This data privacy statement informs you about the kind, scope and purpose of collecting and processing personal data (henceforth ‘data’) within our online products and with the associated websites, features and content, as well as online presence, for example, in social media. We understand the terms as they are defined in Article 4 of the General Data Protection Regulation (GDPR).
Data protection officer
Types of processed data
- Inventory data (e.g. names, addresses)
- Contact details (e.g. e-mail, telephone number)
- Content details (e.g. text entry, photographs, videos)
- Contract data (e.g. contractual obligation, duration, customer category)
- Payment information (e.g. bank account, payment history)
- Usage data (e.g. websites visited, interest in content, access times)
- Meta/communication data (e.g. device information, IP addresses)
Processing of special categories of personal data (Art. 9 Paragraph 1)
- No particular category of data will be processed.
Category of people affected by processing
- Customers/potential customers/suppliers
- Visitors and users of online services
- Newsletter subscription
We will henceforth refer to the above-mentioned people as “users”.
Purpose of processing
- Provision of online services, content and features.
- Rendering of contractual obligations, services and customer care.
- Answering contact requests and communication with users
- Marketing, advertising and market research
- Security measures.
1. Standard legal basis
3. Security measures
3.1 In line with Art. 32 of the GDPR, allowing for the status of technology, the implementation costs and the type, scope, circumstances and purposes of processing as well as the occurrence likelihoods and weight of risks for the rights and freedoms of natural persons, we meet the recommended technical and organizational measures to guarantee an appropriate level of protection from risks. In particular this includes confidentiality, integrity and availability of data through controlling physical access to data as well as the relevant access, entries, forwarding, security of availability and its separation. Additionally we have arranged procedures that guarantee awareness of rights, deleting data and reactions to data endangerment. Furthermore, we consider the protection of personal data at the point of development, i.e. the selection of hardware, software, as well as procedures, namely the principle of data protection through technology development and through data-protection-friendly preconfigurations.
3.2 Security measures include, in particular, the encrypted transmission of data between your browser and our server.
4. Cooperation with processors and third parties
4.1 If we disclose data to other people and businesses (data processing companies or third parties) in the course of processing, transmit it to them or grant them access to the data in another way, this only occurs on the basis of legal permission (for instance, where it is necessary to transfer data to a third party like a payment provider according to Art. 6 Par. 1 lit b of the GDPR), or where you have given permission, or when a legal obligation requires us to do so, or on the basis of our legitimate interests (for instance, when using agents, web hosts, etc).
4.2 If we commission third parties with data processing on the basis of a processor contract, this will occur on the basis of Art. 28 of the GDPR.
5. Transfers to third countries
If we process data in a third country (this refers to countries outside of the European Union (EU) or the European Economic Area (EEA)) or if this occurs within the use of services from third parties or the disclosure or transmission of data to a third party occurs, then this will only happen if it is to fulfil our (pre)contractual obligations, on the basis of your consent, because of a legal obligation or on the basis of our legitimate interests. Subject to legal or contractual permissions, we will only process or store the data in third countries when there is a particular requirement of Article 44 ff. GDPR. This means that processing will happen only, for example, on the basis of particular guarantees like the officially recognized statement of an EU-appropriate data protection level (for example, for the USA with the Privacy Shield) or compliance with officially recognized contractual obligations (standard contractual clauses).
6. Data subject rights
6.1 You have the right to request a confirmation of whether data has been processed and information about this data as well as further information and a copy of the data corresponding to Art. 15 of the GDPR.
6.2 You have the right to request a complete record of data held about you or to correct incorrect data held about you according to Art. 16 of the GDPR.
6.3 According to the measure of Art. 17 of the GDPR, you have the right to request that the data held on you be deleted immediately, or alternatively, according to the measure of Art. 18 GDPR, the right to request a restriction of processing of your data.
6.4 You have the right to request the data you have given us about you and request this data be given to another controller.
6.5 You have the right to file a complaint with the relevant authority in accordance with Art. 77 of the GDPR.
7. Right of revocation
You have the right to withdraw your consent with future effect in accordance with Art. 7 Par. 3 of the GDPR.
8. Right of objection
You can withdraw permission to process your data in the future according to Art. 21 at any time. In particular, this withdrawal can be used against processing data for the purposes of direct marketing.
9. Cookies and right of rejection with direct advertising
10. Deleting data
10.2 In line with legal requirements, data will be stored for six years according to § 257 Abs. 1 HGB (account books, inventories, opening balance sheets, annual financial statements, commercial correspondence, accounts documentation, etc.) and for ten years according to § 147 Abs. 1 AO (books, records, management reports, commercial correspondence, documents relevant to taxation, etc.).
11. Rendering of contractual obligations
11.1 We process inventory data (e.g. names and addresses as well as user contact data), control data (e.g. obligatory tasks, names of contact people, payment information) for the purpose of fulfilling our contractual obligations and services according to Art. 6 Par. 1 lit b. of the GDPR. The mandatory fields in the online forms are required to close a contract.
11.2 In the framework of registering and logging in again as well as using our online services, we save the IP address and the time of each user action. This is for our own legitimate interests as well as to protect the user from misuse and other unauthorized usage. This data is not forwarded to third parties, unless it is necessary for pursuing our claims or if a legal obligation to do so arises according to Art. 6 Par. 1 lit c of the GDPR.
11.3 We will process usage data (e.g. which of our sites a user visits, interest in our products) and content data (e.g. entries in form data or user profile) into a user profile for advertising purposes in order to show the user, for example, product suggestions based on previously used services.
11.4 Data is deleted after the expiry of warranty and comparable obligations; the necessity of keeping the information will be checked every three years. In the case of legal archiving obligations, the data will be deleted after these expire: six years for commercial law and ten years for taxation law. Data in a customer profile remain until they are deleted.
12. Making contact
12.1 When contacting us via the contact form or via email, user data will be processed to deal with the contact query and its settlement according to Art. 6 Par. 1 lit b of the GDPR.
12.2 User data may be saved in our internal customer relationship management system (CRM system) or a comparable inquiry organization.
12.3 We delete these queries when they are no longer necessary. We check the necessity every two years; inquiries from customers with a customer account are saved long-term and refer to the deletion of customer account data. In the case of a legal storage obligation, the data will be deleted when the obligation expires, six years for commercial law and ten for taxation law.
13. Comments and contributions
13.1 If a user wants to leave comments or other contributions, the IP address will be saved for seven days on the basis of our legitimate interests as per Art. 6 Par. 1 lit. f of the GDPR.
13.2 This happens for our security, in case of wrongful conduct (insults, forbidden political propaganda, etc.). In these cases, we could be prosecuted for the comments or contributions and so we have an interest in the identity of the writer.
14. Retrieval of profile pictures from Gravatar
For our online content, and particularly for our blog, we use the service Gravatar by Automattic, Inc, 132 Hawthorne Street San Francisco, CA 94107, USA.
Gravatar is a service where a user logs in and can save their profile pictures and e-mail address. When a user leaves comments or contributions (above all with blogs), this service enables a profile picture to be displayed next to the comments or contributions. To do this, the user’s e-mail address will be encrypted and transmitted to Gravatar to check whether a profile picture is attached. This is the only purpose of the data transmission and data will not be used for any other purpose, but rather will be immediately deleted.
The use of Gravatar occurs on the basis of our legitimate interests as per Art. 6 Par. 1 lit f of the GDPR, because we offer users the option of personalizing their contributions with a profile picture by means of Gravatar. Automattic is certified by the Privacy Shield Agreement and therefore guarantees compliance with the European data protection regulations (https://www.privacyshield.gov/participant?id=a2zt0000000CbqcAAC&status=Active).
If the user does not want a user photo connected with their e-mail address at Gravatar to be displayed next to their comments, then they should use an e-mail address that is not connected with Gravatar to leave comments. It is also possible to use an anonymous e-mail address, or none at all, if the user does not want their e-mail address to be shared with Gravatar. Users can completely prevent the transfer of data by not using the comment system.
15. Collection of access data and log files
15.1 On the basis of our legitimate interests as per Art. 6 Par. 1 lit. f. of the GDPR, we gather data of all access to the server where this service is located (these are called server log files). This data includes the name of the website visited, file, date and time of the visit, the amount of data transferred, notification of successful data retrieval, browser type and version, operating system used, referrer URL (the site visited previously), IP address and the provider making the request.
15.2 Log file information is saved for a maximum of seven days for security reasons (e.g. to explain misuse or defraudation) and then deleted. Data that must be stored for longer for evidentiary purposes is excepted from deletion until the particular incident has been resolved.
16. Online presence in social media
16.1 We maintain an online presence on social networks and platforms to communicate with customers who are active there, as well as interested parties and users about our services. On each of these networks and platforms, the terms and conditions and data processing rules of each provider apply.
17. Cookies and reach measurements
17.1 Cookies are information that is transferred from one web server or a third party web server to the web browser of the user and saved there to be retrieved later. Cookies are small files or other methods of saving information.
17.3 If the user does not want cookies to be saved on their computer, then they can deactivate the corresponding option in the system settings of their browser. Saved cookies can be deleted in the system settings of the browsers. Not allowing cookies can lead to limited features of this online content.
18. Google Analytics
18.1 We use Google Analytics and Google Analytics 4 (GA4) to pursue our legitimate interests (that is, the interests in the analysis, optimization and economic operation of our online content as per Art. 6 Par. 1 lit f. of the GDPR). Google Analytics and GA4 are web analysis services operated by Google LLC (“Google”). As a general rule, the information generated by cookies about how you are using the website is sent to a Google server in the US and stored there.
18.2 Google is certified under the Privacy Shield Agreement and therefore guarantees that it will comply with the European data protection laws (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
18.3 Google will use this information on our account to evaluate the user’s usage of our online content, to compile reports about activities within our online content and to render more services linked to the use of this online content and internet use. This means that a pseudonymous user profile of the user may be created.
18.4 We implement Google Analytics to display ads within the web services of Google and its partners only to users who have shown interest in our online content or have particular characteristics (e.g. interest in particular themes or products that can be determined from the websites they have visited) which we share with Google (“remarketing” or “Google Analytics audiences”). With remarketing audiences, we want to make sure that our ads are in line with the potential interests of the user and do not irritate the user.
18.5 We only use Google Analytics with active IP anonymization. This means that the IP address of the user will be shortened by Google within the member states of the European Union or other signatories to the agreement through the European Economic Area. The IP address will only be transferred to the USA and shortened there in exceptional cases.
18.6 The IP address transferred by the browser will not be merged with other data from Google. The user can stop cookies from being saved in the browser settings. The user can also stop the collection of data that is generated from cookies and related to online behavior, stop it being transferred to Google, and stop Google from processing this information by downloading and installing the following browser plugin: https://tools.google.com/dlpage/gaoptout
18.7 Further information about Google’s data use, and options for settings and objections can be read on Google’s website: https://policies.google.com/technologies/partner-sites (How Google uses information from sites or apps that use our services), https://policies.google.com/technologies/ads, https://adssettings.google.com/ (Control the information Google uses to show you ads)
19. Google Re/Marketing services
19.1 On the basis of our legitimate interests (interests in analytics, optimization and economic operation of our online content as per Art. 6 Par. 1 lit f. of the GDPR), we use the marketing and remarketing services of Google LLC, 1600 Amphitheatre Parkway, Mountain View CA 94043 USA (Google marketing services)
19.2 Google is certified by the Privacy Shield agreement and therefore guarantees compliance with the European Data protection laws. (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
19.3 Google marketing services allows us to use targeted ads for our website, to display ads to users who might be interested in our products. If a user, for example, is shown ads for products that they have been interested in on other websites, this is known as re-marketing. For these purposes, on websites where Google Marketing services are active, a Google code will be executed immediately by Google and remarketing tags (invisible graphics or code, also known as web beacons) will be connected with this website. With these, an individual cookie will be saved on the user’s device (another similar technology might be used instead of cookies). Cookies can be set from different domains like google.com, doubleclick.net, invitemedia.com, admeld.com, googlesyndication.com or googleadservices.com. This file will contain information on the websites the user has searched for, the content the user was interested in and what they clicked, as well as technological information such as the browser and operating system, referring websites, time of visit as well as other data about website use. The user’s IP address is also shared with Google, but as stated in Google Analytics, the IP address is shortened within a member state of the European Union or a signatory state of the European data privacy laws belonging to the European Economic Area, and only in exceptional cases will the IP address be transferred to the US and shortened there. The aforementioned information can also be connected with information from other sources by Google. If a user then visits other websites, targeted ads may be shown there that correspond to their interests.
19.4 The user data in Google Marketing services is processed with a pseudonym. This means that Google doesn’t save users’ names and email addresses, but processes the relevant data with cookie files within a pseudonymous user profile. This means that from Google’s point of view, the ads are not managed and shown for a particular person, but rather for the cookie holder, whomever they may be. This does not apply if a user has explicitly allowed Google to process their information without the pseudonym. The data collected about users by Google Marketing Services are transferred to Google and saved on Google servers in the USA.
19.5 We also use the service “Google optimizer”. It allows us to track the effects of different changes to our websites with “A/B testing” (e.g. changing the design, entry fields, etc.). Cookies are saved on the user’s device for the purpose of these tests. Only pseudonymous user data will be processed.
19.6 We also use “Google Tag Manager” to connect and manage the Google Analytics and Marketing Services on our website.
19.8 If you would like to opt out of targeted advertising by Google Marketing Services, you can use the Google settings and opt-out options here: https://adssettings.google.com/authenticated.
20. Social plugins
20.1 On the basis of our legitimate interest (i.e. in analysis, optimization and economic operation of our online content as per Art. 6 Par. 1 lit f. of the GDPR), we use the social share plugin Monarch by the business Elegant Themes Inc., 1233 Howard Street, Apartment 3A, San Francisco, California 94114. The plugin enables users to share our blog articles to social media platforms like Facebook, Twitter, Google+, Pinterest or LinkedIn.
20.2 When a user uses a feature of the online content that contains a plugin, no data exchange with social media takes place yet. A connection to the social network is only executed when the user actively clicks on the share button for the selected network, which also enables a transfer of user data. We do not have any influence on the scope of this data and therefore inform the user according to our knowledge.
21.1 In the following we would like to inform you of the content of our newsletter as well as the registration process, sending process and statistical evaluation processes, as well as your right to withdraw from the newsletter. By subscribing to our newsletter, you agree to receive our newsletter and to the described processes.
21.2 Content of the newsletter: we only send newsletters, e-mails and other electronic notifications with promotional materials (henceforth newsletters) with the consent of the recipient or with legal permission. If a newsletter’s content changes specifically over the course of registration, this is relevant to the permission of the user.
21.3 Double opt-in and protocol: Registration for our newsletter is a double opt-in process. This means that you get an email after registering in which you are asked for a confirmation of your registration. This confirmation is necessary so no one can register a false e-mail address. The registrations for e-mail are logged to provide evidence of the legal requirements of the registration process. These include saving the login and confirmation times as well as the IP address. The changes will also be saved by the e-mail marketing service.
21.4 E-mail marketing service: The newsletter is sent via “MailChimp”, an e-mail marketing platform by the US provider Rocket Science Group LLC, 675 Ponce De Leon Ave NE #5000, Atlanta, GA 30308, USA. The provider’s data protection measures can be seen here: https://mailchimp.com/legal/privacy/. The Rocket Science Group LLC d/b/a MailChimp is certified by the Privacy Shield agreement and therefore guarantees compliance with the European data protection laws.
21.5 Additionally, the provider can collect some information in pseudonymous form, this means without allocating the data to a user, for the means of optimizing or improving their own servers, e.g. technological optimization of distribution and presentation of the newsletter or for statistical purposes to determine which countries the recipients come from. The provider does not use the data of our newsletter recipients to contact them nor to transfer the information to third parties.
21.6 Registration data: To register for the newsletter, it is sufficient to just enter an e-mail address. Optionally, we ask for your name as well so we can address you personally in the newsletter.
21.7 Performance measurement: The newsletters contain a web beacon, which is a pixel-sized file that is retrieved by the e-mail marketing service when the newsletter is opened. This retrieval allows technical information, like information about your browser and system as well as your IP address and the time of the retrieval, to be recorded. This information will be used for technical improvements to the services based on technical information or information about the target group, their reading behavior and where they read (based on the IP address) or the time of access. Statistical recording of data also includes whether the newsletter was opened, when it was opened and which links were clicked. This information can be allocated to individual newsletter recipients for technical reasons. However, it is neither our goal, nor that of the e-mail marketing service, to track individual users. The evaluation serves to recognize reading habits of our users and to adapt our content to them, or to provide different content according to their interests.
21.8 The newsletter is sent and performance is measured on the basis of the recipient’s consent according to Art. 6 Par. 1 lit a, Art. 7 of the GDPR in connection with § 7 Abs. 2 Nr. 3 UWG or on the basis of legal permission according to § 7 Par. 3 UWG.
21.9 The registration process record keeping occurs on the basis of our legitimate interest according to Art. 6 Par. 1 lit f of the GDPR and serves as evidence of consent to receive the newsletter.
21.10 Cancellation – You can cancel our newsletter at any time, which means withdrawing your consent. A link to cancel the newsletter can be found at the bottom of every newsletter. If the user has only registered for the newsletter and cancels this service, their personal data will be deleted.
22. Connection to services and contents of third parties
22.1 We use third party services to operate our online services on the basis of our legitimate interests (this means interest in analysis, optimization and economical operation of our online content as per Art. 6 Par. 1 lit f. of the GDPR) and these services allow, for example, videos or fonts to be displayed on our website – henceforth referred to as contents. This always requires that third party providers are able to access this content and the user’s IP address, because without the IP address they can’t send information to the browser. So the IP address is necessary to display the content. We make sure to only use content where the provider only needs the IP address to provide the content. Third parties may use pixel tags or web beacons for statistical or marketing purposes. These pixel tags can collect information which can be used to evaluate website traffic. Pseudonymous information can also be saved on the device in the form of cookies and, inter alia, technical information about the browser and operating system, referring websites, visiting times, as well as other information on the use of our website might also be connected with information from other sources.
22.2 The following information offers an overview of the third parties as well as their contents, links to their privacy policies which reference data processing and opt-out options.
22.2.4 Sharing with “Instagram”
There are features of our online service that are connected with the service Instagram. These features are provided through Facebook Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland (“Instagram”). If you are logged into your Instagram account, then you can link contents from our site with your Instagram profile. Then Instagram can allocate a visit to our page to your account.
22.2.5 Sharing with “Facebook”
There are features of our online service that are connected with the service Facebook. These features are provided through Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA (“Facebook”). If you are logged into your Facebook account, then you can link contents from our site with your Facebook profile. Then Facebook can allocate a visit to our page to your account.
22.2.6 Sharing with “LinkedIn”
There are features of our online service that are connected with the service LinkedIn. These features are provided through LinkedIn Corporation, 2029 Stierlin Court, Mountain View, CA 94043, USA. If you are logged into your LinkedIn account, then you can link content from our site to your LinkedIn profile by clicking the LinkedIn button. Then LinkedIn can allocate a visit to our page to your account.
22.2.7 Sharing with “Pinterest”
22.2.8 Sharing with “Twitter”
This website uses a service from AddThisEvent, https://www.addthisevent.com/, to add appointments to selected calendars (Apple, iCalendar, Google (online), Outlook, Outlook.com (online) as well as Yahoo (online)). It is possible to see when this service is being used by the text “powered by AddThisEvent Free” under appointments downloaded from this website.
No personal data is collected, processed or used when using AddThisEvent. Without explicit consent from you, AddThisEvent will neither identify nor publish your information, unless they are legally required to do so or if they have good reason to believe that rights, security or property of AddThisEvent or its users are in danger.
22.2.13 Content delivery network “Cloudflare”
This website uses a CDN service (content delivery service) from Cloudflare Inc. A CDN serves to increase performance of the website and provides content for a specific purpose to your browser from a nearby server. Cloudflare Inc. has many servers in Europe to be able to send content to you as quickly as possible. However, it is not technically impossible that your browser will access a server located outside of the EU and send your data to this country (for instance if you access a website that is not located in the EU or for some other reason). In such cases, you agree to send your data to the USA or the country where the server is located. Information on the security policy of Cloudflare, Inc. can be found here: https://www.cloudflare.com/privacypolicy/