Privacy policy

Data protection information pursuant to Art. 13, 14 and 21 GDPR for the website, external sites and other processing operations of Schlüter-Systems KG.

Schlüter-Systems Privacy policy

I. General information

Scope

This privacy policy applies to the following processes:

  • All websites that refer to this privacy policy, external sites (social media), job applicant management

Controller

We take the protection of your personal data and the legal obligations to ensure this protection very seriously. The relevant statutory requirements demand extensive transparency concerning the processing of personal data. Only if you are sufficiently informed about the purpose, type and scope of processing can you, as the data subject, fully understand the processing.

The controller in the definition of the European General Data Protection Regulation (GDPR) is

Schlüter-Systems KG
Schmölestraße 7
58640 Iserlohn
Germany
T: +49 2371 971-0
E: info@schlueter.de

Hereinafter referred to as "controller" or "we".

Information on joint controllers can be found under "Information on joint controllers".

The data protection officer can be reached at:

Data protection officer - personal
Schmölestraße 7
58640 Iserlohn
E-Mail: datenschutz@schlueter.de

Definitions

The terms used in this privacy policy (e.g. data categories, purposes and legitimate interests as well as terms from the GDPR) are explained in the section "Definitions".

General information about data processing

We will only process personal data to the extent permissible by law. We will exclusively disclose personal data in the cases described below. Personal data will be protected with appropriate technical and organisational measures (e.g. pseudonymisation, encryption). 

Unless we are legally obliged to store or disclose data to third parties (in particular law enforcement authorities), the decision as to which personal data we collect, how long it is stored and to what extent we disclose it depends on the purpose for which we process your data and which of our service offerings you use in individual cases.

Storage duration

Personal data will be erased as soon as the purpose of processing no longer applies or any other reason for erasure applies in accordance with Art. 17 (1) of the GDPR (e.g. you have withdrawn the consent you gave to us). In exceptional cases, we are still permitted to process your personal data if an exception to the erasure obligation applies, in particular in accordance with Art. 17 (3) of the GDPR or other legislation (e.g. a statutory storage obligation exists).

Processing activities based on consent: The data processed on the basis of your consent will be stored by us until you withdraw your consent. After any withdrawal, we will store the data for a period of three years as proof of the consent previously given.

Personal data that we process in the context of an application (see below) will be stored for a period of six months after completion of the application process. 

If we are required to provide information about the storage duration of cookies that require consent and similar technologies, you will find the details for this in our consent tool.

Storage duration with regard to data subject requests: After completion of processing, we will store and retain the data relating to your request in accordance with the applicable regulations. We do this to provide proof of the implementation of the data subject's request for a duration of three years.

Automated decisions in individual cases, including profiling

There will be no automated decisions in individual cases, including profiling.

Data subject rights

As the data subject, you have the right to information pursuant to Art. 15 of the GDPR, the right to rectification pursuant to Art. 16 of the GDPR, the right to erasure pursuant to Art. 17 of the GDPR, the right to restriction of processing pursuant to Art. 18 of the GDPR as well as the right to data portability pursuant to Art. 20 of the GDPR. You have the right to complain to a data protection supervisory authority (Art. 77 of the GDPR).
The data protection supervisory authority responsible for us is: 

State Commissioner for Data Protection and Freedom of Information in North Rhine-Westphalia
Kavalleriestr. 2
440213 Düsseldorf

However, you are free to complain to another data protection supervisory authority.

Controller's notification duties

We will notify all recipients to whom we disclose your personal data of any rectification or erasure of your personal data or restriction of processing pursuant to Art. 16, Art. 17 (1) and Art. 18 of the GDPR, unless such notification is impossible or involves disproportionate effort. We will notify you of recipients at your request.

Obligation to provide information

Unless otherwise explained in the information on the legal basis, you are not obliged to provide personal data. If we base the processing on Art. 6 (1) Para. 1 lit. b of the GDPR, your personal data is required for the fulfilment or conclusion of a contract. If you do not provide the personal data, it is not possible to fulfil or conclude the contract. If you do not provide the data in the cases of Art. 6 (1) Para. 1 lit. a, f of the GDPR, it is not possible to use the service offerings concerned.
With regard to our events and seminars you are not obliged to provide personal data, but participation in the events is not possible without this data.

Data transfer to third countries

Data transfers to third countries outside the European Union (EU) and the European Economic Area (EEA) are only permissible in accordance with the specific requirements of Art. 44 ff. of the GDPR. Insofar as such a transfer to a third country occurs during the processing of your personal data, we refer hereinafter to the transfer to third countries and the basis for transfer in each case.

General information on the basis for transfer:

  • If the transfer is based on a derogation under Art. 49 of the GDPR, the details can be found in the relevant section.
  • If the transfer is based on an adequacy decision in accordance with Art. 45 of the GDPR, an overview of the adequacy decisions can be found here: Overview of adequacy decisions
  • If the transfer is based on what is known as the standard data protection clauses adopted by the EU Commission in accordance with Art. 46 (2) lit. c of the GDPR, Implementing Decision 2021/914 of the EU Commission, which contains the contractual clauses, can be found here: Standard data protection clauses of the EU Commission
  • If the transfer is based on the Binding Corporate Rules ("BCR" for short) in accordance with Art. 46 (2) lit. b) of the GDPR, an overview of the published BCR can be found here: Overview of the Binding Corporate Rules

Right to object

In accordance with Art. 21 (1) of the GDPR, you have the right to object on grounds relating to your particular situation to the processing of your personal data that is based on Art. 6 (1), Para. 1 lit. e or f of the GDPR. This also applies to profiling based on those provisions. Where personal data are processed for direct marketing purposes, you have the right in accordance with Art. 21 (2) of the GDPR to object at any time to the processing of your personal data for such purposes, which also applies to profiling to the extent that it is related to such direct marketing. Your informal objections may be directed to:

Schlüter-Systems KG
Schmölestraße 7
58640 Iserlohn
widerspruch@schlueter.de

Withdrawal of consent(s)

You have the right to withdraw your consent(s) at any time pursuant to Art. 7 (3) Para. 1 of the GDPR with effect for the future without formal requirements (e.g. by post or E-Mail). This will not affect the lawfulness of the processing carried out on the basis of the consent(s) until it/they are withdrawn. In the event of your withdrawal, we will erase the personal data processed on the basis of the consent(s) if there is no other legal basis for its processing. Your informal withdrawals may be directed to:

Schlüter-Systems KG
Schmölestraße 7
58640 Iserlohn
widerspruch@schlueter.de

II. Interaction between the privacy policy, cookie policy and consent tool

The privacy policy provides you with information about the processing of data based on the provisions of the GDPR and, where applicable, the Federal German Data Protection Act (BDSG). If the provisions of the German Telecommunications Digital Services Data Protection Act (TDDDG) are relevant to individual circumstances, the relevant information can be found in the Consent Management Tool. This also applies to the information on storing or reading out data on your terminal device. 

 

III. Use of our website(s)

The use of our website(s) and their functions requires the regular processing of personal data. Unless otherwise indicated, the following statements apply to all websites that we operate and that refer to this privacy policy.
Please note that you may access other websites via links on our website that are not operated by us, but by third parties. Such links are either clearly identified by us or are recognisable by a change of the address line in your browser. We are not responsible for compliance with data protection regulations and the secure handling of your personal data on such websites operated by third parties.

Provision of the website

Purpose of processing: Information security as well as advertising and personalised marketing measures

Legal basis: Art. 6 (1) Para. 1 lit. f of the GDPR (Balancing of interests)

Legitimate interests: Operation, integrity and security of digital products, promotion of sales activities, design, operation and availability of digital products as well as customer acquisition, customer retention and customer recovery

Data categories: Usage data and connection data

Data recipients: IT service providers

Intended third country transfer: A transfer to a third country is not intended.

Contact

Purpose of processing: User, prospective customer and/or customer service

Legal basis: Art. 6 (1) Para. 1 lit. b of the GDPR (Steps prior to entering into a contract/Fulfilment of a contract) and Art. 6 (1) Para. 1 lit. f of the GDPR (Balancing of interests)

Legitimate interests: Incorporation of desired or necessary functionalities, promotion of sales activities, promotion of economic interests and customer acquisition, customer retention and customer recovery

Data categories: Content data, contact data, usage data and master data

Data recipients: IT service providers

Intended third country transfer: A transfer to a third country is not intended.

Participation in sweepstakes

Purpose of processing: Order fulfilment and contract management as well as advertising and personalised marketing measures

Legal basis: Art. 6 (1) Para. 1 lit. a of the GDPR (Consent), Art. 6 (1) Para. 1 lit. b of the GDPR (Steps prior to entering into a contract/Fulfilment of a contract) and Art. 6 (1) Para. 1 lit. f of the GDPR (Balancing of interests)

Legitimate interests: Incorporation of desired or necessary functionalities, customer acquisition, customer retention and customer recovery and prevention of criminal offences, administrative offences and other adverse actions

Data categories: Content data, contact data, master data, connection data and usage data

Data recipients: IT service providers

Intended third country transfer: A transfer to a third country is not intended.

External fonts

Purpose of processing: Advertising and personalised marketing measures

Legal basis: Art. 6 (1) Para. 1 lit. f of the GDPR (Balancing of interests)

Legitimate interests: Design, operation and availability of digital products

Data categories: Connection data

Data recipients: IT service providers

Intended third country transfer: Data may be transferred to third countries in individual cases. (Adequacy decision(s) and standard data protection clauses of the EU Commission)

External contents (Facebook, Instagram, YouTube, LinkedIn, Pinterest, X (formerly Twitter), Google Maps, Vimeo, Xing, WhatsApp, TikTok)

Purpose of processing: Advertising and personalised marketing measures

Legal basis: Art. 6 (1) Para. 1 lit. f of the GDPR (Balancing of interests)

Legitimate interests: Incorporation of desired or necessary functionalities, promotion of sales activities, promotion of economic interests, design, operation and availability of digital products, customer acquisition, customer retention, customer recovery as well as advertising and image enhancement, market and opinion research

Data categories: Usage data and connection data

Data recipients: IT service providers and platform operators and media

Intended third country transfer: Data may be transferred to third countries in individual cases. (Adequacy decision(s) and standard data protection clauses of the EU Commission)

Newsletters

Purpose of processing: User, prospective customer and/or customer service as well as advertising and personalised marketing measures

Legal basis: Art. 6 (1) Para. 1 lit. a of the GDPR (Consent) and Art. 6 (1) Para. 1 lit. f of the GDPR (Balancing of interests)

Legitimate interests: Promotion of sales activities, promotion of economic interests, customer acquisition, customer retention, customer recovery as well as advertising and image enhancement, market and opinion research

Data categories: Contact data, master data, connection data, content data and usage data

Data recipients: IT service providers

Intended third country transfer: A transfer to a third country is not intended.

Consent management

Purpose of processing: Information security as well as legislative matters and compliance measures

Legal basis: Art. 6 (1) Para. 1 lit. c of the GDPR (Legal obligation) and Art. 6 (1) Para. 1 lit. f of the GDPR (Balancing of interests)

Legitimate interests: Prevention of criminal offences, administrative offences and other adverse actions

Data categories: Content data, usage data and connection data

Data recipients: IT service providers

Intended third country transfer: A transfer to a third country is not intended.

CAPTCHA service

Purpose of processing: Information security

Legal basis: Art. 6 (1) Para. 1 lit. f of the GDPR (Balancing of interests)

Legitimate interests: Operation, integrity and security of digital products as well as design, operation and availability of digital products

Data categories: Usage data and connection data

Data recipients: IT service providers

Intended third country transfer: Data may be transferred to third countries in individual cases. (Adequacy decision(s) and standard data protection clauses of the EU Commission)

Request of promotional materials or price offers

Purpose of processing: User, prospective customer and/or customer service as well as advertising and personalised marketing measures

Legal basis: Where applicable, Art. 6 (1) Para. 1 lit. a of the GDPR (Consent), Art. 6 (1) Para. 1 lit. b of the GDPR (Steps prior to entering into a contract/Fulfilment of a contract) and Art. 6 (1) Para. 1 lit. f of the GDPR (Balancing of interests)

Legitimate interests: Promotion of sales activities, promotion of economic interests, customer acquisition, customer retention, customer recovery as well as advertising and image enhancement, market and opinion research

Data categories: Content data, contact data, master data, usage data and connection data

Data recipients: IT service providers

Intended third country transfer: A transfer to a third country is not intended.

Analysis and performance measurement

Purpose of processing: Analysis, performance measurement and optimisation of products and/or services as well as advertising and personalised marketing measures

Legal basis: Art. 6 (1) Para. 1 lit. f of the GDPR (Balancing of interests)

Legitimate interests: Analysis and optimisation of our own service offerings, services and advertising measures, promotion of sales activities, promotion of economic interests as well as advertising and image enhancement, market and opinion research

Data categories: Content data, usage data and connection data

Data recipients: IT service providers

Intended third country transfer: Data may be transferred to third countries in individual cases. (Adequacy decision(s) and standard data protection clauses of the EU Commission)

IV. Job applicant management

Purpose of processing: Job applicant management

Legal basis: Art. 6 (1) Para. 1 lit. a of the GDPR (Consent) and Art. 6 (1) Para. 1 lit. b of the GDPR (Steps prior to entering into a contract/Fulfilment of a contract)

Data categories: Job applicant and employees’ data

Data recipients: Group subsidiaries and other affiliated companies, IT service providers where applicable

Intended third country transfer: In individual cases, data is transferred to third countries if the job application is relevant for affiliated companies (lawful for the implementation of pre-contractual measures, Art. 49 (1) lit. b of the GDPR)

V. Registration and implementation of face-to-face seminars (Schlüter workbox) and webinars (GoTo meeting)

Purpose of processing: Registration for our face-to-face seminars via the Schlüter workbox and webinars via GoTo meeting; preparation and implementation of the seminars and webinars. Proof of your registration; ensuring the security of our information technology systems

Legal basis: Art. 6 (1) Para. 1 lit. b of the GDPR (Steps prior to entering into a contract/Fulfilment of a contract) and Art. 6 (1) Para. 1 lit. f of the GDPR (Balancing of interests)

Legitimate interests: Operation, integrity and security of digital products, promotion of sales activities, design, operation and availability of digital products, customer acquisition, customer retention and customer recovery

Data categories: Master data, contact data, content data, contract data, connection data

Data recipients: Recipients, if applicable, in connection with registering for and conducting the seminars where disclosure is required (e.g. to book hotel rooms at the request of seminar participants); LogMeIn Ireland Limited, Bloodstone Building Block C, 70 Sir John Rogerson's Quay, Dublin 2, Ireland (for webinars via GoTo meeting)

Intended third country transfer: A transfer to a third country during face-to-face seminars is not intended. During webinars, data may be transferred to third countries in individual cases (adequacy decision(s) and standard data protection clauses of the EU Commission).

VI. Registration for participation at our events

Purpose of processing: Registration, preparation and implementation of our events. Proof of your registration; ensuring the security of our information technology systems

Legal basis: Art. 6 (1) Para. 1 lit. b of the GDPR (Steps prior to entering into a contract/Fulfilment of a contract) and Art. 6 (1) Para. 1 lit. f of the GDPR (Balancing of interests)

Legitimate interests: Operation, integrity and security of digital products, promotion of sales activities, design, operation and availability of digital products, customer acquisition, customer retention and customer recovery

Data categories: Master data, contact data, content data, contract data, connection data

Data recipients: If applicable, recipients in connection with the registration and implementation of the events, insofar as disclosure is required for this purpose (e.g. cooperation partners who provide the premises).

Intended third country transfer: A transfer to a third country is not intended.

VII. Customer account

Purpose of processing: Order fulfilment and contract management, advertising and personalised marketing measures

Legal basis: Art. 6 (1) Para. 1 lit. b of the GDPR (Steps prior to entering into a contract/Fulfilment of a contract)

Data categories: Content data, contact data, master data, connection data, contract data, access data

Data recipients: IT service providers

Intended third country transfer: A transfer to a third country is not intended.

VIII. Internal reporting office in accordance with the German Whistleblower Protection Act (HinSchG)

Our company has established an internal reporting office in the context of the German Whistleblower Protection Act (HinSchG). Employees can use this reporting office to raise concerns about matters that fall under the German Whistleblower Protection Act (HinSchG) (e.g. violations that are punishable by law). Its use is voluntary and can be carried out anonymously. In the context of submitting and processing reports to the internal reporting office, it is possible that your personal data may be processed.

Purpose of processing: Legislative matters and compliance measures

Legal basis: Art. 6 (1) Para. 1 lit. c of the GDPR in conjunction with § 10 (1) Para. 1 of the German Whistleblower Protection Act (HinSchG) (Legal obligation); in the case of sensitive data: Art. 9 (2) lit. c of the GDPR in conjunction with § 10 (1) Para. 2 of the German Whistleblower Protection Act (HinSchG) (Legal obligation)

Data categories: Employees’ data, content data, contact data, usage data, master data, connection data, contract data; sensitive data: personal data, data revealing racial or ethnic origin, religious or philosophical beliefs, data concerning health, data concerning a natural person’s sex life or sexual orientation

Data recipients: IT service providers, authorities and other public bodies

Intended third country transfer: A transfer to a third country is not intended.

IX. External sites

Facebook

Purpose of processing: Advertising and personalised marketing measures, analysis and performance measurement as well as optimisation of products and/or services

Legal basis: Art. 6 (1) Para. 1 lit. f of the GDPR

Legitimate interests: Design, operation and availability of digital products, advertising and image enhancement, market and opinion research, customer acquisition, customer retention, customer recovery

Data categories: Master data, contact data, content data, usage data, connection data and possibly location data

Data recipients: Platform operators and media (Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland ("Meta"))

Intended third country transfer: In individual cases USA and other third countries (standard data protection clauses and adequacy decisions)

Instagram

Purpose of processing: Advertising and personalised marketing measures, analysis and performance measurement as well as optimisation of products and/or services

Legal basis: Art. 6 (1) Para. 1 lit. f of the GDPR

Legitimate interests: Design, operation and availability of digital products, advertising and image enhancement, market and opinion research, customer acquisition, customer retention, customer recovery

Data categories: Master data, contact data, content data, usage data, connection data and possibly location data

Data recipients: Platform operators and media (Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland ("Meta"))

Intended third country transfer: In individual cases USA and other third countries (standard data protection clauses and adequacy decisions)

LinkedIn (profile)

Purpose of processing: Advertising and personalised marketing measures, analysis and performance measurement as well as optimisation of products and/or services

Legal basis: Art. 6 (1) Para. 1 lit. f of the GDPR

Legitimate interests: Design, operation and availability of digital products, advertising and image enhancement, market and opinion research, customer acquisition, customer retention, customer recovery

Data categories: Master data, contact data, content data, usage data, connection data and possibly location data

Data recipients: Platform operators and media (LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland ("LinkedIn"))

Intended third country transfer: In individual cases USA and other third countries (standard data protection clauses and adequacy decisions)

Pinterest (profile)

Purpose of processing: Advertising and personalised marketing measures, analysis and performance measurement as well as optimisation of products and/or services

Legal basis: Art. 6 (1) Para. 1 lit. f of the GDPR

Legitimate interests: Design, operation and availability of digital products, advertising and image enhancement, market and opinion research, customer acquisition, customer retention, customer recovery

Data categories: Master data, contact data, content data, usage data, connection data and possibly location data

Data recipients: Platform operators and media (Pinterest Europe Ltd., Palmerston House, 2nd Floor Fenian Street, Dublin 2, Ireland ("Pinterest"))

Intended third country transfer: In individual cases USA and other third countries (standard data protection clauses and adequacy decisions)

X

Purpose of processing: Advertising and personalised marketing measures, analysis and performance measurement as well as optimisation of products and/or services

Legal basis: Art. 6 (1) Para. 1 lit. f of the GDPR

Legitimate interests: Design, operation and availability of digital products, advertising and image enhancement, market and opinion research, customer acquisition, customer retention, customer recovery

Data categories: Master data, contact data, content data, usage data, connection data and possibly location data

Data recipients: Platform operators and media (Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07, Ireland ("Twitter"))

Intended third country transfer: In individual cases USA and other third countries (standard data protection clauses and adequacy decisions)

XING (profile)

Purpose of processing: Advertising and personalised marketing measures, analysis and performance measurement as well as optimisation of products and/or services

Legal basis: Art. 6 (1) Para. 1 lit. f of the GDPR

Legitimate interests: Design, operation and availability of digital products, advertising and image enhancement, market and opinion research, customer acquisition, customer retention, customer recovery

Data categories: Master data, contact data, content data, usage data, connection data and possibly location data

Data recipients: Platform operators and media (New Work SE, Dammtorstraße 30, 20354 Hamburg, Germany ("XING"))

Intended third country transfer: In individual cases USA and other third countries (standard data protection clauses and adequacy decisions)

YouTube channel

Purpose of processing: Advertising and personalised marketing measures, analysis and performance measurement as well as optimisation of products and/or services

Legal basis: Art. 6 (1) Para. 1 lit. f of the GDPR

Legitimate interests: Design, operation and availability of digital products, advertising and image enhancement, market and opinion research, customer acquisition, customer retention, customer recovery

Data categories: Master data, contact data, content data, usage data, connection data and possibly location data

Data recipients: Platform operators and media (Google Ireland Ltd., Gordon House, Barrow Street Dublin 4, Ireland ("Google"))

Intended third country transfer: In individual cases USA and other third countries (standard data protection clauses and adequacy decisions)

WhatsApp channel

Purpose of processing: Advertising and personalised marketing measures, analysis and performance measurement as well as optimisation of products and/or services

Legal basis: Art. 6 (1) Para. 1 lit. f of the GDPR

Legitimate interests: Design, operation and availability of digital products, advertising and image enhancement, market and opinion research, customer acquisition, customer retention, customer recovery

Data categories: Master data, contact data, content data, usage data, connection data and possibly location data

Data recipients: Platform operators and media (Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland ("Meta"))

Intended third country transfer: In individual cases USA and other third countries (standard data protection clauses and adequacy decisions)

TikTok

Purpose of processing: Advertising and personalised marketing measures, analysis and performance measurement as well as optimisation of products and/or services

Legal basis: Art. 6 (1) Para. 1 lit. f of the GDPR

Legitimate interests: Design, operation and availability of digital products, advertising and image enhancement, market and opinion research, customer acquisition, customer retention, customer recovery

Data categories: Master data, contact data, content data, usage data, connection data and possibly location data

Data recipients: TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland.

Intended third country transfer: In individual cases USA and other third countries (standard data protection clauses and adequacy decisions)

X. Information on joint controllers

In the cases listed below, we are jointly responsible with another body in accordance with Art. 4 (7), Art. 26 of the GDPR. If you have any questions, you are free to contact any of the joint controllers directly. Depending on the specific agreement on data subject rights with the other body, we will pass on your request to the other body.

Operation of our Facebook page(s):

In the context of operating our Facebook page(s), we share joint responsibility with Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland ("Meta").

The main points of the agreement can be found here: https://www.facebook.com/legal/terms/page_controller_addendum

Facebook is responsible for implementing your data subject rights. You can find out about your data subject rights on Facebook at: https://www.facebook.com/legal/terms/information_about_page_insights_data

Operation of our Instagram page(s):

In the context of operating our Instagram page(s), we share joint responsibility with Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland ("Meta").

The main points of the agreement can be found here: https://www.facebook.com/legal/terms/page_controller_addendum

Facebook is responsible for implementing your data subject rights. You can find out about your data subject rights on Facebook at: https://www.facebook.com/legal/terms/information_about_page_insights_data

Operation of the LinkedIn page(s): 

In the context of operating our LinkedIn page, we share joint responsibility with LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland ("LinkedIn").

The main points of the agreement can be found here:
https://legal.linkedin.com/pages-joint-controller-addendum

LinkedIn is responsible for implementing your data subject rights. You can find out about your data subject rights on LinkedIn at:
https://www.linkedin.com/legal/privacy-policy

XI. Definitions

From the GDPR

This privacy policy uses the legal terms established in the GDPR. Further information about the definition of these terms (Art. 4 of the GDPR) can be found, for example, at https://eur-lex.europa.eu/legal-content/DE/TXT/?uri=CELEX:32016R0679. The definition of "data concerning health" can be found in Art. 4 (15) of the GDPR. Where other special categories of personal data are processed, the explanations can be found in Art. 4, 9 (1) of the GDPR. If the processed data is personal data relating to criminal convictions and offences, the relevant information can be found in Art. 10 of the GDPR.

Additional definitions

Data categories

When we specify the categories of data processed, this includes the following data in particular: 

  • Master data (e.g. name, address, date of birth)
  • Contact data (e.g. E-Mail addresses, phone number, Messenger services)
  • Content data (e.g. text entries, photographs, videos, contents of documents/files)
  • Contract data (e.g. subject matter of the contract, terms of the contract, customer category)
  • Payment data (e.g. bank details, payment history, use of other payment service providers)
  • Usage data (e.g. browsing history on our website, usage of certain content, access times, contact or order history)
  • Connection data (e.g. device information, IP addresses, URL referrers)
  • Location data (e.g. GPS data, IP geolocation, access points)
  • Diagnostic data (e.g. crash logs, website/app performance data, other technical data for analysing malfunctions and errors)
  • Job applicant and employee data (e.g. employment history, working hours, holiday periods, periods of absence due to illness, appraisals, training and further education, social data, bank details, social security number, health insurance/health insurance number, expected salary and salary data, tax identification number, certificates and documents, working hours, positions held in public office, social security data, data relating to professional integration management)

The data categories listed above could be considered social data as defined in Section 67 (2) of the German SGB X.

Purposes of the data processing

The following sections list the purposes pursued as categories of purposes to improve comprehensibility and readability. Some of these may overlap with our "legitimate interests" (see also the definitions further below). This lies in the nature of things.
Unless otherwise specified, the purposes of the data collection can be understood as follows:

  • Advertising and personalised marketing measures: For example, this includes the establishment of public and (where applicable) restricted-access websites, apps and/or external pages for general information regarding our products/services (e.g. general website about our company, press pages, social media pages), personalised communication with users, prospective customers and/or customers (e.g. newsletters), presentation of (personalised) recommendations and advertising measures (e.g. personalised newsletters, presentation of advertising on other websites, search engines, social media pages and/or apps as well as generally in advertising networks), consolidation and linking of data (if necessary, involving other parties such as publishers in advertising networks) to ensure commission entitlements for advertising material.
  • Safety and emergency management: This includes all processes that serve to ensure compliance with the applicable safety requirements and to prevent and/or deal with accidents and emergencies, such as access controls, video surveillance, logging, evacuation, rescue of persons and limitation of damage.
  • Analysis and performance measurement as well as optimisation of products and/or services: For example, this includes opinion polls and voting, comparative tests (known as A/B testing), analysis and (usually aggregated) evaluation of user, prospective customer and/or customer behaviour in the online and/or offline area (e.g. based on click paths, mouse movements and heat maps), analysis and evaluation of the success of general and (where applicable) personalised marketing measures, needs-based design of our (digital) products and services on the basis of the analysed demand and/or usage behaviour.
  • Order fulfilment and contract management: This includes all processing operations necessary for the fulfilment of the applicable orders/contracts, such as the processing of master data and contact data for the fulfilment of customer orders, the processing of payments, including any necessary transfer of data to payment service providers, the processing of returns and licence verification.
  • Operation and further development of internal IT systems: This also includes user management, authentication and technical logging as well as IT support, the further development and adaptation of systems and the related processing of personal data. This applies regardless of whether the IT systems are operated for the controller by the controller themselves or by a service provider (order processor).
  • Job applicant management: This also includes personnel marketing and processes in the context of the job application process, such as the processing of job applications (digital and analogue), communication with the job applicants, conducting job interviews, assessment centre procedures and probationary work, the establishment of talent pools as well as the documentation of the outcome of job applications.
  • Business partner management: This includes all processes that are used to analyse and select suitable business partners as well as to maintain existing business relationships.
  • Warranty, guarantee, discretionary service and general service: In particular, this includes the processing of warranty, guarantee and discretionary service cases as well as any information on updates, improvements and recall campaigns.
  • Identity and/or creditworthiness check: The purpose of processing is to verify the identity of the data subject if this is necessary for the respective process and/or to check the creditworthiness and/or solvency of a prospective customer or contractual partner.
  • Information security: This includes processing procedures that serve to protect against danger and safeguard IT systems as well as to achieve the protection goals of confidentiality, availability and integrity of data, systems and processes (e.g. distinguishing between human access and bot access, detection and defence against malicious access, security-related analysis of the usage of digital products and services).
  • Logistics and vehicle fleet management: This also includes the planning, control and monitoring of our logistics, including external logistics service providers, and the administration of our vehicle fleet, including the fulfilment of legal obligations.
  • User, prospective customer and/or customer support: For example, this includes contact forms, chat systems including chatbots and recall options as well as the general processing of various enquiries (e.g. advice, service, complaints).
  • Human resources and personnel management: This includes all processes for the implementation of employment or processes that are closely related to employment, such as onboarding, personnel administration, the fulfilment of employer obligations, personnel development including training and further education, voluntary employment benefits, personnel planning and controlling, workplace health management, workplace social welfare, employee participation, measures for termination of employment, investigative and disciplinary measures, and offboarding.
  • Project management including collaboration on projects: Coordination and implementation of projects, project planning, project scheduling, information exchange within projects, cooperation within projects.
  • Legislative matters and compliance measures: For example, this includes the assertion, exercise and enforcement of legal claims and procedures for compliance with legal provisions (e.g. in the context of data protection consent management) and for the prevention and/or investigation and prosecution of infringements of the law.
  • Event management: This includes all processes that are necessary for the implementation of offline and online activities and events (e.g. registration, participant management, implementation of the event, processing of personal preferences and requirements, data processing in the context of video conferences and/or instant messaging services), photo, audio and/or video documentation of events and the issuing of participation certificates.
  • Administration: This includes processes that cover basic functions of business operations in particular, such as communication, accounting, invoicing and reporting, documentation and archiving, knowledge and contact management.

Legitimate interests

The following sections list our legitimate interests in accordance with Art. 6 (1), Para. 1 lit. f GDPR as categories to improve comprehensibility and readability. Some of these may overlap with our "purposes" (see also the definitions further above). This lies in the nature of things.
Unless otherwise specified, the specified legitimate interests can be understood as follows:

  • Promotion of sales activities: For example, promotion of our sales by evaluating the demand of our customers, analysing the interests and the purchasing and demand behaviour of our prospective customers, users and/or customers.
  • Promotion of economic interests: For example, measures to reduce costs and make cost savings, to avoid/reduce significant additional costs, to increase revenue in general (in particular through outsourcing to service providers) and to avoid competitive disadvantages.
  • Advertising and image enhancement, market and opinion research: For example, this includes opinion polls, voting, product and/or service ratings and other reviews as well as the integration of these results.
  • Analysis and optimisation of our own service offerings, services and advertising measures: For example, this includes the analysis of the behaviour of users, prospective customers and/or customers to optimise procedures, services and products, the needs-based design of our products, services and marketing measures as well as direct customer contact.
  • Design, operation and availability of digital products: For example, this includes the integration of general functions of websites, apps and other digital products.
  • Operation, integrity and safety of digital products: In particular, defence against service-overloading requests (denial of service attacks) or excessive use of bots to destabilise a platform, IT security measures such as the storage of log files and, in particular, IP addresses for a prolonged period of time in order to detect and prevent misuse, even beyond the extent required by law.
  • Direct marketing (personalised marketing): In particular, direct contact with prospective customers and customers, which is not based on consent, such as product recommendations based on previous demand behaviour, including the processing of data for the preparation of direct marketing (e.g. customer segmentation, affinity ratings).
  • Integration of desired or necessary functionalities: Integration of functionalities that are of interest to the customer, are activated at the customer's request and/or are necessary for providing the service (e.g. integration of contact options on websites or in apps, or the option for users to save configurations (e.g. selected language)).
  • Assertion, exercise or defence of legal claims: For example, preservation of evidence to clarify the facts in the event of a foreseeable legal dispute.
  • Customer acquisition, customer retention, customer recovery: For example, operation of a customer relationship management (CRM) system for prospective customer and customer support.
  • Freedom of expression, press and media: In particular, processing that was previously covered by what is known as media privilege.
  • Protection of the physical well-being and health of the data subjects concerned 
  • Promotion of legitimate interests within a group of companies: Carrying out organisational, procedural or commercial tasks that come from the collaboration of several affiliated companies (see also the explanations in Recital 48 of the GDPR).
  • Prevention of criminal offences, administrative offences and other actions that may cause harm: In particular, fraud prevention, preventive measures in the context of an internal control system, measures to investigate risks arising from corresponding cases of suspicion or other indications of possible actions that may cause harm to the controller or other persons.
  • Reduction of risks of failure: Identification of economic, technical, procedural or organisational risks for the company that could lead to a total or partial failure of the company, parts of the company or of the company's products or services.
  • Employee support: Integration and implementation of services and activities that are in the interests of employees, such as satisfaction questionnaires, voluntary events and activities, birthday lists, sending greetings cards, etc.
  • Employee retention: Integration or implementation of services and activities to achieve long-term employee loyalty to the employer, such as the promotion of personal development, birthday lists, and the sending of birthday gifts.
  • Other legitimate interests: Where relevant, these interests are explained separately in the respective sections.

Recipient categories

The following section lists the recipient categories that we use in our privacy policy:

  • Banks and other financial service providers
  • Authorities and other public bodies
  • Persons bound by professional confidentiality and their companies/institutions
  • IT service providers (this also includes providers of AI systems (artificial intelligence) where applicable) 
  • Adversaries in legal disputes
  • Group subsidiaries and other affiliated companies
  • Customers and interested customers
  • Suppliers
  • Recruitment agency
  • Platform operators and media
  • Associations, organisations and interest groups
  • Landlords
  • Insurance companies
  • Contractual partners (excluding customers)