Privacy Policy

1. CONTACT PERSON

The controller within the meaning of the General Data Protection Regulation (GDPR, German: DSGVO) is:

LUTZ | ABEL Rechtsanwalts PartG mbB
Brienner Straße 29, 80333 Munich, Germany
+49 89 544147-0
kanzlei@lutzabel.com

Questions regarding data protection can also be addressed directly to our external data protection officer: Attorney David Heimburger, dh@davidheimburger.de, 040 / 22863648

2. YOUR RIGHTS IN GENERAL

Here we summarize the general rights that you have under the GDPR with regard to your personal data processed by us. For an explanation of the legal terms, we refer to the applicable definitions in the GDPR (see Article 4 there). If anything remains unclear, please feel free to ask us.

You may revoke any consent given to us to process or share your data at any time for the future (Article 7(3) DSGVO).

Should the legal basis for processing your data be a legitimate interest pursuant to Article 6(1)(f) DSGVO, you may lodge an objection to the data processing pursuant to Article 21 DSGVO. Insofar as the relevant data processing is direct marketing, you do not have to justify your objection in any way; in all other cases, you would have to provide reasons for your objection that arise from your particular situation.

If we have stored incorrect information about you, you can request us to correct your data (Article 16 DSGVO).

You can request information from us about which of your data we process (Article 15 DSGVO, Section 34 BDSG).

You can demand that we delete your data or restrict its processing, provided that your request does not conflict with any higher-ranking retention obligations (Article 17 or 18 DSGVO, Section 35 BDSG).

You may request that we provide you with the data you have provided to us yourself in a machine-readable format for disclosure to third parties (Article 20 DSGVO).

You may lodge a complaint about our handling of data protection matters with a data protection supervisory authority, e.g. the Bavarian State Office for Data Protection Supervision.

3. DATA PROCESSING BY US IN GENERAL

Any form of processing of personal data requires a legal basis that allows us to do so. The legal basis is primarily derived from the purpose for which the data is processed. The lawfulness within a legal basis is regularly measured according to the specific scope of the data processing and the measures we have taken to protect your data.

Legal bases for data processing arise from Article 6(1) DSGVO and for data requiring special protection, such as health data, from Article 9(2) DSGVO. These two regulations name the preparation or fulfillment of contractual, legal or even social obligations as the most important legal bases for data processing. In addition, many data processing operations are carried out in our legitimate interest, unless, in view of the specific circumstances, the interests of the data subjects prevail. If one of the previously mentioned types of legal basis is relevant, the processing does not require any further consent from you.

In addition, data processing may be carried out on the basis of consent from you (Article 7 of the GDPR) or, for persons under the age of 16, when using information society services (e.g. websites, online games, social media platforms) by the children or young people in conjunction with the consent of a legal guardian (Article 8 of the GDPR).

At this point, we expressly point out that none of our offers are directed at persons under 16 years of age.

In some cases, our obligation to ask for your consent results not, or not solely, from the GDPR but from the Telemedia Telecommunications Data Protection Act (TDDDG) or the Unfair Competition Act (UWG). We have taken into account the obligations arising from these laws without explicitly referring to them in the following.

If a data transfer to a state outside the European Economic Area (EEA) takes place, we ensure that data protection is secured in the sense of Articles 44 - 49 DSGVO. Such a transfer outside the EEA is called a third country transfer in data protection law.

4. GENERAL NOTE ON COOKIES

Cookies are a specific form of text entries that are stored by your browser on your device when you visit a website. Different information can be stored in a cookie. In some cases, a cookie only stores a yes or no ("true" or "false") or a country identifier such as "de" for German; in other cases, a string of characters is stored that enables the browser to be uniquely identified when the Internet page is called up again (a so-called cookie ID).

The right to set cookies is not measured solely according to the GDPR, but primarily according to Section 25 TDDDG. The standard distinguishes between cookies that are absolutely necessary for the operation of the online offer (essential) and those that are not. Essential cookies may be set even without consent, but non-essential cookies always require consent - even if this is not required under the GDPR (e.g., if there is a legitimate interest as a legal basis or the data is not personal).

Before we store non-essential cookies on your terminal device, we ask you for your consent in accordance with the requirements of Section 25 TDDDG.

The purpose of each cookie as well as the legal basis for its use according to the GDPR can be found in the following description of the individual data processing.

There are various ways for you to prevent the acceptance of cookies on your device:

The standard case is likely to be that you decide which cookies you allow and which not via our consent manager when you call up one of our Internet pages. In some cases, we can only offer you a blanket acceptance or rejection of all cookies or cookie groups.

In principle, you can set your browser so that it never accepts cookies. By such a complete exclusion, you will most likely lose functions that are based on cookies and that you would actually like to allow or that do not require consent at all.

You can access Internet pages in the private mode of your browser. Private mode also blocks the setting of cookies in your browser memory or automatically deletes all cookies at the end of the session.

Some browsers or browser plug-ins offer you the possibility to make more differentiated default settings as to which cookies you generally want to accept by default and which you do not.

A special case: Google offers a browser plug-in that prevents the setting of the various cookies from Google. You can find the corresponding plug-in here: https://tools.google.com/dlpag…

5. CONCRETE DATA PROCESSING

5.1 Visiting our Internet pages

5.1.1 Provision of our Internet pages

Description: In order for a web server to provide our Internet pages to your browser, the server must collect technical data about your device used for this purpose, your browser and your Internet access. This is referred to as the log file or web log. This is the same data that you necessarily leave behind with every Internet page that you call up. At the center is the IP address from which you call up our pages. To this Internet address, the web server sends you the data you want to see.

Data categories: IP address from which our site was accessed; date and time of access; objects on our website accessed in the browser; type and version of internet browser; type and version of operating system.

Data recipient (third country transfer, if applicable): Our hosting service provider, which is committed to data protection via an order processing agreement. In the event of attacks on our pages, transfer to forensic experts and investigating authorities commissioned by us. A third country transfer does not take place.

Purpose + legal basis: Provision of our website as well as investigations should an unlawful access to our websites occur (e.g. a hacker attack). Legal basis is a legitimate interest, as the operation of a website is not possible without the collection of the weblog. In the specific case of an attack on our website, we have a legitimate interest in being able to provide investigators with circumstantial evidence of how the attack took place.

Storage period: 30 days

5.1.2 Cookie management

Description: For all cookies requiring consent, we ask for your consent before storing them in your browser cache. The decisions you make are stored with our consent management service provider so that we do not have to ask for your consent again when you visit our websites again. In order for the service to recognize your decision, it stores an identification number in the local memory of your browser. You can revise your decision at any time by deleting the corresponding entry in the local memory of your browser.

Data categories: Consent status

Data recipients (third country transfer, if applicable): Our service provider for consent management, who is committed to data protection via an order processing agreement. A third country transfer does not take place.

Purpose + legal basis: Consent management for cookies and comparable technologies. Legal basis is a legitimate interest, as storing the consent decision only slightly restricts the rights of visitors and at the same time simplifies the use of the pages on repeated visits. This entry may also be set according to § 25 TDDDG without your consent, as the consent management is an essential function.

Storage period: Until the deletion of the corresponding entry in the local memory of the browser.

5.1.3 Contact form

Description: Our Internet pages have a contact form that you can use to send us messages. Your input is technically sent to us as an e-mail.

Once you send your message, the data processing is equivalent to sending an e-mail to our central contact address. While you are on the website and enter your information in the form, the data processing corresponds to calling up any of our websites.

Data categories: See the processing operations "Provision of a website" and "E-mail inbox".

Data recipients (if applicable, third country transfer): See the processing operations "Provision of a website" and "E-mail inbox".

Purpose + legal basis: Provision of a contact form as an additional way to contact us. Depending on the content of your contact, the legal basis is the preparation of a contract performance or a legitimate interest.

Storage period: See the processing operations "Provision of a website" and "E-mail inbox".

5.1.4 Podcast player

Description: We make audio files (podcasts) on our website available via a player of the streaming provider Podigee.

As the technical provider of the audio hosting, Podigee processes the typical web log data that an end device transmits to the technical provider when retrieving the streaming offer, such as your IP address.

Details on data protection at Podigee can be found at: https://www.podigee.com/de/ueb...

Data categories: IP address from which our page with the Podigee player was accessed; date and time of access; objects on our website accessed in the browser; type and version of the Internet browser; type and version of the operating system.

Data recipient (third country transfer, if applicable): Our hosting service provider for audio streaming, which is committed to data protection via an order processing agreement, is located in the EEA. A third country transfer does not take place.

Purpose + legal basis: Provision of audio contributions via the audio player of a powerful streaming provider. Legal basis is a legitimate interest, as the streaming is pure hosting without advertising tracking.

Storage period: The storage period is the responsibility of Podigee.

5.1.5 Analysis of usage behavior (Google Analytics)

Description: We use the web analytics service Google Analytics. On our behalf, Google creates statistical reports about the activities on our website, the regional origin of visitors and technical key data of the devices used to visit our pages based on the information collected.

We use Analytics with the extension "anonymizeIP" so that the IP addresses are only processed in abbreviated form to reduce the possibility of a personal reference. Through IP anonymization, the end of your IP address is replaced by zeros by Google within the European Union before the data is transferred to the USA. Only in exceptional cases will the full IP address be transferred to a Google server in the USA and shortened there.

Google Analytics collects, on the one hand, in the sense of server-side analytics, the information from a weblog that is sent to a web server by default when internet pages are called up. If you have consented to the setting of Google cookies, Google collects the data stored in the cookies, such as a cookie ID. In addition, Google recognizes general information about your device such as installed software or fonts and forms a so-called digital fingerprint from this.

In contrast to simple server-side analytics, the cookie ID or digital fingerprint allows us to assign several actions on our pages to the same visitor. In this way, recurring visitors can be determined and usage paths within our web pages can be traced. In particular, statements about usage paths are essential for drawing valuable conclusions about user behavior.

The Analytics cookies are named _ga (to recognize returning visitors), _gid (to be able to form statistical groups) and _gat (to reduce data matching with advanced Google features).

We do not link the data we collect through Google Analytics with personal data we collect through other means. However, we have linked our Google Analytics account to our Google Ads account so that Google can make a connection between visitors to our website and clicks on our Google Ads. Google provides us with the data only in an anonymized and statistical form, so that we ourselves do not have our own access to data characteristics that could allow us to identify individual persons.

For comprehensive information on the use of data collected by Google, please refer to Google's privacy information (https://policies.google.com/privacy) and Google's information on cookies (https://policies.google.com/technologies/cookies). The responsibility between Google and us regarding the exchange of data is regulated via Google's order data processing conditions for Google advertising products (https://business.safety.google/adsprocessorterms/).

For further details, please also refer to the information on Google cookies in our Cookie Consent Manager.

Data categories: IP address via which the device goes online; location or country linked to the IP address as well as Internet service provider for Internet access; date and time of access; objects on our website called up (clicked on) in the browser; type and version of Internet browser; type and version of operating system; information on the screen resolution and other technical parameters of the terminal device used; websites from which the user accessed our website; websites that the user accesses from our website; Google ID stored in the cookie; digital fingerprint of the terminal device used calculated by Google.

Data recipients (third country transfer, if applicable): Google LLC, for us as a European organization addressable via Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland. Google is obligated to us to observe data protection via a corresponding data protection contract. Insofar as Google transfers data to third countries, Google guarantees that the data will be handled at EU data protection level by concluding standard data protection clauses.

Purpose + legal basis: The purpose of this usage analysis is to enable us to further improve our website based on the analysis findings and to measure and optimize its success by linking it to our advertising activities on Google. The legal basis is your consent, which you have given via our cookie manager.

Storage period: 14 months; this storage period of the raw data enables us to export annual statistics.

5.1.6 Analysis of usage behavior (Meta)

Description: Our websites set cookies from Meta, often called Facebook Pixel or Meta Pixel. By doing so, we provide Meta with data about your use of our site. In this way, we enable Meta to provide ads for us within Facebook and Instagram in a more targeted manner.

The relevant data is only transferred to Meta if you consent to the setting of the relevant cookie (named _fbp).

For comprehensive information on the use of data collected by Meta, please refer to Meta's privacy information: www.facebook.com/policy.php.

For more details, please also refer to the information on Meta Pixel in our Cookie Consent Manager.

Data categories: IP address through which the device goes online; location or country linked to the IP address, as well as Internet service provider for Internet access; date and time of access; objects on our website called up (clicked on) in the browser; type and version of Internet browser; type and version of operating system; websites from which the user has accessed our website; websites that the user calls up from our website; Meta ID stored in the cookie.

Data recipients (third country transfer, if applicable): Meta Platforms Inc, addressable to us as a European organization through Meta Platforms Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. Meta is obligated to us to observe data protection via a contract for commissioned processing in accordance with Article 28 DSGVO. Insofar as Meta transfers data to third countries, the company guarantees handling of the data at EU data protection level by concluding standard data protection clauses.

Purpose + legal basis: The purpose of the transfer of data to Meta is to be able to provide ads on Facebook and Instagram that are as target group-specific as possible. The legal basis is your consent, which you have given via our cookie manager.

Storage period: Meta is responsible for the storage period. It is not necessary for us to delete your data, as we do not collect any data from you ourselves through the use of the Meta Pixel.

5.1.7 Analysis of user behavior (LinkedIn)

Description: Our web pages set cookies from LinkedIn (also called LinkedIn Insight Tag). By doing so, we provide LinkedIn with data about your use of our site. In this way, we enable LinkedIn to provide ads for us within LinkedIn in a more target group-specific manner.

The corresponding data is only transferred to LinkedIn if you consent to the setting of the corresponding cookies. The names of the LinkedIn cookies are: bcookie, lidc, li_gc, ln_or.

For comprehensive information on the use of data collected by LinkedIn, please refer to LinkedIn's privacy information: https://www.linkedin.com/legal...

For more details, please also refer to the information on LinkedIn Insight Tags in our Cookie Consent Manager.

Data categories: IP address via which the device goes online; location or country linked to the IP address as well as Internet service provider for Internet access; date and time of access; objects on our website called up (clicked on) in the browser; type and version of Internet browser; type and version of operating system; websites from which the user has accessed our website; websites that the user calls up from our website; LinkedIn ID stored in the cookie.

Data recipients (third country transfer, if applicable): LinkedIn Corp, addressable to us as a European organization via LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland. LinkedIn is obligated to us to observe data protection via a contract for commissioned processing in accordance with Article 28 DSGVO. Insofar as LinkedIn transfers data to third countries, the company guarantees handling of the data at EU data protection level by concluding standard data protection clauses.

Purpose + legal basis: The purpose of the data transfer to LinkedIn is to be able to provide ads on LinkedIn that are as target group-specific as possible. The legal basis is your consent, which you have given via our Cookie Manager.

Storage period: The storage period is the responsibility of LinkedIn. Data deletion on our part is not necessary, as we do not collect any data from you ourselves through the use of the LinkedIn cookies.

5.2 MARKETING COMMUNICATION

5.2.1 E-mail newsletter

Description: You can sign up for our email newsletter. To do so, you only need to provide an email address and your name. We use your name so that we can personalize the sending of the e-mails with a direct salutation. The indication of your company is voluntary.

If you register online for the newsletter, you will receive an e-mail at the address you have provided in which we ask you to confirm your registration. This is to prevent you from being signed up for our newsletter by someone who does not or should not have access to that address. This two-step process is called double opt-in for double consent.

By subscribing to our newsletter, you consent, both under data protection law and competition law, to us sending you emails on the subject matter described on the subscription page.

You can revoke your registration and thus your consent at any time for the future. This is possible via the corresponding link at the end of each newsletter we send out or by sending an e-mail to marketing@lutzabel.com.

We record the use of our newsletter via so-called counting pixels and campaign URLs for the internet links in the newsletter. The counting pixel calls our newsletter server when you open the e-mail. The call of the internet links in the newsletter is recorded via the campaign mapping in our web analytics.

Data categories: Email address, documentation of email verification (double opt-in), time of your registration; your name, company/institution (voluntary); selection of specific newsletter packages; usage data (opening the email + clicking on internet links).

Data recipient (third country transfer, if applicable): Our service provider for newsletter dispatch, which is committed to data protection via an order processing agreement, is located in the EEA. A third country transfer does not take place.

Purpose + legal basis: Provision of an e-mail newsletter and optimization of our newsletter content. Legal basis is your consent.

Storage period: After revocation of your consent, your data will be deleted immediately.

5.2.2 Postal information

Description: In some cases, we send business partners and potential business partners information about our firm and our service offerings by mail.

You may object to postal mailings that constitute a form of direct advertising at any time without giving reasons. You can send your objection to us by e-mail to marketing@lutzabel.com or by mail to LUTZ | ABEL Rechtsanwalts PartG mbB, Brienner Straße 29, 80333 Munich.

Data categories: Name, company/institution, address

Data recipient (if applicable, third country transfer): none

Purpose + legal basis: Postal dispatch of information material (direct advertising). The legal basis is a legitimate interest, as it results from § 7 UWG and the existing case law on this subject.

Storage period: Data is not stored beyond the mailing process. In the event of an objection, indefinite inclusion in our list of advertising blocks.

5.2.3 Sweepstakes participation

Description: We regularly invite participants to take part in competitions in which we raffle off specialist literature, for example. We record the participants in a list in order to be able to carry out a raffle. The list of participants is destroyed after notification of the winner.

The selection of the winners will be made without recourse to legal action. Winners will be notified by us and will receive their prize.

For tax reasons, we store the names and contact details of the winners in order to be able to prove that our prize has been used correctly. No further use of the contacts will be made.

Data categories: Name, e-mail address, address

Data recipient (third country transfer if applicable): None

Purpose + legal basis: selection and notification of the winners as well as provision of the prize. Legal basis for the raffle is fulfillment of the free raffle contract.

Storage period: for data of the winning participants six years (like business letters according to the German Commercial Code); for non-winning participants until notification of the winning participants.

5.2.4 Webinars/video conferences

Description: We regularly offer webinars as video conferences. The hosting of the webinar is carried out by external service providers who, as telecommunications providers, fall under the TDDDG and are thus legally obligated to data protection or have concluded an order processing agreement with us.

The scope of data processing depends on the individual functions of the conference tool that you use. You can participate with or without a video or audio signal, with or without a profile picture, background picture, hand signals or activities in the chat. You can regularly give yourself user names (i.e. also pseudonyms).

In particular, access to your camera and microphone will only be granted after you have given your consent.

Before conferences are recorded, all participants are asked for their consent or inactivity or this inactivity is technically enforced by us. If a recording is made, the course of the conversation can be transcribed automatically or manually.

It is technically possible for each participant to make screenshots or recordings in whole or in part using means outside the conference tool. Such behavior without the corresponding agreement of all participants constitutes a data protection violation on the part of the acting person and, if it is not one of our employees, is beyond our responsibility. Surreptitious recording of the spoken word may constitute a criminal offense under Section 201 of the German Criminal Code (StGB). We reserve the right to take legal action of any kind against persons who use their participation in a videoconference to engage in conduct that is hostile to data protection.

Data categories: User name, e-mail address; participation times; video or audio signal; video or audio recording (only with consent); audio transcript (only after recording); actions in chat, status word message; profile data (profile picture, contact data, background picture), telephone number (if participating by telephone); log file (IP address, device identifiers, activity history).

Data recipients (third country transfer if applicable): Providers of video conferencing systems who, as telecommunication providers, are covered by the TDDDG or have concluded an order processing agreement with us. Insofar as third country transfers take place through the providers, the service provider guarantees handling of the data at EU data protection level by concluding standard data protection clauses.

Purpose + legal basis: Use of a video conference. Legal basis is contract performance, as you have regularly registered explicitly for a webinar in the form of a video conference. For recordings, consent is the legal basis.

Storage period: If no recording takes place, all data is deleted at the end of the conference. If the conference was recorded, the recording is deleted as soon as the last purpose for which the recording was made has been achieved.

5.2.5 Google Ads

Description: We place advertisements via Google Ads. In order to optimize our marketing activities, Google Ads accesses personal data available to Google via cookies and its various analytics services for internet browsers, apps and the Android and Chrome OS operating systems provided by Google. We ourselves do not have access to the personal data underlying the playout of our ads. We only select general parameters for the target group to which our ads are to be made available. In this respect, we do not process any personal data.

By linking our Google Ads account with our Google Analytics account, we make it easier for Google to recognize interested parties who have already visited our website.

The coupling of the accounts constitutes a processing of personal data. In this respect, a joint responsibility within the meaning of Article 26 DSGVO arises with regard to the personal data, for which we have concluded a corresponding contract with Google (https://privacy.google.com/businesses/controllerterms/).

The contract divides the responsibility between Google and us in such a way that we are responsible for the collection of the analysis data and Google is responsible for the use of the data for advertising purposes. It follows that you should exercise all your rights with respect to the use of your data within Google Analytics with us and exercise all your rights with respect to the use of your data for the provision of targeted ads directly with Google.

We cannot provide any information on the details of data processing at Google. Google's privacy information (https://policies.google.com/privacy) applies in this regard.

Data categories: For the data categories processed by Google, see Google's data protection information and our information on our use of Google Analytics; target group formation according to demographic, regional, technical or economic factors and, above all, according to areas of interest.

Data recipients (third country transfer, if applicable): Google LLC, addressable to us as a European organization through Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland. Google is committed to data protection via a shared responsibility agreement. Google guarantees handling of data at EU data protection level by concluding standard data protection clauses.

Purpose + legal basis: Target group-specific publication of advertisements. Legal basis is consent vis-à-vis Google and Google tracking partners, as Google's tracking technology may only be started after your corresponding consent.

Storage period: The storage period is the responsibility of Google. Data deletion on our part is not necessary, as we do not collect any data from you through the use of Google Ads.

5.2.6 Meta Ads

Description: We place ads on Facebook and Instagram via Meta Ads. To optimize our marketing activities, Meta accesses personal data available to Meta on its own platform (facebook.com, instagram.com as well as the associated apps and other Facebook services), via its analytics services for websites and apps, and WhatsApp metadata. We ourselves do not have access to the personal data on which the playout of our ads is based. We only select general parameters for the target group to which our ads are to be made available. In this respect, we do not process any personal data.

By linking our Meta Ads account with our company profiles on Facebook and Instagram, we make it easier for Meta to recognize interested parties who have visited our profiles. In addition, we enable Meta to make our ads available to people who have a similar usage profile to typical visitors to our pages (so-called lookalike campaigns).

Our own websites also set cookies from Meta. Please see the processing "Analysis of usage behavior (Meta)".

We cannot provide any information on the details of data processing at Meta. Meta's data protection information applies in this regard: https://www.facebook.com/about...

Data categories: Usage data from Meta's various services; target group formation according to gender, age groups, regions, areas of interest, occupation.

Data recipients (third country transfer, if applicable): Meta Platforms Inc, contactable for us as a European organization via Meta Platforms Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. Facebook guarantees handling of data at EU data protection level by concluding standard data protection clauses.

Purpose + legal basis: Target group-specific publication of ads. Legal basis is consent vis-à-vis Meta - mostly via the Meta Usage Agreement - and Meta tracking partners, as Meta's tracking technology may only be started after your corresponding consent.

Storage period: Meta is responsible for the storage period. Data deletion on our part is not required, as we do not collect any data from you through the use of Facebook Ads.

5.2.7 LinkedIn Ads

Description: We place ads on LinkedIn. We ourselves do not have access to the personal data on which the playout of our ads is based. We only select general parameters for the target group to which our ads are to be made available. In this respect, no processing of personal data takes place by us.

Since our website sets cookies from LinkedIn, we make it easier for LinkedIn to recognize interested parties who have visited our pages. See the processing "Analysis of user behavior (LinkedIn)".

In addition, we enable LinkedIn to make our ads accessible to people who have a similar usage profile to typical visitors to our pages (so-called lookalike campaigns).

All processing of personal data mentioned here is the sole responsibility of LinkedIn.

We cannot provide any information on the details of data processing at LinkedIn. In this regard, the data protection information of LinkedIn applies: https://www.linkedin.com/legal...

Data categories: Usage data from LinkedIn's various services; target group formation according to gender, age groups, regions, areas of interest, occupation.

Data recipient (if applicable, third country transfer): LinkedIn Corp, addressable in Europe through LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland. LinkedIn guarantees handling of data at EU data protection level by concluding standard data protection clauses.

Purpose + legal basis: Target group-specific publication of advertisements. Legal basis is consent vis-à-vis LinkedIn - mostly via the LinkedIn usage agreement - and LinkedIn tracking partners, as LinkedIn's tracking technology may only be started after your corresponding consent.

Storage period: Not applicable

5.3 OUR SOCIAL MEDIA PROFILES

5.3.1 Facebook and Instagram

Description: We operate company profiles (also called fan pages) on Facebook and Instagram. Such a fan page enables us to present our organization on Facebook or Instagram, to contact you on this social media platform and to refer to our services and offers via advertisements on these platforms.

Meta provides us with analytics data about the use of our Fanpage (called Page Insights). This gives us an impression of how successful each of our communication measures is.

The data protection information of Meta applies to the details of data processing at Meta: https://www.facebook.com/about...

In accordance with a ruling of the European Court of Justice, the use of this analytics data is carried out in a joint responsibility with Meta pursuant to Article 26 DSGVO. Meta has provided a shared responsibility agreement accordingly (https://www.facebook.com/legal/terms/page_controller_addendum). In the agreement, Meta has assumed sole responsibility for all data processing issues. If you wish to exercise your rights under the GDPR with respect to data processed in Page Insights, you should contact Meta directly through your Meta account. However, in accordance with the legal rules on shared responsibility, you are also free to contact us with your concern. We would then pass your concern on to Meta.

Data Categories: Meta username; comments, likes and page views within Facebook or Instagram and time of action.

Data recipients (third country transfer if applicable): Meta Platforms Inc, contactable for us as a European organization via Meta Platforms Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. Meta guarantees handling of data at EU data protection level by concluding standard data protection clauses.

Purpose + legal basis: Analysis of usage behavior on our fan page or Instagram profile. The legal basis is the consent you have given in the context of your Meta registration.

Storage period: Meta is responsible for the storage period.

5.3.2 Twitter

Description: We operate a company profile on Twitter. Such a Twitter profile enables us to present our organization on Twitter, to contact you on this social media platform and to refer to our services and offers via advertisements on these platforms.

Twitter provides us with analytics data about the use of our profile page (Twitter Analytics). This gives us an impression of how successful the individual communication measures we take are.

For details of data processing at Twitter, please refer to Twitter's data protection information: https://twitter.com/de/privacy

Data categories: Twitter user name; comments, likes and page views within Twitter as well as time of action.

Data recipients (third country transfer, if applicable): Twitter Inc, addressable to us as a European organization via Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07, Ireland. Twitter guarantees handling of data at EU data protection level by concluding standard data protection clauses.

Purpose + legal basis: Analysis of usage behavior on our Twitter profile. The legal basis is the consent you have given as part of your Twitter registration.

Storage period: The storage period is the responsibility of Twitter.

5.3.3 LinkedIn

Description: We operate a company profile on LinkedIn. Such a LinkedIn profile enables us to present our organization on LinkedIn, to contact you on this social media platform and to refer to our services and offers via advertisements on these platforms.

LinkedIn provides us with analytics data about the use of our profile page. This gives us an impression of how successful each of our communication measures is.

The data protection information of LinkedIn applies to the details of data processing at LinkedIn: https://www.linkedin.com/legal...

Data categories: LinkedIn username; comments, likes and page views within LinkedIn as well as time of action.

Data recipients (third country transfer, if applicable): LinkedIn Corp, addressable to us as a European organization via LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland. LinkedIn guarantees handling of the data at EU data protection level by concluding standard data protection clauses.

Purpose + legal basis: Analysis of usage behavior on our LinkedIn profile. The legal basis is the consent you have given as part of your LinkedIn registration.

Storage period: The storage period is the responsibility of LinkedIn.

5.3.4 Xing

Description: We operate a company profile on Xing. Such a Xing profile enables us to present our organization on Xing, to contact you on this social media platform and to refer to our services and offers via advertisements on these platforms.

Xing provides us with analytics data about the use of our profile page. This gives us an impression of how successful each of our communication measures is.

For details of data processing at Xing, please refer to Xing's data protection information: https://privacy.xing.com/de/da...

Data categories: Xing username; comments, likes and page views within Xing as well as time of action.

Data recipient (third country transfer, if applicable): New Work SE (operator of xing.com), Dammtorstraße 30, 20354 Hamburg. A third country transfer does not take place.

Purpose + legal basis: Analysis of usage behavior on our Xing profile. The legal basis is the consent you have given as part of your Xing registration.

Storage period: The storage period is the responsibility of Xing.

5.4 SUPPLIERS AND SERVICE PROVIDERS

Description: As a customer, we process personal data of our suppliers and service providers who are self-employed or partnerships, or of our contacts at such organizations, in order to be able to communicate with you about the processing of the order.

In addition to the substantive communication, your data is typically processed in the separately described processing operations for "communication with us" (see there).

Data categories: Contact, contract and billing data

Data recipients (third country transfer, if applicable): Tax consultants, auditors, lawyers in their function as professional secrecy holders.

Purpose + legal basis: Proper business management. Legal bases are contract fulfillment as well as legal obligations and legitimate interests.

Storage period: In accordance with tax law, invoice data must be stored for 10 years; contract data must be stored for different periods depending on the type of contract. In the case of copyrights, such periods extend up to 70 years beyond the death of the author.

5.5 JOB PLACEMENTS

5.5.1 Applications

Description: If you apply for a position with us, we will process your application documents until the application process is completed solely for the purpose of deciding whether to hire you. We limit access to your documents to those persons whom we reasonably involve in the decision about your hiring.

If you are hired, your application documents will become part of your personnel file. If hiring does not occur, we will either ask for your consent to be included in our candidate pool or return or destroy your records as soon as it is no longer reasonable to expect opposition to our decision under anti-discrimination law.

Data categories: Name + contact details (e-mail, telephone, address), photo, profile URL in professional networks (e.g. Xing); details in the letter of application, in the CV, in certificates and references, educational certificates and professional qualifications, notes on job interviews (by telephone and in person), results from recruitment tests, if applicable.

Data recipients (third country transfer, if applicable): None

Purpose + legal basis: decision-making basis for job filling. Legal basis is preparation for fulfillment of a contract (employment contract) and subsequently a legitimate interest in defending against appeals against negative decisions.

Storage period: 6 months after completion of the original application process.

5.5.2 Candidate pool

Description: If we are not currently able to offer you a suitable position, but would like to consider you again in the selection process for positions to be filled in the future, we request your consent to store your application documents beyond the conclusion of the current application process. If we are unable to get back to you for more than two years, we will again ask for your consent to keep them, or return or delete your documents.

Data categories: Name + contact details (e-mail, telephone, address), photo, profile URL in professional networks (e.g. Xing); details in the letter of application, in the CV, in certificates and references, training certificates and professional qualifications, notes on job interviews (by telephone and in person), results from recruitment tests, if applicable.

Data recipients (third country transfer, if applicable): None

Purpose + legal basis: decision-making basis for future staffing. Legal basis is consent.

Storage period: 2 years since last contact or last consent.

5.5.3 Job ads on Facebook/Instagram

Description: We advertise for new employees on the online platforms Facebook and Instagram. You can use the ads to communicate your interest in our company directly to us. For this purpose, Meta, as the operator of Facebook and Instagram, transmits your contact data and your answers to some questions to us in combination with the statement that you wish to receive further information or to be contacted by us.

This description here relates solely to how we obtain your contact information after you have expressed your relevant interest on Facebook or Instagram.

Meta independently processes your usage behavior within the online platform as well as the contact data passed on to us. In this respect, we refer to Meta's data protection information and your personal legal relationship with Meta.

Insofar as Meta provides us with analysis data, there is a joint responsibility, which we present separately in the section "Company profiles on social media platforms" and there in the subsections "Facebook" and "Instagram".

For further processing of your data as part of the application process, see the relevant subsections in our data protection information.

Data categories: Name + contact details (e.g., email, phone, address); answers to questions (e.g., about work experience and availability); timestamp and reference to the ad to which you responded.

Data recipients (third country transfer, if applicable): None (We receive data from you via Meta).

Purpose + legal basis: contacting for job filling. Legal basis is preparation of a contract performance (employment contract).

Storage period: 6 months after completion of the original application process.

5.6 GENERAL INFRASTRUCTURE

5.6.1 E-mail box, contact directory, calendar

Description: For email, contact directory and calendar, we use Exchange accounts that collect these groups of data in a bundled manner. Emails you send to us or receive from us, your contact details and appointments with you are stored both on our hosting provider's servers and as a local copy on the end devices we have connected to our Exchange accounts.

Data categories: Name, contact data (e-mail, telephone, address, fax), your company, your company's business field, your job title, your area of responsibility, place, time and circumstance of contact, as well as any special notes on your availability or the business topics addressed; time of sending or receiving an e-mail; content of the e-mail (texts, documents, images, other files); other typical metadata of an e-mail.

Data recipient (third country transfer, if applicable): Our service provider for hosting the Exchange server, which is committed to data protection via a contract for processing orders. The service provider is located in the EU and uses data centers in the EU, but belongs to a US company. Insofar as third-country transfers take place due to the group affiliation, the service provider guarantees handling of the data at EU data protection level by concluding standard data protection clauses.

Purpose + legal basis: Use of email inbox, calendar and contact directory synchronized with each other. The legal basis is legitimate interest, as without such digital infrastructure participation in modern business would not be possible in a reasonably efficient manner.

Storage period: we store the e-mails and entries for as long as is necessary to fulfill a purpose. Depending on the content of an email, business relationship to a contact or background to an appointment, these can be very different purposes; accordingly, the retention periods are varied.

Example: If your e-mail serves to prepare the conclusion of a contract, the obligation from the German Commercial Code (HGB) to retain business letters for six years applies.

5.6.2 Telephone calls

Description: If we speak with each other by telephone, our telephone system or our cell phones record your number and the time of the call.

If the content of the conversation warrants it, we create a memo of the conversation and document it in the appropriate place (e.g., in the customer database or for applicants and employees in the HR department). It is conceivable that we will include your data in our contact directory for further communication. If your number is stored in the contact directory of the device, your name will be displayed to us in addition to your number.

Audio recordings of conversations will only take place in exceptional circumstances and after we have obtained your explicit consent to do so.

Data categories: Telephone number; time of call; name, if applicable (if stored in files); call content, if applicable (if noted or recorded).

Data recipients (third country transfer, if applicable): Telecommunications providers covered by telecommunications secrecy. There is no transfer to third countries.

Purpose + legal basis: communication by telephone call. Depending on the content of the conversation, the legal basis is preparation or fulfillment of a contract or a legitimate interest in exchanging information with you.

Storage period: Depending on the content of the conversation. Individual call notes may be subject to the six-year retention requirement for business letters under commercial law.

5.6.3 IT administration

Description: We use service providers for the administration, maintenance and care of our information technology. These service providers do not deal with the content of the personal data processed by us. But in the maintenance of databases and other system units, personal data may come to the attention of the service providers. All our service providers have been explicitly committed to confidentiality through appropriate contracts, in accordance with the sensitivity of the data to which they may have access.

Data categories: Any type of data

Data recipients (third country transfer, if applicable): IT service providers who are committed to data protection via an order processing agreement or another form of confidentiality commitment. A third country transfer does not take place.

Purpose + legal basis: Use of competent service providers for professional IT administration. The legal basis is a legitimate interest, as the service providers have been committed to data protection via adequate confidentiality obligations.

Storage period: Independent storage does not take place.

5.6.4 Data protection management

Description: If you assert your data protection rights against us, we document the associated communication and processes in our data protection management application.

Data categories: Name, contact data, information on the data protection request.

Data recipient (third country transfer, if applicable): Our data protection officer, who is legally bound to confidentiality, is located in the EEA. Our service provider for the cloud application for data protection management, who is obligated to data protection via an order processing agreement, is located in the EEA. A third country transfer therefore does not take place.

Purpose + legal basis: data protection management. Legal basis is the legal accountability from the DSGVO.

Storage period: We store the data relating to a legal dispute until the final conclusion of the dispute, including all relevant limitation and objection periods. If the repetition of a comparable dispute with you or other persons is conceivable, we will store at least the documents that are decisive for the proceedings - if necessary in anonymized form - for a correspondingly longer period.

Last updated: February 2023