userwerk GmbH

Privacy policy

The protection of privacy is an important concern for us. If and to the extent that personal data is provided to us, it will be processed in accordance with the provisions of the EU General Data Protection Regulation (GDPR) and its current interpretation, and in particular the statutory data protection provisions of the German Federal Data Protection Act (BDSG). Of course, all data will be treated confidentially. With the following data protection information, we would like to explain in more detail how data is handled.

1. Contact details of the responsible person and the data protection officer

1.1 Name and address of the responsible person

The responsible party within the meaning of the General Data Protection Regulation and other national data protection laws of the member states as well as other data protection provisions (Art. 4 para. 7 DSGVO) is:

userwerk GmbH
Ehinger Str. 19
89077 Ulm
Germany

E-mail: office@userwerk.de

Represented by:
Dr. Markus Kalb
Daniel Speyer

1.2 Name and address of the data protection officer

The data protection officer of the responsible party is:

Stefan Schwytz

c/o Kulitz & Twelmeier GmbH
Magirus-Deutz-Str. 12
89077 Ulm
Germany

E-Mail: datenschutz@userwerk.com

2. General information on the collection of personal data

2.1 Principle

This privacy policy applies to all customers, prospective customers and employees as well as contractual partners and other natural persons who use our online offers and the websites, functions and content connected to them (hereinafter collectively referred to as "online offer" or "website"). The privacy policy applies regardless of the domains, systems, platforms and devices (e.g. desktop or mobile) used on which the online offer or website is executed.

2.2 Principles on the scope of personal data processing

We share the philosophy underlying the GDPR and the German Federal Data Protection Act (BDSG) that the collection and processing of personal data ("data") must be limited wherever possible. Therefore, we process personal data only insofar as this is necessary for clearly defined purposes, which are outlined below (principles of data avoidance and data economy). In this context, data processing is only permissible insofar as it can be based on a sufficient legal basis or consent (principle of lawfulness). This means that we generally only process personal data insofar as this is necessary to provide a functional website and our content and services. Personal data is regularly processed only after consent has been given. An exception applies in those cases where obtaining prior consent is not possible for factual reasons and the processing of the data is permitted by legal regulations. Unless otherwise stated below, the terms "process" and "processing" also include, in particular, the collection, use, disclosure and transfer of personal data (see Article 4 No. 2 of the GDPR).

2.3 General information on the legal basis for processing personal data

2.3.1 General legal bases

The processing of personal data is prohibited in principle and only permissible by way of exception. The permissibility of data processing can follow solely from the fact that the processing of the data can be based on a suitable legal basis. As such, the following can be considered in conclusion:

  • Insofar as we have obtained the consent of the data subject for processing operations of personal data, Art. 6 (1) lit. a DSGVO serves as the legal basis.
  • When processing personal data that is necessary for the performance of a contract to which the data subject is a party, Art. 6 (1) lit. b DSGVO serves as the legal basis. This also applies to processing operations that are necessary for the performance of pre-contractual measures.
  • Insofar as processing of personal data is necessary for compliance with a legal obligation to which we are subject, Art. 6 (1) c DSGVO serves as the legal basis.
  • In the event that vital interests of the data subject or another natural person make processing of personal data necessary, Art. 6 (1) (d) DSGVO serves as the legal basis.
  • If the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us, Art. 6 (1) lit. e DSGVO is the legal basis for the processing.
  • If the processing is necessary to protect a legitimate interest of our company or a third party and the interests, fundamental rights and freedoms of the data subject do not override the former interest, Art. 6 (1) lit. f DSGVO serves as the legal basis for the processing.

2.3.2 Special legal bases for the processing of special categories of personal data pursuant to Art. 9 GDPR

The processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as the processing of genetic data, biometric data uniquely identifying a natural person, health data or data concerning a natural person’s sex life or sexual orientation is prohibited. Exceptionally, the processing of these special categories of personal data by us may also be permitted, provided that there is a suitable legal basis for this. As such, the following in particular come into consideration:

  • Insofar as the data subject has expressly consented to the processing of the special categories of personal data for one or more specified purposes, this shall be the legal basis for the processing (Article 9 (2) (a) DSGVO). This does not apply insofar as, under Union law or the law of the Member States, the prohibition on processing the special categories of personal data cannot be lifted.
  • In the event that the data subject has obviously made the data public, Art. 9 (2) (e) DSGVO is the legal basis for the processing.
  • Insofar as the processing of the data is necessary for the assertion, exercise or defense of legal claims, the processing is permissible under Art. 9 (2) lit. f DSGVO.
  • Processing of the data is permissible insofar as it is necessary for reasons of substantial public interest on the basis of Union law or the law of a Member State which is proportionate to the aim pursued, preserves the essence of the right to data protection and provides for adequate and specific measures to safeguard the fundamental rights and interests of the data subject, cf. Art. 9 (2) lit. g DSGVO.

2.4 Objection and revocation against the processing of the data

If consent to the processing of data has been given, this may be revoked at any time. Such a revocation affects the permissibility of the processing of personal data after it has been expressed to us.

Insofar as we base the processing of personal data on a balance of interests, an objection to the processing may be lodged. This is the case if the processing is not necessary, in particular, for the performance of a contract, as described below in the description of the functions. When exercising such an objection, we ask you to explain the reasons why we should not process personal data as we do. In the event of a justified objection, we will review the situation and either discontinue or adjust the data processing or demonstrate our compelling legitimate grounds for continuing the processing.

2.5 Data deletion and storage period

Personal data will be deleted or blocked by us as soon as the purpose of the storage no longer applies; blocking in this context means any removal of the reference of the data to the person. Storage may also take place if this has been provided for by the European or national legislator in regulations, laws or other provisions to which we are subject. Blocking or deletion of data also takes place when a storage period prescribed by the aforementioned standards expires, unless there is a need for further storage of the data for the conclusion or fulfillment of a contract. As a rule, personal data is anonymized after 3 months (Art. 5 para. 1 lit. e) DSGVO). Anonymization can take place at any time at the request of the customer, for example in the case of data collected unintentionally or without authorization (Art. 17 DSGVO).

3. Purposes and legal bases of the processing of your personal data as well as further information on the specific data processing

3.1 Visiting our website

3.1.1 Description and scope of data processing

Each time you visit our website, our system automatically collects data and information from the computer system of the calling computer (personal data that your browser transmits to our server). This is purely technical and also intended, provided that no registration takes place or other information is transmitted. The following data is collected:

  • IP address of the user
  • Date and time of the request or access
  • Time zone difference to Greenwich Mean Time (GMT)
  • Content of the request (specific page)
  • Access status/HTTP status code
  • Amount of data transferred in each case
  • Website from which the request comes (from which the user’s system accesses our website)
  • Website that is accessed by the user’s system via our website
  • Information about the type of browser and the version used
  • Operating system and its interface
  • Language and version of the browser software

3.1.2 Purposes of data processing

The temporary storage of the aforementioned data, in particular the IP address by the system, is necessary to enable delivery of the website. For this purpose, the IP address must remain stored for the duration of the session. Calls to pages on the Internet are generally not possible without the transmission of the IP. This also serves the purposes of evaluating and ensuring system security and stability, as well as other administrative purposes. The storage in log files is done to ensure the functionality of the website. In addition, we use the data to optimize the website and to ensure the security of our information technology systems. An evaluation of the data for marketing purposes does not take place in this context.

3.1.3 Legal basis for data processing

The legal basis for the temporary storage of the data is Art. 6 para. 1 lit. f DSGVO. Our legitimate interest follows from the purposes for data collection listed above. In no case do we use the collected data for the purpose of drawing conclusions about your person.

3.1.4 Duration of storage

The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. In the case of the collection of data for the provision of the website, this is the case when the respective session has ended. In the case of storage of data in log files, this is the case after seven days at the latest. Storage beyond this period is possible. In this case, the IP addresses of the users are deleted or obfuscated so that an assignment of the calling client is no longer possible.

3.1.5 Possibility of objection and removal

The collection of data for the provision of the website and the storage of the data in log files is mandatory for the operation of the website. Consequently, there is no possibility to object.

3.2 Integration of Google Maps

3.2.1 Description and scope of data processing

For our website (not the integration of online offers), we rely on maps from Google, which we embed on our pages (third-party content). The provider is Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. To use the functions of Google Maps, it is necessary to store your IP address. This information is usually transferred to a Google server in the USA and stored there. The provider of this site has no influence on this data transmission.

3.2.2 Purposes of data processing

Third-party providers on our website may use the data thus obtained for statistical or marketing purposes.

3.2.3 Consent to the transfer of personal data to a third country

Third-party providers on our website may process the data thus obtained for statistical purposes or data in a third country only if the special requirements of Art. 44 et seq. DSGVO are met. Accordingly, the data transfer may be carried out if the European Commission has determined by way of a decision within the meaning of Art. 45 (1), (3) of the GDPR that an adequate level of protection is provided under data protection law in the third country concerned. By means of such so-called adequacy decisions, the European Commission certifies that third countries provide a level of data protection that is comparable to the recognized standard in the European Economic Area (a list of these countries and a copy of the adequacy decisions can be found here: https://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.html). To the extent that data is transferred between the USA and the EU in exceptional cases, it should be noted that no such adequacy decision exists for the USA. Therefore, in principle, other suitable guarantees would have to exist to ensure that data protection is sufficiently guaranteed in the USA. This would generally be possible via binding corporate regulations, standard contractual clauses of the European Commission for the protection of personal data, certificates or recognized codes of conduct. Although Google has submitted to corresponding standard contractual clauses of the European Commission, U.S. companies are nevertheless obliged to hand over personal data to security authorities without you as the data subject being able to take legal action against this. It can therefore not be ruled out that US authorities (e.g. intelligence services) process, evaluate and permanently store your data located on US servers for monitoring purposes. We have no influence on these processing activities. Furthermore, you may not be able to assert or enforce your rights to information against Google in the long term. 
Furthermore, the technical and organizational measures for the protection of personal data at Google may not fully meet the requirements of the GDPR in terms of quantity and quality. There is thus the possibility that the standard contractual clauses of the European Commission used by Google do not constitute sufficient guarantees within the meaning of Article 46 (2) a) of the GDPR. Google has nevertheless committed itself to only handing over data to U.S. security authorities if the service provider has in fact been legally bound to do so by a government order. The service provider is also obliged to take legal action to challenge the government order to hand over the data. By consenting to the collection of data by Google, you expressly consent to the transfer of data as set forth herein, and you have been informed above of the potential risks of such data transfers in the absence of an adequacy decision and appropriate safeguards. This consent can be revoked at any time. A revocation does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation.

3.2.4 Legal basis of data processing

The legal basis for the processing of your data is Art. 6 para. 1 p. 1 lit. a as well as f DSGVO. The processing is based on an implied consent and on our legitimate interests. In this respect, we assume that the positions protected by fundamental rights are not seriously affected and therefore do not prevail.

3.2.5 Duration of storage; possibility of objection and elimination

Google Maps requires an NID cookie that is stored in browsers. Therefore, you as a user have full control over the use of cookies. By changing the settings in your internet browser, you can disable or restrict the transfer of cookies. Cookies that have already been stored can be deleted at any time. This can also be done automatically. If cookies are deactivated for Google Maps, it may no longer be possible to use all functions to their full extent.

3.2.6 Further information

For more information on the purpose and scope of data collection and processing, as well as further information on your rights in this regard and settings options for protecting your privacy, please contact: Google Inc, 1600 Amphitheatre Parkway, Mountain View, California 94043, USA; Privacy information: https://www.google.de/intl/de/policies/privacy.

3.3 Other online offers (integrations with advertising partners)

In addition to the purely informational use of our website, we offer various services via our online offerings that customers can use if they are interested. Namely, we mediate the advantage offers of suppliers of various products (product suppliers), in particular free samples of various media. For this purpose, our advertising media are integrated on the websites of advertising partners who, for example, operate web stores for the sale of their own services. If the customer, who must be of legal age, goes through the order process of the advertising partner, he is given the opportunity to choose from the product providers' special offers at the end of the order process as a thank-you for his order. After the desired offer has been chosen, an order form operated by us appears, in which the customer’s personal data stored in the shop system at the time of purchase is already pre-filled. This pre-filling takes place only in the customer’s browser; there is no transfer of personal data not authorized by the customer. The customer receives all the necessary information about the product provider and, if applicable, links to their terms and conditions and privacy information. If the customer wants to take advantage of the offer, he must activate a checkbox "Yes, I agree to the terms of use". The linked terms of use contain, if applicable, the declaration that the customer consents to receiving advertising from the product provider (by telephone or e-mail) by placing an order. In order to use the aforementioned advantage offers, additional personal data must be provided in some cases, which is used by the product provider to provide the respective service and for which the aforementioned data processing principles apply. Specifically, the data is processed as follows.

3.3.1 Use of the order form

3.3.1.1 Description and scope of data processing

When our order form is called up, our system records the data and information of the calling computer mentioned in section 3.1.1. for purely technical reasons. In addition, the salutation, year of birth, country, postal code, possibly variables on the behavior within the offer of the advertising partner, as well as the hash value of the specified e-mail address are transmitted pseudonymously by the advertising partner. Pseudonymization is the processing of personal data in such a way that the personal data can no longer be assigned to a specific data subject without the use of additional information, provided that this additional information is stored separately and is subject to technical and organizational measures that ensure that the personal data cannot be assigned to an identified or identifiable natural person.

3.3.1.2 Purposes of data processing

The temporary storage of the aforementioned data is for technical reasons and serves on the one hand system security and system stability, and on the other hand warranty and administration purposes. The hash value of the e-mail address is matched pseudonymously in order to meet a possibly already expressed objection to advertising with regard to a stored hash value.

3.3.1.3 Legal basis for data processing

The legal basis for the temporary storage of the data is Art. 6 para. 1 lit. f DSGVO. Our legitimate interest follows from the purposes for data collection listed above. In no case do we use the collected data to draw conclusions about the person. Furthermore, the legal basis for the analysis of the hash value of the email address in order to be able to exclude a possible advertising objection in a legally compliant manner is Art. 21 para. 3, Art. 6 para. 1 lit. c DSGVO.

3.3.1.4 Duration of storage

The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. In the case of the collection of data for the provision of the order form, this is the case when the respective session has ended. In the case of storage of data for data security purposes, this is the case after seven days at the latest. Storage beyond this period is possible. In this case, the IP addresses of the users are deleted or obfuscated, so that an assignment of the calling client is no longer possible.

3.3.1.5 Possibility of objection and removal

The collection of data for the provision of the order form and the storage of the data is necessary for the operation of the order form. Consequently, there is no possibility to object. However, it is generally possible to object to the analysis of the potential interest in relation to the mediated offers at any time.

3.3.2 Utilization of the product providers' offerings

3.3.2.1 Description and scope of data processing

If an offer of the product providers is to be ordered via our order form, it is necessary for the conclusion of the contract that the personal data necessary for the processing of the order are provided. Only the mandatory data necessary for the processing of the contracts will be collected. The data will be transmitted to the product provider.

3.3.2.2 Purposes of data processing

We process the data provided exclusively for processing the order.

3.3.2.3 Legal basis for data processing

The legal basis for data processing in the context of processing an order is Art. 6 para. 1 lit. b DSGVO. Insofar as data processing is carried out for further advertising purposes, exclusively on behalf of the product providers, the legal basis for this is currently Art. 6 para. 1 lit. b and Art. 6 para. 1 lit. f DSGVO; the legitimate interests follow from the purposes for data processing described. Insofar as consent to use the data for direct marketing purposes has been given, also exclusively on behalf of the product providers, the legal basis for this is Art. 6 (1) a DSGVO.

3.3.2.4 Duration of storage

With regard to order processing, there are general commercial and tax law requirements to store address, payment and order data for a period of ten years. Insofar as the data is processed for advertising purposes on behalf of the product provider, this data will be stored until the consent in this regard is revoked or the processing of the data for advertising purposes is objected to.

3.3.3 Direct marketing / newsletter dispatch by product suppliers

3.3.3.1 Description and scope of data processing

With the contractual declaration to receive the order, the customer can also separately consent to receiving information about current and future products and services of the product provider (by phone or e-mail). For the confirmation of the registration to receive this information, we offer the so-called double opt-in procedure. This means that after the order is placed, an e-mail is sent to the specified e-mail address asking for voluntary confirmation that the registration/order has been executed by the respective customer. In addition, we store the IP addresses used and the times of registration/ordering and confirmation.

3.3.3.2 Purposes of data processing

The purpose of the double opt-in procedure is to provide proof of registration and, if necessary, to be able to clarify any possible misuse of personal data. After confirmation, the e-mail address is stored for the purpose of direct marketing by the product provider. To fulfill these purposes, the data will be transmitted to the product provider. The data is processed exclusively for administrative purposes on behalf of the product provider.

3.3.3.3 Legal basis for data processing

Insofar as consent to data processing for advertising purposes by the product provider is declared with the contractual declaration with regard to the order, the legal bases for this are Art. 6 para. 1 lit. a and Art. 6 para. 1 lit. b DSGVO, furthermore § 7 para. 2 no. 3 UWG. Insofar as data is collected as part of the double opt-in procedure, this is done for documentation purposes in accordance with Art. 7 para. 1 and Art. 6 para. 1 lit. c DSGVO. If, exceptionally, we do not already process the data on the basis of consent, the personal data will be processed insofar as this is necessary to protect our legitimate interests or the legitimate interests of a third party and the interests, fundamental rights and freedoms of the customer, which require the protection of personal data, do not prevail (Art. 6 (1) lit. f DSGVO).

3.3.3.4 Duration of storage

If the customer does not confirm the order by means of the double opt-in procedure, and if the terms of the contract between the customer and the product provider do not require this in order to receive the order, the information will be blocked and automatically deleted after one month. The data will otherwise be deleted as soon as it is no longer required to achieve the purpose for which it was collected. Personal data is stored by us only for the purpose of proof; it is anonymized after 6 months and deleted later.

3.3.4 Possibility of objection and removal

The consent can be revoked at any time. The revocation can be declared to us, for example, by clicking on the link provided in each newsletter e-mail, by e-mail to kontakt@userwerk.com or by sending a message to the contact details given in section 1.1, or preferably by revocation directly to the product provider whose contact is listed in the offers and the confirmation e-mail.

3.4 Communication

Due to the legitimate interest in fast and customer-friendly communication and technical administration, we use the following application in accordance with Art. 6 para. 1 lit. f and Art. 6 para. 1 lit. b of the DSGVO: E-mails and inquiries by phone are processed and stored with Zendesk, a customer service platform of Zendesk Inc., 1019 Market Street, San Francisco, CA 94103. Zendesk Inc. has several certificates that guarantee the applicable data protection levels. For more information, please refer to Zendesk’s privacy policy: https://www.zendesk.de/product/zendesk-security

3.4.1 Consent to the transfer of personal data to a third country

Subject to legal or contractual permissions, personal data may in principle only be processed in a third country if the special requirements of Art. 44 et seq. GDPR are met. Accordingly, data may be transferred if the European Commission has determined by way of a decision within the meaning of Article 45 (1), (3) of the GDPR that an adequate level of data protection is provided in the third country concerned. By means of such so-called adequacy decisions, the European Commission certifies that third countries provide a level of data protection that is comparable to the recognized standard in the European Economic Area (a list of these countries and a copy of the adequacy decisions can be found here: https://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.html).

To the extent that data is transferred between the USA and the EU in exceptional cases, it should be noted that no such adequacy decision exists for the USA. Therefore, in principle, other suitable guarantees would have to exist to ensure that data protection is sufficiently guaranteed in the USA. This would generally be possible via binding company regulations, standard contractual clauses of the European Commission for the protection of personal data, certificates or recognized codes of conduct.

Although Zendesk has signed up to the European Commission’s standard contractual clauses, U.S. companies are still obliged to hand over personal data to security authorities without you as a data subject being able to take legal action against this. It can therefore not be ruled out that US authorities (e.g. intelligence services) process, evaluate and permanently store your data located on US servers for monitoring purposes. We have no influence on these processing activities. Furthermore, you may not be able to assert or enforce your rights to information against the service provider in the long term. Furthermore, the technical and organizational measures for the protection of personal data at Google may not fully meet the requirements of the GDPR in terms of quantity and quality. There is thus the possibility that the standard contractual clauses of the European Commission used by Zendesk do not constitute sufficient guarantees within the meaning of Article 46 (2) a) of the GDPR. Nevertheless, Zendesk has committed itself to only disclose data to U.S. security authorities if the service provider has been legally bound to do so by a government order. The service provider is also obligated to take legal action to challenge the government order to release the data. By consenting to the collection of data by Zendesk, you expressly consent to the transfer of data as set forth herein, and you have been informed above of the potential risks of such data transfers without an adequacy decision and without appropriate safeguards. This consent can be revoked at any time. A revocation does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation.

3.4.2 Legal basis of data processing

The legal basis for the processing of your data is Art. 6 para. 1 p. 1 lit. a as well as f DSGVO. The processing is based on an implied consent and on our legitimate interests. In this respect, we assume that the positions protected by fundamental rights are not seriously affected and therefore do not prevail.

3.5 Loopingo

We display voucher offers of loopingo GmbH, Nymphenburgerstr. 12, 80335 Munich in the integration of our online offer. To prepare the voucher, we transmit the e-mail address to loopingo in encrypted form (the legal basis for this is Art. 6 para. 1 lit. b, f DSGVO), as well as any voucher code used. The IP address, which is used by loopingo exclusively for data security purposes, is anonymized after seven days. In addition, we transmit the order number, order value with currency, postal code, gender and time stamp to loopingo in a pseudonymized form for the preparation of the offer. For further information on the processing of your data by loopingo, please refer to the online privacy policy at: https://www.loopingo.com/datenschutz.

3.6 Integration of Amazon Web Services (AWS) services

3.6.1 Description and scope of data processing

We use services, namely cloud solutions, of Amazon Web Services EMEA SARL, 38 avenue John F. Kennedy, L-1855 Luxembourg, a subsidiary of Amazon Web Services, Inc., 410 Terry Avenue North, Seattle WA 98109, United States. Amazon Web Services, Inc. (hereinafter referred to as "AWS") is a corporation incorporated and registered under the laws of the State of Delaware (Registration Number: 4152954, Secretary of State, State of Delaware, Tax ID: 204938068).

In the course of using AWS’s services, personal information is also processed and stored. According to the contract with AWS, this information is generally only processed within the EU or the EEA. Nevertheless, a data transfer outside the EU cannot be excluded. We have no influence on this data transfer.

3.6.2 Purpose of the data processing

The use of AWS services is essential for the functionality and full provision of our content and services. The purpose may be to provide services to fulfill the contractual relationship that exists with you.

3.6.3 Consent to the transfer of personal data to a third country

The use of AWS services Subject to legal or contractual permissions, personal data may in principle only be processed in a third country if the special requirements of Art. 44 et seq. DSGVO are met. Accordingly, data may be transferred if the European Commission has determined by way of a decision within the meaning of Article 45 (1), (3) of the GDPR that the third country in question offers an adequate level of protection under data protection law. By means of such so-called adequacy decisions, the European Commission certifies that third countries provide a level of data protection that is comparable to the recognized standard in the European Economic Area (a list of these countries and a copy of the adequacy decisions can be found here: https://ec.europa.eu/justice/data-protection/internationaltransfers/adequacy/index_en.html). To the extent that data is transferred between the USA and the EU in exceptional cases, it should be noted that no such adequacy decision exists for the USA. Therefore, in principle, other suitable guarantees would have to exist to ensure that data protection is sufficiently guaranteed in the USA. This would generally be possible via binding company regulations, standard contractual clauses of the European Commission for the protection of personal data, certificates or recognized codes of conduct. Although AWS has submitted to corresponding standard contractual clauses of the European Commission, US companies are nevertheless obliged to hand over personal data to security authorities without you as a data subject being able to take legal action against this. It can therefore not be ruled out that US authorities (e.g. intelligence services) process, evaluate and permanently store your data located on US servers for monitoring purposes. We have no influence on these processing activities. Furthermore, you may not be able to sustainably assert or enforce your rights to information against AWS. 
Furthermore, the technical and organizational measures for the protection of personal data at AWS may not fully comply with the requirements of the GDPR in terms of quantity and quality. There is thus the possibility that the standard contractual clauses of the European Commission used by AWS do not constitute sufficient guarantees within the meaning of Article 46 (2) a) of the GDPR. AWS has nevertheless complied with this (https://d1.awsstatic.com/Supplementary_Addendum_to_the_AWS_GDPR_DPA.pdf). AWS is obligated to release data to U.S. security authorities only if AWS has been legally bound to do so by a de facto government order. AWS is also obligated to take legal action to challenge the government order to release the data. By consenting to the collection of data by AWS, you also expressly consent to the transfer of data as set forth herein, and you have been informed above of the potential risks of such data transfers in the absence of an adequacy decision and appropriate safeguards. This consent can be revoked at any time. A revocation does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation.

3.6.4 Legal basis of data processing

The legal basis for the processing of your data is Art. 6 para. 1 p. 1 lit. a as well as f DSGVO. The processing is based on an implied consent as well as on our legitimate interests. If the use of the services of AWS aims at the conclusion of a contract, the additional legal basis for the processing is Art. 6 para. 1 p. 1 lit. b DSGVO.

3.6.5 Further information

Further information on the purpose and scope of the data collection and its processing, as well as further information on your rights in this regard and setting options for protecting your privacy, can be found at: https://aws.amazon.com/de/legal/aws-emea/ and at: https://d1.awsstatic.com/Supplementary_Addendum_to_the_AWS_GDPR_DPA.pdf

3.7 Instagram

3.7.1 Description and scope of data processing

We maintain a profile on the Instagram social network. We have communication data of the users there who communicate with us.

3.7.2 Purpose of the data processing

It is used to communicate with users registered there and to inform them about our products, services and news.

3.7.3 Legal basis

When you use and access our profile on the respective network, the data protection information and terms of use of the respective social media provider apply. The processing of your personal data when visiting our profile on Instagram is based on our legitimate interests in a diverse external presentation of our company and the use of an effective information option and communication with you. The legal basis is Art. 6 para. 1 lit. f DSGVO. Insofar as you have given the responsible party of the social network consent to the processing of your personal data, the legal basis is Art. 6 (1) lit. a DS-GVO.

3.7.4 Further information

We have no influence on the processing of personal data by the respective social media provider. As a rule, when you visit our profiles, cookies are stored in your browser by the social media provider, in which your usage behavior or interests are stored for market research and advertising purposes. For detailed information on data processing when using our social media profiles and on your rights, please refer to the privacy policy of the social media provider: Instagram (provider: Facebook Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland) Privacy Policy / Opt-Out: https://instagram.com/about/legal/privacy

4. Disclosure of data to third parties

We do not disclose personally identifiable information to companies, organizations or individuals outside of the Company, except in one of the following circumstances:

4.1 With consent

We pass on personal data to companies, organizations or persons outside the company if the customer’s consent has been obtained for this purpose; this refers in particular to the circumstances of use outlined above.

4.2 Processing by other bodies

We provide personal data to other companies affiliated in the same group or group of companies, as well as to third party business partners, other trusted companies or persons who process it on our behalf. This is done on the basis of our instructions and in accordance with the privacy policy and other appropriate confidentiality and security measures.

4.3 For legal reasons

We will disclose personal information to companies, organizations or individuals outside the Company when it is reasonably believed that access to, use, preservation or disclosure of such information is necessary, in particular, to comply with any applicable law, regulation or legal process, or to comply with an enforceable governmental request.

5. Transfer of personal data to a third country or an international organization

Unless expressly stated in this privacy policy, personal data is not transferred to third countries or international organizations.

6. Automated decision making

Automated decision making does not take place.

7. Rights

If personal data are processed, the users are data subjects within the meaning of the GDPR and the data subjects are entitled to the following rights against us, the controller:

7.1 Right to information

Data subjects may request confirmation from the controller as to whether personal data concerning them are being processed by us. If such processing is taking place, you may request information from the controller about the following:

  • The purposes for which the personal data are processed.
  • The categories of personal data which are processed.
  • The recipients or categories of recipients to whom the personal data concerning you have been or will be disclosed.
  • The planned duration of the storage of the personal data concerning you or, if concrete information on this is not possible, criteria for determining the storage period.
  • The existence of a right to rectification or erasure of the personal data concerning you, a right to restriction of processing by the controller or a right to object to such processing.
  • The existence of a right of appeal to a supervisory authority.
  • Any available information about the origin of the data, if the personal data is not collected from the data subject.
  • The existence of automated decision-making, including profiling, pursuant to Article 22(1) and (4) of the GDPR and, at least in these cases, meaningful information about the logic involved and the scope and intended effects of such processing for the data subject.

Data subjects have the right to request information on whether personal data concerning them is transferred to a third country or to an international organization. In this context, data subjects may request to be informed about the appropriate safeguards pursuant to Article 46 of the GDPR in connection with the transfer.

7.2 Right to rectification

Data subjects have a right to rectification and/or completion vis-à-vis the controller if the personal data processed concerning them are inaccurate or incomplete. The controller shall carry out the rectification without undue delay.

7.3 Right to restriction of processing

Under the following conditions, data subjects may request the restriction of the processing of personal data concerning them:

  • If they contest the accuracy of the personal data concerning them for a period enabling the controller to verify the accuracy of the personal data.
  • The processing is unlawful and they object to the erasure of the personal data and request instead the restriction of the use of the personal data.
  • The controller no longer needs the personal data for the purposes of the processing, but they need it for the assertion, exercise or defense of legal claims.
  • If they have objected to the processing pursuant to Article 21 (1) DSGVO and it has not yet been determined whether the legitimate grounds of the controller outweigh their grounds.

If the processing of personal data concerning them has been restricted, such data may – apart from being stored – only be processed with their consent or for the assertion, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or a Member State. If processing has been restricted in accordance with the above conditions, data subjects shall be informed by the controller before the restriction is lifted.

7.4 Rights to deletion

7.4.1 Obligation to delete

Data subjects may request the controller to erase personal data concerning them without undue delay, and the controller is obliged to erase such data without undue delay, if one of the following reasons applies:

  • The personal data concerning them are no longer necessary for the purposes for which they were collected or otherwise processed.
  • You revoke the consent on which the processing was based pursuant to Art. 6 (1) a or Art. 9 (2) a DSGVO and there is no other legal basis for the processing.
  • You object to the processing pursuant to Art. 21 (1) DSGVO and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Art. 21 (2) DSGVO.
  • Personal data concerning them have been processed unlawfully.
  • The erasure of the personal data concerning them is necessary for compliance with a legal obligation under Union or Member State law to which the controller is subject.
  • The personal data concerning them have been collected in relation to information society services offered pursuant to Article 8(1) of the GDPR.

7.4.2 Information to third parties

If the controller has made the personal data concerning the data subject public and is obliged to erase it pursuant to Article 17(1) of the GDPR, it shall take reasonable steps, including technical measures, having regard to the available technology and the cost of implementation, to inform data controllers which process the personal data that you, as the data subject, have requested erasure of all links to or copies or replications of such personal data.

7.4.3 Exceptions

The right to erasure does not exist insofar as the processing is necessary:

  • For the exercise of the right to freedom of expression and information.
  • For compliance with a legal obligation which requires processing under Union or Member State law to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
  • For reasons of public interest in the area of public health pursuant to Art. 9(2)(h) and (i) and Art. 9(3) DSGVO.
  • For archiving purposes in the public interest, scientific or historical research purposes or statistical purposes pursuant to Article 89(1) DSGVO, insofar as the right referred to in section a) is likely to render impossible or seriously prejudice the achievement of the purposes of such processing.
  • For the assertion, exercise or defense of legal claims.

7.5 Right to information

If data subjects have asserted the right to rectification, erasure or restriction of processing vis-à-vis the controller, the controller shall be obliged to notify all recipients to whom the personal data concerning them have been disclosed of this rectification or erasure of the data or restriction of processing, unless this proves impossible or involves a disproportionate effort.

The data subject shall have the right vis-à-vis the controller to be informed about these recipients.

7.6 Right to data portability

Data subjects have the right to receive the personal data concerning them that they have provided to the controller in a structured, commonly used and machine-readable format. In addition, they have the right to transmit this data to another controller without hindrance by the controller to whom the personal data was provided, provided that:

  • The processing is based on consent pursuant to Art. 6 (1) a DSGVO or Art. 9 (2) a DSGVO or on a contract pursuant to Art. 6 (1) b DSGVO.
  • The processing is carried out with the help of automated procedures.

In exercising this right, data subjects also have the right to obtain that the personal data concerning them be transferred directly from one controller to another controller, insofar as this is technically feasible. Freedoms and rights of other persons must not be affected by this. The right to data portability shall not apply to processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

7.7 Right of objection

Data subjects have the right to object at any time, on grounds relating to their particular situation, to the processing of personal data concerning them which is carried out on the basis of Article 6(1)(e) or (f) DSGVO; this also applies to profiling based on these provisions. The controller shall no longer process the personal data concerning them unless it can demonstrate compelling legitimate grounds for the processing which override their interests, rights and freedoms, or for the establishment, exercise or defense of legal claims. If the personal data concerning them is processed for the purposes of direct marketing by the product providers, they have the right to object at any time to processing of personal data concerning them for the purposes of such marketing; this also applies to profiling, insofar as it is related to such direct marketing by the product providers. If you object to the processing for direct marketing purposes, the personal data concerning you will no longer be processed for these purposes. You have the possibility, in connection with the use of information society services – notwithstanding Directive 2002/58/EC – to exercise your right to object by means of automated procedures using technical specifications.

7.8 Right to revoke the declaration of consent under data protection law

Data subjects have the right to revoke their declaration of consent under data protection law at any time. The revocation of consent does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation.

7.9 Right not to be subject to automated decision-making in individual cases, including profiling

Data subjects have the right not to be subject to a decision based solely on automated processing – including profiling – which produces legal effects concerning them or similarly significantly affects them. This does not apply if the decision:

  • Is necessary for the conclusion or performance of a contract between them and the controller.
  • Is permitted by legislation of the Union or the Member States to which the controller is subject, and that legislation contains adequate measures to safeguard their rights and freedoms and their legitimate interests.
  • Is made with their explicit consent.

However, these decisions may not be based on special categories of personal data pursuant to Article 9(1) of the GDPR, unless Article 9(2)(a) or (g) of the GDPR applies and appropriate measures have been taken to protect the rights and freedoms as well as their legitimate interests. With regard to the cases mentioned in (1) and (3), the controller shall take reasonable measures to safeguard the rights and freedoms as well as your legitimate interests, which include, at a minimum, the right to obtain the intervention of a person on the part of the controller, to express your own point of view and to contest the decision.

7.10 Right to complain to a supervisory authority

Without prejudice to any other administrative or judicial remedy, data subjects shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of their residence, their place of work or the place of the alleged infringement, if they consider that the processing of personal data concerning them infringes the GDPR. The supervisory authority with which the complaint has been lodged shall inform the complainant of the status and outcome of the complaint, including the possibility of a judicial remedy under Article 78 GDPR.

8. Applications

We are pleased that you would like to apply for a job with us. You will find our special data protection information for applicants here on an extra information page. You can also access this information directly in the online form there, where we will inform you in particular about the purposes, legal bases and other information regarding the specific processing in connection with your application to us.

As of: November 2022