1. Definitions

The data protection information of HERMOS AG and HERMOS Schaltanlagen GmbH (hereinafter referred to as HERMOS) is based on the terms used by the European Directive and Regulation Maker when issuing the General Data Protection Regulation (DSGVO). Our data protection information should be easy to read and understand for the public as well as for our customers and business partners. To ensure this, we would like to explain the terms used in advance.

We use the following terms, among others, in this data protection notice:

a) Personal data

Personal data means any information relating to an identified or identifiable natural person (hereinafter “data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

b) Data subject

Data subject means any identified or identifiable natural person whose personal data are processed by the controller.

c) Processing

Processing is any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, filing, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

d) Restriction of processing

Restriction of processing is the marking of stored personal data with the aim of limiting their future processing.

e) Profiling

Profiling is any form of automated processing of personal data which consists in using such personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects relating to that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or change of location.

f) Pseudonymisation

Pseudonymisation is the processing of personal data in such a way that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures which ensure that the personal data are not attributed to an identified or identifiable natural person.

g) Controller or person responsible for processing

The controller or person responsible for processing is the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its designation may be provided for under Union or Member State law.

h) Processors

Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

i) Recipient

A recipient is a natural or legal person, public authority, agency or other body to whom personal data are disclosed, whether or not a third party. However, public authorities that may receive personal data in the context of a specific investigative task under Union or Member State law shall not be considered as recipients.

j) Third

Third party means a natural or legal person, public authority, agency or other body other than the data subject, the controller, the processor and the persons authorised to process the personal data under the direct responsibility of the controller or the processor.

k) Consent

Consent shall mean any freely given specific and informed indication of the data subject’s wishes in the form of a statement or other unambiguous affirmative act by which the data subject signifies his or her agreement to the processing of personal data relating to him or her.

2. Name and address of the persons responsible and of the data protection officers

The persons responsible within the meaning of the DSGVO, other data protection laws applicable in the Member States of the European Union and other provisions of a data protection nature are the:

The controller is the natural or legal person who alone or jointly with others determines the purposes and means of the processing of personal data (e. g. names, E-mail addresses, etc.).

Data Protection Officer:

We have appointed an external data protection officer for our companies.

Dr Marion Herrmann
Datenschutz Symbiose GmbH
Hundingstraße 12
95445 Bayreuth
Germany

E-mail: datenschutz[at]hermos.com

Internal information security officer
We have an internal information security officer for our company.

Alexander Genser
Gartenstraße 19
95490 Mistelgau
Germany
E-mail: iso-hag@hermos.com

3. External hosting

This website is hosted by an external service provider (hoster). The personal data collected on this website is stored on the hoster’s servers. This may include, but is not limited to, IP addresses, contact requests, meta and communication data, contractual data, contact details, names, website accesses and other data generated via a website.

The hosting service provider used is:
TMT GmbH & Co. KG
Nürnberger Str. 42
95448 Bayreuth, Germany

The hoster is used for the purpose of fulfilling the contract with our potential and existing customers (Art. 6, 1b DSGVO) and in the interest of a secure, fast and efficient provision of our online offer by a professional provider (Art. 6, 1f DSGVO).

Our hoster will only process your data insofar as this is necessary for the fulfilment of its service obligations and will follow our instructions with regard to this data. The processing of the data takes place within the EU/ EEC.

Order processing:
To ensure data protection-compliant processing, we have concluded an order processing contract with our hoster.

4. General information on data processing

Data protection

The operators of these pages take the protection of your personal data very seriously. We treat your personal data confidentially and in accordance with the statutory data protection regulations and this data protection notice.

When you use this website, various personal data are collected. Personal data is data that can be used to identify you personally. This privacy notice explains what data we collect and what we use it for. It also explains how and for what purpose this is done.

We would like to point out that data transmission on the Internet (e. g. communication by e-mail) can have security gaps. Complete protection of data against access by third parties is not possible.

Relevant legal bases

In accordance with Art. 13 DSGVO, we inform you of the legal basis for our data processing. If the legal basis is not stated in the data protection information, the following applies: The legal basis for obtaining consent is Art. 6 (1a) and Art. 7 DSGVO, the legal basis for processing for the fulfilment of our services and implementation of contractual measures as well as answering enquiries is Art. 6, 1b) DSGVO, the legal basis for processing for the fulfilment of our legal obligations is Art. 6, 1c) DSGVO, and the legal basis for processing for the protection of our legitimate interests is Art. 6, 1f) DSGVO.

Changes and updates to the data protection notice

We ask you to regularly inform yourself about the content of our data protection declaration. We will adapt the data protection notice as soon as changes in the data processing carried out by us make this necessary. We will inform you as soon as the changes require your cooperation (e. g. consent) or other individual notification.

SSL or TLS encryption

For security reasons and to protect the transmission of confidential content, such as orders or enquiries that you send to us as the site operator, this site uses SSL or TLS encryption. You can recognise an encrypted connection by the fact that the address line of the browser changes from “http://” to “https://” and by the lock symbol in your browser line. If SSL or TLS encryption is activated, the data you transmit to us cannot be read by third parties.

Objection to advertising e-mails

The use of contact data published within the framework of the imprint obligation to send advertising and information material that has not been expressly requested is hereby prohibited. The operators of the pages expressly reserve the right to take legal action in the event of the unsolicited sending of advertising information, such as spam e-mails.

Data deletion

The data processed by us will be deleted or its processing restricted in accordance with Articles 17 and 18 DSGVO. Unless expressly stated within the scope of this data protection notice, the data stored by us will be deleted as soon as it is no longer required for its intended purpose and the deletion does not conflict with any statutory retention obligations. If the data is not deleted because it is required for other and legally permissible purposes, its processing will be restricted. I. e. the data is blocked and not processed for other purposes. This applies, for example, to data that must be retained for reasons of commercial or tax law.

According to legal requirements, storage is carried out in particular for 6 years in accordance with § 257 para. 1 HGB (commercial books, inventories, opening balances, annual financial statements, commercial letters, accounting vouchers, etc.) and for 10 years in accordance with § 147 para. 1 AO (books, records, management reports, accounting vouchers, commercial and business letters, documents relevant for taxation, etc.).

Storage period

The criterion for the duration of the storage of personal data is the respective statutory retention period. After expiry of the period, the corresponding data is routinely deleted if it is no longer required for the fulfilment or initiation of the contract.

5. Cooperation with processors and third parties

If, in the course of our processing, we disclose data to other persons and companies (order processors or third parties), transmit it to them or otherwise grant them access to the data, this will only be done on the basis of a legal permission (e. g. if a transmission of the data to third parties, such as to payment service providers, is necessary for the performance of the contract pursuant to Art. 6 (1b) DSGVO), you have consented, a legal obligation provides for this or on the basis of our legitimate interests (e. g. when using agents, web hosts, etc.).

If we commission third parties with the processing of data on the basis of a so-called “order processing agreement”, this is done on the basis of Art. 28 DSGVO.

Transfers to third countries

If we process data in a third country (i. e. outside the European Union (EU) or the European Economic Area (EEA)) or if this is done in the context of using third-party services or disclosing or transferring data to third parties, this is only done if it is done in order to fulfil our (pre-)contractual obligations, on the basis of your consent, due to a legal obligation or on the basis of our legitimate interests. Subject to legal or contractual permissions, we only process or allow the processing of data in a third country if the special requirements of Art. 44 ff. DSGVO are met. This means that the processing is carried out, for example, on the basis of special guarantees, such as the officially recognised determination of a level of data protection corresponding to the EU or compliance with officially recognised special contractual obligations (so-called “standard contractual clauses”).

6. Your rights as a data subject

a) Right to confirmation

Every data subject shall have the right, granted by the European Directive and the Regulation, to obtain confirmation from the controller as to whether personal data concerning him or her are being processed. If a data subject wishes to exercise this right, he or she may, at any time, contact any employee of the controller.

b) Right to information

Any person concerned by the processing of personal data has the right, granted by the European Directive and Regulation, to obtain from the controller, at any time and free of charge, information about the personal data stored about him or her and a copy of that information. Furthermore, the European Directive and Regulation has granted the data subject access to the following information:

• the purposes of the processing
• the categories of personal data that are processed
• the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular in the case of recipients in third countries or international organisations
• if possible, the planned duration for which the personal data will be stored or, if this is not possible, the criteria for determining this duration
• the existence of a right to obtain the rectification or erasure of personal data concerning them or to obtain the restriction of processing by the controller or a right to object to such processing
• the existence of a right of appeal to a supervisory authority
• if the personal data are not collected from the data subject: All available information on the origin of the data

the existence of automated decision-making, including profiling, pursuant to Article 22(1) and (4) of the GDPR and, at least in these cases, meaningful information about the logic involved and the scope and intended effects of such processing for the data subject

Furthermore, the data subject has the right to be informed whether personal data have been transferred to a third country or to an international organisation. If this is the case, the data subject also has the right to obtain information on the appropriate safeguards in connection with the transfer. If a data subject wishes to exercise this right of access, he or she may contact an employee of the controller at any time.

c) Right of rectification

Any person concerned by the processing of personal data shall have the right granted by the European Directive and the Regulation to obtain the rectification without delay of inaccurate personal data relating to him or her. Furthermore, the data subject has the right to request the completion of incomplete personal data, including by means of a supplementary declaration, taking into account the purposes of the processing. If a data subject wishes to exercise this right of rectification, he or she may, at any time, contact any employee of the controller.

d) Right to erasure (“right to be forgotten”)

Any person concerned by the processing of personal data shall have the right, granted by the European Directive and the Regulation, to obtain from the controller the erasure without delay of personal data concerning him or her, where one of the following grounds applies and insofar as the processing is not necessary:

• The personal data were collected or otherwise processed for purposes for which they are no longer necessary.
• The data subject revokes the consent on which the processing was based pursuant to Article 6(1)(a) of the GDPR or Article 9(2)(a) of the GDPR and there is no other legal basis for the processing.
• The data subject objects to the processing pursuant to Article 21(1) of the GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2) of the GDPR.
• The personal data have been processed unlawfully.
• The deletion of the personal data is necessary for compliance with a legal obligation under Union or Member State law to which the controller is subject.
• The personal data was collected in relation to information society services offered pursuant to Art. 8(1) DSGVO.

If one of the aforementioned reasons applies, and a data subject wishes to arrange for the deletion of personal data stored by HERMOS, he or she may, at any time, contact any employee of the controller. The employee of HERMOS will arrange for the deletion request to be complied with immediately. If the personal data have been made public by HERMOS and our enterprise as the controller is obliged to erase the personal data pursuant to Article 17 (1) of the Data Protection Regulation, HERMOS shall, taking into account the available technology and the cost of implementation, implement reasonable measures, including those of a technical nature, to inform other data controllers which process the published personal data, that the data subject has requested from those other data controllers to erase all links to or copies or replications of the personal data, unless the processing is necessary. The employee of HERMOS will arrange the necessary in individual cases.

e) Right to restriction of processing

Any person concerned by the processing of personal data has the right, granted by the European Directive and the Regulation, to obtain from the controller the restriction of processing where one of the following conditions is met:

• The accuracy of the personal data is contested by the data subject for a period enabling the controller to verify the accuracy of the personal data.
• The processing is unlawful, the data subject objects to the erasure of the personal data and requests instead the restriction of the use of the personal data.
• The controller no longer needs the personal data for the purposes of processing, but the data subject needs it for the establishment, exercise or defence of legal claims.
• The data subject has objected to the processing pursuant to Article 21(1) of the GDPR and it is not yet clear whether the legitimate grounds of the controller override those of the data subject.

If one of the aforementioned conditions is met, and a data subject wishes to request the restriction of personal data stored by HERMOS, he or she may, at any time, contact any employee of the controller. The employee of HERMOS will arrange the restriction of the processing.

f) Right to data portability

Any person concerned by the processing of personal data shall have the right, granted by the European Directive and the Regulation, to receive the personal data concerning him or her, which have been provided by the data subject to a controller, in a structured, commonly used and machine-readable format. The data subject shall also have the right to transmit such data to another controller without hindrance from the controller to whom the personal data have been provided, provided that the processing is based on consent pursuant to Article 6(1)(a) of the GDPR or Article 9(2)(a) of the GDPR or on a contract pursuant to Article 6(1)(b) of the GDPR and the processing is carried out by automated means, unless the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. Furthermore, when exercising the right to data portability pursuant to Article 20(1) of the GDPR, the data subject shall have the right to obtain the direct transfer of personal data from one controller to another controller where technically feasible and provided that this does not adversely affect the rights and freedoms of other persons. In order to assert the right to data portability, the data subject may at any time contact any employee of HERMOS.

g) Right to object

Any person affected by the processing of personal data shall have the right granted by the European Directive and Regulation to object at any time, on grounds relating to his or her particular situation, to the processing of personal data concerning him or her which is carried out on the basis of Article 6(1)(e) or (f) DSGVO. This also applies to profiling based on these provisions. HERMOS shall no longer process the personal data in the event of the objection, unless we can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the assertion, exercise or defence of legal claims. If HERMOS processes personal data for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data processed for such marketing. This also applies to profiling insofar as it is related to such direct marketing. If the data subject objects to HERMOS to the processing for direct marketing purposes, HERMOS will no longer process the personal data for these purposes. In addition, the data subject has the right, on grounds relating to his or her particular situation, to object to processing of personal data concerning him or her which is carried out by HERMOS for scientific or historical research purposes, or for statistical purposes pursuant to Article 89(1) of the Data Protection Regulation, unless such processing is necessary for the performance of a task carried out for reasons of public interest. In order to exercise the right to object, the data subject may directly contact any employee of HERMOS or another employee. The data subject is also free to exercise his/her right to object in relation to the use of information society services, notwithstanding Directive 2002/58/EC, by means of automated procedures using technical specifications.

h) Automated decisions in individual cases including profiling

Any person concerned by the processing of personal data shall have the right, granted by the European Directive and the Regulation, not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her, provided that the decision (1) is not necessary for entering into, or the performance of, a contract between the data subject and the controller, or (2) is authorised by Union or Member State law to which the controller is subject and that such law lays down appropriate measures to safeguard the data subject’s rights and freedoms and legitimate interests, or (3) is made with the data subject’s explicit consent. If the decision (1) is necessary for entering into, or the performance of, a contract between the data subject and the data controller, or (2) it is made with the data subject’s explicit consent, HERMOS shall implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, which include, at least, the right to obtain the data subject’s involvement on the part of the controller, to express his or her point of view and contest the decision. If the data subject wishes to exercise the rights concerning automated decisions, he or she may, at any time, contact any employee of the controller.

i) Right to revoke a data protection consent

Every person affected by the processing of personal data has the right granted by the European Directive and Regulation to withdraw consent to the processing of personal data at any time. If the data subject wishes to exercise the right to withdraw consent, he or she may, at any time, contact any employee of the controller.

j) Right of appeal to the supervisory authority (complaints office)

If you have any complaints, suggestions or questions, please contact our data protection officer. In the event of violations of data protection law, the person concerned has the right to lodge a complaint with a supervisory authority.

Our competent data protection supervisory authority is:
Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
Promenade 18,
91522 Ansbach

Phone: +49 (0) 981 180093-0
E-mail: poststelle@lda.bayern.de

7. Data collection on our website

Server log files

The website of HERMOS collects a series of general data and information every time a data subject or automated system calls up the website. This general data and information is stored in the log files of the server. The following can be recorded:

• the browser types and versions used,
• the operating system used by the accessing system,
• the website from which an accessing system arrives at our website (so-called referrer),
• the sub-websites that are accessed via an accessing system on our website,
• the date and time of access to the website,
• an internet protocol (IP) address,
• the Internet service provider of the accessing system and
• other similar data and information that serve to avert danger in the event of attacks on our information technology systems.

When using these general data and information, HERMOS does not draw any conclusions about the data subject. This information is rather required in order to

• to deliver the contents of our website correctly,
• optimise the content of our website and the advertising for it,
• to ensure the permanent functionality of our information technology systems and the technology of our website, and
• to provide law enforcement authorities with the information necessary for prosecution in the event of a cyber attack.

Therefore, the HERMOS analyzes anonymously collected data and information on one hand for statistical purposes and on the other hand for the purpose of increasing the data protection and data security of our enterprise, and ultimately to ensure an optimal level of protection for the personal data we process. The legal basis for this data processing is therefore the legitimate interest of HERMOS in fulfilling and achieving the purposes described above (Art. 6 (1f) DSGVO). The anonymous data of the server log files are stored separately from any personal data provided by a data subject.

Cookies

The HERMOS website uses cookies. Cookies are text files that are stored on a computer system via an internet browser.

Technically necessary cookies, are stored in accordance with § 25 TTDSG on the basis of Art. 6, 1f DSGVO, unless another legal basis is specified. The website operator has a legitimate interest in storing cookies for the technically error-free and optimised provision of its services.

 

Contact us / Contact form

If you send us enquiries via the contact form, your details from the enquiry form, including the contact details you provide there, will be stored by us for the purpose of processing the enquiry and in the event of follow-up questions. We do not pass on this data without your consent.

The processing of this data is based on Art. 6, 1b DSGVO if your request is related to the performance of a contract or is necessary for the implementation of pre-contractual measures. In all other cases, the processing is based on our legitimate interest in the effective processing of the enquiries addressed to us (Art. 6, 1f DSGVO) or on your consent (Art. 6, 1a DSGVO) if this has been requested.

The data you enter in the contact form will remain with us until you request us to delete it, revoke your consent to store it or the purpose for storing the data no longer applies (e. g. after we have completed processing your enquiry). Mandatory legal provisions – in particular retention periods – remain unaffected.

Request by e-mail, telephone or fax

If you contact us by e-mail, telephone or fax, your enquiry including all resulting personal data (name, enquiry) will be stored and processed by us for the purpose of processing your request. We will not pass on this data without your consent.

The processing of this data is based on Art. 6 (1b) DSGVO if your request is related to the performance of a contract or is necessary for the implementation of pre-contractual measures. In all other cases, the processing is based on our legitimate interest in the effective processing of the enquiries addressed to us (Art. 6, 1f DSGVO) or on your consent (Art. 6, 1a DSGVO) if this has been requested.

The data you send to us via contact requests will remain with us until you request us to delete it, revoke your consent to store it or the purpose for storing the data no longer applies (e. g. after we have completed processing your request). Mandatory statutory provisions – in particular statutory retention periods – remain unaffected.

Registration on this website

You can register on this website to use additional functions on the site. We will only use the data entered for this purpose for the purpose of using the respective offer or service for which you have registered. The mandatory information requested during registration must be provided in full. Otherwise, we will reject the registration.

For important changes, for example in the scope of the offer or in the case of technically necessary changes, we use the e-mail address provided during registration to inform you in this way.

The data entered during registration is processed for the purpose of implementing the user relationship established by registration and, if necessary, for initiating further contracts (Art. 6, 1b DSGVO).

The data collected during registration will be stored by us for as long as you are registered on this website and will then be deleted. Legal retention periods remain unaffected.

Raffles

In the case of competitions, personal data is also only collected to the extent necessary. In order to be able to participate in our raffle, we need your e-mail address and your postal address in order to be able to notify you in the event of a win or to send you the prize. If you win the main prize, we will usually publish a photo with your name, place and the prize. Other winners will be indicated with their title, first letter of their first name and place of residence. By participating in the competition, you agree to the storage of this data. The legal basis for this is Art. 6, 1b DSGVO (processing for the implementation of the competition) and, in the case of the participant’s consent, Art. 6, 1a DSGVO. You can revoke your consent to the processing of your data at any time. For this purpose, an informal communication by e-mail to us is sufficient. The legality of the data processing operations carried out until the revocation remains unaffected by the revocation. The data you entered in the contact form will remain with us until you request us to delete it, revoke your consent to store it or the purpose for storing the data no longer applies (e. g. after a competition has been completed). Mandatory legal provisions – in particular retention periods – remain unaffected.

Processing data (customer and contract data)

We collect, process and use personal data only insofar as they are necessary for the establishment, content or amendment of the legal relationship (inventory data). This is done on the basis of Art. 6 (1b) DSGVO, which permits the processing of data for the fulfilment of a contract or pre-contractual measures. We collect, process and use personal data about the use of our internet pages (usage data) only insofar as this is necessary to enable the user to use the service or to bill the user.

The collected customer data will be deleted after completion of the order or termination of the business relationship. Statutory retention periods remain unaffected.

8. Analysis tools and advertising

WP Statistics

This website uses the WP Statistics analysis tool to statistically evaluate visitor traffic. Provider is Veronalabs, ARENCO Tower, 27th Floor, Dubai Media City, Dubai, Dubai 23816, UAE (https://veronalabs.com).

WP Statistics allows us to analyse the use of our website. WP Statistics collects log files (referrer, browser used, user origin (country), search engine used) and actions that website visitors have taken on the page (e. g. clicks and views).

IP address

When using WP Statistics, we do not store the IP address. Recorded IP addresses are stored anonymously as hash values and can no longer be assigned.

The data collected with WP Statistics is stored exclusively on our own server.

The use of this analysis tool is based on Art. 6, 1f DSGVO. We have a legitimate interest in the anonymised analysis of user behaviour in order to optimise both our website and our advertising.

Wordfence

We have integrated Wordfence on this website. The provider is Defiant Inc, Defiant, Inc, 800 5th Ave Ste 4100, Seattle, WA 98104, USA (hereinafter “Wordfence”).

Wordfence is used to protect our website from unwanted access or malicious cyberattacks. For this purpose, our website establishes a permanent connection to Wordfence’s servers so that Wordfence can check its databases against the accesses made to our website and block them if necessary.

The use of Wordfence is based on Art. 6, 1f and 1b DSGVO. The website operator has a legitimate interest in protecting its website as effectively as possible against cyberattacks. This protection also prevents attacks on the visitors to our website and therefore acts as a support for the implementation of pre-contractual measures and protection obligations.

Data transfer to the USA is based on the standard contractual clauses of the EU Commission. Details can be found here: https://www.wordfence.com/help/general-data-protection-regulation/.

9. Subscription to our newsletter

On the website of HERMOS, users are given the opportunity to subscribe to our enterprise’s newsletter. The personal data transmitted to the controller when the newsletter is ordered is specified in the input mask used for this purpose.

The processing of this personal data is based on your consent pursuant to Art. 6 (1a) DSGVO.

HERMOS informs its customers and business partners at regular intervals by means of a newsletter about offers of the company. The newsletter of our company can basically only be received by the data subject if

(1) the data subject has a valid e-mail address and
(2) the data subject registers for the newsletter mailing.

For legal reasons, a confirmation email is sent to the email address entered by a data subject for the first time for the newsletter dispatch using the double opt-in procedure. This confirmation email serves to check whether the owner of the email address as the data subject has authorised receipt of the newsletter.

When registering for the newsletter, we also store the IP address of the computer system used by the data subject at the time of registration as well as the date and time of registration, which is assigned by the Internet service provider (ISP). The collection of this data is necessary in order to be able to trace the (possible) misuse of the e-mail address of a data subject at a later point in time and therefore serves as a legal safeguard for the controller.

The personal data collected in the context of a registration for the newsletter is used exclusively for sending our newsletter. Furthermore, subscribers to the newsletter could be informed by e-mail if this is necessary for the operation of the newsletter service or a related registration, as could be the case in the event of changes to the newsletter offer or changes in the technical circumstances.

The subscription to our newsletter can be cancelled by the data subject at any time. The consent to the storage of personal data, which the data subject has given us for the newsletter dispatch, can be revoked at any time. For the purpose of revoking consent, a corresponding link can be found in each newsletter. Furthermore, it is also possible to unsubscribe from the newsletter mailing directly on the website of the controller at any time or to inform the controller of this in another way.

10. Handling of applicant data

We offer you the opportunity to apply to us (e. g. by e-mail, post or via online application form). In the following, we inform you about the scope, purpose and use of your personal data collected as part of the application process. We assure you that the collection, processing and use of your data will be carried out in accordance with applicable data protection law and all other legal provisions and that your data will be treated in strict confidence.

a) Scope and purpose of the data collection

If you send us an application, we process your associated personal data (e. g. contact and communication data, application documents, notes in the context of job interviews, etc.) insofar as this is necessary to decide on the establishment of an employment relationship. The legal basis for this is § 26 BDSG according to German law (initiation of an employment relationship) in conjunction with Art. 6, 1b) DSGVO (general contract initiation) and – if you have given your consent – Art. 6, 1a) DSGVO. The consent can be revoked at any time. Your personal data will only be passed on within our company to persons who are involved in processing your application.

If the application is successful, the data submitted by you will be stored in our data processing systems on the basis of Section 26 BDSG-neu and Article 6 (1b) DSGVO for the purpose of implementing the employment relationship.

b) Retention period of the data

If we are unable to make you a job offer, if you reject a job offer or withdraw your application, we reserve the right to retain the data you have provided on the basis of our legitimate interests (Art. 6, 1f) DSGVO) for up to 6 months from the end of the application process (rejection or withdrawal of the application). The data will then be deleted and the physical application documents destroyed. This storage serves in particular as evidence in the event of a legal dispute. If it is evident that the data will be required after the 6-month period has expired (e. g. due to an impending or pending legal dispute), the data will only be deleted when the purpose for continued storage no longer applies.

Longer storage may also take place if you have given your consent (Art. 6, 1a) DSGVO) or if legal storage obligations prevent deletion.

c) Inclusion in the applicant pool

If we do not make you a job offer, it may be possible to include you in our applicant pool. In the event of inclusion, all documents and details from the application will be transferred to the applicant pool in order to contact you in the event of suitable vacancies.

Inclusion in the applicant pool takes place exclusively on the basis of your express consent (Art. 6, 1a) DSGVO). Giving your consent is voluntary and is not related to the current application process. The person concerned can revoke his/her consent at any time. In this case, the data will be irrevocably deleted from the applicant pool, unless there are legal reasons for retention.

The data from the applicant pool will be irrevocably deleted no later than two years after consent has been given.

11. Our social media presences

Data processing by social networks

We maintain publicly accessible profiles on social networks. The individual social networks we use can be found below.

Social networks such as Facebook, Twitter, etc. can usually comprehensively analyse your user behaviour when you visit their website or a website with integrated social media content (e. g. like buttons or advertising banners). By visiting our social media presences, numerous data protection-relevant processing operations are triggered. In detail:

If you are logged into your social media account and visit our social media presence, the operator of the social media portal can assign this visit to your user account. However, your personal data may also be collected under certain circumstances if you are not logged in or do not have an account with the respective social media portal. In this case, this data collection takes place, for example, via cookies that are stored on your end device or by recording your IP address.

With the help of the data collected in this way, the operators of the social media portals can create user profiles in which your preferences and interests are stored. In this way, interest-based advertising can be displayed to you inside and outside the respective social media presence. If you have an account with the respective social network, the interest-based advertising can be displayed on all devices on which you are or were logged in.

Please also note that we cannot track all processing operations on the social media portals. Depending on the provider, further processing procedures may therefore be carried out by the operators of the social media portals. For details, please refer to the terms of use and data protection provisions of the respective social media portals.

Legal basis

Our social media presences are intended to ensure the most comprehensive presence possible on the internet. This is a legitimate interest within the meaning of Art. 6 (1f) DSGVO. The analysis processes initiated by the social networks may be based on different legal grounds, which are to be stated by the operators of the social networks (e. g. consent within the meaning of Art. 6 (1a) DSGVO).

Responsible person and assertion of rights

If you visit one of our social media sites (e. g. Facebook), we are jointly responsible with the operator of the social media platform for the data processing operations triggered during this visit. In principle, you can assert your rights (information, correction, deletion, restriction of processing, data portability and complaint) both against us and against the operator of the respective social media portal (e. g. against Facebook).

Please note that despite the joint responsibility with the social media portal operators, we do not have full influence on the data processing operations of the social media portals. Our options are largely determined by the corporate policy of the respective provider.

Storage period

The data collected directly by us via the social media presence will be deleted from our systems as soon as the purpose for storing it no longer applies, you request us to delete it, revoke your consent to store it or the purpose for storing the data no longer applies. Stored cookies remain on your end device until you delete them. Mandatory legal provisions – in particular retention periods – remain unaffected.

We have no influence on the storage period of your data, which is stored by the operators of the social networks for their own purposes. For details, please contact the operators of the social networks directly (e. g. in their data protection notices, see below).

 

Social networks in detail

Facebook

We have a profile on Facebook. The provider of this service is Facebook Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. According to Facebook, the data collected is also transferred to the USA and other third countries.

We have entered into a Joint Processing Agreement (Controller Addendum) with Facebook. This agreement specifies which data processing operations we or Facebook are responsible for when you visit our Facebook page. You can view this agreement at the following link: https://www.facebook.com/legal/terms/page_controller_addendum.

You can adjust your advertising settings independently in your user account. To do so, click on the following link and log in: https://www.facebook.com/settings?tab=ads.

Data transfer to the USA is based on the standard contractual clauses of the EU Commission. Details can be found here: https://www.facebook.com/legal/EU_data_transfer_addendum and https://de-de.facebook.com/help/566994660333381.

For details, please refer to Facebook’s privacy policy: https://www.facebook.com/about/privacy/.

Instagram

We have a profile on Instagram. The provider is Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA.

Data transfer to the USA is based on the standard contractual clauses of the EU Commission. Details can be found here: www.facebook.com/legal/EU_data_transfer_addendum, help.instagram.com/519522125107875 and en-de.facebook.com/help/566994660333381.

For details of how they handle your personal data, please see Instagram’s privacy notice: help.instagram.com/519522125107875.

XING

We have a profile on XING. The provider is New Work SE, Dammtorstraße 30, 20354 Hamburg, Germany. For details on how they handle your personal data, please refer to XING’s privacy policy: https://privacy.xing.com/de/datenschutzerklaerung.

LinkedIn

We have a profile on LinkedIn. The provider is LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland. LinkedIn uses advertising cookies.

If you would like to deactivate LinkedIn advertising cookies, please use the following link: www.linkedin.com/psettings/guest-controls/retargeting-opt-out.

Data transfer to the USA is based on the standard contractual clauses of the EU Commission. Details can be found here: www.linkedin.com/legal/l/dpa and www.linkedin.com/legal/l/eu-sccs

For details on how they handle your personal data, please refer to LinkedIn’s privacy policy: www.linkedin.com/legal/privacy-policy.

YouTube

We have a profile on YouTube. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. For details on how they handle your personal data, please refer to YouTube’s privacy policy: policies.google.com/privacy.