Privacy Policy
Preamble
With the following privacy policy, we would like to inform you about which types of your personal data (hereinafter also referred to as "data") we process, for what purposes and to what extent. This privacy policy applies to all processing of personal data carried out by us, both in the context of providing our services and in particular on our websites, in mobile applications and within external online presences, such as our social media profiles (hereinafter collectively referred to as the "online offering").
The terms used are not gender-specific.
Last updated: 1 May 2026
Table of Contents
- Preamble
- Controller
- Overview of Processing Activities
- Relevant Legal Bases
- Security Measures
- Transmission of Personal Data
- International Data Transfers
- General Information on Data Retention and Deletion
- Rights of Data Subjects
- Business Services
- Business Processes and Procedures
- Use of Online Platforms for Offerings and Sales
- Provision of the Online Offering and Web Hosting
- Use of Cookies
- Special Notes on Applications (Apps)
- Registration, Login and User Accounts
- Contact and Enquiry Management
- Cloud Services
- Newsletters and Electronic Notifications
- Competitions and Prize Draws
- Surveys and Questionnaires
- Web Analytics, Monitoring and Optimisation
- Online Marketing
- Customer Reviews and Rating Processes
- Presence on Social Networks (Social Media)
- Plug-ins and Embedded Functions and Content
- Processing of Data in the Context of Employment Relationships
- Application Procedures
- Changes and Updates
- Definitions
Controller
Rieke Ehlers
Hal över Bremer Fahrgastschifffahrt GmbH
Schlachte 2
28195 Bremen
Data Protection Officer
Marcel Felgenhauer
Mprotect365 GmbH
Email: datenschutz@hal-oever.de
Phone: +49 (0)421 33 89 89
Imprint: https://www.hal-oever.de
Overview of Processing Activities
The following overview summarises the types of data processed and the purposes of their processing, and refers to the data subjects concerned.
Types of Data Processed
- Master data.
- Employee data.
- Payment data.
- Location data.
- Contact data.
- Content data.
- Contract data.
- Usage data.
- Meta, communication and process data.
- Social data.
- Applicant data.
- Images and/or video recordings.
- Log data.
- Performance and behavioural data.
- Working time data.
- Credit rating data.
- Salary data.
Special Categories of Data
- Health data.
- Religious or philosophical beliefs.
- Trade union membership.
Categories of Data Subjects
- Service recipients and clients.
- Employees.
- Prospective customers.
- Communication partners.
- Users.
- Applicants.
- Competition and prize draw participants.
- Business and contractual partners.
- Participants.
- Third parties.
- Customers.
Purposes of Processing
- Provision of contractual services and fulfilment of contractual obligations.
- Communication.
- Security measures.
- Direct marketing.
- Reach measurement.
- Tracking.
- Office and organisational procedures.
- Conversion measurement.
- Click tracking.
- Audience targeting.
- A/B testing.
- Organisational and administrative procedures.
- Application procedures.
- Conducting competitions and prize draws.
- Feedback.
- Heatmaps.
- Surveys and questionnaires.
- Marketing.
- Profiles containing user-related information.
- Provision of our online offering and user experience.
- Assessment of creditworthiness.
- Establishment and conduct of employment relationships.
- IT infrastructure.
- Financial and payment management.
- Public relations.
- Sales promotion.
- Business processes and commercial procedures.
Relevant Legal Bases
Relevant legal bases under the GDPR: The following provides an overview of the legal bases under the GDPR on which we process personal data. Please note that, in addition to the provisions of the GDPR, national data protection regulations may apply in your or our country of residence or establishment. Where more specific legal bases are applicable in individual cases, we will inform you of these in this privacy policy.
- Consent (Art. 6(1)(a) GDPR) – The data subject has given consent to the processing of their personal data for one or more specific purposes.
- Performance of a contract and pre-contractual enquiries (Art. 6(1)(b) GDPR) – Processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract.
- Legal obligation (Art. 6(1)(c) GDPR) – Processing is necessary for compliance with a legal obligation to which the controller is subject.
- Legitimate interests (Art. 6(1)(f) GDPR) – Processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.
- Application procedures as pre-contractual or contractual relationships (Art. 6(1)(b) GDPR) – Where special categories of personal data within the meaning of Art. 9(1) GDPR (e.g. health data such as severe disability status, or ethnic origin) are requested from applicants during the application process, their processing is carried out in accordance with Art. 9(2)(b) GDPR, or in the case of protecting the vital interests of applicants or other persons pursuant to Art. 9(2)(c) GDPR, or for purposes of preventive health care, occupational medicine, assessment of working capacity, medical diagnosis, or provision of health or social care pursuant to Art. 9(2)(h) GDPR. Where special categories of data are disclosed on the basis of voluntary consent, processing is carried out on the basis of Art. 9(2)(a) GDPR.
- Processing of special categories of personal data relating to health, occupation and social security (Art. 9(2)(h) GDPR) – Processing is necessary for the purposes of preventive or occupational medicine, assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services.
National data protection regulations in Germany: In addition to the data protection provisions of the GDPR, national data protection regulations apply in Germany. These include in particular the Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG), which contains specific provisions on the right of access, the right to erasure, the right to object, the processing of special categories of personal data, processing for other purposes and transmission, as well as automated individual decision-making, including profiling. The data protection laws of the individual German federal states may also apply.
Note on the applicability of the GDPR and the Swiss DPA: These privacy notices serve both to provide information pursuant to the Swiss Federal Act on Data Protection (DSG) and pursuant to the General Data Protection Regulation (GDPR). For this reason, please note that the terminology used is that of the GDPR, given its broader geographical scope and comprehensibility. In particular, instead of the terms used in the Swiss DSG such as "processing" of "personal data", "overriding interest" and "particularly sensitive personal data", the GDPR terms "processing" of "personal data", "legitimate interest" and "special categories of data" are used. The legal meaning of these terms will, however, continue to be determined in accordance with the Swiss DSG where it applies.
Security Measures
We implement appropriate technical and organisational measures in accordance with legal requirements, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons, in order to ensure a level of security appropriate to the risk.
These measures include in particular safeguarding the confidentiality, integrity and availability of data by controlling physical and electronic access to the data, as well as its access, input, transmission, availability and separation. We have also established procedures to ensure the exercise of data subject rights, the deletion of data and responses to data security incidents. Furthermore, we take the protection of personal data into account from the outset when developing or selecting hardware, software and procedures, in accordance with the principle of data protection by design and by default.
TLS/SSL encryption for online connections (HTTPS): To protect data transmitted via our online services from unauthorised access, we use TLS/SSL encryption technology. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the cornerstones of secure data transmission on the internet. These technologies encrypt information transmitted between the website or app and the user's browser (or between two servers), protecting the data from unauthorised access. TLS, the more advanced and secure successor to SSL, ensures that all data transmissions comply with the highest security standards. When a website is secured with an SSL/TLS certificate, this is indicated by HTTPS in the URL, which signals to users that their data is being transmitted securely and in encrypted form.
Transmission of Personal Data
In the course of processing personal data, it may be transmitted to or disclosed to other entities, companies, legally independent organisational units or persons. Recipients of such data may include, for example, service providers entrusted with IT tasks or providers of services and content integrated into a website. In such cases, we comply with legal requirements and in particular conclude appropriate contracts or agreements serving to protect your data with the recipients thereof.
Intra-organisational data transfers: We may transfer personal data to other companies within our corporate group or grant them access thereto. Where such transfers are made for administrative purposes, they are based on our legitimate business interests, or where necessary for the fulfilment of our contractual obligations, or where the data subjects have consented or there is a statutory permission.
International Data Transfers
Data processing in third countries: Where we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)), or where processing takes place in the context of using third-party services or disclosure or transfer of data to other persons, entities or companies, this is done only in accordance with legal requirements. Where the level of data protection in the third country has been recognised by an adequacy decision (Art. 45 GDPR), this serves as the basis for the data transfer. Otherwise, data transfers take place only where the level of data protection is otherwise safeguarded, in particular by standard contractual clauses (Art. 46(2)(c) GDPR), explicit consent, or in the case of contractually or legally required transfers (Art. 49(1) GDPR). We will additionally inform you of the basis for third-country transfers for the individual providers in third countries, with adequacy decisions taking precedence as a basis. Information on third-country transfers and applicable adequacy decisions can be found in the EU Commission's information portal: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection_en.
EU-US Trans-Atlantic Data Privacy Framework: As part of the so-called "Data Privacy Framework" (DPF), the EU Commission has also recognised the level of data protection for certain companies from the USA as adequate under the adequacy decision of 10 July 2023. The list of certified companies and further information about the DPF can be found on the website of the US Department of Commerce at https://www.dataprivacyframework.gov/. We will inform you in our privacy notices which of the service providers we use are certified under the Data Privacy Framework.
General Information on Data Retention and Deletion
In accordance with statutory provisions, we delete the personal data we process as soon as the underlying consent is withdrawn or no other legal basis for processing applies. This covers cases where the original purpose of processing no longer applies or the data is no longer required. Exceptions apply where statutory obligations or special interests require longer retention or archiving of the data.
In particular, data that must be retained for commercial or tax law reasons, or whose retention is necessary for the pursuit of legal claims or for the protection of the rights of other natural or legal persons, must be archived accordingly.
Our privacy notices contain additional information on the retention and deletion of data that applies specifically to certain processing activities.
Where multiple retention or deletion periods are specified for a piece of data, the longest period shall always prevail.
Where a period does not expressly begin on a specific date and is at least one year in length, it shall automatically commence at the end of the calendar year in which the event triggering the period occurred. In the case of ongoing contractual relationships in the context of which data is stored, the triggering event is the date on which termination or other ending of the legal relationship takes effect.
Data that is no longer retained for its original purpose but is kept due to statutory requirements or other reasons is processed exclusively for the reasons justifying its retention.
Further notes on processing activities, procedures and services:
- Retention and deletion of data: The following general retention and archiving periods apply under German law:
  - 10 years – Books and records, annual financial statements, inventories, management reports, opening balance sheets, working instructions and other organisational documents, accounting records and invoices (§ 147(3) in conjunction with (1) nos. 1, 4 and 4a AO; § 14b(1) UStG; § 257(1) nos. 1 and 4, (4) HGB).
  - 6 years – Other business documents: received commercial or business letters, copies of sent commercial or business letters, other documents relevant for tax purposes (§ 147(3) in conjunction with (1) nos. 2, 3 and 5 AO; § 257(1) nos. 2 and 3, (4) HGB).
  - 3 years – Data required to account for potential warranty and damages claims or similar contractual claims and rights, and to deal with related enquiries, based on past business experience and common industry practice, are retained for the duration of the standard statutory limitation period of three years (§§ 195, 199 BGB).
Rights of Data Subjects
Rights of data subjects under the GDPR: As a data subject, you have various rights under the GDPR, which arise in particular from Arts. 15 to 21 GDPR:
- Right to object: You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is based on Art. 6(1)(e) or (f) GDPR, including profiling based on those provisions. Where personal data concerning you is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing.
- Right to withdraw consent: You have the right to withdraw any consent given at any time.
- Right of access: You have the right to request confirmation as to whether data concerning you is being processed and to obtain access to such data and further information, as well as a copy of the data, in accordance with statutory requirements.
- Right to rectification: You have the right, in accordance with statutory requirements, to request the completion or rectification of inaccurate data concerning you.
- Right to erasure and restriction of processing: You have the right, in accordance with statutory requirements, to request the immediate erasure of data concerning you, or alternatively, to request restriction of the processing of such data.
- Right to data portability: You have the right to receive data concerning you that you have provided to us, in a structured, commonly used and machine-readable format, or to request its transmission to another controller, in accordance with statutory requirements.
- Right to lodge a complaint with a supervisory authority: You also have the right, in accordance with statutory requirements and without prejudice to any other administrative or judicial remedy, to lodge a complaint with a data protection supervisory authority, in particular in the member state of your habitual residence, your place of work or the place of the alleged infringement, if you consider that the processing of personal data relating to you infringes the GDPR.
Business Services
We process data of our contractual and business partners, e.g. customers and prospective customers (collectively referred to as "contractual partners"), in the context of contractual and comparable legal relationships and related measures, and in connection with communication with contractual partners (or pre-contractually), for example to respond to enquiries.
We use this data to fulfil our contractual obligations. These include in particular the obligations to provide the agreed services, any update obligations, and remedies in the event of defects and other service disruptions. We also use the data to protect our rights and for the purposes of the administrative tasks associated with these obligations and the organisation of the business. We additionally process the data on the basis of our legitimate interests in proper and commercially sound business management and in security measures to protect our contractual partners and our business operations from misuse, jeopardisation of their data, trade secrets, information and rights (e.g. involving the engagement of telecommunications, transport and other auxiliary services and sub-contractors, banks, tax and legal advisors, payment service providers or financial authorities). Within the scope of applicable law, we only disclose contractual partners' data to third parties to the extent necessary for the aforementioned purposes or to fulfil statutory obligations. Contractual partners will be informed of any further forms of processing, e.g. for marketing purposes, in this privacy policy.
We notify contractual partners of which data is required for the aforementioned purposes prior to or during data collection, e.g. in online forms, by means of specific markings (e.g. colours) or symbols (e.g. asterisks), or in person.
We delete data upon expiry of statutory warranty and comparable obligations, i.e. generally after four years, unless the data is stored in a customer account, e.g. for as long as it must be retained for legal archiving purposes (typically ten years for tax purposes). Data disclosed to us by a contractual partner in the context of an order is deleted in accordance with the specifications of the order and generally at the end of the order.
- Types of data processed: Master data; payment data; contact data; contract data; usage data; meta, communication and process data.
- Data subjects: Service recipients and clients; prospective customers; business and contractual partners.
- Purposes of processing: Provision of contractual services and fulfilment of contractual obligations; security measures; communication; office and organisational procedures; organisational and administrative procedures; business processes and commercial procedures.
- Retention and deletion: Deletion in accordance with the information in the section "General Information on Data Retention and Deletion".
- Legal bases: Performance of a contract and pre-contractual enquiries (Art. 6(1)(b) GDPR); legal obligation (Art. 6(1)(c) GDPR); legitimate interests (Art. 6(1)(f) GDPR).
Further notes on processing activities, procedures and services:
- Online shop, order forms, e-commerce and fulfilment: We process customer data to enable them to select, purchase or order chosen products, goods and related services, as well as to arrange payment and delivery or execution. Where necessary to fulfil an order, we use service providers, in particular postal, freight and delivery companies. For the processing of payment transactions, we use the services of banks and payment service providers. The required information is identified as such in the course of the ordering or comparable purchasing process. Legal bases: Performance of a contract and pre-contractual enquiries (Art. 6(1)(b) GDPR).
- Event management: We process data of participants in events, activities and similar offerings organised or hosted by us (referred to collectively as "participants" and "events"), to enable them to participate and to make use of associated services or activities. Where we process health-related data, religious, political or other special categories of data in this context, this is done on the basis of its being manifest (e.g. in the case of thematically oriented events), or for purposes of health care or safety, or with the consent of the data subjects. The required information is identified as such in the course of the order, booking or comparable contractual process. Legal bases: Performance of a contract and pre-contractual enquiries (Art. 6(1)(b) GDPR).
Business Processes and Procedures
Personal data of service recipients and clients – including customers, clients, and in specific cases principals, patients or business partners, as well as other third parties – is processed in the context of contractual and comparable legal relationships and pre-contractual measures such as the initiation of business relationships. This data processing supports and facilitates operational workflows in areas such as customer management, sales, payment processing, accounting and project management.
The data collected serves to fulfil contractual obligations and to manage business processes efficiently. This includes processing business transactions, managing customer relationships, optimising sales strategies and ensuring internal invoicing and financial processes. In addition, data supports the enforcement of the controller's rights and facilitates administrative tasks and the organisation of the business.
Personal data may be transferred to third parties where necessary to fulfil the stated purposes or comply with legal obligations. Data will be deleted once statutory retention periods have expired or the purpose of processing no longer applies.
- Types of data processed: Master data; payment data; contact data; content data; contract data; usage data; meta, communication and process data; log data; credit rating data.
- Data subjects: Service recipients and clients; prospective customers; communication partners; business and contractual partners; customers; third parties; users; employees.
- Purposes of processing: Provision of contractual services and fulfilment of contractual obligations; office and organisational procedures; business processes and commercial procedures; security measures; provision of our online offering and user experience; communication; marketing; sales promotion; public relations; creditworthiness assessment; financial and payment management; IT infrastructure.
- Retention and deletion: Deletion in accordance with the information in the section "General Information on Data Retention and Deletion".
- Legal bases: Performance of a contract and pre-contractual enquiries (Art. 6(1)(b) GDPR); legitimate interests (Art. 6(1)(f) GDPR); legal obligation (Art. 6(1)(c) GDPR).
Further notes on processing activities, procedures and services:
- Customer management and CRM: Procedures required in the context of customer management and customer relationship management (e.g. customer acquisition in compliance with data protection requirements, measures to promote customer loyalty, effective customer communication, complaints management and customer service with data protection considerations, data management and analysis in support of customer relationships, management of CRM systems, secure account management, customer segmentation and audience targeting). Legal bases: Performance of a contract and pre-contractual enquiries (Art. 6(1)(b) GDPR); legitimate interests (Art. 6(1)(f) GDPR).
- Contact management: Procedures required for the organisation, maintenance and security of contact information (e.g. setting up and maintaining a central contact database, regular updates, monitoring data integrity, implementing data protection measures, ensuring access controls, conducting backups, training staff in the use of contact management software, reviewing communication history). Legal bases: Performance of a contract and pre-contractual enquiries (Art. 6(1)(b) GDPR); legitimate interests (Art. 6(1)(f) GDPR).
- Customer account: Customers may create an account within our online offering. We store IP addresses and access timestamps during registration and use to prove registration and prevent misuse. Customer account data is deleted upon cancellation of the account unless retained for other purposes or due to legal requirements. Legal bases: Performance of a contract and pre-contractual enquiries (Art. 6(1)(b) GDPR); legitimate interests (Art. 6(1)(f) GDPR).
- General payment transactions: Procedures required for the processing of payment transactions, monitoring of bank accounts and control of payment flows. Legal bases: Performance of a contract and pre-contractual enquiries (Art. 6(1)(b) GDPR); legitimate interests (Art. 6(1)(f) GDPR).
- Accounting, accounts payable, accounts receivable: Procedures required for recording, processing and monitoring business transactions in accounts payable and receivable. Legal bases: Performance of a contract and pre-contractual enquiries (Art. 6(1)(b) GDPR); legal obligation (Art. 6(1)(c) GDPR); legitimate interests (Art. 6(1)(f) GDPR).
- Financial accounting and taxes: Procedures required for recording, managing and controlling financially relevant business transactions and for calculating, reporting and paying taxes. Legal bases: Performance of a contract and pre-contractual enquiries (Art. 6(1)(b) GDPR); legal obligation (Art. 6(1)(c) GDPR); legitimate interests (Art. 6(1)(f) GDPR).
- Marketing, advertising and sales promotion: Procedures required in the context of marketing, advertising and sales promotion. Legal bases: Legitimate interests (Art. 6(1)(f) GDPR).
- Public relations: Procedures required in the context of public relations and communications. Legal bases: Legitimate interests (Art. 6(1)(f) GDPR).
Use of Online Platforms for Offerings and Sales
We offer our services on online platforms operated by other service providers. In this context, the privacy policies of the respective platforms apply in addition to our own privacy notices. This applies in particular with regard to payment processing and the procedures used on the platforms for reach measurement and interest-based marketing.
- Types of data processed: Master data; payment data; contact data; contract data; usage data; meta, communication and process data.
- Data subjects: Service recipients and clients; business and contractual partners.
- Purposes of processing: Provision of contractual services and fulfilment of contractual obligations; marketing; business processes and commercial procedures.
- Retention and deletion: Deletion in accordance with the information in the section "General Information on Data Retention and Deletion".
- Legal bases: Performance of a contract and pre-contractual enquiries (Art. 6(1)(b) GDPR); legitimate interests (Art. 6(1)(f) GDPR).
Further notes on processing activities, procedures and services:
- FareHarbor: Online ticket sales, event management, ticket personalisation, payment processing, customer support, dispatch of e-tickets and print tickets, provision of statistics and reports for event organisers. Legal bases: Legitimate interests (Art. 6(1)(f) GDPR). Service provider: FareHarbor B.V., Vijzelstraat 66-80, 1017 HL Amsterdam, Netherlands. Website: https://fareharbor.com/. Privacy policy: https://fareharbor.com/legal/privacy/.
Provision of the Online Offering and Web Hosting
We process users' data in order to provide them with our online services. For this purpose, we process the user's IP address, which is necessary to transmit the content and functions of our online services to the user's browser or device.
- Types of data processed: Usage data; meta, communication and process data; log data.
- Data subjects: Users (e.g. website visitors, users of online services).
- Purposes of processing: Provision of our online offering and user experience; IT infrastructure; security measures.
- Retention and deletion: Deletion in accordance with the information in the section "General Information on Data Retention and Deletion".
- Legal bases: Legitimate interests (Art. 6(1)(f) GDPR).
Further notes on processing activities, procedures and services:
- Provision of the online offering on rented server space: For the provision of our online offering, we use storage space, computing capacity and software rented from or otherwise obtained from a server provider (also referred to as a "web host"). Legal bases: Legitimate interests (Art. 6(1)(f) GDPR).
- Collection of access data and log files: Access to our online offering is logged in the form of "server log files". Server log files may include the address and name of the web pages and files accessed, date and time of access, data volumes transferred, notification of successful access, browser type and version, the user's operating system, referrer URL (the previously visited page) and, as a rule, IP addresses and the requesting provider. Server log files may be used for security purposes (e.g. to prevent server overload in the event of abusive attacks, so-called DDoS attacks) and to ensure server capacity and stability. Legal bases: Legitimate interests (Art. 6(1)(f) GDPR). Deletion of data: Log file information is stored for a maximum of 30 days and then deleted or anonymised. Data whose further retention is required for evidential purposes is exempt from deletion until the relevant incident is definitively resolved.
- Mittwald: Services in the area of the provision of IT infrastructure and related services (e.g. storage space and/or computing capacity). Service provider: Mittwald CM Service GmbH & Co. KG, Königsberger Straße 4-6, 32339 Espelkamp, Germany. Legal bases: Legitimate interests (Art. 6(1)(f) GDPR). Website: https://www.mittwald.de. Privacy policy: https://www.mittwald.de/datenschutz. Data processing agreement: https://www.mittwald.de/faq/service-informationen/faq/datenschutz-alles-wichtige-zur-dsgvo.
Use of Cookies
Cookies are small text files or other storage entries that store and read information on end devices – for example, to save login status in a user account, the contents of a shopping basket in an online shop, or the content accessed or functions used within an online offering. Cookies may also be used for various other purposes, such as functionality, security, convenience and the analysis of visitor flows.
Notes on consent: We use cookies in accordance with legal requirements. We therefore obtain prior consent from users unless consent is not required by law. Consent is not necessary in particular where storing and reading information, including cookies, is strictly necessary in order to provide users with a telemedia service (i.e. our online offering) that they have expressly requested. Consent, which can be revoked at any time, is clearly communicated to users and includes information on the respective use of cookies.
Notes on legal bases: The legal basis on which we process users' personal data using cookies depends on whether we ask users for consent. Where users consent, the legal basis is the consent given. Otherwise, data processed by means of cookies is processed on the basis of our legitimate interests (e.g. in the commercially sound operation of our online offering and improvement of its usability), or where the use of cookies is necessary for the fulfilment of our contractual obligations.
Storage duration: The following types of cookies are distinguished:
- Temporary cookies (also: session cookies): Temporary cookies are deleted at the latest after a user has left the online offering and closed their device (e.g. browser or mobile application).
- Permanent cookies: Permanent cookies remain stored even after the device is closed. For example, login status can be saved and preferred content can be displayed directly when the user revisits a website. User data collected by means of cookies may also be used for reach measurement. Unless we provide users with explicit information on the type and storage duration of cookies (e.g. when obtaining consent), users should assume that cookies are permanent and that the storage duration may be up to two years.
General notes on withdrawal and objection (opt-out): Users may withdraw their consent at any time and also object to processing in accordance with legal requirements, including by means of the privacy settings in their browser.
- Types of data processed: Meta, communication and process data.
- Data subjects: Users (e.g. website visitors, users of online services).
- Legal bases: Legitimate interests (Art. 6(1)(f) GDPR); consent (Art. 6(1)(a) GDPR).
Further notes on processing activities, procedures and services:
- Processing of cookie data on the basis of consent: We use a consent management solution by which users' consent to the use of cookies or the procedures and providers referred to in the consent management solution is obtained. This procedure serves to obtain, record, manage and revoke consents, in particular with regard to the use of cookies and comparable technologies for storing, reading and processing information on users' devices. Users may also manage and revoke their consents. Consent declarations are stored to avoid repeated requests and to provide proof of consent in accordance with legal requirements. Storage is carried out server-side and/or in a cookie (so-called opt-in cookie) or by means of comparable technologies to enable consent to be attributed to a specific user or their device. Unless specific information is provided on the providers of consent management services, the following general notes apply: The duration of consent storage is up to two years. A pseudonymous user identifier is created and stored together with the time of consent, information on the scope of consent (e.g. categories of cookies and/or service providers) and information on the browser, system and device used. Legal bases: Consent (Art. 6(1)(a) GDPR).
- Cookiebot: Consent management: procedures for obtaining, recording, managing and revoking consents, in particular for the use of cookies and similar technologies for storing, reading and processing information on users' devices. Service provider: Usercentrics A/S, Havnegade 39, 1058 Copenhagen, Denmark. Website: https://www.cookiebot.com. Privacy policy: https://www.cookiebot.com/en/privacy-policy/. Data processing agreement: Provided by the service provider. Further information: Data stored on the service provider's server: anonymised IP address (last three digits set to 0), date and time of consent, browser information, URL from which consent was sent, an anonymous random encrypted key value, the user's consent status.
Special Notes on Applications (Apps)
We process the data of users of our application to the extent necessary to provide users with the application and its functionalities, to monitor its security and to further develop it. We may also contact users in accordance with legal requirements where communication is necessary for administrative or operational purposes. Otherwise, we refer to the information in this privacy policy with regard to the processing of users' data.
Legal bases: Processing of data necessary for the provision of the application's functionalities serves the fulfilment of contractual obligations. This also applies where the provision of functionalities requires user authorisation (e.g. device permissions). Where processing is not necessary for the provision of functionalities but serves the security of the application or our commercial interests (e.g. collection of data for optimisation purposes), it is carried out on the basis of our legitimate interests. Where users are expressly asked for consent, processing is carried out on the basis of that consent.
- Types of data processed: Master data; usage data; meta, communication and process data.
- Data subjects: Users.
- Purposes of processing: Provision of contractual services and fulfilment of contractual obligations; security measures; provision of our online offering and user experience.
- Retention and deletion: Deletion in accordance with the information in the section "General Information on Data Retention and Deletion".
- Legal bases: Performance of a contract and pre-contractual enquiries (Art. 6(1)(b) GDPR); legitimate interests (Art. 6(1)(f) GDPR).
Further notes on processing activities, procedures and services:
- Device permissions for access to functions and data: The use of our application or its functionalities may require permissions for access to certain device functions or data stored on or accessible via the device. By default, these permissions must be granted by users and can be revoked at any time in the device settings. The exact procedure for controlling app permissions may vary depending on the user's device and software. Users may contact us if clarification is needed. Please note that revoking permissions may affect the functionality of our application.
Registration, Login and User Accounts
Users may create a user account. In the course of registration, users are informed of the required mandatory information, which is processed for the purpose of providing the user account on the basis of contractual obligation. The data processed includes in particular login information (username, password and email address).
In the context of use of our registration and login functions and the user account, we store IP addresses and the time of each user action. This is stored on the basis of our legitimate interests and those of users in protection against misuse and other unauthorised use. Data is not generally passed on to third parties unless this is necessary for the pursuit of our claims or there is a statutory obligation to do so.
Users may be notified by email of events relevant to their user account, such as technical changes.
- Types of data processed: Master data; contact data; content data; usage data; log data.
- Data subjects: Users.
- Purposes of processing: Provision of contractual services and fulfilment of contractual obligations; security measures; organisational and administrative procedures; provision of our online offering and user experience.
- Retention and deletion: Deletion in accordance with the information in the section "General Information on Data Retention and Deletion"; deletion upon account cancellation.
- Legal bases: Performance of a contract and pre-contractual enquiries (Art. 6(1)(b) GDPR); legitimate interests (Art. 6(1)(f) GDPR).
Further notes on processing activities, procedures and services:
- Deletion of data upon account cancellation: Where users have cancelled their account, their data relating to the account will be deleted, subject to statutory permission, obligation or consent. Legal bases: Performance of a contract and pre-contractual enquiries (Art. 6(1)(b) GDPR).
- No obligation to retain data: It is the responsibility of users to back up their data before the end of the contract upon cancellation. We are entitled to irreversibly delete all data stored during the term of the contract. Legal bases: Performance of a contract and pre-contractual enquiries (Art. 6(1)(b) GDPR).
Contact and Enquiry Management
When you contact us (e.g. by post, contact form, email, telephone or via social media) and in the context of existing user and business relationships, the information provided by the person making the enquiry is processed to the extent necessary to respond to contact requests and any requested measures.
- Types of data processed: Master data; contact data; content data; usage data; meta, communication and process data.
- Data subjects: Communication partners.
- Purposes of processing: Communication; organisational and administrative procedures; feedback; provision of our online offering and user experience.
- Retention and deletion: Deletion in accordance with the information in the section "General Information on Data Retention and Deletion".
- Legal bases: Legitimate interests (Art. 6(1)(f) GDPR); performance of a contract and pre-contractual enquiries (Art. 6(1)(b) GDPR).
Further notes on processing activities, procedures and services:
- Contact form: When contact is made via our contact form, by email or other communication channels, we process the personal data transmitted to us in order to respond to and handle the respective request. This generally includes name, contact details and, where applicable, further information communicated to us. We use this data exclusively for the stated purpose of contact and communication. Legal bases: Performance of a contract and pre-contractual enquiries (Art. 6(1)(b) GDPR); legitimate interests (Art. 6(1)(f) GDPR).
- TrustCaptcha: Protection of forms against automated access and spam (CAPTCHA solution). When forms on our website are used, technical data such as IP address, device information and behavioural data (e.g. mouse movements) are processed in order to distinguish between human users and automated access. TrustCaptcha does not use cookies and does not store personal data in user profiles. All processing takes place exclusively on EU-based servers. Service provider: Trustcaptcha GmbH, Hans-Böckler-Straße 32, 80995 München, Germany. Legal bases: Legitimate interests (Art. 6(1)(f) GDPR). Website: https://www.trustcomponent.com. Privacy policy: https://www.trustcomponent.com/de/legal/privacy-policy.
Cloud Services
We use software services accessible via the internet and run on the servers of their providers (so-called "cloud services", also referred to as "software as a service") for the storage and management of content (e.g. document storage and management, exchange of documents, content and information with specific recipients, publication of content and information).
In this context, personal data may be processed and stored on providers' servers to the extent that it forms part of communications with us or is otherwise processed as described in this privacy policy. This data may include in particular users' master data and contact data, data relating to transactions, contracts and other processes and their content. Cloud service providers also process usage data and metadata, which they use for security purposes and service optimisation.
- Types of data processed: Master data; contact data; content data; usage data.
- Data subjects: Prospective customers; communication partners; business and contractual partners.
- Purposes of processing: Office and organisational procedures; IT infrastructure.
- Retention and deletion: Deletion in accordance with the information in the section "General Information on Data Retention and Deletion".
- Legal bases: Legitimate interests (Art. 6(1)(f) GDPR).
Further notes on processing activities, procedures and services:
- Nextcloud: Cloud storage, cloud infrastructure services and cloud-based application software. Service provider: Nextcloud GmbH, Hauptmannsreute 44a, 70192 Stuttgart, Germany. Legal bases: Legitimate interests (Art. 6(1)(f) GDPR). Website: https://nextcloud.com. Privacy policy: https://nextcloud.com/privacy/.
Newsletters and Electronic Notifications
We send newsletters, emails and other electronic notifications (hereinafter "newsletters") only with the recipients' consent or on the basis of a statutory legal basis. Where the contents of the newsletter are specifically described in the course of signing up, they are decisive for users' consent. Signing up to our newsletter normally requires only the provision of an email address. Where we wish to offer a personalised service, we may ask for a name for personal salutation in the newsletter, or for further information if required for the newsletter's purpose.
Deletion and restriction of processing: We may retain unsubscribed email addresses for up to three years on the basis of our legitimate interests before deletion, in order to be able to demonstrate previously given consent. Processing of this data is restricted to the purpose of potential defence against claims. An individual deletion request is possible at any time, provided the former existence of consent is simultaneously confirmed. Where there is a permanent obligation to observe objections, we reserve the right to store the email address for this purpose alone in a blocklist.
Newsletter contents: Information about us, our services, promotions and offers.
- Types of data processed: Master data; contact data; meta, communication and process data; usage data.
- Data subjects: Communication partners.
- Purposes of processing: Direct marketing (e.g. by email or post).
- Legal bases: Consent (Art. 6(1)(a) GDPR).
- Opt-out: You may cancel your newsletter subscription at any time, i.e. withdraw your consent or object to further receipt. A link to unsubscribe from the newsletter can be found at the end of each newsletter, or you may use one of the contact methods listed above, preferably by email.
Further notes on processing activities, procedures and services:
- Measurement of open and click rates: Newsletters contain a so-called "web beacon", i.e. a pixel-sized file that is retrieved from our server when the newsletter is opened. As part of this retrieval, technical information such as browser and system details, IP address and time of retrieval is initially collected. This information is used for the technical improvement of our newsletter (on the basis of the technical data) and for its adaptation to the target groups and their reading behaviour (on the basis of retrieval locations or access times). The analysis also determines whether newsletters are opened and which links are clicked. A separate withdrawal of the performance measurement is unfortunately not possible; in this case, the entire newsletter subscription must be cancelled. Legal bases: Consent (Art. 6(1)(a) GDPR).
Competitions and Prize Draws
We process the personal data of participants in competitions and prize draws only in compliance with applicable data protection provisions, where processing is contractually necessary for the provision, organisation and handling of the competition, where participants have consented to processing, or where processing serves our legitimate interests (e.g. in the security of the competition or protection of our interests against misuse).
Where participants' contributions are published in the context of the competition (e.g. as part of a vote or presentation of entries or winners), we note that participants' names may also be published in this context. Participants may object to this at any time.
Participant data is deleted once the competition or prize draw has ended and the data is no longer required to notify winners or because no further queries about the competition are expected. In general, participants' data is deleted no later than six months after the end of the competition.
- Types of data processed: Master data; contact data; content data.
- Data subjects: Competition and prize draw participants.
- Purposes of processing: Conducting competitions and prize draws.
- Retention and deletion: Deletion in accordance with the information in the section "General Information on Data Retention and Deletion".
- Legal bases: Performance of a contract and pre-contractual enquiries (Art. 6(1)(b) GDPR); legitimate interests (Art. 6(1)(f) GDPR).
Surveys and Questionnaires
We conduct surveys and questionnaires to gather information for the purpose communicated in each case. The surveys and questionnaires we conduct (hereinafter "surveys") are evaluated anonymously. Personal data is processed only to the extent necessary for the provision and technical implementation of the surveys.
- Types of data processed: Master data; contact data; content data; usage data.
- Data subjects: Participants.
- Purposes of processing: Feedback; surveys and questionnaires; tracking; click tracking; A/B testing; heatmaps; profiles with user-related information; provision of our online offering and user experience.
- Retention and deletion: Deletion in accordance with the information in the section "General Information on Data Retention and Deletion".
- Legal bases: Legitimate interests (Art. 6(1)(f) GDPR).
Further notes on processing activities, procedures and services:
- Hotjar Ask: Software for the analysis and optimisation of online offerings on the basis of feedback functions, which may include in particular feedback forms and surveys. Service provider: Hotjar Ltd., 3 Lyons Range, 20 Bisazza Street, Sliema SLM 1640, Malta. Legal bases: Legitimate interests (Art. 6(1)(f) GDPR). Website: https://www.hotjar.com. Privacy policy: https://www.hotjar.com/legal/policies/privacy. Opt-out: https://www.hotjar.com/legal/compliance/opt-out.
Web Analytics, Monitoring and Optimisation
Web analytics (also referred to as "reach measurement") serves to evaluate visitor flows to our online offering and may include behaviour, interests or demographic information about visitors, such as age or gender, as pseudonymous values. With reach analysis, we can recognise, for example, at what time our online offering or its functions or content are most frequently used, or identify areas for optimisation.
In addition to web analytics, we may also use testing procedures to test and optimise different versions of our online offering or its components.
User data is pseudonymised for these purposes. No clear-text data (such as email addresses or names) is stored. IP addresses are pseudonymised using IP masking.
Notes on legal bases: Where we ask users for consent to the use of third-party providers, the legal basis is consent. Otherwise, user data is processed on the basis of our legitimate interests. Reference is also made to the information on the use of cookies in this privacy policy.
- Types of data processed: Usage data; meta, communication and process data.
- Data subjects: Users.
- Purposes of processing: Reach measurement; profiles with user-related information; provision of our online offering and user experience.
- Retention and deletion: Deletion in accordance with the information in the section "General Information on Data Retention and Deletion"; storage of cookies for up to 2 years.
- Security measures: IP masking (pseudonymisation of IP addresses).
- Legal bases: Consent (Art. 6(1)(a) GDPR); legitimate interests (Art. 6(1)(f) GDPR).
Further notes on processing activities, procedures and services:
- Google Analytics: We use Google Analytics to measure and analyse the use of our online offering on the basis of a pseudonymous user identification number. This identification number does not contain unique data such as names or email addresses. Google Analytics does not log or store individual IP addresses for EU users. Analytics does, however, provide coarse geographic location data by deriving the following metadata from IP addresses: city, continent, country, region, sub-continent. For EU traffic, IP address data is used solely for this derivation of geolocation data before being immediately deleted. Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Legal bases: Consent (Art. 6(1)(a) GDPR). Website: https://marketingplatform.google.com/about/analytics/. Privacy policy: https://policies.google.com/privacy. Data processing agreement: https://business.safety.google/adsprocessorterms/. Basis for third-country transfers: Data Privacy Framework (DPF). Opt-out: Opt-out plugin: https://tools.google.com/dlpage/gaoptout?hl=en; ad personalisation settings: https://myadcenter.google.com/personalizationoff.
- Google Tag Manager: We use Google Tag Manager, a Google software that enables us to manage so-called website tags centrally via a user interface. Tags are small code elements on our website that serve to capture and analyse visitor activity. The Google Tag Manager itself does not create user profiles, does not store cookies with user profiles, and does not conduct independent analyses. Its function is limited to simplifying and managing the integration of tools and services we use on our website. Despite this, the user's IP address is transmitted to Google when using the Tag Manager for technical reasons, and cookies may be set. Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Legal bases: Consent (Art. 6(1)(a) GDPR). Website: https://marketingplatform.google.com. Privacy policy: https://policies.google.com/privacy. Data processing agreement: https://business.safety.google/adsprocessorterms. Basis for third-country transfers: Data Privacy Framework (DPF).
Online Marketing
We process personal data for the purposes of online marketing, which includes in particular the marketing of advertising space or the display of promotional and other content (collectively "content") based on potential user interests, and the measurement of its effectiveness.
For these purposes, so-called user profiles are created and stored in a file (a so-called "cookie") or similar procedures are used, by means of which the information relevant to the display of the aforementioned content is stored. This may include content viewed, websites visited, online networks used, as well as communication partners and technical information such as the browser used, the computer system used, and information on usage times and functions used.
IP addresses are also stored, but we use available IP masking procedures for user protection. No clear-text data is stored as part of online marketing procedures.
Notes on legal bases: Where we ask users for consent to the use of third-party providers, the legal basis is consent. Otherwise, user data is processed on the basis of our legitimate interests.
Notes on withdrawal and objection: We refer to the privacy notices of the respective providers and the opt-out options indicated for those providers. The following opt-out options are also available:
a) Europe: https://www.youronlinechoices.eu
b) Canada: https://www.youradchoices.ca/choices
c) USA: https://www.aboutads.info/choices
d) Cross-regional: https://optout.aboutads.info
- Types of data processed: Usage data; meta, communication and process data.
- Data subjects: Users.
- Purposes of processing: Reach measurement; tracking; audience targeting; marketing; profiles with user-related information; conversion measurement.
- Retention and deletion: Deletion in accordance with the information in the section "General Information on Data Retention and Deletion"; storage of cookies for up to 2 years.
- Security measures: IP masking.
- Legal bases: Consent (Art. 6(1)(a) GDPR); legitimate interests (Art. 6(1)(f) GDPR).
Further notes on processing activities, procedures and services:
- Google Ads and conversion measurement: Online marketing procedure for placing content and ads within the service provider's advertising network (e.g. in search results, in videos, on websites), so that they are displayed to users who have a presumed interest in the ads. We also measure the conversion of ads. We only receive anonymous information and no personal information about individual users. Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Legal bases: Consent (Art. 6(1)(a) GDPR); legitimate interests (Art. 6(1)(f) GDPR). Website: https://marketingplatform.google.com. Privacy policy: https://policies.google.com/privacy. Basis for third-country transfers: Data Privacy Framework (DPF).
Customer Reviews and Rating Processes
We participate in review and rating procedures to evaluate, optimise and promote our services. The general terms and conditions and privacy notices of the respective review platforms apply in addition to our own. Registration with the respective provider is generally required to submit a review.
To ensure that reviewing persons have actually used our services, we transmit – with customers' consent – the relevant data regarding the customer and the service used to the respective review platform (including name, email address and order or item number). This data is used solely to verify the authenticity of the user.
- Types of data processed: Contract data; usage data; meta, communication and process data.
- Data subjects: Service recipients and clients; users.
- Purposes of processing: Feedback; marketing.
- Legal bases: Legitimate interests (Art. 6(1)(f) GDPR).
Further notes on processing activities, procedures and services:
- Google Customer Reviews: Service for obtaining and/or displaying customer satisfaction and opinions. Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Legal bases: Legitimate interests (Art. 6(1)(f) GDPR). Website: https://www.google.com/. Privacy policy: https://policies.google.com/privacy. Basis for third-country transfers: Data Privacy Framework (DPF).
Presence on Social Networks (Social Media)
We maintain online presences within social networks and process user data in this context in order to communicate with users active there or to provide information about us.
We note that user data may be processed outside the area of the European Union in this context. This may entail risks for users, for example because the enforcement of users' rights may be made more difficult.
For a detailed description of the respective processing forms and opt-out options, we refer to the privacy policies and information provided by the operators of the respective networks.
- Types of data processed: Contact data; content data; usage data.
- Data subjects: Users.
- Purposes of processing: Communication; feedback; public relations.
- Retention and deletion: Deletion in accordance with the information in the section "General Information on Data Retention and Deletion".
- Legal bases: Legitimate interests (Art. 6(1)(f) GDPR).
Further notes on processing activities, procedures and services:
- Instagram: Social network enabling the sharing of photos and videos, commenting and favouriting posts, sending messages, and following profiles and pages. Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland. Legal bases: Legitimate interests (Art. 6(1)(f) GDPR). Website: https://www.instagram.com. Privacy policy: https://privacycenter.instagram.com/policy/. Basis for third-country transfers: Data Privacy Framework (DPF).
- Facebook pages: Profiles within the Facebook social network. We are jointly responsible with Meta Platforms Ireland Limited for the collection (but not the further processing) of data from visitors to our Facebook page (so-called "fan page"). This data includes information about the types of content users view or interact with, or the actions they take, as well as information about the devices used by users. We have entered into a specific agreement with Facebook ("Page Controller Addendum", https://www.facebook.com/legal/terms/page_controller_addendum), which governs in particular the security measures Facebook must observe and in which Facebook has agreed to fulfil data subject rights. Users' rights (in particular to access, erasure, objection and complaint to the competent supervisory authority) are not restricted by the agreements with Facebook. The joint responsibility is limited to the collection and transmission of data to Meta Platforms Ireland Limited. Further processing is the sole responsibility of Meta Platforms Ireland Limited, including the transfer of data to the parent company Meta Platforms, Inc. in the USA. Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland. Legal bases: Legitimate interests (Art. 6(1)(f) GDPR). Website: https://www.facebook.com. Privacy policy: https://www.facebook.com/privacy/policy/. Basis for third-country transfers: Data Privacy Framework (DPF).
Plug-ins and Embedded Functions and Content
We integrate functional and content elements into our online offering that are sourced from the servers of their respective providers (hereinafter "third-party providers"). These may include, for example, graphics, videos or maps (hereinafter collectively "content").
Integration always requires third-party providers of such content to process users' IP addresses, as without an IP address they would be unable to send content to the user's browser. The IP address is therefore required for the display of such content or functions. We endeavour to use only those content providers that use the IP address solely for the delivery of content.
Notes on legal bases: Where we ask users for consent to the use of third-party providers, the legal basis is consent. Otherwise, user data is processed on the basis of our legitimate interests.
- Types of data processed: Usage data; meta, communication and process data; location data.
- Data subjects: Users.
- Purposes of processing: Provision of our online offering and user experience.
- Retention and deletion: Deletion in accordance with the information in the section "General Information on Data Retention and Deletion"; storage of cookies for up to 2 years.
- Legal bases: Consent (Art. 6(1)(a) GDPR); legitimate interests (Art. 6(1)(f) GDPR).
Further notes on processing activities, procedures and services:
- Google Fonts (self-hosted): Provision of font files for user-friendly display of our online offering. Google Fonts are hosted on our own server; no data is transmitted to Google. Legal bases: Legitimate interests (Art. 6(1)(f) GDPR).
- Google Maps: We embed maps from the "Google Maps" service provided by Google. Data processed may include in particular users' IP addresses and location data. Service provider: Google Cloud EMEA Limited, 70 Sir John Rogerson's Quay, Dublin 2, Ireland. Legal bases: Consent (Art. 6(1)(a) GDPR). Website: https://mapsplatform.google.com/. Privacy policy: https://policies.google.com/privacy. Basis for third-country transfers: Data Privacy Framework (DPF).
- YouTube videos: Video content. YouTube videos are embedded via a special domain (recognisable by the element "youtube-nocookie") in so-called "enhanced privacy mode", whereby no cookies on user activity are collected in order to personalise video playback. However, information about users' interaction with the video (e.g. remembering the last playback position) may still be stored. Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Legal bases: Consent (Art. 6(1)(a) GDPR). Website: https://www.youtube.com. Privacy policy: https://policies.google.com/privacy. Basis for third-country transfers: Data Privacy Framework (DPF).
Processing of Data in the Context of Employment Relationships
In the context of employment relationships, personal data is processed with the aim of effectively establishing, conducting and terminating such relationships. This data processing supports various operational and administrative functions required for the management of employee relations.
Data processing encompasses various aspects ranging from the initiation of employment to its termination, including the organisation and management of daily working hours, the management of access rights and authorisations, and the handling of personnel development measures and employee appraisals. Processing also serves payroll and the management of wages and salaries.
In addition, data processing takes into account the legitimate interests of the responsible employer, such as ensuring workplace safety or recording performance data for the evaluation and optimisation of operational processes. Data processing also involves the disclosure of employee data in the context of external communication and publication processes where this is required for operational or legal purposes.
The processing of this data always takes place in compliance with the applicable legal framework, with the aim of creating and maintaining a fair and efficient working environment. This also includes consideration of the data protection rights of the employees concerned, and the anonymisation or deletion of data once the processing purpose has been fulfilled or in accordance with statutory retention periods.
- Types of data processed: Employee data; payment data; contract data; master data; contact data; content data; social data; log data; performance and behavioural data; working time data; salary data; images and/or video recordings; usage data; meta, communication and process data.
- Special categories of personal data: Health data; religious or philosophical beliefs; trade union membership.
- Data subjects: Employees (e.g. permanent staff, applicants, casual workers and other personnel).
- Purposes of processing: Establishment and conduct of employment relationships; business processes and commercial procedures; provision of contractual services and fulfilment of contractual obligations; public relations; security measures; office and organisational procedures.
- Legal bases: Performance of a contract and pre-contractual enquiries (Art. 6(1)(b) GDPR); legal obligation (Art. 6(1)(c) GDPR); legitimate interests (Art. 6(1)(f) GDPR); processing of special categories of personal data relating to health, occupation and social security (Art. 9(2)(h) GDPR); consent (Art. 6(1)(a) GDPR).
Further notes on processing activities, procedures and services:
- Working time recording: Procedures for recording employees' working hours, including both manual and automated methods such as time clocks, time tracking software or mobile apps. Legal bases: Performance of a contract and pre-contractual enquiries (Art. 6(1)(b) GDPR); legitimate interests (Art. 6(1)(f) GDPR).
- Authorisation management: Procedures for defining, managing and controlling access rights and user roles within a system or organisation. Legal bases: Performance of a contract (Art. 6(1)(b) GDPR); legal obligation (Art. 6(1)(c) GDPR); legitimate interests (Art. 6(1)(f) GDPR).
- Special categories of personal data: Special categories of personal data are processed in the context of employment or to fulfil legal obligations, including health data, trade union membership and religious affiliation. This data may be passed on to health insurance funds, for example, or processed for the purpose of assessing employees' fitness for work, for occupational health management, or for reporting to the tax authorities. Legal bases: Performance of a contract (Art. 6(1)(b) GDPR); legal obligation (Art. 6(1)(c) GDPR); legitimate interests (Art. 6(1)(f) GDPR).
- Sources of data processed: Personal data processed is obtained in the context of the application and/or employment relationship of employees. Where required by law, personal data is also collected from other sources, such as tax authorities, health insurance funds, employment agencies or publicly accessible professional social networks. Legal bases: Legal obligation (Art. 6(1)(c) GDPR); legitimate interests (Art. 6(1)(f) GDPR).
- Purposes of data processing: Employee data is processed primarily for the establishment, conduct and termination of the employment relationship, and to fulfil legal obligations under tax and social security law. It may also be processed for regulatory and supervisory requirements, process optimisation and the assertion or defence of legal claims. Legal bases: Performance of a contract (Art. 6(1)(b) GDPR); legal obligation (Art. 6(1)(c) GDPR); legitimate interests (Art. 6(1)(f) GDPR).
- Transfer of employee data to third countries: Employee data is only transferred to third countries (outside the EU/EEA) where necessary for the fulfilment of the employment relationship, required by law, or where employees have given their consent. Employees are informed of the details where required by law. Legal bases: Legitimate interests (Art. 6(1)(f) GDPR).
- Transfer of employee data: Employee data is processed internally only by those departments that require it for the fulfilment of operational, contractual and legal obligations. External disclosure takes place only where legally required or where employees have consented. Recipients may include banks, health insurance funds, pension funds, social security authorities, tax and legal advisors, and third-party creditors in the event of wage garnishment. Legal bases: Performance of a contract (Art. 6(1)(b) GDPR); legitimate interests (Art. 6(1)(f) GDPR).
- Business travel and expense reimbursement: Procedures required for the planning, execution and settlement of business travel. Legal bases: Performance of a contract (Art. 6(1)(b) GDPR); legal obligation (Art. 6(1)(c) GDPR); legitimate interests (Art. 6(1)(f) GDPR); Art. 9(2)(h) GDPR.
- Payroll and salary accounting: Procedures required for the calculation, payment and documentation of wages, salaries and other remuneration. Legal bases: Performance of a contract (Art. 6(1)(b) GDPR); legal obligation (Art. 6(1)(c) GDPR).
- Deletion of employee data: Employee data is deleted under German law once it is no longer required for the purpose for which it was collected, subject to statutory retention obligations. The following retention periods apply:
- General personnel files: up to 3 years after termination of employment (§ 195 BGB).
- Tax-relevant documents: 6 years (§ 147 AO, § 257 HGB).
- Wage/salary information for insured employees: 5 years (§ 165 SGB VII).
- Salary lists including special payments (where a booking record exists): 10 years (§ 147 AO, § 257 HGB).
- Payroll lists for interim, final and special payments: 6 years (§ 147 AO, § 257 HGB).
- Documents relating to employee pension insurance (where booking records exist): 10 years.
- Social security contribution statements: 10 years (§ 165 SGB VII).
- Payroll accounts: 6 years (§ 41(1)(9) EStG).
- Applicant data: up to 6 months from receipt of rejection.
- Working time records (where daily working time exceeds 8 hours): 2 years (§ 16(2) ArbZG).
- Application documents (following online job posting): 3 to max. 6 months after receipt of rejection (§ 26 BDSG, § 15(4) AGG).
- Certificates of incapacity for work: up to 5 years (§ 6 AAG).
- Documents relating to occupational pension schemes: 30 years (§ 18a BetrAVG).
- Employee illness data: 12 months from the onset of illness where absences do not exceed 6 weeks in a year.
- Documents relating to maternity protection: 2 years (§ 27(5) MuSchG).
- Personnel file management: Procedures required for the organisation, updating and management of employee data and records. Legal bases: Performance of a contract (Art. 6(1)(b) GDPR); legal obligation (Art. 6(1)(c) GDPR); legitimate interests (Art. 6(1)(f) GDPR); Art. 9(2)(h) GDPR.
- Personnel development, performance appraisal and employee meetings: Procedures required in the area of employee development, performance evaluation and appraisal meetings. Legal bases: Performance of a contract (Art. 6(1)(b) GDPR); legal obligation (Art. 6(1)(c) GDPR); legitimate interests (Art. 6(1)(f) GDPR); Art. 9(2)(h) GDPR.
- Obligation to provide data: The controller informs employees that the provision of their data is required where necessary for the establishment and conduct of the employment relationship or where required by law. The provision of data may also be required where employees assert or are entitled to claims. Legal bases: Performance of a contract (Art. 6(1)(b) GDPR); legal obligation (Art. 6(1)(c) GDPR); legitimate interests (Art. 6(1)(f) GDPR).
- Publication and disclosure of employee data: Employee data is published or disclosed to third parties only where required for the performance of work duties in accordance with the employment contract, or where employees have consented, or on the basis of the employer's legitimate interests (e.g. group photographs at public events). Legal bases: Consent (Art. 6(1)(a) GDPR); performance of a contract (Art. 6(1)(b) GDPR); legitimate interests (Art. 6(1)(f) GDPR).
Application Procedures
The application procedure requires applicants to provide us with the data necessary for their assessment and selection. The required information is set out in the job description or, in the case of online forms, in the information provided therein.
The required information generally includes personal details such as name, address, contact details and evidence of the qualifications required for the position. Upon request, we are happy to provide additional information on what is required.
Applicants submitting their application by email should note that emails are generally not transmitted in encrypted form over the internet, and we therefore cannot accept responsibility for the security of the application during transmission.
Deletion of data: Data provided by applicants may be further processed by us for the purposes of the employment relationship in the event of a successful application. Otherwise, if the application is unsuccessful, the data is deleted. Applicant data is also deleted if an application is withdrawn. Deletion takes place no later than six months after the end of the process, subject to justified withdrawal by the applicant, in order to enable us to answer any follow-up questions and to fulfil our obligations under equal treatment legislation.
Inclusion in an applicant pool: Inclusion in an applicant pool, where offered, takes place on the basis of consent. Applicants are informed that their consent to inclusion is voluntary, has no bearing on the current application process, and may be withdrawn at any time with future effect.
- Types of data processed: Master data; contact data; content data; applicant data.
- Data subjects: Applicants.
- Purposes of processing: Application procedures.
- Retention and deletion: Deletion in accordance with the information in the section "General Information on Data Retention and Deletion".
- Legal bases: Application procedures as pre-contractual or contractual relationships (Art. 6(1)(b) GDPR).
Changes and Updates
We ask you to regularly check the content of this privacy policy. We update the privacy policy as soon as changes to the data processing activities we carry out make this necessary. We will notify you as soon as a change requires an action on your part (e.g. consent) or other individual notification.
Where we provide addresses and contact information of companies and organisations in this privacy policy, please note that addresses may change over time and we ask you to verify information before making contact.
Definitions
- A/B testing: A/B tests serve to improve the usability and performance of online offerings. Users are shown different versions of a website or its elements, and user behaviour (e.g. longer dwell time or increased interaction) is used to determine which version better meets users' needs.
- Applicant data: Data relating to applicants, including personal and contact details, application documents and the information contained therein (covering letter, CV, certificates and other information voluntarily provided by applicants).
- Click tracking: Click tracking enables monitoring of users' movements throughout an entire online offering. Cookies are generally stored on users' devices for this testing purpose in order to track interaction over a period of time.
- Content data: Content data encompasses information generated in the course of creating, editing and publishing content of all kinds. This category may include texts, images, videos, audio files and other multimedia content, as well as metadata.
- Contract data: Contract data includes specific information relating to the formalisation of an agreement between two or more parties, such as the subject matter of the contract, term, customer category, start and end dates, pricing arrangements, payment terms and cancellation rights.
- Conversion measurement: Conversion measurement (also referred to as "visit action evaluation") is a procedure for determining the effectiveness of marketing measures. A cookie is typically stored on users' devices within websites where the marketing measures are displayed, and retrieved again on the target website.
- Employees: Employees are persons in an employment relationship, whether as workers, salaried employees or in similar positions. Employee data encompasses all information relating to these persons in the context of their employment, including personal identification data, salary and bank data, working hours, holiday entitlements, health data and performance appraisals.
- Heatmaps: Heatmaps are visualisations of users' mouse movements compiled into an overall picture, which can be used to identify, for example, which website elements are preferred and which are less favoured.
- IP masking: IP masking is a method of pseudonymising IP addresses by shortening them, used to protect users. When IP masking is used, the IP address is truncated so that it can no longer be attributed to a specific person.
- Log data: Log data is information about events or activities recorded in a system or network, typically including timestamps, IP addresses, user actions, error messages and other details about the use or operation of a system.
- Master data: Master data encompasses essential information required for the identification and management of contractual partners, user accounts, profiles and similar assignments, including names, contact details, dates of birth and specific identifiers such as user IDs.
- Meta, communication and process data: Meta, communication and process data are categories containing information about how data is processed, transmitted and managed, including metadata (data about data), communication data (exchange of information between users across various channels) and process data (descriptions of processes and procedures within systems or organisations).
- Payment data: Payment data encompasses all information required for the processing of payment transactions, including credit card numbers, bank details, payment amounts, transaction data, verification numbers and billing information.
- Performance and behavioural data: Performance and behavioural data relates to information about how persons perform tasks or behave in a specific context, such as productivity, efficiency, quality of work, attendance and compliance with policies or procedures.
- Personal data: "Personal data" means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. cookie) or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- Profiles with user-related information: The processing of "profiles with user-related information", or "profiles" for short, includes any automated processing of personal data that involves using such data to analyse, evaluate or predict certain personal aspects relating to a natural person (such as interests, behaviour and interactions with websites and content).
- Reach measurement: Reach measurement (also referred to as web analytics) serves to evaluate visitor flows to an online offering and may encompass visitors' behaviour or interests in certain information, such as website content. Pseudonymous cookies and web beacons are frequently used for reach measurement purposes.
- Salary data: Salary data includes information about an employee's financial remuneration, such as basic salary, bonus payments, tax class information, deductions, social security contributions and net payment amounts.
- Tracking: "Tracking" refers to the ability to track users' behaviour across multiple online offerings. Behavioural and interest information is typically stored in cookies or on the servers of the providers of the tracking technologies (so-called profiling). This information may then be used to display advertisements presumed to correspond to users' interests.
- Usage data: Usage data refers to information that captures how users interact with digital products, services or platforms, including page views, dwell times, click paths, frequency of use, device information and location data.
- Audience targeting (Custom Audiences): Audience targeting refers to the determination of target groups for advertising purposes, e.g. displaying adverts. Based on a user's interest in certain products or topics online, it can be inferred that the user is interested in similar products or the online shop where they viewed those products.
- Controller: "Controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
- Processing: "Processing" means any operation or set of operations which is performed on personal data, whether or not by automated means. The term is broad and covers virtually any handling of data, including collection, analysis, storage, transmission and deletion.
- Working time data: Working time data includes information on the start and end of working time, actual and target working hours, break times, overtime, holiday days, sick days, absences, home office days and business trips.