USA as secure in the context of the adequacy decision of 10.07.2023. The list of certified companies and further information on the DPF can be found on the website of the US Department of Commerce at www.dataprivacyframework.gov. As part of our privacy policy, we inform you which of the service providers we use are certified under the Data Privacy Framework.

 

Transmission of personal data

Within the framework of our processing of personal data, it may be transmitted or disclosed to other bodies, companies, legally independent organisational units or persons. The recipients of the data may include, for example, service providers commissioned with IT tasks or providers of services and content that are integrated into the website. In such cases, we observe the legal requirements and, in particular, conclude corresponding contracts or agreements with the recipients of your data that serve to protect it.

We may transfer personal data to other companies within our corporate group or grant them access to this data. If this transfer takes place for administrative purposes, the transfer of data is based on our legitimate business and commercial interests, is necessary to fulfil our contractual obligations or is carried out with the consent of the data subjects or on the basis of an existing legal permission.

General information about data storage and erasure

We erase personal data that we process in accordance with the statutory provisions as soon as the underlying consent is withdrawn or there is no further legal basis for the processing. This applies to cases in which the original purpose of processing no longer applies or the data is no longer required. Exceptions to this rule exist if legal obligations or special interests require longer storage or archiving of the data.

In particular, data that must be stored in accordance with commercial or tax law or the storage of which is necessary for legal prosecution or to protect the rights of other natural or legal persons must be archived accordingly.

Our privacy policy includes additional information about the retention and erasure of data that applies specifically to certain processing operations.

If there is more than one specification of the length of a retention or erasure period, the longest period shall always take precedence.

If a period does not expressly begin on a specific date and is at least one year, it automatically starts at the end of the calendar year in which the event triggering the period occurred. In the case of ongoing contractual relationships in the context of which data is stored, the event triggering the deadline is the date on which the cancellation or other termination of the legal relationship takes effect.

We only process data that is no longer stored for the originally intended purpose in accordance with the legal requirements or other reasons that justify its storage.

Rights of data subjects

As a data subject, you are entitled to various rights under the GDPR, which arise in particular from Art. 15 to 21 GDPR:

Right to object: You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on point (e) or (f) of Article 6(1) GDPR. If the personal data concerning you is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for the purpose of such marketing.

Right to withdraw consent: You have the right to withdraw your consent at any time.

Right of access: You have the right to obtain confirmation as to whether or not personal data concerning you is being processed and to obtain information about this data, further information and a copy of the data in accordance with the legal requirements.

Right to rectification: In accordance with the statutory provisions, you have the right to request the completion of data concerning you or the rectification of inaccurate data concerning you.

Right to erasure and restriction of processing: In accordance with the statutory provisions, you have the right to demand that data concerning you be erased immediately or, alternatively, to demand that the processing of the data be restricted in accordance with the statutory provisions.

Right to data portability: You have the right to receive the data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format in accordance with the legal requirements or to request its transmission to another controller.

Complaint to a supervisory authority: In accordance with the legal requirements and without prejudice to any other administrative or judicial remedy, you also have the right to lodge a complaint with a data protection supervisory authority, in particular a supervisory authority in the Member State in which you are habitually resident, the supervisory authority of your place of work or the place of the alleged infringement, if you consider that the processing of personal data relating to you infringes the GDPR.

Provision of the website and web hosting

We process users’ data in order to provide them with our online services. For this purpose, we process the user’s IP address, which is necessary to transmit the content and functions of our online services to the user’s browser or end device.

Types of data processed: Usage data (e.g. page views and length of visit, click paths, intensity and frequency of use, device types and operating systems used, interactions with content and functions); meta, communication and process data (e.g. IP addresses, time data, identification numbers, persons involved). Log data (e.g. log files relating to logins or the retrieval of data or access times).

Data subjects: Users (e.g. website visitors, users of online services).

Purposes of processing: Provision of our website and user-friendliness; information technology infrastructure (operation and provision of information systems and technical devices (computers, servers, etc.)); security measures; provision of contractual services and fulfilment of contractual obligations.

Storage and erasure: Erasure in accordance with the information in the section “General information about data storage and erasure”.

Legal basis: Legitimate interests (Art. 6(1) sentence (1) point (f) GDPR).

Further information about processing operations, procedures and services:

Provision of website on rented storage space: For the provision of our website, we use storage space, computing capacity and software that we rent or otherwise obtain from an appropriate server provider (also called “web host”); Legal basis: Legitimate interests (Art. 6(1) sentence (1) point (f) GDPR).

Provision of website on our own/dedicated server hardware: To provide our website, we use server hardware operated by us and the associated storage space, computing capacity and software;

Legal basis: Legitimate interests (Art. 6(1) sentence (1) point (f) GDPR).

Collection of access data and log files: Access to our website is logged in the form of so-called “server log files”. The server log files may include the address and name of the web pages and files accessed, date and time of access, data volumes transferred, notification of successful access, browser type and version, the user’s operating system, referrer URL (the previously visited page) and, as a rule, IP addresses and the requesting provider. The server log files can be used for security purposes, e.g. to avoid overloading the servers (especially in the event of abusive attacks, so-called DDoS attacks) and to safeguard the capacity utilisation and stability of the servers; Legal basis: Legitimate interests (Art. 6(1) sentence (1) point (f) GDPR). Erasure of data: Log file information is stored for a maximum of 30 days and then erased or anonymised. Data which must be stored for longer for evidentiary purposes is excluded from erasure until the incident in questions has been finally resolved.

1&1 IONOS: Services in the field of the provision of information technology infrastructure and related services (e.g. storage space and/or computing capacities); Service provider: 1&1 IONOS SE, Elgendorfer Str. 57, 56410 Montabaur, Germany; Legal basis: Legitimate interests (Art. 6(1) sentence (1) point (f) GDPR); Website: www.ionos.de; Privacy policy: www.ionos.de/terms-gtc/terms-privacy. Commissioned data processing agreement: www.ionos.de/hilfe/datenschutz/allgemeine-informationen-zur-datenschutz-grundverordnung-dsgvo/auftragsverarbeitung/.

Use of cookies

Cookies are small text files or other storage notes that store information on end devices, which can then be read from them. This includes, for example, storing the log-in status for a user account, the contents of a shopping basket in an e-shop, the content accessed or the functions used on a website. Cookies can also be used for various other purposes, for example to ensure the functionality, security and convenience of online services and to create analyses of visitor flows.

Information about consent: We use cookies in accordance with the statutory provisions. We therefore obtain prior consent from users, unless this is not required by law. In particular, consent is not required if the storage and reading of information, including cookies, is absolutely necessary in order to provide users with a telemedia service that they have expressly requested (i.e. our website). The fact that you have given your consent and may withdraw it is communicated clearly to you and the information includes details of the use of cookies.

Information on legal bases under data protection law: The legal basis under data protection law on which we process users’ personal data using cookies depends on whether we ask for their consent. If users accept, the legal basis for processing their data is their declared consent. Otherwise, the data processed using cookies is carried out on the basis of our legitimate interests (e.g. in the commercial operation of our website and improvement of its usability); or, if it occurs in the context of the fulfilment of our contractual obligations, the use of cookies is necessary to fulfil those contractual obligations. We explain the purposes for which we use cookies in the course of this privacy policy and as part of our consent and processing procedures.

Storage period: With regard to the storage period, a distinction is made between the following types of cookies:

Temporary cookies (also: session cookies): Temporary cookies are erased at the latest after a user has left an online service and closed their end device (e.g. browser or mobile application).

Permanent cookies: Permanent cookies remain stored even after the end device is closed. For example, the log-in status can be saved and favourite content can be displayed directly when the user visits the website again. The user data collected with the help of cookies can also be used to measure reach. If we do not provide users with explicit information on the type and storage duration of cookies (e.g. when obtaining consent), they should assume that they are permanent and that the storage period can be up to two years.

General information about withdrawal and objection (opt-out): Users may withdraw the consent they have given at any time and object to the processing in accordance with the legal provisions, including by means of the privacy settings of their browser.

Processed data types: Meta, communication and process data (e.g. IP addresses, time data, identification numbers, persons involved).

Data subjects: Users (e.g. website visitors, users of online services).

Legal basis: Legitimate interests (Art. 6(1) sentence (1) point (f) GDPR).

Contact and enquiry management

When contacting us (e.g. by post, contact form, email or telephone) and in the context of existing user and business relationships, the details of the person submitting the enquiry are processed insofar as this is necessary to answer the enquiry and carry out any measures requested.

Processed data types: Master data (e.g. full name, contact information, etc.); contact data (e.g. email addresses); content data (e.g. text or image messages and posts and the information relating to them, such as authorship or time of creation); usage data (e.g. page views and dwell time, click paths, intensity and frequency of use, device types and operating systems used, interactions with content and functions). Meta, communication and process data (e.g. IP addresses, time data, identification numbers, persons involved).

Data subjects: Communication partners.

Purposes of processing: Communication; organisational and administrative procedures; feedback; provision of our website and user-friendliness.

Storage and erasure: Erasure in accordance with the information in the section “General information about data storage and erasure”.

Legal bases: Legitimate interests (Art. 6(1) sentence (1) point (f) GDPR). Contract fulfilment and pre-contractual enquiries (Art. 6(1) sentence (1) point (b) GDPR).

Further information about processing operations, procedures and services:

Contact form: When contacting us via our contact form, by email or other communication channels, we process the personal data transmitted to us to answer and process the enquiry. This generally includes details such as name, contact information and any other information that is provided to us and is required for appropriate processing. We use this data exclusively for the stated purpose of establishing contact and communication; Legal basis: fulfilment of contract and pre-contractual enquiries (Art. 6(1) sentence (1) point (b) GDPR), legitimate interests (Art. 6(1) sentence (1) point (f) GDPR).

Web analysis, monitoring and optimisation

Web analysis (also referred to as “reach measurement”) is used to evaluate the flow of visitors to our website and may include behaviour, interests and demographic information about visitors, such as age or gender, as pseudonymous values. With the help of reach analysis, we can, for example, identify the time at which our website or its functions or content are most frequently used or invite visitors to reuse them. It also enables us to identify areas which require optimisation.

In addition to web analysis, we may also use test procedures, for example to test and optimise different versions of our website or its components.

Unless otherwise stated below, profiles, i.e. data summarised for a usage process, can be created for these purposes and information can be stored in a browser or end device and then read from there. The information collected includes, in particular, pages visited and the elements used there as well as technical information such as the browser used, the computer system used and information about usage times. If users have consented to the collection of their location data from us or from the providers of the services we use, it is also possible that that location data will be processed.

In addition, the IP addresses of users are stored. However, we use an IP masking procedure (i.e. pseudonymisation by truncating the IP address) to protect users. In general, no unique user data (such as email addresses or names) is stored in the context of web analysis, A/B testing and optimisation, but pseudonyms are used. This means that neither we nor the providers of the software used know the actual identity of the users, but only the information stored in their profiles for the purpose of the respective process.

Information about legal bases: If we ask users for their consent to the use of third-party providers, the legal basis for data processing is consent. Otherwise, user data is processed on the basis of our legitimate interests (i.e. interest in efficient, economical and recipient-friendly services). In this context, we would also like to draw your attention to the information about the use of cookies in this privacy policy.

Processed data types: Usage data (e.g. page views and dwell time, click paths, intensity and frequency of use, device types and operating systems used, interactions with content and functions). Meta, communication and process data (e.g. IP addresses, time data, identification numbers, persons involved).

Data subjects: Users (e.g. website visitors, users of online services).

Purposes of processing: Reach measurement (e.g. access statistics, recognition of returning visitors); profiles with user-related information (creation of user profiles). Provision of our website and user-friendliness.

Storage and erasure: Erasure in accordance with the information in the section “General information about data storage and erasure”. Storage of cookies for up to 2 years (Unless otherwise stated, cookies and similar storage methods may be stored on users’ devices for a period of two years).

Security measures: IP masking (pseudonymisation of the IP address).

Legal bases: Consent (Art. 6(1) sentence (1) point (a) GDPR). Legitimate interests (Art. 6(1) sentence (1) point (f) GDPR).

 

Further information about processing operations, procedures and services: Google Analytics: We use Google Analytics to measure and analyse the use of our website on the basis of a pseudonymous user identification number. This identification number does not contain any unique data, such as names or email addresses. It is used to assign analysis information to an end device in order to recognise which content users have accessed within one or more usage processes, which search terms they have used, which they have retrieved again and which they have interacted with on our website. The time of use and its duration are also stored, as well as the sources of the users who refer to our website and technical aspects of their end devices and browsers. Pseudonymised user profiles are created with information from the use of various devices, and cookies may be used in this context. Google Analytics does not log or store individual IP addresses for EU users. However, Analytics provides rough geographical location data by deriving the following metadata from IP addresses: city (and the city’s inferred latitude and longitude), continent, country, region, subcontinent (and ID-based counterparts). For EU traffic, the IP address data is used exclusively for this derivation of geolocalisation data before it is immediately erased. It is not logged, is not accessible and is not used for other purposes. When Google Analytics collects measurement data, all IP queries are performed on EU-based servers before the traffic is forwarded to Analytics servers for processing; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Consent (Art. 6(1) sentence (1) point (a)) GDPR); Website: marketingplatform.google.com/intl/en/about/analytics/; Security measures: IP masking (pseudonymisation of the IP address); Privacy policy: policies.google.com/privacy; Data processing agreement: business.safety.google/adsprocessorterms/; Basis for third country transfers: Data Privacy Framework (DPF);

Opportunity to object (opt-out): Opt-out plug-in: tools.google.com/dlpage/gaoptout; Settings for the display of advertisements: myadcenter.google.com/personalisationoff. Further information: business.safety.google/adsservices/ (types of processing and data processed).

Google Tag Manager: We use Google Tag Manager, a piece of software from Google that enables us to manage so-called website tags centrally via a user interface. Tags are small code elements on our website that are used to record and analyse visitor activity. This technology helps us to improve our website and the content offered on it. Google Tag Manager does not create any user profiles itself, does not store any cookies with user profiles and does not carry out any independent analyses. Its function is limited to simplifying the integration and management of tools and services that we use on our website and making them more efficient. Nevertheless, when using Google Tag Manager, the IP address of the user is transmitted to Google, which is necessary for technical reasons in order to implement the services we use. Cookies may also be set in the process. However, this data processing only takes place if services are integrated via Tag Manager. For more detailed information on these services and their data processing, please refer to the relevant sections of this privacy policy; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Consent (Art. 6(1) sentence (1) point (a) GDPR); Website: marketingplatform.google.com; Privacy policy: policies.google.com/privacy;Data processing agreement: business.safety.google/adsprocessorterms. Basis for third country transfers: Data Privacy Framework (DPF).

Online marketing

We process personal data for the purpose of online marketing, which may include in particular the marketing of advertising space or presentation of advertising and other content (collectively referred to as “content”) based on the potential interests of users and the measurement of its effectiveness.

For these purposes, so-called user profiles are created and stored in a file (the so-called “cookie”) or similar procedures are used, by means of which the information about the user relevant for the presentation of the aforementioned content is stored. This may include, for example, content viewed, websites visited, online networks used, but also communication partners and technical information, such as the browser used, the computer system used and information about usage times and functions used. If users have consented to the collection of their location data, this may also be processed.

The IP addresses of users are also stored. However, we use available IP masking procedures (i.e. pseudonymisation by truncating the IP address) for user protection. In general, no unique user data (such as email addresses or names) is stored as part of the online marketing process, but pseudonyms are used. This means that neither we nor the providers of the online marketing processes know the actual identity of the users, but only the information stored in their profiles.

The information in the profiles is generally stored in the cookies or by means of similar procedures. These cookies can generally also be read later by other websites that use the same online marketing process and analysed for the purpose of displaying content, supplemented with further data and stored on the server of the online marketing process provider.

In exceptional cases, it is possible to assign clear data to the profiles, primarily if the users are, for example, members of a social network whose online marketing processes we use and the network links the user profiles with the aforementioned data. Please note that users may make additional agreements with the providers, for example by giving their consent during registration.

In principle, we only receive access to summarised information about the effectiveness of our advertisements. However, as part of so-called conversion measurements, we can check which of our online marketing procedures have led to a so-called conversion, e.g. to the conclusion of a contract with us. Conversion measurement is used solely to analyse the success of our marketing measures.

Unless otherwise stated, we ask you to assume that the cookies used are stored for a period of two years.

Information about legal bases: If we ask users for their consent to the use of third-party providers, the legal basis for data processing is permission. Otherwise, user data is processed on the basis of our legitimate interests (i.e. interest in efficient, economical and recipient-friendly services). In this context, we would also like to draw your attention to the information about the use of cookies in this privacy policy.

Information about withdrawal and objection: We refer to the privacy policies of the respective providers and the objection options (so-called “opt-outs”) specified for the providers. If no explicit opt-out option has been specified, you have the option of switching off cookies in your browser settings. However, this may restrict the functions of our website. We therefore recommend the following additional opt-out options, which are available in the specified areas:

a) Europe: www.youronlinechoices.eu.

b) Canada: www.youradchoices.ca/choices.

c) USA: www.aboutads.info/choices.

d) Cross-territory: https://optout.aboutads.info.

Processed data types: Usage data (e.g. page views and dwell time, click paths, intensity and frequency of use, device types and operating systems used, interactions with content and functions). Meta, communication and process data (e.g. IP addresses, time data, identification numbers, persons involved).

Data subjects: Users (e.g. website visitors, users of online services).

Purposes of processing: Reach measurement (e.g. access statistics, recognition of returning visitors);

tracking (e.g. interest/behavioural profiling, use of cookies); target group formation; marketing; profiles with user-related information (creation of user profiles). Conversion measurement (measurement of the effectiveness of marketing measures).

Storage and erasure: Erasure in accordance with the information in the section “General information about data storage and erasure”. Storage of cookies for up to 2 years (Unless otherwise stated, cookies and similar storage methods may be stored on users’ devices for a period of two years).

Security measures: IP masking (pseudonymisation of the IP address).

Legal bases: Consent (Art. 6(1) sentence (1) point (a) GDPR). Legitimate interests (Art. 6(1) sentence (1) point (f) GDPR).

Further information about processing operations, procedures and services: Google Ads and conversion measurement: Online marketing procedures for the purpose of placing content and adverts within the service provider’s advertising network (e.g. in search results, in videos, on websites, etc.) so that they are displayed to users who are presumed to be interested in the adverts. In addition, we measure conversion of the adverts, i.e. whether users have taken the opportunity to interact with the ads and use the advertised offers (so-called conversions). However, we only receive anonymous information and no personal information about individual users; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Consent (Art. 6(1) sentence (1) point (a)) GDPR), Legitimate interests (Art. 6(1) sentence (1) point (f) GDPR); Website: marketingplatform.google.com; Privacy policy: policies.google.com/privacy; Basis for third country transfers: Data Privacy Framework (DPF); Further information: Types of processing and data processed: business.safety.google/adsservices/. Data processing conditions between controllers and standard contractual clauses for third country transfers of data: https://business.safety.google/adscontrollerterms.

Presence on social networks (social media)

We maintain an online presence on social networks and process user data in this context in order to communicate with the users active there or to offer information about us.

We would like to point out that user data may be processed outside the European Union. This may result in risks for users because, for example, it could make it more difficult to enforce user rights.

Furthermore, user data within social networks is generally processed for market research and advertising purposes. For example, user profiles can be created based on user behaviour and the resulting interests of users. The latter may in turn be used, for example, to place adverts within and outside the networks that are assumed to correspond to the interests of the users. Cookies in which the user behaviour and interests of the users are stored are therefore generally set on users’ computers. In addition, data can also be stored in the user profiles independently of the devices used by the users (especially if they have accounts on the respective platforms and are logged in there).

For a detailed description of the respective forms of processing and the opt-out options, please refer to the privacy policies and information provided by the operators of the respective networks.

In the case of requests for information and the assertion of data subject rights, we would also like to point out that these can be asserted most effectively with the providers. Only the latter have access to the user data and can take appropriate measures and provide information directly. If you still need help, you can contact us.

Processed data types: Contact data (e.g. postal and email addresses or telephone numbers); content data (e.g. text or image messages and posts and the information relating to them, such as authorship or time of creation). Usage data (e.g. page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions).

Data subjects: Users (e.g. website visitors, users of online services).
Purposes of processing: Communication; feedback (e.g. collecting feedback via the online form). Public relations.
Storage and erasure: Erasure in accordance with the information in the section “General information about data storage and erasure”.
Legal basis: Legitimate interests (Art. 6(1) sentence (1) point (f) GDPR).
Further information about processing operations, procedures and services:

Instagram: Social network that allows you to share photos and videos, comment on and like posts, send messages, subscribe to profiles and pages; Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal basis: Legitimate interests (Art. 6(1) sentence (1) point (f) GDPR); Website: https://www.instagram.com; Privacy policy: https://privacycenter.instagram.com/policy/. Basis for third country transfers: Data Privacy Framework (DPF).

LinkedIn: Social network - We are jointly responsible with LinkedIn Ireland Unlimited Company for the collection (but not the further processing) of visitors’ data, which is collected for the purpose of creating “page insights” (statistics) for our LinkedIn profiles.

This data includes information about the types of content that users view or interact with, the actions they take and the devices used by users (e.g. IP addresses, operating system, browser type, language settings, cookie data) and information from the user’s profile, such as job function, country, industry, hierarchy level, company size and employment status. Data protection information about the processing of user data by LinkedIn can be found in LinkedIn's privacy policy: https://www.linkedin.com/legal/privacy-policy

We have concluded a special agreement with LinkedIn Ireland (“Page Insights Joint Controller Addendum (the ‘Addendum’)”, https://legal.linkedin.com/pages-joint-controller-addendum), which regulates in particular which security measures LinkedIn must observe and in which LinkedIn has agreed to fulfil the rights of data subjects (i.e. users can, for example, send information or erasure requests directly to LinkedIn). The rights of users (in particular to access, erasure, objection and complaint to the competent supervisory authority) are not restricted by the agreements with LinkedIn. The joint controller status is limited to the collection of data by and transfer to Ireland Unlimited Company, a company based in the EU. Further processing of the data is the sole responsibility of Ireland Unlimited Company, which in particular involves transmission of the data to the parent company LinkedIn Corporation in the USA; Service provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland; Legal basis: Legitimate interests (Art. 6(1) sentence (1) point (f) GDPR); Website: www.linkedin.com; Privacy policy: https://www.linkedin.com/legal/privacy-policy; Basis for third country transfers: Data Privacy Framework (DPF). Option to object (opt-out): https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.

Plug-ins and embedded functions and content

We incorporate functional and content elements into our website that are obtained from the servers of their respective providers (hereinafter referred to as “third-party providers”). These may be, for example, graphics, videos or city maps (hereinafter uniformly referred to as “content”).

Such integration always requires that the third-party providers of this content process the IP address of the user, as they would not be able to send the content to the user’s browser without the IP address. The IP address is therefore required to display this content or function. We endeavour only to use content for which the providers only use the IP address to deliver the content. Third-party providers may also use so-called pixel tags (invisible graphics, also known as “web beacons”) for statistical or marketing purposes. Pixel tags can be used to analyse information such as visitor traffic on the pages of this website. The pseudonymous information may also be stored in cookies on the user’s device and may contain, among other things, technical information about the browser and operating system, referring websites, time of visit and other information about the use of our website, and may also be linked to such information from other sources.

Information about legal bases: If we ask users for their consent to the use of third-party providers, the legal basis for data processing is permission. Otherwise, user data is processed on the basis of our legitimate interests (i.e. interest in efficient, economical and recipient-friendly services). In this context, we would also like to draw your attention to the information about the use of cookies in this privacy policy.

Processed data types: Usage data (e.g. page views and dwell time, click paths, intensity and frequency of use, device types and operating systems used, interactions with content and functions). Meta, communication and process data (e.g. IP addresses, time data, identification numbers, persons involved).

Data subjects: Users (e.g. website visitors, users of online services).
Purposes of processing: Provision of our website and user-friendliness.
Storage and erasure: Erasure in accordance with the information in the section “General information about data storage and erasure”. Storage of cookies for up to 2 years (Unless otherwise stated, cookies and similar storage methods may be stored on users’ devices for a period of two years).
Legal bases: Consent (Art. 6(1) sentence (1) point (a) GDPR). Legitimate interests (Art. 6(1) sentence (1) point (f) GDPR).

Further information about processing operations, procedures and services:

Google Maps APIs and SDKs: Interfaces with Google’s map and location services, which allow, for example, the addition of address entries, location determination, distance calculations and provision of additional information about locations and other places; Service provider: Google Cloud EMEA Limited, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland; Legal basis: Consent (Art. 6(1) sentence (1) point (a)) GDPR); Website: mapsplatform.google.com; Privacy policy: policies.google.com/privacy. Basis for third country transfers: Data Privacy Framework (DPF).

Management, organisation and support tools

We use services, platforms and software from other providers (hereinafter referred to as “third-party providers”) for the purposes of organising, managing, planning and providing our services. When selecting third-party providers and their services, we observe the legal requirements.

In this context, personal data may be processed and stored on the servers of third-party providers. This may affect various data that we process in accordance with this privacy policy. That data may include, in particular, master data and contact data of users, data about transactions, contracts, other processes and their content.

If users are referred to the third-party providers or their software or platforms in the context of communication, business or other relationships with us, the third-party providers may process usage data and metadata for security purposes, service optimisation or marketing purposes. We therefore ask you to consult the privacy policies of the respective third-party providers.

Processed data types: Content data (e.g. text or image messages and posts and the information relating to them, such as authorship or time of creation); usage data (e.g. page views and dwell time, click paths, intensity and frequency of use, device types and operating systems used, interactions with content and functions). Meta, communication and process data (e.g. IP addresses, time data, identification numbers, persons involved).

Data subjects: Communication partners; users (e.g. website visitors, users of online services).
Purposes of processing: Provision of contractual services and fulfilment of contractual obligations. Office and organisational procedures.
Storage and erasure: Erasure in accordance with the information in the section “General information about data storage and erasure”.
Legal basis: Legitimate interests (Art. 6(1) sentence (1) point (f) GDPR).

Further information about processing operations, procedures and services:

ChatGPT: AI-based service designed to understand and generate natural language and related input and data, analyse information and make predictions (“AI” is to be understood in the applicable legal sense of the term); Service provider: OpenAI Ireland Ltd, 117-126 Sheriff Street Upper, D01 YC43 Dublin 1, Ireland; Legal basis: Legitimate interests (Art. 6(1) sentence (1) point (f) GDPR); Website: openai.com/product; Privacy policy: openai.com/en/policies/eu-privacy-policy. Option to object (opt-out): docs.google.com/forms/d/e/1FAIpQLSevgtKyiSWIOj6CV6XWBHl1daPZSOcIWzcUYUXQ1xttjBgDpA/viewform.

Amendments and updates

We ask you to check the content of our privacy policy regularly. We amend the privacy policy as soon as changes to the data processing we carry out make this necessary. We inform you whenever the amendments require action on your part (e.g. consent) or any other individual notification.

Where we provide addresses and contact information about companies and organisations in this privacy policy, please note that the addresses may change over time and you should check the information before contacting us.

Definitions of terms

This section provides you with an overview of the terms used in this privacy policy. Insofar as the terms are defined by law, their legal definitions apply. The following explanations, on the other hand, are primarily intended to aid understanding.

Master data: Master data includes essential information that is necessary for the identification and administration of contractual partners, user accounts, profiles and similar assignments. This data may include personal and demographic information such as names, contact information (addresses, telephone numbers, email addresses), dates of birth and specific identifiers (user IDs). Master data forms the basis for any formal interaction between people and services, facilities or systems by enabling clear assignment and communication.

Content data: Content data includes information generated in the course of creating, editing and publishing content of all kinds. This category of data can include texts, images, videos, audio files and other multimedia content published on various platforms and media. Content data is not limited to the actual content, but also includes metadata that provides information about the content itself, such as tags, descriptions, author information and publication dates.

Contact data: Contact data is essential information that enables communication with individuals or organisations. It includes telephone numbers, postal addresses and email addresses, as well as communication tools such as social media handles and instant messaging identifiers.

Conversion measurement: Conversion measurement (also referred to as “user action evaluation”) is a process that can be used to determine the effectiveness of marketing measures. For this purpose, a cookie is usually stored on the user’s device on the websites on which the marketing measures are placed and this is then retrieved on the target website. For example, this allows us to track whether the advertisements we have placed on other websites have been successful.

Meta, communication and procedural data: Meta, communication and procedural data are categories that contain information about the way in which data is processed, transmitted and managed. Metadata, also known as data about data, includes information that describes the context, origin and structure of other data. It can include information about the file size, the creation date, the author of a document and the change histories. Communication data records the exchange of information between users via various channels, such as email traffic, call logs, messages on social networks and chat histories, including the persons involved, time stamps and transmission paths. Process data describes the processes and procedures within systems and organisations, including workflow documentation, logs of transactions and activities, and audit logs used to track and review processes.

Usage data: Usage data refers to information that captures how users interact with digital products, services and platforms. This data includes a wide range of information that shows how users use applications, which functions they favour, how long they stay on certain pages and which paths they take to navigate through an application. Usage data can also include frequency of use, timestamps for activities, IP addresses, device information and location data. It is particularly valuable for analysing user behaviour, optimising the user experience, personalising content and improving products or services. In addition, usage data plays a crucial role in recognising trends, preferences and potential problem areas in digital services

Personal data: Personal data means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. a cookie) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Profiles with user-related information: The processing of “profiles with user-related information”, or “profiles” for short, includes any type of automated processing of personal data that consists of using the personal data to analyse, evaluate or predict certain personal aspects relating to a natural person (e.g. interests in certain content or products, click behaviour on a website or location). Depending on the type of profiling, this may include various information relating to demographics, behaviour and interests, such as interaction with websites and their content, etc. Cookies and web beacons are often used for profiling purposes.

Log data: Log data is information about events or activities that have been logged on a system or network. This data typically contains information such as timestamps, IP addresses, user actions, error messages and other details about the use or operation of a system. Log data is often used to analyse system problems, for security monitoring or to create performance reports.

Reach measurement: Reach measurement (also known as web analytics) is used to evaluate the flow of visitors to a website and can include the behaviour or interests of visitors in certain information, such as website content. With the help of reach analysis, operators of websites can, for example, recognise the time at which users visit their websites and what content they are interested in. This allows them to customise the content of their websites to the needs of their visitors, for example.

Pseudonymous cookies and web beacons are often used for reach analysis purposes in order to recognise returning visitors and thus obtain more precise analyses of the use of a website.

Tracking: The term “tracking” is used when the behaviour of users can be traced across several websites. As a rule, behaviour and interest information with regard to the websites used is stored in cookies or on the servers of the providers of the tracking technologies (so-called profiling). This information can then be used, for example, to display advertising to users that is likely to match their interests.

Controller: A controller is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Processing: Processing means any operation or set of operations which is performed on personal data, whether or not by automated means. The term is broad and encompasses practically every type of handling of data, whether it is collecting, analysing, storing, transmitting or erasing it.

Contract data: Contract data is specific information that relates to the formalisation of an agreement between two or more parties. It documents the conditions under which services or products are provided, exchanged or sold. This category of data is essential for the management and fulfilment of contractual obligations and includes both the identification of the contracting parties and the specific terms and conditions of the agreement. Contract data may include start and end dates of the contract, the type of services or products agreed, price agreements, payment terms, cancellation rights, renewal options and special terms or clauses. It serves as the legal basis for the relationship between the parties and is crucial for clarification of rights and obligations, enforcement of claims and resolution of disputes.

Payment data: Payment data includes all information required to process payment transactions between buyers and sellers. This data is crucial for e-commerce, online banking and any other form of financial transaction. It includes details such as credit card numbers, bank details, payment amounts, transaction data, verification numbers and billing information. Payment data can also include information about payment status, chargebacks, authorisations and fees.

Custom audience formation: Custom audience formation is when target groups are determined for advertising purposes, e.g. the display of advertisements. For example, based on a user’s interest in certain products or topics on the internet, it can be concluded that the user will be interested in advertisements for similar products or the online shop in which they viewed the products. In turn, “lookalike audiences” (or similar target groups) is the term used when the content deemed suitable is displayed to users whose profiles or interests are assumed to match those of the users for whom the profiles were created. Cookies and web beacons are generally used for the purpose of creating custom audiences and lookalike audiences.