PRIVACY POLICY

Preamble

With the following privacy policy, we would like to inform you about the types of your personal data (hereinafter also referred to as "data") that we process, for what purposes and to what extent. The privacy policy applies to all processing of personal data carried out by us, both in the context of the provision of our services and, in particular, on our websites as well as within external online presences, such as our social media profiles (hereinafter collectively referred to as the "online offering").

The terms used are not gender-specific.

Last updated: February 21, 2024

 

Person in charge

Your contact person as a controller within the meaning of the European General Data Protection Regulation ("GDPR") and other national data protection laws of the member states as well as other data protection regulations is:

 

Bode – Die Tür GmbH

Ochshäuser Str. 14

34123 Kassel

Tel.: +49 561 5009-0

Fax: +49 561 54943

(hereinafter referred to as "we", "us" or "our")

Contact details of the data protection officer

You can reach our company data protection officer Mr. Blazy (https://gdpc.de/) by phone at +49 (0) 561 830 99 165, by post at the above address with the addition – Data Protection Officer / Confidential – or by e-mail at datenschutz@bode-global.com.

For further information on the processing of your personal data and for related questions, you can contact us at any time or directly to our company data protection officer.

Security Measures

In accordance with the legal requirements, taking into account the state of the art, the implementation costs and the nature, scope, circumstances and purposes of the processing, as well as the different probabilities of occurrence and the extent of the threat to the rights and freedoms of natural persons, we take appropriate technical and organizational measures to ensure a level of protection appropriate to the risk.

The measures shall include, in particular, ensuring the confidentiality, integrity and availability of data by controlling physical and electronic access to the data, as well as access, input, disclosure, availability and segregation of data. Furthermore, we have put in place procedures to ensure the exercise of data subject rights, the deletion of data and reactions to the risk of data being compromised. Furthermore, we take the protection of personal data into account as early as the development or selection of hardware, software and processes in accordance with the principle of data protection, through technical design and through privacy-friendly default settings.

TLS/SSL encryption (https): To protect users' data transmitted through our online services, we use TLS/SSL encryption. Secure Sockets Layer (SSL) is the standard technology used to secure internet connections by encrypting data transmitted between a website or app and a browser (or between two servers). Transport Layer Security (TLS) is an updated and more secure version of SSL. Hyper Text Transfer Protocol Secure (HTTPS) appears in the URL when a website is secured by an SSL/TLS certificate.

Transfer of personal data

In the course of our processing of personal data, it happens that the data is transmitted to other bodies, companies, legally independent organisational units or persons or that it is disclosed to them. The recipients of this data may include, for example, service providers commissioned with IT tasks or providers of services and content that are integrated into a website. In such cases, we comply with the legal requirements and, in particular, conclude corresponding contracts or agreements with the recipients of your data that serve to protect your data.

International Data Transfers

Data processing in third countries: If we process data in a third country (i.e. outside the European Union (EU), the European Economic Area (EEA)) or if the processing takes place in the context of the use of third-party services or the disclosure or transfer of data to other persons, bodies or companies, this will only be done in accordance with the legal requirements. If the level of data protection in the third country has been recognised by means of an adequacy decision (Art. 45 GDPR), this serves as the basis for the data transfer. Otherwise, data transfers will only take place if the level of data protection is otherwise ensured, in particular by means of standard contractual clauses (Art. 46 (2) (c) GDPR), explicit consent or in the case of contractual or legally required transfer (Art. 49 (1) GDPR). In addition, we will inform you of the basis of the third-country transfer with the individual providers from the third country, whereby the adequacy decisions take precedence as the basis. Information on third-country transfers and existing adequacy decisions can be found in the information provided by the EU Commission: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection_en?prefLang=de.

EU-US Trans-Atlantic Data Privacy Framework: As part of the so-called "Data Privacy Framework" (DPF), the EU Commission has also recognized the level of data protection as secure for certain companies from the USA within the framework of the adequacy decision of 10.07.2023. The list of certified companies, as well as more information about the DPF, can be found on the website of the U.S. Department of Commerce at https://www.dataprivacyframework.gov/. As part of the data protection notice, we inform you which service providers we use are certified under the Data Privacy Framework.

Rights of data subjects

Rights of data subjects under the GDPR: As a data subject, you are entitled to various rights under the GDPR, which arise in particular from Art. 15 to 21 GDPR:

  • Right to object: You have the right to object, on grounds relating to your particular situation, at any time to the processing of your personal data based on Art. 6 (1) (e) or (f) GDPR; this also applies to profiling based on these provisions. If your personal data is processed for the purpose of direct marketing, you have the right to object at any time to the processing of your personal data for the purpose of such marketing; this also applies to profiling insofar as it is related to such direct marketing.
  • Right to withdraw consent: You have the right to withdraw your consent at any time.
  • Right of access: You have the right to request confirmation as to whether the data in question is being processed and to request access to this data, as well as further information and a copy of the data in accordance with the legal requirements.
  • Right to rectification: In accordance with the law, you have the right to request the completion of the data concerning you or the correction of the inaccurate data concerning you.
  • Right to erasure and restriction of processing: In accordance with the legal requirements, you have the right to demand that  data concerning you be erased without undue delay or, alternatively, to demand that the processing of the data be restricted in accordance with the legal requirements.
  • Right to data portability: You have the      right to receive data concerning you that you have provided to us in a structured, commonly used and machine-readable format in accordance with the legal requirements, or to request that it be transmitted to another controller.
  • Complaint to a supervisory authority: In accordance with the      legal requirements and without prejudice to any other administrative or judicial remedy, you also have the right to lodge a complaint with a data protection supervisory authority, in particular a supervisory authority in the Member State in which you habitually reside, the supervisory authority of your place of work or the place of the alleged infringement, if you consider that the processing of your personal data violates the GDPR.

Use of cookies

Cookies are small text files or other storage notes that store information on end devices and read information from the end devices. For example, to store the login status in a user account, the contents of a shopping cart in an e-shop, the content accessed or functions used in an online offer. Cookies can also be used for various purposes, e.g. for the purposes of the functionality, security and convenience of online offers and the creation of analyses of visitor flows.

The following cookies are used on our website:

None

Notes on consent: We use cookies in accordance with the legal regulations. Therefore, we obtain prior consent from users, unless this is not required by law. In particular, consent is not required if the storage and reading of the information, including cookies, is absolutely necessary in order to provide the user with a telemedia service expressly requested by them (i.e. our online offering). Strictly necessary cookies usually include cookies with functions that serve the display and operability of the online offer, load balancing, security, the storage of users' preferences and choices, or similar purposes related to the provision of the main and secondary functions of the online offer requested by the users. The revocable consent is clearly communicated to the users and contains the information about the respective cookie usage.

Notes on data protection legal bases: The legal basis on which we process users' personal data with the help of cookies depends on whether we ask users for consent. If users give their consent, the legal basis for the processing of their data is their consent. Otherwise, the data processed with the help of cookies will be processed on the basis of our legitimate interests (e.g. in the business operation of our online offer and improvement of its usability) or, if this is done in the context of the fulfilment of our contractual obligations, if the use of cookies is necessary to fulfil our contractual obligations. We explain the purposes for which the cookies are processed by us in the course of this privacy policy or as part of our consent and processing processes.

Storage  period: With regard to the storage period, a distinction is made between the following types of cookies:

  • Temporary cookies (also: session cookies): Temporary cookies are deleted at the latest after a user has left an online offer and closed his device (e.g. browser or mobile application).
  • Persistent cookies: Persistent cookies remain stored even after the device is closed. For example, the login status can be saved or preferred content can be displayed directly when the user visits a website again. Likewise, user data collected with the help of cookies can be used to measure reach. Unless we provide users with explicit information about the type and storage period of cookies (e.g. as part of obtaining consent), users should assume that cookies are permanent and can be stored for up to two years.

General information on revocation and objection (so-called "opt-out"): Users can revoke their consent at any time and object to processing in accordance with the legal requirements. To this end, users can, among other things, restrict the use of cookies in the settings of their browser (whereby this may also limit the functionality of our online offering). An objection to the use of cookies for online marketing purposes can also be declared via the websites https://optout.aboutads.info and https://www.youronlinechoices.com/.

Cookie settings/opt-out: 

Opt Out Cookie
  • Types of data processed: Usage data (e.g. websites visited, interest in content, access times).
  • Data subjects: Users (e.g. website visitors, users of online services).
  • Purposes of processing: Provision of our online offer and user-friendliness.
  • Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR). Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR).

Further information on processing processes, procedures and services:

  • Processing of cookie data  on the basis of consent: We use a consent management procedure: procedures for obtaining, logging, managing and withdrawing consent, in particular for the use of cookies and similar technologies for the storage, reading and processing of information on users' end devices as well as their processing, within the framework of which the consent of the users to the use of cookies,  or in the context of consent management: procedures for obtaining, logging, managing and revoking consents, in particular for the use of cookies and similar technologies for the storage, reading and processing of information on users' end devices as well as their processing methods and providers referred to as processing and providers, as well as managed and revoked by the users. In this case, the declaration of consent is stored in order not to have to repeat its request again and to be able to prove the consent in accordance with the legal obligation. The data can be stored on the server side and/or in a cookie (so-called opt-in cookie, or with the help of comparable technologies) in order to be able to assign the consent to a user or their device. Subject to individual information on the providers of cookie management services, the following information applies: The duration of the storage of consent can be up to two years. In this case, a pseudonymous user identifier is formed and stored with the time of consent, information on the scope of the consent (e.g. which categories of cookies and/or service providers) as well as the browser, system and end device used; Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR).
  • Cookie opt-out: In the footer of our website, you will find a link to change your cookie settings and withdraw your consent; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
  • "Cookie Consent" (dp_cookieconsent): In order to give you as a user the opportunity to decide for yourself about the use of cookies that are not technically necessary, we work with a cookie banner. This is an open source cookie consent technology to store your consent to the storage of certain cookies in your browser. The source code can be downloaded from github. When you enter our website, a DP cookie is stored in your browser to store the consents you have given or the withdrawal of those consents. This data will not be shared. The collected data is stored in the browser until you delete the cookie yourself or have it automatically deleted by the browser. Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Business Services

We process data of our contractual and business partners, e.g. customers and interested parties (collectively referred to as "contractual partners") in the context of contractual and comparable legal relationships as well as related measures and in the context of communication with the contractual partners (or pre-contractual), e.g. to answer enquiries.

We process this data in order to fulfil our contractual obligations. This includes, in particular, the obligations to provide the agreed services, any updating obligations and remedies in the event of warranty and other service failures. In addition, we process the data in order to safeguard our rights and for the purpose of the administrative tasks associated with these obligations, as well as the organization of the company. In addition, we process the data on the basis of our legitimate interests in proper and business management as well as in security measures to protect our contractual partners and our business operations from misuse, endangerment of their data, secrets, information and rights (e.g. for the involvement of telecommunications, transport and other auxiliary services as well as subcontractors, banks, tax and legal advisors, payment service providers or tax authorities). Within the scope of applicable law, we only pass on the data of contractual partners to third parties insofar as this is necessary for the aforementioned purposes or for the fulfilment of legal obligations. The contractual partners are informed about other forms of processing, e.g. for marketing purposes, within the framework of this data protection declaration.

We inform the contractual partners which data is required for the aforementioned purposes before or as part of the data collection, e.g. in online forms, by means of special markings (e.g. colours) or symbols (e.g. asterisks or similar), or in person.

We delete the data after the expiry of statutory warranty and comparable obligations, i.e. generally after the expiry of 4 years, unless the data is stored in a customer account, e.g. as long as it must be retained for legal reasons of archiving. The statutory retention period is ten years for documents relevant to tax law as well as for trading books, inventories, opening balance sheets, annual financial statements, the work instructions and other organizational documents and accounting documents required to understand these documents, and six years for received commercial and business letters and reproductions of the sent commercial and business letters. The period begins at the end of the calendar year in which the last entry in the book was made, the inventory, the opening balance sheet, the annual financial statements or the management report were drawn up, the commercial or business letter was received or sent, or the accounting document was created, the record was made or the other documents were created.

Insofar as we use third-party providers or platforms to provide our services, the terms and conditions and data protection notices of the respective third-party providers or platforms apply in the relationship between the users and the providers.

  • Types of data processed: inventory data (e.g. names, addresses); payment data (e.g. bank details, invoices, payment history); contact details (e.g. email, phone numbers); Contract data (e.g. subject matter of the contract, duration, customer category); Usage data (e.g. websites visited, interest in content, access times); Meta, communication and process data (e.g. IP addresses, timings, identification numbers, consent status).
  • Data subjects: Customers; Interested parties. Business and contractual partners.
  • Purposes of processing: Provision of contractual  services and fulfilment of contractual obligations; security measures; contact requests and communication; Office and organizational procedures. Manage and respond to requests.
  • Legal basis: Performance of a contract and pre-contractual enquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR); Legal obligation (Art. 6 para. 1 sentence 1 lit. c) GDPR). Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Further information on processing processes, procedures and services:

  • Customer area: Customers can create an account within our online offering (e.g. customer or user account, or "customer account" for short). If the registration of a customer account is required, customers will be informed of this as well as the information required for registration. Customer accounts are not public and cannot be indexed by search engines. As part of the registration process as well as subsequent logins and use of the customer account, we store the IP addresses of the customers along with the access times in order to be able to prove the registration and prevent any misuse of the customer account. If the customer account has been terminated, the data of the customer account will be deleted after the date of termination, unless it is stored for purposes other than making it available in the customer account or must be kept for legal reasons (e.g. internal storage of customer data, order processes or invoices). It is the customer's responsibility to back up their data upon termination of the customer account; Legal basis: Performance of a contract and pre-contractual enquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR).
  • Automotive industry and vehicle technology: We process the data of our customers and clients in order to enable them to develop, produce and provide vehicle technologies and related services. The required information includes the information required for project implementation and billing, as well as contact information for necessary coordination. Insofar as we have access to information from end customers, employees or other persons, we process it in accordance with legal and contractual requirements;  Legal basis: Performance of a contract and pre-contractual enquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR), Legal obligation (Art. 6 para. 1 sentence 1 lit. c) GDPR  ), Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Provision of the online offer and web hosting

We process users' data in order to be able to provide them with our online services. For this purpose, we process the user's IP address, which is necessary to transmit the content and functions of our online services to the user's browser or device.

  • Types of data processed: usage data (e.g. websites visited, interest in content, access times); Meta, communication and process data (e.g. IP addresses, timings, identification numbers, consent status).
  • Data subjects: Users (e.g. website visitors, users of online services).
  • Purposes of processing: Provision of our online offer and user-friendliness; Information technology infrastructure (operation and provision of information systems and technical equipment (computers, servers, etc.). Security Measures.
  • Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Further information on processing processes, procedures and services:

  • Provision of our online offer on rented  storage space: For the provision of our online offer, we use storage space, computing capacity and software that we rent or otherwise obtain from a corresponding server provider (also known as a "web host"); Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
  • Collection of access data and  log files: Access to our online services is logged in the form of so-called "server log files". The server log files may include the address and name of the websites and files accessed, date and time of access, data volumes transferred, notification of successful retrieval, browser type and version, the user's operating system, referrer URL (the previously visited page) and, as a rule, IP addresses and the requesting provider. On the one hand, the server log files can be used for security purposes, e.g. to avoid overloading the servers (especially in the case of abusive attacks, so-called DDoS attacks) and, on the other hand, to ensure the utilization of the servers and their stability; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR). Deletion of data: Log file information is stored for a maximum of 30 days and then deleted or anonymized. Data whose further retention is necessary for evidentiary purposes are excluded from deletion until the respective incident has been finally clarified.
  • Profihost:   services in the field of providing information technology infrastructure and related services (e.g. storage space and/or computing capacity); Service Provider: Profihost AG, Expo Plaza 1, 30539 Hannover, Germany; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website:https://www.profihost.com/; Privacy Policy: https://www.profihost.com/unternehmen/datenschutzerklaerungData Processing Agreement: Provided by the Service Provider.

Contact & Enquiry Management

When contacting us (e.g. by post, contact form, e-mail, telephone or via social media) as well as in the context of existing user and business relationships, the information provided by the enquiring persons will be processed insofar as this is necessary to answer the contact requests and any measures requested.

  • Types of data processed: contact details (e.g. e-mail, telephone numbers); Content data (e.g. submissions in online forms); Usage data (e.g. websites visited, interest in content, access times); Meta, communication and process data (e.g. IP addresses, timings, identification numbers, consent status).
  • Data subjects: Communication partners.
  • Purposes of processing: contact requests and communication; managing and responding to requests; Feedback (e.g. collecting feedback via online form). Provision of our online offer and user-friendliness.
  • Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR). Performance of a contract and pre-contractual enquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR).

Further information on processing processes, procedures and services:

  • Contact form: If users contact us via our contact form, e-mail or other means of communication, we process the data provided to us in this context in order to process the requested request; Legal basis: Performance of a contract and pre-contractual enquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR), legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Video conferencing, online meetings, webinars and screen sharing

We use third-party platforms and applications (hereinafter referred to as "Conference Platforms") for the purpose of conducting video and audio conferences, webinars and other types of video and audio meetings (hereinafter collectively referred to as "Conference"). When selecting conference platforms and their services, we take into account the legal requirements.

Data processed by conference platforms: In the context of participation in a conference, the conference platforms process the personal data of the participants mentioned below. The scope of the processing depends, on the one hand, on which data is requested in the context of a specific conference (e.g. provision of access data or real names) and which optional information is provided by the participants. In addition to processing for the implementation of the conference, the data of the participants may also be processed by the conference platforms for security purposes or service optimization. The processed data includes personal data (first name, last name), contact information (e-mail address, telephone number), access data (access codes or passwords), profile pictures, details of professional position/function, the IP address of the Internet access, details of the participants' end devices, their operating system, the browser and its technical and linguistic settings, information on the content of the communication processes, i.e. entries in chats, as well as audio and video data, as well as the use of other available features (e.g. surveys). The content of the communications is encrypted to the extent technically provided by the conference providers. If the participants are registered as users with the conference platforms, then further data may be processed in accordance with the agreement with the respective conference provider.

Logging and recordings: If text entries, participation results (e.g. of surveys) as well as video or audio recordings are logged, this will be communicated transparently to the participants in advance and they will be asked for consent if necessary.

Data protection measures of the participants: For the details of the processing of your data by the conference platforms, please note their data protection notices and select the optimal security and data protection settings for you within the settings of the conference platforms. Please also ensure that data and privacy are protected in the background of your recording for the duration of a video conference (e.g. by notifying roommates, locking doors and, as far as technically possible, using the function to make the background unrecognizable). Links to the conference rooms as well as access data may not be passed on to unauthorized third parties.

Notes on legal bases: If, in addition to the conference platforms  , we also process the data of the users and the users ask for their consent to the use of the conference platforms or certain functions (e.g. consent to a recording of conferences), the legal basis for the processing is this consent. Furthermore, our processing may be necessary for the fulfilment of our contractual obligations (e.g. in participant lists, in the case of processing of interview results, etc.). In addition, users' data is processed on the basis of our legitimate interests in efficient and secure communication with our communication partners.

  • Types of data processed: inventory data (e.g. names, addresses); contact details (e.g. email, phone numbers); Content data (e.g. submissions in online forms); Usage data (e.g. websites visited, interest in content, access times); Meta, communication and process data (e.g. IP addresses, timings, identification numbers, consent status).
  • Data subjects: communication partners; Users (e.g. website visitors, users of online services). People depicted.
  • Purposes of processing: Provision of contractual  services and fulfilment of contractual obligations; Contact requests and communication. Office and organizational procedures.
  • Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Further information on processing processes, procedures and services:

Application Procedure

The application process requires applicants to provide us with the data necessary for their assessment and selection. The information required can be found in the job description or, in the case of online forms, in the information provided therein.

Basically, the required information includes information about the person, such as name, address, a contact option and proof of the qualifications necessary for a job. On request, we will also be happy to provide you with information that is required.

If provided, applicants can submit their applications to us using an online form. The data is transmitted to us in encrypted form in accordance with the state of the art. Applicants can also send us their applications via e-mail. However, please note that e-mails on the Internet are generally not sent in encrypted form. As a rule, e-mails are encrypted in transit, but not on the servers from which they are sent and received. Therefore, we cannot assume any responsibility for the transmission path of the application between the sender and the receipt on our server.

For the purposes of searching for applicants, submitting applications and selecting applicants, we may make use of applicant management or recruitment software and platforms and services of third-party providers in compliance with the legal requirements.

Applicants are welcome to contact us about the method of submitting the application or send us the application by post.

Processing of special categories of data: If, in the course of the application process, special categories of personal data (Art. 9 para. 1 GDPR, e.g. health data, such as severely disabled status or ethnic origin) are requested from applicants or communicated by them, their processing is carried out by the controller or the data subject who is entitled to him or her under labour law and social security and social protection law. and to fulfil his or her obligations in this regard, in the case of the protection of the vital interests of candidates or other persons, or for the purposes of preventive health or occupational medicine, for the assessment of the employee's capacity for work, for medical diagnosis, for health or social care care or treatment, or for the management of health or social care systems and services.

Deletion of data:  In the event of a successful application, the data provided by the applicants may be further processed by us for the purposes of the employment relationship. Otherwise, if the application for a job offer is not successful, the applicants' data will be deleted. Applicants' data will also be deleted if an application is withdrawn, which applicants are entitled to do at any time. Subject to a justified revocation by the applicants, the deletion will take place at the latest after the expiry of a period of six months so that we can answer any follow-up questions about the application and comply with our obligations to provide evidence under the regulations on the equal treatment of applicants. Invoices for any reimbursement of travel expenses are archived in accordance with the tax regulations.

Inclusion in an applicant pool: Inclusion in an applicant pool,  if offered, is based on consent. Applicants are informed that their consent to be included in the talent pool is voluntary, has no influence on the ongoing application process and that they can withdraw their consent at any time for the future. If you are included in the applicant pool, your data will be deleted after 12 months.

  • Types of data processed: inventory data (e.g. names, addresses); contact details (e.g. email, phone numbers); Content data (e.g. submissions in online forms); Applicant data (e.g. personal details, postal and contact addresses, the documents associated with the application and the information contained therein, such as . cover letter, curriculum vitae, certificates and other information about the person or qualifications of applicants with regard to a specific job or voluntarily provided by them).
  • Data subjects: Applicants.
  • Purposes of processing: Application procedure (justification and possible subsequent implementation as well as possible subsequent termination of the employment relationship).
  • Legal basis: Application procedure as a pre-contractual or contractual relationship (Art. 6 para. 1 sentence 1 lit. b) GDPR).

Further information on processing processes, procedures and services:

  • P&I HR Platform (LogaHR): services related to employee acquisition/recruitment (employee search, communication, application process, contract negotiations); Service provider: Personal & Informatik AG, Kreuzberger Ring 56, 65205 Wiesbaden, Germany; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.pi-ag.com/; Privacy Policy: https://www.pi-ag.com/datenschutz/; Data Processing Agreement: Provided by the Service Provider.

Whistleblower systems

As part of our whistleblowing process, we use external providers. In doing so, we act within the framework of the legal requirements and ensure that the technical and organizational requirements for the security measures that we comply with are also met by the external providers.

  • Types of data processed: inventory data (e.g. names, addresses); Employee data (e.g. employee master data, personnel file, job applications); contact details (e.g. email, phone numbers); Content data (e.g. submissions in online forms); Usage data (e.g. websites visited, interest in content, access times).
  • Data subjects: Employees (e.g. employees, job applicants, former employees); Third Parties. Whistleblowers.
  • Purposes of processing: Whistleblower protection.
  • Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); Legal obligation (Art. 6 para. 1 sentence 1 lit. c) GDPR). Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

BKMS: We make it possible to report reports via a whistleblower portal. The online tool "BKMS" (Business Keeper Monitoring System) offers web-based access to reporting reports. The communication between your computer and the whistleblowing system takes place via an encrypted connection (SSL). The IP address of your computer is not stored during the use of the whistleblower portal. In order to maintain the connection between your computer and BKMS Incident Reporting, a cookie is stored on your computer, which only contains the session ID (so-called null cookie). The cookie is only valid until the end of your session and becomes invalid when the browser is closed. An order processing agreement has been concluded with the service provider in accordance with Art. 28 GDPR. The legal basis for the use of the whistleblower portal is our legitimate interest (Art. 6 para. 1 sentence 1 lit. f) GDPR) in secure and structured communication and documentation with whistleblowers.

Web Analysis, Monitoring and Optimization

Web analysis (also referred to as "reach measurement") is used to evaluate the flow of visitors to our online offer and may include behaviour, interests or demographic information about visitors, such as age or gender, as pseudonymous values. With the help of the reach analysis, we can, for example, identify at what time our online offer or its functions or content are most frequently used or invite them to be reused. We can also understand which areas need to be optimized.

In addition to web analysis, we can also use test procedures, e.g. to test and optimize different versions of our online offer or its components.

Unless otherwise stated below, profiles, i.e. data aggregated for a usage process, can be created for these purposes and information can be stored in a browser or in a terminal device and read from it. The information collected includes, in particular, websites visited and elements used there, as well as technical information such as the browser used, the computer system used and information on usage times. If users have consented to the collection of their location data vis-à-vis us or the providers of the services we use, location data may also be processed.

The IP addresses of the users are also stored. However, we do use IP masking (i.e., pseudonymization by shortening the IP address) to protect users. In general, in the context of web analysis, A/B testing and optimization, no clear user data (such as e-mail addresses or names) is stored, but pseudonyms. This means that we, as well as the providers of the software used, do not know the actual identity of the users, but only the information stored in their profiles for the purposes of the respective procedures.

  • Types of data processed: usage data (e.g. websites visited, interest in content, access times); Meta, communication and process data (e.g. IP addresses, timings, identification numbers, consent status).
  • Data subjects: Users (e.g. website visitors, users of online services).
  • Purposes of processing: Reach measurement (e.g. access statistics, recognition of returning visitors). Profiles with user-related information (creating user profiles).
  • Security measures: IP  masking (pseudonymization of the IP address).
  • Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. a) GDPR).

Further information on processing processes, procedures and services:

  • Matomo (  without cookies): Matomo is a privacy-friendly web analysis software that is used without cookies and in which the recognition of returning users is carried out with the help of a so-called "digital fingerprint", which is stored anonymously and changed every 24 hours; In the case of "digital fingerprinting", user movements within our online offer are recorded with the help of pseudonymised IP addresses in combination with user-side browser settings in such a way that it is not possible to draw conclusions about the identity of individual users. The user data collected in the context of the use of Matomo is only processed by us and not shared with third parties; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. a) GDPR). Website:https://matomo.org/.

Presence in social networks (social media)

We maintain online presences within social networks and process user data in this context in order to communicate with users who are active there or to offer information about us.

We would like to point out that user data may be processed outside the area of the European Union. This may result in risks for users, for example because it could make it more difficult to enforce users' rights.

Furthermore, user data within social networks is usually processed for market research and advertising purposes. For example, user profiles can be created on the basis of user behavior and the resulting interests of users. In turn, the user profiles can be used, for example, to place advertisements within and outside the networks that presumably correspond to the interests of the users. For these purposes, cookies are usually stored on users' computers, in which the user's usage behaviour and interests are stored. Furthermore, data may also be stored in the usage profiles, regardless of the devices used by the users (in particular if the users are members of the respective platforms and are logged in to them).

For a detailed description of the respective forms of processing and the options for objection (opt-out), we refer to the privacy policies and information provided by the operators of the respective networks.

In the case of requests for information and the assertion of data subject rights, we would also like to point out that these can be most effectively asserted with the providers. Only the providers have access to the user's data and can directly take appropriate measures and provide information. If you still need help, you can contact us.

  • Types of data processed: contact details (e.g. e-mail, telephone numbers); Content data (e.g. submissions in online forms); Usage data (e.g. websites visited, interest in content, access times); Meta, communication and process data (e.g. IP addresses, timings, identification numbers, consent status).
  • Data subjects: Users (e.g. website visitors, users of online services).
  • Purposes of processing: contact requests and communication; Feedback (e.g. collecting feedback via online form). Marketing.
  • Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Further information on processing processes, procedures and services:

  • Instagram: Social network; Service Provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website:https://www.instagram.com; Privacy Policy: https://instagram.com/about/legal/privacyBasis for third-country transfers: Data Privacy Framework (DPF).
  • Facebook pages: profiles within the social network Facebook; Service Provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.facebook.com; Privacy Policy: https://www.facebook.com/about/privacy; Basis for third-country transfers: Data Privacy Framework (DPF); Further information: Together with Meta Platforms Ireland Limited, we are responsible for the collection (but not the further processing) of data of visitors to our Facebook page (so-called "fan page"). This data includes information about the types of content that users view or interact with, or the actions they take (see "Things you and others do and provide" in the Facebook Data Policy: https://www.facebook.com/policy), as well as information about the devices users use (e.g., IP addresses, operating system, browser type, language settings, cookie data; see "Device Information" in the Facebook Data Policy: https://www.facebook.com/policy). As explained in Facebook's Data Policy under "How do we use this information?", Facebook also collects and uses information to provide analytics services, known as "Page Insights", for Page operators to gain insights into how people interact with their Pages and with the content associated with them. We have concluded a special agreement with Facebook ("Information on Page Insights", https://www.facebook.com/legal/terms/page_controller_addendum), which regulates in particular which security measures Facebook must observe and in which Facebook has agreed to fulfil the rights of data subjects (i.e. users can e.g. information or deletion requests directly to Facebook). The rights of users (in particular to information, deletion, objection and complaint to the competent supervisory authority) are not restricted by the agreements with Facebook. For more information, see "About Page Insights" (https://www.facebook.com/legal/terms/information_about_page_insights_data). Joint responsibility is limited to the collection by and transfer of data to Meta Platforms Ireland Limited, a company based in the EU. Further processing of the data is the sole responsibility of Meta Platforms Ireland Limited, in particular with regard to the transfer of the data to the parent company Meta Platforms, Inc. in the USA.
  • LinkedIn:  Social network; Service Providers: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website:https://www.linkedin.com; Privacy Policy: https://www.linkedin.com/legal/privacy-policy; Basis for third-country transfers: Data Privacy Framework (DPF); Possibility of objection (opt-out): https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out; Further information: We are jointly responsible with LinkedIn Ireland Unlimited Company for the collection (but not further processing) of visitor data for the purposes of compiling the "page insights" (statistics) of our LinkedIn profiles. This data includes information about the types of content that users view or interact with, or the actions they take, as well as information about the devices used by users (e.g., IP addresses, operating system, browser type, language settings, cookie data) and details from users' profiles, such as job function, country, industry, hierarchy level, company size, and employment status. Data protection information on the processing of user data by LinkedIn can be found  in LinkedIn's privacy policy: https://www.linkedin.com/legal/privacy-policy We have entered into a special agreement with LinkedIn Ireland ("Page Insights Joint Controller Addendum (the 'Addendum)", https://legal.linkedin.com/pages-joint-controller-addendum), which regulates in particular which security measures LinkedIn must observe and in which LinkedIn has agreed to fulfil the rights of data subjects (i.e. users can e.g. information or deletion requests directly to LinkedIn). The rights of users (in particular to information, deletion, objection and complaint to the competent supervisory authority) are not restricted by the agreements with LinkedIn. Joint responsibility is limited to the collection of the data by and the transfer to Ireland Unlimited Company, a company based in the EU. Further processing of the data is the sole responsibility of Ireland Unlimited Company, in particular with regard to the transmission of the data to the parent company LinkedIn Corporation in the USA.
  • YouTube: social network and video platform; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Privacy Policy:https://policies.google.com/privacy; Basis for third-country transfers: Data Privacy Framework (DPF). Possibility of objection (opt-out): https://myadcenter.google.com/personalizationoff.
  • Xing: Social network; Service provider: New Work SE, Am Strandkai 1, 20457 Hamburg, Germany; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.xing.com/. Privacy Policy:https://privacy.xing.com/de/datenschutzerklaerung.

Management, Organization and Auxiliary Tools

We use services, platforms and software from other providers (hereinafter referred to as "third-party providers") for the purposes of organizing, managing, planning and providing our services. When selecting third-party providers and their services, we comply with the legal requirements.

In this context, personal data may be processed and stored on the servers of third-party providers. This may affect various data that we process in accordance with this privacy policy. This data may include, in particular, master data and contact details of users, data on transactions, contracts, other processes and their contents.

If users are referred to the third-party providers or their software or platforms in the course of communication, business or other relationships with us, the third-party providers may process usage data and metadata for security purposes, service optimization or marketing purposes. We therefore ask you to observe the data protection notices of the respective third-party providers.

  • Types of data processed: content data (e.g. entries in online forms); Usage data (e.g. websites visited, interest in content, access times); Meta, communication and process data (e.g. IP addresses, timings, identification numbers, consent status).
  • Data subjects: communication partners; Users (e.g. website visitors, users of online services). Business and contractual partners.
  • Purposes of processing: Provision of contractual  services and fulfilment of contractual obligations; Office and organizational procedures; Provision of our online offer and user-friendliness. Information technology infrastructure (operation and provision of information systems and technical equipment (computers, servers, etc.).
  • Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Further information on processing processes, procedures and services:

Changes and updates to the Privacy Policy

We ask you to regularly inform yourself about the content of our privacy policy. We will amend the Privacy Policy as soon as the changes to the data processing we carry out make it necessary. We will inform you as soon as the changes require an act of cooperation on your part (e.g. consent) or other individual notification.

If we provide addresses and contact information of companies and organizations in this privacy policy, please note that the addresses may change over time and ask you to check the information before contacting you

Basic information on the legally compliant use of Matomo:

Matomo must be integrated into the cookie consent tool, as the tool may not be used without the user's consent.

Likewise, for the legally compliant use of Matomo, its plugin Privacy Manager must be configured accordingly (abbreviation IP address + in data protection settings, additionally set the button for "Also use anonymised IP when enriching visit" to "Yes").

A web analysis by Matomo can also be carried out if no cookies are set on the website visitor's device. This can also be done via the settings ("deactivate all tracking cookies"). We would prefer this if it does not (very) hinder the result from your point of view.