Data protection declaration
Name and contact details of the data controller according to Article 4 para. 7 GDPR
Security and protection of your personal data
We consider it our prime duty to protect the confidentiality of personal data provided by you and to protect it from unauthorised access. This is why we take the utmost care and adopt the latest security standards, in order to guarantee maximum protection of your personal data.
As a company governed by private law, we are subject to the provisions of the European General Data Protection Regulation (GDPR) and the regulations of the Federal Data Protection Act (BDSG). We have adopted technical and organisational measures to ensure that the rules concerning data protection are observed both by us and by our external service providers.
The legislator demands that personal data is processed in a lawful way, in good faith and in a way that is comprehensible for the data subject (“lawfulness, processing in good faith, transparency”). In order to guarantee this, we would like to inform you about the individual statutory definitions, which are also used in this data protection declaration:
1. Personal data
“Personal data” is any information relating to an identified or identifiable private individual (hereafter “data subject”). An identifiable private individual is someone who directly or indirectly, can be identified especially by allocation to an identity such as a name, ID number, location data, online identification or to one or more special features, which express the physical, physiological, genetic, emotional, economic, cultural or social identity of this private individual.
“Processing” refers to any procedure or series of procedures performed by or without the help of automated methods, in connection with personal data, such as gathering, acquiring, organising, arranging, archiving, adjusting or changing, reading out, calling up, using, disclosing by transmission, disseminating or any other form of provision, reconciling or correlating, restricting, deleting or destroying.
3. Restricting processing
”Restricting processing” is the marking of archived personal data with the aim of restricting its future processing.
“Profiling” is any kind of automated processing of personal data, which involves this personal data being used in order to evaluate specific personal aspects, which refer to a private individual, in particular to analyse or predict aspects concerning work performance, financial situation, health, personal preferences, interests, reliability, behaviour, place of abode or change of location of this private individual.
“Pseudonymisation” is the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information, as long as such additional information is kept separately and subject to technical and organisational measures to ensure non-attribution to an identified or identifiable individual.
6. Filing system
“Filing system” is any structured collection of personal data, accessible according to specific criteria, irrespective of whether this collection is organised centrally, decentrally or according to functional or geographic aspects.
7. Data controller
The “Data controller” is any private individual or legal entity, authority, institution or other agency, which alone or together with others decides on the purposes and means of processing personal data. If the purposes and means of such processing are specified by Union law or the law of member states, then the data controller or the specific criteria of his/her appointment may be provided in accordance with Union law or the law of the member states.
8. Data processor
“Data processor” is any private individual or legal entity, authority, institution or other agency, which processes personal data by order of the data controller.
“Recipient” is any private individual or legal entity, authority, institution or other agency to which personal data is disclosed, irrespective of whether they are a third party or not. However, authorities, which may receive personal data as part of a specific enquiry under Union law or the law of the member states, do not count as recipients. Such data is processed by the named authorities in compliance with the applicable data protection rules, according to the purposes of the processing.
10. Third party
“Third party” is a private individual or legal entity, authority, institution or other agency, apart from the data subject, the data controller, the data processor or the persons who are authorised under the direct responsibility of the data controller or of the data processor, to process the personal data.
“Consent” of the data subject is any declaration of will issued voluntarily in respect of the specific case, in an informed and unmistakable manner, in the form of a declaration or any other clear, confirmatory action, by which the data subject makes it clear that he/her agrees with the processing of the personal data concerning this individual.
Lawfulness of processing
The processing of personal data is lawful only if and to the extent that there is a legal basis for this. The legal basis for processing according to article 6, para. 1, letters a-f GDPR may be, in particular:
a. The data subject has given consent to the processing of his/her personal data for one or more specific purposes;
b. processing is necessary for the performance of a contract, to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
c. processing is necessary for compliance with a legal obligation, to which the controller is subject;
d. processing is necessary in order to protect the vital interests of the data subject or of another private individual;
e. processing is necessary for the performance of a task, carried out in the public interest or in the exercise of official authority vested in the controller;
f. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights or freedoms of the data subject, which require protection of personal data, in particular, where the data subject is a child.
Information concerning the collection of personal data
(1) Below we provide information about collecting personal data when using our website. Examples of personal data are: name, address, e-mail addresses, user behaviour.
(2) If you contact us by e-mail, the data which you provide (your e-mail address, your name and telephone number) will be archived by us in order to reply to your questions. We will delete the data accrued in this connection once archiving is no longer necessary or processing is restricted, if there are statutory duties of retention.
Collection of personal data when visiting our website
When using the website purely for information, in other words, if you do not register or provide us with information in any other way, we will only collect the personal data, which your browser sends to our server. If you wish to look at our website, we will collect the following data, which is technically necessary for us, in order to display our website to you and to guarantee stability and security (legal basis is Art. 6 para. 1 page 1 letter f GDPR):
– Date and time of enquiry
– Time zone difference in relation to Greenwich Mean Time (GMT)
– Content of request (actual page)
– Access status / HTTP status code
– volume of data transmitted in each case
– Website from which the request comes
– Operating system and its interface
– Language and version of browser software.
(1) In addition to the data mentioned above, when our website is used cookies are stored in your computer. Cookies are small text files, which are stored on your hard disc assigned to your browser and by which certain information flows to the location, which sets the cookie. Cookies cannot execute any programs or transfer viruses to your computer. Their purpose is to make the Internet offer as a whole, more user-friendly and effective.
(2) This website uses the following types of cookies, the scope and functionality of which are explained below:
– Transient cookies (see a.)
– Persistent cookies (see b.).
a. Transient cookies are automatically deleted when you close the browser. These include, in particular, session cookies. They store a so-called session ID, with which various requests from your browser can be assigned to the joint session. This enables your computer to be recognised again when you return to our website. Session cookies are deleted when you log out or close the browser.
b. Persistent cookies are automatically deleted after a preset time, which may differ according to the cookie. You can delete cookies at any time in the security settings of your browser.
c. You can configure your browser setting as you wish and, for example, refuse to accept third party or all cookies. So-called third party cookies are cookies, which have been set by a third party and consequently cannot be found on the actual website that you are using. We would point out that by deactivating cookies, you may not be able to use all the functions of this website.
Additional functions and offers of our website
(1) Apart from using our website purely for information, we offer various services, which you may use if you are interested. To do this you will, as a rule, have to declare additional personal data, which we will use to provide the service in question and to which the principles of data processing quoted above apply.
(2) In some cases we make use of external service providers to process your data. These have been carefully selected and commissioned by us, are bound by our instructions and are regularly monitored.
(3) Furthermore, we can pass on your personal data to third parties if you take part in promotions, competitions, conclude contracts or similar offered by us together with partners. You can obtain further information about this when you declare your personal data or below in the description of the offer.
(4) If our service providers or partners are based in a country outside the European Economic Area (EEA), we will tell you about the consequences of this situation in the offer description.
Our offer is addressed in principle to adults. Persons under 18 years of age should not send us any personal data without the consent of their parents or guardians.
Rights of the data subject
(1) Withdrawal of consent
If the processing of personal data rests on consent given, you have the right at any time to withdraw such consent. The withdrawal of consent will not affect the lawfulness of the processing that has been done by consent up to the time of withdrawal.
You can contact us at any time regarding exercising the right of withdrawal.
(2) Right to confirmation
You have the right to demand from the data controller, confirmation about whether we are processing personal data relating to you. You can request confirmation at any time using the contact data quoted above.
(3) Right to information
Where personal data is processed, you can demand information about such personal data and the following information at any time:
a. the purposes of processing;
b. the categories of personal data being processed;
c. the recipients or categories of recipients, to whom the personal data has been disclosed or will be disclosed, particularly in the case of recipients in third countries or international organisations;
d. if possible, the intended duration for which the personal data is being stored, or if this is not possible, the criteria for establishing this duration;
e. the existence of a right to correct or delete your personal data or to restricting processing by the controller or a right to object to such processing;
f. the existence of a right of appeal to a supervisory authority;
g. if the personal data is not obtained from the data subject, all available information about the origin of the data;
h. the existence of automatic decision-making, including profiling in accordance with article 22 paragraphs 1 and 4 GDPR and – at least in such cases – meaningful information about the logic involved as well as the consequences and the intended effects of such processing on the data subject.
If personal data is sent to a third country or to an international organisation, then you have the right to be informed about the appropriate guarantees under Article 46 GDPR in connection with the transmission. We will provide a copy of the personal data that is the subject of processing. For all other copies which you request in person, we can demand a reasonable charge, based on the administrative costs. If you make application electronically, then the information shall be provided in a common electronic format, unless otherwise specified. The right to receive a copy under paragraph 3 must not jeopardise the rights and freedoms of other persons.
(4) Right to correction
You have the right to demand from us immediate correction of incorrect personal data concerning you. Taking into consideration the purposes of the processing, you have the right to demand the completion of incomplete personal data, including by means of a supplementary statement.
(5) Right to deletion (“Right to be forgotten”)
You have the right to demand of the controller that personal data concerning you be immediately deleted and we are obliged immediately to delete personal data should one of the following reasons apply:
a. The personal data is no longer required for the purposes for which it was collected or processed in any other way.
b. The data subject revokes his/her consent on which processing under Article 6 paragraph 1 letter a or Article 9 paragraph 2 letter a GDPR was based and there is no other legal basis for processing.
c. The data subject lodges an objection to the processing in accordance with Article 21 paragraph 1 GDPR and there are no overriding and justified reasons for processing, or the data subject lodges an objection under Article 21 paragraph 2 GDPR to the processing.
d. The personal data was unlawfully processed.
e. Deletion of the personal data is necessary to fulfil a legal obligation under Union law or the law of the member states, to which the controller is subject.
f. The personal data was collected in respect of services offered by the information society under Article 8 para. 1 GDPR.
If the controller has publicised the personal data and if he is obliged, under paragraph 1 to delete it, then, taking into account the technology available and the implementation costs, he will take reasonable measures, including those of a technical nature, in order to inform data processing controllers who process personal data that a data subject has demanded from them the deletion of all links to this personal data or of copies or replications of such personal data.
There is no right to deletion (“Right to be forgotten”) if processing is necessary:
– to exercise the right to free expression and information;
– to fulfil a legal obligation, which the processing requires under the law of the Union or member states, to which the controller is subject, or to discharge a task, which is in the public interest or which is undertaken in exercising public authority, which was assigned to the controller;
– for reasons of public interest in the area of public health under Article 9 paragraph 2 letters h and i and Article 9 para. 3 GDPR;
– for archiving purposes that are in the public interest, scientific or historical research purposes or for statistical purposes under Article 89 paragraph 1 GDPR, provided the right named in paragraph 1 is likely to render impossible or seriously impair the achievement of the specific purposes of this processing, or
– to assert, exercise or defend legal claims.
(6) Right to restrict processing
You have the right to demand from us restriction of processing of your personal data, if any of the following conditions applies:
a. the correctness of the personal data of the data subject is disputed, for a period which will enable the controller to check the correctness of the personal data,
b. the processing is unlawful and the data subject refuses deletion of the personal data and instead demands restriction of the use of the personal data;
c. the controller no longer requires the personal data for the purpose of processing, but the data subject requires it to assert, exercise or defend legal claims, or
d. the data subject has lodged an objection to the processing under Article 21 para. 1 GDPR, as long as it is not yet established whether the controller’s justified reasons outweigh those of the data subject.
If processing has been restricted under the above-mentioned conditions, then this personal data will only be processed – apart from its archiving – with the consent of the data subject or in order to assert, exercise or defend legal claims or to protect the rights of any other private individual or legal entity or for reasons of important public interest of the Union or a member state.
In order to assert the right to restrict processing, the data subject can get in touch with us at any time, indicating the contact information quoted above.
(7) Right to transfer data
You have the right to receive the personal data concerning you, which you have provided us with, in a structured, established and machine-readable format, and you have the right to send this data to another data controller without obstruction by the controller, to whom the personal data was provided, if:
a. processing is based on consent under Article 6 paragraph 1 letter a or Article 9 paragraph 2 letter a or on a contract in accordance with Article 6 paragraph 1 letter b GDPR and
b. processing is carried out with the help of automated methods.
In exercising the right to transfer data under paragraph 1, you have the right to have the personal data sent directly from one controller to another, if this is technically feasible. Exercising the right to transfer data does not affect the right to deletion (“right to be forgotten”). This right does not apply to processing necessary to discharge a duty, which is in the public interest, or in exercising public authority, which has been transferred to the controller.
(8) Right of objection
You have the right, at any time, for reasons arising from your particular situation, to lodge an objection to the processing of personal data concerning you, which has occurred by virtue of Article 6 paragraph 1 letters e or f GDPR. This also applies to any profiling based on these provisions. The controller will no longer process the personal data, unless he can demonstrate compelling reasons for protection of processing, which outweigh the interests, rights and freedoms of the data subject or processing serves to assert, exercise or defend legal claims.
If personal data is processed for the purpose of direct advertising, then you have the right at any time to object to the processing of personal data concerning you for the purpose of such advertising. The same applies to profiling, if it is associated with such direct advertising. If you object to processing for purposes of direct advertising, then the personal data will no longer be used for such purposes.
In connection with the use of services of the information society, you may exercise you right to object, notwithstanding directive 2002/58/EC, by automated means, whereby technical specifications are used.
You have the right, for reasons arising from your particular situation, to object to the processing of your personal data, which is done for scientific or historical research purposes or for statistical purposes according to Article 89 paragraph 1, unless the processing is required in order to fulfil a duty in the public interest.
You may exercise the right to object at any time, by contacting the respective controller.
(9) Automated decisions in individual cases, including profiling
You have the right not to be subject to a decision based exclusively on automated processing – including profiling – which has legal effect on you or which considerably disadvantages you in a similar way. This does not apply if the decision:
a. is required to conclude or perform a contract between the data subject and the controller,
b. is admissible by virtue of legal provisions of the Union or member states, to which the controller is subject, and these legal provisions include reasonable measures to protect the rights and freedoms as the justified interests of the data subject or
c. is taken with the express consent of the data subject.
The controller will take reasonable measures to protect the rights and freedoms as well as the justified interests of the data subject, which include at least the right to obtain the intervention of a person on behalf of the controller, to present one’s own viewpoint and to challenge the decision.
The data subject may exercise this right at any time by contacting the controller in question.
(10) Right of appeal to a supervisory authority
Notwithstanding any other administrative or legal remedy, you also have the right to appeal to a supervisory authority, particularly in the member state of your place of residence, your place of work or the place of the alleged infringement, if the data subject is of the view that processing the personal data concerning him/her, infringes this regulation.
(11) Right to effective legal remedy
Notwithstanding any available administrative or extra-judicial remedy, including the right to appeal to a supervisory authority under Article 77 GDPR, you have the right to an effective judicial remedy if it is of the opinion that the rights accruing to it by virtue of this regulation have been infringed as a result of processing its personal data that is not compliant with this regulation.