INTRODUCTION

With the following data privacy statement, we would like to inform you about which types of your personal data (hereinafter also referred to as “data”) we process, for which purposes and to what extent.

This data privacy statement applies to all personal data processing we carry out, both in the context of the provision of our services and in particular on our websites, in mobile applications and within external online presences, e.g. our social media profiles (hereinafter collectively referred to as “online offer”).

We would like to point out that in the processing we carry out, data might also be processed outside the European Union and thus outside the scope of the GDPR; unfortunately, we have no influence on this. This can result in data protection risks for you, because e.g. the enforcement of your rights based on the GDPR could be made more difficult. However, we assure you that we will do everything in our power to guarantee you the best possible level of data protection.

The terms used are not gender specific.

Last updated November 11, 2024

CONTENTS OVERVIEW

  • Responsible person & contact data protection officer
  • Processing overview
  • Relevant legal bases
  • Safety measures
  • Rights, in particular to information and revocation
  • Transmission and disclosure of personal data
  • Use of cookies
  • Commercial and business services (customer account)
  • Contact
  • Communication via messenger
  • Online conferences and meetings
  • Polls and surveys
  • Provision of the online offer and web hosting
  • Application process
  • Cloud services
  • Advertising communication via e-mail, post, fax or telephone
  • Online marketing
  • Web tracking – Google Analytics
  • Use of the Google Tag Manager
  • Social network presence
  • Social media plug-ins
  • PLUGIN: YouTube
  • PLUGIN: Google Web Fonts
  • Google reCAPTCHA
  • Deletion of data
  • Change and update to the data privacy statement
  • Responsible supervisory authority for us
  • Definitions of terms

RESPONSIBLE PERSON & CONTACT DATA PROTECTION OFFICER

FCF Holding GmbH
Hohenzollernring 31-35
50672 Cologne
Germany

Authorized Persons: Dr. Johannes Steegmann, Jan Fischer

E-mail Address: datenschutz@fcf-holding.com

Telephone: +49 221 6699360

Impressum: https://eathappygroup.com/

 

Contact data protection officer

ap-Datenschutz GmbH
Dr. iur. Andreas Pinheiro LL.M.
Hohenstaufenring 8
50674 Cologne

TEL: 0221 999 89 030
FAX: 0221 423 2785-9​​​​​​​

E-Mail: dsb@ap-datenschutz.de

 

PROCESSING OVERVIEW

The following overview summarizes the types of data processed and the purposes of their processing and refers to the affected data subjects.

TYPES OF DATA PROCESSED

  • Inventory data (e.g. names, addresses).
  • Applicant data (e.g. personal details, postal and contact addresses, the documents belonging to the application and the information contained therein, such as cover letter, curriculum vitae, certificates and other information about a specific position or voluntarily provided by applicants about their person or qualification).
  • Content data (e.g. text input, photographs, videos).
  • Contact details (e.g. e-mail, phone numbers).
  • Meta/communication data (e.g. device information, IP addresses).
  • Usage data (e.g. websites visited, interest in content, access times).
  • Location data (data indicating the location of an end user’s device).
  • Contract data (e.g. subject of the contract, duration, customer category).
  • Payment data (e.g. bank details, invoices, payment history).

SPECIAL CATEGORIES OF DATA

  • Health data (Art. 9 Para. 1 GDPR) (e.g. when querying allergies when ordering a meal)

CATEGORIES OF DATA SUBJECTS

  • Employees (e.g. employees, applicants, former employees).
  • Applicants
  • Business and contractual partners.
  • Interested persons.
  • Communication partner.
  • Customers
  • Users (e.g., website visitors, users of online services).

PURPOSES OF PROCESSING

  • Provision of our online offer and user-friendliness.
  • Visit action evaluation.
  • Application process (justification and possible subsequent implementation as well as possible subsequent termination of the employment relationship).
  • Office and organizational procedures.
  • Cross-device tracking (cross-device processing of user data for marketing purposes).
  • Direct marketing (e.g. by e-mail or post).
  • Feedback (e.g. collecting feedback via the online form).
  • Interest-based and behavioural marketing.
  • Contact requests and communication.
  • Conversion measurement (measures the effectiveness of marketing measures).
  • Profiling (creation of user profiles).
  • Remarketing
  • reach measurement (e.g. access statistics, recognition of returning visitors).
  • Safety measures.
  • Tracking (e.g., interest/behaviour-based profiling, use of cookies).
  • Contractual services and services.
  • Management and answering of inquiries.
  • Target group formation (determination of target groups relevant for marketing purposes or other output of content).

RELEVANT LEGAL BASES

In the following section, we share the legal basis of the General Data Protection Regulation (GDPR), on the basis of which we process the personal data. Please note that in addition to the provisions of the GDPR, the national data protection requirements in your or our country of residence and domicile may apply. In addition, if more specific legal bases are relevant in individual cases, we will inform you of this in the data privacy statement.

  • Consent (Art. 6 para. 1 sentence 1 lit. a GDPR) – The person concerned has given their consent to the processing of their personal data for a specific purpose or for several specific purposes (e.g. when participating in a competition).
  • Processing and pre-contractual inquiries (Art. 6 Para. 1 sentence 1 lit. b. GDPR) – Processing is necessary to fulfil a contract to which the data subject is a party, or for the implementation of pre-contractual measures that take place at the request of the data subject (e.g. to deliver you an ordered product).
  • Legal obligation (Article 6 paragraph 1 page 1 lit. c. GDPR) – Processing is necessary to fulfil a legal obligation to which the person responsible is subject (e.g. storage according to the provisions of the Commercial Code).
  • Legitimate interests (Article 6 paragraph 1 page 1 lit. f. GDPR) – Processing is necessary to safeguard the legitimate interests of the person responsible or a third party, unless the interests or fundamental rights and freedoms of the data subject, which require the protection of personal data, outweigh this. (e.g. when data for safeguarding our IT is being processed)
  • 88 para. 2 GDPR in conjunction with Section 26 Paragraph 1, Paragraph 3 Sentence 1 Federal Data Protection Act (application process as a pre-contractual or contractual relationship) (Insofar as special categories of personal data within the meaning of Art. 9 Paragraph 1 GDPR (e.g. health data, such as a severely disabled status or ethnic origin) are requested from applicants so that the person responsible or the data subject can exercise his or her rights arising from labour law and social security and the social protection law and fulfil his or her obligations in this regard, their processing shall take place in accordance with § 26 para. 1, para. 3 sentence 1 Federal Data Protection Act.

National data protection regulations in Germany: National data protection regulations apply in Germany in addition to the data protection regulations stated in the General Data Protection Regulation. This includes in particular the law regarding the protection against misuse of personal data during data processing (Federal Data Protection Act – GDPR). The GDPR contains in particular special regulations regarding the right to information, the right to deletion, the right of objection, the processing of special categories of personal data, processing for other purposes and transmission as well as automated decision-making in individual cases, including profiling. It also regulates data processing for the purposes of the employment relationship (Section 26 GDPR), in particular with regard to establishing, implementing or terminating employment relationships and the consent of employees. And state data protection laws of the individual federal states can be applied.

SAFETY MEASURES

We take appropriate technical and organizational measures in accordance with the legal requirements, taking into account the state of the art, implementation costs and the type, scope, circumstances and purposes of processing as well as the different probabilities of occurrence and the extent of the threat to the rights and freedoms of natural persons to ensure a level of protection appropriate to the risk.

The measures include, in particular, securing the confidentiality, integrity and availability of data by controlling physical and electronic access to the data as well as the access, input, transfer, securing of availability and their separation. We have also set up procedures that ensure the exercise of data subject rights, the deletion of data and reactions to the threat to the data. Furthermore, we take the protection of personal data into account when developing or selecting hardware, software and procedures in accordance with the principle of data protection, through technology design and data protection-friendly default settings.

Abbreviating IP addresses: We will shorten or have your IP address shortened if it is possible for us or if we don’t need to store your IP address. If the IP address is shortened, also known as “IP masking”, the last octet, i.e. the last two digits of an IP address, is deleted (the IP address in this context is an Internet connection through the online Access provider individually assigned identifier). Shortening an IP address is intended to prevent or make it much more difficult to identify a person using their IP address.

SSL encryption (https): We use SSL encryption to protect your data that has been transmitted via our online offer. You can recognize such encrypted connections by the prefix https: // in your browser’s address line.

RIGHTS, IN PARTICULAR TO INFORMATION AND REVOCATION

You have the following rights vis-à-vis us with regard to your personal data:

  • The right to information,
  • The right to correction or deletion,
  • The right to restriction of processing,
  • The right to object to processing,
  • The right to data portability.

You can revoke use of your data at any time. If the lawfulness of the processing is based on consent, this remains valid until and unless you revoke your consent.

Please send all information requests, requests for information or objections to data processing by e-mail to datenschutz@fcf-holding.com or to the address given in Section 1 (2).

You can ask us to delete your data at any time. There may be statutory retention periods that allow us to keep your data until the deadline has expired.

If your data is incorrect, you have the right to ask us to correct it. We will comply with this request immediately.

You have the right to receive the personal data you have made available to us in a readable format, as far as technically possible, in order to make it available to another company (right to data portability).

You have the right to complain to the proper responsible supervisory authority. Please click on the following link for the list of data protection officers, including their contact details: https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html.

TRANSMISSION AND DISCLOSURE OF PERSONAL DATA

As part of our processing of personal data, it may happen that the data is transmitted to other locations, companies, legally independent organizational units or persons, or they can be disclosed to them. The recipients of this data can D, for example payment institutions involved in payment transactions, service providers commissioned with IT tasks or providers of services and content that are in integral part of a website. In such a case, we observe the legal requirements and, in particular, conclude corresponding contracts or agreements that serve to protect your data with the recipients of your data.

Data transmission within the group of companies: We can transmit your personal data to other companies within our group of companies or grant you access to this data. If this transfer takes place for administrative purposes, the transfer of the data is based on our legitimate entrepreneurial and business interests or takes place if it is necessary to fulfil our contractual obligations or if the consent of the person concerned or a legal permission is available.

Data transfer within the organization: We can transfer personal data to other locations within our organization or grant them access to this data. If this transfer takes place for administrative purposes, the transfer of the data is based on our legitimate entrepreneurial and business interests or takes place if it is necessary to fulfil our contractual obligations or if the consent of the person concerned or a legal permission is available.

USE OF COOKIES

In addition to the aforementioned data, cookies are stored on your computer when you use our website. Cookies are small text files that are stored on your hard drive that are assigned to the browser you are using and through which certain information flows to the place that sets the cookie (in this case to us). Cookies cannot run programs or transmit viruses to your computer. They serve to make the Internet offer more user-friendly and effective overall.

We use cookies on our website. Cookies are necessary so that you can navigate freely about the website and use its features, including accessing secure areas on the website. Cookies allow us to understand who has visited website page(s) and, from this, helps us deduce how often certain pages are visited, and which parts of the page are particularly popular. Session cookies store information about your activities on our website.

A distinction is made between the following types of cookies and functions:

  • Temporary cookies (also: session or session cookies): The latest point at which temporary cookies are deleted are after a user has left an online offer on a website and has closed out his browser.
  • Permanent Cookies: Permanent cookies remains stored on a person’s computer even after the browser has been closed. For example, the log-in status can be saved or preferred content can be displayed immediately as soon as the user revisits the website. The interests of users who are used to measure reach or are used for marketing purposes can also be stored in such a cookie.
  • First-party cookies: We set these cookies ourselves.
  • Third-party cookies (also referred to as third-party offerer cookies): Third-party offerer cookies are usually used by advertisers (referred to as third parties) in order to process user information.
  • Required cookies (also referred to as essential or indispensable cookies): Cookies can be absolutely necessary for operating a website (e.g., to save log-ins or other user input or for security reasons).
  • Statistical, marketing and personalization cookies: In addition, cookies are usually also used in the context of reach measurement and when a user’s interests or his behaviour (e.g., viewing certain content, using functions, etc.) on individual websites in a user profile get saved. These types of profiles are used to provide users with display content that matches their potential interests. This process is also known as “tracking”, i.e., tracking the potential interests of users. If we use cookies or “tracking” technologies, we will inform you separately in our data privacy statement or as part of our obtaining your consent.

You can configure your browser settings according to your wishes and reject the acceptance of third-party cookies or all cookies. We would like to point out that if you do so, you may not be able to use all of a website’s functions.

We use cookies to identify you for subsequent visits if you have an account with us. Otherwise, you would have to log in again each time you visit that website.

The following cookies are used:

 

Name Persistence Description
borlabs-cookie 1year Consent for cookies to be set
1P_JAR 1 month
__Secure-3PAPISID 2 years
__Secure-3PSIDCC 1 year
__Secure-3PSID 1 year
_pgar 6 months
ANID 1 week
APISID 2 years
CGIC 6 months
CONSENT 6 months
CONSISTENCY 15 years
DV SESSION
HSID 1 year
OGPC
OGPIC
OTZ 1 month
PAIDCONTENT 6 months
SAPISID 1 year
SEARCH_SAMESITE 18 months
SIDCC 1 year
SID 2 years
SNID 18 months
SSID 2 years
_gcl_au, DSID, IDE 3 months Cookies Google uses for ad targeting and measuring ad displays. Produces statistical data regarding how the visitor uses the website.
_ga, _gat, _gid 2 years Cookies Google uses for website analysis. Produces statistical data regarding how the visitor uses the website.
rc::c Google reCAPTCHA. Google cookie used to distinguish between humans and bots.

Legal basis: Consent Before we process or have data processed as part of using cookies, we ask the user for consent, which the user can revoke at any time. Before the consent has been given, however, cookies may be used that are necessary for operating our online offer. They are used based on our interest and the interest of users in the expected functionality of our online offer.

COMMERCIAL AND BUSINESS SERVICES (CUSTOMER ACCOUNT)

We process data from our contractual and business partners, e.g., customers and interested parties (collectively referred to as “contractual partners”) as part of contractual and comparable legal relationships as well as related measures and as part of communication with the contractual partners (or pre-contractual), e.g., to answer inquiries.

We inform the contractual partners beforehand or as part of the data collection, e.g. in online forms, by special labelling (e.g. colours) or symbols (e.g. asterisks or similar), or personally We process this data to fulfil our contractual obligations, to secure our rights and for the purposes of the administrative tasks associated with this information as well as the business organization.

Art. 6 Paragraph 1 lit. b GDPR (fulfilment of the contract) is our legal basis for the processing mentioned in para. 1 and para. 2.

We only pass on the data belonging to contractual partners to third parties within the framework of the applicable law to the extent that this is necessary for the aforementioned purposes or to fulfil legal obligations (e.g. In terms of telecommunications, transport and other auxiliary services as well as subcontractors, banks, tax and legal advisers, payment service providers or tax authorities). The contractual partners will be informed as part of this data privacy statement if any other forms of processing, e.g. for marketing purposes, is used.

The terms and conditions and data protection notices of the respective third-party providers or platforms apply in the relationship between users and providers if we use third-party providers or platforms to provide our services.

At this point we obligate the contractors, in accordance with Art. 28 GDPR, to meet our high data protection requirements. Control and instruction rights on our part help to enforce this obligation.

We delete this data after the statutory warranty and comparable obligations expire, which is basically after four years, unless the data is stored in a customer account, e.g. as long as it has to be kept for archiving reasons for legal reasons (e.g. usually for 10 years for tax purposes ). We delete data disclosed to us by the contractual partner what it is part of an order as they apply to an order’s specifications, which generally occurs at the end of an order. For the last-mentioned processing, Art. 6 Para. 1 lit. c GDPR (fulfilment of legal obligations) is our legal basis.

CONTACT

When you contact us (e.g. via the contact form, e-mail, phone or via social media), the details of the inquiring person are processed, insofar as this is necessary to answer the contact inquiries and any requested measures.

Responding to contact inquiries as part of contractual or pre-contractual relationships takes place in order to fulfil our contractual obligations or to answer (pre-) contractual inquiries and otherwise as based on legitimate interests in responding to the inquiries.

Art. 6 Paragraph 1 lit. b GDPR (order fulfilment) is our legal basis for the processing mentioned in para. 1 and para. 2.

  • Processed types of data: inventory data (e.g. names, addresses), contact data (e.g. e-mail, telephone numbers), content data (e.g. text entries, photographs, videos).
  • Persons affected: Communication partners.
  • Purposes for carrying out processing: context queries and communication.

COMMUNICATION VIA MESSENGER

We use messenger services for communication purposes and therefore ask you to comply with the following information regarding the functionality of the messenger, encryption, and regarding the use of the communication metadata and in terms of your options for lodging any objections.

You can also contact us in alternative ways, e.g. by phone or e-mail. Please use the contact options provided to you or the contact options specified within our online offer.

In the case of end-to-end encryption of content (i.e. the content of your message and attachments), we point out that the communication content (i.e. the content of the message and attached images) is encrypted from end to end. This means that the content of the messages cannot be viewed by anyone except the sender and the receiver, not even by the messenger providers themselves. You should always use a current version of the messenger with activated encryption, so that the encryption of the message content is ensured.

However, we would also like to point out to our communication partners that the messenger providers cannot see the content, but can find out what was sent and when communication partners communicated with us, as well as technical information about the device used by the communication partner and, depending on the settings of your device, the location information as well (i.e. metadata).

Notes on legal bases: If we ask communication partners for permission before communicating with you via messenger, the legal basis for our processing of your data is their consent (Art. 6 Para. 1 lit. a GDPR). Incidentally, if we do not ask for consent and if you, for example, contact us, then we use Messenger in relation to our contractual partners as well as part of contract initiation as a contractual measure and in the case of other interested parties and communication partners on the basis of our legitimate interests in fast and efficient communication (Art. 6 Para. 1 lit.f GDPR) and to meet the needs of our communication partner for communication via messenger apps. Furthermore, we would like to point out that we do not transmit the contact details provided to us to the messenger without your consent.

We refer to our legitimate interest in promoting our own products in accordance with. Art. 6 para. 1 lit. f GDPR in terms of collecting metadata for reach measurement and advertising. The interests of those affected do not outweigh this, since we take measures to anonymise/pseudonymise the reach measurement, for example, and only simple data (e-mail addresses) are used in a legally permitted context for applications.

Revocation, objection and deletion: Revocation, objection and deletion: You can revoke your consent at any time and object to communication with us via Messenger at any time. In the event of communication via Messenger, we delete the messages in accordance with our general deletion guidelines (i.e. for example, as described above, after the end of contractual relationships, in the context of archiving requirements, etc.) and otherwise as soon as we can assume that we have answered any information from the communication partner, if no reference to a previous conversation is to be expected and the deletion does not conflict with any statutory retention requirements.

We reserve the right to refer to other communication channels: To conclude, we would like to point out that, for reasons of your security, we reserve the right not to answer inquiries via Messenger. This is the case when, for example, contractual internal matters require special secrecy or an answer via Messenger does not meet formal requirements. In such cases, we refer you to more adequate communication channels.

Skype: Skype’s end-to-end encryption requires activation (if it is not activated by default).

  • Types of data processed: contact data (e.g. e-mail, telephone numbers), usage data (e.g. websites visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses), content data (e.g. text entries, photographs, videos).
  • Persons affected: Communication partners.
  • Purpose of processing: contact inquiries and communication, direct marketing (e.g. by e-mail or post).

Services and service providers that are used:

Skype: Skype Messenger with and-to-and encryption; service provider: Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399 USA; Website: https://www.skype.com/de/; data privacy statement: https://privacy.microsoft.com/de-de/privacystatement, safety notes: https://www.microsoft.com/de-de/trustcenter.

Microsoft provides standard contractual clauses (SVK) in accordance with Art. 46 (2) GDPR to ensure a comparable level of data protection when transferring data to the parent company in the USA. Furthermore, Microsoft undertakes not to merely comply with inquiries from authorities and to only grant access after exhausting the legal process in the USA. For more information, please visit:

https://www.microsoft.com/en-us/licensing/product-licensing/products#OST

 

ONLINE CONFERENCES AND MEETINGS

We use platforms and applications from other providers (hereinafter referred to as “third-party providers”) for the purpose of holding video and audio conferences, webinars and other types of video and audio meetings. We follow all legal requirements when selecting third-party providers and their services.

In this context, data from the communication participants are processed and stored on third-party provider servers if they are part of communication processes with us. This data can include, in particular, registration and contact details, visual and vocal contributions as well as entries in chats and shared screen content.

If users are referred to the third-party providers or their software or platforms during the course of communication, business or other relationships with us, then third-party providers can process usage data and metadata for security purposes, service optimization or marketing purposes. We therefore ask you to comply with the data protection information of the respective third-party provider.

Regarding collecting metadata for reach measurement and advertising, we refer to our legitimate interest in the further development and improvement of our own products in accordance with. Art. 6 para. 1 lit. f GDPR. The interests of those affected do not outweigh this because we take measures to anonymise/pseudonymise the reach measurement, for example.

Notes on legal bases: The legal basis for processing is the consent Art. 6 Para. 1 lit. a GDPR) whenever we ask users for their consent regarding the use of third-party providers. Their use can also be part of our (pre-) contractual services, provided that the use of third-party providers has been agreed in this context (Art. 6 Para. 1 lit. b GDPR).

At this point we obligate the contractors, in accordance with Art. 28 GDPR, to meet our high data protection requirements. Control and instruction rights on our part help to enforce this obligation.

  • Processed types of data: Inventory data (e.g. names, addresses), contact data (e.g. e-mail, telephone numbers), content data (e.g. text entries, photographs, videos), usage data (e.g. websites visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses).
  • Affected persons: communications partner(s), users (e.g. website visitors, users of online services).
  • Purpose of processing: contractual services and performance, contact queries and communication, office and organizational procedures.

Services and service providers that are used:

 

Microsoft Teams: Messenger and conference software; service provider: Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399 USA; Website: https://products.office.com; data privacy statement: https://privacy.microsoft.com/de-de/privacystatement, safety notes: https://www.microsoft.com/de-de/trustcenter.

Skype: Messenger and conference software; service provider: Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399 USA; Website: https://www.skype.com/de/; data privacy statement: https://privacy.microsoft.com/de-de/privacystatement, safety notes: https://www.microsoft.com/de-de/trustcenter.

Microsoft provides standard contractual clauses (SVK) in accordance with Art. 46 (2) GDPR to ensure a comparable level of data protection when transferring data to the parent company in the USA. Furthermore, Microsoft undertakes not to merely comply with inquiries from authorities and to only grant access after exhausting the legal process in the USA. For more information, please visit:

https://www.microsoft.com/en-us/licensing/product-licensing/products#OST

 

 

 

 

POLLS AND SURVEYS

The surveys and surveys we carry out (hereinafter referred to as “surveys”) are evaluated anonymously. Personal data is only processed to the extent that it is necessary for providing and technically implementing the surveys (e.g. processing of the IP address in order to display the survey in the user’s browser or to allow the survey to be resumed using a temporary cookie (session cookie) or users have consented.

 

Notes on legal bases: By participating in the survey, you are giving us your consent to the processing in accordance with Art. 6 Paragraph 1 lit. a GDPR. We refer to our legitimate interest in the further development and improvement of our own products in accordance with. Art. 6 para. 1 lit. f GDPR regarding any collection of metadata for each measurement and advertising. The interests of those affected do not outweigh this because we take measures to anonymise/pseudonymise the reach measurement, for example.

 

At this point we obligate the contractors, in accordance with Art. 28 GDPR, to meet our high data protection requirements. Control and instruction rights on our part help to enforce this obligation.

 

  • Processed types of data: contact data (e.g. e-mail, telephone numbers), content data (e.g. text entries, photographs, videos), usage data (e.g. websites visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses).
  • Affected persons: communications partner(s), users (e.g. website visitors, users of online services).
  • Purpose of processing: Feedback (e.g. Collecting feedback via an online form).

 

Services and service providers that are used:

 

  • Microsoft Forms (Pro): Microsoft Cloud forms; service provider: Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA; Website: https://forms.office.com/; data privacy statement: https://privacy.microsoft.com/de-de/privacystatement; safety notes: https://www.microsoft.com/de-de/trustcenter. Microsoft provides standard contractual clauses (SVK) in accordance with Art. 46 (2) GDPR to ensure a comparable level of data protection when transferring data to the parent company in the USA. Furthermore, Microsoft undertakes not to merely comply with inquiries from authorities and to only grant access after exhausting the legal process in the USA. For more information, please visit: https://www.microsoft.com/en-us/licensing/product-licensing/products#OST

 

 

 

 

 

 

PROVISION OF THE ONLINE OFFER AND WEB HOSTING

In order to be able to provide our online offer safely and efficiently, we use the services of one or more web hosting providers, from whose servers (or servers managed by them) the online offer can be accessed. For these purposes, we can use infrastructure and platform services, computing capacity, storage space and database services as well as security services and technical maintenance services.

The data processed as part of providing the hosting offer can include all information relating to the users of our online offer that is generated in the context of use and communication. This regularly includes the IP address that is necessary in order to be able to deliver the content of online offers to browsers, and all entries made within our online offer or from websites.

E-mail dispatch and hosting: The web hosting services we use also include the dispatch, receipt and storage of e-mails. The addresses of the recipients and senders as well as other information regarding the sending of e-mails (e.g. the providers involved) and the content of the respective e-mails are processed for these purposes. The aforementioned data can also be processed for the purpose of recognizing SPAM. Please note that e-mails on the Internet are generally not sent in encrypted form. As a rule, e-mails are encrypted on the transport route, but (if no end-to-end encryption method is used) not on the servers from which they are sent and received. We cannot therefore assume any responsibility for the e-mail transmission path between the sender and receipt on our server.

Collection of access data and log files: We ourselves (or our web hosting provider or our delivery service platform for catering services) collect data on every access to the server (i.e. server log files). The address and name of the websites and files accessed, the date and time of the access, the amount of data transferred, notification of successful access, browser type and version, the user’s operating system, referrer URL (the previously visited page) and usually IP Addresses and the requesting provider are part of the server log files.

The server log files can be used for security purposes, e.g. to avoid overloading the server (especially in the case of abusive attacks, so-called DDoS attacks) and to ensure the load on the servers and their stability.

For the processing mentioned here, we refer to our legitimate interest in an efficient and functioning business operation and in a functioning IT in accordance with. Art. 6 para. 1 lit. f GDPR. The interests of those affected do not predominate here, as they could count on measures in the area of IT security and this did not come as a surprise.

At this point we obligate the contractors, in accordance with Art. 28 GDPR, to meet our high data protection requirements. Control and instruction rights on our part help to enforce this obligation.

  • Processed types of data: content data (e.g. text entries, photographs, videos), usage data (e.g. websites visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses).
  • Affected persons: users (e.g. website visitors, users of online services).
  • Purpose of processing: contractual service and performance.

Services and service providers that are used:

 

APPLICATION PROCESS

Purpose of processing:

The application process requires that applicants provide us with the data required for their assessment and selection. The information required can be found in the job description or, in the case of online forms, in the information provided there.

In principle, the information required includes personal information such as name, address, a contact option and evidence of the qualifications required for a particular position. On request, we will also be happy to provide you with information about what information is required. This includes the data categories of the personal data (personal details, social information, accounting data (bank details) and other data that are usually taken into account when hiring, such as the documents belonging to the application and the information contained therein, such as cover letter, curriculum vitae, certificates and others with regard to a specific position or information provided voluntarily by applicants about their person or qualification).

This can also include special types of personal data (e.g. degree to which a person is severely disabled, religious affiliation, etc.)

Processing the data:

If made available, applicants can send us their applications using an online form. The data is encrypted and transmitted to our HR hub in accordance with the latest technology. The HR Hub manages the applications received on the basis of the MS Dynamics software. The software is hosted in our data centre, which is operated by Microsoft Germany exclusively on servers in the European Union. Further information on data processing in the MS environment is available here:

https://privacy.microsoft.com/de-DE/privacystatement?culture=de-de&country=DE

Applicants can also send us their applications via e-mail. Please note, however, that e-mails on the Internet are generally not sent in encrypted form. As a rule, emails are encrypted while they are being transported, but not on the servers from which they are sent and received. We cannot therefore accept any responsibility for the transmission path of the application between the sender and receipt on our server.

Applicants are welcome to contact us about the method of submitting their application or to send us the application by post.

Legal basis of processing:

In principle, we can base the processing of your data on Art 88 Paragraph 2 GDPR in conjunction with Section 26 Paragraph 1 BDSG, as this is necessary to establish the employment relationship in the context of personnel selection.

We can process special categories of personal data in accordance with. Section 26 (3) BDSG in conjunction with Section 22 BDSG if it is necessary to fulfil legal obligations under labour law, social security law and social protection. For example, depending on the advertisement, the degree to which you are severely disabled is critical for your application. The permission to process this data is based on the law (in this case § 2 SGB IX in conjunction with § 80 SGB X).

Deleting data:

  • If the application is successful, we can process the data provided by applicants for the purposes of the employment relationship.
  • Otherwise, if the application for a job offer is unsuccessful, the applicant’s data will be deleted no later than 4 months after the application deadline.
  • The applicant’s data will also be deleted if an application is withdrawn, which applicants are entitled to do at any time. The deletion takes place, subject to a justified revocation of the applicants, at the latest after the expiry of a period of six months, so that we can answer any follow-up questions about the application and meet our obligations to provide evidence from the regulations on equal treatment of applicants. Invoices for any reimbursement of travel expenses are archived in accordance with tax law requirements.

Admission to an applicant pool:

Admission to an applicant pool, if offered, is based on voluntary consent. Applicants are instructed that their consent to be included in the talent pool is voluntary, has no influence on the current application process and that they can revoke their consent at any time for the future.

The storage takes place to enable a “long-term application” for later application procedures (justification and possible later implementation as well as possible later termination of the employment relationship).

Regarding processing of the data, the processing methods mentioned under 1.1.3 apply (use of MS Dynamics).

The data will be deleted from the applicant pool after the storage has been revoked, but at the latest after we have not been able to offer you a position for 3 years.

Inclusion in the applicant pool is based on your consent in accordance with. Art. 6 para. 1 lit. a GDPR. In the case of sensitive data, upon your express consent in accordance with. Art. 9 para. 1 lit. a GDPR, which we obtain before admitting you to the pool of applicants.

CLOUD SERVICES

We use software services (i.e. “cloud services”, also known as “software as a service”) that are accessible via the Internet and run on their providers’ servers for the following purposes: document storage and administration, calendar management, sending e-mails, spreadsheets and presentations, exchange of documents, content and information with specific recipients or publication of websites, forms or other content and information as well as chats and participation in audio and video conferences.

In this context, personal data can be processed and stored on the servers of the provider if they are part of communication processes with us or otherwise processed by us, as set out in this data privacy statement. This data can in particular include master data and contact details of the users, data on transactions, contracts, other processes and their content. The cloud service providers also process usage data and metadata, which they use for security purposes and for service optimization.

If we use the cloud services for other users or publicly accessible websites to provide forms or similar documents and content, the providers can save cookies on the users’ devices for web analysis purposes or to remember user settings (e.g. in the case of media control).

The cloud service provider(s) we use as a contractor in Art. 28 GDPR obligates us to meet our high data protection requirements. Control and instruction rights on our part help to enforce this obligation.

Regarding the processing mentioned here, and in terms of processing metadata and cloud functions in the context of the SaaS, we also refer to our legitimate interest in efficient and functioning business operations and functioning IT as well as in advertising our own products in accordance with. Art. 6 para. 1 lit. f GDPR. The interests of those affected do not predominate here, since they could expect an external contract in the area of IT provision and this did not come as a surprise. Metadata are processed anonymously.

  • Processed data types: inventory data (e.g. names, addresses), contact data (e.g. e-mail, telephone numbers), content data (e.g. text entries, photographs, videos), usage data (e.g. websites visited, interest in content, access times), meta/communication data (e.g. Device information, IP addresses), contract data (e.g. subject of the contract, term, customer category).
  • Affected persons: customers, employees (e.g. employees, applicants, former employees), interested parties, communication partners.
  • Purposes of processing: office and organizational procedures.

Services and service providers that are used:

In exceptional cases where personal data is transferred to the USA, Google Ireland has concluded standard contractual clauses (SVK) in accordance with Art. 46 para. 2 GDPR to ensure that a comparable level of data protection is ensured when data is transferred to your third country.  Please visit: https://privacy.google.com/businesses/compliance/#!#gdpr for more information

Microsoft provides standard contractual clauses (SVK) in accordance with Art. 46 (2) GDPR to ensure a comparable level of data protection when transferring data to the parent company in the USA. Furthermore, Microsoft undertakes not to merely comply with inquiries from authorities and to only grant access after exhausting the legal process in the USA. For more information, please visit:

https://www.microsoft.com/en-us/licensing/product-licensing/products#OST

ADVERTISING COMMUNICATION VIA E-MAIL, POST, FAX OR TELEPHONE

We process personal data for the purposes of advertising communication via various channels, such as e-mail, telephone, post or fax, according to the legal requirements.

For advertising, we rely on our legitimate interest in promoting our own products in accordance with. Art. 6 para. 1 lit. f GDPR. The interests of those affected do not outweigh this, since we take measures to anonymise/pseudonymise the reach measurement, for example, and only simple data (e-mail addresses) are used in a legally permitted context for applications.

If we are not entitled to apply in the exceptional case according to Paragraph 2, we will give your consent to the application in accordance with Art. 6 Paragraph 1 lit. a GDPR.

The recipients have the right to revoke their consent at any time or to object to advertising communication at any time.

After revocation or objection, we can store the data required to prove consent for up to three years on the basis of our legitimate interests before we delete them. The processing of this data is limited to the purpose of a possible defence against claims. An individual request for deletion is possible at any time, provided that the previous existence of consent is confirmed at the same time.

  • Processed types of data: Processed data types refers to inventory data, such as names, addresses, contact details, e.g. e-mail, telephone numbers.
  • Persons affected: Communication partners.
  • Purpose of processing: direct marketing (for example, by e-mail or post).

ONLINE MARKETING

We process personal data for online marketing purposes, which can include, in particular, marketing advertising space or presenting advertising and other content (collectively referred to as “content”) based on the potential user interests and measuring their effectiveness.

User profiles are created and stored in a file referred to as a “cookie”) or similar processes are used that save user information relevant to the presentation of the aforementioned content. This information can include the viewed content, websites visited and the online networks that are used, as well as communication partners and technical information, such as the browser used, the computer system used and information on usage times. Location data can also be processed if users consent.

Users’ IP addresses are also saved. We do, however, use available IP masking procedures (i.e. pseudonymisation by shortening the IP address) to protect users. In general, no clear user data (such as e-mail addresses or names) are stored in the online marketing process, only pseudonyms are. This means that we and the providers of online marketing processes do not know the actual identity of the users, but only the information stored in their profiles.

The information in the profiles is usually stored in cookies or by means of similar processes. These cookies can later generally also be read out on other websites that use the same online marketing process, can be analysed for the purpose of displaying content and supplemented with additional data and stored on the online marketing process provider’s server.

As an exception, clear data can be assigned to the profiles. This can occur when, for example, uses are members of a social network whose online marketing process we use and the network connects the profiles of the users in the aforementioned information. We ask you to note that users may make additional agreements with the providers, for example, by giving their consent when registering.

In principle, we only get access to summarised information about the success of our advertisements. As part of the conversion measurements, however, we can check which of our online marketing processes have led to a conversion, for example, when user concludes a contract with us. The conversion measurement is used solely to analyse the success of our marketing measures.

Unless otherwise stated, we ask you to assume that the cookies used will be stored for two years.

WEB TRACKING – GOOGLE ANALYTICS

If you have given your consent, this website uses Google Analytics, a web analysis service provided by Google Ireland Limited. (“Google”). GoogleAnalytics uses “cookies”, which are text files that are stored on your computer and that enable your use of the website to be analysed. The information generated by the cookie about your use of this website is usually transferred to a Google server in the USA and stored there. If IP anonymisation is activated on this website, Google will first shorten your IP address within member states of the European Union or in other contracting states of the Agreement on the European Economic Area. It is only in exceptional cases that the full IP address is transmitted to a Google server in the USA and shortened there. On behalf of the operator of this website, Google will use this information to evaluate your use of the website to compile reports on website activity and to provide the website operator with other services related to website and Internet usage.

The IP address transmitted by your browser as part of Google Analytics will not be merged with other Google data.

You can prevent your cookies from being stored by setting your browser software accordingly; however, we would like to point out that in this case you may not be able to use all functions of this website to their full extent. You can also prevent Google from collecting your data generated by the cookie and relating to your use of the website (including your IP address) and from processing this data by Google by using the browser plug-in available under the following link. Download and install it from: http://tools.google.com/dlpage/gaoptout?hl=de.

This website uses Google Analytics with the extension “_anonymizeIp ()”. As a result, IP addresses are processed in abbreviated form, so that personal references can be excluded. If the data collected about you can be linked to a person, then this will be excluded immediately and the personal data will be deleted immediately.

We use Google Analytics to analyse the use of our website and to improve it regularly. We can use the statistics obtained to improve our offer and make it more interesting for you as a user.

In exceptional cases where personal data is transferred to the USA, Google Ireland has concluded standard contractual clauses (SVK) in accordance with Art. 46 para. 2 GDPR to ensure that a comparable level of data protection is ensured when data is transferred to your third country. Please visit: https://privacy.google.com/businesses/compliance/#!#gdpr for more information

Your consent is the legal basis for using Google Analytics – Art. 6 Para. 1 sentence 1 lit. a GDPR.

Third-party information: Google Dublin, Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland, Fax: +353 (1) 436 1001. User conditions: http://www.google.com/analytics/terms/de.html, overview of data protection: http://www.google.com/intl/de/analytics/learn/privacy.html, as well as the data privacy statement: http://www.google.de/intl/de/policies/privacy.

This website also uses Google Analytics for a cross-device analysis of visitor flows, which is carried out via a user ID. You can deactivate cross-device analysis of your usage in your customer account under “My data”, “Personal data”.

USE OF THE GOOGLE TAG MANAGER

Google Tag Manager is a solution from Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland (“Google”), with which marketers can manage website tags via an interface.

The Tag Manager tool itself (which implements the tags) is a cookie-free domain and does not collect any personal data. The tool triggers other tags, which in turn may collect data. Google Tag Manager does not access this data. If a deactivation has been made at the domain or cookie level, it will remain in effect for all tracking tags implemented with Google Tag Manager. http://www.google.de/tagmanager/use-policy.html

Your consent serves as the legal basis for transferring personal data to Google, i.e. Art. 6 Para. 1 sentence 1 lit. a GDPR. Click here to opt out of being recorded by Google Tag Manager.

In exceptional cases where personal data is transferred to the USA, Google Ireland has concluded standard contractual clauses (SVK) in accordance with Art. 46 para. 2 GDPR to ensure that a comparable level of data protection is ensured when data is transferred to your third country. Please visit: https://privacy.google.com/businesses/compliance/#!#gdpr for more information.

SOCIAL NETWORK PRESENCE

We maintain an online presence within social networks in order to communicate with the users active there or to offer information about us there. We would like to point out that user data can be processed outside of the European Union. This can result in risks for the user, because it could be more difficult to enforce user rights.

As well, user data within social networks are usually processed for market research and advertising purposes. User profiles are created based on the usage behaviour and the resulting user interests. Usage profiles can in turn be used to to place advertisements inside and outside the networks that presumably correspond to the interests of the users. For these purposes, cookies are usually stored on the user’s computer, where the usage behaviour and user interests of the are stored. Data can also be stored in the usage profiles regardless of the devices used by the users (especially if the users are members of the respective platforms and are logged in to them). Please refer to the data privacy statements and information provided by the operators of the respective networks for a detailed description of the respective forms of processing and the options for objection (opt-out).

In the event of requests for information and the assertion of rights of data subjects, we point out that these can be most effectively asserted with the providers. Only the providers have access to user data and only they can take appropriate action and provide information. If you still need help, you can contact us.

Processed types of data: Inventory data (e.g. names, addresses), contact data (e.g. e-mail, telephone numbers), content data (e.g. text entries, photographs, videos), usage data (e.g. websites visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses).

  • Affected persons: users (e.g. website visitors, users of online services).
  • Purposes of processing: Contact requests and communication, tracking (e.g. interest/behaviour-related profiling, use of cookies), remarketing, reach measurement (e.g. access statistics, recognition of returning visitors).

SOCIAL MEDIA PLUG-INS

We currently use the following social media plug-ins: Xing, LinkedIn. We use the two-click solution. This means that when you visit our site, no personal data is initially passed on to the plug-in providers. You can recognize the provider of the plug-in by the marking on the box above its initial letter or the logo. We give you the opportunity to communicate directly with the provider of the plug-in by clicking on the button. Only if you click on the marked field and thereby activate it will the plug-in provider receive the information that you have accessed the corresponding website for our online offer. In addition, the data mentioned under Section 4 of this statement will be transmitted. In the case of Facebook and Xing, according to the respective providers in Germany, the IP address is anonymised immediately after it is collected. By activating the plug-in, personal data will be transmitted from you to the respective plug-in provider and stored there (for US providers in the USA). Since the plug-in provider collects data in particular via cookies, we recommend that you delete all cookies using the security settings of your browser before clicking on the greyed-out box.

We have no influence on the data collected and the data processing procedures, nor are we aware of the full scope of data collection, the purposes of processing or the storage periods. We also have no information on the deletion of the data collected by the plug-in provider.

The plug-in provider saves the data collected about you as a user profile and uses this for advertising, market research and/or needs-based design of its website. This kind of an evaluation takes place in particular (also for users who are not logged in) to display needs-based advertising and to inform other users of the social network about your activities on our website. You have the right to object to the creation of these user profiles; you must contact the respective plug-in provider to do so. These plug-ins offer you the opportunity to interact with social networks and other users, so that we can improve our offer and make it more interesting to you as a user. The legal basis for using the plug-ins is Art. 6 Para. 1 sentence 1 lit. f GDPR.

The data is passed on regardless of whether you have an account with the plug-in provider and are logged in there. If you are logged in with the plug-in provider, your data collected by us will be assigned directly to your existing account with the plug-in provider. If you click on the activated button and, for example, if you link the page, the plug-in provider will also save this information in your user account and share it publicly with your contacts. We recommend that you log out regularly after using a social network, but especially before activating the button, as this allows you to avoid being assigned to your profile with the plug-in provider.

Further information on the purpose and scope of the data collection and its processing by the plug-in provider can be found in the data privacy statements of these providers, which are provided below. There you will also find further information about your rights in this regard and setting options to protect your privacy.

Addresses for the respective plug-in providers and URL with their data protection information:

 

Xing AG, Gänsemarkt 43, 20354 Hamburg, DE; http://www.xing.com/privacy.

LinkedIn Corporation, 2029 Stierlin Court, Mountain View, California 94043, USA; http://www.linkedin.com/legal/privacy-policy. LinkedIn provides standard contractual clauses (SVK) in accordance with Art. 46 (2) GDPR to ensure a comparable level of data protection when transferring data to the parent company in the USA. Please visit: https://www.linkedin.com/help/linkedin/answer/62533/eu-eea-and-swiss-data-transfers?lang=en

PLUGIN: YOUTUBE

We have integrated YouTube videos from Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland (“Google”), into our online offer, and they are stored on http://www.YouTube.com and can be played directly from our website. These are all integrated in the “extended data protection mode”, i.e. no data about you as a user will be transmitted to YouTube if you do not play the videos. The data mentioned in Paragraph 2 be transmitted only when you play the videos. We have no influence on this data transfer.

When you visit the website, YouTube (Google) receives the information that you have accessed our website’s corresponding sub-page. In addition, the data mentioned under Section 4 of this declaration will be transmitted. This happens regardless of whether YouTube provides a user account that you are logged in to or whether there is no user account. If you are logged in to Google, your data will be assigned directly to your account. If you do not wish to be assigned to your profile on YouTube, you must log out before activating the button. YouTube saves your data as a user profile and uses it for advertising, market research and/or needs-based design of its website. At this kind of an evaluation takes place in particular (even for users who are not logged in) to provide needs-based advertising and to inform other users of the social network about your activities on our website. You have the right to object to the creation of these user profiles, although you must contact YouTube to exercise this right.

The legal basis for the transfer of personal data to YouTube (Google) is your consent, thus Art. 6 Para. 1 sentence 1 lit. a GDPR.

Further information on the purpose and scope of data collection and its processing by YouTube can be found in the privacy statement. You will also find further information there about your rights and setting options to protect your privacy: https://www.google.de/intl/de/policies/privacy.

In exceptional cases where personal data is transferred to the USA, Google Ireland has concluded standard contractual clauses (SVK) in accordance with Art. 46 para. 2 GDPR to ensure that a comparable level of data protection is ensured when data is transferred to your third country. For more information, please visit: https://privacy.google.com/businesses/compliance/#!#gdpr

PLUGIN: GOOGLE WEB FONTS

This site uses web fonts to assure that fonts are uniformly represented; these fonts are provided by Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland (“Google”). When you excess a page, your browser loads the required web fonts into your browser cache in order to display text and fonts correctly.

This means that the browser you are using must connect to the Google servers. This alerts Google that your IP address has accessed our website. Google Web Fonts ensures a uniform and appealing presentation of our online offers. This represents a legitimate interest as defined in Art. 6 Para. 1 lit. f GDPR.

A standard font will be used by your computer if your browser does not support web fonts.

To find out more information about Google web fonts, please visit: https://developers.google.com/fonts/faq and Google’s data privacy statement: https://www.google.com/policies/privacy/.

In exceptional cases where personal data is transferred to the USA, Google Ireland has concluded standard contractual clauses (SVK) in accordance with Art. 46 para. 2 GDPR to ensure that a comparable level of data protection is ensured when data is transferred to your third country. Please visit: https://privacy.google.com/businesses/compliance/#!#gdpr for more information.

GOOGLE RECAPTCHA

We use the Google reCAPTCHA service from Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland (“Google”) on our website. This service is intended to serve natural persons from so-called BOTS (machine and automated processing) when logging in. The IP address will be passed on to Google. This means that personal data is transmitted to Google Ltd.

Your consent serves as the legal basis for transferring personal data to Google, i.e. Art. 6 Para. 1 sentence 1 lit. a GDPR.

In the event that personal data is transmitted by Google Ltd. to the parent company based in the USA (Google LLC), Google Ireland has signed standard contractual clauses (SVK) in accordance with Art. 46 para. 2 GDPR to ensure that a comparable level of data protection is ensured when data is transferred to your third country. Please visit: https://privacy.google.com/businesses/compliance/#!#gdpr for more information

You can find further information on Google reCAPTCHA and Google’s data protection declaration at: https://www.google.com/intl/de/policies/privacy/

DELETION OF DATA

The data processed by us will be deleted in accordance with the legal requirements as soon as the consent allowed for processing is revoked or other permissions are no longer applicable (e.g. if the purpose of processing this data is no longer applicable or is not required for that purpose).

If the data are not deleted because they are required for other and legally permissible purposes, their processing will be limited to these purposes. This means that the data is blocked and not processed for other purposes. This applies e.g. for data that must be kept for commercial or tax law reasons or the storage of which is necessary to assert, exercise or defend legal claims or to protect the rights of another natural or legal person.

Further information on deleting personal data can also be found in the individual data protection information in this data privacy statement.

CHANGE AND UPDATE TO THE DATA PRIVACY STATEMENT

We ask you to inform yourself regularly about the content of our data privacy statement. We will adapt the data privacy statement as soon as the changes we make to the data processing make this necessary.

We will inform you as soon as the changes require your cooperation (e.g. consent) or other individual notification.

If we provide addresses and contact information of companies and organizations in this data privacy statement, please note that the addresses can change over time and we ask you to check the information before contacting us.

RESPONSIBLE SUPERVISORY AUTHORITY FOR US

State Commissioner for data protection and Freedom of Information North Rhine Westphalia

Helga Block
Postfach 20 04 44
40102 Düsseldorf

Kavalleriestraße 2-4
40213 Düsseldorf

Telephone: +49 211 384240
Telefax: +49 211 3842410

E-mail: poststelle@ldi.nrw.de
Website: https://www.ldi.nrw.de

DEFINITIONS OF TERMS

This section provides an overview of the terms used in this data privacy statement. Many of the terms are taken from the law and primarily defined in Art. 4 GDPR. The legal definitions are binding. The following explanations, however, are primarily intended to aid understanding. The terms are sorted alphabetically.

  • Conversion tracking: describes a procedure that determines how effective the marketing measures being used are. To do this, a cookie is usually stored on the users’ devices within the websites where the marketing measures are carried out and are then retrieved once again on the target website. (This lets us see, for example, whether the advertisements we placed on other websites were successful).
  • Cross-device tracking: Cross-device tracking is a type of tracking wherein the user’s behaviour and information regarding their interests are recorded across devices in so-called profiles by assigning an online identifier to each user. As a result, this user information can usually be analysed for marketing purposes regardless of the browser or device used (e.g. mobile phones or desktop computers). Most providers do not link the online identification with clear data such as names, postal addresses or e-mail addresses.
  • IP masking: “IP masking” is a method in which the last octet, i.e. the last two digits of an IP address, is deleted so that the IP address can no longer be used to uniquely identify a person. Therefore, IP masking is a means of pseudonymising processing methods, especially in online marketing
  • Interest-based and behaviour-based marketing: Interest-based and/or behaviour-related marketing is when users’ potential interests in advertisements and other content are predetermined as precisely as possible. This is done based on information about their previous behaviour (e.g. visiting certain websites and lingering there, their buying behaviour or interaction with other users), which are stored in a profile. Cookies are usually used for these purposes.
  • Conversion measurement: Conversion measurement is a procedure that determines the effectiveness of marketing measures. To do this, a cookie is usually stored on the users’ devices within the websites where the marketing measures are carried out and are then retrieved once again on the target website. This lets us see, for example, whether the advertisements we placed on other websites were successful.
  • Personal data: “Personal data” refers to all information that relates to an identified or identifiable natural person (hereinafter “data subject”); a natural person is regarded as identifiable if they can be identified directly or indirectly, in particular, by being assigned to an identifier such as a name, an identification number, location data, an online identifier (e.g. cookie) or one or more special features that express the physical, physiological, genetic, psychological, economic, cultural or social identity of this natural person.
  • Profiling: “Profiling” is any type of automated processing of personal data that consists of using this personal data to identify certain personal aspects that relate to a natural person (depending on the type of profiling, this includes information on age, to analyse, evaluate or predict the gender, location data and movement data, interaction with websites and their content, shopping behaviour, social interactions with other people (e.g. the interests in certain content or products, the click behaviour on a website or those whereabouts). Cookies and web beacons are often used for profiling purposes.
  • Reach measurement: Reach measurement (also known as web analytics) is used to evaluate the flow of visitors to an online offer and can measure visitor behaviour or interests in certain information, such as web page content. Using reach analysis, website owners can, for example, recognize at what time visitors visit your website and what content they are interested in. This means they can, for example, better adapt the content of the website to the needs of its visitors. In reach analysis, pseudonymous cookies and web beacons are often used in order to recognize returning visitors and thus obtain more precise analyses of the use of an online offer.
  • Remarketing: “Remarketing” or “retargeting” is when, for example, for advertising purposes, it is noted which products a user was interested in on a website in order to alert the user of these products on other websites, for example, by placing these products in advertisements.
  • Tracking: “Tracking” is when user behaviour can be tracked across several online offers. As a rule, behavioural and interest information with regard to the online offers used is stored in cookies or on servers of the providers of tracking technologies (this is referred to as “profiling”). This information can then, for example, be used to show users advertisements that are likely to correspond to their interests.
  • Responsibles: A “responsible” is a natural or legal person, authority, institution or other body that alone or jointly with others decides on the purposes and means of processing personal data.
  • Processing: “Processing” refers to any process carried out with or without the help of automated processes or any such series of processes in connection with personal data. This term is broad and encompasses practically every way the data is handled, whether this refers to how it is collected, evaluated, stored, transmitted or deleted.

Target group formation: Target group formation (or “custom audiences”) refers to using target groups for advertising purposes, for example, for displaying advertisements. For example, based on a user’s interest in certain products or topics on the Internet, it can be concluded that this user is interested in advertisements for similar products or the online shop in which the user viewed the products. “Lookalike audiences” (or similar target groups) refers to content deemed suitable for display to users whose profiles or interests presumably correspond to the users for whom the profiles were created. Cookies and web beacons are generally used for creating custom audiences and lookalike audiences.