Privacy policy
userwerk GmbH
The protection of privacy is important to us. If and to the extent that personal data is provided to us, it will be processed in accordance with the provisions of the EU General Data Protection Regulation (GDPR) and its current interpretation, as well as, in particular, the statutory data protection provisions of the Federal Data Protection Act (BDSG). All data will, of course, be treated confidentially. With the following data protection information, we would like to explain in more detail how data is handled.
1. Contact details of the controller and the data protection officer
1.1 Name and address of the controller
The controller within the meaning of the General Data Protection Regulation and other national data protection laws of the Member States as well as other data protection provisions (Art. 4 (7) GDPR) is:
userwerk GmbH
represented by the managing directors Dr. Markus Kalb & Daniel Speyer
Ehinger Str. 19
D-89077 Ulm
Email: office@userwerk.com
1.2 Questions about data protection; Data protection officer
If you have any questions about data processing or data protection at userwerk, you can contact us directly or our data protection officer at Kulitz & Twelmeier GmbH in Ulm at any time.
c/o Kulitz & Twelmeier GmbH
Magirus-Deutz-Str. 12
89077 Ulm
Germany
You can reach them by post at the above address (please mark the envelope “For the attention of the data protection officer”) or by email at datenschutz@userwerk.com.
Data disclosure
You can submit data subject requests directly and confidentially via our data protection portal.
2. General information about the collection of personal data
2.1 Principle
This privacy policy applies to all customers, interested parties, employees, contractual partners, and other natural persons who use our online offerings and the associated websites, functions, and content (hereinafter collectively referred to as “online offering” or “website”). The privacy policy applies regardless of the domains, systems, platforms, and devices (e.g., desktop or mobile) used to run the online offering or website.
2.2 Principles governing the scope of personal data processing
We share the philosophy underlying the GDPR and the Federal Data Protection Act (BDSG) that the collection and processing of personal data (“data”) must be limited as far as possible. Therefore, we only process personal data to the extent necessary for clearly defined purposes, which are set out below (principles of data avoidance and data minimization). Data processing is only permitted if it can be based on a sufficient legal basis or consent (principle of lawfulness). This means that we only process personal data to the extent necessary to provide a functional website and our content and services. The processing of personal data is generally only carried out with consent. An exception applies in cases where it is not possible to obtain prior consent for practical reasons and the processing of the data is permitted by law. Unless otherwise stated below, the terms “process” and “processing” also include, in particular, the collection, use, disclosure, and transfer of personal data (see Art. 4 No. 2 GDPR).
2.3 General information on the legal basis for the processing of personal data
2.3.1 General legal principles
The processing of personal data is prohibited in principle and only permitted in exceptional cases. The permissibility of data processing can only be based on the fact that the processing of the data can be supported by an appropriate legal basis. The following are conclusively considered as such:
- Insofar as we have obtained the consent of the data subject for the processing of personal data, Art. 6 (1) (a) GDPR serves as the legal basis.
- When processing personal data that is necessary for the performance of a contract to which the data subject is party, Article 6(1)(b) GDPR serves as the legal basis. This also applies to processing operations that are necessary for the implementation of pre-contractual measures.
- Insofar as the processing of personal data is necessary to fulfill a legal obligation to which we are subject, Art. 6 (1) lit. c GDPR serves as the legal basis.
- In the case that vital interests of the data subject or another natural person require the processing of personal data, Art. 6 para. 1 lit. d GDPR serves as the legal basis.
- Insofar as processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us, Art. 6 para. 1 lit. e GDPR is the legal basis for processing.
- If processing is necessary to safeguard a legitimate interest of our company or a third party, and if the interests, fundamental rights, and freedoms of the data subject do not outweigh the former interest, Art. 6 para. 1 lit. f GDPR serves as the legal basis for processing.
2.3.2 Special legal bases for the processing of special categories of personal data pursuant to Art. 9 GDPR
The processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, health data, or data concerning a natural person’s sex life or sexual orientation, is prohibited. In exceptional cases, we may also be permitted to process these special categories of personal data if there is an appropriate legal basis for doing so. The following in particular may be considered as such:
- If the data subject has expressly consented to the processing of special categories of personal data for one or more specific purposes, this constitutes the legal basis for the processing (Art. 9(2)(a) GDPR). This does not apply if Union law or the law of the Member States cannot be overridden by the prohibition on the processing of special categories of personal data.
- In the event that the data subject has clearly made the data public, Art. 9(2)(e) GDPR is the legal basis for processing.
- Insofar as the processing of data is necessary for the assertion, exercise, or defense of legal claims, processing is permissible under Article 9(2)(f) GDPR.
- The processing of data is permissible if it is necessary for reasons of substantial public interest on the basis of Union law or the law of a Member State which is proportionate to the aim pursued, respects the essence of the right to data protection and provides for appropriate and specific measures to safeguard the fundamental rights and interests of the data subject, cf. Art. 9 (2) (g) GDPR.
2.4 Objection and revocation of data processing
If consent to the processing of data has been given, it can be revoked at any time. Such revocation affects the permissibility of the processing of personal data after it has been communicated to us.
Insofar as we base the processing of personal data on a balancing of interests, an objection to the processing can be lodged. This is the case if the processing is not necessary for the fulfillment of a contract, as described below in the description of the functions. When exercising such an objection, we ask you to explain the reasons why we should not process personal data as we have done. In the event of a justified objection, we will examine the situation and either stop or adapt the data processing or point out our compelling legitimate grounds on the basis of which we will continue the processing.
2.5 Data deletion and storage period
We delete or block personal data as soon as the purpose for storing it no longer applies; in this context, blocking means any removal of the reference to the person. Data may also be stored if this is provided for by European or national legislators in regulations, laws, or other provisions to which we are subject. The data will also be blocked or deleted if a storage period prescribed by the aforementioned standards expires, unless there is a need for further storage of the data for the conclusion or fulfillment of a contract. Personal data is regularly anonymized after 3 months (Art. 5 (1) (e) GDPR). Anonymization can be carried out at any time at the customer’s request, for example in the case of unintentionally or unjustifiably collected data (Art. 17 GDPR).
3. Purposes and legal bases for the processing of your personal data, as well as further information on specific data processing
3.1 Visiting our website
3.1.1 Description and scope of data processing
Every time you visit our website, our system automatically collects data and information from the computer system of the accessing computer (personal data that your browser transmits to our server). This is purely technical and also intended, provided that no registration takes place or other information is transmitted. The following data is collected in this process:
- User’s IP address
- Date and time of the request or access
- Time zone difference to Greenwich Mean Time (GMT)
- Content of the request (specific page)
- Access status/HTTP status code
- Amount of data transferred in each case
- Website from which the request originates (from which the user’s system accesses our website)
- Website accessed by the user’s system via our website
- Information about the browser type and version used
- Operating system and its interface
- Language and version of the browser software
3.1.2 Purposes of data processing
The temporary storage of the aforementioned data, in particular the IP address by the system, is necessary to enable the website to be delivered. For this purpose, the IP address must remain stored for the duration of the session. It is generally not possible to access pages on the Internet without transmitting the IP address. This also serves the purposes of evaluating and continuing to ensure system security and stability, as well as other administrative purposes. Storage in log files is done to ensure the functionality of the website. In addition, the data is used to optimize the website and to ensure the security of our information technology systems. The data is not evaluated for marketing purposes in this context.
3.1.3 Legal basis for data processing
The legal basis for the temporary storage of data is Art. 6 (1) lit. f GDPR. Our legitimate interest follows from the purposes listed above for data collection. Under no circumstances do we use the collected data for the purpose of drawing conclusions about your person.
3.1.4 Duration of storage
The data will be deleted as soon as it is no longer required for the purpose for which it was collected. In the case of data collection for the provision of the website, this is the case when the respective session has ended. In the case of data storage in log files, this is the case after seven days at the latest. Further storage is possible. In this case, the IP addresses of the users are deleted or obfuscated so that the requesting client can no longer be identified.
3.1.5 Option to object and remove data
The collection of data for the provision of the website and the storage of data in log files is essential for the operation of the website. Consequently, there is no possibility to object.
3.2 Cookies and similar technologies
3.2.1 Essential cookies
Our website uses so-called session cookies, which are technically necessary for the operation of the site. These cookies store a session ID, which is used to assign various requests from your browser to a session. This allows our server to correctly process your usage during your visit.
These cookies are automatically deleted when you close your browser.
In addition, our hosting and security service providers (e.g., Cloudflare or Amazon AWS) set temporary cookies to ensure the stability, performance, and security of the website. These cookies do not contain any personal data and are used exclusively for technical purposes.
We also use the consent management tool Borlabs Cookie to store your cookie settings. This cookie remembers which consents you have given or refused so that these settings are retained for your next visit. Without this cookie, consent management cannot function properly.
| Cookie name | Provider | Purpose | Storage period | Type |
|---|---|---|---|---|
| PHPSESSID | userwerk.com | Browser session identification | end of session | Essential |
| __cf_bm (or similar) | Cloudflare | Bot protection, performance | approx. 30 min | Essential |
| AWSALB / AWSALBCORS | Amazon AWS | Load balancing, server stability | 7 days | Essential |
| borlabs-cookie | userwerk.com | Saves the visitor's selected cookie settings | 1 year | Essential |
3.2.2 Third-party cookies (after your interaction)
When you access interactive content such as Google Maps or YouTube videos, cookies are set by these providers. These cookies are not necessary for the basic functionality of the website. They are used exclusively to display content and are only activated after you actively use them.
3.2.3 Opt-out / Browser settings
Essential cookies cannot be disabled as they are necessary for the use of the website. However, you can block or delete third-party cookies via your browser settings.
3.3 Other online offerings (integration with advertising partners)
In addition to the purely informational use of our website, we offer various services via our online offerings that customers can use if they are interested. Specifically, we convey the special offers of various product providers (hereinafter “product providers”), in particular free samples of various media. For this purpose, our advertising material is integrated into the websites of advertising partners who operate their own services, such as web shops. If the customer, who must be of legal age, completes the advertising partner’s order process, they will be given the opportunity to choose from the special offers of the product providers at the end of the order process as a thank you for their order. After selecting the desired offer, an order form operated by us appears, in which the customer’s personal data stored in the shop system during the purchase is already pre-filled. This pre-filling only takes place in the customer’s browser; there is no transfer of personal data without the customer’s authorization. The customer receives all necessary information about the product provider and, if applicable, links to their terms and conditions and privacy policy. If the customer wishes to take advantage of the special offer, they must activate the checkbox “Yes, I agree to the terms of use.” The terms of use linked here contain, where applicable, a statement that by placing an order, the customer consents to receiving advertising from the product provider (by telephone or email). In order to take advantage of the aforementioned special offers, additional personal data may need to be provided, which will be used by the product provider to provide the respective service and to which the aforementioned principles of data processing apply. Specifically, the data is processed as follows.
3.3.1 Use of the order form
3.3.1.1 Description and scope of data processing
When you access our order form, our system collects the data and information specified in section 3.1.1. from the accessing computer for purely technical reasons. In addition, the advertising partner transmits your title, year of birth, country, postal code, any variables relating to your behavior within the advertising partner’s offering, and the hash value of the email address you provided in pseudonymized form. Pseudonymization is the processing of personal data in such a way that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that this additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.
3.3.1.2 Purposes of data processing
The temporary storage of the aforementioned data is necessary for technical reasons and serves to ensure system security and stability, as well as for warranty and administration purposes. The hash value of the email address is compared in pseudonymized form in order to comply with any objections to advertising that may already have been expressed with regard to a stored hash value.
3.3.1.3 Legal basis for data processing
The legal basis for the temporary storage of data is Art. 6 (1) lit. f GDPR. Our legitimate interest follows from the purposes listed above for data collection. Under no circumstances do we use the collected data to draw conclusions about the person. Furthermore, the legal basis for analyzing the hash value of the email address in order to be able to legally exclude a possible objection to advertising is Art. 21 (3), Art. 6 (1) (c) GDPR.
3.3.1.4 Duration of storage
The data will be deleted as soon as it is no longer required for the purpose for which it was collected. In the case of data collection for the provision of the order form, this is the case when the respective session has ended. In the case of data storage for data security purposes, this is the case after seven days at the latest. Storage beyond this is possible. In this case, the IP addresses of the users are deleted or obfuscated so that the requesting client can no longer be identified.
3.3.1.5 Option to object and remove data
The collection of data for the provision of the order form and the storage of data is necessary for the operation of the order form. Consequently, there is no possibility of objection. However, the analysis of potential interest in relation to the offers provided can generally be objected to at any time.
3.3.2 Use of offers from product providers
3.3.2.1 Description and scope of data processing
If an offer from the product provider is to be ordered via our order form, it is necessary for the conclusion of the contract that the personal data required for processing the order be provided. Only the mandatory information necessary for the execution of the contracts is collected. The data is transmitted to the product provider.
3.3.2.2 Purposes of data processing
We process the data provided exclusively for the purpose of processing the order.
3.3.2.3 Legal basis for data processing
The legal basis for data processing in connection with the processing of an order is Art. 6 (1) (b) GDPR. If data is processed for further advertising purposes, exclusively on behalf of the product providers, the legal basis for this is Art. 6 (1) (b) and Art. 6 (1) (f) GDPR; the legitimate interests arise from the purposes of data processing described above. If consent has also been given for the use of data for direct marketing purposes, also exclusively on behalf of the product providers, the legal basis for this is Art. 6 (1) (a) GDPR.
3.3.2.4 Duration of storage
With regard to order processing, there are general commercial and tax law requirements to store address, payment, and order data for a period of ten years. If the data is processed for advertising purposes on behalf of the product provider, this data will be stored until consent is revoked or the processing of the data for advertising purposes is objected to.
3.3.3 Direct marketing/newsletter distribution by product providers
3.3.3.1 Description and scope of data processing
When confirming the order, you can also consent to receiving separate information about current and future products and services from the product provider (by telephone or email). We use the double opt-in procedure to confirm your registration to receive this information. This means that after the order has been placed, an email is sent to the email address provided, asking for voluntary confirmation that the registration/order was made by the respective customer. In addition, we store the IP addresses used and the times of registration/order and confirmation.
3.3.3.2 Purposes of data processing
The purpose of the double opt-in procedure is to verify the registration and, if necessary, to be able to investigate any possible misuse of personal data. After confirmation, the email address is stored by the product provider for direct marketing purposes. The data is transmitted to the product provider for these purposes. The data is processed exclusively for administrative purposes on behalf of the product providers.
3.3.3.3 Legal basis for data processing
Insofar as the contract declaration with regard to the order declares consent to data processing for advertising purposes by the product provider, the legal basis for this is Art. 6 (1) lit. a and Art. 6 (1) lit. b GDPR, as well as § 7 (2) No. 3 UWG (German Unfair Competition Act). Insofar as data is collected within the framework of the double opt-in procedure, this is done for documentation purposes in accordance with Art. 7 (1) and Art. 6 (1) (c) GDPR. If, in exceptional cases, we do not already process the data on the basis of consent, the processing of personal data is carried out to the extent necessary to safeguard our legitimate interests or the legitimate interests of a third party, provided these are not outweighed by the interests, fundamental rights, and freedoms of the customer that require the protection of personal data (Article 6(1)(f) GDPR).
3.3.3.4 Duration of storage
If the customer does not confirm the order using the double opt-in procedure, and if the terms of the contract between the customer and the product provider do not require this for the purchase of the order, the information will be blocked and automatically deleted after one month.
Otherwise, the data will be deleted as soon as it is no longer required for the purpose for which it was collected. We store personal data only for the purpose of verification, anonymize it after 6 months, and delete it later.
3.3.4 Option to object and remove data
Consent can be revoked at any time. Revocation can be declared to us by clicking on the link provided in every newsletter email, by email to office@userwerk.com, or by sending a message to the contact details specified in section 1.1, or preferably by revoking consent directly with the product provider, whose contact details are listed in the offers and the confirmation email.
3.4 Communication
Due to our legitimate interest in fast and customer-friendly communication and technical administration, we use the following application in accordance with Art. 6 (1) lit. f and Art. 6 (1) lit. b of the GDPR: Emails and telephone inquiries are processed and stored using Zendesk, a customer service platform provided by Zendesk Inc., 1019 Market Street, San Francisco, CA 94103. Zendesk Inc. has several certificates that guarantee the applicable levels of data protection. For more information, please refer to Zendesk’s privacy policy: https://www.zendesk.de/product/zendesk-security
3.4.1 Consent to the transfer of personal data to a non-EU country
Subject to legal or contractual permissions, personal data may only be processed in a third country if the specific requirements of Art. 44 et seq. GDPR are met. Data may be transferred if the European Commission has determined, by means of a decision within the meaning of Art. 45 (1), (3) GDPR, that the third country in question offers an adequate level of protection under data protection law. Through such adequacy decisions, the European Commission certifies that third countries offer a level of data protection comparable to the recognized standard in the European Economic Area (a list of these countries and a copy of the adequacy decisions can be found here: https://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.html).
Insofar as data is transferred between the US and the EU in exceptional cases, it should be noted that no such adequacy decision exists for the US. Therefore, other suitable safeguards would generally have to be in place to ensure that data protection is adequately guaranteed in the US. This would generally be possible through binding corporate rules, standard contractual clauses of the European Commission for the protection of personal data, certificates, or recognized codes of conduct.
Although Zendesk has submitted to the relevant standard contractual clauses of the European Commission, US companies are still obliged to disclose personal data to security authorities without you, as the data subject, being able to take legal action against this. It cannot therefore be ruled out that US authorities (e.g., intelligence services) may process, evaluate, and permanently store your data located on US servers for surveillance purposes. We have no influence on these processing activities. Furthermore, you may not be able to assert or enforce your rights to information against the service provider in the long term. Furthermore, the technical and organizational measures for the protection of personal data at Google may not fully comply with the requirements of the GDPR in terms of quantity and quality. It is therefore possible that the standard contractual clauses of the European Commission used by Zendesk do not provide sufficient guarantees within the meaning of Art. 46 (2) (a) GDPR. Zendesk has nevertheless undertaken to disclose data to US security authorities only if the service provider has been legally bound to do so by a government order. The service provider is also obliged to take legal action to challenge the official order to disclose the data. By consenting to the collection of data by Zendesk, you expressly agree to the data transfer described here, having been informed above of the possible risks of such data transfers without an adequacy decision and without appropriate safeguards. This consent may be revoked at any time. Revocation does not affect the lawfulness of processing based on consent before revocation.
3.4.2 Legal basis for data processing
The legal basis for the processing of your data is Art. 6 (1) (a) and (f) GDPR. Processing is based on implied consent and our legitimate interests. In this respect, we assume that the positions protected by fundamental rights are not seriously affected and therefore do not outweigh our interests.
3.5 Loopingo
We display voucher offers from loopingo GmbH, Nymphenburgerstr. 12, 80335 Munich, in our online offering. To prepare the voucher, we transmit the email address to loopingo in encrypted form (the legal basis for this is Art. 6 (1) (b) and (f) GDPR), as well as any voucher code used. The IP address, which is used by loopingo exclusively for data security purposes, is anonymized after seven days. In addition, we transmit the pseudonymized order number, order value with currency, postal code, gender, and timestamp to loopingo for the purpose of preparing the offer. For more information on how loopingo processes your data, please refer to the online privacy policy at: https://www.loopingo.com/datenschutz.
3.6 Integration of Amazon Web Services (AWS) services
3.6.1 Description and scope of data processing
We use services, namely cloud solutions, provided by Amazon Web Services EMEA SARL, 38 avenue John F. Kennedy, L-1855 Luxembourg, a subsidiary of Amazon Web Services, Inc., 410 Terry Avenue North, Seattle WA 98109, United States. Amazon Web Services, Inc. (hereinafter referred to as “AWS”) is a company incorporated and registered under the laws of the State of Delaware (registration number: 4152954, Secretary of State, State of Delaware, tax number: 204938068).
Personal data is also processed and stored when using AWS services. In accordance with the contract with AWS, this information is generally only processed within the EU or the EEA. However, data transfer outside the EU cannot be ruled out. We have no influence on this data transfer.
3.6.2 Purpose of data processing
The use of AWS services is essential for the functionality and complete provision of our content and services. The purpose may be to provide services to fulfill our contractual relationship with you.
3.6.3 Consent to the transfer of personal data to a non-EU country
Use of AWS services
Subject to legal or contractual permissions, personal data may only be processed in a third country if the specific requirements of Art. 44 et seq. GDPR are met. Data may be transferred if the European Commission has determined, by means of a decision within the meaning of Art. 45 (1), (3) GDPR, that the third country in question offers an adequate level of protection under data protection law. Through such adequacy decisions, the European Commission certifies that third countries offer a level of data protection comparable to the recognized standard in the European Economic Area (a list of these countries and a copy of the adequacy decisions can be found here: https://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.html).
Insofar as data transfers between the US and the EU take place in exceptional cases, it should be noted that no such adequacy decision exists for the US. Therefore, other appropriate safeguards would generally have to be in place to ensure that data protection is adequately guaranteed in the US. This could generally be achieved through binding corporate rules, standard contractual clauses of the European Commission for the protection of personal data, certificates or recognised codes of conduct. Although AWS has submitted to the relevant standard contractual clauses of the European Commission, US companies are nevertheless obliged to disclose personal data to security authorities without you, as the data subject, being able to take legal action against this. It cannot therefore be ruled out that US authorities (e.g. secret services) may process, evaluate and permanently store your data stored on US servers for surveillance purposes. We have no influence on these processing activities. It may also be the case that you are unable to assert or enforce your rights to information against AWS in the long term. Furthermore, the technical and organisational measures taken by AWS to protect personal data may not fully comply with the requirements of the GDPR in terms of quantity and quality. It is therefore possible that the standard contractual clauses of the European Commission used by AWS do not provide sufficient guarantees within the meaning of Art. 46(2)(a) GDPR. Nevertheless, AWS has undertaken, in accordance with the document available here: https://d1.awsstatic.com/Supplementary_Addendum_to_the_AWS_GDPR_DPA.pdf, to disclose data to US security authorities only if AWS is legally bound to do so by a government order. AWS is also obliged to take legal action to challenge the official order to disclose the data.
By consenting to the collection of data by AWS, you also expressly agree to the data transfer described here, having been informed above of the possible risks of such data transfers without an adequacy decision and without appropriate safeguards. This consent may be revoked at any time. Revocation does not affect the lawfulness of processing based on consent before revocation.
3.6.4 Legal basis for data processing
The legal basis for the processing of your data is Art. 6 (1) (a) and (f) GDPR. Processing is based on implied consent and our legitimate interests. If the use of AWS services is aimed at concluding a contract, the additional legal basis for processing is Art. 6 (1) (b) GDPR.
3.6.5 Further information
Further information on the purpose and scope of data collection and processing, as well as further information on your rights in this regard and settings options for protecting your privacy, can be found at: https://aws.amazon.com/de/legal/aws-emea/ and at: https://d1.awsstatic.com/Supplementary_Addendum_to_the_AWS_GDPR_DPA.pdf
3.7 YouTube
3.7.1 Description and scope of data processing
We operate a company profile (YouTube channel) on the YouTube platform. Content from YouTube is only loaded on our website once you have actively consented to this, e.g. by clicking on a video or by agreeing to the cookie banner. Only then can usage data and, if applicable, cookies be set by YouTube.
3.7.2 Purpose of data processing
The data is used to provide you with video content, to present our products, services and news, and to ensure an effective means of providing information about our company.
3.7.3 Legal basis
The processing of your personal data when accessing YouTube content is based on your consent (Art. 6(1)(a) GDPR).
If you actively access content and accept cookies, this consent is the legal basis for data processing by YouTube. In addition, the provider’s terms of use and privacy policy apply to processing by YouTube.
3.7.4 Further information
We have no influence on the processing of personal data by YouTube. As a rule, when you visit our content, cookies are stored in your browser, in which your usage behaviour or interests are stored for market research and advertising purposes.
For detailed information about data processing when using our YouTube content and your rights, please refer to YouTube’s privacy policy (provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland) and the opt-out: https://policies.google.com/privacy
3.8 Instagram and LinkedIn
We operate a channel on Instagram and LinkedIn. However, we do not embed content from these channels on our website; therefore, no data is transferred to social networks when you visit our website.
4. Disclosure of data to third parties
We do not disclose personal data to companies, organisations or individuals outside the company, except in one of the following circumstances:
4.1 With consent
We share personal data with companies, organisations or individuals outside the company if we have obtained the customer’s consent to do so; this applies in particular to the uses described above.
4.2 Processing by other entities
We disclose personal data to other companies affiliated with the same group or group of companies, as well as to third-party business partners, other trustworthy companies or individuals who process it on our behalf. This is done on the basis of our instructions and in accordance with the privacy policy and other appropriate confidentiality and security measures.
4.3 For legal reasons
We will disclose personal data to companies, organisations or individuals outside our company if we believe in good faith that access to, or the use, retention or disclosure of, such data is reasonably necessary, in particular to comply with applicable laws, regulations or legal proceedings, or to comply with an enforceable official order.
5. Transfer of personal data to a third (non-EU) country or an international organisation
Unless expressly stated in this privacy policy, personal data will not be transferred to third countries or international organisations.
6. Automated decision-making
There is no automated decision-making.
7. Rights
If personal data is processed, users are data subjects within the meaning of the GDPR and have the following rights vis-à-vis us, the controller:
7.1 Right to information
Data subjects may request confirmation from the controller as to whether personal data concerning them is being processed by us. If such processing is taking place, you may request the following information from the controller:
- The purposes for which the personal data is processed.
- The categories of personal data that are processed.
- The recipients or categories of recipients to whom your personal data has been or will be disclosed.
- The planned duration of storage of your personal data or, if specific information on this is not possible, criteria for determining the storage period.
- The existence of a right to rectification or erasure of personal data concerning you, a right to restriction of processing by the controller, or a right to object to such processing.
- The existence of a right of appeal to a supervisory authority.
- All available information on the source of the data, if the personal data is not collected from the data subject.
- The existence of automated decision-making, including profiling, pursuant to Article 22(1) and (4) of the GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
Data subjects have the right to request information about whether personal data concerning them is being transferred to a third country or to an international organisation. In this context, data subjects may request to be informed about the appropriate safeguards pursuant to Article 46 GDPR in connection with the transfer.
7.2 Right to correction
Data subjects have the right to request the controller to correct and/or complete their personal data if it is inaccurate or incomplete. The controller must make the correction without delay.
7.3 Right to restriction of processing
Under the following conditions, data subjects may request the restriction of the processing of personal data concerning them:
- If they dispute the accuracy of the personal data concerning them for a period enabling the controller to verify the accuracy of the personal data.
- The processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead.
- The controller no longer needs the personal data for the purposes of processing, but they are required for the establishment, exercise or defence of legal claims.
- If you have lodged an objection to the processing pursuant to Article 21(1) of the GDPR and it is not yet clear whether the legitimate grounds of the controller override your grounds.
Where the processing of personal data concerning them has been restricted, such data may, with the exception of storage, only be processed with their consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State. If processing has been restricted in accordance with the above conditions, data subjects shall be informed by the controller before the restriction is lifted.
7.4 Rights of deletion
7.4.1 Obligation to delete data
Data subjects may request the controller to delete personal data concerning them without delay, and the controller is obliged to delete such data without delay if one of the following reasons applies:
- The personal data concerning them are no longer necessary for the purposes for which they were collected or otherwise processed.
- You revoke the consent on which the processing was based in accordance with Art. 6(1)(a) or Art. 9(2)(a) GDPR, and there is no other legal basis for the processing.
- You object to the processing pursuant to Article 21(1) GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Article 21(2) GDPR.
- Personal data concerning you has been processed unlawfully.
- The erasure of personal data concerning them is necessary to comply with a legal obligation under Union law or the law of the Member States to which the controller is subject.
- The personal data concerning them has been collected in relation to the services offered by information society services in accordance with Article 8(1) of the GDPR.
7.4.2 Information to third parties
If the controller has made the personal data concerning the data subject public and is obliged to erase it pursuant to Article 17(1) GDPR, the controller shall take reasonable steps, including technical measures, taking into account the available technology and implementation costs, to inform controllers who process the personal data that the data subject has requested the erasure of all links to this personal data or copies or replications of this personal data.
7.4.3 Exceptions
The right to erasure does not apply if processing is necessary:
- For exercising the right of freedom of expression and information.
- To fulfil a legal obligation which requires processing under Union or Member State law to which the controller is subject, or to perform a task carried out in the public interest or in the exercise of official authority vested in the controller.
- For reasons of public interest in the area of public health pursuant to Art. 9(2)(h) and (i) and Art. 9(3) GDPR.
- For archiving purposes in the public interest, scientific or historical research purposes or statistical purposes pursuant to Art. 89(1) GDPR, insofar as the right to erasure is likely to render impossible or seriously impair the achievement of the objectives of this processing.
- For the establishment, exercise or defence of legal claims.
7.5 Right to information
If data subjects have exercised their right to rectification, erasure or restriction of processing vis-à-vis the controller, the controller is obliged to notify all recipients to whom the personal data concerning them have been disclosed of such rectification, erasure or restriction of processing, unless this proves impossible or involves disproportionate effort.
The data subject has the right to obtain from the controller information about these recipients.
7.6 Right to data portability
Data subjects have the right to receive the personal data concerning them that they have provided to the controller in a structured, commonly used and machine-readable format. They also have the right to transmit this data to another controller without hindrance from the controller to whom the personal data has been provided, provided that:
- The processing is based on consent pursuant to Art. 6(1)(a) GDPR or Art. 9(2)(a) GDPR or on a contract pursuant to Art. 6(1)(b) GDPR.
- The processing is carried out using automated means.
In exercising this right, data subjects also have the right to have the personal data concerning them transmitted directly from one controller to another controller, where technically feasible. The freedoms and rights of other persons must not be affected by this. The right to data portability does not apply to the processing of personal data that is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
7.7 Right to object
Data subjects have the right to object at any time, on grounds relating to their particular situation, to the processing of personal data concerning them which is based on Article 6(1)(e) or (f) GDPR; this also applies to profiling based on these provisions. The controller shall no longer process the personal data concerning them unless the controller can demonstrate compelling legitimate grounds for the processing which override their interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims. If the personal data concerning you is processed for the purpose of direct marketing by product providers, you have the right to object at any time to the processing of personal data concerning you for the purpose of such advertising; this also applies to profiling insofar as it is related to such direct marketing by product providers. If you object to processing for direct marketing purposes, the personal data concerning you will no longer be processed for these purposes. In connection with the use of information society services, you have the option, irrespective of Directive 2002/58/EC, to exercise your right to object by means of automated procedures using technical specifications.
7.8 Right to revoke the declaration of consent under data protection law
Data subjects have the right to revoke their declaration of consent under data protection law at any time. Revocation of consent does not affect the lawfulness of processing based on consent before its revocation.
7.9 Right not to be subject to automated decision-making in individual cases, including profiling
Data subjects have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them. This does not apply:
- If the decision is necessary for entering into, or performance of, a contract between them and the controller.
- If it is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard their rights and freedoms and legitimate interests.
- With their explicit consent.
However, these decisions may not be based on special categories of personal data pursuant to Art. 9(1) GDPR, unless Art. 9(2)(a) or (g) GDPR applies and appropriate measures have been taken to protect their rights and freedoms and their legitimate interests. With regard to the first and third cases listed above, the controller shall take appropriate measures to safeguard your rights and freedoms and your legitimate interests. This includes at least the right to obtain human intervention on the part of the controller, to express your own point of view and to contest the decision.
7.10 Right to make a complaint to a regulatory authority
Without prejudice to any other administrative or judicial remedy, data subjects have the right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, place of work or place of the alleged infringement, if they consider that the processing of personal data relating to them infringes the GDPR. The supervisory authority with which the complaint has been lodged shall inform the complainant of the progress and outcome of the complaint, including the possibility of a judicial remedy under Article 78 of the GDPR.
As of: November 2025