In general, you can browse our website without providing personal data. To the extent that personal data is processed by us (e.g. name, address, or e-mail), it is always, where feasible, done so on the basis of data you have voluntarily provided to us. Without your explicit consent, this data is not disclosed to third parties. However, it should be noted that data transmission via internet (e.g. communication via e-mail) may in principle have security vulnerabilities. Therefore, absolute protection from unauthorized access by third parties cannot be guaranteed.
The processing of your or another data subject’s personal data — in particular name, address, telephone or mobile phone number, e-mail, and bank information — is always and under all circumstances handled in strict accordance with the EU’s General Data Protection Regulation as well as the country-specific data protection laws.
Name and address of the data controllers
Pursuant to the General Data Protection Regulation as well as every other data regulation law and legal document relevant to data protection that is valid for the member states of the European Union, the data controllers are:
Christiane Weidenbach, Thomas Knauf and Wolfgang Wichert
Alte Wittener Str. 50
Data protection officer
You can contact our data protection officer under the following address:
Herr Jürgen Golda
Tel: +49 (0) 234 893970
Consent to the processing of personal data
With the voluntary use of our website and our scope of services, the user consents to the processing of personal data required for one of the following purposes:
eggheads GmbH offers services that are of interest to its clients, namely sales, installation, support, service and consulting concerning eggheads Suite, a standard software in the field of Product Information Management.
The user consents that eggheads GmbH collects the data necessary to realize and provide all of the above-stated services. For this purpose, the user also gives consent that data may, where necessary, be shared with partner companies of eggheads GmbH, with whom it has entered into a legal data processing contract pursuant to GDPR.
Personal data — in particular name, address, telephone or mobile phone number, e-mail, and bank information — is only necessary and required for the purpose of service provisions or potential contractual relationships, and is only collected on the grounds of legal authorization. For every use of personal data that is not part of the above-stated services as well as for the collection of additional information, the data subject is to give consent regularly.
With regards to this, further aspects — in particular the right to object — are elaborated in the following paragraphs.
Our website utilizes cookies. Cookies are small data files exchanged between the server of the website and the browser of the visitor. When you visit our website, cookies are automatically stored on your device (computer, laptop, tablet, smartphone etc.). Cookies are not harmful to your device, in particular they do not contain viruses or other malicious software.
In a cookie, information is stored related to the specific device utilized to access our website. However, this does not mean that we gain immediate knowledge of your identity. Cookies serve the purpose of making our services more ergonomic for you. In relation to this, we utilize so-called ‘session cookies’ in order to recognize which webpages of our website you have already visited as part of the current session. Session cookies are automatically deleted after closing our website.
To optimize the usability of our website, we also utilize temporary cookies that are stored on your device for a predefined time. In case you visit our website again in order to make use of our services, your system automatically recognizes that you have already visited our website and which settings or inputs you have entered so that you do not need to enter them again.
Among other things, we utilize cookies to statistically evaluate how our website is utilized in order to optimize it. Accordingly, these cookies recognize that you have visited our website before, and are automatically deleted after a predefined time.
The data processed by cookies is necessary for the above-stated purposes to preserve our legitimate interests or that of a third party pursuant to GDPR, point (f) of Article 6 (1).
Most browsers automatically accept cookies. However, you can configure your browser so that no cookies are stored on your device or that you are to be notified before a cookie is created.
3. Server log files
When our website is visited by a data subject or an automated system, the provider of the website collects a set of general data. This set is then automatically saved into a server log file, which is automatically transmitted to us via your browser. Accordingly, this set of general data consists of:
- Browser type and browser version
- Operating system
- HTTP referrer ID (previously visited website)
- Host name of device (IP address)
- Date and time of server request
- Related data that is relevant for guaranteeing the security of our information technology systems against cyberattacks etc.
The anonymous data stored in the server log file cannot be linked to any individual and is not merged with other data sources. Consequently, it is saved separately from all personal data provided by a data subject. We reserve the right to analyze this data after its initial processing should we become aware of or have justified reasons to suspect illegal use.
4. Registration on our website
As a data subject, you can register on the data controller’s website, providing personal data as may be required. Consequently, the respective input mask for registration determines what personal data is transmitted to the data controller. To this extent, the data processing pursuant to GDPR, point (a) Article 6 (1) is carried out only with your consent. The personal data inserted by the data subject is exclusively collected and saved by the collector for internal use only. The collector may — where valid reasons can be provided — disclose this data to individual or multiple processors, who may also only utilize this data for an internal use that is to be communicated to the collector.
Furthermore, when registering on the data controller’s website, the following data is also saved: the data subject’s IP address as communicated by the internet service provider (ISP) as well as the date and time of registration. The reason as to why this data is saved is that we can only prevent the misuse of our services by following this procedure. Where necessary, the data is also utilized for the detection and prosecution of criminal offences. To this extent, saving this data is required for the legal protection of the collector. In principle, this data is not disclosed to third parties unless there are legal obligations to disclose it or it is required for legal prosecution.
The personal data provided by the data subject for registration on a voluntary basis serves the purpose of allowing the data controller to provide the respective data subject with content and services which may only be accessible for registered users due to the nature of this content and services. Registered users are free to change their personal data they submitted for registration or to completely erase it from the data controller’s database.
At any time, the data subject can submit a request to the data controller in order to gain insight into the respective data subject’s personal data stored in the data controller’s database. Accordingly, the data controller is to rectify or erase the subject’s personal data upon her request to the extent that there are no legal obligations for data retention in play.
5. Subscription and newsletters
Customers and partner companies of eggheads can subscribe to the newsletter of our company. The respective data subject’s subscription request that is sent via e-mail determines what personal data is transmitted to the data controller. On a regular basis, we inform our customers and business partners via newsletter about the services of our company. Our company’s newsletter can, in principle, only be received by the data subject where the following two conditions are met:
- The data subject has a valid e-mail address
- The data subject has subscribed to our newsletter
The corresponding data collection is required to detect (potential) misuse of the data subject’s e-mail address after its initial processing and is, consequently, required for the legal protection of the collector.
The personal data collected as part of the subscription to our newsletter is exclusively utilized to send newsletters on a regular basis. Furthermore, subscribers to our newsletter may receive e-mails containing relevant information concerning our newsletter service. For example, this may be the case if changes are made to our regular newsletter service. No personal data is disclosed to third parties as part of the newsletter service. The subscription to our newsletter may be canceled at any time by the data subject. At any time, the data subject may withdraw her consent to the storage of personal data which was collected as part of the subscription to the newsletter. Our newsletter readers can exercise their right to withdraw consent by clicking the respective link provided in any of our newsletters. Additionally, newsletter readers can also unsubscribe via the data controller’s website or by communicating a request directly to the data controller via any other viable channel.
6. Newsletter tracking
Our newsletters contain so-called web beacons. A web beacon is a pixel-sized graphic that is embedded in HTML-formatted e-mails, allowing for log data tracking and log data analysis. On the basis of this, a statistical evaluation of the success of our online marketing campaigns can be carried out: By utilizing web beacons, we can track whether and when an e-mail was read and which links contained in the e-mail have been opened by the data subject.
Personal data collected via web beacons that are contained in our newsletters is saved and evaluated by the collector in order to optimize our newsletter service and to further adjust the content of our future newsletters on the basis of the data subjects’ interests. This personal data is not disclosed to third parties. At any time, a data subject may withdraw consent. Where a data subject exercises her right to withdraw consent, the collector is to erase the respective personal data. Unsubscribing from our newsletter is regarded as a withdrawal of consent.
7. Contact via website
Due to legal regulations, our website allows for quick electronic communication with our company via contact form as well as immediate communication via e-mail. To the extent that a data subject communicates with the collector via contact form or e-mail, the personal data provided by the data subject is saved automatically. This personal data, provided to the collector by the data subject on a voluntary basis, is saved for the purpose of processing and communication. It is not disclosed to third parties.
When you contact us via e-mail, there is no guarantee that third parties cannot gain access to or falsify the content of the e-mail on the transmission path. Accordingly, you should only send messages containing confidential content to us via our contact form or in encrypted form.
8. Analysis tool: Google Analytics
The cookies collect information about your use of our website, such as:
- Browser type and browser version
- Operating system
- HTTP referrer ID (previously visited website)
- Host name of device (IP address)
- Date and time of server request
This information is then gathered and stored on a Google server. The information is utilized to evaluate the use of our website, to create reports on website activities, and to offer services related to market research and demand-actuated design. As circumstances may require, this information may also be distributed to third parties, to the extent that this is legally required or is part of the order processing. On no account is your IP address merged with other data of Google to the extent that we can influence this process. The IP addresses are anonymized so that a clear mapping is not possible (IP masking).
You can disable cookies by configuring your browser accordingly. Please note, however, that you may not be able to use all functions of our website if required cookies are blocked.
Furthermore, you can prevent the data generated by cookies and your use of our website (including your IP address) from being collected and processed by Google by downloading and installing a browser add-on: (https://tools.google.com/dlpage/gaoptout?hl=de).
For further information concerning data protection related to Google Analytics, please refer to the Google Analytics help.
We’ve enabled the “Google Signal” function in Google Analytics. With this additional function, the so-called “Cross-Device Tracking” can be used. This allows for bundling together a website user’s activity even if she’s browsing it using different devices. For this service, cookies are utilized and user data is collected. As far as we’re concerned, no personal data is processed as part of this analysis in Google Analytics. To website operators, no usage profiles are accessible. What kind of analysis Google conducts on this basis isn’t clearly defined. In Google Analytics, such data is only bundled together if users are also signed into their Google account.
If you don’t want to be subject to such analysis, you can deactivate the “Personalized Advertisement” setting in your Google account. For further information, please refer to Google: https://marketingplatform.google.com/about/partners/tos or https://policies.google.com/.
9. Google Tag Manager
On our website, we use Google Tag Manager. This service allows for managing website tags using a graphical interface. The Google Tag Manager serves the exclusive purpose of implementing tags. No cookies are set and no sensitive information is collected. Google Tag Manager activates other tags which may collect data. Google Tag Manager does not access this data. If tags are deactivated on the level of domain or cookies, then this applies to all tracking tags insofar as they are implemented via Google Tag Manager. More information on Google Tag Manager can be found under the following link: https://www.google.com/analytics/terms/tag-manager/.
10. Google – reCAPTCHA
On our website, we use the reCAPTCHA service of Google Inc. (USA) for protection against spam and bots. This serves the purpose of protecting both website and forms, and is therefore used on the grounds of Legitimate Interest. The following data is processed: IP address, website identifier, date, browsing time of our website, browser information, information on the operating system, and mouse cursor movement on the reCAPTCHA area. If you are logged into a Google account, this information is also processed. For further information, please consult the Google reCAPTCHA page under: https://www.google.com/recaptcha/intro/v3.html.
11. Google Search Console
We use the Google Search Console to monitor our website in case any technical errors should occur. Google Search Console is a free service provided by Google, allowing us to monitor and manage our visibility in the Google search index. Hereby, we are provided with relevant information which Google collects about our website. The use of Google Search Console does not concern data protection, since no user or tracking data is sent from our website to Google in this manner. Only the data about the visibility of our website is sent from Google to us.
12. Google Fonts
Our website uses Google Fonts to load fonts and icons. Google Fonts is a service provided by Google. The implementation is made up of a server request and related data exchange. Google collects the accessed websites and IP addresses. To learn more about further data requested or processed, please refer to the official statement by Google: https://fonts.google.com/#AboutPlace:about. Data protection policy of Google: https://policies.google.com/privacy
13. Google Ads
We use the remarketing functions as part of the Google Ads service. With these remarketing functions, we can display advertisements to you as a user of our website on other websites participating in the Google Ads network based on your interests (e.g. Google Search and so-called “Google Adwords” displayed as the top search results, or YouTube and other websites). For this purpose, an analysis is conducted on how you interact with our website (e.g. the offers you may be interested in). This way, we can provide relevant advertisement to you even after visiting our website. To do so, Google saves a number in your internet browser, registering that you visited particular Google websites or services participating in the Google display network. Such numbers are referred to as “cookies”. They serve as the unique identifier of your browser on your end device; they do not serve as the identification of a person or personal data.
There are many ways for you to prohibit this tracking method:
a) Use the respective settings of your internet browser, in particular you may disable third-party cookies so that you receive no third-party advertisement.
b) Install the plugin provided by Google: https://www.google.com/settings/ads/plugin.
c) Deactivate the targeted advertisement by providers participating in the “About Ads” self-regulation campaign using this link: https://www.aboutads.info/choices (this setting is deleted when deleting your cookies).
d) Permanently deactivate tracking in your Mozilla Firefox, Internet Explorer, or Google Chrome under the link: https://www.google.com/settings/ads/plugin.
e) Use relevant cookie settings. In this case, however, you may not be able to use all features provided to you by our website.
For further information, please refer to the data protection policy of Google: https://www.google.com/intl/de/policies/privacy and https://services.google.com/sitestats/de.html.
Alternatively, you can visit the website of the Network Advertisement Initiative (NAI) under: https://www.networkadvertising.org/.
Used cookies: Type C. For further information, refer to the section “Cookies”. Life cycle of cookies: up to 1 month (this only applies to cookies of our website). Legal basis: GDPR, Art. 6 (1).
14. Google Optimize
To optimize our website’s usability, we use the “Google Optimize” service by the provider Google Inc. (1600 Amphitheatre Parkway Mountain View, CA 94043, USA). This service is a functional extension for Google Analytics and is cookie-based. According to Google, this extension anonymizes your IP address after processing it. In some exceptional cases, the complete IP address is transferred over to the provider in the US but stored in an encrypted format. According to Google, IP addresses will not be merged with other data from Google.
You can block the processing of cookies in your internet browser. You can do so either via individual settings in your specific browser or by using the browser plugin provided here: https://tools.google.com/dlpage/gaoptout?hl=us. For further information on Google Optimize, please refer to this webpage: https://support.google.com/optimize/answer/6197440?hl=en&ref_topic=11608543#zippy=%2Cin-this-article.
15. Bing Webmaster Tools
For Search Engine Optimization (SEO), we use Bing Webmaster Tools developed by Microsoft. According to Microsoft, personal data is neither collected nor processed. The tool operates on the basis of one or more cookies which are stored locally on your computer (which you may delete or block anytime). In particular, this entails…
- Cookie: For saving your unique search ID. Thanks to this, relevant search results can be provided to you.
- Web beacons: For saving cookies and creating analysis data. According to Microsoft, no personal data is collected or processed as part of this either.
The tool provides information which contributes to the quality, security, and integrity of Microsoft services. Additionally, this information is used for improving the Bing search results. Lastly, Microsoft utilizes it to strengthen security against vulnerabilities and potential threats.
The following links provide you with further information:
Here, you can configure your Bing privacy settings: https://account.microsoft.com/privacy/ad-settings/signedout
16. Social Plugin: Facebook
Our website features so-called social media plugins (hereafter ‘plugins’) from the social network facebook in order to personalize the experience of our website. The address of the company responsible is Facebook Inc. (1601 South California Avenue, Palo Alto, CA 94304, USA; hereafter ‘facebook’). A facebook plugin is represented by the facebook logo displayed on our website. An overview of all facebook plugins can be found here: http://developers.facebook.com/docs/plugins/
When you open a webpage of our website that contains a feature of this kind, your browser establishes a direct connection to the facebook servers. The content of the plugin is directly transmitted to your browser by facebook and integrated into the webpage.
By implementing the plugin, facebook receives the information that your browser has accessed the respective webpage of our website, even if you do not have a facebook account or are currently not logged into facebook. This information (including your IP address) is directly transmitted to a facebook server by your browser.
If you are currently logged into facebook, facebook can directly map your visit to our website with your facebook account. When you interact with plugins, such as clicking on the ‘Like’ or ‘Share’ button, corresponding information is also directly transmitted to and saved by a facebook server. The information is also published on facebook and visible to your facebook friends.
Facebook may utilize this information for the purpose of advertisement, market research, and demand-actuated design of facebook pages. For this, facebook creates use, interest, and relationship profiles (e.g. to evaluate your use of our website in relation to the advertisement displayed on facebook), to inform other facebook users about your activities on our website, and to provide other services related to the use of facebook.
If you do not want facebook to map the data collected via the use of our website, you have to log out of facebook before visiting our website.
17. Social Plugin: Instagram
On our website, we feature so-called ‘social plugins’ (plugins) by Instagram. The address of the company responsible — hereafter ‘Instagram’ — is LLC., 1601 Willow Road, Menlo Park, CA 94025, USA. The plugins are represented in the form of the Instagram logo, e.g. in the form of the ‘Instagram camera’. An overview of all Instagram plugins can be found here: http://blog.instagram.com/post/36222022872/introducing-instagram-badges
When visiting one of our webpages, a direct connection between your browser and the Instagram servers is established. Hereby, the content of the plugin is directly transmitted to your browser and implemented into the respective webpage of our website by Instagram. Instagram receives the information that your browser has accessed our website even if you do not have an Instagram account or are currently not logged into your Instagram account. This information (including your IP address) is directly transmitted and saved to one of the servers of Instagram in the US. If you are logged into your Instagram account, Instagram can immediately link your visit of our website to your Instagram profile.
If you interact with the plugins, e.g. press the ‘Instagram’ button, the corresponding information is also directly transmitted and saved on one of the Instagram servers. Likewise, this information is published on Instagram and visible to your contacts.
If you do not want Instagram to immediately link the data gathered from your use of our website to your Instagram profile, please log out of your Instagram account before browsing our website.
18. Social Plugin: LinkedIn
On our website, we feature so-called ‘social plugins’ (plugins) by LinkedIn. The address of the company responsible is LinkedIn Corporation, 2029 Stierlin Court, Mountain View, CA 94043, USA (LinkedIn). The plugins are represented in the form of the ‘In’ button on white or colored background.
An overview of all LinkedIn plugins can be found here: https://developer.linkedin.com/plugins
When visiting one of our webpages that features such a plugin, your browser establishes a direct connection to the LinkedIn servers. The content of the plugin is transmitted directly to your browser and implemented into the respective webpage of our website by LinkedIn. This way, LinkedIn receives the information that you have accessed our website even if you do not have a LinkedIn account or are currently not logged into your LinkedIn account. This information (including your IP address) is directly transmitted from your browser to a LinkedIn server in the US.
When you click the “LinkedIn” button while you are also logged into your LinkedIn account, you can link contents from our website on your LinkedIn profile page. This way, LinkedIn can associate your visit of our website with you and your user account.
19. Social Plugin: XING
On our website, we feature so-called ‘social plugins’ (plugins) by Instagram. The address of the company responsible is XING AG, Dammtorstraße 29-32, 20354 Hamburg, Germany (XING). The plugins are represented in the form of buttons with the ‘XING’ logo on white or colored background. An overview of all XING plugins can be found here: https://dev.xing.com/
When visiting one of our webpages that features such a plugin, your browser establishes a direct connection to the server of XING. The content of the plugin is transmitted directly to your browser and implemented into the respective webpage of our website by XING. This way, XING receives the information that you have accessed the respective webpage of our website even if you do not have a XING account or are currently not logged into your XING account. This information (including your IP address) is directly transmitted from your browser to a server of XING in Europe or, as the circumstances require, the US.
When you click the “XING” button while you are also logged into your XING account, you can link contents from our website on your XING profile page. This way, XING can associate your visit of our website with you and your user account.
20. Social Plugin Twitter
On our website, we use so-called “Social Plugins” by the social network twitter.com (“Twitter”). Twitter is developed by Twitter Inc., 795 Folsom St., Suite 600, San Francisco, CA 94107, USA. You may find further information on the functions of individual plugins and how they can be identified on the following website: https://dev.twitter.com/docs/twitter-for-websites
To block Twitter from collecting aforementioned data by browsing our webpages, please log out of Twitter before accessing our website. In order to block Twitter from collecting your data in general, you may also activate add-ons of your internet browser which allow you to disable Twitter Social Plugins.
On some of our webpages, we use embedded content from YouTube. When opening such webpages, no personal data is processed, with the exception of the IP address which is transferred to the service provider. In the case of YouTube, the IP address is transferred to Google Inc. (1600 Amphitheatre Parkway Mountain View, CA 94043, USA).
We always embed videos from YouTube in the privacy-enhanced mode. Pursuant to the data protection policies of Google, this means that personal data is not evaluated automatically. Viewer information is only stored if the visitor of the webpage views the video. According to the official description, the IP address is transferred to YouTube and may be assigned to a YouTube account. This assignment can be avoided if you are not logged into Google/YouTube.
22. WhatsApp Button
On our website, we use the WhatsApp service which allows you to share hyperlinks to our blog entries either with yourself or with third parties. In the process, our website does not send personal data to the WhatsApp service, it only shares the relevant hyperlink.
For our Online Marketing activities, we use HubSpot on our website. HubSpot is a software company headquartered in the US and with a sub-branch in Ireland. Contact: HubSpot, 2nd Floor 30 North Wall Quay, Dublin 1, Ireland; Phone: +353 1 5187500.
HubSpot is an integrated software solution, allowing us to provide various functions revolving around our Online Marketing. Such functions include:
E-Mail Marketing (newsletters and automated mailing, e.g. for providing downloads), Social Media Publishing/Reporting, Reporting (e.g. traffic sources, accessed pages, … etc.), Contact Management (e.g. user segmentation), Landing Pages, and Contact Forms.
Our forms allow users to get more information about our company and our software solutions, to download content, and receive contact information. This information is saved on the servers of our software partner HubSpot. We may use this information to get into contact with visitors of our website or to analyze which of our services is of interest to you. All processed information is subject to this data protection policy. This information is only processed for the exclusive use of optimizing our marketing measures.
Additionally, for improving the user experience on our website, we use HubSpot’s “Messages” live chat service on some of our webpages for sending and receiving text chat messages. When consenting to and using this function, the following data is transferred to HubSpot’s servers:
- Content of all sent and received text chat messages
- Context information (e.g. on which webpage the chat is used)
- Optional: User’s e-mail address (if explicitly provided by the user via this chat function)
By utilizing the lead synchronization of Google Ads, we receive your data through the lead form extensions of Google. Consequently, we then proceed to process your data after receiving your approval through the double-opt-in procedure.
The legal grounds for using HubSpot’s services is Art. 6 I f GDPR, on the lawfulness of processing for the purposes of legitimate interests. Our legitimate interest is the use of this service for optimizing our marketing measures and improving the service quality of our website.
This website uses the Spotify streaming service (Spotify AB, Birger Jarlsgatan 61, 113 56 Stockholm, Sweden). This service is implemented into our website using iFrames.
Spotify utilizes cookies to identify users and establish a connection to the Spotify servers. Related cookies and links process, among other things, IP addresses and the visited website. If you’re logged into your Spotify account, Spotify will assign this activity to your account. If you don’t want this to be the case, please log out of Spotify prior to giving your consent.
25. SSL encryption
For our website, we utilize the common SSL encryption (Secure Socket Layer) in combination with the highest security level supported by your browser. In general, this is a 256-bit encryption. If your browser does not support a 256-bit encryption, we instead utilize 128-bit v3 technologies. The key or lock symbol in your browser address bar indicates that a specific webpage of our website is encrypted.
Furthermore, we utilize technical and organizational security measures to protect your data against accidental or intentional manipulation, partial or total loss, erasure, or unauthorized third-party access to the best of our abilities. Our security measures are continuously improved in accordance with state-of-the-art technologies.
26. Routine erasure of personal data and restriction of processing
The data controller processes and saves the data subject’s personal data for the envisaged period of 10 years, unless specified differently by the European directives and regulations or other relevant laws by which the data controller is to abide.
After the 10 years have passed or after the period of data retention, as specified by European guidelines and regulations or other relevant laws, has run out, the personal data is routinely erased or access to it is blocked.
27. Rights of the data subject concerning access, rectification, deletion, blocking etc.
a) Right of confirmation
At any time, any data subject shall have the right to obtain from the data controller confirmation as to whether or not personal data concerning her is being processed and saved. To exercise this right of confirmation, a data subject can contact our data protection officer or any other of the data controller’s employees at any time.
b) Right of access
Pursuant to GDPR, Article 15, the data subject of whom personal data is processed shall have the right, at any time, to receive from the data controller information about the personal data concerning her as well as a copy thereof. Furthermore, the data subject shall have the right of access for the following information:
- the purposes of the processing
- the categories of personal data being processed
- the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations
- where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period
- the existence of the right to request from the data controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing
- the right to lodge a complaint with a supervisory authority
- where the personal data are not collected from the data subject, any available information as to their source
- the existence of automated decision-making — including profiling — referred to in GDPR, Article 22 (1) and (4) and, at the very least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject
Where personal data is transferred to a third country or to an international organization, the data subject shall have the right to be informed of the appropriate safeguards relating to the transfer.
To exercise this right of access, a data subject can contact our data protection officer or any other of the data controller’s employees at any time — an e-mail to the following address is sufficient for this: firstname.lastname@example.org.
c) Right to rectification
Pursuant to GDPR, Article 16, any data subject of whom personal data is processed shall have the right, at any time, to obtain from the data controller without undue delay the rectification of inaccurate personal data concerning her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
To exercise this right of rectification, a data subject can contact our data protection officer or any other of the data controller’s employees at any time.
d) Right to erasure (‘right to be forgotten’)
Pursuant to GDPR, Article 17 any data subject of whom personal data is processed shall have the right, at any time, to obtain from the data controller the erasure of personal data concerning her without undue delay and the data controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
- The personal data is no longer necessary in relation to the purposes for which they were collected or otherwise processed.
- The data subject withdraws consent on which the processing is based according to GDPR, point (a) of Article 6 (1), or point (a) of Article 9 (2), and where there is no other legal ground for the processing.
- The data subject objects to the processing pursuant to GDPR, Article 21 (1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21 (2).
- The personal data has been unlawfully processed.
- The personal data is to be erased for compliance with a legal obligation in Union or Member State law to which the data controller is subject.
- The personal data has been collected in relation to the offer of information society services referred to in GDPR, Article 8 (1).
The erasure can be requested to the extent that it is not required to exercise the freedom of speech and information, to fulfill a legal obligation related to public interests or the exercise and defense of legal claims.
If one of the above-stated grounds applies and a data subject wants to exercise her right to erasure, she can contact our data protection officer or any other of the data controllers’ employees at any time. Our data protection officer or respective employee is then responsible for the due erasure of the respective personal data.
Where the data controller has made the personal data public and is obliged pursuant to GDPR, Article 17 (1) to erase the personal data, the data controller, taking account of available technologies and the cost of implementation, shall take reasonable steps, including technical measures, to inform data controllers which are processing the personal data that the data subject has requested the erasure by such data controllers of any links to, or copy or replication of, those personal data. In individual cases, our data protection officer or respective employee is to assure that the erasure of the respective personal data is carried out accordingly.
e) Right to restriction of processing
Pursuant to GDPR, Article 18 any data subject of whom personal data is processed shall have the right, at any time, to obtain from the data controller restriction of processing where one of the following applies:
- The accuracy of the personal data is contested by the data subject, for a period enabling the data controller to verify the accuracy of the personal data.
- The processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead.
- The data controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defense of legal claims.
- The data subject has objected to processing pursuant to GDPR, Article 21 (1) pending the verification whether the legitimate grounds of the data controller override those of the data subject.
If one of the above-stated cases applies and a data subject wants to exercise her right to restrict the processing of her personal data saved by us, she can contact our data protection officer or any other of the data controller’s employees at any time. Our data protection officer or respective employee is responsible for the due restriction of the respective personal data.
f) Right to data portability
Pursuant to GDPR, Article 20 any data subject of whom personal data is processed shall have the right, at any time, to receive the personal data concerning her, which she has provided to a data controller, in a structured, commonly used and machine-readable format and she shall have the right to transmit this data to another data controller without hindrance from the data controller to which the personal data has been provided, where:
- the processing is based on consent pursuant to GDPR, point (a) of Article 6 (1) or point (a) of Article 9 (2) or on a contract pursuant to point (b) of Article 6 (1);
- and the processing is carried out by automated means.
This right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller.
In exercising her right to data portability pursuant to GDPR, Article 20 (1) as stated above, the data subject shall have the right to have the personal data transmitted directly from one data controller to another, where technically feasible and where there is no conflict with the freedom and rights of other persons.
To exercise this right to data portability, a data subject can contact our data protection officer or any other of the data controller’s employees at any time.
g) Right to object
Pursuant to GDPR, Article 21 any data subject of whom personal data is processed shall have the right, at any time, to object, on grounds relating to her particular situation, to processing of personal data concerning him or her which is based on GDPR, point (e) or (f) of Article 6 (1) — including profiling based on those provisions. The data controller shall no longer process the personal data unless the data controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims.
Where we process personal data for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning her for such marketing — which includes profiling to the extent that it is related to such direct marketing. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
Where personal data is processed for scientific or historical research purposes or statistical purposes pursuant to GDPR, Article 89 (1), the data subject, on grounds relating to her particular situation, shall have the right to object to processing of personal data concerning her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
To exercise this right to object, a data subject can contact our data protection officer or any other of the data controllers’ employees at any time — an e-mail to the following address is sufficient for this: email@example.com. In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise her right to object by automated means using technical specifications.
h) Automated individual decision-making, including profiling
Pursuant to GDPR, Article 22 any data subject of whom personal data is processed shall have the right, at any time, not to be subject to a decision based solely on automated processing — including profiling — which produces legal effects concerning her or similarly significantly affects her. This shall not apply if the decision:
- (1) is necessary for entering into or the fulfillment of a contract between the data subject and a data controller;
- (2) is authorized by Union or Member State law to which the data controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests;
- (3) is based on the data subject’s explicit consent.
In the cases referred to in points (1) for the making or fulfillment of a contract between the data subject and a data controller and (2) for the data subject’s explicit consent, the data controller shall implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the data controller, to express her point of view and to contest the decision.
i) Right to withdraw consent
Pursuant to GDPR, Article 7 (3) any data subject of whom personal data is processed shall have the right, at any time, to withdraw consent to the processing of her personal data.
To exercise this right to withdraw consent, a data subject can contact our data protection officer or any other of the data controller’s employees at any time — an e-mail to the following address is sufficient for this: firstname.lastname@example.org.
j) Right to consult the Federal Commissioner for Data Protection and Freedom of Information
Pursuant to GDPR, Article 7 (3) any data subject of whom personal data is processed shall have the right, at any time, to consult or form a complaint and send it to the supervisory authorities. In general, you can contact the nearby supervisory authority or the supervisory authority of our company headquarters.
28. Data protection for applications and application processes
29. Lawfulness of processing
Pursuant to GDPR, point (a) Article 6 (1), the lawfulness of processing procedures is provided where the data subject has given consent to the processing of her data for a specific purpose.
Pursuant to GDPR, point (b) Article 6 (1), the lawfulness of processing procedures is provided where the processing is necessary for the performance of a contract to which the data subject is party (e.g. processing for the supply of products and services and to provide services in return) or in order to take steps at the request of the data subject prior to entering into a contract (e.g. all cases that concern requests for our products and services).
Pursuant to GDPR, point (c) Article 6 (1), the lawfulness of processing procedures is provided where the processing is necessary for compliance with a legal obligation to which the controller is subject (e.g. tax obligation).
Pursuant to GDPR, point (d) Article 6 (1), the lawfulness of processing procedures is provided in rare cases where processing is necessary in order to protect the vital interests of the data subject or of another natural person. This may be the case if a visitor of our company is injured and is to provide her name, age, medical records, as well as other vital information to doctors, hospitals or other third parties. The processing is lawful if the processing is required to preserve our legitimate interests or that of a third party, to the extent that the data subject’s interests, basic rights, and fundamental liberties are not violated.
Where the processing is pursuant to GDPR, point (f) of Article 6 (1), our legitimate interests pursued lie in our business activities in support of all of our employees as well as our shareholders.
Pursuant to GDPR, point (f) Article 6 (1), the lawfulness of processing procedures is provided in cases that are not governed by the aforementioned types of lawfulness and where the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller — to the extent that this does not outweigh the rights of the individual data subject. In particular, this is justified by Union law to the extent that legitimate interests may be pursued in cases where the data subject is one of the controller’s customers (GDPR, Recital 47: Overriding legitimate interest).
30. Period of data retention
The criterion for our company’s period of data retention is the respective legal retention period for personal data. With the end of this period, the respective data is routinely erased, to the extent that it is no longer required for the performance or initiation of a contract.
31. Recipients of personal data / third country disclosure
Pursuant to GDPR, point (9) Article 4, recipients of personal data are limited to our company and, in individual cases as circumstances may require, legal recipients such as public authorities, partner companies or suppliers (e.g. our website operator).
32. Legal or contractual requirements for the provision of personal data; necessity for initiation of contract; obligations of the data subject to provide the respective personal data; possible consequences in case of failure to provide such data
We inform you that the provision of personal data is in part legally required (e.g. tax regulations) or contractually required (e.g. contract partners). Among other cases, it may be required that a data subject is to provide personal data to us as part of entering into a contract, which is then processed by us. Accordingly, the data subject is required to provide the respective personal data necessary; failure to provide such data results in failure to enter into the respective contract. Prior to the provision of personal data by the data subject, she may contact our data protection officer. For each individual case, our data protection officer informs the data subject whether the provision of data is legally or contractually required, or necessary for entering into a contract, or whether there is a legal obligation. Furthermore, information concerning the consequences in case of failure to provide such data is also provided.
33. Automated operational decision management
As a company with ethical responsibilities, we do not utilize automated operational decision management or profiling.
Sources: German Society for Data Protection (Deutsche Gesellschaft für Datenschutz DGD), https://dg-datenschutz.de; eRecht24, www.e-recht24.de; intersoft consulting services AG, https://gdpr-info.eu/; and easyrechtssicher, https://easyrechtssicher.de