Privacy Policy

1 An overview of data protection

1.1 General information

The following information will provide you with an easy-to-navigate overview of what will happen with your personal data when you visit this website. The term “personal data” comprises all data that can be used to personally identify you. For detailed information about the subject matter of data protection, please consult our Data Protection Declaration, which we have included beneath this copy.

1.2 Data recording on this website

1.2.1 Who is the responsible party for the recording of data on this website (i.e., the “controller”)?

The data on this website is processed by the operator of the website, whose contact information is available under section “Information about the responsible party (referred to as the “controller” in the GDPR)” in this Privacy Policy.

1.2.2 How do we record your data?

We collect your data as a result of your sharing of your data with us. This may, for instance, be information you enter into our contact form.

Other data shall be recorded by our IT systems automatically or after you consent to its recording during your website visit. This data comprises primarily technical information (e.g., web browser, operating system, or time the site was accessed). This information is recorded automatically when you access this website.

1.2.3 What are the purposes we use your data for?

A portion of the information is generated to guarantee the error-free provision of the website. Other data may be used to analyze your user patterns.

1.2.4 What rights do you have as far as your information is concerned?

You have the right to receive information about the source, recipients, and purposes of your archived personal data at any time without having to pay a fee for such disclosures. You also have the right to demand that your data are rectified or eradicated. If you have consented to data processing, you have the option to revoke this consent at any time, which shall affect all future data processing. Moreover, you have the right to demand that the processing of your data be restricted under certain circumstances. Furthermore, you have the right to log a complaint with the competent supervising agency.

Please do not hesitate to contact us at any time if you have questions about this or any other data protection related issues.

1.2.5 Analysis tools and tools provided by third parties

There is a possibility that your browsing patterns will be statistically analyzed when you visit this website. Such analyses are performed primarily with what we refer to as analysis programs.

For detailed information about these analysis programs please consult our Data Protection Declaration below.

2 Hosting

We are hosting the content of our website at the following provider:

2.1 Hetzner

The provider is the Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany (hereinafter referred to as Hetzner).

For details, please view the data privacy policy of Hetzner: https://www.hetzner.com/de/rechtliches/datenschutz.

We use Hetzner on the basis of Art. 6(1)(f) GDPR. We have a legitimate interest in the most reliable depiction of our website possible. If appropriate consent has been obtained, the processing is carried out exclusively on the basis of Art. 6(1)(a) GDPR and § 25 (1) TTDSG, insofar as the consent includes the storage of cookies or the access to information in the user’s end device (e.g., device fingerprinting) within the meaning of the TTDSG. This consent can be revoked at any time.

2.1.1 Data processing

We have concluded a data processing agreement (DPA) for the use of the above-mentioned service. This is a contract mandated by data privacy laws that guarantees that the provider processes personal data of our website visitors only based on our instructions and in compliance with the GDPR.

3 General information and mandatory information

3.1 Data protection

The operators of this website and its pages take the protection of your personal data very seriously. Hence, we handle your personal data as confidential information and in compliance with the statutory data protection regulations and this Data Protection Declaration.

Whenever you use this website, a variety of personal information will be collected. Personal data comprises data that can be used to personally identify you. This Data Protection Declaration explains which data we collect as well as the purposes we use this data for. It also explains how, and for which purpose the information is collected.

We herewith advise you that the transmission of data via the Internet (i.e., through e-mail communications) may be prone to security gaps. It is not possible to completely protect data against third-party access.

3.2 Information about the responsible party (referred to as the “controller” in the GDPR)

The data processing controller on this website is:

Sebapharma GmbH & CO. KG
Binger Straße 80
56154 Bad Salzig

Authorized managing directors:
Thomas Maurer, Chairman of the Management Board
Dr. Daniel Rothoeft, Deputy Chairman of the Management Board

Phone: +49 (0) 6742 / 9000
E-mail: info@sebamed.de

The controller is the natural person or legal entity that single-handedly or jointly with others makes decisions as to the purposes of and resources for the processing of personal data (e.g., names, e-mail addresses, etc.).

3.3 Storage duration

Unless a more specific storage period has been specified in this privacy policy, your personal data will remain with us until the purpose for which it was collected no longer applies. If you assert a justified request for deletion or revoke your consent to data processing, your data will be deleted, unless we have other legally permissible reasons for storing your personal data (e.g., tax or commercial law retention periods); in the latter case, the deletion will take place after these reasons cease to apply.

3.4 General information on the legal basis for the data processing on this website

If you have consented to data processing, we process your personal data on the basis of Art. 6(1)(a) GDPR or Art. 9 (2)(a) GDPR, if special categories of data are processed according to Art. 9 (1) GDPR. In the case of explicit consent to the transfer of personal data to third countries, the data processing is also based on Art. 49 (1)(a) GDPR. If you have consented to the storage of cookies or to the access to information in your end device (e.g., via device fingerprinting), the data processing is additionally based on § 25 (1) TTDSG. The consent can be revoked at any time. If your data is required for the fulfillment of a contract or for the implementation of pre-contractual measures, we process your data on the basis of Art. 6(1)(b) GDPR. Furthermore, if your data is required for the fulfillment of a legal obligation, we process it on the basis of Art. 6(1)(c) GDPR. Furthermore, the data processing may be carried out on the basis of our legitimate interest according to Art. 6(1)(f) GDPR. Information on the relevant legal basis in each individual case is provided in the following paragraphs of this privacy policy.

3.5 Designation of a data protection officer

We have appointed a data protection officer.

Contact details of our data protection officer:

Phone: +49 151 730 44 032
E-mail: datenschutz@sebamed.de

3.6 Information on the data transfer to third-party countries that are not secure under data protection law and the transfer to US companies that are not DPF-certified

We use, among other technologies, tools from companies located in third-party countries that are not safe under data protection law, as well as US tools whose providers are not certified under the EU-US Data Privacy Framework (DPF). If these tools are enabled, your personal data may be transferred to and processed in these countries. We would like you to note that no level of data protection comparable to that in the EU can be guaranteed in third countries that are insecure in terms of data protection law.

We would like to point out that the US, as a secure third-party country, generally has a level of data protection comparable to that of the EU. Data transfer to the US is therefore permitted if the recipient is certified under the “EU-US Data Privacy Framework” (DPF) or has appropriate additional assurances. Information on transfers to third-party countries, including the data recipients, can be found in this Privacy Policy.

3.7 Recipients of personal data

In the scope of our business activities, we cooperate with various external parties. In some cases, this also requires the transfer of personal data to these external parties. We only disclose personal data to external parties if this is required as part of the fulfillment of a contract, if we are legally obligated to do so (e.g., disclosure of data to tax authorities), if we have a legitimate interest in the disclosure pursuant to Art. 6 (1)(f) GDPR, or if another legal basis permits the disclosure of this data. When using processors, we only disclose personal data of our customers on the basis of a valid contract on data processing. In the case of joint processing, a joint processing agreement is concluded.

3.8 Revocation of your consent to the processing of data

A wide range of data processing transactions are possible only subject to your express consent. You can also revoke at any time any consent you have already given us. This shall be without prejudice to the lawfulness of any data collection that occurred prior to your revocation.

3.9 Right to object to the collection of data in special cases; right to object to direct advertising (Art. 21 GDPR)

IN THE EVENT THAT DATA ARE PROCESSED ON THE BASIS OF ART. 6(1)(E) OR (F) GDPR, YOU HAVE THE RIGHT TO AT ANY TIME OBJECT TO THE PROCESSING OF YOUR PERSONAL DATA BASED ON GROUNDS ARISING FROM YOUR UNIQUE SITUATION. THIS ALSO APPLIES TO ANY PROFILING BASED ON THESE PROVISIONS. TO DETERMINE THE LEGAL BASIS, ON WHICH ANY PROCESSING OF DATA IS BASED, PLEASE CONSULT THIS DATA PROTECTION DECLARATION. IF YOU LOG AN OBJECTION, WE WILL NO LONGER PROCESS YOUR AFFECTED PERSONAL DATA, UNLESS WE ARE IN A POSITION TO PRESENT COMPELLING PROTECTION WORTHY GROUNDS FOR THE PROCESSING OF YOUR DATA, THAT OUTWEIGH YOUR INTERESTS, RIGHTS AND FREEDOMS OR IF THE PURPOSE OF THE PROCESSING IS THE CLAIMING, EXERCISING OR DEFENCE OF LEGAL ENTITLEMENTS (OBJECTION PURSUANT TO ART. 21(1) GDPR).

IF YOUR PERSONAL DATA IS BEING PROCESSED IN ORDER TO ENGAGE IN DIRECT ADVERTISING, YOU HAVE THE RIGHT TO OBJECT TO THE PROCESSING OF YOUR AFFECTED PERSONAL DATA FOR THE PURPOSES OF SUCH ADVERTISING AT ANY TIME. THIS ALSO APPLIES TO PROFILING TO THE EXTENT THAT IT IS AFFILIATED WITH SUCH DIRECT ADVERTISING. IF YOU OBJECT, YOUR PERSONAL DATA WILL SUBSEQUENTLY NO LONGER BE USED FOR DIRECT ADVERTISING PURPOSES (OBJECTION PURSUANT TO ART. 21(2) GDPR).

3.10 Right to log a complaint with the competent supervisory agency

In the event of violations of the GDPR, data subjects are entitled to log a complaint with a supervisory agency, in particular in the member state where they usually maintain their domicile, place of work or at the place where the alleged violation occurred. The right to log a complaint is in effect regardless of any other administrative or court proceedings available as legal recourses.

Contact details for the supervisory agency:

Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Rheinland-Pfalz

Postfach 30 40
55020 Mainz
Phone: +49 (0) 6131 8920-0
E-mail: poststelle@datenschutz.rlp.de

3.11 Right to data portability

You have the right to have data that we process automatically on the basis of your consent or in fulfillment of a contract handed over to you or to a third party in a common, machine-readable format. If you should demand the direct transfer of the data to another controller, this will be done only if it is technically feasible.

3.12 Information about, rectification and eradication of data

Within the scope of the applicable statutory provisions, you have the right to demand information about your archived personal data, their source, and recipients as well as the purpose of the processing of your data at any time. You may also have a right to have your data rectified or eradicated. If you have questions about this subject matter or any other questions about personal data, please do not hesitate to contact us at any time.

3.13 Right to demand processing restrictions

You have the right to demand the imposition of restrictions as far as the processing of your personal data is concerned. To do so, you may contact us at any time. The right to demand restriction of processing applies in the following cases:

  • In the event that you should dispute the correctness of your data archived by us, we will usually need some time to verify this claim. During the time that this investigation is ongoing, you have the right to demand that we restrict the processing of your personal data.

  • If the processing of your personal data was/is conducted in an unlawful manner, you have the option to demand the restriction of the processing of your data instead of demanding the eradication of this data.

  • If we do not need your personal data any longer and you need it to exercise, defend or claim legal entitlements, you have the right to demand the restriction of the processing of your personal data instead of its eradication.

  • If you have raised an objection pursuant to Art. 21(1) GDPR, your rights and our rights will have to be weighed against each other. As long as it has not been determined whose interests prevail, you have the right to demand a restriction of the processing of your personal data.

If you have restricted the processing of your personal data, these data – with the exception of their archiving – may be processed only subject to your consent or to claim, exercise or defend legal entitlements or to protect the rights of other natural persons or legal entities or for important public interest reasons cited by the European Union or a member state of the EU.

3.14 SSL and/or TLS encryption

For security reasons and to protect the transmission of confidential content, such as purchase orders or inquiries you submit to us as the website operator, this website uses either an SSL or a TLS encryption program. You can recognize an encrypted connection by checking whether the address line of the browser switches from “http://” to “https://” and also by the appearance of the lock icon in the browser line.

If the SSL or TLS encryption is activated, data you transmit to us cannot be read by third parties.

3.15 Encrypted payment transactions on this website

If you are under an obligation to share your payment information (e.g. account number if you give us the authority to debit your bank account) with us after you have entered into a fee-based contract with us, this information is required to process payments.

Payment transactions using common modes of paying (Visa/MasterCard, debit to your bank account) are processed exclusively via encrypted SSL or TLS connections. You can recognize an encrypted connection by checking whether the address line of the browser switches from “http://” to “https://” and also by the appearance of the lock icon in the browser line.

If the communication with us is encrypted, third parties will not be able to read the payment information you share with us.

3.16 Rejection of unsolicited e-mails

We herewith object to the use of contact information published in conjunction with the mandatory information to be provided in our Site Notice to send us promotional and information material that we have not expressly requested. The operators of this website and its pages reserve the express right to take legal action in the event of the unsolicited sending of promotional information, for instance via SPAM messages.

3.17 Commercialization via Amazon

The operator uses the Amazon platform to market its products. Amazon Europe Core S.à.r.l., Amazon EU S.à.r.l., Amazon Services Europe S.à.r.l. and Amazon Media EU S.à.r.l., all four located at 38, avenue John F. Kennedy, L-1855 Luxembourg, and Amazon Digital Germany GmbH, Domagkstr. 28, 80807 Munich (together "Amazon Europe") are responsible for all personal information collected and processed by Amazon Europe. Further information can be found at https://www.amazon.de/gp/help/customer/display.html?nodeId=GR2TDVTNRVM2PY2M.

By using Amazon, information on the use of the website (e.g. date and time of access, IP address, etc.) is transmitted to the Amazon servers (possibly also in the USA) and stored.

The transfer of your personal data to Amazon outside the European Economic Area takes place using standard data protection clauses in accordance with Art. 46 (2) c) GDPR, which were issued by the European Commission in accordance with Art. 93 (2) GDPR. Information on the standard data protection clauses can be found on the website of the European Commission (https://ec.europa.eu/info/index_de). This may also include a link to your user account if you are logged in there.

If you do not want Amazon to create a link to your user account, you must log out before using the service. Amazon's terms of use and privacy policy apply.

When you created your user profile on Amazon, you were informed about the collection and storage of your personal data, as well as the type and purpose of its processing. You can find this information in the privacy policy provided by Amazon at www.amazon.de/gp/help/customer/display.html?nodeId=3312401. Consent was obtained from Amazon as part of your registration.

We do not collect any personal data from you other than that provided by Amazon. You have already consented to Amazon transmitting your personal data to us for the purpose of processing the contract. This personal data transmitted to us by Amazon will be stored by us.

We use this data

  • to identify you as our customer and to process and fulfil your order;

  • to correspond with you;

  • for invoicing;

  • to process any liability claims that may exist and to assert any claims against you.

As part of your registration with Amazon and during order processing, we will obtain your consent to process this data.

The data processing takes place in response to your order and is required in accordance with Art. 6 para. 1 sentence 1 lit. b GDPR for the purposes mentioned for the appropriate processing of your order and for the mutual fulfilment of obligations arising from the purchase contract.

The personal data collected by Amazon for the processing of your order and transmitted to us will be stored by us until the expiry of the statutory retention obligation and then deleted, unless we are obliged to store it for a longer period of time in accordance with Article 6 para. 1 sentence 1 lit. c GDPR due to tax and commercial law storage and documentation obligations or you have consented to further storage in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR.

4 Recording of data on this website

4.1 Cookies

Our websites and pages use what the industry refers to as “cookies.” Cookies are small data packages that do not cause any damage to your device. They are either stored temporarily for the duration of a session (session cookies) or they are permanently archived on your device (permanent cookies). Session cookies are automatically deleted once you terminate your visit. Permanent cookies remain archived on your device until you actively delete them, or they are automatically eradicated by your web browser.

Cookies can be issued by us (first-party cookies) or by third-party companies (so-called third-party cookies). Third-party cookies enable the integration of certain services of third-party companies into websites (e.g., cookies for handling payment services).

Cookies have a variety of functions. Many cookies are technically essential since certain website functions would not work in the absence of these cookies (e.g., the shopping cart function or the display of videos). Other cookies may be used to analyze user behavior or for promotional purposes.

Cookies, which are required for the performance of electronic communication transactions, for the provision of certain functions you want to use (e.g., for the shopping cart function) or those that are necessary for the optimization (required cookies) of the website (e.g., cookies that provide measurable insights into the web audience), shall be stored on the basis of Art. 6(1)(f) GDPR, unless a different legal basis is cited. The operator of the website has a legitimate interest in the storage of required cookies to ensure the technically error-free and optimized provision of the operator’s services. If your consent to the storage of the cookies and similar recognition technologies has been requested, the processing occurs exclusively on the basis of the consent obtained (Art. 6(1)(a) GDPR and § 25 (1) TTDSG); this consent may be revoked at any time.

You have the option to set up your browser in such a manner that you will be notified any time cookies are placed and to permit the acceptance of cookies only in specific cases. You may also exclude the acceptance of cookies in certain cases or in general or activate the delete-function for the automatic eradication of cookies when the browser closes. If cookies are deactivated, the functions of this website may be limited.

Which cookies and services are used on this website can be found in this privacy policy. Details of all cookies used on this website can be found under this link: Open Cookie-Center.

4.2 CCM19

Our website uses CCM19 to obtain your consent for the storage of certain cookies on your device or for the use of specific technologies and to document the former in a data protection compliant manner. The provider of this technology is Papoo Software & Media GmbH, Auguststr. 4, 53229 Bonn, Germany (hereinafter referred to as “CCM19”).

When you access our website, a connection with the servers of CCM19 is established to obtain your consent and other declarations related to the use of cookies. Subsequently, CCM19 will store a cookie in your browser to be able to allocate the granted consent or revocation. The data generated using this system will be archived by us until you ask us to delete it, delete the CCM19 cookie yourself or the purpose for the archiving of the data no longer applies. This shall be without prejudice to any mandatory statutory archiving periods.

We use CCM19 to obtain the consent mandated by law for the use of cookies. The legal basis for this is Art. 6(1)(1)(f) GDPR.

4.2.1 Data processing

We have concluded a data processing agreement (DPA) for the use of the above-mentioned service. This is a contract mandated by data privacy laws that guarantees that the provider processes personal data of our website visitors only based on our instructions and in compliance with the GDPR.

4.3 Server log files

The provider of this website and its pages automatically collects and stores information in so-called server log files, which your browser communicates to us automatically. The information comprises:

  • The type and version of browser used

  • The operating system used

  • Referrer URL

  • The hostname of the accessing computer

  • The time of the server inquiry

  • The IP address

This data is not merged with other data sources.

This data is recorded on the basis of Art. 6(1)(f) GDPR. The operator of the website has a legitimate interest in the technically error-free depiction and the optimization of the operator’s website. In order to achieve this, server log files must be recorded. The server log files are stored for a maximum of 3 months and are then deleted.

4.4 Contact Form

If you would like to contact the operator, a contact form is available for this purpose. You must provide the following information in this form: Title (Mr, Mrs, family), first name, surname, street, postcode, city, e-mail address, message. You can also provide the following information voluntarily: Age group, skin type, skin sensitivity, hair type, mobile phone number. Furthermore, your referrer URL, i.e. the URL from which you came to the website, may be processed.

The operator processes your data to communicate with you, e.g. to respond to your contact enquiry. The permissibility of this processing is based on Art. 6 para. 1 b) GDPR (pre-contractual or contractual measure). The provision of the data is necessary because otherwise you will not be able to send a message to the operator and the operator will not be able to provide you with the requested information.

In individual cases, the permissibility of processing may be based on Art. 6 para. 1 c) GDPR if you provide information that must be forwarded as part of a complaint due to legal obligations. In addition, if you provide data on incompatibilities, processing may be permitted under Art. 9 (2) (i) GDPR if you provide health data that must be processed for health care purposes.

In addition, the permissibility of processing may be based on Art. 6 para. 1 f) GDPR. The legitimate interest of the operator lies in particular in the analysis and optimization of marketing measures.

The personal data processed in the context of communication will be deleted after expiry of the statutory retention obligations, unless the controller has a legitimate interest in further storage. In any case, only the data that is absolutely necessary to fulfil the relevant purpose will continue to be stored. Where possible, personal data will be anonymized.

4.5 Request by e-mail, mail, telephone, or fax

If you contact us by e-mail, mail, telephone or fax, your request, including all resulting personal data (name, request) will be stored and processed by us for the purpose of processing your request. We do not pass these data on without your consent.

These data are processed on the basis of Art. 6(1)(b) GDPR if your inquiry is related to the fulfillment of a contract or is required for the performance of pre-contractual measures. In all other cases, the data are processed on the basis of our legitimate interest in the effective handling of inquiries submitted to us (Art. 6(1)(f) GDPR) or on the basis of your consent (Art. 6(1)(a) GDPR) if it has been obtained; the consent can be revoked at any time.

The data sent by you to us via contact requests remain with us until you request us to delete them, revoke your consent to their storage, or the purpose for the data storage lapses (e.g. after completion of your request). Mandatory statutory provisions - in particular statutory retention periods - remain unaffected.

4.6 Registration on this website

You have the option to register on this website to be able to use additional website functions. We shall use the data you enter only for the purpose of using the respective offer or service you have registered for. The required information we request at the time of registration must be entered in full. Otherwise, we shall reject the registration.

To notify you of any important changes to the scope of our portfolio or in the event of technical modifications, we shall use the e-mail address provided during the registration process.

We shall process the data entered during the registration process on the basis of your consent (Art. 6(1)(a) GDPR).

The data recorded during the registration process shall be stored by us as long as you are registered on this website. Subsequently, such data shall be deleted. This shall be without prejudice to mandatory statutory retention obligations.

When creating a customer account, we collect and process all data required for order fulfilment (e.g. name, email address, delivery and billing address, payment information). In your customer account, you have the option of assigning or changing a password or saving or changing your delivery and billing address.

4.7 Facebook contest/raffle

The operator is the owner of a Facebook page on which he regularly organizes competitions. As a rule, participation in these competitions requires the publication of a comment under the operator's corresponding prize draw using one's own Facebook account. Once the winners have been determined, they will be contacted by the operator using the "Send message" function for the purpose of distributing the prize. The winners must then provide the following information: Title, first name, surname, street, postcode, city.

The requested data of the participants will only be used for the realization and processing of the prize draw. The permissibility of this processing is based on Art. 6 para. 1 f) GDPR (legitimate interest). The operator organizes competitions to publicize its products and attract new customers. The provision of your data is necessary for participation in the competition. If you do not provide your data, you cannot participate and cannot win any of the advertised prizes.

After the end of the competition, the participants' data will be deleted along with the communication made via Facebook. The comments under the competition on the operator's Facebook page will not be deleted. 

4.8 Competition/raffle on the website

The operator also organizes competitions directly on the website. As a rule, participation requires the answering of a question. The following information must also be provided: Title, first name, surname, street, postcode, city, email address.

The requested data of the participants will only be used for the realization and processing of the competition. The permissibility of this processing is based on Art. 6 para. 1 f) GDPR (legitimate interest). The operator organizes competitions to publicize its products and attract new customers. The provision of your data is necessary for participation in the competition. If you do not provide your data, you will not be able to participate and will not be able to win any of the advertised prizes.

Your data will be deleted at the end of the competition.

4.9 Becoming a skin researcher

The operator offers users of the website the opportunity to take part in a comprehensive survey under the menu item "Become a skin researcher". The subject of this survey is general information, the skin type, the care products used by the user, the living conditions, and other habits of the user. The operator stores the user's details in a database. This is used by the operator to identify suitable persons for product tests carried out by the operator. Furthermore, the operator analyses the user data in order to obtain information for product development. User data is stored by the operator for an unlimited period of time.

To participate, the user must fill out a multi-page contact form in which the following general information must first be provided: Title, first name, surname, street, house number, postcode, city, e-mail address. Further information on your skin condition and other health-related attributes in the contact form is voluntary. If the user is selected for a product test, they will be notified by e-mail and sent the product to be tested by post. The e-mail contains a link to a questionnaire for evaluating the product. The questions are answered anonymously and do not allow any conclusions to be drawn about the person of the user.

The permissibility of this processing is based on Art. 6 para. 1 f) GDPR (legitimate interest). The operator has a legitimate interest in storing and analyzing information on the use of its products for the purpose of product development and to have product tests carried out by suitable persons. The provision of your data and storage in the operator's database is necessary for participation in the product tests carried out by the operator. Failure to provide (part of) your data will mean that you will not be selected for a product test and will therefore not receive any products.

The operator stores the data provided by the data subjects without any time limit. The user can request deletion from the operator's database at any time.

5 Social Media

5.1 Facebook

Icons (image of the logo of the social media platform, with a link to our social media presence there) of the social network Facebook are integrated on this website. By clicking on the icon, you will be redirected to the Facebook page. This is not a Like or Share button. The provider of the service is Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland. However, according to Facebook, the data collected when the Facebook page is accessed is also transferred to the USA and other third countries.

If you click on the Facebook icon provided on this website, a direct connection is established between your browser and the Facebook server. Facebook thereby receives the information that you have visited this website with your IP address. We would like to point out that, as the provider of the pages, we have no knowledge of the content of the transmitted data or its use by Facebook. Further information on this can be found in Facebook's privacy policy at: https://de-de.facebook.com/privacy/explanation.

If you do not want Facebook to be able to associate your visit to our Facebook website with your Facebook user account, please log out of your Facebook user account beforehand.

The use of the Facebook icon with a link to our Facebook page is based on Art. 6 para. 1 lit. f GDPR. The website operator has a legitimate interest in the widest possible visibility in social media.

If you click on the icon and are redirected to our Facebook page, personal data will be collected on our website and forwarded to Facebook. In this respect, we and Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland are jointly responsible for this data processing (Art. 26 GDPR).

The joint responsibility is limited exclusively to the collection of the data and its forwarding to Facebook. The processing by Facebook that takes place after the onward transfer is not part of the joint responsibility. The obligations incumbent on us jointly have been set out in a joint processing agreement. The wording of the agreement can be found under: https://www.facebook.com/legal/controller_addendum. According to this agreement, we are responsible for providing the privacy information when using the Facebook tool/icon and for the privacy-secure implementation of the tool/icon on our website. Facebook is responsible for the data security of Facebook products. You can assert data subject rights (e.g., requests for information) regarding data processed by Facebook directly with Facebook. If you assert the data subject rights with us, we are obliged to forward them to Facebook.

Data transmission to the US is based on the Standard Contractual Clauses (SCC) of the European Commission. Details can be found here: https://www.facebook.com/legal/EU_data_transfer_addendum, https://de-de.facebook.com/help/566994660333381 and https://www.facebook.com/policy.php.

The company is certified in accordance with the “EU-US Data Privacy Framework” (DPF). The DPF is an agreement between the European Union and the US, which is intended to ensure compliance with European data protection standards for data processing in the US. Every company certified under the DPF is obliged to comply with these data protection standards. For more information, please contact the provider under the following link: https://www.dataprivacyframework.gov/s/participant-search/participant-detail?contact=true&id=a2zt0000000GnywAAC&status=Active.

5.2 X (formerly Twitter)

Icons (image of the logo of the social media platform, with a link to our social media presence there) of the social network X are integrated on this website. The provider is the parent company X Corp., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA. The branch Twitter International Unlimited Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07, Ireland, is responsible for the data processing of individuals living outside the United States.

If you click on the X icon provided on this website, a direct connection is established between your browser and the X server. X thereby receives the information that you have visited this website with your IP address.

We must point out that we, as the provider of the website and its pages, have no knowledge of the content of the data transferred or of the use of this information by X (formerly Twitter). For more details, please consult the X (formerly Twitter) Data Privacy Declaration at: https://twitter.com/en/privacy.

If you do not want X to be able to associate your visit to our X website with your X user account, please log out of your X user account beforehand.

The use of the X icon with a link to our X page is based on Art. 6 para. 1 lit. f GDPR. The website operator has a legitimate interest in the widest possible visibility in social media.

Data transmission to the US is based on the Standard Contractual Clauses (SCC) of the European Commission. Details can be found here: https://gdpr.twitter.com/en/controller-to-controller-transfers.html.

You have the option to reset your data protection settings on X (formerly Twitter) under the account settings at https://twitter.com/account/settings.

5.3 Instagram

Icons (image of the logo of the social media platform, with a link to our social media presence there) of the social network Instagram are integrated on this website. By clicking on the icon, you will be redirected to the Instagram page. This is not a Like or Share button. The provider of the Instagram website is Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland. However, according to Facebook and Instagram, the data collected when you visit the Instagram page is also transferred to the USA and other third countries.

If you click on the Instagram icon provided on this website, a direct connection is established between your browser and the Instagram server. Instagram thereby receives the information that you have visited this website with your IP address. We would like to point out that, as the provider of the pages, we have no knowledge of the content of the transmitted data or its use by Instagram.

If you click on the icon and are redirected to our Instagram page, personal data will be collected on our website and forwarded to Facebook or Instagram. In this respect, we and Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland are jointly responsible for this data processing (Art. 26 GDPR).

The joint responsibility is limited exclusively to the collection of the data and its forwarding to Facebook or Instagram. The processing by Facebook or Instagram that takes place after the onward transfer is not part of the joint responsibility. The obligations incumbent on us jointly have been set out in a joint processing agreement. The wording of the agreement can be found under: https://www.facebook.com/legal/controller_addendum. According to this agreement, we are responsible for providing the privacy information when using the Facebook or Instagram tool/icon and for the privacy-secure implementation of the tool/icon on our website. Facebook is responsible for the data security of Facebook or Instagram products. You can assert data subject rights (e.g., requests for information) regarding data processed by Facebook or Instagram directly with Facebook. If you assert the data subject rights with us, we are obliged to forward them to Facebook.

If you do not want Instagram to be able to associate your visit to our Instagram website with your Instagram user account, please log out of your Instagram user account beforehand.

Data transmission to the US is based on the Standard Contractual Clauses (SCC) of the European Commission. Details can be found here: https://www.facebook.com/legal/EU_data_transfer_addendum, https://privacycenter.instagram.com/policy/ and https://de-de.facebook.com/help/566994660333381.

For more information on this subject, please consult Instagram’s Data Privacy Declaration at: https://privacycenter.instagram.com/policy/.

The company is certified in accordance with the “EU-US Data Privacy Framework” (DPF). The DPF is an agreement between the European Union and the US, which is intended to ensure compliance with European data protection standards for data processing in the US. Every company certified under the DPF is obliged to comply with these data protection standards. For more information, please contact the provider under the following link: https://www.dataprivacyframework.gov/s/participant-search/participant-detail?contact=true&id=a2zt0000000GnywAAC&status=Active.

5.4 LinkedIn

Icons (image of the logo of the social media platform, with a link to our social media presence there) of the social network LinkedIn are integrated on this website. When you click on the icon, you will be redirected to the LinkedIn page. This is not a Recommend button or Share button. The provider of the LinkedIn website is LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland.

When you click on the LinkedIn icon provided on this website, a direct connection is established between your browser and the LinkedIn server. LinkedIn thereby receives the information that you have visited this website with your IP address. We would like to point out that, as the provider of the pages, we have no knowledge of the content of the transmitted data or its use by LinkedIn. Further information on this can be found in LinkedIn's privacy policy at: https://www.linkedin.com/legal/privacy-policy.

If you do not want LinkedIn to be able to associate your visit to our LinkedIn website with your LinkedIn user account, please log out of your LinkedIn user account.

The use of the LinkedIn icon with a link to our LinkedIn page is based on Art. 6 para. 1 lit. f GDPR. The website operator has a legitimate interest in the widest possible visibility in social media.

Data transmission to the US is based on the Standard Contractual Clauses (SCC) of the European Commission. Details can be found here: https://www.linkedin.com/help/linkedin/answer/62538/datenubertragung-aus-der-eu-dem-ewr-und-der-schweiz?lang=en.

For further information on this subject, please consult LinkedIn’s Data Privacy Declaration at: https://www.linkedin.com/legal/privacy-policy.

5.5 XING

Icons (image of the logo of the social media platform, with a link to our social media presence there) of the social network Xing are integrated on this website. When you click on the icon, you will be redirected to the Xing page. This is not a Like or Share button. The provider of the Xing website is New Work SE, Am Strandkai 1, 20457 Hamburg, Germany.

If you click on the Xing icon provided on this website, a direct connection is established between your browser and the Xing server. Xing thereby receives the information that you have visited this website with your IP address. We would like to point out that we, as the provider of the pages, have no knowledge of the content of the transmitted data or its use by Xing. Further information on this can be found in Xing's privacy policy (https://privacy.xing.com/de/datenschutzerklaerung).

If you do not want Xing to be able to associate your visit to our Xing website with your Xing user account, please log out of your Xing user account.

The use of the Xing icon with a link to our Xing page is based on Art. 6 para. 1 lit. f GDPR. The website operator has a legitimate interest in the widest possible visibility in social media.

Xing is responsible for the data security of Xing products. You can assert data subject rights (e.g. requests for information) regarding the data processed by Xing directly with Xing.

5.6 TikTok

Information on data protection in connection with TikTok can be found at the following link:

https://www.sebamed.com/en/info/help/privacy-policy-for-tiktok/

6 Our social media appearances

This privacy policy applies to the following social media presence

6.1 Data processing through social networks

We maintain publicly available profiles in social networks. The individual social networks we use can be found below.

Social networks such as Facebook, X etc. can generally analyze your user behavior comprehensively if you visit their website or a website with integrated social media content (e.g., like buttons or banner ads). When you visit our social media pages, numerous data protection-relevant processing operations are triggered. In detail:

If you are logged in to your social media account and visit our social media page, the operator of the social media portal can assign this visit to your user account. Under certain circumstances, your personal data may also be recorded if you are not logged in or do not have an account with the respective social media portal. In this case, this data is collected, for example, via cookies stored on your device or by recording your IP address.

Using the data collected in this way, the operators of the social media portals can create user profiles in which your preferences and interests are stored. In this way, interest-based advertising can be displayed to you inside and outside of the respective social media presence. If you have an account with the social network, interest-based advertising can be displayed on any device you are logged in to or have logged in to.

Please also note that we cannot retrace all processing operations on the social media portals. Depending on the provider, additional processing operations may therefore be carried out by the operators of the social media portals. Details can be found in the terms of use and privacy policy of the respective social media portals.

6.2 Legal basis

Our social media appearances should ensure the widest possible presence on the Internet. This is a legitimate interest within the meaning of Art. 6 (1) lit. f GDPR. The analysis processes initiated by the social networks may be based on divergent legal bases to be specified by the operators of the social networks (e.g., consent within the meaning of Art. 6 (1) (a) GDPR).

6.3 Responsibility and assertion of rights

If you visit one of our social media sites (e.g., Facebook), we, together with the operator of the social media platform, are responsible for the data processing operations triggered during this visit. You can in principle protect your rights (information, correction, deletion, limitation of processing, data portability and complaint) vis-à-vis us as well as vis-à-vis the operator of the respective social media portal (e.g., Facebook).

Please note that despite the shared responsibility with the social media portal operators, we do not have full influence on the data processing operations of the social media portals. Our options are determined by the company policy of the respective provider.

6.4 Storage time

The data collected directly by us via the social media presence will be deleted from our systems as soon as you ask us to delete it, you revoke your consent to the storage or the purpose for the data storage lapses. Stored cookies remain on your device until you delete them. Mandatory statutory provisions - in particular, retention periods - remain unaffected.

We have no control over the storage duration of your data that are stored by the social network operators for their own purposes. For details, please contact the social network operators directly (e.g., in their privacy policy, see below).

6.5 Your rights

You have the right to receive information about the origin, recipient, and purpose of your stored personal data at any time and free of charge. You also have the right to object, the right to data portability and the right to file a complaint with the responsible regulatory agency. Furthermore, you can request the correction, blocking, deletion and, under certain circumstances, the restriction of the processing of your personal data.

6.6 Individual social networks

6.6.1 Facebook

We have a profile on Facebook. The provider of this service is Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (hereinafter Meta). According to Meta’s statement, the collected data will also be transferred to the USA and to other third-party countries.

We have signed an agreement with Meta on shared responsibility for the processing of data (Controller Addendum). This agreement determines which data processing operations we or Meta are responsible for when you visit our Facebook Fanpage. This agreement can be viewed at the following link: https://www.facebook.com/legal/terms/page_controller_addendum.

You can customize your advertising settings independently in your user account. Click on the following link and log in: https://www.facebook.com/settings?tab=ads.

Data transmission to the US is based on the Standard Contractual Clauses (SCC) of the European Commission. Details can be found here: https://www.facebook.com/legal/EU_data_transfer_addendum and https://de-de.facebook.com/help/566994660333381.

Details can be found in the Facebook privacy policy: https://www.facebook.com/about/privacy/.

The company is certified in accordance with the “EU-US Data Privacy Framework” (DPF). The DPF is an agreement between the European Union and the US, which is intended to ensure compliance with European data protection standards for data processing in the US. Every company certified under the DPF is obliged to comply with these data protection standards. For more information, please contact the provider under the following link: https://www.dataprivacyframework.gov/s/participant-search/participant-detail?contact=true&id=a2zt0000000GnywAAC&status=Active.

6.6.2 Instagram

We have a profile on Instagram. The provider of this service is Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.

Data transmission to the US is based on the Standard Contractual Clauses (SCC) of the European Commission. Details can be found here: https://www.facebook.com/legal/EU_data_transfer_addendum, https://privacycenter.instagram.com/policy/ and https://de-de.facebook.com/help/566994660333381.

For details on how they handle your personal information, see the Instagram Privacy Policy: https://privacycenter.instagram.com/policy/.

The company is certified in accordance with the “EU-US Data Privacy Framework” (DPF). The DPF is an agreement between the European Union and the US, which is intended to ensure compliance with European data protection standards for data processing in the US. Every company certified under the DPF is obliged to comply with these data protection standards. For more information, please contact the provider under the following link: https://www.dataprivacyframework.gov/s/participant-search/participant-detail?contact=true&id=a2zt0000000GnywAAC&status=Active.

6.6.3 XING

We have a profile on XING. The provider is New Work SE, Am Strandkai 1, 20457 Hamburg, Germany. Details on their handling of your personal data can be found in the XING Privacy Policy: https://privacy.xing.com/de/datenschutzerklaerung.

6.6.4 LinkedIn

We have a LinkedIn profile. The provider is the LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland. LinkedIn uses advertising cookies.

If you want to disable LinkedIn advertising cookies, please use the following link: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.

Data transmission to the US is based on the Standard Contractual Clauses (SCC) of the European Commission. Details can be found here: https://www.linkedin.com/legal/l/dpa and https://www.linkedin.com/legal/l/eu-sccs.

For details on how they handle your personal information, please refer to LinkedIn's privacy policy: https://www.linkedin.com/legal/privacy-policy.

6.6.5 YouTube

We have a profile on YouTube. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Details on how they handle your personal data can be found in the YouTube privacy policy: https://policies.google.com/privacy?hl=en.

The company is certified in accordance with the “EU-US Data Privacy Framework” (DPF). The DPF is an agreement between the European Union and the US, which is intended to ensure compliance with European data protection standards for data processing in the US. Every company certified under the DPF is obliged to comply with these data protection standards. For more information, please contact the provider under the following link: https://www.dataprivacyframework.gov/s/participant-search/participant-detail?contact=true&id=a2zt000000001L5AAI&status=Active.

6.6.6 TikTok

We have a profile on TikTok. The provider is TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland. Details on how they handle your personal data can be found in the TikTok privacy policy: https://www.tiktok.com/legal/privacy-policy?lang=en.

Data transmission to third countries is based on the Standard Contractual Clauses (SCC) of the European Commission. Details can be found here: https://www.tiktok.com/legal/privacy-policy?lang=en.

6.6.7 Kununu

We have a profile on Kununu. The provider of this service is the Kununu platform as a service of New Work SE, Am Strandkai 1, 20457 Hamburg. Details on how they handle your personal data can be found in the Kununu privacy policy at https://privacy.xing.com/de/datenschutzerklaerung.

You can contact Kununu's data protection officer at datenschutzbeauftragter@xing.com.

7 Analysis tools and advertising

7.1 etracker

This website uses the analysis service etracker. The provider of this service is the etracker GmbH, Erste Brunnenstraße 1, 20459 Hamburg, Germany.

etracker allows us to analyze the behavior patterns of our website visitors. For this purpose, etracker records, among other things, your abridged IP address, geographic information (no more detailed than city level), log files and other information your browser transfers to our web server when you access the website. As a result, we are able to measure website interactions, such as the length of the visit, conversions (e.g., registrations, purchase orders), scroll events, clicks and page access by the website visitor. These interactions are allocated to the website visitor for the duration of the current day, so that the data can be recognized during follow-up visits. Once the day has ended, visitor recognition is no longer possible.

No cookies will be stored in your browser in the absence of your consent. Moreover, no information is read from the storage of your device. The use of this analysis tool without cookies is based on Art. 6(1)(f) GDPR. The website operator has a legitimate interest in the analysis of user patterns so that the operator can optimize the web portfolio and the ads. The fundamental rights and freedoms of the data subject are protected. During the analysis with etracker, the IP address is anonymized as soon as possible, and the recognition of visitors is possible only for the duration of the current day.

If your respective consent has been obtained, processing will occur exclusively on the basis of Art. 6(1)(a) GDPR and § 25(1) TTDSG. You may revoke your consent at any time.

You have the option to deactivate etracker here:

 

7.1.1 Data processing

We have concluded a data processing agreement (DPA) for the use of the above-mentioned service. This is a contract mandated by data privacy laws that guarantees that the provider processes personal data of our website visitors only based on our instructions and in compliance with the GDPR.

7.2 Matomo

This website uses the open-source web analysis service Matomo.

Through Matomo, we are able to collect and analyze data on the use of our website by website visitors. This enables us to find out, for instance, when which page views occurred and from which region they came. In addition, we collect various log files (e.g. IP address, referrer, browser, and operating system used) and can measure whether our website visitors perform certain actions (e.g. clicks, purchases, etc.).

The use of this analysis tool is based on Art. 6(1)(f) GDPR. The website operator has a legitimate interest in the analysis of user patterns, in order to optimize the operator’s web offerings and advertising. If appropriate consent has been obtained, the processing is carried out exclusively on the basis of Art. 6(1)(a) GDPR and § 25 (1) TTDSG, insofar as the consent includes the storage of cookies or the access to information in the user’s end device (e.g., device fingerprinting) within the meaning of the TTDSG. This consent can be revoked at any time.

7.2.1 Hosting

We host Matomo exclusively on our own servers so that all analysis data remains with us and is not passed on.

7.3 Google Conversion-Tracking

This website uses Google Conversion Tracking. The provider of this service is Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland.

With the assistance of Google Conversion Tracking, we are in a position to recognize whether the user has completed certain actions. For instance, we can analyze how frequently which buttons on our website have been clicked and which products are reviewed or purchased with particular frequency. The purpose of this information is to compile conversion statistics. We learn how many users have clicked on our ads and which actions they have completed. We do not receive any information that would allow us to personally identify the users. Google itself uses cookies or comparable recognition technologies for identification purposes.

The use of these services occurs on the basis of your consent pursuant to Art. 6(1)(a) GDPR and § 25(1) TTDSG. You may revoke your consent at any time.

For more information about Google Conversion Tracking, please review Google’s data protection policy at: https://policies.google.com/privacy?hl=en.

The company is certified in accordance with the “EU-US Data Privacy Framework” (DPF). The DPF is an agreement between the European Union and the US, which is intended to ensure compliance with European data protection standards for data processing in the US. Every company certified under the DPF is obliged to comply with these data protection standards. For more information, please contact the provider under the following link: https://www.dataprivacyframework.gov/s/participant-search/participant-detail?contact=true&id=a2zt000000001L5AAI&status=Active.

7.4 Meta Pixel (formerly Facebook Pixel)

To measure conversion rates, this website uses the visitor activity pixel of Facebook/Meta. The provider of this service is Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland. According to Facebook’s statement, the collected data will also be transferred to the USA and other third-party countries.

This tool allows the tracking of page visitors after they have been redirected to the website of the provider by clicking on a Facebook ad. This makes it possible to analyze the effectiveness of Facebook ads for statistical and market research purposes and to optimize future advertising campaigns.

For us as the operators of this website, the collected data is anonymous. We are not in a position to arrive at any conclusions as to the identity of users. However, Facebook archives the information and processes it, so that it is possible to make a connection to the respective user profile and Facebook is in a position to use the data for its own promotional purposes in compliance with the Facebook Data Usage Policy (https://www.facebook.com/about/privacy/). This enables Facebook to display ads on Facebook pages as well as in locations outside of Facebook. We as the operator of this website have no control over the use of such data.

The use of these services occurs on the basis of your consent pursuant to Art. 6(1)(a) GDPR and § 25(1) TTDSG. You may revoke your consent at any time.

Insofar as personal data is collected on our website with the help of the tool described here and forwarded to Facebook, we and Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland are jointly responsible for this data processing (Art. 26 GDPR). The joint responsibility is limited exclusively to the collection of the data and its forwarding to Facebook. The processing by Facebook that takes place after the onward transfer is not part of the joint responsibility. The obligations incumbent on us jointly have been set out in a joint processing agreement. The wording of the agreement can be found under: https://www.facebook.com/legal/controller_addendum. According to this agreement, we are responsible for providing the privacy information when using the Facebook tool and for the privacy-secure implementation of the tool on our website. Facebook is responsible for the data security of Facebook products. You can assert data subject rights (e.g., requests for information) regarding data processed by Facebook directly with Facebook. If you assert the data subject rights with us, we are obliged to forward them to Facebook.

Data transmission to the US is based on the Standard Contractual Clauses (SCC) of the European Commission. Details can be found here: https://www.facebook.com/legal/EU_data_transfer_addendum and https://de-de.facebook.com/help/566994660333381.

In Facebook’s Data Privacy Policies, you will find additional information about the protection of your privacy at: https://www.facebook.com/about/privacy/.

You also have the option to deactivate the remarketing function “Custom Audiences” in the ad settings section under https://www.facebook.com/ads/preferences/?entry_product=ad_settings_screen. To do this, you first have to log into Facebook.

If you do not have a Facebook account, you can deactivate any user-based advertising by Facebook on the website of the European Interactive Digital Advertising Alliance: http://www.youronlinechoices.com/de/praferenzmanagement/.

The company is certified in accordance with the “EU-US Data Privacy Framework” (DPF). The DPF is an agreement between the European Union and the US, which is intended to ensure compliance with European data protection standards for data processing in the US. Every company certified under the DPF is obliged to comply with these data protection standards. For more information, please contact the provider under the following link: https://www.dataprivacyframework.gov/s/participant-search/participant-detail?contact=true&id=a2zt0000000GnywAAC&status=Active.

7.5 Google “Looker Studio”

This website uses functions of the web analysis service Looker Studio. The provider is Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland. We use Segment for optimization and marketing purposes, above all to evaluate and analyze the use of our website and to continuously improve the user experience, offers and individual functions. In order to make our website more appealing and to continuously improve our offer, we statistically evaluate user behavior. The data we utilize in this context does not contain any direct personal reference.

Looker Studio is used on the basis of Art. 6 para. 1 lit. f GDPR. We have a legitimate interest in the best possible presentation of our website. If a corresponding consent has been requested, the processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TTDSG. Consent can be revoked at any time.

Data transfer to the USA is based on the standard contractual clauses of the EU Commission. Details can be found here: https://privacy.google.com/businesses/controllerterms/mccs/.

The company is certified in accordance with the "EU-US Data Privacy Framework" (DPF). The DPF is an agreement between the European Union and the USA, which is intended to ensure compliance with European data protection standards for data processing in the USA. Every company certified under the DPF undertakes to comply with these data protection standards. Further information on this can be obtained from the provider at the following link: https://www.dataprivacyframework.gov/s/participant-search/participant-detail?contact=true&id=a2zt000000001L5AAI&status=Active.

Further information on data processing by Looker can be found at https://looker.com/trust-center/privacy/policy.

8 Newsletter

8.1 Newsletter data

To receive additional information about the operator and its offers, you can subscribe to an e-mail newsletter. The so-called double opt-in procedure is used to send the newsletter, i.e. you will only receive a newsletter by e-mail if you have previously expressly confirmed that the newsletter service should be activated. After you have activated the newsletter, you will receive a notification e-mail with an activation link. You will not receive the newsletter until you click on this link. You can deactivate the newsletter at any time. To do so, please contact the operator or use the unsubscribe link provided in each newsletter.

The permissibility of this processing is based on Art. 6 para. 1 a) GDPR (consent). The provision of your data is necessary for the receipt of the newsletter. If you do not provide your data, you will not be able to subscribe to the newsletter or receive information from the operator.

Your data will be deleted after you withdraw your consent, unless the controller has a legitimate interest in further storage. This may be the case if the operator must continue to store your data due to a contract with you. In each case, only the data that is absolutely necessary to fulfil the relevant purpose will continue to be stored.

8.2 MailJet

This website uses Mailjet to send newsletters. The provider is Mailjet SAS, 1, rue Jules Lefebvre, 75009 Paris, France.

Mailjet is a service that can be used to organize and analyze the sending of newsletters, among other things. The data you enter for the purpose of subscribing to the newsletter is stored on Mailjet's servers by Mailjet.

With the help of Mailjet, we are able to analyze our newsletter campaigns. For example, we can see whether a newsletter message has been opened and which links have been clicked on. In this way, we can determine, among other things, which links were clicked on particularly often.

We can also recognize whether certain previously defined actions were carried out after opening/clicking (conversion rate). For example, we can recognize whether you have made a purchase after clicking on the newsletter.

Mailjet also allows us to subdivide ("cluster") newsletter recipients according to various categories. The newsletter recipients can be categorized by age, gender, or place of residence, for example. In this way, the newsletters can be better customized to the respective target groups. If you do not wish to be analyzed by Mailjet, you must unsubscribe from the newsletter. We provide a link for this purpose in every newsletter message.

Detailed information on the functions of Mailjet can be found at the following link: https://www.mailjet.de/funktion/.

You can find Mailjet's privacy policy at https://www.mailjet.de/sicherheit-datenschutz/.

8.2.1 Legal basis

You can voluntarily subscribe to our email newsletter service on our website by entering your personal details, including your email address, in the input field and then clicking on the button labelled "Subscribe".

The subscription to the newsletter and your consent required for this will only become effective when you confirm this by clicking on the link sent to you via the e-mail address you entered (so-called double opt-in procedure).

The granting of your consent is recorded by us in a log file. The following information is processed:

  • E-mail address entered;

  • Consent text;

  • Click on the "Subscribe" button;

  • Date and time of granting consent (time stamp);

  • IP address.

Your consent is logged so that we can prove it.

Processing within the scope of the newsletter is based on your consent. The legal basis for this is Art. 6 para. 1 sentence 1 lit. c GDPR.

8.2.2 Storage period

The data you provide us with for the purpose of subscribing to the newsletter will be stored by us or the newsletter service provider until you unsubscribe from the newsletter and deleted from the newsletter distribution list after you unsubscribe from the newsletter. Data stored by us for other purposes remains unaffected by this.

After you unsubscribe from the newsletter distribution list, your e-mail address may be stored by us or the newsletter service provider in a blacklist if this is necessary to prevent future mailings. The data from the blacklist will only be used for this purpose and will not be merged with other data. This serves both your interest and our interest in complying with the legal requirements when sending newsletters (legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR). Storage in the blacklist is not limited in time. You can object to the storage if your interests outweigh our legitimate interest.

We store the log data about your consent until you unsubscribe from the newsletter. The log data will then be stored by us for the duration of the limitation period for your claims (three years) plus a safety margin of one month for legal service, i.e. a total of 37 months.

8.2.3 Order processing

We have concluded a data processing agreement (DPA) for the use of the above-mentioned service. This is a contract prescribed by data protection law, which guarantees that it processes the personal data of our website visitors only in accordance with our instructions and in compliance with the GDPR.

8.2.4 Data transmission/recipients

The recipient of the data is the hosting service provider of our website (see above) and an e-mail dispatch service provider commissioned by us (Art. 28 GDPR) based in the European Union.

8.3 Newsletter mailing to existing customers

If you order goods or services from us and enter your e-mail address, this e-mail address may subsequently be used by us to send you newsletters, provided we inform you of this in advance. In such a case, only direct advertising for our own similar goods or services will be sent via the newsletter. You can unsubscribe from this newsletter at any time. There is a corresponding link in every newsletter for this purpose. In this case, the legal basis for sending the newsletter is Art. 6 (1)(f) GDPR in conjunction with Section 7 (3) UWG.

After you unsubscribe from the newsletter distribution list, we may store your email address in a blacklist to prevent future mailings to you. The data from the blacklist will only be used for this purpose and will not be merged with other data. This serves both your interest and our interest in complying with the legal requirements when sending newsletters (legitimate interest within the meaning of Art. 6 (1)(f) GDPR). Storage in the blacklist is not limited in time. You can object to the storage if your interests outweigh our legitimate interest.

9 Plug-ins and Tools

9.1 Friendly Captcha

We use Friendly Captcha (hereinafter referred to as “Friendly Captcha”) on this website. The provider is Friendly Captcha GmbH, Am Anger 3-5, 82237 Woerthsee, Germany.

Friendly Captcha is used to verify whether the entry of data into this website (e.g., into a contact form) is being processed by a person or an automated program. For this purpose, Friendly Captcha analyzes the behavior patterns of website visitors based on numerous characteristics. For the analysis, Friendly Captcha examines a wide range of information (e.g., anonymized IP address, referrer, time of the visit, etc.). For more related information please visit: https://friendlycaptcha.com/legal/privacy-end-users/.

The storage and analysis of the data occurs on the basis of Art. 6 (1)(f) GDPR. The website operator has a legitimate interest in protecting the operator’s web presentations against abusive automatic spying and SPAM. In the event that respective consent has been obtained, the data will be processed exclusively on the basis of Art. 6 (1)(a) GDPR and § 25 (1) TTDSG, if the consent comprises the storage of cookies or access to information on the user’s device (e.g., device fingerprinting) as defined in the TTDSG (German Telecommunications Act). Such consent may be revoked at any time.

9.1.1 Data processing

We have concluded a data processing agreement (DPA) for the use of the above-mentioned service. This is a contract mandated by data privacy laws that guarantees that they process personal data of our website visitors only based on our instructions and in compliance with the GDPR.

9.2 Site Search 360

We have integrated Site Search 360 into this website. The provider is SEMKNOX GmbH, Webergasse 1, Haus B/1, 01067 Dresden, Germany (hereinafter referred to as “Site Search 360”).

Site Search 360 enables us to integrate a search function into our website that allows you to search our website. If you use the search function on our website, your entries are processed on the servers of Site Search 360 to present matching search results from our website to you. For this purpose, Site Search 360 processes, among other things, your IP address, your session ID, and the interaction data. For more information, please consult the data privacy policy of Site Search 360 at https://www.sitesearch360.com/de/datenschutz/.

The use of Site Search 360 is based on Art. 6(1)(f) GDPR. The website operator has a legitimate interest in being able to ensure proper search functions on our website. If appropriate consent has been obtained, the processing is carried out exclusively on the basis of Art. 6(1)(a) GDPR and § 25 (1) TTDSG, insofar as the consent includes the storage of cookies or the access to information in the user’s end device (e.g., device fingerprinting) within the meaning of the TTDSG. This consent can be revoked at any time.

9.2.1 Data processing

We have concluded a data processing agreement (DPA) for the use of the above-mentioned service. This is a contract mandated by data privacy laws that guarantees that they process personal data of our website visitors only based on our instructions and in compliance with the GDPR.

9.3 Press mailing list

Publishers and journalists have the option of being added to the press mailing list. The following data is required for this: e-mail address. You can also provide the following information voluntarily: Publisher, editorial office, name, position / area of responsibility, address, telephone, fax, inclusion in press distribution list, message. The data will be used to inform you about product innovations and news from our company.

The permissibility of the processing is based on Art. 6 para. 1 a) GDPR (consent). The provision of your data is necessary for the receipt of the press mailing list. If you do not provide your data, you will not receive the press mailing list and will not be able to receive any information from the operator.

Your data will be deleted after you withdraw your consent, unless the controller has a legitimate interest in further storage. This may be the case if the operator must continue to store your data due to a contract with you. In each case, only the data that is absolutely necessary to fulfil the relevant purpose will continue to be stored.

9.4 Flockler

We use the Flockler service to display our social media content on our website. The provider is Flockler, Flockler Oy, Rautatienkatu 26 B 32, 33100, Tampere, Finland. With this service, we combine or bundle relevant social media channels via a so-called "social media wall" and thus display different posts from various social media channels on our website.

By interacting with the provider and the content, connections to their servers are established and your IP address is recorded/processed. This happens regardless of whether you have an account with the respective social media provider, are logged in there or not. The websites you visit are linked to your social media account (if you have a user account there or are logged in) and displayed to other users, whereby data is also transferred to the respective social media provider.

As the website operator, we have no knowledge of the content of the transmitted data or its use by or with the social media provider. You can find more information in the provider's privacy policy (https://flockler.com/privacy-policy) and via the following link, https://flockler.com/de/dsgvo.

The use of Flockler is based on Art. 6 para. 1 lit. f GDPR. We have a legitimate interest in an optimized and versatile presentation and visibility in social media.

When you visit our website (first visit with your device or after deleting your cookies in your browser), you can use the cookie banner to decide your preferences regarding our use and processing of your data for marketing purposes. The service we use, and therefore the processing of your data as part of this service, will only take place if you have given us your consent via the cookie banner or the corresponding overlay. If you have not given your consent, the content of our social media wall will not be displayed to you.

9.5 Google Storelocator

9.5.1 General information on data processing

We have integrated the Google Maps API map service of Google Ireland Limited (Google) on our website, which you can use to find specialist dealers of our products in your area. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

When using this service, you can enter the following data for the purpose of finding a dealer:

  • Street, house number;

  • Postcode, city;

  • country.

9.5.2 Scope and purposes of data processing

If you activate the search by clicking on the magnifying glass after entering your location data, the following data will be transmitted to Google. If you then click on "Find dealer", the specialist dealer search is activated.

This informs Google that you have accessed the corresponding subpage of our website. The following data is also transmitted to Google:

  • Your IP address;

  • Calling up the page with the dealer search;

  • Date and time of the enquiry;

  • the time zone difference to Greenwich Mean Time (GMT);

  • Content of the request (specific page);

  • Access status/HTTP status code;

  • amount of data transferred in each case;

  • Website from which the request originates;

  • Browser type;

  • Operating system and its interface;

  • Language and version of the browser software.

If you have a Google user account and are logged in, further personal data about you may be processed. This depends on the agreement made between you and Google. Further information on the scope and purposes of data processing by Google and your rights can be found here.

9.5.3 Data transmission/recipients

Your data will be transmitted to Google Ireland Limited and, as a rule, also to a server of Google LLC in the USA, which is affiliated with Google Ireland Limited. The transfer takes place on the basis of standard data protection clauses of the EU Commission.

The company is certified in accordance with the "EU-US Data Privacy Framework" (DPF). The DPF is an agreement between the European Union and the USA that is intended to ensure compliance with European data protection standards for data processing in the USA. Every company certified under the DPF undertakes to comply with these data protection standards. Further information on this can be obtained from the provider at the following link:

https://www.dataprivacyframework.gov/s/participant-search/participant-detail?contact=true&id=a2zt000000001L5AAI&status=Active.

9.5.4 Storage period

The processed data will be stored by Google until the purpose has been achieved and then deleted. Further information on data storage by Google Maps can be found in the data protection declaration of Google Ireland Limited (https://policies.google.com/privacy?hl=de) and at https://cloud.google.com/maps-platform/terms/.

9.6 Product reviews

9.6.1 General information on data processing

You can give us your opinion on individual products in our online shop using the "Rate now!" (“Jetzt bewerten!”) link. The following data will be processed by us:

  • The number of stars you award to the product;

  • Your e-mail address;

  • Your comment.

9.6.2 Scope and purposes of data processing

We process your data in order to publish your review on our website. We process your email address to ensure that the review is genuine, i.e. that it was written by a person and not by a computer program (bot), and to check whether you have actually purchased the reviewed product in our online shop by comparing it with our ordering system.

9.6.3 Data transmission/recipients

The recipient of the data is the hosting service provider of our website (see above).

9.6.4 Storage period

Your rating will be stored in the online shop for an indefinite period of time. However, your email address will be anonymized after two months.

9.6.5 Legal basis of the processing

The data processing is carried out on the basis of our interest in increasing the attractiveness of our product presentation by supplementing customer experiences. According to our assessment, this legitimate interest does not conflict with any overriding interests or fundamental rights and freedoms of yours (Art. 6 para. 1 f GDPR). On request, we will provide you with further information about our balancing of interests.

In some cases (authenticity check of reviews), data processing is also carried out to fulfil a corresponding legal obligation to which we are subject.

9.7 Product availability notification service (restock notifier)

9.7.1 General information on processing

If a product displayed in our online shop is temporarily out of stock, you can use the notification function to leave an e-mail address to which we will send an automated e-mail notification when the product in question becomes available again. The following data is processed when you use the notification function:

  • Your e-mail address;

  • the product in question.

The provision of your data is voluntary. However, if you do not provide this data, we will not be able to provide you with the notification function.

9.7.2 Scope and purposes of processing

We process your personal data in order to process your enquiry and to contact you for this purpose.

9.7.3 Data transmission/recipients

The recipient of the data is the hosting service provider of our website (see above).

9.7.4 Storage period

We store the data you provide to us until we have replied to you. If the product in question is not available again within six months, your data will be automatically deleted and you will not be notified.

9.7.5 Legal basis for processing

The processing is carried out because it is necessary for the implementation of pre-contractual measures (Art. 6 para. 1 b GDPR). Insofar as it is not a pre-contractual matter, the legal basis is our legitimate interest in processing your enquiry. We assume that no overriding interests or fundamental rights and freedoms of yours conflict with this (Art. 6 para. 1 f GDPR). On request, we will provide you with further information about our balancing of interests. 

10 eCommerce and payment service providers

10.1 Processing of Customer and Contract Data

We collect, process, and use personal customer and contract data for the establishment, content arrangement and modification of our contractual relationships. Data with personal references to the use of this website (usage data) will be collected, processed, and used only if this is necessary to enable the user to use our services or required for billing purposes. The legal basis for these processes is Art. 6(1)(b) GDPR.

The collected customer data shall be deleted upon completion of the order or termination of the business relationship and upon expiration of any existing statutory archiving periods. This shall be without prejudice to any statutory archiving periods.

10.2 Data transfer upon closing of contracts for online stores, retailers, and the shipment of merchandise

Whenever you order merchandise from us, we will share your personal data with the transportation company entrusted with the delivery as well as the payment service commissioned to handle the payment transactions. Only the data these respective service providers require to meet their obligations will be shared. The legal basis for this sharing is Art. 6 (1)(b) GDPR, which permits the processing of data for the fulfillment of contractual or pre-contractual obligations. If you give us your respective consent pursuant to Art. 6 (1)(a) GDPR, we will share your email address with the transportation company entrusted with the delivery so that this company can notify you on the shipping status for your order via email. You have the option to revoke your consent at any time.

10.3 Payment services

We integrate payment services of third-party companies on our website. When you make a purchase from us, your payment data (e.g. name, payment amount, bank account details, credit card number) are processed by the payment service provider for the purpose of payment processing. For these transactions, the respective contractual and data protection provisions of the respective providers apply. The use of the payment service providers is based on Art. 6(1)(b) GDPR (contract processing) and in the interest of a smooth, convenient, and secure payment transaction (Art. 6(1)(f) GDPR). Insofar as your consent is requested for certain actions, Art. 6(1)(a) GDPR is the legal basis for data processing; consent may be revoked at any time for the future.

We use the following payment services / payment service providers within the scope of this website:

10.3.1 PayPal

The provider of this payment service is PayPal (Europe) S.à.r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg (hereinafter “PayPal”).

Data transmission to the US is based on the Standard Contractual Clauses (SCC) of the European Commission. Details can be found here: https://www.paypal.com/de/webapps/mpp/ua/pocpsa-full.

Details can be found in PayPal’s privacy policy: https://www.paypal.com/de/webapps/mpp/ua/privacy-full.

10.3.2 Apple Pay

The payment service provider is Apple Inc, Infinite Loop, Cupertino, CA 95014, USA. The Apple privacy policy can be found at: https://www.apple.com/legal/privacy/de-ww/.

10.3.3 Klarna

The supplier is Klarna AB, Sveavägen 46, 111 34 Stockholm, Sweden (hereinafter “Klarna”). Klarna offers various payment options (e.g., hire purchase). If you choose to pay with Klarna (Klarna checkout solution), Klarna will collect various personal data from you. Klarna uses cookies to optimize the use of Klarna checkout solution. For details on the use of Klarna cookies, please see the following link: https://cdn.klarna.com/1.0/shared/content/policy/cookie/de_de/checkout.pdf.

Details can be found in Klarna’s privacy policy under the following link: https://www.klarna.com/de/datenschutz/.

10.3.4 Mollie

The provider of this payment service is Mollie B.V, Keizersgracht 126, 1015CW Amsterdam, Netherlands (hereinafter "Mollie"). With the help of Mollie, we can integrate various payment methods on our website. Details can be found in Mollie's privacy policy: https://www.mollie.com/de/privacy.

10.3.5 American Express

The provider of this payment service is the American Express Europe S.A., Theodor-Heuss-Allee 112, 60486 Frankfurt am Main, Germany (hereinafter “American Express”).

American Express may transfer data to its parent company in the US. The data transfer to the US is based on the Binding Corporate Rules. Details can be found here: https://www.americanexpress.com/en-nl/company/legal/privacy-centre/european-implementing-principles/.

For more information, please see the American Express privacy policy: https://www.americanexpress.com/de/legal/online-datenschutzerklarung.html.

10.3.6 Mastercard

The provider of this payment service is the Mastercard Europe SA, Chaussée de Tervuren 198A, B-1410 Waterloo, Belgium (hereinafter “Mastercard”).

Mastercard may transfer data to its parent company in the US. The data transfer to the US is based on Mastercard's Binding Corporate Rules. Details can be found here: https://www.mastercard.de/de-de/datenschutz.html and https://www.mastercard.us/content/dam/mccom/global/documents/mastercard-bcrs.pdf.

10.3.7 VISA

The provider of this payment service is the Visa Europe Services Inc, London Branch, 1 Sheldon Square, London W2 6TT, United Kingdom (hereinafter “VISA”).

Great Britain is considered a secure non-EU country as far as data protection legislation is concerned. This means that the data protection level in Great Britain is equivalent to the data protection level of the European Union.

VISA may transfer data to its parent company in the US. The data transfer to the US is based on the standard contractual clauses of the EU Commission. Details can be found here: https://www.visa.de/nutzungsbedingungen/visa-globale-datenschutzmitteilung/mitteilung-zu-zustandigkeitsfragen-fur-den-ewr.html.

For more information, please refer to VISA’s privacy policy: https://www.visa.de/nutzungsbedingungen/visa-privacy-center.html.

11 Online-based Audio and Video Conferences (Conference tools)

11.1 Data processing

We use online conference tools, among other things, for communication with our customers. The tools we use are listed in detail below. If you communicate with us by video or audio conference using the Internet, your personal data will be collected and processed by the provider of the respective conference tool and by us. The conferencing tools collect all information that you provide/access to use the tools (email address and/or your phone number). Furthermore, the conference tools process the duration of the conference, start and end (time) of participation in the conference, number of participants and other “context information” related to the communication process (metadata).

Furthermore, the provider of the tool processes all the technical data required for the processing of the online communication. This includes, in particular, IP addresses, MAC addresses, device IDs, device type, operating system type and version, client version, camera type, microphone or loudspeaker and the type of connection.

Should content be exchanged, uploaded, or otherwise made available within the tool, it is also stored on the servers of the tool provider. Such content includes, but is not limited to, cloud recordings, chat/instant messages, voicemail, uploaded photos and videos, files, whiteboards, and other information shared while using the service.

Please note that we do not have complete influence on the data processing procedures of the tools used. Our possibilities are largely determined by the corporate policy of the respective provider. Further information on data processing by the conference tools can be found in the data protection declarations of the tools used, which we have listed below this text.

11.2 Purpose and legal bases

The conference tools are used to communicate with prospective or existing contractual partners or to offer certain services to our customers (Art. 6(1)(b) GDPR). Furthermore, the use of the tools serves to generally simplify and accelerate communication with us or our company (legitimate interest in the meaning of Art. 6(1)(f) GDPR). Insofar as consent has been requested, the tools in question will be used on the basis of this consent; the consent may be revoked at any time with effect from that date.

11.3 Duration of storage

Data collected directly by us via the video and conference tools will be deleted from our systems immediately after you request us to delete it, revoke your consent to storage, or the reason for storing the data no longer applies. Stored cookies remain on your end device until you delete them. Mandatory legal retention periods remain unaffected.

We have no influence on the duration of storage of your data that is stored by the operators of the conference tools for their own purposes. For details, please directly contact the operators of the conference tools.

11.4 Conference tools used

We employ the following conference tools:

11.4.1 Zoom

We use Zoom. The provider of this service is Zoom Communications Inc, San Jose, 55 Almaden Boulevard, 6th Floor, San Jose, CA 95113, USA. For details on data processing, please refer to Zoom’s privacy policy: https://explore.zoom.us/en/privacy/.

Data transmission to the US is based on the Standard Contractual Clauses (SCC) of the European Commission. Details can be found here: https://explore.zoom.us/en/privacy/.

Data processing

We have concluded a data processing agreement (DPA) for the use of the above-mentioned service. This is a contract mandated by data privacy laws that guarantees that they process personal data of our website visitors only based on our instructions and in compliance with the GDPR.

11.4.2 Microsoft Teams

We use Microsoft Teams. The provider is the Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland. For details on data processing, please refer to the Microsoft Teams privacy policy: https://privacy.microsoft.com/en-us/privacystatement.

The company is certified in accordance with the “EU-US Data Privacy Framework” (DPF). The DPF is an agreement between the European Union and the US, which is intended to ensure compliance with European data protection standards for data processing in the US. Every company certified under the DPF is obliged to comply with these data protection standards. For more information, please contact the provider under the following link: https://www.dataprivacyframework.gov/s/participant-search/participant-detail?contact=true&id=a2zt0000000KzNaAAK&status=Active.

Data processing

We have concluded a data processing agreement (DPA) for the use of the above-mentioned service. This is a contract mandated by data privacy laws that guarantees that they process personal data of our website visitors only based on our instructions and in compliance with the GDPR.

12 Custom Services

12.1 Handling applicant data

We offer website visitors the opportunity to submit job applications to us (e.g., via e-mail, via postal services or by submitting the online job application form). Below, we will brief you on the scope, purpose and use of the personal data collected from you in conjunction with the application process. We assure you that the collection, processing, and use of your data will occur in compliance with the applicable data privacy rights and all other statutory provisions and that your data will always be treated as strictly confidential.

12.2 Scope and purpose of the collection of data

If you submit a job application to us, we will process any affiliated personal data (e.g., contact and communications data, application documents, notes taken during job interviews, etc.), if they are required to make a decision concerning the establishment of an employment relationship. The legal grounds for the aforementioned are § 26 BDSG according to German Law (Negotiation of an Employment Relationship), Art. 6(1)(b) GDPR (General Contract Negotiations) and – provided you have given us your consent – Art. 6(1)(a) GDPR. You may revoke any consent given at any time. Within our company, your personal data will only be shared with individuals who are involved in the processing of your job application.

If your job application should result in your recruitment, the data you have submitted will be archived on the grounds of § 26 BDSG and Art. 6(1)(b) GDPR for the purpose of implementing the employment relationship in our data processing system.

12.3 Data Archiving Period

If we are unable to make you a job offer or you reject a job offer or withdraw your application, we reserve the right to retain the data you have submitted on the basis of our legitimate interests (Art. 6(1)(f) GDPR) for up to 6 months from the end of the application procedure (rejection or withdrawal of the application). Afterwards the data will be deleted, and the physical application documents will be destroyed. The storage serves in particular as evidence in the event of a legal dispute. If it is evident that the data will be required after the expiry of the 6-month period (e.g., due to an impending or pending legal dispute), deletion will only take place when the purpose for further storage no longer applies.

Longer storage may also take place if you have given your agreement (Article 6(1)(a) GDPR) or if statutory data retention requirements preclude the deletion.

12.4 Admission to the applicant pool

If we do not make you a job offer, you may be able to join our applicant pool. In case of admission, all documents and information from the application will be transferred to the applicant pool in order to contact you in case of suitable vacancies.

Admission to the applicant pool is based exclusively on your express agreement (Art. 6(1)(a) GDPR). Giving this agreement is voluntary and has no relation to the ongoing application procedure. The affected person can revoke their agreement at any time. In this case, the data from the applicant pool will be irrevocably deleted, provided there are no legal reasons for storage.

The data from the applicant pool will be irrevocably deleted no later than two years after consent has been granted.

12.5 Applicant portal

Users have the opportunity to apply for job vacancies advertised by the operator via the website. The operator uses a software application from Sage GmbH, Franklinstraße 61-63, 60486 Frankfurt am Main, Germany, for this purpose.

The operator collects a range of personal data via an application form. Specifically, the following information is requested:

  • Master data: Title, first name, surname, street, postcode, city, country, telephone, e-mail

  • General data: Information about the job offer

  • School, training, profession: School-leaving certificate, completed studies, completed vocational training

Users also have the option of applying with their own finest-jobs or LinkedIn profile. For this purpose, the user needs a corresponding profile.

If the user clicks on the button "Apply with finest jobs profile" or "Apply with LinkedIn profile", they will be redirected to the page of the corresponding network where they can log in with their user data. During this process, a link is created with the user's corresponding profile. This automatically transmits the user's data stored there to the operator (including surname, first name, email address, profile photo, profile, and application data). The transmitted data is mandatory for the application. Further information on the processing of personal data in this context can be found at the respective portal operators LinkedIn (https://www.linkedin.com/legal/privacy-policy) and Finest-Jobs (www.finest-jobs.com/Datenschutz).

The user also has the option of providing their own files and sending them to the operator:

  • Attachments: Photo, cover letter, CV, references, confirmations / certificates, other attachments

All data provided to the operator in the context of the applicant portal is transmitted via a secure, i.e. encrypted connection. The permissibility of this processing is based on § 26 BDSG (application procedure). The provision of your data is necessary for participation in the application process and the conclusion of a contract with the operator. If you provide no information or incomplete information, the operator will not consider you in the application process.

Application documents received by the operator will be stored for 3 months after rejection, unless the applicant has given consent for longer storage.

Further information can be found in the privacy policy on our careers page.

12.6 Links to third party websites

When visiting the website, content may be displayed that is linked to third-party websites. The operator has no access to the cookies or other functions used by third-party sites, nor can the operator control them. Such third-party sites are not subject to the operator's data protection provisions.