Data Privacy Statement
This Data Privacy Statement informs you about how, to what extent and for what purposes your personal data (hereinafter “data” for short) is processed on our website and associated pages, functions and content as well as on our external online presence, such as social media profiles (hereinafter collectively referred to as the “Website”). Please refer to Article 4 of the General Data Protection Regulation (GDPR) for definitions of the terms used, such as “processing” and “controller”.
Legal notice and data privacy
Lunor Allee 1
75378 Bad Liebenzell
Tel.: +49 (0)7052 40896-0
Fax: +49 (0)7052 40896-10
Executive Board members: Michael Fux
Chairman: Ulrich Fux
Types of processed data:
– User-related data (e.g. names, addresses).
– Contact details (e.g. email, telephone numbers).
– Content data (e.g. text, photographs, videos).
– Usage data (e.g. websites visited, interest in content, access times).
– Metadata/communication data (e.g. device information, IP addresses).
Purpose of processing
– Provision of the Website, its functions and content.
– Responding to queries and communicating with users.
– Security measures.
– Measuring the reach of the Website/marketing.
“Personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. cookie) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means. The term is wide-reaching and includes virtually all handling of data.
“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Relevant legal bases
Pursuant to Article 13 GDPR, we hereby inform you of the legal principles upon which our data processing is based. The following applies where the legal principle is not specified in the Data Privacy Statement: The legal principle for obtaining consent is Article 6(1)(a) and Article 7 GDPR, the legal principle for processing in order to render our services, implement pre-contractual measures and respond to queries is Article 6(1)(b) GDPR, the legal principle for processing in order to comply with our legal obligations is Article 6(1)(c) GDPR, and the legal principle for processing in order to safeguard our legitimate interests is Article 6(1)(f) GDPR. If the data subject’s or another natural person’s vital interests necessitate the processing of personal data, the applicable legal principle is Article 6(1)(d) GDPR.
In accordance with Article 32 GDPR, we implement suitable technical and organizational measures – taking into account the state of the art, the cost of implementation, the nature, scope, circumstances and purposes of the processing, the various probabilities of occurrence and the seriousness of the risk to the rights and freedoms of natural persons – in order to ensure a level of protection appropriate to the risk. These measures include, in particular, ensuring the confidentiality, integrity and availability of data by controlling physical access to the data, as well as other access thereto, entry thereof, transfer thereof, the security of its availability, and separation thereof. We have also put procedures in place that ensure the safeguarding of data subjects’ rights, the deletion of data and a response to data threats. Moreover, we consider the protection of personal data in the development and selection of hardware, software and procedures in accordance with the principle of data protection by design and by default (Article 25 GDPR).
Cooperation with processors and third parties
If we disclose, transmit or otherwise grant access to data to other persons and companies (processors or third parties) in connection with our processing, this shall only be carried out if legal permission exists (e.g. if the data has to be transmitted to third parties such as payment service providers for performance of a contract in accordance with Article 6(1)(b) GDPR), if you have granted corresponding consent, if we are under legal obligation to do so, or if such measures serve our legitimate interests (where agents, web hosts, etc. are engaged).
If we engage third parties to process data on the basis of a processing contract, this takes place on the basis of Article 28 GDPR.
Transmission to third countries
If we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or if we process data in connection with the use of third-party services or the disclosure or transfer of data to third parties, this shall only take place to implement our (pre-)contractual obligations, on the basis of your consent, owing to a legal obligation or on the basis of our legitimate interests. Subject to statutory or contractual permission, we process data or have data processed in a third country only if the special conditions set out in Article 44 et seqq. GDPR are in place. In other words, the processing is carried out on the basis of special assurances, such as the officially recognized establishment of a level of data protection equivalent to that in the EU (e.g. the Privacy Shield in the US) or the observance of officially recognized special contractual obligations (“standard contractual clauses”).
Rights of data subjects
You have the right to obtain confirmation as to whether the relevant data is being processed and the right to access information about this data as well as other information and copies of the data pursuant to Article 15 GDPR.
You have the right in accordance with Article 16 GDPR to request completion of the data concerning you and rectification of incorrect data concerning you. You have the right in accordance with Article 17 GDPR to demand that data concerning you be deleted without delay or, alternatively, the processing of data be restricted pursuant to Article 18 GDPR.
You have the right to receive the data concerning you that you have provided to us in accordance with Article 20 GDPR and to request the transmission thereof to other controllers. Pursuant to Article 77 GDPR, you also have the right to lodge a complaint with the competent supervisory authority.
Right of withdrawal
You have the right to withdraw granted consent in accordance with Article 7(3) GDPR with effect for the future.
Right to object
You can object to the future processing of the data concerning you at any time in accordance with Article 21 GDPR. You may in particular object to processing for purposes of direct advertising.
Cookies and the right to object to direct advertising
Cookies are small files stored on users’ computers. Different information may be stored within the cookies. A cookie primarily serves to store information pertaining to a user (or the device on which the cookie is stored) during or after such user’s visit to a website. Temporary cookies, known as session cookies or transient cookies, are cookies that are deleted when a user leaves a website and closes their browser. A cookie of this type may, for example, store the content of a shopping cart on an online shop or a login status. Permanent or persistent cookies are cookies that remain stored after the browser is closed. They can therefore, for example, store a person’s login status for reuse when the person revisits a website after several days. These cookies can also store the interests of users that can be used for measuring the reach of a website or marketing purposes. Third-party cookies are cookies provided by providers other than the controller that operates the website (the controller’s cookies are otherwise referred to as first-party cookies).
We may use temporary and permanent cookies and explain these in our Data Privacy Statement.
If users do not want cookies to be stored on their computers, they are asked to disable the corresponding option in their browser’s system settings. Stored cookies can be deleted in the browser’s system settings. Preventing cookies may restrict the functions on this Website.
Deletion of data
The data we process is deleted or the processing thereof is restricted in accordance with Articles 17 and 18 GDPR. Unless explicitly stated in this Data Privacy Statement, the data we store is deleted when it is no longer required for its intended purpose and no statutory retention obligations prevent us from doing so. If the data is not deleted because it is required for other purposes permitted by law, the processing thereof will be restricted. In other words, the data will be blocked and not processed for other purposes. This is the case for data that has to be retained for commercial or tax purposes, for example.
In accordance with legal requirements in Germany, data is retained in particular for ten years in accordance with Sections 147(1) of the German Fiscal Code (AO), 257(1) no. 1 and 4, (4) of the German Commercial Code (HGB) (books, records, status reports, accounting records, trading books, documents relevant for taxation, etc.) and six years in accordance with Section 257(1) no. 2 and 3, (4) HGB (business correspondence).
In accordance with legal requirements in Austria, data is retained in particular for seven years pursuant to Section 132(1) of the Austrian Fiscal Code (BAO) (accounting documents, records/invoices, accounts, business papers, statements of revenue and expenditure, etc.), for 22 years in connection with property and for ten years in the case of documents relating to electronically rendered services, telecommunications, broadcasting and television services that are provided to non-entrepreneurs in EU Member States and for which the mini one-stop-shop (MOSS) is utilized.
We also process
– Contract data (e.g. object of the contract, term, customer category)
– Payment data (e.g. bank details, payment history)
pertaining to our customers, interested parties and business partners for purposes of rendering contractual services, customer care, marketing, advertising and market research.
The hosting services we use serve to provide the following services: Infrastructure and platform services, computing capacity, storage space and database services, security services and technical maintenance services that we use for purposes of operating this Website.
In this context we, or our hosting providers, process user-related data, contact details, content data, contract data, usage data, metadata and communication data pertaining to customers, interested parties and visitors to this Website on the basis of our legitimate interest in the efficient and secure provision of this Website pursuant to Article 6(1)(f) GDPR in conjunction with Article 28 GDPR (conclusion of processing contract).
Collection of access data and log files
We, or our hosting providers, collect data on all access to the server on which this service is located (server log files) on the basis of our legitimate interest pursuant to Article 6(1)(f) GDPR. Access data includes the name of the accessed website, file, date and time of access, volume of data transmitted, confirmation of successful access, browser type and version, the user’s operating system, referrer URL (the previously visited page), IP address and the requesting provider.
For security reasons (e.g. to investigate misuse or fraud), log file information is stored for a period of no more than seven days and then deleted. Data that has to be retained for longer for evidentiary purposes is not deleted until the relevant matter is definitively clarified.
Provision of our statutory and business services
We process data pertaining to our employees, supporters, interested parties, customers or other people in accordance with Article 6(1)(b) GDPR insofar as we offer them contractual services or carry out work for them in the context of an existing business relationship, e.g. for members, or receive services or benefits. We also process data pertaining to data subjects in accordance with Article 6(1)(f) GDPR based on our legitimate interests, for example in relation to administrative tasks or public relations work.
The data processed in this context and the nature, scope, purpose and necessity of its processing are determined in accordance with the underlying contractual relationship. This includes user-related data and master data pertaining to people (e.g. name, address) as well as contact data (e.g. email address, telephone), contract data (e.g. services utilized, shared content and information, names of contact persons) and, if we offer chargeable services or products, payment data (e.g. bank details, payment history).
We delete data that is no longer required for our statutory or business purposes. This is determined based on the relevant tasks and contractual relationships. In the case of business processing, we retain data for as long as it may be of relevance for processing business and with regard to any warranties. The necessity of the retention of data is reviewed every three years. Statutory retention periods also apply.
Provision of contractual services
We process user-related data (e.g. names, addresses and contact details of users), contract data (e.g. services utilized, names of contact persons, payment information) for purposes of fulfilling our contractual obligations and services in accordance with Article 6(1)(b) GDPR. The entries marked as mandatory on the online forms are required to conclude the contract.
When our Website is used, we store the IP address and time of the respective user action. This storage is based on our legitimate interests, and users’ legitimate interests, in protecting against abuse and other unauthorized use. This data is generally not passed on to third parties, unless this is required to pursue our claims or there is a legal obligation to do so pursuant to Article 6(1)(c) GDPR.
We process usage data (e.g. the pages visited on our Website, interest in our products) and content data (e.g. entries on a contact form or user profile) in a user profile for advertising purposes in order to show users product information based on services they have utilized in the past, for example.
Data is deleted once statutory warranties and comparable obligations have expired. The necessity of the retention of data is reviewed once every three years; in the case of statutory archiving obligations, data is deleted once such obligations expire. Information in customer accounts remains there until it is deleted.
Administration, accounting, office organization, contact management
We process data in the course of performing administrative and accounting tasks, organizing our business and complying with statutory obligations such as archiving. In this context, we process the same data that we process in the provision of our contractual services. The principles upon which such processing is based are Article 6(1)(c) GDPR, Article 6(1)(f) GDPR. The processing affects customers, interested parties, business partners and website visitors. The purpose of and our interest in processing lies in administration, accounting, office organization and the archiving of data, namely tasks that serve to secure our business activities, perform our tasks and provide our services. The deletion of data with regard to contractual services and contractual communication is in accordance with the information provided for these processing activities.
In this context, we disclose or transmit data to the tax authorities, advisers such as tax advisers or auditors and other billing centers and payment service providers.
We also store information on suppliers, organizers and other business partners for purposes of making contact at a later date, for example, based on our business interests. We generally store this mostly company-related data permanently.
Business analyses and market research
In order to run our business efficiently and be able to recognize market trends and customer and user wishes, we analyze the data available to us on business processes, contracts, inquiries, etc. In this context, we process user-related data, communication data, contract data, payment data, usage data and metadata on the basis of Article 6(1)(f) GDPR, where the data subjects include customers, interested parties, business partners, visitors and users of the Website.
The analyses are carried out for purposes of business assessments, marketing and market research. We may take account of the profiles of registered users in this process, including information on their purchases, for example. The analyses serve to increase our user-friendliness and to improve our offering and operating efficiency. The analyses are for internal purposes only and are not disclosed externally, apart from in connection with anonymous analyses involving aggregated values.
If these analyses or profiles are personal, they are deleted or anonymized if users cancel, and in all other cases are deleted or anonymized two years after contract conclusion. Business analyses and determinations of general trends are otherwise created anonymously, wherever possible.
Data protection information in application processes
We only process applicant data for purposes of and in connection with application processes in accordance with legal requirements. Applicant data is processed to comply with our (pre-)contractual obligations in the application process within the meaning of Article 6(1)(b) GDPR and Article 6(1)(f) GDPR insofar as data processing is necessary for us in connection with legal procedures, for example (Section 26 of the Federal Data Protection Act (BDSG) applies additionally in Germany).
Applicants have to provide applicant data to us in application processes. The required applicant data is marked if we provide an online form. Otherwise, it can be found in job descriptions and generally includes information on the person, mailing and contact addresses and documents pertaining to the application, such as cover letter, resume and references. Applicants can also provide us with additional information voluntarily.
By transmitting their applications to us, applicants agree to the processing of their data for purposes of the application process in accordance with the nature and scope of processing set out in this Data Privacy Statement.
Insofar as special categories of personal data within the meaning of Article 9(1) GDPR are voluntarily disclosed in the application process, they are also processed pursuant to Article 9(2)(b) GDPR (e.g. health data such as severe disabilities or ethnic origin). Insofar as special categories of personal data within the meaning of Article 9(1) GDPR are requested from applicants in the application process, they are also processed pursuant to Article 9(2)(a) GDPR (e.g. health data if this is necessary for exercise of the profession).
Applicants can send us their applications using the online form on our website, where such form is available. The data is transferred to us in encrypted form in accordance with the state of the art.
Applicants can also send us their applications via email. However, applicants should be aware that emails are generally not sent in encrypted form and applicants have to take care of encryption themselves. Therefore, we cannot accept any responsibility for the transmission route of the application between the sender and receipt on our server and instead recommend an online form or sending the application by mail. Applicants are able to send their applications by mail instead of using the online form or email.
We may process the data provided by applicants for purposes of an employment relationship if their applications are successful. Applicant data will otherwise be deleted if the application is unsuccessful. Applicant data is also deleted if an application is withdrawn, which applicants are entitled to do at any time.
The data is deleted, without prejudice to a justified revocation by the applicant, after a period of six months so that we can respond to any follow-up questions relating to the application and can meet our obligations to furnish evidence under the Equal Treatment Act. Invoices for the payment of travel expenses are archived in accordance with requirements under tax law.
In relation to applications, we give applicants the opportunity to be included in our talent pool for a period of two years based on consent within the meaning of Article 6(1)(b) and Article 7 GDPR.
The application documents in the talent pool are processed exclusively in connection with future job advertisements and searches for employees and are destroyed no later than on expiry of the period. Applicants are informed that consent to inclusion in the talent pool is voluntary, has no influence on the application process in question and can be revoked at any time with effect for the future, and they can also object within the meaning of Article 21 GDPR.
When users establish contact with us (e.g. on the contact form, by email, telephone or social media), their information is processed in order to deal with and process the inquiry in accordance with Article 6(1)(b) GDPR. Users’ information may be stored in a customer relationship management system (“CRM system”) or a comparable system for organizing inquiries.
We delete the inquiries when they are no longer required. We review the necessity of the inquiries every two years; statutory archiving obligations also apply.
Google is certified in accordance with the Privacy Shield Framework and thereby guarantees to comply with European data protection law (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
Google uses this information on our instruction to analyze users’ use of our Website, to compile reports on activities on this Website, and to perform for us other services associated with use of this Website and internet use. In this context, pseudonymous user profiles may be created for users using the processed data.
We only use Google Analytics with IP anonymization enabled. This means that Google will abbreviate users’ IP addresses within Member States of the European Union and in other signatory states to the Agreement on the European Economic Area. Only in exceptional cases is the entire IP address transmitted to a Google server in the US and abbreviated there.
The IP address transmitted from the user’s browser is not combined with other data held by Google. Users can prevent the storage of cookies using the corresponding setting on their browser software and can also prevent Google from collecting data generated by the cookie and relating to their use of the Website and from processing this data by downloading and installing the browser plugin available at the following link: http://tools.google.com/dlpage/gaoptout?hl=en.
Users’ personal data is deleted or anonymized after 14 months.
Facebook pixel, custom audiences and Facebook conversion
Based on our legitimate interest in analyzing, improving and efficiently operating our Website and for these purposes, we use the Facebook pixel on our Website from the social network Facebook, operated by Facebook Inc., 1 Hacker Way, Menlo Park, CA 94025, USA, or, if you are based in the EU, Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Facebook”).
Facebook is certified in accordance with the Privacy Shield Framework and thereby guarantees to comply with European data protection law (https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active).
The Facebook pixel allows Facebook to determine the visitors to our Website as well as the target group for ads (“Facebook ads”). Accordingly, we use the Facebook pixel to show our Facebook ads only to those Facebook users that have also shown interest in our Website or that have certain characteristics (e.g. interest in certain topics or products determined based on the pages visited) that we communicate to Facebook (“custom audiences”). By using the Facebook pixel, we would also like to ensure that our Facebook ads relate to users’ potential interests and are not annoying. Using the Facebook pixel also allows us to track the effectiveness of Facebook ads for statistical and market research purposes in that we can see whether users were forwarded to our website after clicking on a Facebook ad (“conversion”).
Data is processed by Facebook in accordance with Facebook’s data use policy. Accordingly, general information on the display of Facebook ads can be found in Facebook’s data use policy: https://www.facebook.com/policy.php. Specific information and details on the Facebook pixel and its operation can be found in Facebook’s help section: https://www.facebook.com/business/help/651294705016616.
You can object to the recording of your data by the Facebook pixel and use of your data to show you Facebook ads. To determine which types of ad you are shown on Facebook, you can access the page set up by Facebook and follow the directions given on the settings for usage-based advertising: https://www.facebook.com/settings?tab=ads. The settings apply on all platforms, i.e. they are adopted for all devices such as desktop computers and mobile devices.
Online presence on social media
We have an online presence on social networks and platforms so that we can communicate with customers, interested parties and users who actively use these sites and inform them of our services. The terms and conditions and data policies of the operators of these networks and platforms apply when they are accessed.
Unless stated otherwise in our Data Privacy Statement, we process users’ data if they communicate with us on social networks and platforms, for example by writing posts on our online presence or sending us messages.
Integration of third-party services and content
Based on our legitimate interest (i.e. interest in analyzing, improving and efficiently operating our Website within the meaning of Article 6(1)(f) GDPR), we use content and services offered by third-party providers on our Website for purposes of incorporating their content and services such as videos and fonts (hereinafter collectively referred to as “content”).
The third-party providers of this content have to use users’ IP addresses as they would not be able to send the content to their browsers without these IP addresses. The IP address is therefore required to show this content. We endeavor to exclusively use content offered by providers that will only use the IP address to deliver the content. Third-party providers may also use pixel tags (transparent images also known as web beacons) for statistical or marketing purposes. The pixel tags may be used to analyze information such as visitor traffic to the pages on this website. The pseudonymous information may also be stored in cookies on users’ devices and include technical information on the browser and operating system, referring websites, visit times as well as other information on use of our Website, and may also be combined with such information from other sources.
Use of Facebook social plugins
Based on our legitimate interest (i.e. interest in analyzing, improving and efficiently operating our Website within the meaning of Article 6(1)(f) GDPR), we use social plugins (“plugins”) offered by the social network facebook.com, which is operated by Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Facebook”). The plugins may constitute interactive elements or content (e.g. videos, pictures or text) and can be identified by one of the Facebook logos (white ‘f’ on a blue tile, the term ‘Like’ or a ‘thumbs up’ symbol) or are labeled as a “Facebook social plugin”. The list and appearance of Facebook social plugins can be seen here: https://developers.facebook.com/docs/plugins/.
Facebook is certified in accordance with the Privacy Shield Framework and thereby guarantees to comply with European data protection law (https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active).
If a user calls a function on this Website that contains such a plugin, the user’s device will establish a direct connection to Facebook’s servers. Facebook transmits the plugin content directly to the user’s device, which embeds it in the Website. In this context, the processed data can be used to create user profiles for users. We therefore cannot influence the scope of the data collected by Facebook using this plugin and accordingly inform users in accordance with our level of knowledge.
By embedding the plugins, Facebook is informed that a user has accessed a corresponding page on the Website. If users are logged in on Facebook, Facebook can assign the visit to their Facebook account. If users interact with the plugins, for example by clicking the Like button or leaving a comment, the corresponding information is transmitted directly to Facebook by their device and stored there. If users do not have Facebook accounts, Facebook may nevertheless find out and store their IP addresses. According to Facebook, only anonymized IP addresses are stored in Germany.
If users have Facebook accounts and do not want Facebook to collect data on them via this Website and combine it with their membership data stored at Facebook, they must log out of Facebook before using our Website and delete their cookies. There are additional settings and opportunities to object to the use of data for advertising purposes on Facebook’s profile settings: https://www.facebook.com/settings?tab=ads or on the US site http://www.aboutads.info/choices/ or the EU site http://www.youronlinechoices.com/. The settings apply on all platforms, i.e. they are adopted for all devices such as desktop computers and mobile devices.