Data protection

Introduction

This data protection declaration clarifies the type, scope and purpose of the processing of personal data (hereinafter referred to as “data”) in the context of the provision of our services and within our online offer and the websites, functions and content associated with it as well as external online presences, such as our social media profile (hereinafter jointly referred to as “online offer”):

  • In the first section of the data protection declaration you will find information on the person responsible for processing and an overview of our processing operations.
  • In the second section you will find information on your rights, the relevant legal norms and general information on our processing of data.
  • The third section contains information on the individual processing operations. This section is divided into other areas, such as our core services, range measurement or marketing.
  • The fourth and last section contains explanations and descriptions of the terms used in the data protection declaration. This means that if you are unfamiliar with the terms used (such as “personal reference” or “cookie”), please look them up in the last section. Otherwise, all terms used (e.g. “person responsible” or “user”) are to be understood as gender-neutral.

Table of contents

Section I – Person in charge and overview of data processing operations

  • Responsible
  • Description of our services and tasks
  • Types of data processed:
  • Processing of special categories of data (Article 9 (1) GDPR)
  • Categories of persons affected by the processing:
  • Purpose of processing

Section II – Data subject rights, legal bases and general information

  • Rights of data subjects
  • Right of withdrawal
  • Right to object
  • Cookies and the right to object in direct marketing
  • Exclusively automated data processing
  • Deletion of data and archiving obligations
  • Changes and updates to the privacy policy
  • Relevant legal bases
  • Security of data processing
  • Disclosure and Transfer of Data
  • Transfers to third countries

Section III – Processing operations

Core area of data processing

  • Agency services
  • Renting hardware
  • Recruiting & Consulting
  • Answering inquiries and customer service
  • Administration, financial accounting, office organization, archiving
  • Business analyses and market research

Data protection information for applicants

  • Application procedure
  • Application procedure – applicant pool

External online presences

  • Online presence in social media

Web server and security

  • Hosting
  • Server logs

Embedded content and functions

  • Google services and content
  • Typekit – External fonts
  • Twitter functions and content
  • Videos from Vimeo

Optimization and safety

  • Mouseflow

Marketing

  • Newsletter distribution and success measurement
  • Communication via mail, e-mail, fax or telephone
  • Sweepstakes and contests

Reach measurement, online marketing and technology partners

  • Google Tag Manager
  • Google Analytics
  • Google AdWords

Section IV – Definitions

Section I – Person in charge and overview of data processing operations

Responsible

Mangold & Mangold Corporate Communications GmbH & Co. KG

Prinzenstrasse 5, 55218 Ingelheim am Rhein

Personally liable partner: Mangold & Mangold Verwaltungs-GmbH with the managing directors

Matthias Mangold & Horst Mangold

Phone: +49 61 32 / 8990 4210

E-mail: info@mangold-mangold.com

Complete imprint: http://mangold-mangold.com/impressum-2/

The person responsible is also referred to below as “we” or “us”. Note: The data protection officer must be specified if a data protection officer has to be appointed. Otherwise this passage can be removed. According to the current legal view, the specification of the email address is sufficient as a contact option. Other information such as name, address or phone number is recommended but optional.

Description of our services and tasks

Advertising agency services, consulting services, hardware rental.

Types of data processed:

  • Inventory data (e.g., names, addresses).
  • Contact information (e.g., email addresses, phone numbers).
  • Content data (e.g., text input, photographs, videos).
  • Contract data (e.g., subject matter of the contract, term, customer category).
  • Payment data (e.g., bank details, payment history).
  • Usage data (e.g., web pages visited, interest in content, access times).
  • Meta/communication data (e.g., device information, IP addresses).
  • Applicant data (e.g., names, contact information, qualifications, application materials).

Processing of special categories of data (Article 9 (1) GDPR)

As a matter of principle, no special categories of data are processed unless they are supplied for processing by the users, e.g. entered in online forms.

Categories of persons affected by the processing:

  • Customers / prospects / business partners.
  • Visitors and users of the online offer.
  • Applicants.

In the following, we also refer to the affected parties collectively as “users”.

Purpose of processing

  • Provision of the online offer, its contents and functions.
  • Provision of contractual services, service and customer care.
  • Respond to contact requests and communicate with users.
  • Marketing, advertising and market research.
  • Safety measures.

Automated decision in individual cases (Art. 22 GDPR):

We hereby inform you that we do not carry out exclusively automated data processing.

Status: May 2018

Section II – Data subject rights, legal bases and general information

Rights of data subjects

You have the right to request confirmation as to whether the data in question is being processed and to request information about this data as well as further information and a copy of the data in accordance with Art. 15 GDPR.

In accordance with Art. 16 GDPR, you have the right to request the completion of the data concerning you or the correction of incorrect data concerning you.

In accordance with Art. 17 GDPR, you have the right to demand that the data in question be deleted immediately, or alternatively, in accordance with Art. 18 GDPR, to demand a restriction of the processing of the data.

In accordance with Art. 20 GDPR, you have the right to receive the data concerning you that you have provided to us and to request its transfer to other data controllers.

Furthermore, pursuant to Art. 77 GDPR, you have the right to lodge a complaint with the competent supervisory authority.

Right of withdrawal

Pursuant to Art. 7 para. 3 GDPR, you have the right to withdraw consent granted, with effect for the future.

Right to object

You may object to the future processing of data relating to you in accordance with Art. 21 GDPR at any time. The objection can be made in particular against the processing for purposes of direct advertising.

Cookies and the right to object in direct marketing

We use temporary and permanent cookies, i.e. small files that are stored on users’ devices (for an explanation of the term and its function, see the last section of this Privacy Policy). In part, the cookies serve security purposes or are necessary for the operation of our online offer (e.g., for the display of the website) or to store the user decision when confirming the cookie banner. In addition, we or our technology partners use cookies for reach measurement and marketing purposes, about which users are informed in the course of the privacy policy.

If users do not want cookies to be stored on their computer, they are asked to disable the corresponding option in the system settings of their browser. Stored cookies can be deleted in the system settings of the browser. The exclusion of cookies can lead to functional restrictions of this online offer.

A general objection to the use of cookies used for online marketing purposes can be declared for a large number of the services, especially in the case of tracking, via the U.S. site http://www.aboutads.info/choices/ or the EU site http://www.youronlinechoices.com/. Furthermore, the storage of cookies can be prevented by deactivating them in the browser settings. Please note that in this case not all functions of this online offer can be used.

Exclusively automated data processing

In accordance with Art. 22 GDPR, you have the right not to be subject to a decision based solely on automated processing – including profiling – which has legal effect on you or significantly affects you in a similar way.

We hereby inform you that we do not carry out exclusively automated data processing.

Deletion of data and archiving obligations

The data processed by us will be deleted or restricted in its processing in accordance with Art. 17 and 18 GDPR. Unless expressly stated in this privacy policy, the data stored by us will be deleted as soon as it is no longer required for its intended purpose and the deletion does not conflict with any statutory retention obligations. If the data is not deleted because it is required for other and legally permissible purposes, its processing will be restricted. That is, the data is blocked and not processed for other purposes. This applies, for example, to data that must be retained for reasons of commercial or tax law.

Note text: The information applies to Germany. Please change this information if other retention requirements apply to you:

According to legal requirements, the storage takes place in particular for 6 years in accordance with § 257 para. 1 HGB (commercial books, inventories, opening balances, annual financial statements, commercial letters, accounting vouchers, etc.) and for 10 years in accordance with § 147 para. 1 AO (books, records, management reports, accounting vouchers, commercial and business letters, documents relevant for taxation, etc.).

Changes and updates to the privacy policy

We ask you to regularly inform yourself about the content of our privacy policy. We will adapt the privacy policy as soon as the changes in the data processing carried out by us make this necessary. We will inform you as soon as the changes require an act of cooperation on your part (e.g. consent) or other individual notification.

Relevant legal bases

In accordance with Art. 13 GDPR, we inform you about the legal basis of our data processing. If the legal basis is not stated in the privacy policy, the following applies: The legal basis for obtaining consent is Art. 6 para. 1 lit. a and Art. 7 GDPR, the legal basis for processing for the fulfillment of our services and implementation of contractual measures as well as answering inquiries is Art. 6 para. 1 lit. b GDPR, the legal basis for processing to fulfill our legal obligations is Art. 6 para. 1 lit. c GDPR, and the legal basis for processing to protect our legitimate interests is Art. 6 para. 1 lit. f GDPR. In the event that vital interests of the data subject or another natural person require the processing of personal data, Art. 6 para. 1 lit. d GDPR serves as the legal basis.

The basis for commercial communications outside of business relationships, in particular via mail, telephone, fax and e-mail, is contained in § 7 UWG.

Security of data processing

In accordance with Art. 32 GDPR, we take appropriate technical and organizational measures to ensure a level of protection appropriate to the risk, taking into account the state of the art, the implementation costs and the type, scope, circumstances and purposes of the processing as well as the different probability of occurrence and severity of the risk for the rights and freedoms of natural persons. The measures include, in particular, securing the confidentiality, integrity and availability of data by controlling physical access to the data as well as access to, input of and transfer of the data, securing its availability and its separation. Furthermore, we have established procedures to ensure the exercise of data subjects’ rights, the deletion of data, and the response to data compromise. We also take the protection of personal data into account as early as the development or selection of hardware, software and processes, in accordance with the principle of data protection through technology design and through data protection-friendly default settings (Art. 25 GDPR).

The security measures include, in particular, the encrypted transmission of data between your browser and our server.

Employees are bound to secrecy with regard to data protection, are instructed and briefed, and are made aware of possible liability consequences.

Disclosure and Transfer of Data

If, as part of our processing, we disclose data to other people and companies (contract processors or third parties), transmit it to them or otherwise grant them access to the data, this is only done on the basis of legal permission (e.g. if a transmission of the data to third parties, such as payment service providers, is required for the fulfillment of the contract pursuant to Art. 6 para. 1 lit. b GDPR), if you have consented, if a legal obligation provides for this, or on the basis of our legitimate interests (e.g. when using agents, web hosts, etc.).

If we commission third parties to process data on the basis of a so-called “order processing contract”, this is done on the basis of Art. 28 GDPR.

If we disclose or transfer data to other companies in our group of companies or otherwise grant them access, this is done in particular for administrative purposes as a legitimate interest and, moreover, on the basis of an order processing contract.

Transfers to third countries

If we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or if this happens as part of the use of third-party services or disclosure or transmission of data to third parties, this will only take place if it is to fulfill our (pre)contractual obligations, on the basis of your consent, on the basis of a legal obligation or on the basis of our legitimate interests. Subject to legal or contractual permissions, we only process or have the data processed in a third country if the special requirements of Art. 44 et seq. GDPR are met. This means that the processing takes place e.g. on the basis of special guarantees, such as the officially recognized determination of a data protection level corresponding to that of the EU (e.g. for the USA through the “Privacy Shield”) or compliance with officially recognized special contractual obligations (so-called “standard contractual clauses”).

Section III – Processing operations

The following presentation provides you with an overview of the processing activities we perform, which we have subdivided into further areas of activity. Please note that the areas of activity are for guidance only and that processing activities may overlap (e.g., the same data may be processed in more than one procedure).

For the sake of clarity and comprehensibility, you will find the frequently repeated terminology in Section IV of this Privacy Policy.

Core area of data processing

This section provides you with information on our core services and tasks, such as responding to inquiries and providing our contractual services as well as the ancillary tasks associated with them.

Agency services

We process our customers’ data as part of our contractual services, which include conceptual and strategic consulting, campaign planning, software and design development/consulting or maintenance, implementation of campaigns and processes/handling, server administration, data analysis/consulting services and training services.

  • Processed data: Inventory data (e.g., names, addresses), contact data (e.g., e-mail, telephone numbers), content data (e.g., text entries, photographs, videos, content of application procedures), contract data (e.g., subject matter of contract, term), payment data (e.g., bank details, payment history), employee and applicant data.
  • Special categories of personal data: Basically no, unless these are components of a commissioned processing.
  • Data subjects: customers, prospective customers, website visitors, employees (freelancers, employees, applicants), business partners and their employees, customers or users.
  • Purpose of processing: provision of contractual services, billing, customer service.
  • Legal basis: Art. 6 para. 1 lit. b GDPR (contractual services), Art. 6 para. 1 lit. f GDPR (analysis, statistics, optimization).
  • Necessity / interest in processing: We process data that are necessary for the justification and fulfillment of the contractual services and point out the necessity of their indication.
  • Disclosure external and purpose: No, only if required within the scope of the order.
  • Processing in third countries: No, only in the context of an entry.
  • Deletion of the data: Deletion takes place after statutory warranty and comparable obligations have expired; the need to keep the data is reviewed every three years; in the case of statutory archiving obligations, the deletion takes place after their expiry (6 years, according to § 257 paragraph 1 HGB, 10 years, according to § 147 paragraph 1 AO); with regard to data processed in the order, the deletion takes place in accordance with the specifications of the order.

Renting hardware

Rental and distribution of hardware (e.g. displays) and related consulting.

  • Processed data: Inventory data (e.g., names, addresses), contact data (e.g., e-mail, telephone numbers), content data (e.g., content of displays), contract data (e.g., subject matter of contract, term), payment data (e.g., bank details, payment history)….
  • Special categories of personal data:
  • Purpose of processing: provision of contractual services, billing, customer service.
  • Necessity / interest in processing: We process data that are necessary for the justification and fulfillment of the contractual services and point out the necessity of their indication.
  • Legal basis: Art. 6 para. 1 lit. b GDPR (performance of contract), Art. 6 para. 1 lit. f GDPR (analysis, statistics, optimization).
  • Affected parties: customers, prospects, business partners.
  • Deletion of the data: Deletion takes place after the expiry of legal warranty and comparable obligations; the necessity of keeping the data is reviewed every three years; in the case of legal archiving obligations, deletion takes place after their expiry (6 years, in accordance with § 257 para. 1 HGB, 10 years, in accordance with § 147 para. 1 AO).

Recruiting & Consulting

Consulting and placement services in the recruiting field; collection of applicant data and forwarding to clients.

  • Processed data: Inventory data (e.g. names, addresses), contact data (e.g. e-mail, telephone numbers), content data (e.g. text input, photographs, videos, content of application procedures), contract data (e.g. subject of the contract, term), payment data (e.g. bank details, payment history), employee and applicant data, usage data (access times, IP), metadata (information on devices used, operating system).
  • Special categories of personal data: No, except subject of the order (data concerning health, religious affiliation, ethnicity – if required for application procedures)….
  • Legal basis: Art. 6 para. 1 lit. b GDPR (contractual services), Art. 6 para. 1 lit. f GDPR (analysis, statistics, optimization).
  • Affected parties: customers, prospects, business partners, applicants.
  • Purpose of processing: provision of contractual services, billing, customer service.
  • Nature, scope, mode of operation of the processing and specific safeguards: We offer an online form, the input of which is transmitted in encrypted form; in the context of commissioned activities, we act on the basis of commissioned processing contracts….
  • Necessity / interest in processing: We process data that are necessary for the justification and fulfillment of the contractual services and point out the necessity of their indication.
  • Disclosure external and purpose: Web hosting, on the basis of a contract processing based on legitimate interests in security and efficiency.
  • Processing in third countries: no.
  • Warranty for processing in third countries:
  • Deletion of the data: With regard to the data of the contractual partners, the deletion takes place after the expiry of statutory warranty and comparable obligations; the need to keep the data is reviewed every three years; in the case of statutory archiving obligations, the deletion takes place after their expiry (6 years, according to § 257 paragraph 1 HGB, 10 years, according to § 147 paragraph 1 AO); with regard to the data of the applicants, the deletion takes place in accordance with the specifications in the order and the legal requirements, i.e. deletion generally takes place 6 months after the end of the application process.

Answering inquiries and customer service

We process the information in the inquiries we receive via our contact form and in other ways, e.g. via e-mail, in order to respond to the inquiries. For these purposes, the requests may be stored in our customer relationship management (CRM) system or in similar procedures that serve us to manage requests.

  • Processed data: Inventory data, contact data, content data, contract data, payment data, usage data, metadata.
  • Affected parties: customers, prospects, business partners, website visitors.
  • Purpose of the processing: answering requests.
  • Legal basis: Art. 6 para. 1 lit. b GDPR in the case of (pre)contractual relationships, otherwise Art. 6 para. 1 lit. f GDPR.
  • Necessity / interest in processing: Necessary to respond to the requests.
  • Disclosure external and purpose: No.
  • Processing in third countries: No.
  • Deletion of data: We delete the requests if they are no longer necessary. We review the necessity every two years; we store requests from customers who have a customer account permanently and refer to the customer account details for deletion. In the case of legal archiving obligations, deletion takes place after their expiry (end of commercial law (6 years) and tax law (10 years) retention obligation).

Administration, financial accounting, office organization, archiving

We process data within the scope of administrative tasks as well as organization of our company, financial accounting and compliance with legal obligations, such as archiving.

Furthermore, we store information on suppliers, event organizers and other business partners on the basis of our business interests, e.g. for the purpose of contacting them at a later date. We store this data, which is mostly company-related, permanently.

  • Processed data: Data that we process as part of our contractual services.
  • Special categories of personal data: no.
  • Legal basis: Art. 6 para. 1 lit. c GDPR, Art. 6 para. 1 lit. f GDPR.
  • Affected parties: customers, prospects, business partners, website visitors.
  • Purpose of processing: administration, financial accounting, office organization, archiving.
  • Necessity / interest in processing: The processing is necessary for the maintenance of our company and our services.
  • Deletion of data: The deletion of the data with regard to contractual services and contractual communication corresponds to the information given for these processing activities.

Business analyses and market research

In order to operate our business economically and to be able to identify market trends, customer and user requirements, we analyze the data available to us on business transactions, contracts, inquiries, etc. This data is then used for the purpose of calculating the cost of sales.

  • Processed data: Inventory data, communication data, contract data, payment data, usage data, metadata.
  • Legal basis: Art. 6 para. 1 lit. f. GDPR.
  • Data subjects: customers, interested parties, business partners, visitors and users of the online offer.
  • Purpose of processing: business analysis, marketing, advertising, market research.
  • Nature, scope, operation of the processing: profiling, first party cookies, anonymous analysis.
  • Necessity / interest in processing: increase in user-friendliness, optimization of the offer, business management.
  • Processing in third countries: No.
  • Deletion of data: If this data is personal, upon termination, otherwise after two years from the conclusion of the contract. In other respects, the macroeconomic analyses and general trend determinations are prepared anonymously wherever possible.

Data protection information for applicants

This section informs applicants about the processing of their data as part of the application process.

Application procedure

Applicants can submit their applications to us using an online form on our website. The data is transmitted to us encrypted according to the state of the art. Alternatively, applicants can send us their applications via e-mail. Please note, however, that e-mails are generally not encrypted and applicants must ensure encryption themselves. We therefore cannot take responsibility for the transmission path of the application between the sender and its receipt on our server and recommend using the online form.

Instead of applying via the online form and e-mail, applicants still have the option of sending us their application by mail.

  • Processed data: Inventory data, contact data, content data (content of application folder, correspondence, internal comments).
  • Special categories of personal data: Yes, to the extent necessary for the application process or brought forward by applicants (e.g. health data).
  • Legal basis: Art. 6 para. 1 lit. b GDPR, § 26 BDSG.
  • Affected parties: Applicants
  • Purpose of the processing: implementation of application procedure, selection of applicants.
  • Special protective measures: Restriction of access to application documents to bodies involved in the application process; encrypted transmission option.
  • Necessity / interest in processing: prerequisite of a selection of applicants.
  • Disclosure external and purpose: PME – Personal- und Managemententwicklung, Horst Mangold, Prinzenstraße 5, 55218 Ingelheim am Rhein (consulting, implementation online application procedure)
  • Privacy Policy: http://mangold-mangold.com/datenschutz/.
  • Processing in third countries: no.
  • Deletion of data: The data provided by the applicants may be further processed by us for the purposes of the employment relationship in the event of a successful application. Otherwise, if the application for a job offer is not successful, the data of the applicants will be deleted or anonymized. Applicants’ data will also be deleted if an application is withdrawn, which applicants are entitled to do at any time. Subject to a justified revocation by the applicant, the data will be deleted after the expiration of a period of six months so that we can answer any follow-up questions about the application and satisfy our obligations to provide evidence under the General Equal Treatment Act (AGG).

Application procedure – applicant pool

If, as part of the application process, we offer applicants the opportunity to be included in our “talent pool” for a period of two years, we will also inform them about the processing relating to the applicant pool:

Applicants are informed that their consent to inclusion in the applicant pool is voluntary, has no influence on the current application process and that they can revoke this consent at any time for the future and declare their objection within the meaning of Art. 21 GDPR.

  • Legal basis: Art. 6 para. 1 lit. b and Art. 7 GDPR, § 26 BDSG.
  • Purpose of the processing: pre-registration of applicants for future application procedures.
  • Special safeguards: The application documents in the talent pool are processed solely in the context of future job postings and employee searches.
  • Deletion of the data: After the expiration of the period of two years.

External online presences

In this section, you will find information on our data processing in the context of operating external online presences, e.g. in social media.

Online presence in social media

We maintain online presences within social networks and platforms in order to be able to communicate with the customers, interested parties and users active there and to inform them about our services there. When calling up the respective networks and platforms, the terms and conditions and data processing policies of their respective operators apply. Unless otherwise stated in our privacy policy, we process the data of users if they communicate with us within the social networks and platforms, e.g. write posts on our online presences or send us messages.

The links/buttons to social networks and platforms (hereinafter referred to as “social media”) used within our online offer generally only establish contact between social networks and users when users click on the links/buttons and the respective networks or their websites are called up. This function corresponds to the way a regular online link works.

  • Social networks/platforms used by us: LinkedIn, Twitter, Xing, YouTube.
  • Processed data: Inventory data, communication data, content data, usage data, metadata.
  • Special categories of personal data: Basically no, unless specified by users.
  • Legal basis: Art. 6 para. 1 lit. f GDPR.
  • Affected parties: users of the social media presences (this may include customers and prospects).
  • Purpose of processing: information and
  • Type, scope, mode of processing: By operators of the respective platforms usually: permanent cookies, tracking, targeting, remarketing, content and behavioral advertising.
  • Necessity / interest in processing: expectations of users who are active on the platforms, business interests.
  • Disclosure external and purpose: To social networks/platforms.
  • Processing in third countries: USA.
  • Guarantee for processing in third countries: Privacy Shield.
  • Deletion of data: The deletion rules of the respective platforms apply.

Web server and security

Hosting

The hosting services used by us serve to provide the following services: Infrastructure and platform services, computing capacity, storage space and database services, security services, technical maintenance services.

  • Processed data: Inventory data, contact data, content data, contract data, usage data, meta/communication data.
  • Special categories of personal data:
  • Legal basis: Art. 6 para. 1 lit. f, Art. 28 GDPR.
  • Data subjects: customers, interested parties, visitors to the online offer.
  • Special protective measures:
  • Processing in third countries: USA.
  • Disclosure external and purpose: 1&1 Internet SE, Elgendorfer Str. 57, 56410 Montabaur (web hosting); Deutsche Telekom AG, Friedrich-Ebert-Allee 140, 53113 Bonn (data storage).
  • Necessity / interest in processing: security, business interests.
  • Deletion: Corresponds to processing within the scope of our core services.

Server logs

The server on which this online offer is located collects so-called log files each time the online offer is accessed, in which user data is stored. The data is used for statistical analysis to maintain and optimize server operation and for security purposes, e.g. to detect potential unauthorized access attempts.

  • Processed data: Usage data and metadata (name of the website accessed, file, date and time of access, amount of data transferred, notification of successful access, browser type and version, the user’s operating system, referrer URL (the previously visited page), IP address and the requesting provider).
  • Special categories of personal data:
  • Legal basis: Art. 6 para. 1 lit. f GDPR.
  • Data subjects: customers, interested parties, visitors to the online offer.
  • Purpose of processing: optimization of server operation and security monitoring.
  • Necessity / interest in processing: security, business interests.
  • Processing in third countries: no.
  • Deletion of data: After 7 days from collection.

Embedded content and functions

In this section we inform you which contents, software or functions (in short “contents”) of other providers we use within the scope of our online offer on the basis of Art. 6 para. 1 lit. f GDPR (so-called “embedding”). The embedding is done to make our online offer more interesting for our users or for legal reasons, e.g. to be able to present videos or social media posts within our online offer at all. The embedding may also serve to improve the speed or security of the online offer, e.g. when software elements or fonts are obtained from other sources. In all cases, the processed data includes the usage data and the metadata of the users as well as the IP address necessarily transmitted to the provider for embedding the content; the data subjects are the visitors of our online offer. The categories of data subjects include the users of our online offer, customers and interested parties. Further explanations, in particular of the modes of operation and protective measures, can be found in the definitions of terms at the end of this privacy policy. The deletion of the data is determined by the data protection conditions of the providers of the embedded content.

Google services and content

We use the following services and content of the provider Google: YouTube – videos; Google Maps – maps; Google Fonts – fonts; Google – Recaptcha (detection of bots during form input).

Typekit – External fonts

Twitter functions and content

Within our online offer, functions and contents of the service Twitter can be integrated. This may include, for example, content such as images, videos, or text and buttons that allow users to express their liking of the content, subscribe to the content creators, or subscribe to our posts.

  • Processed data: Usage data, metadata; if Users are registered with the Service, the above data may be linked to their profiles and to such data stored by the Service (in particular inventory data).
  • Nature, scope, functioning of the processing: social plugins, permanent cookies, third-party cookies, interest-based marketing, tracking, remarketing.
  • Disclosure external: Twitter Inc, 1355 Market Street, Suite 900, San Francisco, CA 94103, USA.
  • Privacy Policy: https://twitter.com/de/privacy.
  • Processing in third countries: USA.
  • Guarantee for processing in third countries: Privacy Shield (https://www.privacyshield.gov/participant?id=a2zt0000000TORzAAO&status=Active).
  • Deletion of data: The data will be deleted in accordance with the provisions of Twitter.

Videos from Vimeo

  • Processed data: Usage data, metadata; if Users are registered with the Service, the above data may be linked to their profiles and to such data stored by the Service (in particular inventory data).
  • Nature, scope, functioning of the processing: permanent cookies, third-party cookies, tracking, interest-based marketing, profiling, remarketing.
  • Opt-Out: For Google services used: http://tools.google.com/dlpage/gaoptout?hl=de (Advertising setting: http://www.google.com/ads/preferences).
  • External Disclosure: Vimeo Inc, Attention: Legal Department, 555 West 18th Street New York, New York 10011, USA.
  • Privacy Policy: https://vimeo.com/privacy.
  • Processing in third countries: USA.
  • Deletion of data: The data will be deleted in accordance with the provisions of Vimeo.

Optimization and safety

This section provides you with information on the data processing we perform for purposes of optimizing our online offering. It serves us primarily to improve the user-friendliness and functionality of our online offer.

Mouseflow

Mouseflow allows us to track the effects of various changes to a website (e.g. changes to input fields, design, etc.) as part of so-called “A/B testing” and with pseudonymous observation of user behavior.

Marketing

This section provides you with information on the data processing we perform for purposes of optimizing our marketing and market research services.

Newsletter distribution and success measurement

We send newsletters, e-mails and other electronic notifications with promotional information (hereinafter “newsletter”) only with the consent of the recipients or a legal permission. Subscriber data is logged, as we are required to provide proof of registrations. We also track whether newsletters have been opened and whether links have been clicked. This information is stored on a per-user basis for technical reasons; it is not used to monitor individual users but rather, for example, to adapt content and offers to users. Any information that we collect in addition to the e-mail address (e.g. name) is used to address the user personally or to adapt the content of the newsletter to the user.

  • Content of the newsletter: As indicated in the registration form, otherwise information about our services and our company.
  • Processed data: Inventory data (e-mail address), usage data (registration time, confirmation time double opt-in, IP address, opening of the e-mail, time and place, time and click on a link in the newsletter).
  • Special categories of personal data:
  • Legal basis: Art. 6 para. 1 lit. a, Art. 7 GDPR and § 7 para. 2 No. 3 UWG, para. 3 (shipping), Art. 6 para. 1 lit. c in conjunction with Art. 7 para. 1 GDPR (logging), Art. 6 para. 1 lit. f GDPR (analysis).
  • Concerned: e-mail recipients
  • Purpose of processing: newsletter mailing, optimization, proof of consent.
  • Nature, scope, functioning of the processing: web beacon.
  • Necessity / interest in processing: Only the e-mail address is required for sending; the other information is voluntary and is used to personalize and optimize the content based on the interests of the user. The obligation to prove consent is the reason for logging. Success is measured on the basis of legitimate interests in optimizing the content for users and on the basis of business interests.
  • Opt-Out: A cancellation link is included in every newsletter.
  • Disclosure external and purpose: Newsletter2Go GmbH, Nürnberger Straße 8, 10787 Berlin (sending newsletters, security).
  • Privacy Policy: https://www.cleverreach.com/de/datenschutz/.
  • Special safeguards: Order processing contract with Mailchimp.
  • Processing in third countries: no.
  • Deletion of data: After unsubscribing from the newsletter, the e-mail addresses are stored for two years for the purpose of proving the previous subscription together with log data on the subscription (time, IP address) and then deleted. We may store the unsubscribed email addresses for up to three years based on our legitimate interests before deleting them for newsletter mailing purposes in order to be able to prove consent formerly given. The processing of this data is limited to the purpose of a possible defense against claims. An individual deletion request is possible at any time, provided that the former existence of consent is confirmed at the same time.

Communication via mail, e-mail, fax or telephone

Dispatch of information material, contact by telephone.

  • Processed data: Inventory data, address and contact data, contract data.
  • Special categories of personal data:
  • Legal basis: Art. 6 para. 1 lit. a, Art. 7 GDPR, Art. 6 para. 1 lit. f GDPR in connection with legal requirements for promotional communications.
  • Affected parties: customers, participants, interested parties, communication partners.
  • Purpose of processing: promotional communication.
  • Nature, scope, functioning of the processing: Contact is made only with the consent of the contact partners or within the scope of legal permissions.
  • Necessity / interest in processing: information and business interests.
  • Disclosure external and purpose: N
  • Processing in third countries: No.
  • Deletion of data: With objection/ revocation or discontinuation of the authorization basis, provided that no legitimate purposes oppose this; in the case of revoked consent, we may store the data required to prove consent for up to three years on the basis of our legitimate interests before deleting it in order to be able to prove consent formerly given. The processing of this data is limited to the purpose of a possible defense against claims. An individual deletion request is possible at any time, provided that the former existence of consent is confirmed at the same time.

Sweepstakes and contests

In the context of sweepstakes and contests (in short, “sweepstakes”), we process the data of the participants to carry out the sweepstakes. Within the conditions of participation of the respective competitions, users will receive further information on the processing of their data within the scope of the individual competitions, as well as on any consent to the publication of their names or competition entries.

  • Processed data: Inventory data, communication data, content data (e.g. entries to competitions).
  • Special categories of personal data:
  • Legal basis: Art. 6 para. 1 lit. b GDPR.
  • Affected persons: Participants
  • Purpose of the processing: implementation of the sweepstakes, notification of winners, dispatch of prizes, possibly presentation of winners.
  • Disclosure external and purpose: forwarding company for the purpose of shipping the winnings, possibly sponsors of winnings.
  • Processing in third countries: No, except for shipment of prizes abroad.
  • Deletion of data: As soon as the data is not required for the implementation of the competition (e.g. in the event of queries about prizes); when winners or competition entries are published, these generally remain online permanently; otherwise archiving in the event of a legal obligation (end of commercial law (6 years) and tax law (10 years) retention obligation).

Reach measurement, online marketing and technology partners

In this section, we inform you which services of technology partners we use for reach measurement and online marketing purposes. Their use takes place on the basis of Art. 6 para. 1 lit. f GDPR and our interest in increasing user-friendliness, optimizing our offer and its operational efficiency. In all cases, the processed data includes the usage data and the metadata. Further explanations, in particular of the modes of operation and protective measures, can be found in the definitions of terms at the end of this privacy policy. Unless otherwise stated, the deletion of data is determined according to the privacy statements of the technology partners.

Google Tag Manager

Google Tag Manager is a solution that allows us to manage so-called website tags via an interface (and thus, for example, integrate Google Analytics and other Google marketing services into our online offering). The Tag Manager itself (which implements the tags) does not process any personal data of the users. With regard to the processing of users’ personal data, reference is made to the following information on Google services. Usage Guidelines: https://www.google.com/intl/de/tagmanager/use-policy.html.

Google Analytics

We use Google Analytics for the purposes of reach measurement and target group formation.

Google AdWords

We use Google AdWords to measure the success of the advertisements we place on Google.

  • Processed data: Usage data, metadata, customer ID with us (Google receives the customer ID only as a pseudonymous data item without the associated inventory data, such as name, address or email of the customer).
  • Nature, scope, functioning of the processing: permanent cookies, third-party cookies, tracking, conversion measurement, interest-based marketing, profiling.
  • Special protective measures: Pseudonymization, IP masking, conclusion of order processing contract, opt-out.
  • Opt-Out: https://adssettings.google.com/.
  • External disclosure: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
  • Privacy Policy: https://policies.google.com/privacy.
  • Processing in third countries: USA.
  • Guarantee for processing in third countries: Privacy Shield https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active.
  • Deletion of data: The data may be processed by Google for up to two years before being anonymized or deleted.

Section IV – Definitions

This section provides you with an overview of the terms used in this privacy statement. Many of the terms are taken from the law and defined especially in Art. 4 GDPR. The legal definitions are binding. The following explanations, on the other hand, are intended primarily to aid understanding. The terms are sorted alphabetically.

  • A/B Testing – A/B testing is used to improve the usability and performance of online offerings. For example, users are presented with different versions of a website or its elements, such as input forms, on which the placement of content or labels of navigation elements may differ. Subsequently, based on the behavior of the users, e.g. longer stay on the website or more frequent interaction with the elements, it can be determined which of these websites or elements are more likely to meet the needs of the users.
  • Affiliate links – “Affiliate links” are links with the help of which the linking websites refer users to websites with product or other offers. The operators of the respective linking websites may receive a commission if users follow the affiliate links and subsequently take advantage of the offers. For this purpose, it is necessary for the providers to be able to track whether users who are interested in certain offers subsequently take advantage of the affiliate links. Therefore, for affiliate links to work, they need to be supplemented with certain values that become a part of the link or are otherwise stored, for example, in a cookie. The values include, in particular, the source website (referrer), time, an online identifier of the operator of the website on which the affiliate link was located, an online identifier of the respective offer, an online identifier of the user, as well as tracking-specific values such as, for example, ad media ID, affiliate ID and categorizations.
  • After-sales – “After sales” are marketing procedures in which, for example, customers of an online store are presented with promotional offers from other providers (which are usually based on the services or products purchased in the online store). In all other respects, the way after-sales works is the same as the way affiliate links work.
  • Aggregated data – Aggregated data is data that cannot be traced back to an individual and is therefore not personal. For example, visit times on a website can be stored as average values.
  • Anonymous data – Anonymity exists when a person cannot be identified on the basis of a piece of data, at least not by the responsible party with the means available to it. In particular, aggregated data may be anonymous.
  • Processing/processor – A “processor” is a natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller.
  • Special Categories of Personal Data – This refers to data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data uniquely identifying a natural person, health data, or data concerning a natural person’s sex life or sexual orientation.
  • Data subject/ person concerned – See “personal data”.
  • Click tracking – “Click tracking” makes it possible to follow the movements of users within an entire online offer. Since the results of these tests are more accurate if user interaction can be tracked over time (e.g., to see if a user likes to return), cookies are usually stored on users’ computers for these testing purposes.
  • Conversion – “Conversion”, or “conversion measurement”, refers to a method used to determine the effectiveness of marketing measures. For this purpose, a cookie is usually stored on the users’ devices within the websites on which the marketing activities take place and then retrieved again on the target website (e.g., this allows us to track whether the ads we placed on other websites were successful).
  • Cookies – “Cookies” are small files that are stored on users’ computers. Different information can be stored within the cookies. The primary purpose of a cookie is to store information about a user (or the device on which the cookie is stored) during or after his visit within an online offer. Temporary cookies, or “session cookies” or “transient cookies”, are cookies that are deleted after a user leaves an online offer and closes his browser. In such a cookie, for example, the contents of a shopping cart in an online store or a login status within a community can be stored. “Permanent” or “persistent” cookies are those that remain stored even after the browser is closed. For example, the login status in a community can be saved if users visit it after several days. Likewise, the interests of users can be stored in such a cookie, which is used for reach measurement or marketing purposes (see e.g. remarketing). “Third-party cookies” are cookies offered by providers other than the responsible party that operates the online offering (otherwise, if they are only its cookies, they are referred to as “first-party cookies”).
  • Cross-device tracking – cookies and fingerprints are device-based. Cross-device tracking is required to evaluate users’ interests in the context of smartphone usage for ads on desktop PCs. Logins to social networks such as Facebook can serve this purpose, for example. Alternatively, location data, IP addresses and user behavior are used to achieve up to 98% more accurate user containment. Cookies and web beacons are generally used for cross-device tracking purposes.
  • Custom Audiences – Custom Audiences are defined for advertising purposes, e.g. the display of advertisements. For example, based on a user’s interest in certain products or topics on the Internet, it can be inferred that this user is interested in advertisements for similar products or the online store where he viewed the products. “Lookalike audiences” (or similar target groups) are when the content deemed suitable is displayed to users whose profiles or interests presumably correspond to the users for whom the profiles were created. Cookies and web beacons are generally used for the purposes of creating Custom Audiences and Lookalike Audiences. “Custom Audiences from Website” means that the target groups are formed on the basis of the visitors to one’s own website. “Custom Audiences from File” means that, for example, a list of email addresses is uploaded to the respective advertising network or platform to form the target groups.
  • Demographic data – Demographic data is general information about groups of people or individuals, e.g., characteristics such as age, gender, place of residence, and social characteristics such as occupation, marital status, or income. Demographic data is collected as part of reach measurement and in online marketing for the purposes of interest-based marketing or for business analyses that are used, for example, to determine target groups.
  • Third Party – “Third Party” means any natural or legal person, public authority, agency or other body, other than the Data Subject, the Controller, the Processor and the persons who are authorized to process the Personal Data under the direct responsibility of the Controller or the Processor.
  • Third country – Third countries are states in which the GDPR is not directly applicable law, i.e. basically states that do not belong to the European Union (EU) or the European Economic Area (EEA).
  • Consent – “Consent” of the data subject means any freely given specific, informed and unambiguous indication of his or her wishes in the form of a statement or other unambiguous affirmative act by which the data subject signifies his or her agreement to the processing of personal data relating to him or her.
  • Embedding – See “Embedding”.
  • Embedding – Embedding is the process of integrating third-party content or software functions (see plugins) into your own online presence in such a way that they are displayed or executed on this online presence. This does not create a copy of the content as it is accessed from the original server (e.g. videos, images, posts on social networks, widgets with ratings). When embedding, it is technically necessary for the content provider to collect the IP address of the user in order to output the embedded content in the user’s browser. Furthermore, the content provider may store cookies on the user’s devices, for example.
  • Advanced matching – “Advanced matching” is an option of the Facebook Pixel that means that inventory data such as users’ phone numbers, email addresses, or Facebook IDs are transmitted to Facebook in encrypted form for the purpose of building target groups for Facebook ads and are only used for this purpose.
  • Error tracking – Error tracking is used, for example, to detect incorrectly executed program code in order to eliminate it and thus ensure the functionality and security of online offerings.
  • Fingerprints and other online identifiers – “Fingerprints” are equivalent in function to cookies, with no need to store a file on the user’s device. These digital fingerprints can, for example, be created individually as cross sums from individual factors of devices, such as computing power or browser plugins for devices, and thus be used for reach measurement, profiling, remarketing, interest-based and behavioral advertising.
  • First-party cookies – See “Cookies”.
  • Heatmaps – “Heatmaps” are the mouse movements of users, combined into an overall picture that shows, for example, which web page elements are preferentially accessed and which web page elements users prefer less.
  • IP Address – The IP address (“IP” stands for Internet Protocol) is a sequence of numbers that can be used to identify devices connected to the Internet. When a user accesses a website on a server, he communicates his IP address to the server. The server then knows that it must send the data packets with the website content to this address.
  • IP masking – IP masking is a method of deleting the last octet, i.e., the last two numbers of an IP address, so that the IP address can no longer be used to uniquely identify a person. Therefore, IP masking is a means of pseudonymizing processing methods, especially in online marketing.
  • Interest-based marketing or interest and behavioral advertising – Interest and/or behavioral advertising is when profiling is used to determine users’ potential interest in advertisements (online behavioral advertising, or OBA for short). Cookies and web beacons are generally used for these purposes.
  • Lookalike Audiences – See Custom Audiences.
  • Opt-in – The term “opt-in” means something like registration or consent, depending on the context. If a registration is confirmed (e.g. by entering an e-mail address in an online form field) by sending a confirmation e-mail to the owner of the e-mail address, this is referred to as a double opt-in (DOI).
  • Opt-Out – The term “opt-out” means roughly the same as unsubscribing and can represent, for example, an objection (e.g. against tracking) or a cancellation (e.g. for newsletter subscriptions).
  • Opt-out cookie – An “opt-out cookie” is a small file (see “Cookies”) that is stored in your browser and notes that you do not want a tracking service, for example, to process your data. The “opt-out cookie” is only valid for the browser in which it was saved, i.e. in which you clicked the opt-out link. If cookies are deleted in this browser, then you must click the opt-out link again. Further, an opt-out link may be limited only to the domain on which the opt-out link was clicked.
  • Permanent cookies – See “Cookies”.
  • Personal data/ personal reference – “Personal data” means any information relating to an identified or identifiable natural person (hereinafter “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. cookie) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
  • Plugins/ Social Plugins – Plugins (or “social plugins” in the case of social functions) are third-party software functions that are integrated into the online offering. They can be used, for example, to output interaction elements (e.g., a “Like” button) or content (e.g., external comment function or posts on social networks).
  • Profiling – “Profiling” is any type of automated processing of personal data that consists of using such personal data to analyze, evaluate or predict certain personal aspects relating to a natural person (depending on the type of profiling, this may include information concerning age, gender, location data and movement data, interaction with websites and their content, shopping behavior, social interactions with other people) (e.g., interests in certain content or products, click behavior on a website or location). Cookies and web beacons are often used for profiling purposes.
  • Privacy Shield – The EU-US Privacy Shield is an informal agreement in the field of data protection law negotiated between the European Union and the United States of America. It consists of a series of assurances from the U.S. government and a decision by the EU Commission. Companies certified under the Privacy Shield provide a guarantee of compliance with European data protection law (https://www.privacyshield.gov).
  • Pseudonymization/ Pseudonyms – “Pseudonymization” is the processing of personal data in such a way that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that this additional information is stored separately and it is ensured that the personal data is not attributed to an identified or identifiable natural person; i.e. if a cookie stores an exact interest profile of the computer user (a “marketing avatar”, as it were), but not the name of the user, then the data is processed pseudonymously. If his name is stored, e.g. as part of his e-mail address or his IP address, then the processing is basically no longer pseudonymous.
  • Reach measurement – Reach measurement is used to evaluate the flow of visitors to an online offering and may include their behavior, interests or demographic information, such as age or gender. With the help of reach analysis, for example, website owners can see what types of people visit their website at what time and what content they are interested in. This allows them, for example, to better optimize the content of the website to the needs of their visitors. Cookies and web beacons are often used for reach analysis purposes.
  • Remarketing/ Retargeting – “Remarketing” or “Retargeting” is when, for example, a user’s interest in a product on a website is noted for advertising purposes in order to remind the user of these products on other websites, e.g. in advertisements. Cookies are generally used for profiling purposes.
  • Session cookies – See “Cookies”.
  • Single sign-on – “Single sign-on” or “single sign-on authentication” is the term used to describe a procedure that allows users to log on to an online offering, including other online offerings, with the help of a user account. The prerequisite for single sign-on authentication is that users are registered with the respective single sign-on provider and enter the required access data on the web form provided for this purpose. Authentication takes place directly with the respective single sign-on provider. In the course of such authentication, we receive a user ID with the information that the user is logged in under this user ID at the respective single sign-on provider and an ID that is not further usable for us (so-called “user handle”). Whether we receive further data depends solely on the single sign-on procedure used, the data releases selected as part of the authentication process, and also which data users have released in the privacy or other settings of the user account with the single sign-on provider. It can be different data depending on the single sign-on provider and the choice of users, usually it is the email address and the username. The password entered as part of the single sign-on process is neither visible to us nor stored by us. Users are asked to note that their details stored with us may be automatically matched with their user account with the single sign-on provider, but this is not always possible or actually occurs. If, for example, users’ email addresses change, users must change them manually in their user account with us. Should users ever decide that they no longer wish to use the link of their user account with the single sign-on provider for the single sign-on procedure, they must remove this link within their user account with the single sign-on provider. If users wish to delete their data from us, they must cancel their registration with us.
  • Third-party cookies – See “Cookies”.
  • Tracking – We speak of “tracking” when the behavior of users can be traced across several online offerings, e.g. for remarketing purposes. The behavioral and interest information collected with regard to the online offers used is stored as user profiles in cookies or on servers of the marketing service providers (e.g. Google or Facebook).
  • Universal Analytics – “Universal Analytics” refers to a Google Analytics procedure in which user analysis is based on a pseudonymous user ID, thus creating a pseudonymous profile of the user with information from the use of different devices (“cross-device tracking”).
  • Controller – A “controller” is the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data.
  • Processing – “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means. The term is broad and encompasses virtually any handling of data.
  • Web beacons – “Web beacons” (or “pixels,” “measurement pixels,” or “tracking pixels”) are small, pixel-sized graphics that are embedded in web pages or HTML emails. They make it possible, for example, to determine whether an e-mail has been opened (at least if image display in e-mails is activated) or how often a website is accessed by a user.
  • Widgets – See Embedding.
  • Tracking pixel – See web beacons.