Status: Feb 2022
Responsible: viadee Unternehmensberatung AG, Anton-Bruchausen-Str. 8, 48147 Münster. Commercial register/no: HRB 17380. Managing directors: Rita Helter, Dr. Volker Oshege. Phone number: +49 (0)251 7777 70. E-mail address: firstname.lastname@example.org
Data protection officer: Ms Heike Wedekind, Datenschutz süd GmbH, Oskar-Jäger-Straße 50, 50825 Köln, Phone number: +49 221 179 186 0, E-mail address: email@example.com
If you have any questions regarding data protection, please first contact our data protection coordinator at firstname.lastname@example.org.
1. BASIC PRINCIPLES FOR PROCESSING DATA; LEGAL BASIS
1.1. This privacy statement explains to you the nature, scope and purpose of the personal data processed within our online offering and the websites, functions and content associated with it (hereinafter jointly referred to as “online offering” or “website”) as well as within the products, solutions and consulting services of our company (hereinafter referred to as “products and services”). The privacy statement applies regardless of the domains, systems, platforms and devices used (e.g. desktop or mobile) on which the online offering or our products and solutions are handled.
1.2. As regards the use of terms such as “personal data” or “data processing”, we refer to the definitions in Art. 4 General Data Protection Regulation (GDPR).
1.3. The personal data of the users processed within the scope of the online offering, products and services include the general data (e.g. names and addresses of customers), contract data (e.g. services used, names of the responsible persons, payment information), usage data (e.g. the visited pages of our website, interest in our products) and content data (e.g., entries in contact forms).
1.4. The term “user” covers all categories of data subjects affected by data processing. These include our business partners, customers, interested parties and other visitors to our website. Terms such as “user” are used in a gender-neutral sense.
1.5. We process users’ personal data only in compliance with the relevant data protection regulations. This means that users’ data is only processed if legal permission has been given for this. This refers in particular to data processing that is necessary for providing our contractual services (e.g. processing of orders) and online services, or that is required by law or if consent has been given by the user as well as on the basis of our legitimate interests (i.e. interest in analysing, optimising and efficiently operating our website and in securing our online offering within the meaning of Art. 6 (1) lit. f. GDPR, particularly for range measurement, creating profiles for advertising and marketing purposes, collecting access data and using the services of third parties).
1.6. The legal basis for obtaining consent is Art. 6 (1) lit. a. and Art. 7 GDPR, the legal basis for processing data to enable us to perform our services and carry out contractual measures is Art. 6 (1) lit. b. GDPR, the legal basis for processing data to enable us to fulfil our legal obligations is Art. 6 (1) lit. c. GDPR and the legal basis for processing data to preserve our legitimate interests is Art. 6 (1) lit. f. GDPR.
2. SECURITY MEASURES
2.1. We apply organisational, contractual and technical security measures in accordance with the latest technological standards to ensure that the provisions of the data protection laws are complied with and to thereby protect the data processed by us from accidental or intentional manipulation, loss, destruction or from access by unauthorised persons.
2.2. The security measures include in particular the encrypted transmission of data between your browser and our server.
3. DATA TRANSFER TO THIRD PARTIES AND THIRD-PARTY SUPPLIERS
3.1. Data is only passed on to third parties within the framework of legal requirements. We only pass on user data to third parties if, for example, this is necessary for contractual purposes on the basis of Art. 6 (1) lit. b) GDPR or for legitimate interests in efficiently and effectively managing our business operations pursuant to Art. 6 (1) lit. f. GDPR.
3.2. If we use subcontractors to provide our services, we will take appropriate legal precautions and corresponding technical and organisational measures to ensure the protection of personal data in accordance with the relevant statutory provisions.
3.3. If content, tools or solutions of other providers (hereinafter jointly referred to as “third party providers”) are used within the scope of this privacy statement and their named offices are domiciled in a third country, it must be assumed that data is transferred to the country of domicile of the third party providers. Third countries are countries in which the GDPR is not a directly applicable law, i.e. countries outside the EU or the European Economic Area. Data is transferred to third countries either if there is an appropriate level of data protection, if the user has consented to the aforesaid transfer or other legal permission has been obtained.
4. PROVISION OF CONTRACTUAL SERVICES
4.1. We process general data (e.g. names and addresses as well as contact data of users), contract data (e.g. services used, names of contact persons, payment information) for the purpose of fulfilling our contractual obligations and services in accordance with Art. 6 (1) lit. b GDPR.
4.2. Within the context of registering and renewing logins, we store the IP address and the time of user action. The storage is based on our legitimate interests and is also done to protect users against misuse and other unauthorised use. This data will not be passed on to third parties unless it is necessary to assert our claims or we are obliged to do so by law pursuant to Art. 6 (1) lit. c GDPR.
4.3. We process usage data (e.g. the visited pages of our website, interest in our products) and content data (e.g., entries in the contact form or user profile) for advertising purposes in a user profile in order to display product information to the user based, for example, on the services they have previously used.
5.1. When contacting us (via the contact form or e-mail), the user’s details are processed in order to handle the contact request and its settlement in accordance with Art. 6 (1) lit. b) GDPR.
5.2. The user data can be stored in our Customer Relationship Management System (“CRM system”) or comparable inquiry system. We use the marketing automation system “HubSpot” of the provider HubSpot, Inc., HubSpot Headquarters (Cambridge, MA) 25 First St., 2nd floor Cambridge, Massachusetts 02141 on the basis of our legitimate interests (efficient and fast processing of user requests). For this purpose we have signed a contract with HubSpot containing so-called standard contractual clauses in which HubSpot agrees to process user data only in accordance with our instructions and to comply with the EU data protection laws. Moreover, HubSpot is certified under the Privacy Shield Agreement which provides an additional guarantee of compliance with European data protection laws. HubSpot is an integrated software solution that covers various aspects of our online marketing. These include:
- E-mail marketing (newsletters and automated mailings, e.g. for providing downloads)
- Social media publishing and reporting
- Reporting and data processing (tracking e.g. traffic sources, access, etc. …)
- Contact management (e.g. user segmentation and CRM)
- Landing pages and contact forms
6. COMMENTS AND CONTRIBUTIONS
6.1. If users leave comments or make other contributions, their IP addresses are stored on the basis of our legitimate interests within the meaning of Art. 6 (1) lit. f. GDPR.
6.2. This is done for security reasons if someone writes illegal content (insults, forbidden political propaganda etc.) in comments and contributions. In cases of this kind, we ourselves could be held responsible for the comment or contribution and are therefore interested in the identity of the author.
7. COLLECTING ACCESS DATA AND LOGFILES
7.1. On the basis of our legitimate interests within the meaning of Art. 6 (1) lit. f. GDPR, we collect data on each access to the server on which this service is located (so-called server log files). The access data includes the name of the website accessed, file, date and time of access, amount of data transferred, notification of successful access, browser type and version, the user’s operating system, referrer URL (the previously visited page), IP address and the requesting provider.
7.2. Log file information is stored for security reasons (e.g. to clarify misuse or fraud) for a maximum period of twelve months and then deleted. Access data includes: name of the website accessed, file, date and time of access, amount of data transferred, notification of successful access, browser type and version, user’s operating system, referrer URL (previously visited page), IP address and requesting provider. The provider uses the log data only for statistical evaluation purposes to enable the offering to be operated, rendered secure and optimised. However, the provider reserves the right to subsequently check the log data if there is a justified suspicion of illegal use on the basis of concrete indications. Data that needs to be further stored for evidence purposes is excluded from deletion until the respective incident has been finally clarified.
8. COOKIES & RANGE MEASUREMENT
9. GOOGLE ANALYTICS
11. INTEGRATING SERVICES AND CONTENTS OF THIRD PARTIES
11.1. As part of our online offering, we use content or service offerings of third parties on the basis of our legitimate interests (i.e. interest in analysing, optimising and efficiently operating our online offering within the meaning of Art. 6 (1) lit. f. GDPR) in order to integrate their content and services, such as videos or fonts (hereinafter jointly referred to as “content”). This always presupposes that the third-party providers of this content can note the user’s IP address, otherwise they would not be able to send the content to the browsers of the aforesaid users without the IP address. The IP address is therefore required for presenting this content. We endeavour to only use the content of providers that use the IP address solely for the distribution of content. Third parties can also use so-called pixel tags (invisible graphics, also known as “web beacons”) for statistical or marketing purposes. The pixel tags can be used to evaluate information such as visitor traffic on the pages of this website. The pseudonymous information can also be stored in cookies on the user’s device and can include technical information about the browser and operating system, referring websites, visiting times and other information about the use of our website, and can also be linked to such information from other sources.
11.2. Below is a list of the third-party providers and their contents, along with links to their privacy statements which contain further information on how data is processed and on the opt-out possibilities, some of which have already been named here:
12. USER RIGHTS
12.1. Users have the right, upon request and free of charge, to obtain information about the personal data we have stored about them.
12.2. Users also have the right to demand correction of their incorrect data, to have the processing of their personal data restricted or have it deleted, and are entitled, where applicable, to exercise their rights in respect of data portability and, in the event of suspicion of unlawful data processing, to file a complaint at the competent supervisory authority.
12.3. Users can also revoke their consent, in all cases with effect for the future.
13. DELETION OF DATA
13.1. The data stored by us will be deleted as soon as it is no longer required for the intended purpose and provided no legal obligations exist to retain said data. If the user’s data is not deleted because it is required for other and legally permissible purposes, its processing will be restricted. This means that the data will be blocked and not processed for other purposes. This applies, for example, to user data that must be stored for commercial or tax reasons.
13.2. In accordance with legal requirements, the storage period for commercial accounts, inventories, opening balance sheets, annual financial statements, business letters, accounting vouchers etc. under section 257 (1) HGB (German Commercial Code) is 6 years and for accounts, records, management reports, accounting vouchers, commercial and business letters, taxation-relevant documents etc. under section 147 (1) AO (German Fiscal Code) 10 years.
14. REVOCATION RIGHT
Users may at any time object to the future processing of their personal data in accordance with the statutory provisions. The objection may in particular be lodged against processing for the purposes of direct marketing.
15. CHANGES TO THE PRIVACY STATEMENT
15.1. We reserve the right to change our privacy statement in order to adapt it to altered legal situations or in the event of changes to the service or data processing. However, this only applies to declarations regarding data processing. If users are required to give consent or components of the privacy statement contain provisions concerning the contractual relationship with the users, the changes will only be made with the consent of the users.
15.2. Users are requested to inform themselves regularly about the content of the privacy statement.