Privacy statement
This privacy policy explains to you the nature, scope and purpose of the processing of personal data (hereinafter referred to as “data”) within our online offering and the websites, functions and content associated with it, as well as external online presences, such as our social media profile (hereinafter collectively referred to as “online offer”). With regard to the terms used, such as “processing” or “responsible person”, we refer to the definitions in Article 4 of the General Data Protection Regulation (GDPR).
Types of data processed:
- Inventory data (e.g. names, addresses)
- contact details (e.g. email, telephone numbers)
- Content data (e.g. text inputs, photographs, videos)
- usage data (e.g. websites visited, interest in content, access times)
- Meta/communication data (e.g. device information, IP addresses)
- Applicant data
Categories of affected persons
Visitors and users of the online offer (hereinafter, we also refer to the persons concerned collectively as “users”).
Purpose of processing
- Provision of the online offer, its functions and content
- Answering contact requests and communicating with users
- Safety measures
- Reach measurement/marketing
Terms used
“Personal data” is any information relating to an identified or identifiable natural person (hereinafter “data subject”); an identifiable natural person is a natural person who can be identified directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. cookie) or to one or more special characteristics that express the physical, physiological, genetic, mental, economic, are the cultural or social identity of that natural person.
“Processing” means any process carried out with or without the aid of automated procedures or any such series of processes in connection with personal data. The term is broad and covers virtually any handling of data.
“Pseudonymization” means the processing of personal data in such a way that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that this additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data is not assigned to an identified or identifiable natural person.
“Profiling” means any type of automated processing of personal data that consists of using this personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects relating to that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, whereabouts or changes of location.
“Responsible person” is the natural or legal person, authority, agency or other body which, alone or together with others, decides on the purposes and means of processing personal data.
“Processor” means a natural or legal person, authority, agency or other body which processes personal data on behalf of the person responsible.
Relevant legal bases
In accordance with Article 13 GDPR, we inform you of the legal basis for our data processing. If the legal basis is not mentioned in the data protection declaration, the following applies: The legal basis for obtaining consent is Art. 6 para. 1 lit. a and Art. 7 GDPR, the legal basis for processing to fulfill our services and carry out contractual measures and answer inquiries is Art. 6 para. 1 lit. b GDPR, the legal basis for processing to fulfill our legal obligations is Art. 6 para. 1 lit. c GDPR, and the legal basis for processing to protect our rights Interests are Art. 6 para. 1 lit. f DSGVO. In the event that vital interests of the data subject or another natural person require the processing of personal data, Art. 6 para. 1 lit. d GDPR serves as the legal basis.
Safety measures
In accordance with Article 32 GDPR, taking into account the state of the art, implementation costs and the nature, scope, circumstances and purposes of processing as well as the different probability of occurrence and severity of the risk to the rights and freedoms of natural persons, we take appropriate technical and organizational measures to ensure a level of protection appropriate to the risk.
The measures include, in particular, ensuring the confidentiality, integrity and availability of data by controlling physical access to the data as well as access to, input, transfer, availability and separation of data. We have also set up procedures that ensure the exercise of data subject rights, deletion of data and response to data risks. Furthermore, we take the protection of personal data into account right from the development or selection of hardware, software and processes, in accordance with the principle of data protection through technology design and through privacy-friendly default settings (Art. 25 GDPR).
Cooperation with contract processors and third parties
If, as part of our processing, we disclose data to other persons and companies (contract processors or third parties), transfer it to them or otherwise grant them access to the data, this is only done on the basis of legal permission (e.g. if a transfer of the data to third parties, such as payment service providers, is necessary in accordance with Art. 6 para. 1 lit. b GDPR), you have given your consent, a legal obligation to do so, or on the basis of our legitimate Interests (e.g. when using agents, web hosts, etc.).
If we commission third parties to process data on the basis of a so-called “order processing contract,” this is done on the basis of Article 28 GDPR.
Transfers to third countries
If we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or this is done as part of the use of third-party services or disclosure or transfer of data to third parties, this is only done if it is done to fulfill our (pre) contractual obligations, on the basis of your consent, on the basis of a legal obligation or on the basis of our legitimate interests. Subject to legal or contractual permits, we process or have the data processed in a third country only if the special requirements of Art. 44 ff. GDPR are met. This means that processing is carried out, for example, on the basis of special guarantees, such as the officially recognized determination of a level of data protection corresponding to the EU (e.g. for the USA through the “Privacy Shield”) or compliance with officially recognized special contractual obligations (so-called “standard contractual clauses”).
Rights of data subjects
You have the right to request confirmation as to whether the relevant data is being processed and for information about this data as well as further information and a copy of the data in accordance with Article 15 GDPR.
They have accordingly. Art. 16 GDPR, the right to request the completion of data concerning you or the correction of incorrect data concerning you.
In accordance with Article 17 GDPR, you have the right to request that the relevant data be deleted immediately or, alternatively, to request that the processing of the data be restricted in accordance with Article 18 GDPR.
You have the right to request that the data concerning you that you have provided to us be received in accordance with Article 20 GDPR and to request that it be transmitted to other responsible persons.
In accordance with Article 77 GDPR, you also have the right to lodge a complaint with the competent supervisory authority.
Right of Withdrawal
You have the right to withdraw your consent in accordance with Article 7 (3) GDPR with effect for the future
Right to object
You can object to the future processing of data concerning you at any time in accordance with Article 21 GDPR. In particular, the objection may be made against processing for direct marketing purposes.
Cookies and right of objection in the case of direct advertising
“Cookies” are small files that are stored on users' computers. Various information can be stored within cookies. A cookie is primarily used to store information about a user (or the device on which the cookie is stored) during or even after their visit to an online offer. Temporary cookies, or “session cookies” or “transient cookies,” are cookies that are deleted after a user leaves an online offer and closes his browser. Such a cookie can store, for example, the content of a shopping cart in an online shop or a login status. Cookies that remain stored even after the browser is closed are referred to as “permanent” or “persistent”. For example, the login status can be saved if users visit it after several days. Such a cookie can also store the interests of users, which are used for audience measurement or marketing purposes. “Third party cookies” are cookies that are offered by providers other than the person responsible for operating the online offer (otherwise, if they are only their cookies, they are referred to as “first-party cookies”).
We can use temporary and permanent cookies and explain this as part of our privacy policy.
If users do not want cookies to be stored on their computer, they are asked to deactivate the corresponding option in their browser's system settings. Saved cookies can be deleted in the browser's system settings. The exclusion of cookies may result in functional restrictions of this online offer.
A general objection to the use of cookies used for online marketing purposes can be made on a variety of services, especially in the case of tracking, via the US site http://www.aboutads.info/choices/ or the EU site http://www.youronlinechoices.com/ be explained. Cookies can also be saved by switching them off in the browser settings. Please note that you may then not be able to use all functions of this online offer.
Deletion of data
The data processed by us will be deleted or restricted in its processing in accordance with Articles 17 and 18 GDPR. Unless expressly stated in this privacy policy, the data stored by us will be deleted as soon as it is no longer required for its purpose and the deletion does not conflict with any legal storage requirements. If the data is not deleted because it is necessary for other and legally permitted purposes, its processing will be restricted. This means that the data is blocked and not processed for other purposes. This applies, for example, to data that must be stored for commercial or tax reasons.
According to legal requirements in Germany, storage takes place in particular for 10 years in accordance with Sections 147 Paragraph 1 AO, 257 Paragraph 1 No. 1 and 4, Paragraph 4 HGB (books, records, accounting documents, documents relevant to taxation, etc.) and 6 years in accordance with Section 257 Paragraph 1 No. 2 and 3, Paragraph 4 HGB (commercial letters).
According to legal requirements in Austria, storage is carried out in particular for 7 years in accordance with Section 132 (1 BAO (accounting documents, receipts/invoices, accounts, receipts, business papers, statement of income and expenditure, etc.), for 22 years in connection with land and for 10 years for documents relating to electronically provided services, telecommunications, radio and television services provided to non-contractors in EU Member States and for which the Mini one-stop shop (MOSS) is used.
agency services
We process our clients' data as part of our contractual services, which include conceptual and strategic consulting, campaign planning, software and design development/consulting or maintenance, implementation of campaigns and processes/handling, server administration, data analysis/consulting services and training services.
In doing so, we process inventory data (e.g., customer master data, such as names or addresses), contact data (e.g., e-mail, telephone numbers), content data (e.g., text entries, photographs, videos), contract data (e.g., contract subject, duration), payment data (e.g., bank details, payment history), usage and metadata (e.g. as part of the evaluation and performance measurement of marketing measures). As a matter of principle, we do not process special categories of personal data, unless these are part of commissioned processing. Those affected include our customers, interested parties and their customers, users, website visitors or employees as well as third parties. The purpose of processing is to provide contract services, billing and our customer service. The legal basis for processing results from Art. 6 para. 1 lit. b DSGVO (contractual services), Art. 6 para. 1 lit. f GDPR (analysis, statistics, optimization, security measures). We process data that is necessary to establish and fulfill the contractual services and point out the need to provide them. Disclosure to external parties only takes place if it is necessary as part of an assignment. When processing the data provided to us as part of an order, we act in accordance with the instructions of the client and the legal requirements of order processing in accordance with Article 28 GDPR and do not process the data for any purposes other than those in accordance with the order.
We delete the data after expiry of legal warranty and comparable obligations. The need to store the data is reviewed every three years; in the case of legal archiving obligations, the deletion takes place after their expiry (6 years, in accordance with § 257 para. 1 HGB, 10 J, in accordance with § 147 para. 1 AO). In the case of data that has been disclosed to us as part of an order by the client, we delete the data in accordance with the requirements of the order, generally after the end of the order.
Contractual services
We process the data of our contractual partners and interested parties as well as other clients, customers, clients or contract partners (uniformly referred to as “contractual partners”) in accordance with Article 6 (1) lit. b. GDPR in order to provide them with our contractual or pre-contractual services. The data processed here, the type, scope and purpose and the necessity of their processing are determined by the underlying contractual relationship.
The processed data includes the master data of our contractual partners (e.g., names and addresses), contact details (e.g. email addresses and telephone numbers) as well as contract data (e.g., services used, contract content, contractual communication, names of contact persons) and payment data (e.g., bank details, payment history).
As a matter of principle, we do not process special categories of personal data, unless these are part of commissioned or contracted processing.
We process data that is necessary to establish and fulfill the contractual services and point out the need to provide them, unless this is obvious to the contractual partners. Disclosure to external persons or companies only takes place if required as part of a contract. When processing the data provided to us as part of an order, we act in accordance with the instructions of the client and legal requirements.
When using our online services, we can save the IP address and the time of the respective user action. The storage is based on our legitimate interests as well as the interests of users in protecting against misuse and other unauthorized use. In principle, this data will not be passed on to third parties unless it is necessary to pursue our claims in accordance with Art. 6 para. 1 lit. f. GDPR or there is a legal obligation to do so in accordance with Art. 6 para. 1 lit. c. GDPR.
The data is deleted when the data is no longer required to fulfill contractual or legal duties of care and to deal with any warranty and comparable obligations, with the need to store the data being reviewed every three years; otherwise, the legal storage obligations apply.
Administration, financial accounting, office organization, contact management
We process data as part of administrative tasks, organization of our operations, financial accounting and compliance with legal obligations, such as archiving. In doing so, we process the same data that we process as part of providing our contractual services. The processing bases are Art. 6 para. 1 lit. c DSGVO, Art. 6 para. 1 lit. f. GDPR. Customers, interested parties, business partners and website visitors are affected by the processing. The purpose and our interest in processing lies in administration, financial accounting, office organization, archiving of data, i.e. tasks that serve to maintain our business activities, perform our tasks and provide our services. The deletion of data with regard to contractual services and contractual communication corresponds to the information provided for these processing activities.
In doing so, we disclose or transfer data to tax authorities, consultants, such as tax advisors or auditors, as well as other fee agencies and payment service providers.
On the basis of our business interests, we also store information about suppliers, organizers and other business partners, e.g. for the purpose of contacting you later. We generally store this mostly company-related data permanently.
Business analyses and market research
In order to operate our business economically, to be able to identify market trends, the wishes of contractual partners and users, we analyse the data available to us on business transactions, contracts, inquiries, etc. We process inventory data, contract data, payment data, usage data, metadata on the basis of Art. 6 para. 1 lit. f. GDPR, with the persons concerned including contractual partners, interested parties, customers, visitors and users of our online offer.
The analyses are carried out for the purpose of business evaluations, marketing and market research. In doing so, we can take into account the profiles of registered users with information, e.g. about the services they use. The analyses help us to increase user-friendliness, optimize our offering and business efficiency. The analyses are for us alone and are not disclosed externally, unless they are anonymous analyses with summarized values.
If these analyses or profiles are personal, they will be deleted or anonymized upon termination by the users, otherwise after two years from the conclusion of the contract. In addition, macroeconomic analyses and general trend regulations are prepared anonymously whenever possible.
Provision of our statutory and business services
We process the data of our members, supporters, interested parties, customers or other persons in accordance with Art. 6 para. 1 lit. b. GDPR, provided that we offer them contractual services or act as part of an existing business relationship, e.g. with members, or are recipients of services and benefits ourselves. In addition, we process the data of data subjects in accordance with Article 6 (1) (f) GDPR on the basis of our legitimate interests, e.g. when it comes to administrative tasks or public relations.
The data processed here, the type, scope and purpose and the necessity of their processing are determined by the underlying contractual relationship. This generally includes inventory and master data of persons (e.g., name, address, etc.), as well as contact details (e.g. email address, telephone, etc.), contract data (e.g., services used, content and information provided, names of contact persons) and, if we offer services or products subject to payment, payment data (e.g., bank details, payment history, etc.).
We delete data that is no longer required to fulfill our statutory and commercial purposes. This is determined in accordance with the respective tasks and contractual relationships. In the case of business processing, we store the data for as long as it may be relevant for the transaction and with regard to any warranty or liability obligations. The need to store the data is reviewed every three years; otherwise, the legal storage obligations apply.
Data protection information in the application process
We process applicant data only for the purpose and as part of the application process in accordance with legal requirements. Applicant data is processed to fulfill our (pre) contractual obligations as part of the application process within the meaning of Art. 6 para. 1 lit. b. GDPR Art. 6 para. 1 lit. f. GDPR insofar as data processing is necessary for us, for example as part of legal proceedings (Section 26 BDSG also applies in Germany).
The application process requires that applicants provide us with the applicant data. If we offer an online form, the necessary applicant data is otherwise derived from the job descriptions and generally includes personal information, postal and contact addresses and the documents associated with the application, such as a cover letter, curriculum vitae and certificates. In addition, applicants can voluntarily provide us with additional information.
By submitting the application to us, applicants agree to the processing of their data for the purposes of the application process in accordance with the type and scope set out in this privacy policy.
Insofar as special categories of personal data within the meaning of Article 9 (1) GDPR are voluntarily provided as part of the application process, their processing is also carried out in accordance with Article 9 (2) lit. b GDPR (e.g. health data, such as status of disabled persons or ethnic origin). Insofar as special categories of personal data within the meaning of Article 9 (1) GDPR are requested from applicants as part of the application process, their processing is also carried out in accordance with Article 9 (2) lit. a GDPR (e.g. health data if this is necessary for the exercise of the profession).
If provided, applicants can submit their applications to us using an online form on our website. The data is transmitted to us in encrypted form in accordance with the state of the art.
Applicants can also send us their applications via email. However, please note that emails are generally not sent in encrypted form and applicants must ensure that they are encrypted themselves. We can therefore assume no responsibility for the transmission of the application between the sender and receipt on our server and therefore recommend using an online form or sending it by post. Because instead of applying via the online form and e-mail, applicants still have the option of sending us their application by post.
In the event of a successful application, the data provided by applicants may be further processed by us for the purposes of the employment relationship. Otherwise, if the application for a job offer is not successful, the applicants' data will be deleted. Applicants' data will also be deleted if an application is withdrawn, which applicants are entitled to do at any time.
Subject to justified revocation by applicants, the deletion will take place after a period of six months so that we can answer any follow-up questions about the application and meet our obligations to provide evidence under the Equal Treatment Act. Invoices for any travel expenses reimbursement are archived in accordance with tax requirements.
contacting
When contacting us (e.g. via contact form, e-mail, telephone or via social media), the user's information is processed to process the contact request and process it in accordance with Art. 6 para. 1 lit. b) GDPR. User information can be stored in a customer relationship management system (“CRM system”) or comparable request organization.
We delete the requests if they are no longer required. We review the requirement every two years; the legal archiving obligations also apply.
hosting
The hosting services we use are intended to provide the following services: infrastructure and platform services, computing capacity, storage space and database services, security services and technical maintenance services that we use for the purpose of operating this online offer.
In doing so, we or our hosting provider process inventory data, contact data, content data, contract data, usage data, meta and communication data from customers, interested parties and visitors to this online offer on the basis of our legitimate interests in the efficient and secure provision of this online offer in accordance with Art. 6 para. 1 lit. f GDPR in conjunction with Art. 28 GDPR (conclusion of order processing agreement).
Collection of access data and log files
We, or our hosting provider, collect data on every access to the server on which this service is located (so-called server log files) on the basis of our legitimate interests within the meaning of Art. 6 para. 1 lit. f. GDPR. The access data includes the name of the retrieved website, file, date and time of retrieval, amount of data transferred, message of successful retrieval, browser type and version, the user's operating system, referrer URL (the previously visited page), IP address and the requesting provider.
Log file information is stored for a maximum of 7 days for security reasons (e.g. to investigate abusive or fraudulent acts) and then deleted. Data whose further storage is necessary for evidentiary purposes is excluded from deletion until the respective incident has been finally clarified.
Using web analysis tools
(1) Since data protection is important to us, refrain from using invasive web tracking tools such as Google Analytics.
(2) In order to understand the use of our website and to improve it, we use the web analysis tool Plausible Analytics. Plausible does not set cookies, does not store any information in the browser, and does not collect any personal data in general. Here you can find more information about Plausible and the Data protection of this tool. Service provider: OÜ Plausible Insights, Västriku tn 2, Tartu 50403, Estonia; website: https://plausible.io/, privacy: https://plausible.io/data-policy.
Google AdWords and conversion measurement
We use the services of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, (“Google”) on the basis of our legitimate interests (i.e. interest in the analysis, optimization and economic operation of our online offering within the meaning of Art. 6 para. 1 lit. f. GDPR).
Google is certified under the Privacy Shield Agreement and thus offers a guarantee that it complies with European data protection law (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
We use the Google “AdWords” online marketing process to place ads in the Google advertising network (e.g., in search results, in videos, on websites, etc.) so that they are displayed to users who have a presumed interest in the ads. This allows us to display ads for and within our online offering in a more targeted manner in order to only present users with ads that potentially match their interests. For example, if a user is shown ads for products that they have shown interest in on other online offerings, this is referred to as “remarketing.” For these purposes, when you visit our and other websites on which the Google advertising network is active, Google directly executes a code from Google and integrates so-called (re) marketing tags (invisible graphics or code, also known as “web beacons”) into the website. With their help, an individual cookie, i.e. a small file, is stored on the user's device (comparable technologies can also be used instead of cookies). This file records which websites the user has visited, which content they are interested in and which offers the user has clicked on, as well as technical information about the browser and operating system, referring websites, time of visit and further information on the use of the online offer.
We also receive an individual “conversion cookie”. The information collected using the cookie is used by Google to generate conversion statistics for us. However, we only learn the anonymous total number of users who clicked on our ad and were redirected to a page with a conversion tracking tag. However, we do not receive any information that personally identifies users.
User data is processed pseudonymously as part of the Google advertising network. This means that Google does not store and process the user's name or email address, for example, but processes the relevant data on a cookie-related basis within pseudonymous user profiles. In other words, from Google's point of view, the ads are not managed and displayed for a specifically identified person, but for the cookie owner, regardless of who that cookie owner is. This does not apply if a user has expressly allowed Google to process the data without this pseudonymization. The information collected about users is transmitted to Google and stored on Google's servers in the USA.
For more information on Google's use of data, settings and objection options, please see Google's privacy policy (https://policies.google.com/technologies/ads) and in the settings for displaying advertisements by Google (https://adssettings.google.com/authenticated).
Integration of third-party services and content
On the basis of our legitimate interests (i.e. interest in analyzing, optimizing and operating our online offering within the meaning of Article 6 (1) (f) GDPR), we use content or service offerings from third parties to integrate their content and services, such as videos or fonts (hereinafter uniformly referred to as “content”).
This always requires that the third-party providers of this content recognize the users' IP addresses, as they would not be able to send the content to their browser without the IP address. The IP address is therefore required to display this content. We make every effort to use only content whose respective providers only use the IP address to deliver the content. Third parties can also use so-called pixel tags (invisible graphics, also known as “web beacons”) for statistical or marketing purposes. The “pixel tags” can be used to evaluate information such as visitor traffic on the pages of this website. The pseudonymous information can also be stored in cookies on the user's device and include technical information about the browser and operating system, referring websites, time of visit and other information about the use of our online offer, as well as be linked to such information from other sources.
data protection officer
On the basis of Art. 37 GDPR, Mr. Wolfgang Mengel was appointed as Data Protection Officer (DPO) of 8.2 Consulting AG.
The contact details are:
Da.S advice
Beerentalweg 76, 21077 Hamburg
Phone: (040) 761 01 907
email: W.Mengel@daS-Beratung.de
On the basis of Art. 37 GDPR, Ms. Christina Dittmer was appointed as Data Protection Officer (DPO) of 8.2 Obst & Hamm GmbH.
The contact details are:
Christina Dittmer
8.2 Obst & Hamm GmbH
Brandstwiete 4, 20457 Hamburg
Phone: 040 1812604-15
email: christina.dittmer@8p2.de