Data Protection
The following data protection statement, i.e. privacy policy, is intended to inform you about which types of personal data (hereinafter also referred to as “data”) we process, for what purposes and to what extent. This data protection statement applies to all processing of personal data carried out by us, both in the context of providing our services and, in particular, on our websites, in mobile applications and within external online services, such as our social media profiles (hereinafter collectively referred to as “online services”).
The terms used are not gender-specific.
As of 13 February 2020
Entity responsible (so-called “controller”)
RCS Entsorgung GmbH
Capeller Straße 147
59368 Werne
Deutschland
RCS Entsorgung GmbH
Capeller Straße 147
59368 Werne
RCS Plastics GmbH
Capeller Straße 147
59368 Werne
Deutschland
E-mail address: datenschutz(at)rcs-entsorgung.de
Phone: 02389/9826-0
Legal Notice: rcs-entsorgung.de/de/legal-notice
Contact data protection officer
RCS Entsorgung GmbH
Capeller Straße 147
59368 Werne
Deutschland
RCS Entsorgung GmbH
Capeller Straße 147
59368 Werne
RCS Plastics GmbH
Capeller Straße 147
59368 Werne
Deutschland
E-mail address: datenschutz(at)rcs-entsorgung.de
Summary of processing
The following overview summarises the types of data processed and the purpose of such processing, in addition to providing details of the data subjects.
Types of data processed
- Inventory data (e.g. names, addresses).
- Job applicant data (e.g. details relating to the person, postal and contact addresses, documents associated with the application, such as cover letter, CV/résumé, reports/report cards and other information pertaining to the person or qualifications in the context of a specific job opening or any such information that is provided on a voluntary basis).
- Content data (e.g. text input, photographs, videos).
- Contact data (e.g. e-mail, telephone numbers).
- Metadata/communication data (e.g. device details, IP addresses).
- Usage data (e.g. websites visited, interest in content, access times).
- Personal social security data (data subject to provisions regarding confidentiality of social security data (Section 35 SGB I) and processed by entities such as social security institutions, social welfare agencies or benefit offices).
- Location data (data indicating the location of an end user’s device).
Categories of data subjects
- Personnel (e.g. employees, job applicants, former staff members).
- Job applicants.
- Interested parties.
- Communication partners.
- Customers.
- Users (e.g. website visitors, users of online services).
Purpose of processing
- Provision of our online service and usability.
- Visitor action analysis.
- Application procedures (conclusion and potential subsequent implementation as well as potential subsequent termination of an employment relationship).
- Cross-device tracking (cross-device processing of user data for marketing purposes).
- Interest-based and behavioural marketing.
- Contact enquiries and communication.
- Conversion analysis (assessing the effectiveness of marketing measures).
- Profiling (creating user profiles).
- Remarketing.
- Reach analysis (e.g. access statistics, identifying returning visitors).
- Security measures.
- Tracking (e.g. interest-based and behavioural profiling, use of cookies).
- Contractual performance and service.
- Handling of and response to enquiries.
- Target group definition (determination of target groups relevant for marketing purposes or other output of content).
Applicable legal basis
The following section outlines the legal fundamentals of the General Data Protection Regulation (GDPR) that form the basis for the processing of personal data. Please note that in addition to the regulations of the GDPR, national data protection regulations may apply in your or our country of residence and domicile. If, in addition, other specific legal bases are applicable in individual cases, we will inform you of these in the data protection statement.
- Consent (Art. 6 paragraph 1 sentence 1 point (a) GDPR) – The data subject has given consent to the processing of his or her personal data for one or more specific purposes.
- Performance of a contract and requests prior to entering into a contract (Art. 6 paragraph 1 sentence 1 point (b) GDPR) – Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
- Legitimate interests (Art. 6 paragraph 1 sentence 1 (f) GDPR) – Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
- Art. 9 paragraph 1 sentence 1 point (b) GDPR (application procedure as pre-contractual or contractual relationship) (If, in the course of the application procedure, special categories of personal data within the meaning of Art. 9 paragraph 1 GDPR (e.g. health-related data such as status of severe disability or ethnic origin) are requested from applicants so that the controller or the data subject can exercise the rights associated with labour law and social security and social protection law and fulfil his or her obligations in this respect, processing is carried out in accordance with Art. 9 paragraph 2 point (b) GDPR, in the case of protection of essential interests of applicants or other persons according to Art. 9 paragraph 2 point (c) GDPR or for the purposes of health care or occupational medicine, for the assessment of the employee’s working capacity, for medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services pursuant to Art. 9 paragraph 2 point (h) GDPR.
- If the data subject has given explicit consent to the processing of special categories of personal data, the processing of such data is conducted on the basis of Art. 9 paragraph 2 point (a) GDPR.) .
National data protection regulations in Germany: In addition to the data protection provisions set out in the General Data Protection Regulation, specific national regulations on data protection apply in Germany. They include in particular the Federal Act on Protection Against Misuse of Personal Data in Data Processing (Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG)). In particular, the BDSG contains special regulations on the right of access to information, the right of erasure/deletion, the right of objection, the processing of special categories of personal data, processing for other purposes and transmission as well as automated decision-making in individual cases, including profiling. Furthermore, it regulates data processing for purposes of the employment relationship (Section 26 BDSG), in particular with regard to the conclusion, implementation or termination of employment and the consent of employees. Furthermore, state data protection laws of the individual federal states may apply.
Security measures
We take appropriate technical and organisational measures in accordance with legal requirements, taking into account the state of the art, implementation costs and the nature, scope, circumstances and purposes of processing as well as the varying degrees of probability of occurrence and the extent of the threat to the rights and freedoms of natural persons, in order to ensure a level of protection commensurate with the risk.
These measures shall include, in particular, ensuring the confidentiality, integrity and availability of data by controlling physical and electronic access to the data as well as access, input, disclosure, safeguarding of availability and segregation thereof. In addition, we have established procedures to ensure that the rights of data subjects are exercised, that data is deleted and that we are able to respond to any threats to the data. Furthermore, we take the protection of personal data into account as early as the stage of development or selection of hardware, software and processes in accordance with the principle of data protection, through technology design and through data protection-friendly presettings.
Truncation of IP address: If it is possible or not necessary for us to save your IP address, we will shorten or have your IP address shortened (truncation). In the case of IP address truncation, also known as IP masking, the last octet, i.e. the last two numbers of an IP address, is deleted (the IP address in this context is an identifier individually assigned to an Internet connection by the online access provider). The purpose of shortening the IP address is to prevent or make it considerably more difficult to identify a person on the basis of their IP address.
SSL encryption (https): We use SSL encryption to protect your data transmitted via our online service. You can recognise encrypted connections such as these by the prefix https:// in the address line of your browser.
In the course of our processing of personal data, data may be transferred or disclosed to other bodies, companies, legally independent organisational units or persons. The recipients of this data may include, for example, financial institutions in the context of payment transactions, service providers commissioned with the performance of IT-related tasks or providers of services and content integrated into a website. In such cases we observe the legal requirements and in particular conclude appropriate contracts or agreements with the recipients of your data that serve to protect your data.
Data transfer within the organisation: We may transfer or grant access to personal information to other entities within our organisation. If this transfer is for administrative purposes, the transfer of the data is based on our justified entrepreneurial and business interests or is necessary to fulfil our contractual obligations. It may also occur in those cases in which the consent of the person concerned has been given or a legal authorisation exists.
Data processing in third countries
If we process data in a third country (i.e. outside the European Union (EU), the European Economic Area (EEA)) or if the processing takes place in the context of the use of third-party services or the disclosure or transfer of data to other persons, bodies or companies, this is only conducted in accordance with the legal requirements.
Subject to express consent or transfer required by contract or by law, we process or allow the data to be processed only in third countries with a recognised level of data protection, including the US processors certified under the privacy shield, or on the basis of special guarantees, such as contractual obligations through so-called standard protection clauses of the EU Commission, the existence of certifications or binding internal data protection regulations (Art. 44 to 49 GDPR, information page of the EU Commission: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection_de ).
Use of cookies
Cookies are text files that contain data from websites or domains visited by the user; they are stored by a browser on the user’s computer. A cookie is primarily used to store information about a user during or after his visit relating to an online service. The stored information may include, for example, the language settings on a website, the login status, a shopping cart or the location where a video was viewed. The term “cookies” also includes other technologies that perform the same functions as cookies (e.g. when user information is stored using pseudonymous online identifiers, also referred to as “user IDs”)
We distinguish between the following types of cookie and function:
- Temporary cookies (also referred to as session cookies): Temporary cookies are deleted at the latest after a user has left a site and closed his browser.
- Permanent cookies: Permanent cookies remain stored even after closing the browser. For example, the login status can be saved or preferred content can be displayed directly when the user visits a website again. Likewise, details of user interests required for reach analysis or marketing purposes can be stored in such a cookie.
- First-party cookies: First-party cookies are set by us.
- Third-party cookies: Third-party cookies are mainly used by advertisers (so-called third parties) to process user information.
- Essential cookies: Cookies may be absolutely necessary for the operation of a website (e.g. to store logins or other user entries or for security reasons).
- Statistical, marketing and personalisation cookies: Furthermore, cookies are generally also used in the context of reach analysis and when the interests of a user or his behaviour (e.g. viewing certain content, using specific functions, etc.) on individual websites are stored in a user profile. Such profiles are used, for example, to display specific content to users that corresponds to their potential interests. This process is also known as “tracking”, i.e. following the potential interests of users. In those cases in which we use cookies or “tracking” technologies, we will inform you separately in our privacy policy or when you give your consent.
Information on legal bases: The legal basis on which we process your personal data using cookies depends on whether we ask you for your consent. If this is the case and you consent to the use of cookies, the legal basis for processing your data is the consent given. Otherwise, the data processed with the aid of cookies will be processed on the basis of our legitimate interests (e.g. relating to the business operation of our online service and its improvement) or, if the use of cookies is necessary to fulfil our contractual obligations.
General information on withdrawal of consent and objection (opt-out): Depending on whether the processing is based on consent or legal permission, you may at any time withdraw any consent you have given or object to the processing of your data by cookie technologies (collectively referred to as “opt-out”). You can initially declare your objection using the settings of your browser, e.g. by deactivating the use of cookies (although this may also restrict the functionality of our online service). An objection to the use of cookies for online marketing purposes can also be declared by means of a variety of services, especially in the case of tracking, via the websites https://optout.aboutads.info and https://www.youronlinechoices.com/. In addition, you can receive further notices of objection in the context of the information on the service providers and cookies used.
Processing of cookie data based on consent: Before we process data or have data processed in the context of the use of cookies, we ask users for their consent, which can be revoked at any time. Before consent has not been given, cookies are only used in those cases in which they are deemed necessary for the operation of our online service. Their use is based on our interest and the interest of the users in the expected functionality of our online service.
- Processed data types: Usage data (e.g. websites visited, interest in content, access times), metadata/communication data (e.g. device information, IP addresses).
- Data subjects: Users (e.g. website visitors, users of online services).
- Legal basis: Consent (Art. 6 paragraph 1 sentence 1 point (a) GDPR), legitimate interests (Art. 6 paragraph 1 sentence 1 point (f) GDPR).
Contacting us
When contacting us (e.g. via contact form, e-mail, telephone or via social media), the data of the enquiring persons will be processed to the extent necessary to answer the contact enquiries and any requested measures.
Our response to contact enquiries within the scope of contractual or pre-contractual relations is to be seen in the context of the fulfilment of our contractual obligations or for answering (pre-)contractual enquiries and, beyond this, on the basis of the legitimate interest in responding to enquiries.
- Processed data types: Inventory data (e.g. names, addresses), contact data (e.g. e-mail, telephone numbers), content data (e.g. text input, photographs, videos).
- Data subjects: communication partners.
- Purposes of processing: contact requests and communication.
- Legal basis: Contractual performance and pre-contractual enquiries (Art. 6 paragraph 1 sentence 1 point (b) GDPR), legitimate interests (Art. 6 paragraph 1 sentence 1 point (f) GDPR).
Provision of the online service and web hosting
In order to provide our online service securely and efficiently, we use the services of one or more web hosting providers from whose servers (or servers managed by them) the online service can be accessed. For these purposes we may use infrastructure and platform services, computing capacity, storage space and database services as well as security and technical maintenance services.
The data processed as part of the provision of the hosting service may include all information relating to the users of our online service that is generated in the course of use and communication. This regularly includes the IP address, which is necessary to be able to deliver the contents of online services to browsers, and all entries made in the context of our online service or from websites.
Collection of access data and log files: We ourselves (or our web hosting provider) collect data on every access to the server (so-called server log files). Server log files may include the address and name of the web pages and files accessed, date and time of access, data volume transferred, notification of successful access, browser type and version, the user’s operating system, referrer URL (the previously visited page) and, as a rule, IP addresses and the requesting provider.
The server log files can be used on the one hand for security purposes, e.g. to avoid overloading the servers (especially in the case of malicious attacks, so-called DDoS attacks), and on the other hand to ensure the utilisation of the servers and their stability.
- Processed data types: Content data (e.g. text input, photographs, videos), usage data (e.g. websites visited, interest in content, access times), metadata/communication data (e.g. device information, IP addresses).
- Data subjects: Users (e.g. website visitors, users of online services).
- Legal bases: legitimate interests (Art. 6 paragraph 1 sentence 1 point (f) GDPR).
Application procedure
The application procedure requires applicants to provide us with the data necessary for their assessment and selection. Which information is required can be found in the job description or, in the case of online forms, in the information provided therein.
Fundamentally, the required data includes personal information such as name, address, contact details and proof of the qualifications required for a position. On request, we will also be happy to inform you which information is required.
If provided, applicants can send us their applications using an online form. The data are encrypted and transmitted to us according to the state of the art. Applicants can also send us their applications by e-mail. Please note, however, that e-mails are generally not sent in encrypted form via the Internet. As a rule, e-mails are encrypted in transit, but not on the servers from which they are sent and received. We can therefore not assume any responsibility for the transmission route of the application between the sender and the reception on our server.
For the purposes of applicant search, submitting applications and selecting applicants, we may use applicant management or recruitment software and platforms and services of third parties, subject to the legal requirements.
Applicants are welcome to contact us regarding the method of submitting their application or to send us their application by post.
VProcessing of special categories of data: If special categories of personal data within the meaning of Article 9 paragraph 1 GDPR (e.g. health-related data such as status of severe disability or ethnic origin) are requested from applicants in the context of the application procedure so that the controller or the data subject can exercise the rights associated with labour law and social security and social protection law and fulfil his or her obligations in this respect, processing is carried out in accordance with Art. 9 paragraph 2 point (b) GDPR, in the case of protection of essential interests of applicants or other persons according to Art. 9 paragraph 2 point (c) GDPR or for the purposes of health care or occupational medicine, for the assessment of the employee’s working capacity, for medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services pursuant to Art. 9 paragraph 2 point (h) GDPR. If the data subject has given explicit consent to the processing of special categories of personal data, the processing of such data is conducted on the basis of Art. 9 paragraph 2 point (a) GDPR.)
Erasure of data: In the event of a successful application, the data provided by the applicants may be further processed by us for the purposes of employment. By contrast, if the application for a job offer is not successful, applicants’ data will be erased. Applicants’ data is also erased if an application is withdrawn, which applicants are entitled to do at any time. Subject to the justified revocation by applicants, the data will be erased after a period of six months at the latest so that we can answer any follow-up questions about the application and comply with our obligations to provide evidence under the regulations on the equal treatment of applicants. Invoices for any reimbursement of travel expenses will be archived in accordance with tax law requirements.
Admission to a pool of applicants: Admission to a pool of applicants, insofar as this is offered, is based on the provision of consent. Applicants are informed that their consent regarding the inclusion in the talent pool is voluntary, has no influence on the current application procedure, and that they can withdraw their consent at any time in the future.
- Types of data processed: Applicant data (e.g. personal details, postal and contact addresses, the documents belonging to the application and the information contained therein, such as cover letter, CV/résumé, reports/report cards and other information relating to the applicant’s person or qualifications provided by the applicant with regard to a specific job or voluntarily).
- Data subjects: Applicants.
- Purposes of processing: Application procedure (conclusion and potential subsequent implementation and termination of employment).
- Legal bases: Art. 9 paragraph 1 sentence 1 point (b) GDPR (application procedure as pre-contractual or contractual relationship). (If, in the course of the application procedure, special categories of personal data within the meaning of Art. 9 paragraph 1 GDPR (e.g. health-related data such as status of severe disability or ethnic origin) are requested from applicants so that the controller or the data subject can exercise the rights associated with labour law and social security and social protection law and fulfil his or her obligations in this respect, processing is carried out in accordance with Art. 9 paragraph 2 point (b) GDPR, in the case of protection of essential interests of applicants or other persons according to Art. 9 paragraph 2 point (c) GDPR or for the purposes of health care or occupational medicine, for the assessment of the employee’s working capacity, for medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services pursuant to Art. 9 paragraph 2 point (h) GDPR. If the data subject has given explicit consent to the processing of special categories of personal data, the processing of such data is conducted on the basis of Art. 9 paragraph 2 point (a) GDPR.)
Web analysis and optimisation
Web analysis (also known as “reach analysis”) is used to evaluate visitor streams associated with our online service and may include visitor information about behaviour, interests or demographics, such as age or gender, as pseudonymous values. With the help of reach analysis, we can, for example, identify at what time our online service or its functions or contents are most frequently used or invite visitors to use them again. This also helps us understand which areas require optimisation.
In addition to web analysis, we can also use test procedures, e.g. to test and optimise different versions of our online service or its components.
For these purposes, so-called user profiles can be created and stored in a file (so-called “cookie”) or similar procedures with the same purpose can be used. This information may include, for example, content viewed, web pages visited and elements used on those pages as well as technical details such as the browser used, the computer system used and information on usage times. If users have consented to the collection of their location data, this data may also be processed, depending on the provider.
The IP addresses of users are also stored. However, we use an IP masking procedure (i.e., pseudonymisation by means of IP address truncation) to protect the users. In general, in the context of web analysis, A/B testing and optimization, no clear user data (such as e-mail addresses or names) are stored, only pseudonyms. This means that we as well as the providers of the software used do not know the actual identity of the users, but only the information stored in their profiles for the purposes of the respective procedures.
Notes on legal bases: If we ask users for their consent to use third-party providers, the legal basis for processing data is the provision of consent. Otherwise, users’ data will be processed on the basis of our legitimate interests (i.e. interest in efficient, cost-effective and recipient-friendly services). In this context, we would also like to draw your attention to the information on the use of cookies in this privacy policy.
- Processed data types: Usage data (e.g. websites visited, interest in content, access times).
- Data subjects: Users (e.g. website visitors, users of online services).
- Purposes of processing: Reach analysis (e.g. access statistics, recognition of returning visitors), tracking (e.g. interest/behavioural profiling, use of cookies), visitor action evaluation, profiling (creation of user profiles), interest-based and behaviour-based marketing.
- Security measures: IP masking (pseudonymisation of IP address).
- Legal basis: Consent (Art. 6 paragraph 1 sentence 1 point (a) GDPR), legitimate interests (Art. 6 paragraph 1 sentence 1 point (f) GDPR).
Services and service providers used:
- Google Optimize: Use of Google Analytics data for the purpose of improving areas of our online service and better aligning our marketing measures with the potential interests of users; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; website: https://optimize.google.com; privacy policy: https://policies.google.com/privacy; privacy shield (ensuring the level of data protection when processing data in the USA): https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active; right of objection (opt-out): opt-out plugin: https://tools.google.com/dlpage/gaoptout?hl=de, settings for the display of advertisements: https://adssettings.google.com/authenticated.
Online marketing
We process personal data for online marketing purposes, which may include, in particular, the marketing of advertising space or the display of advertising and other content (collectively referred to as “content”) based on the potential interests of users and the measurement of its effectiveness.
For these purposes, so-called user profiles are created and stored in a file (so-called “cookie”) or similar procedures are used, by means of which the user data relevant to the presentation of the aforementioned content are stored. This information may include, for example, the content viewed, web pages visited and online networks used, but also communication partners and technical details such as the browser used, the computer system used and information on usage times. If users have consented to the collection of their location data, this data may also be processed.
The IP addresses of users are also stored. However, we use available IP masking procedures (i.e., pseudonymisation by means of IP address truncation) to protect the users. In general, the online marketing process does not store any clear user data (such as e-mail addresses or names), only pseudonyms. This means that we as well as the providers of the online marketing procedures do not know the actual identity of the users, but only the information stored in their profiles.
As a rule, the information in the profiles is stored in the cookies or by means of similar procedures. These cookies can later be extracted and analysed for the purpose of presenting content on other websites that use the same online marketing procedure; they can also be supplemented with additional data and stored on the server of the online marketing procedure provider.
As an exception, clear data can be assigned to the profiles. This is the case, for example, if the users are members of a social network whose online marketing procedure we use and the network connects the profiles of the users in the aforementioned data. Please note that users can make additional agreements with the providers, e.g. by giving their consent during registration.
As a matter of principle, we only obtain access to summarised information on the performance of our advertisements. However, in the context of so-called conversion measurements, we can check which of our online marketing procedures have led to a so-called conversion, for example, to the conclusion of a contract with us. The conversion measurement is used solely to analyse the performance of our marketing measures.
Unless otherwise stated, we ask you to assume that cookies used are stored for a period of two years.
Notes on legal bases: If we ask users for their consent to use third-party providers, the legal basis for processing data is the provision of consent. Otherwise, users’ data will be processed on the basis of our legitimate interests (i.e. interest in efficient, cost-effective and recipient-friendly services). In this context, we would also like to draw your attention to the information on the use of cookies in this privacy policy.
Definition of target groups with Google Analytics:We use Google Analytics in order to display the ads placed within the advertising services of Google and its partners only to those users who have also shown an interest in our online service or who exhibit certain characteristics (e.g. interests in certain topics or products determined by the websites visited), which we transmit to Google (so-called “remarketing” or “Google Analytics audiences”). With the help of remarketing audiences, we would also like to ensure that our ads match the potential interest of users.
Google Universal Analytics: We use Google Analytics in the form of Universal Analytics (https://support.google.com/analytics/answer/2790010?hl=de&ref_topic=6010376).”Universal Analytics” refers to a Google Analytics method in which user analysis is based on a pseudonymous user ID, thus creating a pseudonymous profile of the user with information from various devices (so-called “cross-device tracking”).
Facebook Pixel: Facebook Pixel is designed to enable Facebook to determine the visitors of our online service as a target group for the presentation of ads (so-called “Facebook ads”). Accordingly, we use Facebook Pixel to display the Facebook ads placed by us only to those users on Facebook and within the services of partners cooperating with Facebook (so-called “Audience Network” https://www.facebook.com/audiencenetwork/ ) who have also shown an interest in our online services or who exhibit certain characteristics (e.g. interest in certain topics or products that can be seen from the websites visited) that we transmit to Facebook (so-called “Custom Audiences”). With the help of Facebook Pixel, we also want to make sure that our Facebook ads match the potential interests of users and are not annoying. Facebook Pixel also allows us to track the effectiveness of Facebook ads for statistical and market research purposes by establishing whether users were redirected to our website after clicking on a Facebook ad (so-called “conversion measurement”).
- Types of data processed: Usage data (e.g. web pages visited, interest in content, access times), metadata/communication data (e.g. device information, IP addresses), location data (data indicating the location of an end user’s device), personal social security data (data subject to provisions regarding confidentiality of social security data (Section 35 SGB I) and processed by entities such as social security institutions, social welfare agencies or benefit offices).
- Purposes of processing: Tracking (e.g. interest/behavioural profiling, use of cookies), remarketing, visitor action evaluation, interest-based and behaviour-based marketing, profiling (creation of user profiles), conversion measurement (measurement of the effectiveness of marketing measures), reach analysis (e.g. access statistics, recognition of recurring visitors), cross-device tracking (cross-device processing of user data for marketing purposes), target group definition (determination of target groups relevant for marketing purposes or other output of content).
- Security measures: IP masking (pseudonymisation of IP address).
- Legal basis: Consent (Art. 6 paragraph 1 sentence 1 point (a) GDPR), legitimate interests (Art. 6 paragraph 1 sentence 1 point (f) GDPR).
- Right of objection (opt-out): We hereby refer to the data protection statements of the respective providers and the possibilities of objection (so-called \”opt-out\”) specified with regard to the providers. If no explicit opt-out option has been specified, it is possible to switch off cookies in the settings of your browser. However, this may restrict the functions of our online service. We therefore recommend the following additional opt-out options, which are offered in summary form for the respective areas: a) Europe:
a) Europe: https://www.youronlinechoices.eu.
b) Canada: https://www.youradchoices.ca/choices.
c) USA: https://www.aboutads.info/choices.
d) Transnational: https://optout.aboutads.info.
Services and service providers used:
- Google Tag Manager: Google Tag Manager is a solution with which we can manage so-called website tags via an interface (and thus integrate e.g. Google Analytics and other Google marketing services into our online service). The Tag Manager itself (which implements the tags) does not process any personal data of the users. With regard to the processing of users’ personal data, please refer to the following information about Google’s services. Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; website: https://marketingplatform.google.com; privacy policy: https://policies.google.com/privacy; privacy shield (ensuring the level of data protection when processing data in the USA): https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active.
- Google Analytics: Online marketing and web analysis; service providers: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; website: https://marketingplatform.google.com/intl/de/about/analytics/; privacy policy: https://policies.google.com/privacy; privacy shield (ensuring the level of data protection when processing data in the USA): https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active; right of objection (opt-out): opt-out plugin: https://tools.google.com/dlpage/gaoptout?hl=de, settings for the display of advertisements: https://adssettings.google.com/authenticated.
- Google Ads and conversion measurement: We use the online marketing service Google Ads to place ads in the Google advertising network (e.g. in search results, in videos, on web pages, etc.) so that they are displayed to users who have a presumed interest in the ads. We also measure the conversion of the ads. However, we are only given information about the anonymous total number of users who clicked on our ad and were redirected to a page with a so-called “conversion tracking tag”. We do not receive any information that can be used to identify users.
- Dienstanbieter: Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; website: https://marketingplatform.google.com; ; privacy policy: https://policies.google.com/privacy; privacy shield (ensuring the level of data protection when processing data in the USA): https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active.
- Facebook-Pixel: Facebook Pixel; service provider: https://www.facebook.com, Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland; parent company: Facebook, 1 Hacker Way, Menlo Park, CA 94025, USA; website: https://www.facebook.com; privacy policy: https://www.facebook.com/about/privacy; privacy shield (ensuring the level of data protection when processing data in the USA): https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active; right of objection (opt-out): https://www.facebook.com/settings?tab=ads.
Social network activities
We maintain an online presence within social networks in order to communicate with the users active in such networks or to offer information about our company.
Please note that user data may be processed outside the European Union. This can result in risks for the users, because the enforcement of users’ rights could be made more difficult. With regard to US providers that are certified under the privacy shield or offer comparable guarantees of a secure level of data protection, we would like to point out that they thereby undertake to comply with the data protection standards of the EU.
Furthermore, user data within social networks is generally processed for market research and advertising purposes. Thus, for example, user profiles can be created on the basis of user behaviour and the resulting interests of the users. The user profiles can in turn be used, for example, to place advertisements within and outside the networks that presumably correspond to the interests of the users. For these purposes, cookies are usually stored on users’ computers, in which the usage behaviour and interests of the users are stored. Furthermore, data may also be stored in the user profiles independently of the devices used by the users (especially if the users are members of the respective platforms and are logged in to them).
For a detailed description of the respective forms of processing and the possibilities of objection (opt-out), we hereby refer to the data protection statements and information provided by the operators of the respective networks.
Also as regards requests for information and the assertion of data subject rights, we would like to point out that these can most effectively be asserted with the providers. Only the providers have access to the data of the users in each case and can directly take appropriate measures and provide information. Should you nevertheless require assistance, you can contact us.
- Processed data types: Inventory data (e.g. names, addresses), contact data (e.g., e-mail, phone numbers), content data (e.g. text input, photographs, videos), usage data (e.g. websites visited, interest in content, access times), metadata/communication data (e.g. device information, IP addresses).
- Data subjects: Users (e.g. website visitors, users of online services).
- Purposes of processing: Contact enquiries and communication, tracking (e.g. interest-based/behavioural profiling, use of cookies), remarketing, reach analysis (e.g. access statistics, recognition of returning visitors).
- Legal bases: legitimate interests (Art. 6 paragraph 1 sentence 1 point (f) GDPR).
Services and service providers used:
- Instagram: social network; service provider: Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA; website: https://www.instagram.com; privacy policy: https://instagram.com/about/legal/privacy.
- Facebook: social network; service provider: Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland; parent company: Facebook, 1 Hacker Way, Menlo Park, CA 94025, USA; website: https://www.facebook.com; privacy policy: https://www.facebook.com/about/privacy; privacy shield (ensuring the level of data protection when processing data in the USA): https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active; right of objections (opt-out): settings for advertisements: https://www.facebook.com/settings?tab=ads; additional information on data protection: agreement on joint processing of personal data on Facebook pages: https://www.facebook.com/legal/terms/page_controller_addendum, privacy notices for Facebook pages: https://www.facebook.com/legal/terms/information_about_page_insights_data.
- YouTube: social network; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; privacy policy: https://policies.google.com/privacy; privacy shield (ensuring the level of data protection when processing data in the USA): https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active; right of objection (opt-out): https://adssettings.google.com/authenticated.
Plugins and embedded functions as well as content
We integrate into our online service both functional and content-related elements that are obtained from the servers of their respective providers (hereinafter referred to as “third-party providers”). These can be, for example, graphics, videos or social media buttons as well as contributions (hereinafter uniformly referred to as “content”).
Such integration always requires that the third-party providers of this content process the IP address of the users, as without the IP address they would not be able to send the content to their browser. The IP address is therefore required to display content or functions. We make every effort to use only such content for which the IP address is used by the respective providers solely for the purpose of delivering content. Third parties may also use so-called pixel tags (invisible graphics, also known as “web beacons”) for statistical or marketing purposes. The “pixel tags” allow information such as visitor traffic on the pages of this website to be evaluated. The pseudonymous information may also be stored in cookies on the user’s device and may contain technical information on the browser and operating system, websites to be referred to, the time of visit and other details on the use of our online service, as well as being linked to such information from other sources.
Notes on legal bases: If we ask users for their consent to use third-party providers, the legal basis for processing data is the provision of consent. Otherwise, users’ data will be processed on the basis of our legitimate interests (i.e. interest in efficient, cost-effective and recipient-friendly services). In this context, we would also like to draw your attention to the information on the use of cookies in this privacy policy.
- Types of data processed: Usage data (e.g. web pages visited, interest in content, access times), metadata/communication data (e.g. device information, IP addresses), inventory data (e.g. names, addresses), contact data (e.g. e-mail, phone numbers), content data (e.g. text input, photographs, videos).
- Data subjects: Users (e.g. website visitors, users of online services).
- Purposes of processing: Provision of our online service and user-friendliness, contractual benefits and service, security measures, administration and response to enquiries.
- Legal basis: Consent (Art. 6 paragraph 1 sentence 1 point (a) GDPR), contractual performance and pre-contractual enquiries (Art. 6 paragraph 1 sentence 1 point (b) GDPR), legitimate interests (Art. 6 paragraph 1 sentence 1 point (f) GDPR).
Services and service providers used:
- YouTube videos: Video content; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; website: https://www.youtube.com; privacy policy: https://policies.google.com/privacy; privacy shield (ensuring the level of data protection when processing data in the USA): https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active; right of objection (opt-out): opt-out plugin: https://tools.google.com/dlpage/gaoptout?hl=de, settings for the display of advertisements: https://adssettings.google.com/authenticated.
Planning, organisation and tools
We use the services, platforms and software of other providers (hereinafter referred to as “third-party providers”) for the purposes of organising, managing, planning and providing our services. When selecting third-party providers and their services, we observe the legal requirements.
In this context, personal data may be processed and stored on the servers of the third-party providers. This may affect various data that we process in accordance with this privacy policy. This data may include, in particular, master data and contact details of users, data on procedures, contracts, other processes and their contents.
If users are referred to the third-party providers or their software or platforms in the course of communication, business or other relations with us, the third-party providers may process usage data and metadata for security purposes, service optimisation or marketing purposes. We therefore request that you observe the data protection notices of the respective third-party providers.
Notes on legal bases: If we ask users for their consent to use third-party providers, the legal basis for processing data is the provision of consent. Furthermore, their use can be a component of our
(pre-)contractual services, provided that the use of third-party providers has been agreed in this context. Otherwise, users’ data will be processed on the basis of our legitimate interests (i.e. interest in efficient, cost-effective and recipient-friendly services). In this context, we would also like to draw your attention to the information on the use of cookies in this privacy policy.
- Processed data types: Inventory data (e.g. names, addresses), contact data (e.g., e-mail, phone numbers), content data (e.g. text input, photographs, videos), usage data (e.g. websites visited, interest in content, access times), metadata/communication data (e.g. device information, IP addresses).
- Data subjects: Communication partners, users (e.g. website visitors, users of online services).
- Legal basis: Consent (Art. 6 paragraph 1 sentence 1 point (a) GDPR), contractual performance and pre-contractual enquiries (Art. 6 paragraph 1 sentence 1 point (b) GDPR), legitimate interests (Art. 6 paragraph 1 sentence 1 point (f) GDPR).
Erasure of data
The data processed by us will be deleted, i.e. erased, in accordance with legal requirements as soon as consent given for processing is withdrawn or other permissions cease to apply (e.g. if the purpose for which the data was processed ceases to apply or if they are not necessary for the purpose).
Unless the data is erased because it is required for other and legally permissible purposes, its processing is limited to these purposes. This means that the data is blocked and not processed for other purposes. This applies, for example, to data that must be retained for reasons of commercial or tax law or that must be stored for the purpose of asserting, exercising or defending legal claims or protecting the rights of another natural or legal person.
Further information on the erasure of personal data can also be provided in the individual privacy policies of this data protection statement.
Amendment and update of the data protection statement
You are kindly requested to inform yourself regularly about the content of our data protection statement. We will adapt the data protection statement as soon as changes in the data processing carried out by us make this necessary. We will inform you as soon as the changes make it necessary for you to take action (e.g. to give your consent) or if any other form of individual notification is needed.
If we provide addresses and contact information of companies and organisations in this privacy policy, please note that the addresses may change over time and please check the information before contacting us.
Rights of data subject
As data subjects, you have various rights under the GDPR, arising in particular from Articles 15 to 18 and 21 GDPR:
- Right to object: You have the right to object, on grounds relating to your particular situation, to the processing of personal data relating to you that is collected pursuant to Article 6 paragraph 1 points (e) or (f) GDPR; this also applies to profiling based on these provisions. If your personal data is processed for the purpose of direct advertising/marketing, you have the right to object at any time to the processing of your personal data for the purpose of such advertising; this also applies to profiling, insofar as it is related to such direct advertising/marketing.
- Right of withdrawal of consent: You have the right to withdraw consent at any time.
- Right of access to information: You have the right to obtain confirmation as to whether or not data in question is being processed and to obtain information on such data, as well as further information and a copy of the data in accordance with legal requirements.
- Right to rectification: You have the right to request the completion of the data concerning you or the correction of incorrect data concerning you in accordance with the law.
- Right of erasure and right to restriction of processing: In accordance with the statutory provisions, you have the right to demand that data concerning you be erased immediately, or alternatively, in accordance with the statutory provisions, to demand that the processing of the data be restricted.
- Right to data portability: You have the right, in accordance with legal requirements, to receive data concerning you which you have provided to us in a structured, common and machine-readable format or to request that it be transferred to another responsible party.
- Complaint to supervisory authority: You also have the right, in accordance with the statutory provisions, to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of suspected infringement, if you believe that the processing of personal data relating to you is in breach of the GDPR.
Definition of specific terms
This section provides an overview of the terms used in this data protection statement. Many of the terms are taken from the law and are defined above all in Art. 4 GDPR. The legal definitions are binding. The following explanations, on the other hand, are primarily intended to help you understand them.
- Conversion tracking: Conversion tracking refers to a procedure that can be used to determine the effectiveness of marketing measures. For this purpose, a cookie is usually stored on the user’s devices within the websites on which the marketing measures are carried out and then retrieved again on the target website. For example, we can use this to track whether the ads we have placed on other websites have been successful.
- Cross-device tracking: Cross-device tracking is a form of tracking in which users’ behavioural and interest-related information is recorded across devices in so-called profiles by assigning the users an online identifier. This allows user information to be analysed for marketing purposes, regardless of the browser or device used (e.g. mobile phones or desktop computers). With the majority of providers, online identification is not linked to clear data, such as names, postal or e-mail addresses.
- IP masking: IP masking is a method in which the last octet, i.e. the last two numbers of an IP address, are deleted so that the IP address can no longer be used to uniquely identify a person. IP masking is therefore a means of pseudonymising processing methods, especially in online marketing.
- Interest-based and behavioural marketing: We speak of interest-based and/or behavioural marketing when the potential interests of users in ads and other content are predetermined as precisely as possible. This is done on the basis of information about their previous behaviour (e.g. visiting and staying on certain websites, buying behaviour or interaction with other users), which is stored in a so-called profile. As a rule, cookies are used for these purposes.
- Conversion measurement: Conversion measurement is a procedure to determine the effectiveness of marketing measures. For this purpose, a cookie is usually stored on the user’s devices within the websites on which the marketing measures are carried out and then retrieved again on the target website. For example, we can track whether the ads we placed on other websites were successful.
- Personal data: Personal data means any information relating to an identified or identifiable natural person (referred to hereinafter as “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. cookie) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- Profiling: Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse, assess or predict aspects concerning that natural person (depending on the type of profiling, this includes information regarding age, gender, location and movement data, interaction with websites and their content, shopping behaviour, social interactions with other people) (e.g. interests in certain content or products, the click behaviour on a website or the location). Cookies and web beacons are often used for profiling purposes.
- Reach analysis: Reach analysis (also known as web analytics) is used to evaluate the flow of visitors to an online service and can include the behaviour or interests of visitors in certain information, such as the content of websites. With the help of reach analysis, website owners can, for example, identify at what time visitors visit their website and what content they are interested in. This enables them to better adapt the content of the website to the needs of their visitors. Pseudonymous cookies and web beacons are often used for reach analysis purposes in order to recognise returning visitors and thus obtain more precise analyses of the use of an online service.
- Remarketing: The term “remarketing” or “retargeting” is used when, for example for advertising purposes, it is noted which products a user was interested in on a website in order to remind the user of these products on other websites, e.g. in advertisements.
- Tracking: One speaks of “tracking” when the behaviour of users can be traced across several online services. As a rule, behavioural and interest-related information regarding the online services used is stored in cookies or on servers of the providers of the tracking technologies (so-called profiling). This information can then be used, for example, to display advertisements to users that are likely to match their interests.
- Controller: Controller refers to the natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data
- Processing: Processing means any operation or set of operations which is performed on personal data or on sets of personal data. The term has a broad meaning and covers practically every handling of data, be it collection, evaluation, storage, transmission or deletion.
- Target group definition: One speaks of target group definition (or “custom audiences”) when target groups are defined for advertising purposes, e.g. insertion of advertisements. For example, based on a user’s interest in certain products or topics on the Internet, it can be inferred that the user is interested in advertisements for similar products or the online shop where the user viewed the products. Lookalike audiences (i.e. similar target groups) refers to those cases in which the content deemed suitable is displayed to users whose profiles or interests presumably correspond to the users for whom the profiles were created. Cookies and web beacons are generally used to create custom audiences and lookalike audiences.