In order to comply with our obligations in accordance with Art. 13 GDPR, you will be informed by means of this data protection declaration about the type and scope as well as the purpose of the processing of personal data (hereinafter referred to as “data”) that is incurred in the provision of our services and within our online offer. This online offer includes in particular the websites required for this purpose as well as associated functions and contents and external online presences, such as profiles of social networks and media.
With regard to the terms used, reference is made to the definitions in Art. 4 of the General Data Protection Regulation (GDPR).
1. Responsible person
The person responsible for data processing within the meaning of Art. 13 Para. 1 GDPR is:
Rechtsanwälte Lintl, Renger Partnerschaft mbB
Nymphenburger Str. 20a
Link to the imprint: https://www.lr-ip.de/en/imprint/
RA Gregor Lintl, RA Christian Renger
2. Affected persons
Visitors and users of our online offer are affected by the data processing carried out by us.
3. Types of data processed
In the case of a mere call up of our online offer, i.e. without registration or indication of other information, only the data transmitted to our server by the browser of the respective user (so-called “server log files”) are collected. The following data are affected by this:
- Date and time of access
- Amount of data sent in bytes
- Source/reference from which you reached the site
- IP address used (if necessary: in anonymized form)
- Usage data (e.g. so-called cookies, websites visited, interest in content, access times),
- Meta/communication data (e.g. software information, IP/MAC addresses, operating system used and browser).
Should the respective user also complete a registration or provide other information, the following data will also be processed:
- Personal data (e.g. names or addresses),
- Contact details (e.g. e-mail addresses, telephone numbers),
- Content data (e.g. text input, photo and video materials).
4. Purpose of the processing
The processing of the data takes place
- to provide the online offer including its functions and contents,
- to answer contact requests and communicate with users,
- to ensure security measures,
- for range measurement and
- for marketing purposes.
5. Used terms
According to Art. 4 No. 1 GDPR, “personal data” is defined as “any information relating to an identified or identifiable natural person (hereinafter referred to as “affected person”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
According to Art. 4 No. 2 GDPR, “processing” is defined as “any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”.
According to Art. 4 No. 4 GDPR, “profiling” is understood to mean “any automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects relating to the performance of work, economic situation, health, personal preferences, interests, reliability, conduct, whereabouts or movements of that natural person”.
According to Art. 4 No. 5 GDPR, “pseudonymisation” means “processing of personal data in such a way that the personal data cannot be attributed to a specific data subject without additional information, provided that this additional information is kept separately and is subject to technical and organizational measures which ensure that the personal data is not attributed to an identified or identifiable natural person”.
According to Art. 4 No. 6 GDPR, a “file system” is “any structured collection of personal data which is accessible according to specific criteria, regardless of whether this collection is managed centrally, decentrally or in an orderly manner according to functional or geographical criteria”.
According to Art. 4 No. 7 GDPR, “responsible person” means “the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of such processing are laid down by Union law or by the law of the Member States, the controller or the specific criteria for its designation may be laid down by Union law or by the law of the Member States”.
According to Art. 4 No. 8 GDPR, “processor” shall mean “any natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller”.
According to Art. 4 No. 9 GDPR, “recipient” is “a natural or legal person, authority, institution or other body to whom personal data are disclosed, regardless of whether it is a third party or not. However, authorities which may receive personal data in the context of a specific investigation mandate under Union law or the law of the Member States shall not be regarded as recipients; the processing of such data by those authorities shall be carried out in accordance with the applicable data protection provisions and in accordance with the purposes of the processing”.
“IP address” means a combination of numbers assigned to a device by an Internet service provider to give that device access to the Internet.
6. Legal basis
In accordance with Art. 13 Para. 1 lit. c GDPR we are obliged to inform you of the legal basis of our data processing.
The following applies to users within the scope of the General Data Protection Regulation (GDPR), which covers the European Union (EU) and the European Economic Community (EEC), with the proviso that no other legal basis is mentioned in the data protection declaration:
- Art. 6 Para. 1 lit. a and Art. 7 GDPR is the legal basis for the processing of data that is covered by consent.
- Art. 6 Para. 1 lit. b GDPR is the legal basis for the processing of data for the fulfilment of the services we owe, for the implementation of pre-contractual measures and for answering enquiries.
- Art. 6 Para. 1 lit. c GDPR is the legal basis for processing to fulfil our legal obligations.
- Art. 6 Para. 1 lit. d GDPR is the legal basis for processing of personal data that is necessary on account of vital interests of the affected person or of another natural person.
- Art. 6 Para. 1 lit. e GDPR is the legal basis for processing for the performance of a task which is in the public interest or is carried out in the exercise of official authority vested in the responsible person, insofar as the processing is necessary for this.
- Art. 6 Para. 1 lit. f GDPR is the legal basis for processing to safeguard our legitimate interests.
- Art. 6 Para. 4 GDPR concerns the processing of data for purposes other than those for which they were collected. Such processing is only possible under the conditions stated here.
- Art. 9 Para. 2 GDPR sets special requirements for the processing of special categories of data (in accordance with Art. 9 Para. 1 GDPR).
7. Security measures
In order to ensure a level of protection appropriate to the risk, we take appropriate technical and organizational measures in accordance with the legal requirements, considering
- the state of the art,
- the implementation costs, the nature, scope, circumstances and purposes of the processing, and
- the varying degrees of probability and seriousness of the risk to the rights and freedoms of natural persons.
These measures shall include in particular ensuring the confidentiality, integrity and availability of data by
- controlling physical access to the data,
- controlling access to the data,
- controlling the input and transfer of the data, securing their availability and their separation.
In addition, we have created procedures that guarantee the exercise of data subject rights, deletion of data and reaction to data threats.
8. Cooperation with contract processors, jointly responsible parties and third parties
For certain services, in the course of our processing of the data, it is necessary to disclose the data to other persons (usually companies), i.e. to transfer the data to them or otherwise grant them access to the data. These companies are, on the one hand, processors or jointly responsible parties and, on the other hand, third parties such as payment service providers. Such disclosure will only be made on the basis of a legal permission or obligation, a consent by the user or on the basis of our legitimate interests, which may exist, for example, when using agents or web hosts. Such a legitimate interest exists in particular when processing the data for administrative purposes.
In the event that we make data available to other companies in our group of companies (by disclosing, transmitting or granting access in any other form), this is done in particular for administrative purposes. This represents a legitimate interest within the meaning of Art. 6 Para. 1 lit. f GDPR. In addition, making access available may also be based on a legal requirement.
9. Transfers of data to third countries
A disclosure, transmission or other access to the data to a person (this includes a company) in a third country (i.e. outside the EU, EEA or Swiss Confederation) takes place if the legal requirements are met. This is particularly the case if the data is processed to fulfil our contractual or pre-contractual obligations. Otherwise the processing must be based on your consent, a legal obligation or our legitimate interests. In addition, we are obliged to guarantee the necessary minimum standards in this constellation as well. We only process data or have data processed in third countries with a recognized level of data protection and the contractual obligation to do so by means of so-called standard contractual clauses of the EU Commission (SCC), in the presence of certifications or binding internal data protection regulations (Art. 44 to 49 GDPR, information page of the EU Commission: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection_de).
10. Rights of affected persons
You have the right to obtain, upon request, information as to whether data concerning you are being processed. In addition, you have the right to receive further information and to receive a copy of the data in accordance with legal requirements.
You have the right to have the data concerning you completed and to have incorrect data concerning you corrected.
You are entitled to the immediate deletion of data concerning you in accordance with the legal requirements. Alternatively, you have the right to limit the processing of the data within the limits of the law. (see also right of objection)
In accordance with legal requirements, you have a right to receive the data concerning you that you have provided us with and may also request that it be passed on to other responsible parties.
You have the right to lodge a complaint with the relevant supervisory authority.
11. Right of withdrawal
You can revoke your given consent at any time with effect for the future.
12. Right of objection
You have the right to object to the future processing of data concerning you in accordance with the legal requirements. The objection may in particular also be directed against processing for the purposes of direct marketing.
We offer the use of temporary and permanent cookies. If you do not agree with this use, please deactivate the corresponding option in the system settings of your browser. Stored cookies can be deleted in the system settings of your browser. The exclusion of cookies can lead to functional restrictions of this online offer.
Cookies are small files that are stored on your computer. These files contain different information. First and foremost, cookies serve to store information about a user of an online offer. In particular, login data, the contents of a shopping basket and the articles called up in an online shop or generally called up websites are stored.
A distinction must be made between temporary and permanent cookies. Temporary cookies are also called “session cookies” or “transient cookies”. These are cookies that are deleted after leaving the online offer. This usually happens when the browser is closed. Permanent cookies (or “persistent cookies”) are files that remain stored even after the browser is closed. This means that the above-mentioned data can remain stored beyond the respective browser session.
This is particularly relevant in the case of cookies that contain information on user interests. This data is often used for range measurement or marketing purposes.
Furthermore, a distinction must also be made between so-called “third party cookies”, which are offered by providers other than the person responsible for operating the online offering, and so-called “first-party cookies”, which are present in all other cases.
Furthermore, the storage of cookies can also be prevented by deactivating them in the browser settings. However, not all functions of this online offer can be used by this option.
14. Deletion of data
In accordance with the legal requirements, we delete the data collected by us or restrict its processing.
We delete the data stored by us as soon as the purpose on which the storage is based has ceased to exist and there are no statutory storage obligations to the contrary and no deviating provisions have been made in this data protection declaration.
Should the data not be deleted due to the necessity for other, legally permissible purposes (e.g. storage for commercial or tax law reasons), their processing will be restricted. In this case, the data will be processed exclusively for this purpose and will otherwise be blocked.
Legal innovations or changes in the data processing carried out by us may make it necessary to adapt this data protection declaration. For this reason, we ask you to regularly inquire about the content of our data protection declaration. Should a change make it necessary for you to cooperate (e.g. consent) or other individual notification, you will be informed by us in an appropriate form.
16. Processing for business purposes
In addition, we process contract data (e.g. subject matter of the contract, duration, date of conclusion) as well as payment data (e.g. account number) of our customers, interested parties and business partners in order to provide contractual services as well as other services. These include in particular services, customer care, marketing, advertising and market research.
17. External payment service providers
We use external payment service providers who have their own platform to process payment transactions.
PayPal: PayPal (Europe) S.à.r.l. & Cie. S.C.A., 22-24 Boulevard Royal, 2449 Luxembourg, Luxembourg;
available at: https://www.paypal.com/de/webapps/mpp/ua/privacy-full
The use of payment service providers in the performance of contracts is based on Article 6(1)(b) GDPR. Otherwise, external payment service providers are appointed on the basis of our legitimate interests pursuant to Art. 6 para. 1 lit. f. GDPR in order to offer our users effective and secure payment options.
The payment service provider primarily collects inventory data (such as name and address), bank data (such as account numbers or credit card numbers), passwords, TANs and checksums as well as contract, sum and recipient related data. This information is necessary for the execution of transactions. However, the data entered is processed exclusively by the payment service providers and stored by them. This means that we do not receive any account or credit card-related information, but only information on whether the payment was successfully completed. In order to check identity and creditworthiness, the payment service provider may transfer the data to credit agencies.
In this regard, we refer to the general terms and conditions and data protection notices of the respective payment service providers.
For payment transactions, the terms and conditions and the data protection information of the respective payment service providers apply, which can be accessed within the respective websites or transaction applications. There you will also find further information, in particular on the assertion of rights of revocation, information and other rights of affected persons.
18. Administration, financial accounting, office organization, contact management
We process data within the performance of administrative tasks and the organization of our operations, financial accounting and compliance with legal obligations, such as archiving.
This data is the same data that we process to provide our contractual services. This processing is carried out in accordance with Art. 6 paragraph 1 lit. c. GDPR, Art. 6 para. 1 lit. f. GDPR.
Clients, interested parties, business partners and website visitors are affected by the processing. The purpose of and our interest in the processing lies in the administration, financial accounting, office organization, archiving of data, i.e. tasks that serve to maintain our business activities, perform our tasks and provide our services. The deletion of the data with regard to contractual services and contractual communication corresponds to the data mentioned in these processing activities. We disclose or transfer data to the tax authorities and our tax advisor/ auditor.
Furthermore, we store information on suppliers, event organizers and other business partners on the basis of our business interests, e.g. for the purpose of contacting them at a later date. We store these mostly company-related data permanently.
19. Business analysis and market research
The data available to us, especially those concerning business transactions, contracts and enquiries, are analyzed by us in order to be able to operate our business economically. In doing so, we also try to identify market trends and the wishes of our contractual partners and users (marketing, market research). For these purposes, in particular inventory data, communication data, contract data, payment data, usage data and meta data are collected and processed by us on the basis of Art. 6 Para. 1 lit. f. GDPR. Within the scope of processing, we can, for example, compare the details of registered users within their profiles with the services they have used.
The analyses carried out are designed to increase user-friendliness and business efficiency and to optimize our services. The analyses are carried out exclusively for our own purposes and are not disclosed externally, unless they are anonymous analyses with summarized values.
The persons affected by these measures include our contractual partners, interested parties, customers, visitors and users of our online offer.
Insofar as such analyses or profiles are personal, they are deleted or made anonymous when the users terminate their contract. Otherwise this happens after two years from conclusion of the contract. Furthermore, the overall business analyses and general tendency determinations are made anonymously if possible.
20. Data protection notices for the application procedure
We process applicant data only for the purpose of and within the application procedure, within the framework of the legal requirements. The processing of applicant data is carried out to fulfil our contractual or pre-contractual obligations within the application procedure in accordance with Art. 6 Para. 1 lit. b. GDPR, Art. 6 para. 1 lit. f. GDPR, if the data processing is necessary for us, e.g. within the framework of legal procedures, whereby § 26 BDSG must also be observed here.
The application procedure is only opened when the applicant informs us of all necessary applicant data. These are, if we offer an online form, explicitly marked. Otherwise they result from our job descriptions, whereby personal details, postal and contact addresses as well as the documents belonging to the application, such as cover letter, curriculum vitae and certificates, are always recorded. Furthermore, applicants can voluntarily provide us with additional information.
By submitting their application to us, applicants agree to the processing of their data for the purposes of the application procedure in accordance with the type and scope described in this data protection declaration.
If, during the application procedure, special categories of personal data are voluntarily communicated in accordance with Art. 9 Para. 1 GDPR, they will also be processed in accordance with Art. 9 Para. 2 letter b GDPR. This applies in particular to health data or information on ethnic origin.
Insofar as special categories of personal data within the meaning of Art. 9 para. 1 GDPR are requested from applicants in the context of the application procedure, their processing is also carried out in accordance with Art. 9 para. 2 letter a GDPR. This is particularly the case with health data, insofar as this is necessary for the exercise of the profession.
If available, applicants can send us their applications by means of an online form on our website. This transmission is encrypted according to the state of the art.
Applicants can also send us their applications by e-mail. Please note, however, that e-mails are generally not sent in encrypted form and that the applicants themselves are responsible for the encryption. For this reason, we recommend that you use an online form or postal delivery, which is probably the safest way to protect your data.
The data provided by the applicants within their application can be processed by us for the purposes of the employment relationship if the application is successful. If, on the other hand, the application for a job offer was not successful, the applicants’ data is deleted. Applicants’ data is also deleted if an application is withdrawn, which applicants are entitled to do at any time.
Subject to a justified revocation by the applicants, the data will be deleted after a period of six months so that we can answer any follow-up questions regarding the application and fulfil our obligations to provide evidence under the Equal Treatment Act. Invoices for any reimbursement of travel expenses will be archived in accordance with tax law requirements.
21. Contact form
Within the scope of contacting us, which is possible via contact form, e-mail, telephone, fax or social media, the user’s data is processed for the purpose of processing and handling the contact request. The legal basis with regard to contractual/pre-contractual relations is derived from Art. 6 para. 1 lit. b. GDPR. With regard to other enquiries, Art. 6 para. 1 lit. f. GDPR is relevant. The information provided by users is generally stored in a customer relationship management system (“CRM system”) or comparable enquiry organization.
We delete the data obtained with regard to the enquiry if it is no longer required. The necessity is checked every two years. Otherwise, the statutory archiving obligations apply.
22. Hosting and e-mail delivery
For the operation of our online offer we fall back on external hosting services. This concerns:
- infrastructure and platform services,
- computing capacity, storage space and database services,
- e-mail dispatch services and
- security and technical maintenance services.
In the context of safeguarding our legitimate interests in the efficient and secure provision of this online service in accordance with Art. 6 Para. 1 lit. f GDPR in conjunction with Art. 28 GDPR (conclusion of contract processing agreement), the following data in particular are processed by us or our hosting provider:
- inventory and contact data,
- content data and contract data and
- usage, meta and communication data.
This data processing concerns our customers as well as interested parties and visitors to our online offer.
Our webhosting provider is: 1&1 Internet SE, Elgendorfer Str. 57, 56410 Montabaur, Germany
23. Collection of access data and log files
On the basis of safeguarding our legitimate interests in accordance with Art. 6 Para. 1 lit. f. GDPR, we or our hosting provider collect data about every access to the server on which this service is located (so-called server log files). These data include:
- Name of the web page accessed and, if applicable, of certain files,
- Date and time of retrieval,
- transferred data volume,
- Message about successful retrieval,
- Browser type and version of the user’s operating system,
- Referrer URL (the previously visited page),
- IP address and
- the requesting provider.
For security reasons, log file information is stored for up to seven days and then deleted. This serves in particular to clarify abuse or fraudulent actions. If data is suitable as evidence to clarify a situation, it will be excluded from deletion until the respective incident has been finally clarified.
24. Google Analytics
On the basis of safeguarding our legitimate interests in the analysis, optimisation and economic operation of our online offer within the meaning of Art. 6 para. 1 lit. f. GDPR we use the web analysis service Google Analytics, which is offered by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
The information is processed on the basis of our interest in evaluating the use of our online offer and recording the activities within the scope of this offer. In addition, further services associated with the use of this online offer and the use of the Internet are provided. This enables Google to create pseudonymous user profiles of the users from the processed data.
We only use Google Analytics with activated IP anonymisation. This means that the IP address of the user is shortened by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area. Only in exceptional cases is the full IP address transferred to a Google server in the USA and shortened there. The IP address transmitted by the user’s browser is not merged with other Google data.
In the event that users do not agree with such data processing, there is the option of deactivating the setting of any cookies via the browser settings.
Furthermore, users can prevent the collection of data generated by the cookie and related to their use of the online offer to Google and the processing of this data by Google by downloading and installing the browser plugin available at the following link: http://tools.google.com/dlpage/gaoptout?hl=de.
Further information on the use of data by Google, setting and objection options, are contained in the Google data protection declaration (https://policies.google.com/privacy) and in the settings for the display of advertising by Google (https://adssettings.google.com/authenticated).
The personal data of users will be deleted or anonymised after 14 months.
25. Google Fonts
We use Google Fonts. These are fonts that are downloaded from Google Ireland Limited when you visit the website. This is technically necessary as otherwise no fonts could be displayed. During this process, data such as the IP address is forwarded to Google. The use of Google Fonts is based on our legitimate interests in a technically secure and maintenance-free use of fonts in accordance with Art. 6 para. 1 lit. f GDPR.
26. Google AdWords and conversion measurement
On the basis of safeguarding our legitimate interests in the analysis, optimisation and economic operation of our online offer in accordance with Art. 6 Para. 1 lit. f. GDPR we use the online marketing procedure Google “AdWords” of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, whereby personal data is processed.
This data can be processed in the USA. The European Commission has not issued an adequacy finding for the USA. Our cooperation is based on standard contractual clauses of the European Commission (SCC).
Google “AdWords” enables us to place ads on the Google advertising network (e.g., in search results, in videos, on web pages, etc.) so that they are displayed to users who have a presumed interest in the ads. This allows us to better target ads for and within our online services in order to show users only ads that potentially match their interests. For example, if a user is shown ads for products that he or she has been interested in on other websites, this is called “remarketing”. For these purposes, when you visit our website and other websites on which the Google advertising network is active, code from Google is executed directly by Google and so-called (re)marketing tags (invisible graphics or code, also known as “web beacons”) are incorporated into the website. With their help, an individual cookie, i.e. a small file, is stored on the user’s device (instead of cookies, comparable technologies can also be used). This file records which websites the user has visited, what content the user is interested in and which offers the user has clicked on, as well as technical information on the browser and operating system, referring websites, visiting time and other information on the use of the online offer.
We also receive an individual “conversion cookie”. The information obtained with the help of the cookie is used by Google to compile conversion statistics for us. However, we only learn the anonymous total number of users who clicked on our ad and were redirected to a page with a conversion tracking tag. We do not receive any information that personally identifies users.
User information is processed pseudonymously within the Google advertising network. This means that Google does not store and process, for example, the name or e-mail address of the user, but processes the relevant data cookie-related within pseudonymous user profiles. I.e. from Google’s point of view, the ads are not managed and displayed for a specifically identified person, but for the cookie holder, regardless of who that cookie holder is. This does not apply if a user has expressly permitted Google to process the data without this pseudonymisation. The information collected about users is transmitted to Google and stored on Google’s servers in the USA.
27. Chat function – Userlike
28. Social media online presence
We operate online presences within the framework of social networks and platforms in order to communicate with their users and to inform them about our offer.
In doing so, user data may be processed outside the area of the European Union. This may entail risks for the respective users. For example, the enforcement of users’ rights may be more difficult. In the event that the provider is based in the USA, the European Commission has not issued an adequacy finding for the USA. Our cooperation is based on standard contractual clauses of the European Commission (SCC).
In addition, user data is also generally processed for market research and advertising purposes. For example, user profiles are created from the user behaviour and the resulting interests of the users. These can then be used, for example, for personalised advertisements within and outside the platforms that correspond to the presumed interests of the users. The technical implementation is usually done by using cookies, which are stored on the users’ computers. These contain the surfing behaviour of the users, from which their interests can be inferred. It should be noted that data from other devices used by the user can also be stored in the user profiles. This is particularly the case if the users are logged in as members of the respective platforms.
The personal data of users is processed within the scope of our legitimate interests in effective information of users and communication with users in accordance with Art. 6 Para. 1 lit. f. GDPR. In the event that the respective platform providers request the users to give their consent to the aforementioned data processing, Art. 6 para. 1 lit. a., Art. 7 GDPR is the legal basis for the processing.
For a detailed presentation of the respective processing and the possibilities of objection (opt-out), we refer to the following linked information from the providers.
Requests for information and the assertion of user rights can also most effectively be asserted with the providers themselves, as only they have access to the users’ data and can directly take appropriate measures and provide information. Should you nevertheless need help, we are at your side to support you.