Privacy policy
Preamble
With the following privacy policy, we would like to inform you about the types of your personal data (hereinafter also referred to as “data”) that we process, for what purposes, and to what extent. The privacy policy applies to all processing of personal data carried out by us, both in the context of providing our services and, in particular, on our websites, in mobile applications, and within external online presences, such as our social media profiles (hereinafter collectively referred to as “online offering”).
The terms used are not gender-specific.
Status: February 25, 2025
Responsible Party
HW Brauerei-Service GmbH & Co. KG
Am Wiesenweg 29
97262 Erbshausen
Authorized Representatives: Ines Sterling (née Bergauer)
Email Address: info@hw-bs.de
Phone: +49 (0) 93 67 / 98 87 84-0
Imprint: https://www.hw-bs.de/impressum/
Data Protection Officer Contact
Dirk J. Raab
Corvo GmbH
Frankenstraße 23
97276 Margetshöchheim
Phone: +49 931 46 099 64
Email: datenschutz@corvo.de
Website: www.corvo.de
Overview of Processing Activities
The following overview summarizes the types of data processed and the purposes of processing and refers to the affected persons.
Types of Processed Data:
- Master data
- Payment data
- Contact data
- Content data
- Contract data
- Usage data
- Meta, communication, and procedural data
- Applicant data
- Log data
Categories of Affected Persons:
- Service recipients and clients
- Interested parties
- Communication partners
- Users
- Business and contractual partners
- Applicants
Purposes of Processing:
- Provision of contractual services and fulfillment of contractual obligations
- Communication
- Security measures
- Reach measurement
- Office and organizational procedures
- Organizational and administrative procedures
- Feedback
- Profiles with user-related information
- Provision of our online offering and user-friendliness
- Information technology infrastructure
- Public relations
- Business processes and economic procedures
- Application procedures
Applicable Legal Bases
Applicable Legal Bases under the GDPR:
The following is an overview of the legal bases under the GDPR on which we process personal data. Please note that, in addition to the GDPR regulations, national data protection regulations may apply in your or our country of residence or registered office. If more specific legal bases are relevant in individual cases, we will inform you of these in the privacy policy.
- Consent (Art. 6 para. 1 sentence 1 lit. a GDPR) – The data subject has given consent to the processing of their personal data for one or more specific purposes.
- Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b GDPR) – The processing is necessary for the performance of a contract to which the data subject is a party, or to carry out pre-contractual measures taken at the data subject’s request.
- Legal obligation (Art. 6 para. 1 sentence 1 lit. c GDPR) – The processing is necessary to fulfill a legal obligation to which the controller is subject.
- Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR) – The processing is necessary to safeguard the legitimate interests of the controller or a third party, provided that these are not overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data.
- Application procedures as a pre-contractual or contractual relationship (Art. 6 para. 1 sentence 1 lit. b GDPR) – Insofar as special categories of personal data within the meaning of Art. 9 para. 1 GDPR (e.g., health data, such as disability status or ethnic origin) are requested from applicants during the application process, so that the controller or the data subject can exercise rights arising from labor law and social security and social protection law and fulfill related obligations, the processing takes place in accordance with Art. 9 para. 2 lit. b GDPR. In cases where the protection of vital interests of applicants or other persons is necessary, processing is carried out in accordance with Art. 9 para. 2 lit. c GDPR or for purposes of health care or occupational medicine, for the assessment of the employee’s working capacity, medical diagnostics, health or social care or treatment, or for the administration of systems and services in the health or social sector pursuant to Art. 9 para. 2 lit. h GDPR. In the case of voluntary consent to the processing of special categories of data, processing is based on Art. 9 para. 2 lit. a GDPR.
National Data Protection Regulations in Germany:
In addition to the GDPR, national data protection regulations apply in Germany. This particularly includes the Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG), which contains specific regulations on the right to information, the right to deletion, the right to object, the processing of special categories of personal data, processing for other purposes, transmission, and automated individual decision-making, including profiling. Furthermore, data protection laws of the individual federal states may apply.
Security Measures
We take appropriate technical and organizational measures in accordance with legal requirements, taking into account the state of the art, implementation costs, and the nature, scope, circumstances, and purposes of processing, as well as the varying probabilities and severity of risks to the rights and freedoms of natural persons, to ensure a level of protection appropriate to the risk.
These measures include, in particular, securing the confidentiality, integrity, and availability of data by controlling physical and electronic access to the data, as well as access, entry, transmission, availability protection, and separation of data. In addition, we have established procedures to ensure the exercise of data subject rights, data deletion, and responses to data risks. Furthermore, we take data protection into account in the development and selection of hardware, software, and processes in accordance with the principle of data protection by design and by default.
IP Address Anonymization:
If IP addresses are processed by us or by the service providers and technologies used, and the processing of a full IP address is not required, the IP address will be shortened (also known as “IP masking”). In this process, the last two digits or the last part of the IP address after a period are removed or replaced with placeholders. The purpose of shortening the IP address is to prevent or significantly hinder the identification of a person based on their IP address.
Securing Online Connections with TLS/SSL Encryption Technology (HTTPS):
To protect users’ data transmitted via our online services from unauthorized access, we use TLS/SSL encryption technology. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the cornerstones of secure data transmission on the internet. These technologies encrypt the information transmitted between the website or app and the user’s browser (or between two servers), thereby protecting the data from unauthorized access. TLS, as the more advanced and secure version of SSL, ensures that all data transmissions meet the highest security standards. If a website is secured with an SSL/TLS certificate, this is indicated by the display of HTTPS in the URL, signaling to users that their data is transmitted securely and in encrypted form.
Transfer of Personal Data
In the context of our processing of personal data, it may happen that this data is transferred to other entities, companies, legally independent organizational units, or individuals or disclosed to them. Recipients of this data may include service providers tasked with IT functions or providers of services and content integrated into a website. In such cases, we observe the legal requirements and, in particular, conclude appropriate contracts or agreements with the recipients of your data to ensure the protection of your data.
International Data Transfers
Data Processing in Third Countries:
If we process data in a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)) or if processing takes place in the context of using third-party services or disclosing or transferring data to other persons, entities, or companies, this only occurs in compliance with legal requirements. If the data protection level in the third country has been recognized by an adequacy decision (Art. 45 GDPR), this serves as the basis for the data transfer. Otherwise, data transfers only take place if the data protection level is otherwise ensured, particularly through standard contractual clauses (Art. 46 para. 2 lit. c GDPR), explicit consent, or in the case of contractual or legally required transfers (Art. 49 para. 1 GDPR). We will also inform you about the legal basis of third-country transfers for each provider from the third country, with adequacy decisions taking precedence.
Information on third-country transfers and existing adequacy decisions can be found on the EU Commission’s website:
EU Commission – International Dimension of Data Protection
EU-US Trans-Atlantic Data Privacy Framework:
Within the scope of the so-called “Data Privacy Framework” (DPF), the EU Commission has also recognized the data protection level of certain companies from the USA as secure within the framework of the adequacy decision of July 10, 2023. The list of certified companies and further information about the DPF can be found on the website of the U.S. Department of Commerce:
Data Privacy Framework (DPF) – U.S. Department of Commerce
https://www.dataprivacyframework.gov
We will inform you in our privacy notices about which service providers used by us are certified under the Data Privacy Framework.
General Information on Data Storage and Deletion
We delete personal data that we process in accordance with legal requirements as soon as the underlying consents are revoked or no further legal basis for processing exists. This applies to cases where the original purpose of processing no longer applies or the data is no longer needed. Exceptions to this rule exist if legal obligations or special interests require longer retention or archiving of the data.
In particular, data that must be retained for commercial or tax reasons, or whose storage is necessary for legal prosecution or to protect the rights of other natural or legal persons, will be archived accordingly.
Our data protection notices contain additional information on data retention and deletion, which are specifically relevant to certain processing operations.
If multiple retention periods or deletion deadlines are specified for a piece of data, the longest period always applies.
If a period does not explicitly start on a specific date and lasts at least one year, it automatically begins at the end of the calendar year in which the event triggering the period occurred. In the case of ongoing contractual relationships where data is stored, the event triggering the period is the effective date of termination or other end of the legal relationship.
Data that is no longer needed for the original purpose but is kept for legal reasons or other justified purposes will only be processed for the reasons that justify its retention.
Further Information on Processing Operations, Procedures, and Services:
Retention and Deletion of Data: The following general periods apply to retention and archiving under German law:
- 10 years – Retention period for books and records, annual financial statements, inventories, management reports, opening balance sheets, as well as the necessary work instructions and other organizational documents for understanding them, booking vouchers, and invoices (§ 147 (3) in conjunction with (1) No. 1, 4 and 4a AO, § 14b (1) UStG, § 257 (1) No. 1 and 4, (4) HGB).
- 6 years – Other business documents: received commercial or business letters, copies of dispatched commercial or business letters, other documents relevant for taxation, such as hourly wage sheets, operational accounting records, calculation documents, price labels, and payroll records, as long as they are not booking vouchers and cash register strips (§ 147 (3) in conjunction with (1) No. 2, 3, 5 AO, § 257 (1) No. 2 and 3, (4) HGB).
- 3 years – Data necessary to take potential warranty and compensation claims or similar contractual claims and rights into account, as well as related inquiries, based on previous business experience and common industry practices, will be stored for the duration of the regular statutory limitation period of three years (§§ 195, 199 BGB).
Rights of Data Subjects
Rights of data subjects under the GDPR: As a data subject under the GDPR, you have various rights, particularly as outlined in Articles 15 to 21 of the GDPR:
Right to Object: You have the right to object at any time to the processing of your personal data based on Article 6(1)(e) or (f) GDPR for reasons arising from your particular situation; this also applies to profiling based on these provisions. If your personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data for such marketing; this also applies to profiling to the extent it is related to such direct marketing.
Right to Withdraw Consent: You have the right to withdraw consent granted at any time.
Right of Access: You have the right to request confirmation as to whether data concerning you is being processed and to obtain information about this data as well as further information and a copy of the data as per legal requirements.
Right to Rectification: You have the right, as per legal requirements, to request the completion of data concerning you or the rectification of inaccurate data concerning you.
Right to Erasure and Restriction of Processing: You have the right, as per legal requirements, to demand that data concerning you be deleted immediately or, alternatively, to demand restriction of the processing of your data as per legal requirements.
Right to Data Portability: You have the right to receive data concerning you that you have provided to us in a structured, commonly used, and machine-readable format or to request the transmission to another controller, in accordance with legal requirements.
Right to Lodge a Complaint with a Supervisory Authority: In accordance with legal requirements and without prejudice to any other administrative or judicial remedy, you also have the right to lodge a complaint with a data protection supervisory authority, in particular in the member state of your habitual residence, workplace, or the place of the alleged infringement if you believe that the processing of personal data relating to you infringes the GDPR.
Business Services
We process data from our contractual and business partners, such as customers and interested parties (collectively referred to as “contractual partners”), within the context of contractual and similar legal relationships, as well as related measures and for communication with the contractual partners (or pre-contractually), such as to respond to inquiries.
We use this data to fulfill our contractual obligations, including, in particular, the obligations to provide the agreed services, any update obligations, and remedies in the event of warranty or other performance issues. Additionally, we use the data to protect our rights and for purposes related to the administrative tasks and organizational management associated with these obligations. We also process the data based on our legitimate interests in proper and economically sound business management and in implementing security measures to protect our contractual partners and business operations from misuse and threats to their data, secrets, information, and rights (e.g., involving telecommunications, transport, and other auxiliary services, as well as subcontractors, banks, tax and legal advisors, payment service providers, or financial authorities). In compliance with applicable laws, we only disclose contractual partners’ data to third parties as necessary for the aforementioned purposes or to meet legal obligations. Contractual partners are informed of additional processing, such as for marketing purposes, within this privacy notice.
We inform contractual partners of the data required for the aforementioned purposes before or during data collection, e.g., in online forms, through special markings (e.g., colors) or symbols (e.g., asterisks or similar), or personally.
We delete the data after the expiry of statutory warranty and comparable obligations, generally after four years, unless the data is stored in a customer account, e.g., as long as it must be kept for archiving purposes for legal reasons (usually for tax purposes for ten years). Data disclosed to us by the contractual partner as part of an assignment will be deleted as per legal requirements and generally upon completion of the assignment.
Processed Data Types:
- Inventory Data: Full name, residential address, contact information, customer number, etc.
- Payment Data: Bank details, invoices, payment history.
- Contact Data: Postal and email addresses, phone numbers.
- Contract Data: Contract subject, duration, customer category.
Data Subjects: Service recipients and clients; prospective customers; business and contractual partners.
Purposes of Processing: Fulfillment of contractual services and obligations; communication; office and organizational procedures; business processes and economic management.
Retention and Deletion: Deletion in accordance with the information provided in the section “General Information on Data Storage and Deletion.”
Legal Basis: Fulfillment of contract and pre-contractual inquiries (Art. 6(1)(b) GDPR); Legal obligation (Art. 6(1)(c) GDPR); Legitimate interests (Art. 6(1)(f) GDPR).
Further Information on Processing Operations, Procedures, and Services:
Craft Services: We process the data of our customers and clients (collectively referred to as “customers”) to enable the selection, purchase, or commissioning of the chosen services or works, as well as related activities, including payment and delivery or performance.
The required information is marked as such within the order, purchase, or similar contract conclusion and includes the data necessary for delivery and billing, as well as contact information for potential follow-ups;
Legal Basis: Fulfillment of contract and pre-contractual inquiries (Art. 6(1)(b) GDPR).
Provision of Online Services and Web Hosting
We process user data in order to provide our online services. For this purpose, we process the user’s IP address, which is necessary to deliver the content and functionalities of our online services to the user’s browser or device.
Processed Data Types: Usage data (e.g., page views, duration of stay, click paths, usage intensity and frequency, types of devices and operating systems used, interactions with content and features); Meta, communication, and procedural data (e.g., IP addresses, time stamps, identification numbers, involved persons); Log data (e.g., log files related to logins or data retrieval or access times).
Affected Persons: Users (e.g., website visitors, users of online services).
Purposes of Processing: Provision of our online services and user-friendliness; IT infrastructure (operation and provision of information systems and technical devices (computers, servers, etc.)); Security measures.
Storage and Deletion: Deletion in accordance with the information in the section “General Information on Data Storage and Deletion”.
Legal Bases: Legitimate interests (Art. 6 (1) Sentence 1 lit. f) GDPR).
Further Information on Processing Activities, Procedures, and Services:
Provision of Online Service on Rented Storage Space: To provide our online services, we use storage space, computing power, and software that we rent or obtain from a server provider (also called “web host”).
Legal basis: Legitimate interests (Art. 6 (1) Sentence 1 lit. f) GDPR).
Collection of Access Data and Log Files: Access to our online services is logged in the form of “server log files”. Server log files may include the address and name of the requested webpages and files, the date and time of retrieval, transmitted data volumes, messages about successful retrieval, browser type and version, the user’s operating system, referrer URL (the previously visited page), and typically IP addresses and the requesting provider. The server log files can be used for security purposes, for example, to avoid server overload (especially in the case of malicious attacks, such as DDoS attacks), and to ensure the load and stability of the servers.
Legal basis: Legitimate interests (Art. 6 (1) Sentence 1 lit. f) GDPR).
Data Deletion: Log file information is stored for a maximum of 30 days and then deleted or anonymized. Data whose further storage is necessary for evidence purposes is exempt from deletion until the respective incident is fully clarified.
Mittwald: Services in the field of information technology infrastructure and related services (e.g., storage space and/or computing capacity);
Service provider: Mittwald CM Service GmbH & Co. KG, Königsberger Straße 4-6, 32339 Espelkamp, Germany;
Legal basis: Legitimate interests (Art. 6 (1) Sentence 1 lit. f) GDPR);
Website: https://www.mittwald.de;
Privacy policy: https://www.mittwald.de/datenschutz.
Data processing agreement: https://www.mittwald.de/faq/service-informationen/faq/datenschutz-alles-wichtige-zur-dsgvo.
Use of Cookies
Cookies are small text files or other storage markers that store and read information on devices. For example, they are used to store login status in a user account, shopping cart contents in an online store, viewed content, or functions used on an online service. Cookies can also be used for various purposes, such as ensuring the functionality, security, and comfort of online services and creating visitor traffic analyses.
Consent Information: We use cookies in compliance with legal regulations. Therefore, we obtain prior consent from users, unless it is not required by law. Permission is not necessary, particularly when storing and reading information, including cookies, is essential to provide the user with a telemedia service they explicitly requested (i.e., our online service). The revocable consent is clearly communicated to users and includes information on the specific cookie usage.
Information on Data Protection Legal Basis: The legal basis for processing personal data through cookies depends on whether we ask for user consent. If users accept, the legal basis for processing their data is the given consent. Otherwise, the data processed through cookies will be handled based on our legitimate interests (e.g., for the business operation of our online service and improving its usability) or, if this is necessary to fulfill our contractual obligations, when the use of cookies is required to meet our contractual duties. The purposes for which cookies are used are explained in this privacy policy or in our consent and processing procedures.
Storage Duration: The following types of cookies are distinguished based on their storage duration:
Temporary Cookies (also called session cookies): Temporary cookies are deleted once a user leaves an online service and closes their device (e.g., browser or mobile application).
Permanent Cookies: Permanent cookies remain stored even after the device is closed. For example, login status can be saved, and preferred content can be displayed directly when the user revisits a website. The data collected via cookies can also be used for reach measurement. If we do not provide explicit information about the type and storage duration of cookies (e.g., when obtaining consent), users should assume that these cookies are permanent, and the storage duration can be up to two years.
General Information on Revocation and Objection (Opt-out): Users can withdraw their consent at any time and also object to processing in accordance with legal regulations, including via their browser’s privacy settings.
Processed Data Types: Meta, communication, and procedural data (e.g., IP addresses, time stamps, identification numbers, involved persons).
Affected Persons: Users (e.g., website visitors, users of online services).
Legal Bases: Legitimate interests (Art. 6 (1) Sentence 1 lit. f) GDPR). Consent (Art. 6 (1) Sentence 1 lit. a) GDPR).
Further Information on Processing Activities, Procedures, and Services:
Processing Cookie Data Based on Consent: We use a consent management solution to obtain users’ consent for the use of cookies or for the processes and providers mentioned in the consent management solution. This procedure serves to obtain, record, manage, and withdraw consent, particularly regarding the use of cookies and similar technologies for storing, reading, and processing information on users’ devices. In this process, users’ consents for cookie usage and related information processing, including the specific processing and providers mentioned in the consent management process, are obtained. Users also have the option to manage and withdraw their consents. The consent declarations are stored to avoid repeated inquiries and to provide proof of consent in accordance with legal requirements. The data is stored on the server and/or in a cookie (so-called opt-in cookie) or using similar technologies to associate the consent with a specific user or their device. If no specific details are provided regarding the providers of consent management services, the following general information applies: The consent storage duration is up to two years. A pseudonymous user identifier is created, along with the time of consent, the scope of consent (e.g., relevant cookie categories and/or service providers), and information about the browser, system, and used device;
Legal Bases: Consent (Art. 6 (1) Sentence 1 lit. a) GDPR).
BorlabsCookie:
Consent Management: Process for obtaining, recording, managing, and withdrawing consent, particularly for the use of cookies and similar technologies for storing, reading, and processing information on users’ devices and their processing.
Service Provider: Execution on servers and/or computers under its own data protection responsibility;
Website: https://de.borlabs.io/borlabs-cookie/.
Further Information: An individual user ID, language, consent types, and the time of consent are stored server-side and in the cookie on the users’ device.
Contact and Inquiry Management
When contacting us (e.g., by post, contact form, email, phone, or social media) or in the context of existing user and business relationships, the details of the inquiring individuals are processed to the extent necessary to respond to inquiries and requested actions.
Processed Data Types: Personal data (e.g., full name, address, contact information, customer number, etc.); Contact details (e.g., postal and email addresses or phone numbers); Content data (e.g., textual or visual messages and posts, and related information, such as authorship or creation time); Usage data (e.g., page views, duration of stay, click paths, usage intensity and frequency, types of devices and operating systems used, interactions with content and functions). Meta, communication, and procedural data (e.g., IP addresses, time stamps, identification numbers, involved persons).
Affected Persons: Communication partners.
Purposes of Processing: Communication; Organizational and administrative procedures; Feedback (e.g., collecting feedback via online forms). Provision of our online service and user-friendliness.
Storage and Deletion: Deletion in accordance with the information in the section “General Information on Data Storage and Deletion”.
Legal Bases: Legitimate interests (Art. 6 (1) Sentence 1 lit. f) GDPR). Performance of a contract and pre-contractual inquiries (Art. 6 (1) Sentence 1 lit. b) GDPR).
Further Information on Processing Activities, Procedures, and Services:
Contact Form:
When contacting us via our contact form, email, or other communication methods, we process the personal data provided to respond and handle the respective concern. This generally includes details such as name, contact information, and any additional information shared with us and necessary for appropriate processing. We use this data exclusively for the purpose of contact and communication.
Legal Bases: Performance of a contract and pre-contractual inquiries (Art. 6 (1) Sentence 1 lit. b) GDPR), Legitimate interests (Art. 6 (1) Sentence 1 lit. f) GDPR).
Presences on Social Media
We maintain online presences within social networks and process user data in this context to communicate with users active there or to provide information about ourselves.
We would like to point out that user data may be processed outside the European Union. This can pose risks for users, as the enforcement of user rights might be more difficult.
Furthermore, user data within social networks is usually processed for market research and advertising purposes. For example, usage behavior and interests derived from this behavior can be used to create user profiles. These profiles may be used to display advertisements both within and outside the networks that are likely to match the users’ interests. For this reason, cookies are generally stored on users’ devices, which store their usage behavior and interests. Additionally, data in the user profiles can be stored independently of the devices used by the users (especially if they are members of the respective platforms and logged in).
For a detailed description of the respective processing methods and the opt-out options, we refer to the privacy policies and information provided by the operators of the respective networks.
Even in the case of requests for information and the assertion of rights by the data subjects, we would like to point out that these can most effectively be made to the providers. Only they have access to the user data and can directly take appropriate actions and provide information. However, if you still need assistance, you can contact us.
Processed Data Types: Contact data (e.g., postal and email addresses or phone numbers); Content data (e.g., text or image-based messages and posts, and related information, such as author information or creation time); Usage data (e.g., page views and duration of stay, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and features).
Affected Persons: Users (e.g., website visitors, users of online services).
Purpose of Processing: Communication; Feedback (e.g., collecting feedback via online forms); Public relations.
Retention and Deletion: Deletion according to the information in the section “General Information on Data Storage and Deletion.”
Legal Basis: Legitimate interests (Art. 6 (1) sentence 1 lit. f GDPR).
Additional Notes on Processing Processes, Procedures, and Services:
- Instagram: Social network enabling sharing of photos and videos, commenting and favoriting posts, sending messages, subscribing to profiles and pages;
- Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland;
- Legal basis: Legitimate interests (Art. 6 (1) sentence 1 lit. f GDPR);
- Website: https://www.instagram.com;
- Privacy Policy: https://privacycenter.instagram.com/policy.
- Basis for third-country transfers: Data Privacy Framework (DPF).
- Facebook Pages: Profiles within the social network Facebook – We are jointly responsible with Meta Platforms Ireland Limited for the collection (but not the further processing) of data from visitors of our Facebook page (so-called “Fanpage”). This data includes information about the types of content users view or interact with or actions they perform (see under “Things You and Others Do and Provide” in the Facebook Data Policy: https://www.facebook.com/privacy/policy/), as well as information about the devices users use (e.g., IP addresses, operating system, browser type, language settings, cookie data; see under “Device Information” in the Facebook Data Policy: https://www.facebook.com/privacy/policy/). As described in the Facebook Data Policy under “How Do We Use This Information?”, Facebook also collects and uses information to provide analytics services, so-called “Page Insights,” for page operators, so that they can gain insights into how people interact with their pages and associated content. We have entered into a specific agreement with Facebook (“Page Insights Information,” https://www.facebook.com/legal/terms/page_controller_addendum), which particularly regulates the security measures Facebook must follow and in which Facebook has agreed to fulfill the rights of data subjects (i.e., users can request information or deletion directly from Facebook). The rights of users (particularly the right to access, deletion, objection, and complaint to the competent supervisory authority) are not restricted by the agreements with Facebook. Further information can be found in the “Page Insights Information” (https://www.facebook.com/legal/terms/information_about_page_insights_data). Joint responsibility is limited to the collection and transmission of data to Meta Platforms Ireland Limited, a company based in the EU. The further processing of the data is the sole responsibility of Meta Platforms Ireland Limited, particularly with regard to the transmission of data to the parent company Meta Platforms, Inc. in the USA;
- Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland;
- Legal basis: Legitimate interests (Art. 6 (1) sentence 1 lit. f GDPR);
- Website: https://www.facebook.com;
- Privacy Policy: https://www.facebook.com/privacy/policy/;
- Basis for third-country transfers: Data Privacy Framework (DPF).
- LinkedIn: Social network – We are jointly responsible with LinkedIn Ireland Unlimited Company for the collection (but not the further processing) of data from visitors, which is used for creating “Page Insights” (statistics) for our LinkedIn profiles. This data includes information about the types of content users view or interact with or actions they perform, as well as information about the devices users use (e.g., IP addresses, operating system, browser type, language settings, cookie data), and profile information such as job function, country, industry, hierarchy level, company size, and employment status. Data protection information regarding the processing of user data by LinkedIn can be found in LinkedIn’s privacy policy: https://www.linkedin.com/legal/privacy-policy. We have entered into a specific agreement with LinkedIn Ireland (“Page Insights Joint Controller Addendum (the ‘Addendum’)”, https://legal.linkedin.com/pages-joint-controller-addendum), which particularly regulates the security measures LinkedIn must follow and in which LinkedIn has agreed to fulfill the rights of data subjects (i.e., users can request information or deletion directly from LinkedIn). The rights of users (particularly the right to access, deletion, objection, and complaint to the competent supervisory authority) are not restricted by the agreements with LinkedIn. Joint responsibility is limited to the collection of data by and the transmission to LinkedIn Ireland Unlimited Company, a company based in the EU. The further processing of the data is solely the responsibility of LinkedIn Ireland Unlimited Company, particularly with regard to the transmission of data to the parent company LinkedIn Corporation in the USA;
- Service provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland;
- Legal basis: Legitimate interests (Art. 6 (1) sentence 1 lit. f GDPR);
- Website: https://www.linkedin.com;
- Privacy Policy: https://www.linkedin.com/legal/privacy-policy;
- Basis for third-country transfers: Data Privacy Framework (DPF);
- Opt-out possibility: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.
Plug-ins and Embedded Functions as well as Content
We integrate functional and content elements into our online offering that are sourced from the servers of their respective providers (hereinafter referred to as “third-party providers”). These may include, for example, graphics, videos, or city maps (hereinafter collectively referred to as “content”).
The integration always requires that the third-party providers of this content process the users’ IP addresses, as they would not be able to send the content to the users’ browsers without the IP address. The IP address is therefore required for the display of this content or these functions. We strive to use only content whose providers use the IP address solely for delivering the content. Third-party providers may also use so-called pixel tags (invisible graphics, also referred to as “web beacons”) for statistical or marketing purposes. The “pixel tags” can be used to evaluate information such as visitor traffic on the pages of this website. The pseudonymous information may also be stored in cookies on the users’ devices, containing technical details about the browser and operating system, referring websites, visit times, and additional information regarding the usage of our online offering. This data may also be combined with information from other sources.
Notes on Legal Grounds: If we ask the users for their consent to use third-party providers, the legal basis for the data processing is consent. Otherwise, user data is processed based on our legitimate interests (i.e., interest in efficient, economical, and user-friendly services). In this context, we would also like to point out the information regarding the use of cookies in this privacy statement.
Processed Data Types: Usage data (e.g., page views and duration, click paths, usage intensity and frequency, types of devices and operating systems used, interactions with content and functions). Meta-, communication, and procedural data (e.g., IP addresses, time data, identification numbers, involved persons).
Affected Persons: Users (e.g., website visitors, users of online services).
Purposes of Processing: Provision of our online offering and user-friendliness.
Retention and Deletion: Deletion according to the information in the section “General Information on Data Storage and Deletion.” Storage of cookies for up to 2 years (unless stated otherwise, cookies and similar storage methods may be stored on users’ devices for up to two years).
Legal Grounds: Consent (Art. 6 (1) sentence 1 lit. a GDPR). Legitimate interests (Art. 6 (1) sentence 1 lit. f GDPR).
Further Notes on Processing Processes, Procedures, and Services:
- reCAPTCHA: We integrate the “reCAPTCHA” function to determine whether inputs (e.g., in online forms) are made by humans or by automatically acting machines (so-called “bots”). The processed data may include IP addresses, information about operating systems, devices, or browsers used, language settings, location, mouse movements, keyboard strokes, time spent on web pages, previously visited websites, interactions with reCAPTCHA on other websites, and, possibly, cookies and results from manual detection procedures (e.g., answering questions or selecting objects in images). Data processing is based on our legitimate interest in protecting our online offering from abusive automated crawling and spam;
- Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland;
- Legal grounds: Legitimate interests (Art. 6 (1) sentence 1 lit. f GDPR);
- Website: https://www.google.com/recaptcha/;
- Privacy policy: https://policies.google.com/privacy;
- Basis for third-country transfers: Data Privacy Framework (DPF);
- Opt-out possibility: Opt-out plugin: https://tools.google.com/dlpage/gaoptout?hl=en; settings for ad display: https://myadcenter.google.com/personalizationoff.
- Google Hosted Libraries: Google Hosted Libraries is a globally available Content Delivery Network (CDN) for the most popular open-source JavaScript libraries. The CDN delivers these libraries in order to optimize website loading times, reduce bandwidth usage, and improve performance by using shared, public resources;
- Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland;
- Legal grounds: Legitimate interests (Art. 6 (1) sentence 1 lit. f GDPR);
- Website: https://developers.google.com/speed/libraries/;
- Privacy policy: https://policies.google.com/privacy.
Application Process
The application process requires applicants to provide the data necessary for their assessment and selection. The information required can be found in the job description or, in the case of online forms, from the details provided there.
In general, the required information includes personal data such as name, address, contact details, and evidence of qualifications necessary for a position. Upon request, we are happy to provide further details on which information is required.
If available, applicants are welcome to submit their applications through our online form, which is encrypted according to the latest technology. Alternatively, applications can also be sent by email. However, we would like to point out that emails are generally not sent in encrypted form over the internet. Although emails are usually encrypted in transit, they are not encrypted on the servers from which they are sent and received. Therefore, we cannot take responsibility for the security of the application during its transmission between the sender and our server.
For the purpose of candidate search, submission of applications, and selection of applicants, we may, in compliance with legal regulations, use applicant management or recruitment software and platforms, as well as services from third-party providers.
Applicants can contact us for information about the type of submission or send their application by mail.
Processing Special Categories of Data: In cases where special categories of personal data (Art. 9 (1) GDPR, such as health data, e.g., disability status or ethnic origin) are requested or provided by applicants during the application process, their processing is carried out so that the responsible party or the affected person can exercise the rights arising from labor law and social security and social protection law, in case of protecting vital interests of the applicants or other persons, or for purposes related to health care or occupational medicine, for assessing the ability to work, for medical diagnosis, for care or treatment in the health or social sector, or for the management of systems and services in the health or social sector.
Data Deletion: The data provided by applicants may be further processed for the purposes of the employment relationship in the case of a successful application. Otherwise, if the application for a position is unsuccessful, the applicant’s data will be deleted. Applicant data will also be deleted if an application is withdrawn, which applicants are entitled to do at any time. Deletion will take place, subject to a legitimate revocation by the applicants, no later than six months after the application process, in order to answer any follow-up questions regarding the application and to comply with our documentation obligations under anti-discrimination laws. Invoices for travel expense reimbursements will be archived according to tax law requirements.
Inclusion in an Applicant Pool: Inclusion in an applicant pool, if offered, is based on consent. Applicants will be informed that their consent to be included in the talent pool is voluntary, has no impact on the ongoing application process, and can be withdrawn at any time for the future.
Processed Data Types: Personal data (e.g., full name, home address, contact information, customer number, etc.); contact data (e.g., postal and email addresses, or phone numbers); content data (e.g., textual or pictorial messages and posts, as well as related information such as authorship or creation time). Applicant data (e.g., personal details, postal and contact addresses, application documents and the information contained therein, such as cover letter, resume, certificates, and any further voluntarily provided information about the applicant’s person or qualifications regarding a specific position).
Affected Persons: Applicants.
Purpose of Processing: Application process (establishment and possible subsequent execution or termination of the employment relationship).
Retention and Deletion: Deletion according to the details provided in the section “General Information on Data Storage and Deletion.”
Legal Grounds: Application process as a pre-contractual or contractual relationship (Art. 6 (1) sentence 1 lit. b GDPR).
Communication via WhatsApp
We use the instant messaging service WhatsApp for communication with our customers and other third parties. The provider is WhatsApp Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.
Communication is encrypted end-to-end (peer-to-peer), which prevents WhatsApp or any other third parties from accessing the content of the communication. However, WhatsApp does have access to metadata generated during the communication process (e.g., sender, recipient, and time). We further note that, according to WhatsApp, it shares personal data of its users with its parent company Meta, based in the USA. For more details on data processing, you can refer to WhatsApp’s privacy policy at: https://www.whatsapp.com/legal/#privacy-policy.
The use of WhatsApp is based on our legitimate interest in providing fast and effective communication with customers, prospects, and other business and contractual partners (Art. 6(1)(f) GDPR). If explicit consent has been requested, data processing is carried out solely on the basis of this consent, which can be withdrawn at any time with effect for the future.
The communication contents exchanged between you and us on WhatsApp will be stored with us until you request deletion, withdraw your consent to storage, or the purpose for the data storage no longer applies (e.g., after processing your request). Mandatory legal provisions, in particular retention periods, remain unaffected.
The company is certified under the “EU-US Data Privacy Framework” (DPF). The DPF is an agreement between the European Union and the United States, which aims to ensure compliance with European data protection standards when processing data in the USA. Any company certified under the DPF commits to adhering to these data protection standards. More information on this is available from the provider at the following link: https://www.dataprivacyframework.gov/participant/7735.
We use WhatsApp in the “WhatsApp Business” version.
Data transfer to the USA is based on the standard contractual clauses of the EU Commission. You can find details here: https://www.whatsapp.com/legal/business-data-transfer-addendum.
We have configured our WhatsApp accounts so that there is no automatic data synchronization with the address book on the smartphones in use.
We have concluded a data processing agreement (DPA) with the above-mentioned provider.
Changes and Updates
We ask you to regularly review the content of our privacy policy. We will adjust the privacy policy as soon as changes in the data processing we carry out make this necessary. We will inform you when changes require your participation (e.g., consent) or any other individual notification.
If we provide addresses and contact information for companies and organizations in this privacy policy, please note that the addresses may change over time and we kindly ask you to verify the details before contacting them.
Definition of Terms
This section provides an overview of the terms used in this privacy policy. Where terms are legally defined, their legal definitions apply. The following explanations primarily serve to aid understanding.
- Master Data: Master data includes essential information necessary for the identification and management of contractual partners, user accounts, profiles, and similar assignments. This can include personal and demographic details such as names, contact information (addresses, phone numbers, email addresses), birth dates, and specific identifiers (user IDs). Master data forms the basis for formal interactions between individuals and services, institutions, or systems, enabling unique identification and communication.
- Content Data: Content data includes information generated during the creation, editing, and publishing of content of any kind. This category of data can include texts, images, videos, audio files, and other multimedia content published on various platforms and media. Content data is not limited to the content itself but also includes metadata that provides information about the content, such as tags, descriptions, author information, and publication dates.
- Contact Data: Contact data includes essential information that allows communication with individuals or organizations. This includes phone numbers, postal addresses, and email addresses, as well as communication channels such as social media handles and instant messaging identifiers.
- Meta, Communication, and Procedural Data: Meta, communication, and procedural data are categories that contain information about how data is processed, transmitted, and managed. Metadata, also known as data about data, includes information describing the context, origin, and structure of other data. This can include file size, creation dates, document authors, and revision histories. Communication data captures the exchange of information between users via various channels, such as email correspondence, call logs, messages in social networks, and chat histories, including the participants, timestamps, and transmission paths. Procedural data describes processes and workflows within systems or organizations, including transaction logs, activity logs, and audit logs used for tracking and verifying operations.
- Usage Data: Usage data refers to information that captures how users interact with digital products, services, or platforms. This data includes a wide range of information that shows how users use applications, which features they prefer, how long they stay on certain pages, and how they navigate through an application. Usage data can also include usage frequency, activity timestamps, IP addresses, device information, and location data. It is especially valuable for analyzing user behavior, optimizing user experiences, personalizing content, and improving products or services.
- Personal Data: “Personal data” refers to all information related to an identified or identifiable natural person (hereinafter “data subject”); a natural person is considered identifiable if they can be directly or indirectly identified, particularly by reference to an identifier such as a name, identification number, location data, an online identifier (e.g., cookie), or one or more specific factors expressing the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.
- Profiles with User-Related Information: The processing of “profiles with user-related information,” or simply “profiles,” refers to any automated processing of personal data, where such data is used to analyze, evaluate, or predict specific personal aspects related to a natural person (depending on the type of profiling, this can include various information about demographics, behavior, and interests, such as interactions with websites and their content). Profiling often uses cookies and web beacons.
- Log Data: Log data refers to information about events or activities that have been logged in a system or network. This data typically includes timestamps, IP addresses, user actions, error messages, and other details about the usage or operation of a system. Log data is often used for analyzing system issues, monitoring security, or creating performance reports.
- Reach Measurement: Reach measurement (also known as web analytics) is used to evaluate visitor traffic to an online offering and may include behavior or interests of visitors regarding specific information, such as content on websites. Reach analysis allows operators of online offerings to see, for example, when users visit their websites and which content they are interested in. It helps them better align website content with visitors’ needs. Pseudonymous cookies and web beacons are often used for reach analysis to recognize returning visitors and obtain more accurate usage analytics for an online offering.
- Tracking: “Tracking” refers to the ability to track a user’s behavior across multiple online offerings. Typically, behavioral and interest information is stored in cookies or on the servers of the tracking technology providers for the online offerings used (known as profiling). This information can be used, for example, to display advertisements to users that are likely to match their interests.
- Data Controller: The “data controller” refers to the natural or legal person, authority, agency, or other body that alone or jointly with others determines the purposes and means of processing personal data.
- Processing: “Processing” refers to any operation or set of operations performed on personal data, whether or not by automated means. The term is broad and encompasses almost any handling of data, including collection, evaluation, storage, transmission, or deletion.
- Contractual Data: Contractual data includes specific information related to the formalization of an agreement between two or more parties. It documents the conditions under which services or products are provided, exchanged, or sold. This data category is essential for managing and fulfilling contractual obligations and includes details such as contract start and end dates, the nature of the agreed services or products, price agreements, payment conditions, termination rights, renewal options, and specific clauses or conditions. It serves as the legal foundation for the relationship between the parties and is crucial for clarifying rights and duties, enforcing claims, and resolving disputes.
- Payment Data: Payment data includes all information necessary for processing payment transactions between buyers and sellers. This data is crucial for e-commerce, online banking, and any other form of financial transaction. It includes details such as credit card numbers, bank details, payment amounts, transaction data, verification numbers, and invoicing information. Payment data may also include information about the payment status, chargebacks, authorizations, and fees.