This privacy policy explains the nature, scope, and purpose of the processing of personal data (hereinafter referred to as “data”) in the context of the provision of our services and within our online offering and the associated websites, functions, and content, as well as external online presences, such as our social media profiles (hereinafter collectively referred to as “online offering”). With regard to the terms used, such as “processing” or “controller,” we refer to the definitions in Art. 4 of the General Data Protection Regulation (GDPR).
Quadrium Consulting LTD
13 Tepeleniou Str.
Tepelenio Court, 2nd floor
CY-8010 Paphos
Cyprus
info@quadrium-consulting.com
CY +357 – 26 030 121
– Inventory data (e.g., personal master data, names or addresses).
– Contact details (e.g., email, telephone numbers).
– Content data (e.g., text entries, photographs, videos).
– Usage data (e.g., websites visited, interest in content, access times).
– Meta/communication data (e.g., device information, IP addresses).
– Meta-/Kommunikationsdaten (z.B., Geräte-Informationen, IP-Adressen).
Visitors and users of the online offering (hereinafter we collectively refer to these individuals as “users”).
Providing the online offering, its functions and its content.
Responding to contact requests and communicating with users.
Security measures.
Reach measurement / marketing.
“Personal data” means any information relating to an identified or identifiable natural person (hereinafter the “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. a cookie) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Processing” means any operation or set of operations which is performed on personal data, whether or not by automated means. The term is broad and covers practically any handling of data.
“Pseudonymisation” means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures which ensure that the personal data are not attributed to an identified or identifiable natural person.
“Profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
The “controller” is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
A “processor” is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
In accordance with Article 13 GDPR, we inform you of the legal bases on which we process personal data. For users within the scope of the General Data Protection Regulation (GDPR), i.e. the EU and the EEA, the following applies if the specific legal basis is not stated in this Privacy Policy:
The legal basis for obtaining consent is Article 6(1)(a) and Article 7 GDPR.
The legal basis for processing for the performance of our services, the performance of contractual or pre-contractual measures, and the handling of enquiries is Article 6(1)(b) GDPR.
The legal basis for processing in order to comply with our legal obligations is Article 6(1)(c) GDPR.
If the processing of personal data is necessary in order to protect the vital interests of the data subject or another natural person, the legal basis is Article 6(1)(d) GDPR.
The legal basis for processing that is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller is Article 6(1)(e) GDPR.
The legal basis for processing in order to safeguard our legitimate interests is Article 6(1)(f) GDPR.
Processing of data for purposes other than those for which the data were collected is governed by Article 6(4) GDPR.
The processing of special categories of personal data (within the meaning of Article 9(1) GDPR) is carried out in accordance with Article 9(2) GDPR.
We take appropriate technical and organisational measures, in accordance with legal requirements and taking into account the state of the art, implementation costs, and the nature, scope, context and purposes of processing, as well as the varying likelihood and severity of risks to the rights and freedoms of natural persons, in order to ensure a level of security appropriate to the risk.
These measures include, in particular, safeguarding the confidentiality, integrity and availability of data by controlling physical access to the data, as well as access to the data itself, input, transfer, availability and separation. We have also implemented procedures to ensure the exercise of data subject rights, the deletion of data, and responses to data incidents. In addition, we take the protection of personal data into account as early as the selection and development of hardware, software and procedures, in line with the principles of data protection by design and by default.
If, in the course of our processing, we disclose data to other persons or companies (processors, joint controllers or third parties), transmit such data to them, or otherwise grant them access to the data, this is done only on the basis of a legal permission (for example, where the transfer of data to third parties such as payment service providers is required for contract performance), where users have given their consent, where we are under a legal obligation to do so, or on the basis of our legitimate interests (for example, when we use agents, web hosting providers, etc.).
If we disclose or transmit data to other companies within our group of undertakings, or otherwise grant them access to such data, this is done in particular for administrative purposes as a legitimate interest and, where necessary, on a legal basis that complies with statutory requirements.
If we process data in a third country (i.e. outside the European Union (EU), the European Economic Area (EEA) or the Swiss Confederation), or if this occurs in the context of using services of third parties or disclosing or transferring data to other persons or companies, this will only take place if it is necessary for the performance of our (pre-)contractual obligations, on the basis of your consent, due to a legal obligation, or on the basis of our legitimate interests.
Unless there is explicit consent or a contractually required transfer, we process data – or have data processed – only in third countries that have a recognised level of data protection. This includes U.S. providers that are/were certified under the “Privacy Shield”, or recipients that offer specific safeguards such as standard contractual clauses approved by the EU Commission, existing certifications, or binding corporate rules (Articles 44 to 49 GDPR), Informationsseite der EU-Kommission).
Right of access:
You have the right to request confirmation as to whether personal data concerning you is being processed, and to obtain access to this data, as well as further information and a copy of the data, in accordance with legal requirements.
Right to rectification:
You have the right, in accordance with legal requirements, to request the completion of data concerning you or the correction of inaccurate data concerning you.
Right to erasure and restriction of processing:
You have the right, in accordance with legal requirements, to request that personal data concerning you be deleted without undue delay, or alternatively to request restriction of processing of such data in accordance with legal requirements.
Right to data portability:
You have the right to receive the personal data concerning you which you have provided to us, in a structured, commonly used and machine-readable format, or to request that this data be transmitted to another controller, in accordance with legal requirements.
Right to lodge a complaint with a supervisory authority:
You also have the right, in accordance with legal requirements, to lodge a complaint with the competent data protection supervisory authority.
Sie haben das Recht, erteilte Einwilligungen mit Wirkung für die Zukunft zu widerrufen.
You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you which is carried out on the basis of Article 6 (1) (e) or (f) GDPR, including profiling based on those provisions.
If your personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing; this also applies to profiling insofar as it is related to such direct marketing.
“Cookies” are small files that are stored on users’ devices. Various types of information can be stored within a cookie. A cookie primarily serves to store information relating to a user (or the device on which the cookie is stored) during or after their visit to an online service.
“Session cookies” (also called “transient cookies”) are temporary cookies that are deleted once a user leaves the online service and closes their browser. For example, a shopping cart’s contents in an online shop or a login status can be stored in such a cookie.
“Persistent cookies” remain stored even after the browser is closed. For example, the login status can be retained when users return to a website. User interests may also be stored in such cookies and used for reach measurement or marketing purposes.
“Third-party cookies” are cookies offered by providers other than the controller who operates the online service (otherwise, if it is only that controller’s cookies, they are referred to as “first-party cookies”).
We may use both temporary and persistent cookies and we inform users about this within this Privacy Policy.
Where we ask users for consent to the use of cookies (for example in a cookie consent banner), the legal basis for such processing is Article 6(1)(a) GDPR. Otherwise, the processing of personal data in connection with cookies is based on our legitimate interests (i.e. our interest in the analysis, optimisation and economic operation of our online offering within the meaning of Article 6(1)(f) GDPR), or where the use of cookies is necessary for the performance of our contractual services, Article 6(1)(b) GDPR, or, where cookies are required for the performance of a task carried out in the public interest or in the exercise of official authority, Article 6(1)(e) GDPR.
If users do not want cookies to be stored on their device, they can disable this option in their browser’s system settings. Stored cookies can be deleted in the browser’s system settings. Please note that disabling cookies may result in certain functions of this online offering being limited.
A general objection to the use of cookies for online marketing purposes (in particular tracking) can also be declared via many service providers by using the U.S. page
https://www.aboutads.info/choices/
or the EU page
https://www.youronlinechoices.com/ .
Furthermore, users can prevent cookies from being stored by disabling them in their browser settings. Please note that, if you do so, not all functions of this online offering may be fully available.
We delete personal data in accordance with legal requirements, or we restrict its processing. Unless expressly stated otherwise in this Privacy Policy, data stored by us will be deleted as soon as it is no longer required for its intended purpose and there are no statutory retention obligations preventing deletion.
If the data is not deleted because it is required for other and legally permissible purposes, its processing will be restricted. This means the data will be blocked and not processed for other purposes. This applies, for example, to data that must be retained for commercial or tax law reasons.
Data is deleted after the expiry of statutory warranty obligations and comparable obligations. Where statutory archiving obligations apply, data is deleted after those periods expire. Under applicable commercial, financial, and tax regulations, certain business records (e.g. advisory documentation, contractual information, accounting and tax records) must be retained for a number of years before deletion is permitted.
We kindly ask you to review the content of this Privacy Policy on a regular basis. We will update this Privacy Policy whenever changes in our data processing activities make this necessary. We will inform you if such changes require an action from you (for example, renewed consent) or any other form of individual notification.
We process our clients’ data in the context of our contractual services. These services include, in particular: conceptual and strategic consulting, campaign planning, software and design development / consulting / maintenance, implementation of campaigns and processes / handling, server administration, data analysis / advisory services, and training services.
In doing so, we process master data (e.g. client master data such as names or addresses), contact data (e.g. e-mail addresses, telephone numbers), content data (e.g. text entries, photographs, videos), contract data (e.g. subject matter of the contract, term), payment data (e.g. bank details, payment history), usage data and metadata (e.g. as part of the evaluation and measurement of marketing performance). We generally do not process special categories of personal data unless such data is part of an expressly commissioned processing activity.
Data subjects include our clients, prospects, and their clients, users, website visitors, employees and other third parties. The purpose of processing is to provide contractual services, billing, and customer support. The legal bases for processing are Article 6(1)(b) GDPR (performance of a contract) and Article 6(1)(f) GDPR (analysis, statistics, optimisation, security measures).
We process data that is required to establish and fulfil the contractual services and we indicate where the provision of such data is necessary (if this is not obvious to the data subjects). Disclosure to external parties takes place only where it is required in the context of an engagement. When processing data provided to us as part of an engagement, we act in accordance with the client’s instructions and the legal requirements of commissioned processing pursuant to Article 28 GDPR, and we do not process the data for any purposes other than those defined in the engagement.
We delete the data after expiry of statutory warranty obligations and comparable obligations. We review the necessity of data retention every three years; in the case of statutory archiving obligations, deletion takes place after those retention periods expire (e.g. 6 years under § 257(1) HGB and 10 years under § 147(1) AO under German law). In the case of data provided to us by a client in the course of an engagement, we delete such data in accordance with the contractual instructions, generally after the end of the engagement.
We process the data of our customers, clients and prospects (collectively referred to as “customers”) in accordance with Article 6(1)(b) GDPR in order to provide our contractual or pre-contractual services to them. The type of data processed, the nature, scope and purpose of processing, and the necessity of such processing are determined by the underlying mandate. This generally includes inventory and master data of the customers (name, address, etc.), as well as contact details (e-mail address, telephone number, etc.), contract data (content of the assignment, fees, terms, details regarding the intermediated companies / insurers / services), and payment data (commissions, payment history, etc.). We may also process information about the characteristics and circumstances of persons or objects belonging to them, where this is part of the assignment. This may include, for example, information on personal living circumstances or on movable or immovable assets.
In the course of our engagement, it may also be necessary for us to process special categories of personal data within the meaning of Article 9(1) GDPR, in particular information about a person’s health. Where required, we obtain the customer’s explicit consent pursuant to Article 6(1)(a), Article 7, and Article 9(2)(a) GDPR.
Where required for the performance of the contract or by law, we disclose or transmit customer data, in the context of coverage requests, contract initiation, conclusion and administration, to providers of the services / objects being placed, insurers, reinsurers, broker pools, technical service providers, other service providers such as cooperating associations, as well as financial service providers, credit institutions and investment companies, and also to social insurance institutions, tax authorities, tax advisers, legal advisers, auditors, insurance ombudsmen, and supervisory authorities such as the German Federal Financial Supervisory Authority (BaFin). We may also engage subcontractors such as sub-brokers. We obtain consent from customers where this is legally required for such disclosure or transfer (which may be the case, for example, when special categories of data under Article 9 GDPR are involved).
Data is deleted after the expiry of statutory warranty and comparable obligations, and we review the necessity of retention every three years. Statutory retention obligations continue to apply. Where legal archiving obligations exist, data is deleted after these periods expire. Under German law, in the insurance and finance sector in particular, advisory documentation must generally be retained for 5 years, broker closing notes for 7 years, and brokerage agreements for 5 years. In commercial and tax law, general business records must typically be retained for 6 years (commercial law) and tax-relevant records for 10 years (tax law).
We process the data of our clients and prospects and other commissioning parties or contractual partners (collectively referred to as “clients”) in accordance with Article 6(1)(b) GDPR in order to provide our contractual or pre-contractual services to them. The type of data processed, the nature, scope and purpose of processing, and the necessity of such processing are determined by the underlying contractual relationship. The data processed generally includes basic and master data of the clients (e.g. name, address, etc.), contact details (e.g. e-mail address, phone number, etc.), contract data (e.g. services used, fees, names of contact persons, etc.) and payment data (e.g. bank details, payment history, etc.).
In the course of providing our services, we may also process special categories of personal data within the meaning of Article 9(1) GDPR, in particular information about a client’s health, and in some cases information relating to sexual life or sexual orientation, ethnic origin, or religious or philosophical beliefs. Where required, we obtain explicit consent pursuant to Article 6(1)(a), Article 7, and Article 9(2)(a) GDPR, and otherwise we process such special categories of data for purposes of health care and preventive care on the basis of Article 9(2)(h) GDPR and § 22(1) no. 1(b) BDSG (German Federal Data Protection Act).
Where required for contract performance or by law, we disclose or transmit client data in the context of communication with other professionals and with third parties who are necessarily or typically involved in performance of the contract, such as billing service providers or comparable service providers, insofar as this serves the provision of our services pursuant to Article 6(1)(b) GDPR, is required by law pursuant to Article 6(1)(c) GDPR, serves our legitimate interests or the legitimate interests of our clients in an efficient and cost-effective provision of care pursuant to Article 6(1)(f) GDPR, or is necessary pursuant to Article 6(1)(d) GDPR in order to protect vital interests of the client or another natural person, or takes place on the basis of consent pursuant to Article 6(1)(a) and Article 7 GDPR.
Data is deleted when it is no longer required for the fulfilment of contractual or statutory duties of care and for handling any warranty or comparable obligations. We review the necessity of retention every three years; statutory retention obligations otherwise apply.
We process the data of our contractual partners and prospects, as well as other commissioning parties, customers, clients or other contractual partners (collectively referred to as “contractual partners”), in accordance with Article 6(1)(b) GDPR in order to provide our contractual or pre-contractual services to them. The type of data processed, the nature, scope and purpose of processing, and the necessity of such processing are determined by the underlying contractual relationship.
The data processed includes the master data of our contractual partners (e.g. names and addresses), contact data (e.g. e-mail addresses and telephone numbers), and contract data (e.g. services used, contract contents, contractual communication, names of contact persons), as well as payment data (e.g. bank details, payment history).
We generally do not process special categories of personal data unless they are part of an expressly commissioned or contractually required processing activity.
We process data that is necessary to establish and fulfil the contractual services, and we indicate where the provision of such data is required (where this is not already obvious). Disclosure to external persons or companies only takes place if it is required in the context of a contract. When processing data provided to us in the context of an engagement, we act in accordance with the commissioning party’s instructions and legal requirements.
In the context of the use of our online services, we may store the IP address and the time of the relevant user action. This storage is based on our legitimate interests, as well as the users’ legitimate interests, in protection against misuse and other unauthorised use. This data is generally not passed on to third parties unless this is necessary to pursue our claims pursuant to Article 6(1)(f) GDPR or there is a legal obligation to do so pursuant to Article 6(1)(c) GDPR.
Data is deleted when it is no longer required for the fulfilment of contractual or statutory duties of care and for handling any warranty or comparable obligations. We review the necessity of retention every three years; statutory retention obligations otherwise apply.
We process data in the context of administrative tasks, the organisation of our business operations, financial accounting, and compliance with legal obligations (e.g. archiving). In doing so, we process the same data that we process in the course of providing our contractual services. The legal bases for processing are Article 6(1)(c) GDPR and Article 6(1)(f) GDPR. The data subjects affected by this processing are customers, prospects, business partners and website visitors. Our interest in processing lies in administration, financial accounting, office organisation and archiving of data, i.e. tasks that serve to maintain our business activities, fulfil our duties and provide our services. Deletion of the data with regard to contractual services and contractual communication follows the rules set out for those processing activities.
In this context, we disclose or transmit data to the tax authorities, consultants such as tax advisers or auditors, and other fee offices and payment service providers.
We also store, on the basis of our legitimate business interests, information relating to suppliers, event organisers and other business partners, e.g. for the purpose of future contact. This data, which is primarily business-related, is generally stored permanently.
In order to run our business economically and to identify market trends and the wishes of contractual partners and users, we analyse the data available to us relating to business transactions, contracts, enquiries, etc. In doing so, we process inventory data, communication data, contract data, payment data, usage data and metadata on the basis of Article 6(1)(f) GDPR. The data subjects include contractual partners, prospects, customers, visitors and users of our online offering.
The analyses are carried out for the purpose of business evaluations, marketing and market research. We may take into account the profiles of registered users together with information such as the services they have used. The analyses help us improve user-friendliness, optimise our offering and improve our business efficiency. These analyses are for our internal use only and are not disclosed externally, unless they are anonymous analyses with aggregated values.
Where these analyses or profiles relate to identifiable individuals, they are deleted or anonymised upon termination of the user relationship; otherwise after two years from the conclusion of the contract. In all other cases, overall business analyses and general trend assessments are produced anonymously wherever possible.
When users contact us (e.g. via contact form, e-mail, telephone or via social media), the information provided by the user is processed for the purpose of handling and responding to the contact request in accordance with Article 6(1)(b) GDPR (in the context of contractual / pre-contractual relationships) and Article 6(1)(f) GDPR (for other enquiries). The information provided by users may be stored in a customer relationship management system (“CRM system”) or comparable request management system.
We delete enquiries when they are no longer required. We review the necessity every two years; statutory archiving obligations also apply.
We use WhatsApp Messenger for communication purposes and ask you to note the following information regarding functionality, encryption, WhatsApp-related risks, the use of metadata within the Meta/Facebook group of companies, and your options to object.
You do not have to use WhatsApp. You can contact us via alternative channels such as telephone or e-mail. Please use the contact options provided to you or those listed on our website. WhatsApp (WhatsApp Inc., WhatsApp Legal, 1601 Willow Road, Menlo Park, California 94025, USA) is a US-based service. This means that data you send via WhatsApp may first be transmitted to WhatsApp in the USA before being forwarded to us.
However, WhatsApp states that it complies with European and Swiss data protection law, including via frameworks such as Privacy Shield:
https://www.privacyshield.gov/participant?id=a2zt0000000TSnwAAG&status=Active
WhatsApp also states that communication content (i.e. the content of your message and attached images) is end-to-end encrypted. This means that message content is not visible, not even to WhatsApp itself. You should always use an up-to-date version of WhatsApp to ensure that message encryption is active.
We inform our communication partners that although WhatsApp cannot read message content, it can learn that and when communication partners are talking to us, as well as technical information about the device used and, depending on device settings, location information (so-called metadata). With the exception of encrypted content, such metadata may be shared within the Meta/Facebook group of companies, in particular for the optimisation and security of services. Unless they have objected, communication partners should also assume that data processed by WhatsApp may be used for marketing purposes or for displaying user-targeted advertising.
If we ask communication partners for consent before communicating with them via WhatsApp, the legal basis for processing their data is Article 6(1)(a) GDPR. Otherwise, if we do not ask for consent and, for example, you contact us on your own initiative, we use WhatsApp in relation to our contractual partners and in the context of contract initiation as a contractual measure pursuant to Article 6(1)(b) GDPR, and in the case of other interested parties and communication partners on the basis of our legitimate interests in fast and efficient communication and in meeting the communication needs of our partners via messenger services pursuant to Article 6(1)(f) GDPR. In urgent cases, processing may also be based on Article 6(1)(d) GDPR in order to protect vital interests.
Further information on the purposes, types and scope of WhatsApp’s data processing, as well as your rights and settings options to protect your privacy, can be found in WhatsApp’s Privacy Policy:
https://www.whatsapp.com/legal
You may object to communication with us via WhatsApp at any time. If you have subscribed to messages from us (so-called “broadcasts”) via WhatsApp, you can remove our number from your contacts and ask us to remove you from our distribution list. In the case of ongoing individual enquiries or conversations, you can ask us to discontinue WhatsApp communication and to delete the conversation content.
In the case of communication via WhatsApp, we delete WhatsApp messages once we can assume that your enquiry has been answered, provided that no statutory retention obligations prevent deletion and no follow-up reference to the previous conversation is expected.
We also point out that we do not transfer your contact details to WhatsApp without your consent (for example by proactively messaging you first).
Finally, for security reasons, we reserve the right not to answer certain enquiries via WhatsApp. This applies, for example, where contractual matters require particular confidentiality or where a response via messenger does not meet formal requirements. In such cases, we will refer you to more appropriate communication channels.
We use Facebook Messenger for communication purposes and ask you to note the following information regarding functionality, encryption, risks associated with Facebook Messenger, the use of metadata within the Meta/Facebook group of companies, and your options to object.
You do not have to use Facebook Messenger. You can contact us via alternative channels such as telephone or e-mail. Please use the contact options provided to you or those listed on our website.
Facebook Messenger is provided by Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. The data entered and otherwise collected during communication may be processed in the USA by Meta Platforms, Inc., 1 Hacker Way, Menlo Park, CA 94025, USA.
Facebook states that it complies with European and Swiss data protection law, including via frameworks such as Privacy Shield:
https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active
Facebook also states that the communication content (i.e. the content of your message and attached images) is not readable by Facebook if end-to-end encryption is enabled, and offers end-to-end encryption for content. This means the content of the messages is not visible, not even to Facebook itself. End-to-end encryption must, however, be activated by you in the Messenger settings under “Secret Conversations”. You should always use an up-to-date version of Facebook Messenger to ensure encryption is active.
We inform our communication partners that, even if encryption is enabled, Facebook may still learn that and when communication partners are talking to us, as well as technical information about the device used and, depending on device settings, location information (so-called metadata). With the exception of encrypted content, such metadata may be shared within the Meta/Facebook group of companies, in particular for the optimisation and security of services. Unless they have objected, communication partners should assume that data processed by Facebook Messenger may be used for marketing purposes or for displaying user-targeted advertising.
If we ask communication partners for consent before communicating with them via Facebook Messenger, the legal basis for processing their data is Article 6(1)(a) GDPR. Otherwise, if we do not ask for consent and, for example, you contact us on your own initiative, we use Facebook Messenger in relation to our contractual partners and in the context of contract initiation as a contractual measure pursuant to Article 6(1)(b) GDPR, and in the case of other interested parties and communication partners on the basis of our legitimate interests in fast and efficient communication and in meeting the communication needs of our partners via messenger services pursuant to Article 6(1)(f) GDPR. In urgent cases, processing may also be based on Article 6(1)(d) GDPR in order to protect vital interests.
Further information on the purposes, types and scope of Facebook’s data processing, as well as your rights and settings options to protect your privacy, can be found in Facebook’s Privacy Policy:
https://www.facebook.com/about/privacy/
You may object to communication with us via Facebook Messenger at any time and ask us to discontinue communication via Messenger and to delete the conversation content. We delete Facebook messages once we can assume that your enquiry has been answered, provided that no statutory retention obligations prevent deletion and no follow-up reference to the previous conversation is expected.
Finally, for security reasons, we reserve the right not to answer certain enquiries via Facebook Messenger. This applies, for example, where contractual matters require particular confidentiality or where a response via Messenger does not meet formal requirements. In such cases, we will refer you to more appropriate communication channels.
The hosting services we use serve to provide the following services: infrastructure and platform services, computing capacity, storage space and database services, e-mail delivery, security services, and technical maintenance services which we use for the purpose of operating this online offering.
In this context, we and/or our hosting provider process inventory data, contact data, content data, contract data, usage data, and meta/communication data relating to customers, prospects and visitors to this online offering, on the basis of our legitimate interests in the efficient and secure provision of this online offering pursuant to Article 6(1)(f) GDPR in conjunction with Article 28 GDPR (conclusion of a data processing agreement).
We, and/or our hosting provider, collect data on the basis of our legitimate interests within the meaning of Article 6(1)(f) GDPR about every access to the server on which this service is hosted (so-called server log files). The access data includes: the name of the website accessed, file accessed, date and time of access, data volume transferred, report of successful retrieval, browser type and version, the user’s operating system, referrer URL (the page visited previously), IP address, and the requesting provider.
Log file information is stored for security reasons (e.g. for the investigation of misuse or fraudulent activity) for a maximum period of 7 days and then deleted. Data which must be retained for evidential purposes is excluded from deletion until the respective incident is finally clarified.
We use Google Analytics, a web analytics service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”). Google uses cookies. The information generated by the cookie about users’ use of the online offering is generally transmitted to a server of Google in the USA and stored there.
Google processes this information on our behalf in order to evaluate the use of our online offering by users, to compile reports on activities within this online offering, and to provide us with other services associated with the use of this online offering and internet usage. Pseudonymous user profiles may be created from the processed data.
We use Google Analytics only with IP anonymisation enabled. This means that the IP address of users is shortened by Google within member states of the European Union or in other states party to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there.
The IP address transmitted by the user’s browser will not be merged with other Google data. Users can prevent the storage of cookies by adjusting their browser software settings accordingly; users can also prevent the collection of data generated by the cookie and related to their use of the online offering, as well as the processing of this data by Google, by downloading and installing the browser plug-in available at:
https://tools.google.com/dlpage/gaoptout?hl=de
Where we ask users for consent (e.g. in the context of a cookie consent banner), the legal basis for this processing is Article 6(1)(a) GDPR. Otherwise, the processing of users’ personal data is based on our legitimate interests (i.e. our interest in the analysis, optimisation and efficient operation of our online offering within the meaning of Article 6(1)(f) GDPR).
Where data is processed in the USA, we note that Google states that it complies with EU data protection requirements, including via mechanisms such as standard contractual clauses approved by the EU Commission.
Further information on Google’s use of data, as well as settings and opt-out options, can be found in Google’s Privacy Policy:
https://policies.google.com/privacy
and in the settings for the display of advertising by Google:
https://adssettings.google.com/authenticated
Personal data relating to Google Analytics is deleted or anonymised after 14 months.
Jetpack (WordPress Stats)
We use the Jetpack plugin (specifically the “WordPress Stats” function), which is a tool for statistical analysis of visitor access, provided by Automattic Inc., 60 29th Street #343, San Francisco, CA 94110, USA. Jetpack uses so-called “cookies”, text files that are stored on your computer and allow an analysis of your use of the website.
The information generated by the cookie about your use of this online offering is stored on a server in the USA. Usage profiles of users may be created from the processed data, although these are used only for analysis and not for advertising purposes. Further information can be found in Automattic’s privacy notices:
https://automattic.com/privacy/
and in Jetpack’s cookie information:
https://jetpack.com/support/cookies/
Where we ask users for consent (e.g. in the context of a cookie consent banner), the legal basis for this processing is Article 6(1)(a) GDPR. Otherwise, the processing of users’ personal data is based on our legitimate interests (i.e. our interest in the analysis, optimisation and efficient operation of our online offering within the meaning of Article 6(1)(f) GDPR).
We maintain online presences within social networks and platforms in order to communicate with customers, prospects and users active there and to inform them about our services.
We point out that users’ data may be processed outside the territory of the European Union. This may pose risks for users because, for example, it could make it more difficult to enforce users’ rights. With respect to US providers that state they comply with EU data protection standards, they have committed to adhering to European data protection requirements.
Furthermore, users’ data is generally processed for market research and advertising purposes. For example, usage profiles may be created from user behaviour and the interests derived from it. These usage profiles can in turn be used to display advertisements to users, both within and outside the platforms, that are presumably aligned with their interests. For these purposes, cookies are usually stored on users’ devices, in which the usage behaviour and interests of users are stored. In addition, such usage profiles may also store data independently of the devices used by a given user (in particular if users are members of the respective platforms and are logged in there).
The processing of users’ personal data is carried out on the basis of our legitimate interests in effectively informing users and communicating with users pursuant to Article 6(1)(f) GDPR. If users are asked by the respective platform providers for consent to the processing described above, the legal basis of the processing is Article 6(1)(a) GDPR in conjunction with Article 7 GDPR.
For detailed information about the respective processing activities and opt-out options, please consult the privacy notices of the respective providers:
Facebook pages / groups (Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland), based on a joint controller agreement for processing of personal data. Privacy Policy:
https://www.facebook.com/about/privacy/
Page Insights information:
https://www.facebook.com/legal/terms/information_about_page_insights_data
Opt-out / Ad settings:
https://www.facebook.com/settings?tab=ads
and
https://www.youronlinechoices.com/
Google / YouTube (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland) – Privacy Policy:
https://policies.google.com/privacy
Opt-out / Ad settings:
https://adssettings.google.com/authenticated
Instagram (Instagram Inc., 1601 Willow Road, Menlo Park, CA 94025, USA) – Privacy / Opt-out:
https://instagram.com/about/legal/privacy/
X / Twitter (Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA) – Privacy Policy:
https://twitter.com/privacy
Opt-out / Personalisation:
https://twitter.com/personalization
Pinterest (Pinterest Inc., 635 High Street, Palo Alto, CA 94301, USA) – Privacy / Opt-out:
https://about.pinterest.com/privacy-policy
LinkedIn (LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland) – Privacy Policy:
https://www.linkedin.com/legal/privacy-policy
Opt-out (ad personalisation):
https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out
Xing (New Work SE, Dammtorstraße 29-32, 20354 Hamburg, Germany) – Privacy / Opt-out:
https://privacy.xing.com/de/datenschutzerklaerung
Wakelet (Wakelet Limited, 76 Quay Street, Manchester, M3 4PR, United Kingdom) – Privacy / Opt-out:
https://wakelet.com/privacy.html
SoundCloud (SoundCloud Limited, Rheinsberger Str. 76/77, 10115 Berlin, Germany) – Privacy / Opt-out:
https://soundcloud.com/pages/privacy
In the case of access requests or the exercise of user rights, we note that such rights can be asserted most effectively with the respective providers. Only the providers have direct access to user data and can take appropriate measures and provide information. If you nevertheless require assistance, you may contact us.
Within our online offering, and on the basis of our legitimate interests (i.e. our interest in the analysis, optimisation and economic operation of our online offering within the meaning of Article 6(1)(f) GDPR), we use content and service offerings from third-party providers in order to integrate their content and services, such as videos or fonts (hereinafter collectively referred to as “content”).
This always requires that the providers of such content perceive users’ IP addresses, since they would not be able to send the content to the user’s browser without the IP address. The IP address is therefore required for the display of this content. We endeavour to use only such content whose respective providers use the IP address solely for the delivery of the content. Third-party providers may also use so-called pixel tags (invisible graphics, also referred to as “web beacons”) for statistical or marketing purposes. Pixel tags can be used to evaluate information such as visitor traffic on the pages of this website. The pseudonymous information may also be stored in cookies on users’ devices and may include, among other things, technical information about the browser and operating system, referring websites, visit time and other information about the use of our online offering, and may also be combined with such information from other sources.
We integrate the fonts (“Google Fonts”) of the provider Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. According to Google, user data is used solely for the purpose of displaying the fonts in the user’s browser. The integration is based on our legitimate interests in a technically secure, maintenance-free and efficient use of fonts, their uniform presentation, and the consideration of possible licensing restrictions for their use. Privacy Policy:
https://www.google.com/policies/privacy/
We integrate the “reCAPTCHA” function for the detection of bots (e.g. input in online forms) of the provider Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Privacy Policy:
https://www.google.com/policies/privacy/
Opt-out / Ad settings:
https://adssettings.google.com/authenticated
We integrate maps provided by the “Google Maps” service of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. The data processed may include, in particular, IP addresses and location data of users, which, however, are not collected without users’ consent (this is typically managed via the settings on their mobile devices). The data may be processed in the USA. Privacy Policy:
https://www.google.com/policies/privacy/
Opt-out / Ad settings:
https://adssettings.google.com/authenticated
We integrate the maps of the “OpenStreetMap” service (https://www.openstreetmap.de), which is offered on the basis of the Open Data Commons Open Database License (ODbL) by the OpenStreetMap Foundation (OSMF). Privacy Policy:
https://wiki.openstreetmap.org/wiki/Privacy_Policy
To our knowledge, user data is used by OpenStreetMap solely for the purpose of displaying the map functions and for temporarily caching the selected settings. The data processed may include, in particular, IP addresses and location data of users, which, however, are not collected without users’ consent (this is typically managed via the settings on their mobile devices).
The data may be processed in the USA. Further information can be found in the privacy policy of OpenStreetMap:
https://wiki.openstreetmap.org/wiki/Privacy_Policy
Generated with the privacy policy generator provided by attorney Dr. Thomas Schwenke.
Newsletter and Contact Forms
When you subscribe to our newsletter or use one of our contact forms, we process the personal data you provide (in particular your first and last name, email address, and any additional voluntary information such as selected areas of interest).
The processing of your data is carried out for the purpose of sending our newsletter, contacting you, and providing company-related and project-related information.
For the distribution and management of our newsletter, we use the service provider Brevo (Brevo GmbH, Sendlinger Straße 7, 80331 Munich, Germany). The data you enter is transmitted to and stored by Brevo. We have concluded a Data Processing Agreement (DPA) with Brevo in accordance with Art. 28 GDPR.
Subscription to our newsletter takes place using the so‑called double opt‑in procedure. This means that after registering, you will receive an email asking you to confirm your subscription. This confirmation is necessary to prevent misuse and to ensure that no one registers using someone else’s email address.
The legal basis for processing your data is your consent pursuant to Art. 6(1)(a) GDPR.
You may withdraw your consent at any time with future effect, for example by using the unsubscribe link provided in each newsletter email or by contacting us directly.