

Privacy Policy
Preamble
With the following privacy policy, we would like to inform you about the types of your personal data (hereinafter also referred to as "data") we process, for what purposes, and to what extent. The privacy policy applies to all personal data processing operations carried out by us, both in the context of providing our services and particularly on our websites, in mobile applications, and within external online presences, such as our social media profiles (hereinafter collectively referred to as "online offer"). The terms used are not gender-specific.
Status: July 16, 2024
Table of Contents
- Preamble
- Responsible Party
- Overview of Processing
- Relevant Legal Bases
- Security Measures
- Transfer of Personal Data
- International Data Transfers
- General Information on Data Storage and Deletion
- Rights of Data Subjects
- Provision of the Online Offer and Web Hosting
- Use of Cookies
- Contact and Inquiry Management
- Communication via Messenger
- Video Conferences, Online Meetings, Webinars, and Screen Sharing
- Cloud Services
- Web Analysis, Monitoring, and Optimization
- Online Marketing
- Presence in Social Networks (Social Media)
- Plugins and Embedded Functions and Content
- Data Processing in Employment Relationships
- Changes and Updates
- Definitions of Terms
Responsible Party
Sonja Schütz / Speech Therapy Practice for Stuttering Therapy Schütz GbR
Büchtingstraße 35
6470 Bad Marienberg
Represented by: Sabine Schütz
Email Address: info@therapie-fuer-stotternde.de
Overview of Processing
The following overview summarizes the types of data processed and the purposes of their processing and refers to the data subjects.
Types of Data Processed
- Inventory data.
- Employee data.
- Payment data.
- Location data.
- Contact data.
- Content data.
- Contract data.
- Usage data.
- Meta, communication, and procedural data.
- Social data.
- Image and/or video recordings.
- Audio recordings.
- Event data (Facebook).
- Log data.
- Performance and behavioral data.
- Working time data.
- Salary data.
Categories of Data Subjects
- Employees.
- Interested parties.
- Communication partners.
- Users.
- Business and contractual partners.
- Depicted persons.
Purposes of Processing
- Provision of contractual services and fulfillment of contractual obligations.
- Communication.
- Security measures.
- Direct marketing.
- Reach measurement.
- Tracking.
- Office and organizational procedures.
- Conversion measurement.
- Target group formation.
- Organizational and administrative procedures.
- Content Delivery Network (CDN).
- Feedback.
- Marketing.
- Profiles with user-related information.
- Provision of our online offer and user-friendliness.
- Establishment and execution of employment relationships.
- IT infrastructure.
- Public relations.
- Business processes and economic procedures.
Relevant Legal Bases
Relevant legal bases according to GDPR: The following provides an overview of the legal bases of the GDPR on which we process personal data. Please note that in addition to the regulations of the GDPR, national data protection regulations may apply in your or our country of residence. If more specific legal bases apply in individual cases, we will inform you of them in the privacy policy.
- Consent (Art. 6(1)(1)(a) GDPR) - The data subject has given their consent to the processing of their personal data for one or more specific purposes.
- Contract fulfillment and pre-contractual inquiries (Art. 6(1)(1)(b) GDPR) - Processing is necessary for the performance of a contract to which the data subject is a party or for taking steps at the request of the data subject prior to entering into a contract.
- Legal obligation (Art. 6(1)(1)(c) GDPR) - Processing is necessary for compliance with a legal obligation to which the controller is subject.
- Legitimate interests (Art. 6(1)(1)(f) GDPR) - Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
- Processing special categories of personal data in relation to healthcare, occupation, and social security (Art. 9(2)(h) GDPR) - Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, for medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services based on Union or Member State law or a contract with a health professional.
National Data Protection Regulations in Germany
In addition to the GDPR data protection regulations, national data protection regulations apply in Germany. This includes, in particular, the Federal Data Protection Act (Bundesdatenschutzgesetz - BDSG). The BDSG contains specific regulations on the right of access, the right to deletion, the right to object, the processing of special categories of personal data, processing for other purposes, and the transmission and automated decision-making in individual cases, including profiling. Additionally, the data protection laws of individual federal states may apply.
Note on the Applicability of GDPR and Swiss DSG
These data protection notices serve both to provide information under the Swiss Data Protection Act (DSG) and the General Data Protection Regulation (GDPR). Therefore, please note that the terms of the GDPR are used due to broader territorial applicability and comprehensibility. In particular, instead of the terms "processing" of "personal data," "overriding interest," and "special categories of personal data" used in the Swiss DSG, the terms "processing" of "personal data," "legitimate interest," and "special categories of data" used in the GDPR are applied. However, the legal meaning of the terms will continue to be determined under the Swiss DSG within the scope of its application.
Security Measures
We take appropriate technical and organizational measures to ensure a level of security appropriate to the risk, considering the state of the art, implementation costs, the nature, scope, context, and purposes of processing, as well as the varying likelihood and severity of risks to the rights and freedoms of natural persons.
These measures include, in particular, securing the confidentiality, integrity, and availability of data by controlling physical and electronic access to the data as well as the access, input, transmission, securing of availability, and separation of the data. We have also established procedures that ensure the exercise of data subjects' rights, the deletion of data, and responses to data vulnerabilities. Furthermore, we take the protection of personal data into account already during the development or selection of hardware, software, and procedures according to the principle of data protection by design and by default.
Securing Online Connections using TLS/SSL Encryption Technology (HTTPS)
To protect the data of users transmitted through our online services from unauthorized access, we use TLS/SSL encryption technology. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are cornerstones of secure data transmission on the internet. These technologies encrypt the information transmitted between the website or app and the user's browser (or between two servers), thereby protecting the data from unauthorized access. TLS, being the more advanced and secure version of SSL, ensures that all data transmissions meet the highest security standards. When a website is secured by an SSL/TLS certificate, it is indicated by the display of HTTPS in the URL. This serves as an indicator to users that their data is transmitted securely and encrypted.
Transfer of Personal Data
In the course of our processing of personal data, it may happen that this data is transferred to other locations, companies, legally independent organizational units, or persons, or disclosed to them. Recipients of this data may include service providers tasked with IT-related duties or providers of services and content integrated into a website. In such cases, we comply with legal requirements and conclude appropriate contracts or agreements with the recipients of your data to protect it.
International Data Transfers
Data Processing in Third Countries
If we process data in a third country (i.e., outside the European Union (EU), the European Economic Area (EEA)), or if processing takes place in the context of using services of third parties or disclosing or transferring data to other persons, offices, or companies, this is done only in accordance with legal requirements. Provided that the level of data protection in the third country has been recognized by an adequacy decision (Art. 45 GDPR), this serves as the basis for data transfers. Otherwise, data transfers occur only if the data protection level is otherwise ensured, particularly through standard contractual clauses (Art. 46(2)(c) GDPR), explicit consent, or in case of contractual or legally required transmission (Art. 49(1) GDPR). Furthermore, we will inform you of the basis of third-country transfers for individual providers from the third country, with adequacy decisions being the primary basis. Information on third-country transfers and existing adequacy decisions can be found on the EU Commission's information offering: EU Commission International Data Protection.
EU-US Trans-Atlantic Data Privacy Framework
As part of the so-called "Data Privacy Framework" (DPF), the EU Commission has also recognized the level of data protection for certain companies from the USA as secure under the adequacy decision of July 10, 2023. The list of certified companies and further information on the DPF can be found on the website of the US Department of Commerce at Data Privacy Framework (in English). We inform you within the scope of the data protection notices which service providers we use are certified under the Data Privacy Framework.
General Information on Data Storage and Deletion
We delete personal data that we process in accordance with legal requirements as soon as the underlying consent is withdrawn or there are no further legal grounds for the processing. This applies to cases where the original purpose of the processing ceases to exist or the data is no longer needed. Exceptions to this rule exist when legal obligations or special interests require longer retention or archiving of the data.
In particular, data that must be retained for commercial or tax reasons or whose storage is necessary for legal prosecution or the protection of the rights of other natural or legal persons must be archived accordingly.
Our data protection notices contain additional information on the retention and deletion of data that apply specifically to certain processing operations.
If several retention periods or deletion deadlines are specified for a data item, the longest period always applies. If a deadline does not explicitly begin on a specific date and lasts at least one year, it automatically starts at the end of the calendar year in which the event triggering the deadline occurred. In the case of ongoing contractual relationships in which data is stored, the event triggering the deadline is the date on which the termination or other end of the legal relationship takes effect.
Data that is no longer needed for the originally intended purpose but is retained due to legal requirements or other reasons will only be processed for the reasons justifying their retention.
Additional Notes on Processing, Procedures, and Services:
- Retention and Deletion of Data: The following general periods apply to retention and archiving under German law:
- 10 years - Retention period for books and records, financial statements, inventories, management reports, opening balance sheets, and the necessary instructions and other organizational documents for their understanding, accounting vouchers, and invoices (§ 147 Abs. 3 i. V. m. Abs. 1 Nr. 1, 4 und 4a AO, § 14b Abs. 1 UStG, § 257 Abs. 1 Nr. 1 u. 4, Abs. 4 HGB).
- 6 years - Other business documents: received commercial or business letters, copies of sent commercial or business letters, other documents relevant for taxation, such as hourly wage slips, business accounting sheets, calculation documents, price markings, and also payroll documents, as long as they are not already accounting vouchers and cash register receipts (§ 147 Abs. 3 i. V. m. Abs. 1 Nr. 2, 3, 5 AO, § 257 Abs. 1 Nr. 2 u. 3, Abs. 4 HGB).
- 3 years - Data required to consider potential warranty and compensation claims or similar contractual claims and rights, as well as associated inquiries, based on previous business experience and common industry practices, are stored for the duration of the regular statutory limitation period of three years (§§ 195, 199 BGB).
Rights of Data Subjects
Rights of Data Subjects under GDPR:
As a data subject under GDPR, you have various rights, particularly those derived from Articles 15 to 21 GDPR:
- Right to Object: You have the right to object at any time, for reasons arising from your particular situation, to the processing of personal data concerning you, which is based on Article 6(1)(e) or (f) GDPR; this also applies to profiling based on these provisions. If personal data concerning you is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing purposes; this also applies to profiling insofar as it is related to such direct marketing.
- Right to Withdraw Consent: You have the right to withdraw consent at any time.
- Right of Access: You have the right to request confirmation as to whether data concerning you is being processed and to obtain information about this data as well as further information and a copy of the data in accordance with legal requirements.
- Right to Rectification: You have the right to request the completion of data concerning you or the correction of inaccurate data concerning you in accordance with legal requirements.
- Right to Erasure and Restriction of Processing: You have the right to request the immediate deletion of data concerning you, or alternatively, in accordance with legal requirements, to request a restriction of the processing of the data.
- Right to Data Portability: You have the right to receive the data concerning you that you have provided to us in a structured, commonly used, and machine-readable format or to request its transfer to another controller in accordance with legal requirements.
- Right to Lodge a Complaint with a Supervisory Authority: In accordance with legal requirements and without prejudice to any other administrative or judicial remedy, you also have the right to lodge a complaint with a supervisory authority, particularly in the Member State where you usually reside, work, or where the alleged infringement occurred, if you consider that the processing of personal data concerning you infringes the GDPR.
Provision of the Online Offer and Web Hosting
We process users' data to provide our online services. To this end, we process the user's IP address, which is necessary to deliver the content and functions of our online services to the user's browser or device.
Processed Data Types:
- Usage data (e.g., page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions);
- Meta, communication, and procedural data (e.g., IP addresses, time stamps, identification numbers, involved persons);
- Log data (e.g., log files concerning logins or data retrieval or access times);
- Content data (e.g., text or image messages and contributions as well as the information concerning them, such as authorship or creation time).
Data Subjects:
- Users (e.g., website visitors, users of online services);
- Business and contractual partners.
Purposes of Processing:
- Provision of our online offer and user-friendliness;
- IT infrastructure (operation and provision of information systems and technical devices (computers, servers, etc.));
- Security measures;
- Content Delivery Network (CDN);
- Office and organizational procedures.
Retention and Deletion:
Deletion as specified in the "General Information on Data Storage and Deletion" section.
Legal Bases:
Legitimate interests (Art. 6(1)(f) GDPR).
Additional Notes on Processing, Procedures, and Services:
- Provision of Online Offer on Rented Storage Space: For providing our online offer, we use storage space, computing capacity, and software that we rent from a corresponding server provider (also known as "web hoster"); Legal bases: Legitimate interests (Art. 6(1)(f) GDPR).
- Collection of Access Data and Log Files: Access to our online offer is logged in the form of so-called "server log files." Server log files may include the address and name of the retrieved web pages and files, the date and time of retrieval, the amount of data transferred, a message about successful retrieval, the browser type and version, the operating system of the user, the referrer URL (the previously visited page), and generally IP addresses and the requesting provider. Server log files can be used for security purposes, e.g., to prevent server overload (especially in the case of misuse attacks, so-called DDoS attacks), and to ensure server utilization and stability; Legal bases: Legitimate interests (Art. 6(1)(f) GDPR). Deletion of data: Log file information is stored for a maximum of 30 days and then deleted or anonymized. Data required for evidence purposes is excluded from deletion until the respective incident is finally clarified.
- Email Sending and Hosting: The web hosting services we use also include the sending, receiving, and storage of emails. For these purposes, the addresses of recipients and senders as well as other information concerning email transmission (e.g., the involved providers) and the contents of the respective emails are processed. The aforementioned data may also be processed for SPAM detection purposes. Please note that emails are generally not sent in encrypted form over the Internet. As a rule, emails are encrypted during transmission, but not on the servers from which they are sent and received, unless end-to-end encryption is used. We therefore cannot take responsibility for the transmission path of emails between the sender and receipt on our server; Legal bases: Legitimate interests (Art. 6(1)(f) GDPR).
- Webflow: Creation, management, and hosting of websites, online forms, and other web elements; Service provider: Webflow, Inc., 398 11th St., Floor 2, 94103 San Francisco, USA; Legal bases: Legitimate interests (Art. 6(1)(f) GDPR); Website: Webflow; Privacy policy: Webflow Privacy Policy; Data processing agreement: Webflow DPA. Basis for third-country transfers: Data Privacy Framework (DPF).
- Cloudflare: Content Delivery Network (CDN) - Service that helps deliver content of an online offer, especially large media files, such as graphics or program scripts, faster and more securely using regionally distributed and connected servers over the Internet; Service provider: Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA; Legal bases: Legitimate interests (Art. 6(1)(f) GDPR); Website: Cloudflare; Privacy policy: Cloudflare Privacy Policy; Data processing agreement: Cloudflare Customer DPA. Basis for third-country transfers: Data Privacy Framework (DPF).
Use of Cookies
Cookies are small text files or other records that store information on devices and read it from them. For example, they can store login status, shopping cart contents, accessed content, or used functions of an online service. Cookies serve various purposes, such as the functionality, security, and convenience of online services and the analysis of visitor flows.
Consent Information:
We use cookies according to legal regulations and obtain prior consent from users unless not required by law. Consent is particularly unnecessary if storing and reading information (including cookies) is essential to provide a telemedia service explicitly requested by users. The revocable consent is clearly communicated to users and includes information about the specific cookie usage.
Legal Basis:
The legal basis for processing users' personal data using cookies depends on whether we request consent. If accepted, the legal basis is the declared consent. Otherwise, data processed via cookies is based on our legitimate interests (e.g., economic operation of our online services and improvement of usability) or fulfilling our contractual obligations if the use of cookies is necessary for meeting those obligations. We clarify the purposes of cookie usage in this privacy policy or during consent and processing procedures.
Storage Duration:
The following types of cookies are differentiated by storage duration:
- Temporary Cookies (Session cookies): Deleted after a user leaves an online service and closes their device (e.g., browser or mobile application).
- Permanent Cookies: Remain stored even after closing the device. For instance, they can store login status and display preferred content when a user revisits a website. User data collected via cookies may also be used for reach measurement. Unless specified otherwise (e.g., during consent collection), assume these are permanent and can be stored for up to two years.
General Information on Withdrawal and Objection (Opt-out):
Users can withdraw their given consents at any time and object to data processing as per legal requirements using their browser's privacy settings.
- Processed Data Types: Meta, communication, and procedural data (e.g., IP addresses, time stamps, identification numbers, involved persons).
- Affected Persons: Users (e.g., website visitors, online service users).
- Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR), Consent (Art. 6(1)(a) GDPR).
Further Information on Processing, Procedures, and Services:
- Processing of Cookie Data Based on Consent: We use a consent management solution to obtain user consent for cookie usage and related processing procedures and providers. This process collects, logs, manages, and withdraws consents, particularly concerning cookies and similar technologies used to store, read, and process information on user devices. Users can manage and withdraw their consents through this solution. Consents are stored to avoid repeated requests and to provide proof of consent per legal requirements. Storage occurs server-side and/or in a cookie (Opt-In Cookie) or similar technology to assign consent to a specific user or their device. In the absence of specific provider details, the following general notes apply: Consent storage duration is up to two years, creating a pseudonymous user identifier stored along with the consent time, consent scope (e.g., cookie categories or service providers), and information about the browser, system, and device used; Legal Basis: Consent (Art. 6(1)(a) GDPR).
Contact and Inquiry Management
When contacting us (e.g., by post, contact form, email, phone, or social media) and within existing user and business relationships, the details of the inquiring persons are processed as far as necessary to respond to the contact inquiries and any requested measures.
- Processed Data Types: Inventory data (e.g., full name, residential address, contact information, customer number, etc.); Contact data (e.g., postal and email addresses or phone numbers); Content data (e.g., textual or visual messages and contributions as well as related information, such as authorship or creation time); Usage data (e.g., page views and duration, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved persons).
- Affected Persons: Communication partners.
- Purposes of Processing: Communication; organizational and administrative procedures; feedback (e.g., collecting feedback via online form); provision of our online offer and user-friendliness.
- Retention and Deletion: Deletion according to the "General Information on Data Storage and Deletion" section.
- Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR), Contract fulfillment and pre-contractual inquiries (Art. 6(1)(b) GDPR).
Further Information on Processing, Procedures, and Services:
- Contact Form: When contacting us via our contact form, email, or other communication channels, we process the personal data transmitted to us to respond to and handle the respective request. This typically includes information such as name, contact details, and any additional information provided to appropriately address the request. We use this data exclusively for the specified purpose of contact and communication; Legal Basis: Contract fulfillment and pre-contractual inquiries (Art. 6(1)(b) GDPR), Legitimate interests (Art. 6(1)(f) GDPR).
Communication via Messenger
We use messengers for communication purposes and ask you to note the following information about the functionality of messengers, encryption, the use of communication metadata, and your options to object.
You can also contact us through alternative means, such as phone or email. Please use the provided contact options or those indicated within our online offer.
End-to-End Encryption:
In the case of end-to-end encryption of content (i.e., the content of your message and attachments), we note that the communication contents (i.e., the message content and attached images) are encrypted from end to end. This means that the message contents are not viewable, not even by the messenger providers themselves. You should always use the latest version of the messengers with encryption enabled to ensure the security of message content.
Legal Basis Information:
If we ask communication partners for permission before communicating with them via messenger, the legal basis for our data processing is their consent. Otherwise, if no consent is requested and they contact us on their initiative, we use messengers in relation to our contractual partners and within the scope of contract initiation as a contractual measure and in the case of other interested parties and communication partners based on our legitimate interests in fast and efficient communication and meeting the communication needs of our communication partners. We also inform you that we do not initially transfer the contact data provided to us to the messengers without your consent.
Withdrawal, Objection, and Deletion:
You can revoke a given consent at any time and object to communication with us via messenger at any time. In the case of communication via messenger, we delete the messages according to our general deletion guidelines (e.g., as described above, after the end of contractual relationships, within the context of archiving requirements, etc.) and otherwise as soon as we can assume that we have answered any inquiries from the communication partners, provided no reference to a previous conversation is expected and there are no legal retention obligations against the deletion.
Reservation of Reference to Other Communication Channels:
To ensure your security, we may not be able to answer inquiries via messenger in certain cases. This applies to situations where contract details must be treated particularly confidentially or a response via messenger does not meet formal requirements. In such cases, we recommend using more appropriate communication channels.
- Processed Data Types: Contact data (e.g., postal and email addresses or phone numbers); Content data (e.g., textual or visual messages and contributions as well as related information, such as authorship or creation time); Usage data (e.g., page views and duration, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved persons).
- Affected Persons: Communication partners.
- Purposes of Processing: Communication, Direct marketing (e.g., by email or post).
- Retention and Deletion: Deletion according to the "General Information on Data Storage and Deletion" section.
- Legal Basis: Consent (Art. 6(1)(a) GDPR), Contract fulfillment and pre-contractual inquiries (Art. 6(1)(b) GDPR), Legitimate interests (Art. 6(1)(f) GDPR).
Further Information on Processing, Procedures, and Services:
- WhatsApp: Text messages, voice and video calls, sending images, videos, and documents, group chat functionality, end-to-end encryption for enhanced security; Service provider: WhatsApp Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: WhatsApp; Privacy policy: WhatsApp Legal. Basis for third-country transfers: Data Privacy Framework (DPF).
Video Conferences, Online Meetings, Webinars, and Screen Sharing
We use platforms and applications from other providers ("conference platforms") for video and audio conferences, webinars, and other meetings ("conference"). We select conference platforms and their services in accordance with legal requirements.
Data Processed by Conference Platforms:
During a conference, the platforms process personal data of participants, including:
- Personal data (e.g., first and last name)
- Contact information (e.g., email address, phone number)
- Access data (e.g., access codes or passwords)
- Profile pictures
- Professional details
- IP address
- Device and browser information
- Communication content (e.g., chat inputs, audio and video data)
- Usage of other available features (e.g., surveys)
Data is encrypted to the extent technically provided by the conference platforms. If participants are registered users, additional data may be processed according to their agreement with the provider.
Logging and Recordings:
If text inputs, participation results (e.g., from surveys), and video or audio recordings are logged, participants will be informed in advance and asked for consent if necessary.
Data Protection Measures for Participants:
Refer to the conference platforms' privacy notices for detailed processing information and choose optimal security and privacy settings. Ensure data and privacy protection in your background during a video conference (e.g., by informing housemates, locking doors, and using background blurring features if possible). Do not share conference links and access data with unauthorized third parties.
Legal Basis Information:
If we process user data alongside conference platforms and request users' consent to use specific functions (e.g., consent to recording), the legal basis for processing is consent. Additionally, our processing may be necessary for fulfilling contractual obligations (e.g., participant lists, summarizing meeting results). Otherwise, user data is processed based on our legitimate interest in efficient and secure communication.
Processed Data Types:
- Inventory data (e.g., full name, address, contact information, customer number)
- Contact data (e.g., postal and email addresses, phone numbers)
- Content data (e.g., text or image messages, contributions, authorship details, creation time)
- Usage data (e.g., page views, duration, click paths, intensity, frequency, device types, operating systems, interactions)
- Image and video recordings (e.g., photographs, videos)
- Audio recordings
- Log data (e.g., logins, data retrieval, access times)
Affected Persons:
- Communication partners
- Users (e.g., website visitors, online service users)
- Depicted persons
Purposes of Processing:
- Providing contractual services and fulfilling contractual obligations
- Communication
- Office and organizational procedures
Retention and Deletion:
Deletion in accordance with "General Information on Data Storage and Deletion".
Legal Basis:
Legitimate interests (Art. 6(1)(f) GDPR).
Additional Information on Processing, Procedures, and Services:
- Zoom: Conference and communication software; Provider: Zoom Video Communications, Inc., San Jose, CA, USA; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website; Privacy Policy; DPA (Global DPA). Third-country transfers: Data Privacy Framework (DPF).
Cloud Services
We use internet-accessible software services executed on provider servers ("Cloud Services" or "Software as a Service") for storing and managing content (e.g., document storage and management, document exchange, content sharing with specific recipients, or publishing content).
Personal data may be processed and stored on provider servers as part of communication processes or as described in this privacy policy. This includes user master data, contact data, transaction data, contracts, and other processes. Cloud service providers may also process usage data and metadata for security and service optimization purposes.
If we provide forms or documents for other users or publicly accessible websites using Cloud Services, providers may store cookies on users' devices for web analytics or remembering user settings (e.g., media controls).
Processed Data Types:
- Inventory data (e.g., full name, address, contact information, customer number)
- Contact data (e.g., postal and email addresses, phone numbers)
- Content data (e.g., text or image messages, contributions, authorship details, creation time)
- Usage data (e.g., page views, duration, click paths, intensity, frequency, device types, operating systems, interactions)
Affected Persons:
- Interested parties
- Communication partners
- Business and contractual partners
Purposes of Processing:
- Office and organizational procedures
- Information technology infrastructure (operation and provision of information systems and technical devices)
Retention and Deletion:
Deletion in accordance with "General Information on Data Storage and Deletion".
Legal Basis:
Legitimate interests (Art. 6(1)(f) GDPR).
Additional Information on Processing, Procedures, and Services:
- Dropbox: Cloud storage service; Provider: Dropbox, Inc., San Francisco, CA, USA; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website; Privacy Policy; DPA. Third-country transfers: Data Privacy Framework (DPF).
- Microsoft Cloud Services: Cloud storage, cloud infrastructure services, and cloud-based application software; Provider: Microsoft Ireland Operations Limited, Dublin, Ireland; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website; Privacy Policy; Security Information; DPA. Third-country transfers: Data Privacy Framework (DPF).
- Apple iCloud: Cloud storage service; Provider: Apple Inc., Cupertino, CA, USA; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website; Privacy Policy.
- Google Cloud Storage: Cloud storage, cloud infrastructure services, and cloud-based application software; Provider: Google Cloud EMEA Limited, Dublin, Ireland; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website; Privacy Policy; DPA; Third-country transfers: Data Privacy Framework (DPF). More Information.
- Google Cloud Services: Cloud infrastructure services and cloud-based application software; Provider: Google Cloud EMEA Limited, Dublin, Ireland; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website; Privacy Policy; DPA; Third-country transfers: Data Privacy Framework (DPF). More Information.
Web Analysis, Monitoring, and Optimization
Web analysis (also known as "reach measurement") evaluates visitor flows of our online offer and may include pseudonymous data on behavior, interests, or demographics (e.g., age or gender). Reach measurement helps us understand usage patterns to improve our online offer and determine optimization needs.
In addition to web analysis, we may use testing procedures (e.g., A/B testing) to optimize different versions of our online offer.
Processed Data Types:
- Usage data (e.g., page views, duration, click paths, intensity, frequency, device types, operating systems, interactions)
- Meta, communication, and procedural data (e.g., IP addresses, time stamps, identification numbers, involved persons)
Affected Persons:
- Users (e.g., website visitors, online service users)
Purposes of Processing:
- Reach measurement (e.g., access statistics, recognizing returning visitors)
- Creating user profiles
Retention and Deletion:
Deletion in accordance with "General Information on Data Storage and Deletion". Cookies and similar storage methods may be stored for up to two years on users' devices.
Security Measures:
- IP masking (pseudonymization of IP address)
Legal Basis:
- Consent (Art. 6(1)(a) GDPR)
- Legitimate interests (Art. 6(1)(f) GDPR).
Online Marketing
We process personal data for online marketing, which includes advertising space marketing or displaying advertising and other content based on user interests and measuring their effectiveness. This involves creating user profiles stored in cookies or similar methods, capturing data such as viewed content, visited websites, used online networks, communication partners, and technical information (e.g., browser used, operating system).
Key Points:
- IP addresses are masked for privacy.
- Data processing relies on pseudonyms, not clear data.
- Cookies store profile details, which can be read across websites that use the same marketing method and linked to data on the provider's server.
- Occasionally, clear data may link to profiles, especially if users are members of social networks we use.
- We primarily access aggregated information on ad success and use conversion measurements for marketing effectiveness analysis.
Legal Basis Information
User data processing relies on consent or our legitimate interests in efficient and user-friendly services. Information on cookie usage and other data processing methods is included in our privacy policy.
Data Processing and Services:
- Processed Data: Usage data (page views, duration, click paths, device types, operating systems, interactions); Meta-, communication, and procedural data (IP addresses, timestamps, IDs, participants).
- Affected Persons: Users (website visitors, online service users).
- Processing Purposes: Reach measurement, tracking, audience creation, marketing, user profiling, conversion measurement, online offer provision, user-friendliness.
- Retention and Deletion: Cookies and similar methods may be stored for up to 2 years.
- Security Measures: IP masking.
Providers and Services:
- Instagram Ads: Ads on Instagram, result evaluation; Provider: Meta Platforms Ireland Limited, Dublin, Ireland; Legal Basis: Consent (Art. 6(1)(a) GDPR); Website; Privacy Policy.
- Facebook Pages: Facebook profiles; Joint responsibility with Meta Platforms Ireland Limited for data collection; Processing for analytics ("Page-Insights"); Legal Basis: Legitimate Interests (Art. 6(1)(f) GDPR); Website; Privacy Policy.
Social Media Presence
We maintain online presences on social networks to communicate with users and offer information. User data may be processed outside the EU, posing risks like harder enforcement of user rights. Data is usually processed for market research and advertising, creating user profiles based on behavior and interests for targeted ads.
For more details, refer to the respective network's privacy policies and information.
Plugins and Embedded Content
We integrate content from third-party providers (e.g., graphics, videos, maps), requiring IP addresses for delivery. Third-party providers may use pixel tags for statistical or marketing purposes, with information stored in cookies.
Legal Basis for Plugins
User data processing is based on consent or our legitimate interests in efficient and user-friendly services. Information on cookie usage is included in our privacy policy.
Services:
- Google Fonts: Fonts hosted on our server.
- Google Maps: Maps from Google; Legal Basis: Consent (Art. 6(1)(a) GDPR); Website; Privacy Policy.
Data Processing in Employment Relationships
Purpose
Processing personal data within employment relationships aims to effectively manage the establishment, execution, and termination of such relationships. This includes managing working hours, access rights, payroll, performance reviews, and employee communications.
Legal Basis
- Contract Fulfillment (Art. 6(1)(b) GDPR)
- Legal Obligations (Art. 6(1)(c) GDPR)
- Legitimate Interests (Art. 6(1)(f) GDPR)
- Special Categories (Art. 9(2)(h) GDPR)
- Consent (Art. 6(1)(a) GDPR)
Processed Data Types
- Employment Data: Employee details, payment data, contract data, personal data, contact data, content data, social data, protocol data, performance and behavior data, working hours data, salary data, and image/video recordings.
Data Subjects
- Employees, including applicants, temporary staff, and other workers.
Processing Purposes
- Establishing and executing employment contracts.
- Business processes and economic procedures.
- Legal and regulatory compliance.
- Internal and external communication.
Data Retention and Deletion
- Data is processed and retained according to legal requirements, ensuring the creation and maintenance of a fair and efficient work environment. Data is anonymized or deleted once the processing purpose is fulfilled or as per statutory retention periods.
Employee Data Disclosure
Employee data may be disclosed to internal departments or external recipients like banks, insurance companies, authorities, courts, tax and legal advisors, and third-party debtors if required by law or with employee consent.
Further Processing Purposes
- Fulfillment of legal obligations in tax and social security law.
- Compliance with regulatory requirements.
- Optimization of electronic data processing and compilation of internal/external data.
- Assertion and defense of legal claims.
Data Security Measures
Ensuring compliance with data protection regulations and maintaining a secure and fair work environment, including anonymization and timely deletion of data.
Definitions
- Employees: Individuals in an employment relationship.
- Personal Data: Any information relating to an identified or identifiable natural person.
- Profiles: Automated processing of personal data to evaluate personal aspects.
- Protocol Data: Logs of system events and activities.
- Usage Data: Information on user interactions with digital products or services.
