Privacy Policy

    With the following privacy policy we would like to inform you which types of your personal data (hereinafter also abbreviated as "data") we process for which purposes and in which scope. The privacy statement applies to all processing of personal data carried out by us, both in the context of providing our services and in particular on our websites, in mobile applications and within external online presences.

    Last Update: 11 April 2024

    Controller

    Image Engineering GmbH & Co. KG

    Image Engineering GmbH & Co. KG – HRA 28334 Amtsgericht Köln
    Image Engineering Komplementär GmbH – HRB 93293 Amtsgericht Köln
    Managing Directors: Dipl.-Ing. Nicola Best, Dipl.-Ing. Uwe Artmann

    Im Gleisdreieck 5
    50169 Kerpen

    E-mail address: nicola.best@image-engineering.de
    Phone: +49 (2273) 99991-0
    Legal Notice: /imprint

    Contact information of the Data Protection Officer

    Frau Franziska Müller

    Image Engineering GmbH & Co. KG

    Im Gleisdreieck 5, 50169, Kerpen

    datenschutz@image-engineering.de

    Overview of processing operations

    The following table summarises the types of data processed, the purposes for which they are processed and the concerned data subjects.

    Categories of Processed Data

    • Inventory data.

    • Employee Data.

    • Payment Data.

    • Contact data.

    • Content data.

    • Contract data.

    • Usage data.

    • Meta, communication and process data.

    • Job applicant details.

    Categories of Data Subjects

    • Customers.

    • Employees.

    • Prospective customers.

    • Communication partner.

    • Users.

    • Job applicants.

    • Business and contractual partners.

    • Participants.

    • Persons depicted.

    • Third parties.

    • Whistleblowers.

    Purposes of Processing

    • Provision of contractual services and fulfillment of contractual obligations.

    • Contact requests and communication.

    • Security measures.

    • Direct marketing.

    • Web Analytics.

    • Office and organisational procedures.

    • Managing and responding to inquiries.

    • Job Application Process.

    • Feedback.

    • Marketing.

    • Profiles with user-related information.

    • Provision of our online services and usability.

    • Information technology infrastructure.

    • Whistleblower protection.

    Relevant legal bases

    Relevant legal bases according to the GDPR: In the following, you will find an overview of the legal basis of the GDPR on which we base the processing of personal data. Please note that in addition to the provisions of the GDPR, national data protection provisions of your or our country of residence or domicile may apply. If, in addition, more specific legal bases are applicable in individual cases, we will inform you of these in the data protection declaration.

    • Consent (Article 6 (1) (a) GDPR) - The data subject has given consent to the processing of his or her personal data for one or more specific purposes.

    • Performance of a contract and prior requests (Article 6 (1) (b) GDPR) - Performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.

    • Compliance with a legal obligation (Article 6 (1) (c) GDPR) - Processing is necessary for compliance with a legal obligation to which the controller is subject.

    • Legitimate Interests (Article 6 (1) (f) GDPR) - the processing is necessary for the protection of the legitimate interests of the controller or a third party, provided that the interests, fundamental rights, and freedoms of the data subject, which require the protection of personal data, do not prevail.

    • Job application process as a pre-contractual or contractual relationship (Article 6 (1) (b) GDPR) - If special categories of personal data within the meaning of Article 9 (1) GDPR (e.g. health data, such as severely handicapped status or ethnic origin) are requested from applicants within the framework of the application procedure, so that the responsible person or the person concerned can carry out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law, their processing shall be carried out in accordance with Article 9 (2)(b) GDPR, in the case of the protection of vital interests of applicants or other persons on the basis of Article 9 (2)(c) GDPR or for the purposes of preventive health care or occupational medicine, for the assessment of the employee's ability to work, for medical diagnostics, care or treatment in the health or social sector or for the administration of systems and services in the health or social sector in accordance with Article 9 (2)(d) GDPR. In the case of a communication of special categories of data based on voluntary consent, their processing is carried out on the basis of Article 9 (2)(a) GDPR.

    National data protection regulations in Germany: In addition to the data protection regulations of the GDPR, national regulations apply to data protection in Germany. This includes in particular the Law on Protection against Misuse of Personal Data in Data Processing (Federal Data Protection Act - BDSG). In particular, the BDSG contains special provisions on the right to access, the right to erase, the right to object, the processing of special categories of personal data, processing for other purposes and transmission as well as automated individual decision-making, including profiling. Furthermore, data protection laws of the individual federal states may apply.

    Reference to the applicability of the GDPR and the Swiss DPA: These privacy notices serve both to provide information in accordance with the Swiss Federal Act on Data Protection (Swiss DPA) and the General Data Protection Regulation (GDPR).

    Security Precautions

    We take appropriate technical and organisational measures in accordance with the legal requirements, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, in order to ensure a level of security appropriate to the risk.

    The measures include, in particular, safeguarding the confidentiality, integrity and availability of data by controlling physical and electronic access to the data as well as access to, input, transmission, securing and separation of the data. In addition, we have established procedures to ensure that data subjects' rights are respected, that data is erased, and that we are prepared to respond to data threats rapidly. Furthermore, we take the protection of personal data into account as early as the development or selection of hardware, software and service providers, in accordance with the principle of privacy by design and privacy by default.

    Masking of the IP address: If IP addresses are processed by us or by the service providers and technologies used and the processing of a complete IP address is not necessary, the IP address is shortened (also referred to as "IP masking"). In this process, the last two digits or the last part of the IP address after a full stop are removed or replaced by wildcards. The masking of the IP address is intended to prevent the identification of a person by means of their IP address or to make such identification significantly more difficult.

    Securing online connections through TLS/SSL encryption technology (HTTPS): To protect the data of users transmitted via our online services from unauthorized access, we employ TLS/SSL encryption technology. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the cornerstones of secure data transmission on the internet. These technologies encrypt the information that is transferred between the website or app and the user's browser (or between two servers), thereby safeguarding the data from unauthorized access. TLS, as the more advanced and secure version of SSL, ensures that all data transmissions conform to the highest security standards. When a website is secured with an SSL/TLS certificate, this is indicated by the display of HTTPS in the URL. This serves as an indicator to users that their data is being securely and encryptedly transmitted.

    Transmission of Personal Data

    In the course of processing personal data, it may happen that this data is transmitted to or disclosed to other entities, companies, legally independent organizational units, or individuals. Recipients of this data may include service providers tasked with IT duties or providers of services and content that are integrated into a website. In such cases, we observe the legal requirements and particularly conclude relevant contracts or agreements that serve to protect your data with the recipients of your data.

    Data Transmission within the Group of Companies: We may transfer personal data to other companies within our group of companies or otherwise grant them access to this data. Insofar as this disclosure is for administrative purposes, the disclosure of the data is based on our legitimate business and economic interests or otherwise, if it is necessary to fulfill our contractual obligations or if the consent of the data subjects or otherwise a legal permission is present.

    International data transfers

    Data Processing in Third Countries: If we process data in a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)), or if the processing is done within the context of using third-party services or the disclosure or transfer of data to other individuals, entities, or companies, this is only done in accordance with legal requirements. If the data protection level in the third country has been recognized by an adequacy decision (Article 45 GDPR), this serves as the basis for data transfer. Otherwise, data transfers only occur if the data protection level is otherwise ensured, especially through standard contractual clauses (Article 46 (2)(c) GDPR), explicit consent, or in cases of contractual or legally required transfers (Article 49 (1) GDPR). Furthermore, we provide you with the basis of third-country transfers from individual third-country providers, with adequacy decisions primarily serving as the foundation. Information regarding third-country transfers and existing adequacy decisions can be obtained from the information provided by the EU Commission: EU Commission – International dimension of data protection.

    EU-US Trans-Atlantic Data Privacy Framework: Within the context of the so-called "Data Privacy Framework" (DPF), the EU Commission has also recognized the data protection level for certain companies from the USA as secure within the adequacy decision of 10th July 2023. The list of certified companies as well as additional information about the DPF can be found on the website of the US Department of Commerce at dataprivacyframework.gov. We will inform you which of our service providers are certified under the Data Privacy Framework as part of our data protection notices.

    Data Retention and Deletion

    The data processed by us will be erased in accordance with the statutory provisions as soon as their processing is revoked or other permissions no longer apply (e.g. if the purpose of processing this data no longer applies or they are not required for the purpose). If the data is not deleted because they are required for other and legally permissible purposes, their processing is limited to these purposes. This means that the data will be restricted and not processed for other purposes. This applies, for example, to data that must be stored for commercial or tax reasons or for which storage is necessary to assert, exercise or defend legal claims or to protect the rights of another natural or legal person. In the context of our information on data processing, we may provide users with further information on the deletion and retention of data that is specific to the respective processing operation. Where multiple statements regarding a date for retention periods or deletion deadlines are made, the longer specifications shall apply. If no start is specified for periods, they generally begin at the end of the calendar year in which the event triggering the period has taken place, provided they have a duration of at least one year. If data is not preserved or archived for the purpose for which it was collected, but for legal or other reasons, the processing of this data is carried out exclusively for the purposes for which it is preserved or archived.

    Rights of Data Subjects

    Rights of the Data Subjects under the GDPR: As data subject, you are entitled to various rights under the GDPR, which arise in particular from Articles 15 to 21 of the GDPR:

    • Right to Object: You have the right, on grounds arising from your particular situation, to object at any time to the processing of your personal data which is based on letter (e) or (f) of Article 6(1) GDPR, including profiling based on those provisions. Where personal data are processed for direct marketing purposes, you have the right to object at any time to the processing of the personal data concerning you for the purpose of such marketing, which includes profiling to the extent that it is related to such direct marketing.

    • Right of withdrawal for consents: You have the right to revoke consents at any time.

    • Right of access: You have the right to request confirmation as to whether the data in question will be processed and to be informed of this data and to receive further information and a copy of the data in accordance with the provisions of the law.

    • Right to rectification: You have the right, in accordance with the law, to request the completion of the data concerning you or the rectification of the incorrect data concerning you.

    • Right to Erasure and Right to Restriction of Processing: In accordance with the statutory provisions, you have the right to demand that the relevant data be erased immediately or, alternatively, to demand that the processing of the data be restricted in accordance with the statutory provisions.

    • Right to data portability: You have the right to receive data concerning you which you have provided to us in a structured, common and machine-readable format in accordance with the legal requirements, or to request its transmission to another controller.

    • Complaint to the supervisory authority: In accordance with the law and without prejudice to any other administrative or judicial remedy, you also have the right to lodge a complaint with a data protection supervisory authority, in particular a supervisory authority in the Member State where you habitually reside, the supervisory authority of your place of work or the place of the alleged infringement, if you consider that the processing of personal data concerning you infringes the GDPR.

    Business services

    We process data of our contractual and business partners, e.g. customers and interested parties (collectively referred to as "contractual partners") within the context of contractual and comparable legal relationships as well as associated actions and communication with the contractual partners or pre-contractually, e.g. to answer inquiries.

    We process this data in order to fulfill our contractual obligations. These include, in particular, the obligations to provide the agreed services, any update obligations and remedies in the event of warranty and other service disruptions. In addition, we process the data to protect our rights and for the purpose of administrative tasks associated with these obligations and company organization. Furthermore, we process the data on the basis of our legitimate interests in proper and economical business management as well as security measures to protect our contractual partners and our business operations from misuse, endangerment of their data, secrets, information and rights (e.g. for the involvement of telecommunications, transport and other auxiliary services as well as subcontractors, banks, tax and legal advisors, payment service providers or tax authorities). Within the framework of applicable law, we only disclose the data of contractual partners to third parties to the extent that this is necessary for the aforementioned purposes or to fulfill legal obligations. Contractual partners will be informed about further forms of processing, e.g. for marketing purposes, within the scope of this privacy policy.

    Which data are necessary for the aforementioned purposes, we inform the contracting partners before or in the context of the data collection, e.g. in online forms by special marking (e.g. colors), and/or symbols (e.g. asterisks or the like), or personally.

    We delete the data after expiry of statutory warranty and comparable obligations, i.e. in principle after expiry of 4 years, unless the data is stored in a customer account or must be kept for legal reasons of archiving. The statutory retention period for documents relevant under tax law as well as for commercial books, inventories, opening balance sheets, annual financial statements, the instructions required to understand these documents and other organizational documents and accounting records is ten years and for received commercial and business letters and reproductions of sent commercial and business letters six years. The period begins at the end of the calendar year in which the last entry was made in the book, the inventory, the opening balance sheet, the annual financial statements or the management report was prepared, the commercial or business letter was received or sent, or the accounting document was created, furthermore the record was made or the other documents were created.

    • Processed data types: Inventory data; Payment Data; Contact data; Contract data.

    • Data subjects: Prospective customers; Business and contractual partners.

    • Purposes of processing: Provision of contractual services and fulfillment of contractual obligations; Contact requests and communication; Office and organisational procedures; Managing and responding to inquiries.

    • Legal Basis: Performance of a contract and prior requests (Article 6 (1) (b) GDPR); Compliance with a legal obligation (Article 6 (1) (c) GDPR); Legitimate Interests (Article 6 (1) (f) GDPR).

    Payment Procedure

    Within the framework of contractual and other legal relationships, due to legal obligations or otherwise on the basis of our legitimate interests, we offer data subjects efficient and secure payment options and use other service providers for this purpose in addition to banks and credit institutions (collectively referred to as "payment service providers").

    The data processed by the payment service providers includes inventory data, such as the name and address, bank data, such as account numbers or credit card numbers, passwords, TANs and checksums, as well as the contract, total and recipient-related information. The information is required to carry out the transactions. However, the data entered is only processed by the payment service providers and stored with them. I.e. we do not receive any account or credit card related information, but only information with confirmation or negative information of the payment. Under certain circumstances, the data may be transmitted by the payment service providers to credit agencies. The purpose of this transmission is to check identity and creditworthiness. Please refer to the terms and conditions and data protection information of the payment service providers.

    The terms and conditions and data protection information of the respective payment service providers apply to the payment transactions and can be accessed within the respective websites or transaction applications. We also refer to these for further information and the assertion of revocation, information and other data subject rights.

    • Processed data types: Inventory data; Payment Data; Contract data; Usage data; Meta, communication and process data.

    • Data subjects: Customers; Prospective customers.

    • Purposes of processing: Provision of contractual services and fulfillment of contractual obligations.

    • Legal Basis: Performance of a contract and prior requests (Article 6 (1) (b) GDPR).

    Services used

    • Mastercard: Payment service provider; Mastercard Europe SA, Belgium. Privacy Policy

    • PayPal: Payment service provider; PayPal (Europe) S.à r.l. et Cie, S.C.A., Luxembourg. Privacy Policy

    • Visa: Payment service provider; Visa Europe Services Inc., London, UK. Privacy Policy

    Provision of online services and web hosting

    We process user data in order to be able to provide them with our online services. For this purpose, we process the IP address of the user, which is necessary to transmit the content and functions of our online services to the user's browser or terminal device.

    • Processed data types: Usage data; Meta, communication and process data; Content data.

    • Data subjects: Users (e.g. website visitors, users of online services).

    • Purposes of processing: Provision of our online services and usability; Information technology infrastructure; Security measures.

    • Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR).

    Services and procedures used

    • Provision of online offer on rented hosting space: For the provision of our online services, we use storage space, computing capacity and software that we rent or otherwise obtain from a corresponding server provider (also referred to as a "web hoster").

    • Collection of Access Data and Log Files: The access to our online services is logged in the form of so-called "server log files". Server log files may include the address and name of the web pages and files accessed, the date and time of access, data volumes transferred, notification of successful access, browser type and version, the user's operating system, referrer URL and IP addresses. Retention period: max. 30 days, then deleted or anonymized.

    • E-mail Sending and Hosting: The web hosting services we use also include sending, receiving and storing e-mails. Please note that e-mails on the Internet are generally not sent in encrypted form.

    • Dogado: Hosting and e-mail services; dogado GmbH, Antonio-Segni-Straße 11, D-44263 Dortmund. Privacy Policy

    Use of Cookies

    Cookies are small text files or other types of storage markers that store information on end devices and read information from them. For example, to save the login status in a user account, the contents of a shopping cart in an e-shop, the content accessed, or the functions used of an online offer. Furthermore, cookies can be used for various concerns, such as for the functionality, security, and comfort of online offers as well as the creation of analyses of visitor flows.

    Notes on Consent: We use cookies in accordance with legal regulations. Therefore, we obtain prior consent from users, unless it is not required by law. Permission is particularly not necessary if the storage and reading of information, including cookies, are absolutely necessary to provide a telemedia service expressly requested by the users. The revocable consent is clearly communicated and contains information on the respective cookie usage.

    Notes on the legal basis for data protection: The legal basis on which we process users' personal data with the help of cookies depends on whether we ask them for consent. If users accept, the legal basis for processing their data is the declared consent. Otherwise, the data processed with the help of cookies are based on our legitimate interests or contractual fulfilment.

    Storage Duration

    • Temporary cookies (also: session cookies): Temporary cookies are deleted at the latest after a user has left an online offer and closed his end device.

    • Permanent cookies: Permanent cookies remain stored even after closing the end device. Storage duration can be up to two years.

    General notes on revocation and objection (Opt-out): Users can revoke the consents they have given at any time and also declare an objection to the processing according to legal requirements, also via the privacy settings of their browser.

    • Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR).

    Contact and Inquiry Management

    When contacting us (e.g. via mail, contact form, e-mail, telephone or via social media) as well as in the context of existing user and business relationships, the information of the inquiring persons is processed to the extent necessary to respond to the contact requests and any requested measures.

    • Processed data types: Contact data; Content data; Usage data; Meta, communication and process data.

    • Data subjects: Communication partner.

    • Purposes of processing: Contact requests and communication; Managing and responding to inquiries; Feedback; Provision of our online services and usability.

    • Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR); Performance of a contract and prior requests (Article 6 (1) (b) GDPR).

    Procedures used

    • Contact form: When users contact us via our contact form, e-mail or other communication channels, we process the data provided to us in this context to process the communicated request.

    Video Conferences, Online Meetings, Webinars and Screen-Sharing

    We use platforms and applications of other providers (hereinafter referred to as "Conference Platforms") for the purpose of conducting video and audio conferences, webinars and other types of video and audio meetings. When using the Conference Platforms and their services, we comply with the legal requirements.

    Data processed by Conference Platforms: In the course of participation in a Conference, the data of the participants includes personal information (first/last name), contact information, access data, profile pictures, professional position, IP address, end device information, browser, communication content (chat, audio, video) and other functions used (e.g. surveys). Content of communications is encrypted to the extent technically provided by the conference providers.

    Logging and recording: If text entries, participation results or video/audio recordings are recorded, this will be transparently communicated to the participants in advance and they will be asked - if necessary - for their consent.

    Data protection measures of the participants: Please refer to the data privacy information of the Conference Platforms and select the optimum security and privacy settings.

    • Processed data types: Inventory data; Contact data; Content data; Usage data; Meta, communication and process data.

    • Data subjects: Communication partner; Users; Persons depicted.

    • Purposes of processing: Provision of contractual services; Contact requests and communication; Office and organisational procedures.

    • Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR).

    Services used

    • Microsoft Teams: Conference and communication software; Microsoft Ireland Operations Limited, Dublin, Ireland. Privacy Policy. Basis for third-country transfers: Data Privacy Framework (DPF).

    Cloud Services

    We use Internet-accessible software services (so-called "cloud services", also referred to as "Software as a Service") provided on the servers of its providers for the storage and management of content (e.g. document storage and management, exchange of documents, content and information with certain recipients or publication of content and information).

    Within this framework, personal data may be processed and stored on the provider's servers insofar as this data is part of communication processes with us or is otherwise processed by us in accordance with this privacy policy. This data may include in particular master data and contact data of data subjects, data on processes, contracts, other proceedings and their contents. Cloud service providers also process usage data and metadata that they use for security and service optimization purposes.

    If we use cloud services to provide documents and content to other users or publicly accessible websites, forms, etc., providers may store cookies on users' devices for web analysis or to remember user settings.

    • Processed data types: Inventory data; Contact data; Content data; Usage data; Meta, communication and process data.

    • Data subjects: Customers; Employees; Prospective customers; Communication partner.

    • Purposes of processing: Office and organisational procedures; Information technology infrastructure.

    • Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR).

    Services used

    • Microsoft Cloud Services: Cloud storage, cloud infrastructure and cloud-based application software; Microsoft Ireland Operations Limited, Dublin, Ireland. Privacy Policy. Basis for third-country transfers: Data Privacy Framework (DPF).

    Newsletter and Electronic Communications

    We send newsletters, e-mails and other electronic communications (hereinafter referred to as "newsletters") only with the consent of the recipient or a legal permission. Insofar as the contents of the newsletter are specifically described within the framework of registration, they are decisive for the consent of the user. Otherwise, our newsletters contain information about our services and us.

    In order to subscribe to our newsletters, it is generally sufficient to enter your e-mail address. We may, however, ask you to provide a name for the purpose of contacting you personally in the newsletter or to provide further information if this is required for the purposes of the newsletter.

    Double opt-in procedure: The registration to our newsletter takes place in general in a so-called Double-Opt-In procedure. This means that you will receive an e-mail after registration asking you to confirm your registration. This confirmation is necessary so that no one can register with external e-mail addresses.

    The registrations for the newsletter are logged in order to be able to prove the registration process according to the legal requirements. This includes storing the login and confirmation times as well as the IP address. Likewise the changes of your data stored with the dispatch service provider are logged.

    Deletion and restriction of processing: We may store the unsubscribed email addresses for up to three years based on our legitimate interests before deleting them to provide evidence of prior consent.

    Contents

    Information about us, our services, promotions and offers.

    • Processed data types: Inventory data; Contact data; Meta, communication and process data; Usage data.

    • Data subjects: Communication partner.

    • Purposes of processing: Direct marketing.

    • Legal Basis: Consent (Article 6 (1) (a) GDPR).

    • Opt-Out: You can cancel the receipt of our newsletter at any time, i.e. revoke your consent or object to further receipt.

    Procedures used

    • Measurement of opening rates and click rates: The newsletters contain a so-called "web beacon". This information is used to technically improve our newsletter and is based on user consent.

    Surveys and Questionnaires

    We conduct surveys and interviews to gather information for the survey purpose communicated in each case. The surveys and questionnaires ("surveys") carried out by us are evaluated anonymously. Personal data is only processed insofar as this is necessary for the provision and technical execution of the survey.

    • Processed data types: Contact data; Content data; Usage data; Meta, communication and process data.

    • Data subjects: Communication partner; Participants.

    • Purposes of processing: Feedback.

    • Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR).

    Web Analysis, Monitoring and Optimization

    Web analysis is used to evaluate the visitor traffic on our website and may include the behaviour, interests or demographic information of users, such as age or gender, as pseudonymous values. With the help of web analysis we can recognize at which time our online services or their functions or contents are most frequently used or requested for repeatedly, as well as which areas require optimization.

    In addition to web analysis, we can also use test procedures, e.g. to test and optimize different versions of our online services or their components.

    Profiles, i.e. data aggregated for a usage process, can be created for these purposes and information can be stored in a browser or in a terminal device and read from it. The information collected includes, in particular, websites visited and elements used there as well as technical information such as the browser used, the computer system used and information on usage times.

    The IP addresses of the users are also stored. However, we use any existing IP masking procedure (i.e. pseudonymisation by shortening the IP address) to protect the user.

    • Processed data types: Usage data; Meta, communication and process data.

    • Data subjects: Users.

    • Purposes of processing: Web Analytics; Profiles with user-related information.

    • Security measures: IP Masking (Pseudonymization of the IP address).

    Profiles in Social Networks (Social Media)

    We maintain online presences within social networks and process user data in this context in order to communicate with the users active there or to offer information about us.

    We would like to point out that user data may be processed outside the European Union. This may entail risks for users, e.g. by making it more difficult to enforce users' rights.

    In addition, user data is usually processed within social networks for market research and advertising purposes. For example, user profiles can be created on the basis of user behaviour and the associated interests of users.

    • Processed data types: Contact data; Content data; Usage data; Meta, communication and process data.

    • Data subjects: Users.

    • Purposes of processing: Contact requests and communication; Feedback; Marketing.

    • Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR).

    Services used

    • Facebook Pages: Profiles within the social network Facebook; Meta Platforms Ireland Limited, Dublin, Ireland. Privacy Policy. Basis for third-country transfers: DPF. Joint controllership for Page Insights.

    • LinkedIn: Social network; LinkedIn Ireland Unlimited Company, Dublin, Ireland. Privacy Policy. Basis for third-country transfers: DPF.

    • YouTube: Social network and video platform; Google Ireland Limited, Dublin, Ireland. Privacy Policy. Basis for third-country transfers: DPF.

    Plugins and Embedded Functions and Content

    Within our online services, we integrate functional and content elements that are obtained from the servers of their respective providers (hereinafter referred to as "third-party providers"). These may, for example, be graphics, videos or city maps.

    The integration always presupposes that the third-party providers of this content process the IP address of the user, since they could not send the content to their browser without the IP address. The IP address is therefore required for the presentation of these contents or functions. We strive to use only those contents whose respective offerers use the IP address only for the distribution of the contents. Third parties may also use so-called pixel tags (invisible graphics, also known as "web beacons") for statistical or marketing purposes.

    • Processed data types: Usage data; Meta, communication and process data; Inventory data; Contact data; Content data.

    • Data subjects: Users.

    • Purposes of processing: Provision of our online services and usability.

    • Legal Basis: Consent (Article 6 (1) (a) GDPR).

    Services used

    • YouTube videos: Video contents; Google Ireland Limited, Dublin, Ireland. Privacy Policy. Basis for third-country transfers: DPF.

    Job Application Process

    The application process requires applicants to provide us with the data necessary for their assessment and selection. The information required can be found in the job description or, in the case of online forms, in the information contained therein.

    In principle, the required information includes personal information such as name, address, a contact option and proof of the qualifications required for a particular employment. Upon request, we will be happy to provide you with additional information.

    If made available, applicants can submit their applications via an online form. The data will be transmitted to us encrypted according to the state of the art. Applicants can also send us their applications by e-mail. Please note, however, that e-mails on the Internet are generally not sent in encrypted form.

    Processing of special categories of data: To the extent that special categories of personal data (Article 9(1) GDPR, e.g., health data) are requested from applicants or communicated by them during the application process, their processing is carried out so that the controller or the data subject can exercise rights arising from employment law and the law of social security and social protection.

    Erasure of data: In the event of a successful application, the data provided by the applicants may be further processed by us for the purposes of the employment relationship. Otherwise, if the application for a job offer is not successful, the applicant's data will be deleted. Applicants' data will also be deleted if an application is withdrawn. Subject to a justified revocation by the applicant, the deletion will take place at the latest after the expiry of a period of six months.

    Admission to a talent pool: Admission to a talent pool, if offered, is based on consent. Applicants are informed that their consent is voluntary, has no influence on the current application process and can be revoked at any time for the future.

    • Processed data types: Inventory data; Contact data; Content data; Job applicant details.

    • Data subjects: Job applicants.

    • Purposes of processing: Job Application Process.

    • Legal Basis: Job application process as a pre-contractual or contractual relationship (Article 6 (1) (b) GDPR).

    Privacy Information for Whistleblowers

    In this section, you will find information on how we handle data from individuals who provide tips (whistleblowers), as well as from affected and involved parties within the framework of our whistleblower procedure. Our aim is to offer a straightforward and secure means of reporting potential misconduct by us, our employees, or service providers, especially for actions that violate laws or ethical guidelines. Furthermore, we ensure appropriate processing and handling of the reports.

    Legal Bases (Germany): To the extent that we process data to fulfil our legal obligations in accordance with the Whistleblower Protection Act (HinSchG), the legal basis for processing is Article 6(1)(c) GDPR and, in the case of special categories of personal data, Article 9(2)(g) GDPR, § 22 BDSG, in conjunction with § 10 HinSchG.

    To the extent that we process data (especially in cases of identified misconduct) for the purpose of or in preparation for legal defence, this is done on the basis of our legitimate interests in lawful and ethical conduct in accordance with Article 6(1)(f) GDPR.

    To the extent that consent has been given for processing personal data for specific purposes, processing is based on this consent according to Article 6(1)(a) of the GDPR and in case of special categories of personal data Article 9(2)(a) of the GDPR.

    • Processed data types: Inventory data; Employee Data; Contact data; Content data; Usage data.

    • Data subjects: Employees; Third parties; Whistleblowers.

    • Purposes of processing: Whistleblower protection.

    • Legal Basis: Consent (Article 6 (1) (a) GDPR); Compliance with a legal obligation (Article 6 (1) (c) GDPR); Legitimate Interests (Article 6 (1) (f) GDPR).

    Whistleblower Systems

    As part of our whistleblower procedure, we employ external service providers. In doing so, we operate within the framework of legal requirements and ensure that the technical and organizational demands for security measures that we adhere to are also met by the external providers.

    • Processed data types: Inventory data; Employee Data; Contact data; Content data; Usage data.

    • Data subjects: Employees; Third parties; Whistleblowers; Users; Business and contractual partners.

    • Purposes of processing: Whistleblower protection; Security measures.

    • Legal Basis: Consent (Article 6 (1) (a) GDPR); Compliance with a legal obligation (Article 6 (1) (c) GDPR); Legitimate Interests (Article 6 (1) (f) GDPR).

    Services used

    • EQS Integrity Line: Whistleblowing Channel and System; EQS Group AG, Karlstraße 47, 80333 Munich, Germany. Privacy Policy

    Changes and Updates to the Privacy Policy

    We kindly ask you to inform yourself regularly about the contents of our data protection declaration. We will adjust the privacy policy as changes in our data processing practices make this necessary. We will inform you as soon as the changes require your cooperation (e.g. consent) or other individual notification.

    If we provide addresses and contact information of companies and organizations in this privacy policy, we ask you to note that addresses may change over time and to verify the information before contacting us.

    Supervisory authority competent for us

    Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen
    Postfach 20 04 44
    40102 Düsseldorf
    Telefonzentrale: +49 (0)211 / 38424 – 0
    https://www.ldi.nrw.de/kontakt

    Terminology and Definitions

    In this section, you will find an overview of the terminology used in this privacy policy. Where the terminology is legally defined, their legal definitions apply. The following explanations, however, are primarily intended to aid understanding.

    • Contact data: Contact details are essential information that enables communication with individuals or organizations. They include phone numbers, postal addresses, email addresses, social media handles and instant messaging identifiers.

    • Content data: Content data comprise information generated in the process of creating, editing, and publishing content of all types: texts, images, videos, audio files, and other multimedia, as well as related metadata.

    • Contract data: Contract data are specific details pertaining to the formalisation of an agreement between two or more parties. They document the terms under which services or products are provided, exchanged, or sold.

    • Controller: The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

    • Employees: Individuals engaged in an employment relationship, whether as staff, employees, or in similar positions, including identification details, salary information, working hours, holiday entitlements, health data, and performance assessments.

    • Inventory data: Essential information required for the identification and management of contractual partners, user accounts, profiles, and similar assignments.

    • Meta, communication and process data: Information about how data is processed, transmitted, and managed, including metadata, communication logs, and procedural records.

    • Payment Data: All information necessary for processing payment transactions between buyers and sellers, e.g. credit card numbers, bank account information, payment amounts, transaction dates.

    • Personal Data: Any information relating to an identified or identifiable natural person.

    • Processing: Covers a wide range and practically every handling of data, be it collection, evaluation, storage, transmission or erasure.

    • Profiles with user-related information: Any kind of automated processing of personal data that consists of using these data to analyse, evaluate or predict certain personal aspects relating to a natural person.

    • Usage data: Information that captures how users interact with digital products, services, or platforms.

    • Web Analytics: Evaluation of visitor traffic of online services to determine behaviour or interests in certain information; uses pseudonymous cookies and web beacons.