Information on data handling in accordance with Art. 13 or 14 GDPR

Information on the handling of personal data

The protection of your private rights and freedoms is important to us; we only use your data for the purposes intended. Since it is important to us that you know at all times to what extent we collect, use and, if necessary, transfer your data to third parties, we will inform you in detail below about the processing of your personal data collected by us or stored by us. When processing personal data, we strictly adhere to the provisions of the EU General Data Protection Regulation (GDPR) and, if applicable, other data protection-relevant provisions.

Name and address of the controller

Cookiebox GmbH
Jörg ter Beek, Arthur Ott, Erich Panihin
Hafenweg 24
48155 Münster
Germany

Phone: +49 251 95 20 37 – 50
E-mail: post@cookiebox.pro
Website: https://www.cookiebox.pro

Name and address of the data protection contact

Martina Brinkmann
Germany

E-mail: post@cortina-consult.de
Website: https://cortina-consult.com

If you have any questions regarding the processing of your personal data, if you wish to exercise your rights as a data subject (such as the right to information, correction, blocking or deletion of data) or if you wish to withdraw your consent, please contact our data protection officer directly.

Rights of data subjects

The EU General Data Protection Regulation (GDPR) provides for extensive rights for data subjects in Chapter III, which we explain to you accordingly below with regard to the processing of your personal data:

  1. Right to information

    This requirement concerns in particular information on the following details of data processing:

    • Processing purposes
    • Data categories
    • Recipients or categories of recipients, if applicable
    • If applicable, the planned storage duration or the criteria for determining this duration.
    • Note on the respective right of correction, deletion, restriction or objection
    • Existence of the right to complain to a supervisory authority
    • If applicable, origin of the data (if not collected from you)
    • If applicable, existence of automated decision-making including profiling, including meaningful information about the logic involved, the scope and the effects to be expected
    • If applicable, (planned) transfer to a third country or international organization

  2. Right to rectification

    We will correct any erroneous data immediately, provided that you inform us of the circumstance accordingly.

  3. Right to erasure (right to be forgotten)

    Provided that the processing is no longer necessary and one of the following conditions is met:

    • Discontinuation of the purpose of processing
    • Withdrawal of their consent and absence of any other legal basis for processing
    • Objection to processing without an important reason to the contrary
    • Unlawful processing
    • Required to fulfill a legal obligation
    • Data collection was carried out in accordance with Art. 8 (1) GDPR

    Within the scope of the deletion request, we will, if necessary, pass on your request to those third parties to whom a transfer of your data had previously taken place.

  4. Right to restriction of processing

    Provided that one of the following conditions is met:

    • You dispute the accuracy of your data (restriction can be made for the duration of the review on our side)
    • In the event of unlawful processing and if the data is not to be deleted, restriction of processing shall take the place of deletion
    • If the processing purposes cease to apply, at the same time you need your data for the assertion, exercise or defense of legal claims
    • After you have lodged an objection pursuant to Art. 21 (1) GDPR and for the duration of the examination as to whether our legitimate reasons outweigh yours.

  5. Right to data portability

    If it is technically possible and does not affect the rights and freedoms of other persons, we will - at your request - transfer your data to another recipient (responsible party).

  6. Right to object

    If we collect or have collected and process personal data from you (on the basis of Art. 6 (1) e or f or Art. 9 (2) a GDPR), you have the right to object to the data processing (including profiling) at any time (with effect for the future). In exceptional cases, the objection may be ineffective, e.g. if we can demonstrate compelling interests worthy of protection for the processing that outweigh your interests or processing serves the assertion, exercise or defense of legal claims. If we process your personal data for the purpose of direct marketing, you have the right to object to such processing at any time. This also applies to profiling, insofar as it is related to such direct advertising. You also have the right to object to processing of your data concerning you which is carried out by us for scientific or historical research purposes or for statistical purposes pursuant to Article 89 (1) GDPR, unless such processing is necessary for the performance of a task carried out in the public interest.

  7. Automated decisions in individual cases including profiling

    If we collect or have collected and process personal data from you, you have the right not to be subject to any decision based solely on automated processing - including profiling - which produces legal effects concerning you or similarly significantly affects you. Exceptions to this requirement apply if the decision is necessary for the conclusion or performance of a contract between you and us or you have expressly consented to the processing. In any case, we will take reasonable steps to safeguard your rights and freedoms and legitimate interests, including at least the right to obtain the intervention of a person on our part, to express our own point of view and to contest the decision.

  8. Right to revoke consent under data protection law

    You have the right to revoke consent to the processing of personal data at any time.

  9. Right to complain to a supervisory authority

    A list of the supervisory authorities responsible in Germany can be found on the website of the Federal Commissioner for Data Protection or at the following link: https://www.bfdi.bund.de/EN/Service/Anschriften/Laender/Laender-node.html.

Data security information

We protect your personal data processed by us against loss, destruction, access, alteration or distribution by unauthorized persons by means of appropriate technical and organizational measures. However, despite regular checks, complete protection against all risks is not possible.

Our legitimate interest

Our legitimate interest, as defined in Article 6 (1) f GDPR, is based on the performance of our business activities in order to maintain our ability to operate and secure the employment of our employees.

General deadlines for data deletion

After the purpose of storage has ceased, the retention periods are generally at least six or ten years. As a rule, data is deleted immediately in accordance with our deletion concept, provided that this does not conflict with any retention obligation, necessity for contract fulfillment or a legitimate interest.

Individual information by type of processing

Depending on the processing, purposes, legal basis and other information may vary; you will find the exact allocation of information in the following chapter.

Customer documentation with Confluence

Purpose of processing: Documentation of the status quo on the respective pillars of the data protection project of the respective customer. Internal coordination and management of sub-tasks.
Legal basis (according to Art. 6 / 9 GDPR):
  • Protection of legitimate interests (Art. 6 para. 1 f)
  • Fulfillment of legal obligations (Art. 6 para. 1 c)
  • Fulfillment of a contract (Art. 6 para. 1 b)
  • Implementation of pre-contractual measures (Art. 6 para. 1 b)
Recipient (if applicable): Atlassian Corporation plc, 341 George Street, Sydney, NSW 2000 Australia
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees): A data transfer to a third country does not take place and is not planned.
If known: Duration of data storage: See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity: Without the relevant data, the fulfillment of the tasks or contracts may not be possible.
Consequences of non-compliance (in case of failure to provide the required data): Without the relevant data, the fulfillment of the tasks or contracts may not be possible.
If applicable, existence of an automated decision-making process: In this context, we do not use automatic decision-making.
If applicable, origin of the data (if not collected directly from the data subject): As a rule, the data originates from the data subject him/herself; however, it may also originate from third parties.
Where applicable, categories of personal data (if not collected directly from the data subject): Personal master data, IT usage data; various
Change of purpose if necessary: none

Task management and helpdesk with Jira

Purpose of processing: Coordination and management of various projects with Jira as helpdesk. Furthermore, Jira is used as a tool for internal communication regarding subtasks.
Legal basis (according to Art. 6 / 9 GDPR):
  • Protection of legitimate interests (Art. 6 para. 1 f)
  • Fulfillment of a contract (Art. 6 para. 1 b)
  • Fulfillment of legal obligations (Art. 6 para. 1 c)
  • Implementation of pre-contractual measures (Art. 6 para. 1 b)
Recipient (if applicable): Atlassian Corporation plc, 341 George Street, Sydney, NSW 2000 Australia
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees): A data transfer to a third country does not take place and is not planned.
If known: Duration of data storage: See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity: Without the relevant data, the fulfillment of the tasks or contracts may not be possible.
Consequences of non-compliance (in case of failure to provide the required data): Without the relevant data, the fulfillment of the tasks or contracts may not be possible.
If applicable, existence of an automated decision-making process: In this context, we do not use automatic decision-making.
If applicable, origin of the data (if not collected directly from the data subject): As a rule, the data originates from the data subject him/herself; however, it may also originate from third parties.
Where applicable, categories of personal data (if not collected directly from the data subject): Personal master data, IT usage data; various
Change of purpose if necessary: none

General network protection

Purpose of processing: Protection against unauthorized access and attacks as well as protection against electronic bulk mail and unwanted data inflow and outflow (DLP). Firewall / Antivirus / Spam Filter / Endpoint Security
Legal basis (according to Art. 6 / 9 GDPR):
  • Protection of legitimate interests (Art. 6 para. 1 f)
  • Fulfillment of legal obligations (Art. 6 para. 1 c)
Recipient (if applicable): IT service provider (if required)
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees): A data transfer to a third country does not take place and is not planned.
If known: Duration of data storage: See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity: The data already exists and is required to ensure security. The data must be processed for authentication of authorized access to the network.
Consequences of non-compliance (in case of failure to provide the required data): The data already exists and is required to ensure security. The data must be processed for authentication of authorized access to the network.
If applicable, existence of an automated decision-making process: In this context, we do not use automated decision-making.
If applicable, origin of the data (if not collected directly from the data subject): As a rule, the data originates from the data subject him/herself; however, it may also originate from third parties.
Where applicable, categories of personal data (if not collected directly from the data subject): Username, IP addresses, timestamps, email addresses
Change of purpose if necessary: none

Backup

Purpose of processing: Data backup of company data to prevent data loss (encryption Trojans, etc.). Ensuring recovery of company processes in the event of system failures, system errors and emergencies
Legal basis (according to Art. 6 / 9 GDPR):
  • Fulfillment of legal obligations (Art. 6 para. 1 c)
Recipient (if applicable): IT service provider (if required)
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees): A data transfer to a third country does not take place and is not planned.
If known: Duration of data storage: See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity: The personal data has already been collected and is processed to ensure IT security processes.
Consequences of non-compliance (in case of failure to provide the required data): The personal data has already been collected and is processed to ensure IT security processes.
If applicable, existence of an automated decision-making process: In this context, we do not use purely automated decision-making.
If applicable, origin of the data (if not collected directly from the data subject): The data usually originates from the data subject, but may also come from third parties.
Where applicable, categories of personal data (if not collected directly from the data subject): All company data (billing data, address data, bank account/credit card data, credit rating data, date of birth, IT usage data/log data/log files, IP address, interests/preferences, contact data, resume, name/first name/address/title, social security data, contract and contract master data, payment data, timekeeping data, wage/salary data, correspondence; miscellaneous).
Change of purpose if necessary: none

User management

Purpose of processing: Management of user accounts and administrative groups to provide authentication and support for authorization concepts in various systems
Legal basis (according to Art. 6 / 9 GDPR):
  • Protection of legitimate interests (Art. 6 para. 1 f)
  • Fulfillment of legal obligations (Art. 6 para. 1 c)
Recipient (if applicable): IT service provider (if required)
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees): A data transfer to a third country does not take place and is not planned.
If known: Duration of data storage: See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity: The personal data has already been collected and is only managed to ensure IT security processes.
Consequences of non-compliance (in case of failure to provide the required data): The personal data has already been collected and is only managed to ensure IT security processes.
If applicable, existence of an automated decision-making process: In this context, we do not use automated decision-making.
If applicable, origin of the data (if not collected directly from the data subject): The data comes from the data subject himself.
Where applicable, categories of personal data (if not collected directly from the data subject): Surname, first name, e-mail address, telephone number, department affiliation if applicable
Change of purpose if necessary: none

Access control

Purpose of processing: Access restrictions according to areas of responsibility, implementation of the authorization concept and ensuring the access authorizations of administrators and system users
Legal basis (according to Art. 6 / 9 GDPR):
  • Protection of legitimate interests (Art. 6 para. 1 f)
  • Fulfillment of legal obligations (Art. 6 para. 1 c)
Recipient (if applicable): IT service provider (if required)
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees): A data transfer to a third country does not take place and is not planned.
If known: Duration of data storage: See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity: To ensure only authorized access to company data in accordance with the need-to-know principle, the data subject must be provided with the authorizations required for the activities to be performed.
Consequences of non-compliance (in case of failure to provide the required data): To ensure only authorized access to company data in accordance with the need-to-know principle, the data subject must be provided with the authorizations required for the activities to be performed.
If applicable, existence of an automated decision-making process: In this context, we do not use automated decision-making.
If applicable, origin of the data (if not collected directly from the data subject): The data comes from the data subject himself.
Where applicable, categories of personal data (if not collected directly from the data subject): IT usage data/log data/log files, name/first name/address/title.
Change of purpose if necessary: none

CRM

Purpose of processing: Maintaining customer data and customer relationships; qualifying customers
Legal basis (according to Art. 6 / 9 GDPR):
  • Implementation of pre-contractual measures (Art. 6 para. 1 b)
  • Fulfillment of a contract (Art. 6 para. 1 b)
  • Safeguarding legitimate interests (Art. 6 para. 1 f)
Recipient (if applicable): Hubspot CRM; Operator: HubSpot, Inc., 25 First Street, 2nd Floor, Cambridge, MA 02141, United States of America
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees): Please note that this service may transfer data to a country that does not provide an adequate level of data protection. If the data is transferred to the U.S., there is a risk that your data may be processed by U.S. authorities for control and monitoring purposes, without you possibly having any legal remedies. Below is a list of the countries to which the data will be transferred.
  • United States of America
If known: Duration of data storage: See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity: Without the relevant data, the fulfillment of the tasks or contracts may not be possible.
Consequences of non-compliance (in case of failure to provide the required data): Without the relevant data, the fulfillment of the tasks or contracts may not be possible.
If applicable, existence of an automated decision-making process: In this context, we do not use automated decision-making.
If applicable, origin of the data (if not collected directly from the data subject): As a rule, the data originates from the data subject him/herself; however, it may also originate from third parties.
Where applicable, categories of personal data (if not collected directly from the data subject): Personal master data, communication data, contract master data, customer history, other data if applicable.
Change of purpose if necessary: none

Data exchange portal

Purpose of processing: Use of online solutions for data storage and exchange with suppliers, customers and third parties
Legal basis (according to Art. 6 / 9 GDPR):
  • Protection of legitimate interests (Art. 6 para. 1 f)
Recipient (if applicable): If necessary, there are external recipients depending on the occasion
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees): A data transfer to a third country does not take place and is not planned.
If known: Duration of data storage: See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity: Without the relevant data, it may not be possible to fulfill the tasks or contracts, in particular across spatial distances.
Consequences of non-compliance (in case of failure to provide the required data): Without the relevant data, it may not be possible to fulfill the tasks or contracts, in particular across spatial distances.
If applicable, existence of an automated decision-making process: In this context, we do not use automated decision-making.
If applicable, origin of the data (if not collected directly from the data subject): As a rule, the data originates from the data subject him/herself; however, it may also originate from third parties.
Where applicable, categories of personal data (if not collected directly from the data subject): Address data, bank data, contact data, payment data, wage and salary data, contract data, time recording data, correspondence; various
Change of purpose if necessary: none

E-mail archiving

Purpose of processing: Audit-proof archiving of business communication as well as accounting-relevant documents
Legal basis (according to Art. 6 / 9 GDPR):
  • Fulfillment of legal obligations (Art. 6 para. 1 c)
Recipient (if applicable): IT service provider (if required)
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees): A data transfer to a third country does not take place and is not planned.
If known: Duration of data storage: See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity: The personal data has already been collected and is processed to ensure IT security processes and legal requirements.
Consequences of non-compliance (in case of failure to provide the required data): The personal data has already been collected and is processed to ensure IT security processes and legal requirements.
If applicable, existence of an automated decision-making process: In this context, we do not use purely automated decision-making.
If applicable, origin of the data (if not collected directly from the data subject): The data usually originates from the data subject, but may also come from third parties.
Where applicable, categories of personal data (if not collected directly from the data subject): All company data (billing data, address data, bank account/credit card data, credit rating data, date of birth, IT usage data/log data/log files, IP address, interests/preferences, contact data, resume, name/first name/address/title, social security data, contract and contract master data, payment data, timekeeping data, wage/salary data, correspondence; miscellaneous).
Change of purpose if necessary: none

ERP

Purpose of processing: Operation of the enterprise resource planning
Legal basis (according to Art. 6 / 9 GDPR):
  • Fulfillment of legal obligations (Art. 6 para. 1 c)
  • Implementation of pre-contractual measures (Art. 6 para. 1 b)
  • Safeguarding legitimate interests (Art. 6 para. 1 f)
  • Fulfillment of a contract (Art. 6 para. 1 b)
Recipient (if applicable): IT service provider (if required); tax advisor, authorities, if applicable
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees): A data transfer to a third country does not take place and is not planned.
If known: Duration of data storage: See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity: Without the relevant data, the fulfillment of the tasks or contracts may not be possible.
Consequences of non-compliance (in case of failure to provide the required data): Without the relevant data, the fulfillment of the tasks or contracts may not be possible.
If applicable, existence of an automated decision-making process: In this context, we do not use automated decision-making.
If applicable, origin of the data (if not collected directly from the data subject): As a rule, the data originates from the data subject him/herself; however, it may also originate from third parties.
Where applicable, categories of personal data (if not collected directly from the data subject): Personal master data, communication data, customer history, contract billing data, payment data, planning and control data, and other data as required.
Change of purpose if necessary: none

Groupware system

Purpose of processing: Execution of internal and external correspondence including documentation, office communication, especially team / collaboration across spatial distances (e-mail, contacts, tasks, calendar)
Legal basis (according to Art. 6 / 9 GDPR):
  • Implementation of pre-contractual measures (Art. 6 para. 1 b)
  • Fulfillment of a contract (Art. 6 para. 1 b)
  • Protection of legitimate interests (Art. 6 para. 1 f)
Recipient (if applicable): If applicable: interested parties, suppliers, craftsmen, authorities, service providers, as well as their contact persons, management, employees, trainees, applicants
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees): A data transfer to a third country does not take place and is not planned.
If known: Duration of data storage: See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity: Without the relevant data, it may not be possible to fulfill the tasks or contracts, in particular across spatial distances.
Consequences of non-compliance (in case of failure to provide the required data): Without the relevant data, it may not be possible to fulfill the tasks or contracts, in particular across spatial distances.
If applicable, existence of an automated decision-making process: In this context, we do not use automated decision-making.
If applicable, origin of the data (if not collected directly from the data subject): As a rule, the data originates from the data subject him/herself; however, it may also originate from third parties.
Where applicable, categories of personal data (if not collected directly from the data subject): Name, first name, address data, contact data, e-mail addresses, appointment data
Change of purpose if necessary: none

Hosting

Purpose of processing: Provision of IT systems
Legal basis (according to Art. 6 / 9 GDPR):
  • Protection of legitimate interests (Art. 6 para. 1 f)
  • Implementation of pre-contractual measures (Art. 6 para. 1 b)
  • Fulfillment of a contract (Art. 6 para. 1 b)
  • Fulfillment of legal obligations (Art. 6 para. 1 c)
Recipient (if applicable): If applicable, external service providers, if necessary for the processing
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees): A data transfer to a third country does not take place and is not planned.
If known: Duration of data storage: See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity: Without the relevant data, it may not be possible to fulfill the tasks or contracts; this data is also required to ensure security.
Consequences of non-compliance (in case of failure to provide the required data): Without the relevant data, it may not be possible to fulfill the tasks or contracts; this data is also required to ensure security.
If applicable, existence of an automated decision-making process: In this context, we do not use automated decision-making.
If applicable, origin of the data (if not collected directly from the data subject): As a rule, the data originates from the data subject him/herself; however, it may also originate from third parties.
Where applicable, categories of personal data (if not collected directly from the data subject): First name, last name, title, address, e-mail address, telephone number, contract data, contact history, IT usage data, traffic data, log data, telecommunications data
Change of purpose if necessary: none

Internet and telephone use

Purpose of processing: (Office) communication and task management for human resources, employee management, customer management, financial accounting, controlling, marketing, etc.
Legal basis (according to Art. 6 / 9 GDPR):
  • Protection of legitimate interests (Art. 6 para. 1 f)
  • Fulfillment of a contract (Art. 6 para. 1 b)
Recipient (if applicable): Applicants, customers, interested parties, suppliers, craftsmen, authorities, service providers, as well as their contact persons, management and employees
If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees): A data transfer to a third country does not take place and is not planned.
If known: Duration of data storage: See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity: Without the relevant data, the fulfillment of the tasks or contracts may not be possible.
Consequences of non-compliance (in case of failure to provide the required data): Without the relevant data, the fulfillment of the tasks or contracts may not be possible.
If applicable, existence of an automated decision-making process: In this context, we do not use automated decision-making.
If applicable, origin of the data (if not collected directly from the data subject): As a rule, the data originates from the data subject him/herself; however, it may also originate from third parties.
Where applicable, categories of personal data (if not collected directly from the data subject): Name, first name, extension, address data, contact data, e-mail addresses, appointment data, traffic data (as defined by §96 TKG), IP addresses, web addresses, website retrieval data
Change of purpose if necessary: none

IT Security

Purpose of processing: Ensure the security, integrity, confidentiality, and availability of data by protecting it from unauthorized external and internal access.
Legal basis (according to Art. 6 / 9 GDPR):
  • Fulfillment of a contract (Art. 6 para. 1 b)
  • Protection of legitimate interests (Art. 6 para. 1 f)
Recipient (if applicable): IT service provider (if required)
If known: Duration of data storage: See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity: The data is already available and is needed to ensure safety.
Consequences of non-compliance (in case of failure to provide the required data): The data is already available and is needed to ensure safety.
If applicable, existence of an automated decision-making process: In this context, we do not use automatic decision-making.
If applicable, origin of the data (if not collected directly from the data subject): In this context, we do not use automated decision-making.
Where applicable, categories of personal data (if not collected directly from the data subject): As a rule, the data originates from the data subject him/herself; however, it may also originate from third parties.
Change of purpose if necessary: none
    Communication systems (such as telephone system)
    Purpose of processing: Provision and performance of telecommunications services for own (internal) purposes (corporate communications internally and externally). Ensuring proper telecommunications operations within the company and for customers. Provision of log files, evaluations and statistics.
    Legal basis (according to Art. 6 / 9 GDPR):
  • Protection of legitimate interests (Art. 6 para. 1 f)
    Recipient (if applicable): Traffic data is not passed on as a matter of principle, but is only used on an ad hoc basis to rectify faults or for billing audits.
    If applicable, intention of forwarding to a third country or international organization (incl. info on adequacy decision of the Commission or suitable guarantees): A data transfer to a third country does not take place and is not planned.
    If known, duration of data storage: Traffic data is stored for a maximum of 6 months. Aggregated data may be stored and used beyond this period, provided that it is ensured that no personal reference can be derived from the data. See General deadlines for data deletion
    Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity: Without the data required for communication, the implementation and management of telecommunications is not possible.
    Consequences of non-compliance (in case of failure to provide the required data): Without the data required for communication, the implementation and management of telecommunications is not possible.
    If applicable, existence of an automated decision-making process: In this context, we do not use automated decision-making.
    If applicable, origin of the data (if not collected directly from the data subject): The data usually originates from the data subject, but may also come from third parties.
    Where applicable, categories of personal data (if not collected directly from the data subject): Extension, telephone number, surname, first name, telephone number of the communication partner, duration of the call, date, time; traffic data (as defined in § 96 TKG), contact data
    Change of purpose if necessary: none
    Internet usage control
    Purpose of processing: Random monitoring of Internet use to check for compliance with the rules on private use.
    Legal basis (according to Art. 6 / 9 GDPR):
  • Protection of legitimate interests (Art. 6 para. 1 f)
  • Fulfillment of legal obligations (Art. 6 para. 1 c)
    Recipient (if applicable): IT service provider (if required), authorities if necessary
    If applicable, intention of forwarding to a third country or international organization (incl. info on adequacy decision of the Commission or suitable guarantees): A data transfer to a third country does not take place and is not planned.
    If known, duration of data storage: See General deadlines for data deletion
    Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity: The collection of data is done automatically in accordance with the company's legal obligation to ensure and maintain the security of the company's data.
    Consequences of non-compliance (in case of failure to provide the required data): The collection of data is done automatically in accordance with the company's legal obligation to ensure and maintain the security of the company's data.
    If applicable, existence of an automated decision-making process: In this context, we do not use automated decision-making.
    If applicable, origin of the data (if not collected directly from the data subject): The data comes from the data subject himself.
    Where applicable, categories of personal data (if not collected directly from the data subject): User names, IP addresses, Internet URLs, e-mails, web pages, timestamps
    Change of purpose if necessary: none
    Mobile / cell phone / smartphone use
    Purpose of processing: Mobile communication and task management for human resources, employee management, customer management, financial accounting, controlling, marketing, etc.
    Legal basis (according to Art. 6 / 9 GDPR):
  • Protection of legitimate interests (Art. 6 para. 1 f)
  • If applicable, within the scope of the exception pursuant to Section 7 (3) of the German Unfair Competition Act (UWG)
  • Fulfillment of a contract (Art. 6 para. 1 b)
    Recipient (if applicable): Applicants, customers, interested parties, suppliers, craftsmen, authorities, service providers, as well as their contact persons, management and employees
    If applicable, intention of forwarding to a third country or international organization (incl. info on adequacy decision of the Commission or suitable guarantees): A data transfer to a third country does not take place and is not planned.
    If known, duration of data storage: See General deadlines for data deletion
    Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity: Without the relevant data, the fulfillment of the tasks or contracts may not be possible.
    Consequences of non-compliance (in case of failure to provide the required data): Without the relevant data, the fulfillment of the tasks or contracts may not be possible.
    If applicable, existence of an automated decision-making process: In this context, we do not use automated decision-making.
    If applicable, origin of the data (if not collected directly from the data subject): As a rule, the data originates from the data subject him/herself; however, it may also originate from third parties.
    Where applicable, categories of personal data (if not collected directly from the data subject): Name, first name, address data, contact data, e-mail addresses, appointment data, traffic data (in the sense of § 96 TKG), IP addresses, web addresses, web page retrieval data
    Change of purpose if necessary: none
    Office 365
    Purpose of processing: Use of Office 365
    Legal basis (according to Art. 6 / 9 GDPR):
  • Protection of legitimate interests (Art. 6 para. 1 f)
    Recipient (if applicable): Depending on the server location, the data is stored at Microsoft in the USA or in the EU. IT service provider (if required)
    If applicable, intention of forwarding to a third country or international organization (incl. info on adequacy decision of the Commission or suitable guarantees): No further data transfer to a third country takes place or is planned.
    If known, duration of data storage: See General deadlines for data deletion
    Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity: Without the relevant data, the fulfillment of the tasks or contracts may not be possible.
    Consequences of non-compliance (in case of failure to provide the required data): Without the relevant data, the fulfillment of the tasks or contracts may not be possible.
    If applicable, existence of an automated decision-making process: In this context, we do not use automated decision-making.
    If applicable, origin of the data (if not collected directly from the data subject): As a rule, the data originates from the data subject him/herself; however, it may also originate from third parties.
    Where applicable, categories of personal data (if not collected directly from the data subject): Various
    Change of purpose if necessary: none
    Electronic processing by e-mail
    Purpose of processing: Implementation of internal
    Legal basis (according to Art. 6 / 9 GDPR):
  • Protection of legitimate interests (Art. 6 para. 1 f)
  • Fulfillment of a contract (Art. 6 para. 1 b)
  • Fulfillment of legal obligations (Art. 6 para. 1 c)
  • Implementation of pre-contractual measures (Art. 6 para. 1 b)
    Recipient (if applicable): Occasion-related and transparent transmission within the scope of e-mail communication (e.g., in compliance with BCC and CC regulations); including customers, interested parties, suppliers, authorities, contractual partners, other third party IT service providers (if required); if applicable, Hubspot CRM, 25 First Street, 2nd Floor, Cambridge, MA 02141, United States of America
    If applicable, intention of forwarding to a third country or international organization (incl. info on adequacy decision of the Commission or suitable guarantees): Data is transferred to third countries if the respective communication partner is located in a third country. Furthermore, in the case of communication by e-mail via the Internet, it cannot be ruled out that e-mails are routed via communication systems in third countries.
    If known, duration of data storage: After the purpose of storage has ceased to apply: retention period for e-mails, insofar as they qualify as business letters: 6 years; after expiry of this period, the data is routinely deleted, insofar as it is no longer required for the performance or termination of contracts. Short-term deletion in special areas (e.g. applicant data: 6 months). See also General deadlines for data deletion
    Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity: Without the relevant data, the fulfillment of the tasks or contracts may not be possible.
    Consequences of non-compliance (in case of failure to provide the required data): Without the relevant data, the fulfillment of the tasks or contracts may not be possible.
    If applicable, existence of an automated decision-making process: In this context, we do not use automated decision-making.
    If applicable, origin of the data (if not collected directly from the data subject): As a rule, the data originates from the data subject him/herself; however, it may also originate from third parties.
    Where applicable, categories of personal data (if not collected directly from the data subject): Only personal data is processed to ensure the corresponding processing operation; including contact data (name, e-mail address), possibly others (depending on the content of the communication); possibly other header data; "content data" (contents of e-mails - "body").
    Change of purpose if necessary: none
    Contact form with Typeform
    Purpose of processing: Conduct external electronic communications including documentation, coordination with customers and prospects, requests for proposals, and more.
    Legal basis (according to Art. 6 / 9 GDPR):
  • Fulfillment of a contract (Art. 6 para. 1 b)
  • Safeguarding legitimate interests (Art. 6 para. 1 f)
  • Fulfillment of legal obligations (Art. 6 para. 1 c)
  • Implementation of pre-contractual measures (Art. 6 para. 1 b)
    Recipient (if applicable): TYPEFORM SL, Carrer Bac de Roda, 163, local, 08018 - Barcelona (Spain)
    If applicable, intention of forwarding to a third country or international organization (incl. info on adequacy decision of the Commission or suitable guarantees): Data transfer to third countries does not take place and is not planned.
    If known, duration of data storage: After the purpose of storage has ceased to apply: retention period for e-mails, insofar as they qualify as business letters: 6 years; after expiry of this period, the data is routinely deleted, insofar as it is no longer required for the performance or termination of contracts. Short-term deletion in special areas (e.g. applicant data: 6 months). See also General deadlines for data deletion
    Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity: Without the relevant data, the fulfillment of the tasks or contracts may not be possible.
    Consequences of non-compliance (in case of failure to provide the required data): Without the relevant data, the fulfillment of the tasks or contracts may not be possible.
    If applicable, existence of an automated decision-making process: In this context, we do not use automated decision-making.
    If applicable, origin of the data (if not collected directly from the data subject): As a rule, the data originates from the data subject him/herself; however, it may also originate from third parties.
    Where applicable, categories of personal data (if not collected directly from the data subject): Only personal data is processed to ensure the corresponding processing procedure; including contact data (name, e-mail address, telephone number), possibly other (depending on the content of the communication)
    Change of purpose if necessary: none
    Contact form with Calendly
    Purpose of processing: Conduct external electronic communications including documentation, scheduling appointments with customers and prospects, requests for proposals, etc.
    Legal basis (according to Art. 6 / 9 GDPR):
  • Fulfillment of legal obligations (Art. 6 para. 1 c)
  • Implementation of pre-contractual measures (Art. 6 para. 1 b)
  • Fulfillment of a contract (Art. 6 para. 1 b)
  • Safeguarding legitimate interests (Art. 6 para. 1 f)
    Recipient (if applicable): Calendly LLC, 271 17th St NW, Ste 1000, Atlanta, Georgia, 30363, United States
    If applicable, intention of forwarding to a third country or international organization (incl. info on adequacy decision of the Commission or suitable guarantees): A data transfer to a third country does not take place and is not planned.
    If known, duration of data storage: After the purpose of storage has ceased to apply: retention period for e-mails, insofar as they qualify as business letters: 6 years; after expiry of this period, the data is routinely deleted, insofar as it is no longer required for the performance or termination of contracts. Short-term deletion in special areas (e.g. applicant data: 6 months). See also General deadlines for data deletion
    Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity: Without the relevant data, the fulfillment of the tasks or contracts may not be possible.
    Consequences of non-compliance (in case of failure to provide the required data): Without the relevant data, the fulfillment of the tasks or contracts may not be possible.
    If applicable, existence of an automated decision-making process: In this context, we do not use automated decision-making.
    If applicable, origin of the data (if not collected directly from the data subject): As a rule, the data originates from the data subject him/herself; however, it may also originate from third parties.
    Where applicable, categories of personal data (if not collected directly from the data subject): Only personal data is processed to ensure the corresponding processing operation; including contact data (name, e-mail address, phone number), possibly other (depending on the content of the communication) and control data by Calendly (IP address and possibly other; for details, see: https://calendly.com/de/pages/privacy)
    Change of purpose if necessary: none
    Logging in IT systems
    Purpose of processing: Ensuring legally required and technically necessary logging: ensuring correct functioning of IT systems, error analysis, detection of resource bottlenecks, tracking of hacker attacks.
    Legal basis (according to Art. 6 / 9 GDPR):
  • Protection of legitimate interests (Art. 6 para. 1 f)
  • Fulfillment of legal obligations (Art. 6 para. 1 c)
    Recipient (if applicable): IT service provider (if required), authorities if necessary
    If applicable, intention of forwarding to a third country or international organization (incl. info on adequacy decision of the Commission or suitable guarantees): A data transfer to a third country does not take place and is not planned.
    If known, duration of data storage: See General deadlines for data deletion
    Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity: The collection of data is done automatically in accordance with the company's legal obligation to ensure and maintain the security of the company's data.
    Consequences of non-compliance (in case of failure to provide the required data): The collection of data is done automatically in accordance with the company's legal obligation to ensure and maintain the security of the company's data.
    If applicable, existence of an automated decision-making process: In this context, we do not use automated decision-making.
    If applicable, origin of the data (if not collected directly from the data subject): The data comes from the data subject himself.
    Where applicable, categories of personal data (if not collected directly from the data subject): User names, IP addresses, e-mail addresses, Internet URLs, e-mails, web pages
    Change of purpose if necessary: none
    Ticket system
    Purpose of processing: Ensuring IT support in own company and for customer systems. Recording of malfunctions, errors and requests, systematic processing of error messages by users.
    Legal basis (according to Art. 6 / 9 GDPR):
  • Protection of legitimate interests (Art. 6 para. 1 f)
    Recipient (if applicable): IT service provider (if required)
    If applicable, intention of forwarding to a third country or international organization (incl. info on adequacy decision of the Commission or suitable guarantees): A data transfer to a third country does not take place and is not planned.
    If known, duration of data storage: See General deadlines for data deletion
    Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity: Without the data in question, it may not be possible to fulfill the tasks or contracts (internal and external support and maintenance), especially across spatial distances.
    Consequences of non-compliance (in case of failure to provide the required data): Without the data in question, it may not be possible to fulfill the tasks or contracts (internal and external support and maintenance), especially across spatial distances.
    If applicable, existence of an automated decision-making process: In this context, we do not use automated decision-making.
    If applicable, origin of the data (if not collected directly from the data subject): As a rule, the data originates from the data subject him/herself; however, it may also originate from third parties.
    Where applicable, categories of personal data (if not collected directly from the data subject): Details of the processor (surname, first name, contact details), details of the requester (surname, first name, address details, contact details), error description
    Change of purpose if necessary: none
    Dealing with passwords
    Purpose of processing: Task management for office communication for human resources, employee management, customer management, financial accounting, controlling, marketing. Ensuring administrator access in case of emergency.
    Legal basis (according to Art. 6 / 9 GDPR):
  • Fulfillment of legal obligations (Art. 6 para. 1 c)
  • Protection of legitimate interests (Art. 6 para. 1 f)
    Recipient (if applicable): none
    If applicable, intention of forwarding to a third country or international organization (incl. info on adequacy decision of the Commission or suitable guarantees): A data transfer to a third country does not take place and is not planned.
    If known, duration of data storage: See General deadlines for data deletion
    Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity: The personal data has already been collected and is only managed to ensure IT security processes.
    Consequences of non-compliance (in case of failure to provide the required data): The personal data has already been collected and is only managed to ensure IT security processes.
    If applicable, existence of an automated decision-making process: In this context, we do not use automated decision-making.
    If applicable, origin of the data (if not collected directly from the data subject): The data comes from the data subject himself.
    Where applicable, categories of personal data (if not collected directly from the data subject): Name, first name, user name, password
    Change of purpose if necessary: none
    Applications and application procedure
    Purpose of processing: Handling and implementation of application procedures, processing of unsolicited applications; selection of potential employees to fill suitable positions.
    Legal basis (according to Art. 6 / 9 GDPR):
  • Implementation of pre-contractual measures (Art. 6 para. 1 b)
  • Protection of legitimate interests (Art. 6 para. 1 f)
    Recipient (if applicable): If necessary, external service providers (recruitment tests)
    If applicable, intention of forwarding to a third country or international organization (incl. info on adequacy decision of the Commission or suitable guarantees): A data transfer to a third country does not take place and is not planned.
    If known, duration of data storage: Applications will only be stored for other positions with your consent; otherwise they will be deleted, returned or destroyed after 6 months if employment does not materialize. See also General deadlines for data deletion
    Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity: For a smooth application process, it is necessary that the requested information is provided truthfully.
    Consequences of non-compliance (in case of failure to provide the required data): Non-compliance (i.e. failure to provide the required data) may result in the inability to conclude an employment contract.
    If applicable, existence of an automated decision-making process: In this context, we do not use purely automated decision-making.
    If applicable, origin of the data (if not collected directly from the data subject): As a rule, the data originates from the data subject him/herself; however, it may also originate from third parties.
    Where applicable, categories of personal data (if not collected directly from the data subject): Personal data (name, address, date of birth, telephone number, information on religious affiliation, information on marital status / information on children, curriculum vitae, education, qualifications, application data, if applicable, information on severe disability)
    Change of purpose if necessary: If we take you on as an employee after completion of the application process, the purpose for processing the relevant data changes: in this case, it will be used in the future to implement and maintain the employment relationship.
    E-Learning
    Purpose of processing: Web-based learning (IT environment, foreign languages, etc.) for employee training and development. Information transfer and training for external service providers.
    Legal basis (according to Art. 6 / 9 GDPR):
  • Protection of legitimate interests (Art. 6 para. 1 f)
  • Fulfillment of legal obligations (Art. 6 para. 1 c)
    Recipient (if applicable): If applicable and if necessary, service providers involved in the processing
    If applicable, intention of forwarding to a third country or international organization (incl. info on adequacy decision of the Commission or suitable guarantees): A data transfer to a third country does not take place and is not planned.
    If known, duration of data storage: See General deadlines for data deletion
    Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity: The personal data are necessarily processed for the implementation of the employment relationship.
    Consequences of non-compliance (in case of failure to provide the required data): The personal data are necessarily processed for the implementation of the employment relationship.
    If applicable, existence of an automated decision-making process: In this context, we do not use purely automated decision-making.
    If applicable, origin of the data (if not collected directly from the data subject): As a rule, the data originates from the data subject him/herself; however, it may also originate from third parties.
    Where applicable, categories of personal data (if not collected directly from the data subject): First name, last name, email address, department, learning outcomes
    Change of purpose if necessary: none
    Personnel questionnaire
    Purpose of processing: In the application process for easier comparison of the applicant's details, in the case of new hires for registering the employee with the authorities, insurance companies and social security institutions.
    Legal basis (according to Art. 6 / 9 GDPR):
  • Fulfillment of legal obligations (Art. 6 para. 1 c)
  • Implementation of pre-contractual measures (Art. 6 para. 1 b)
  • Protection of legitimate interests (Art. 6 para. 1 f)
    Recipient (if applicable): Government agencies, insofar as there are legal obligations to transmit data (tax office); non-public agencies only if there is a legal basis for doing so (health insurance fund and social insurance carrier).
    If applicable, intention of forwarding to a third country or international organization (incl. info on adequacy decision of the Commission or suitable guarantees): A data transfer to a third country does not take place and is not planned.
    If known, duration of data storage: See General deadlines for data deletion
    Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity: The personal data have already been collected and are necessarily processed for the performance of the employment relationship.
    Consequences of non-compliance (in case of failure to provide the required data): The personal data have already been collected and are necessarily processed for the performance of the employment relationship.
    If applicable, existence of an automated decision-making process: In this context, we do not use purely automated decision-making.
    If applicable, origin of the data (if not collected directly from the data subject): As a rule, the data originates from the data subject him/herself; however, it may also originate from third parties.
    Where applicable, categories of personal data (if not collected directly from the data subject): Surname, first name, address data, contact data, date of birth, religious affiliation (if tax-relevant), marital status, details of children, bank details, details of previous activities, details of education, social security details.
    Change of purpose if necessary: none
    (Online) Banking
    Purpose of processing: Management and administration of bank accounts, financial management
    Legal basis (according to Art. 6 / 9 GDPR):
  • Protection of legitimate interests (Art. 6 para. 1 f)
  • Fulfillment of legal obligations (Art. 6 para. 1 c)
  • Fulfillment of a contract (Art. 6 para. 1 b)
    Recipient (if applicable): none
    If applicable, intention of forwarding to a third country or international organization (incl. info on adequacy decision of the Commission or suitable guarantees): A data transfer to a third country does not take place and is not planned.
    If known, duration of data storage: See General deadlines for data deletion
    Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity: Obligation to provide the data due to the contractual relationship between the person responsible and the data subject. Necessary for the processing of orders or similar.
    Consequences of non-compliance (in case of failure to provide the required data): A violation (i.e. the failure to provide the required data) would possibly result in the non-fulfillment of contractual obligations (e.g. delivery of goods and provision of services).
    If applicable, existence of an automated decision-making process: In this context, we do not use automated decision-making.
    If applicable, origin of the data (if not collected directly from the data subject): As a rule, the data originates from the data subject him/herself; however, it may also originate from third parties.
    Where applicable, categories of personal data (if not collected directly from the data subject): First name, last name, bank data, payment data, contract data, address, date of birth, if applicable further
    Change of purpose if necessary: none
    Billing direct debit
    Purpose of processing: Billing by direct debit
    Recipient (if applicable): Contractor's bank
    If applicable, intention of forwarding to a third country or international organization (incl. info on adequacy decision of the Commission or suitable guarantees): A data transfer to a third country does not take place and is not planned.
    If known, duration of data storage: See General deadlines for data deletion
    Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity: Without the data required for SEPA direct debit, direct debit collection is not possible.
    Consequences of non-compliance (in case of failure to provide the required data): Without the data required for SEPA direct debit, direct debit collection is not possible.
    If applicable, existence of an automated decision-making process: In this context, we do not use automated decision-making.
    If applicable, origin of the data (if not collected directly from the data subject): The data comes from the data subject himself.
    Where applicable, categories of personal data (if not collected directly from the data subject): none
    Quotation, order and invoice preparation
    Purpose of processing: Preparation of offers, orders and invoices
    Legal basis (according to Art. 6 / 9 GDPR):
  • Fulfillment of a contract (Art. 6 para. 1 b)
  • Protection of legitimate interests (Art. 6 para. 1 f)
  • Fulfillment of legal obligations (Art. 6 para. 1 c)
    Recipient (if applicable): Recipient of receipts; depending on request, public authorities if applicable, tax advisor if applicable, insurer if applicable.
    If applicable, intention of forwarding to a third country or international organization (incl. info on adequacy decision of the Commission or suitable guarantees): A data transfer to a third country does not take place and is not planned.
    If known, duration of data storage: See General deadlines for data deletion
    Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity: Obligation to provide the data due to the contractual relationship between the person responsible and the data subject. Necessary for the processing of orders or similar.
    Consequences of non-compliance (in case of failure to provide the required data): A violation (i.e. the failure to provide the required data) would possibly result in the non-fulfillment of contractual obligations (e.g. delivery of goods and provision of services).
    If applicable, existence of an automated decision-making process: In this context, we do not use automated decision-making.
    If applicable, origin of the data (if not collected directly from the data subject): As a rule, the data originates from the data subject him/herself; however, it may also originate from third parties.
    Where applicable, categories of personal data (if not collected directly from the data subject): Billing data, address data, bank details (if applicable), personal master data, contact data, contract data, time recording data (if applicable), customer history (if applicable), payment data, communication data, contract master data, other data (if applicable).
    Change of purpose if necessary: none
    Invoicing, dunning
    Purpose of processing: Preparation and dispatch of invoices; recording of open items and dunning (management and collection of outstanding receivables); recording and documentation of all financial transactions in the company (all sales as well as fixed assets); recording and payment of taxes and levies to the tax authorities and, if applicable, to other public authorities; control and processing of incoming/outgoing invoices, monitoring of payments, processing of account statements
    Legal basis (according to Art. 6 / 9 GDPR):
  • Fulfillment of a contract (Art. 6 para. 1 b)
  • Protection of legitimate interests (Art. 6 para. 1 f)
  • Fulfillment of legal obligations (Art. 6 para. 1 c)
    Recipient (if applicable): As far as required by law: tax authorities; tax advisors and auditors. Otherwise, if there is a legal basis for the data transfer
    If applicable, intention of forwarding to a third country or international organization (incl. info on adequacy decision of the Commission or suitable guarantees): A data transfer to a third country does not take place and is not planned.
    If known, duration of data storage: See General deadlines for data deletion
    Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity: There are legal obligations for the preparation of invoices and reminders.
    Consequences of non-compliance (in case of failure to provide the required data): Resulting from the respective legal regulation, if applicable
    If applicable, existence of an automated decision-making process: In this context, we do not use automated decision-making.
    If applicable, origin of the data (if not collected directly from the data subject): The data usually originates from the data subject, but may also come from third parties.
    Where applicable, categories of personal data (if not collected directly from the data subject): First name, last name, address, contact data, contract data, insurance data, date of birth, data on purchased goods/services, bank details, VAT identification number, patient data; invoice data, sales including invoice numbers, purposes of use, etc.; information on fixed assets
    Change of purpose if necessary: none

    Record keeping
    Purpose of processing: Task management for office communication for e.g.: Human resources, employee management, customer management, financial accounting, controlling, marketing.
    Legal basis (according to Art. 6 / 9 GDPR):
  • Protection of legitimate interests (Art. 6 para. 1 f)
  • Informed consent (Art. 6 para. 1 a)
    Recipient (if applicable): If applicable, applicants, customers, interested parties, suppliers, craftsmen, authorities, service providers, as well as their contacts
    If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees): A data transfer to a third country does not take place and is not planned.
    If known: Duration of data storage: See General deadlines for data deletion
    Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity: Without the data required for communication, it is not possible to carry out certain business processes.
    Consequences of non-compliance (in case of failure to provide the required data): none
    If applicable, existence of an automated decision-making process: In this context, we do not use automatic decision-making.
    If applicable, origin of the data (if not collected directly from the data subject): The data originates from the data subject himself; however, it may also originate from third parties.
    Where applicable, categories of personal data (if not collected directly from the data subject): Only personal data is processed to ensure the corresponding processing operation.
    Change of purpose if necessary: none

    General management
    Purpose of processing: General administration (incl. processing incoming mail, etc.)
    Legal basis (according to Art. 6 / 9 GDPR):
  • Fulfillment of a contract (Art. 6 para. 1 b)
  • Fulfillment of legal obligations (Art. 6 para. 1 c)
  • Protection of legitimate interests (Art. 6 para. 1 f)
    Recipient (if applicable): none
    If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees): A data transfer to a third country does not take place and is not planned.
    If known: Duration of data storage: See General deadlines for data deletion
    Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity: Without the data required for management, it is not possible to carry out certain business processes.
    Consequences of non-compliance (in case of failure to provide the required data): Without the data required for management, it is not possible to carry out certain business processes.
    If applicable, existence of an automated decision-making process: In this context, we do not use automated decision-making.
    If applicable, origin of the data (if not collected directly from the data subject): The data usually originates from the data subject, but may also come from third parties.
    Where applicable, categories of personal data (if not collected directly from the data subject): First name, last name, title, address, e-mail address, telephone number, position, contact data, contact history, contract data
    Change of purpose if necessary: none

    Order management
    Purpose of processing: Creation, maintenance and management of orders
    Legal basis (according to Art. 6 / 9 GDPR):
  • Protection of legitimate interests (Art. 6 para. 1 f)
  • Fulfillment of legal obligations (Art. 6 para. 1 c)
  • Fulfillment of a contract (Art. 6 para. 1 b)
    Recipient (if applicable):
  • Hubspot CRM; Operator: HubSpot, Inc., 25 First Street, 2nd Floor, Cambridge, MA 02141, United States of America
  • Zapier; Operator: Zapier Inc., 548 Market St.
    If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees): A data transfer to a third country does not take place and is not planned.
    If known: Duration of data storage: See General deadlines for data deletion
    Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity: Without the data required for management, it is not possible to carry out certain business processes.
    Consequences of non-compliance (in case of failure to provide the required data): Without the data required for management, it is not possible to carry out certain business processes.
    If applicable, existence of an automated decision-making process: In this context, we do not use automated decision-making.
    If applicable, origin of the data (if not collected directly from the data subject): The data usually originates from the data subject, but may also come from third parties.
    Where applicable, categories of personal data (if not collected directly from the data subject): First name, last name, title, address, date of birth, patient data, insurance data, data on purchased goods/services, contract data, telephone number, customer number, e-mail address,
    Change of purpose if necessary: none

    Office Communication
    Purpose of processing: Task management for office communication for e.g.: Human resources, employee management, customer management, financial accounting, controlling, marketing.
    Legal basis (according to Art. 6 / 9 GDPR):
  • Protection of legitimate interests (Art. 6 para. 1 f)
  • Fulfillment of a contract (Art. 6 para. 1 b)
  • Fulfillment of legal obligations (Art. 6 para. 1 c)
    Recipient (if applicable): If applicable, applicants, customers, interested parties, suppliers, craftsmen, authorities, service providers, as well as their contacts
    If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees): A data transfer to a third country does not take place and is not planned.
    If known: Duration of data storage: See General deadlines for data deletion
    Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity: Without the data required for communication, it is not possible to carry out certain business processes.
    Consequences of non-compliance (in case of failure to provide the required data): Without the data required for communication, it is not possible to carry out certain business processes.
    If applicable, existence of an automated decision-making process: In this context, we do not use automated decision-making.
    If applicable, origin of the data (if not collected directly from the data subject): The data usually originates from the data subject, but may also come from third parties.
    Where applicable, categories of personal data (if not collected directly from the data subject): Only personal data is processed to ensure the corresponding processing operation.
    Change of purpose if necessary: none

    Paper and document destruction
    Purpose of processing: Destruction of data carriers and documents no longer required as part of paper and file disposal (e.g. after expiry of the retention period), on which or in which personal data are located during ongoing operations and after expiry of the retention period.
    Legal basis (according to Art. 6 / 9 GDPR):
  • Protection of legitimate interests (Art. 6 para. 1 f)
  • Fulfillment of legal obligations (Art. 6 para. 1 c)
    Recipient (if applicable): External disposal service provider
    If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees): A data transfer to a third country does not take place and is not planned.
    If known: Duration of data storage: See General deadlines for data deletion
    Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity: The personal data have already been collected and are necessarily processed (destroyed) to fulfill legal obligations.
    Consequences of non-compliance (in case of failure to provide the required data): The personal data have already been collected and are necessarily processed (destroyed) to fulfill legal obligations.
    If applicable, existence of an automated decision-making process: In this context, we do not use automated decision-making.
    If applicable, origin of the data (if not collected directly from the data subject): The data usually originates from the data subject, but may also come from third parties.
    Where applicable, categories of personal data (if not collected directly from the data subject): Customer data, contact data, billing data, contract data, employee data, payroll data; miscellaneous
    Change of purpose if necessary: none

    Maintaining contacts, suppliers and customers
    Purpose of processing: Creation, maintenance and updating, management of contacts (creditors, debtors, interested parties and their contact persons) and central management of all addresses for the company and, if necessary, for provision to employees, ensuring order processing
    Legal basis (according to Art. 6 / 9 GDPR):
  • Protection of legitimate interests (Art. 6 para. 1 f)
  • Fulfillment of a contract (Art. 6 para. 1 b)
    Recipient (if applicable): none
    If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees): A data transfer to a third country does not take place and is not planned.
    If known: Duration of data storage: See General deadlines for data deletion
    Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity: There is no obligation to provide personal data.
    Consequences of non-compliance (in case of failure to provide the required data): Without the data in question, adequate contact management and maintenance is not possible.
    If applicable, existence of an automated decision-making process: In this context, we do not use automatic decision-making.
    If applicable, origin of the data (if not collected directly from the data subject): Depends on the process by which the data entered the respective system; as a rule, the data originates from the data subject himself.
    Where applicable, categories of personal data (if not collected directly from the data subject): Personal master data / contact data (first name, last name, date of birth, address, Internet address, e-mail address, telephone number, fax number, position, interests / preferences); industry, customer number, customer type, contact data, contact history, appointment data, contract data, customer history, payment / billing data, bank details, creditworthiness data, possibly other depending on the content of the communication.
    Change of purpose if necessary: none

    Key management
    Purpose of processing: Access management to office and plant areas
    Legal basis (according to Art. 6 / 9 GDPR):
  • Fulfillment of a contract (Art. 6 para. 1 b)
  • Fulfillment of legal obligations (Art. 6 para. 1 c)
  • Protection of legitimate interests (Art. 6 para. 1 f)
    Recipient (if applicable): none
    If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees): A data transfer to a third country does not take place and is not planned.
    If known: Duration of data storage: See General deadlines for data deletion
    Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity: The data are necessarily processed to carry out the key management.
    Consequences of non-compliance (in case of failure to provide the required data): The data are necessarily processed to carry out the key management.
    If applicable, existence of an automated decision-making process: In this context, we do not use automated decision-making.
    If applicable, origin of the data (if not collected directly from the data subject): The data comes from the data subject himself.
    Where applicable, categories of personal data (if not collected directly from the data subject): Name, first name, address data, contact data, issue date, key ID
    Change of purpose if necessary: none

    Processing incoming mail
    Purpose of processing: Processing and forwarding of incoming mail
    Legal basis (according to Art. 6 / 9 GDPR):
  • Fulfillment of a contract (Art. 6 para. 1 b)
  • Protection of legitimate interests (Art. 6 para. 1 f)
  • Fulfillment of legal obligations (Art. 6 para. 1 c)
    Recipient (if applicable): none
    If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees): A data transfer to a third country does not take place and is not planned.
    If known: Duration of data storage: See General deadlines for data deletion
    Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity: The data already exists and is necessarily processed for the subsequent processes.
    Consequences of non-compliance (in case of failure to provide the required data): The data already exists and is necessarily processed for the subsequent processes.
    If applicable, existence of an automated decision-making process: In this context, we do not use automatic decision-making.
    If applicable, origin of the data (if not collected directly from the data subject): The data usually originates from the data subject, but may also originate from third parties.
    Where applicable, categories of personal data (if not collected directly from the data subject): First name, last name, address; depending on the content of the message: date of birth, title, customer number, insurance data, patient data, bank data, industry, position, communication data
    Change of purpose if necessary: none

    Appointment management
    Purpose of processing: Scheduling and management of appointments
    Legal basis (according to Art. 6 / 9 GDPR):
  • Safeguarding legitimate interests (Art. 6 para. 1 f)
  • Informed consent (Art. 6 para. 1 a)
    Recipient (if applicable): If necessary, customers, suppliers / service providers or other third parties for coordination of appointments
    If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees): A data transfer to a third country does not take place and is not planned.
    If known: Duration of data storage: See General deadlines for data deletion
    Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity: Without the data required for appointment management, the planning, management and coordination of appointments is not possible.
    Consequences of non-compliance (in case of failure to provide the required data): none
    If applicable, existence of an automated decision-making process: In this context, we do not use automatic decision-making.
    If applicable, origin of the data (if not collected directly from the data subject): The data originates from the data subject himself; however, it may also originate from third parties.
    Where applicable, categories of personal data (if not collected directly from the data subject): First name, last name, address if applicable, e-mail address, telephone number, position, contact data, appointment data
    Change of purpose if necessary: none

    Contract management
    Purpose of processing: Administration for contracts with customers, affiliated companies, employees, interns, suppliers, service providers (electronic and paper)
    Legal basis (according to Art. 6 / 9 GDPR):
  • Protection of legitimate interests (Art. 6 para. 1 f)
  • Informed consent (Art. 6 para. 1 a)
    Recipient (if applicable): If necessary, external legal advisors
    If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees): A data transfer to a third country does not take place and is not planned.
    If known: Duration of data storage: See General deadlines for data deletion
    Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity: Obligation to provide the data due to the contractual relationship between the responsible party and the data subject. Without the data, the performance of the agreed contractual service may not be possible.
    Consequences of non-compliance (in case of failure to provide the required data): none
    If applicable, existence of an automated decision-making process: In this context, we do not use automatic decision-making.
    If applicable, origin of the data (if not collected directly from the data subject): The data originates from the data subject himself; however, it may also originate from third parties.
    Where applicable, categories of personal data (if not collected directly from the data subject): First name, last name, title, address, e-mail address, telephone number, date of birth, contract data
    Change of purpose if necessary: none

    Order processing
    Purpose of processing: Commercial and technical processing of orders
    Legal basis (according to Art. 6 / 9 GDPR):
  • Fulfillment of a contract (Art. 6 para. 1 b)
  • Protection of legitimate interests (Art. 6 para. 1 f)
    Recipient (if applicable): none
    If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees): A data transfer to a third country does not take place and is not planned.
    If known: Duration of data storage: See General deadlines for data deletion
    Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity: The data already exists and is necessarily processed for the subsequent processes.
    Consequences of non-compliance (in case of failure to provide the required data): The data already exists and is necessarily processed for the subsequent processes.
    If applicable, existence of an automated decision-making process: In this context, we do not use automated decision-making.
    If applicable, origin of the data (if not collected directly from the data subject): The data usually originates from the data subject, but may also come from third parties.
    Where applicable, categories of personal data (if not collected directly from the data subject): Name, first name, address data, communication data (e-mail, telephone), bank details, tax data (VAT ID)
    Change of purpose if necessary: none

    Interest management
    Purpose of processing: Creation, maintenance and updating, management of contacts. Data is managed in the prospect / customer database
    Legal basis (according to Art. 6 / 9 GDPR):
  • Protection of legitimate interests (Art. 6 para. 1 f)
    Recipient (if applicable): none
    If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees): A data transfer to a third country does not take place and is not planned.
    If known: Duration of data storage: See General deadlines for data deletion
    Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity: There is no obligation to provide personal data.
    Consequences of non-compliance (in case of failure to provide the required data): Without the data in question, adequate contact management and maintenance is not possible.
    If applicable, existence of an automated decision-making process: In this context, we do not use automated decision-making.
    If applicable, origin of the data (if not collected directly from the data subject): The data usually originates from the data subject, but may also come from third parties.
    Where applicable, categories of personal data (if not collected directly from the data subject): Name, first name, address data, contact data, interest status
    Change of purpose if necessary: none

    Customer care and CRM
    Purpose of processing: Support and care of existing customers, acquisition of new customers, execution of statistical evaluations for internal purposes, contact by telephone, letter, e-mail, personal visit for product presentation and service offer, measures for customer loyalty and customer advice
    Legal basis (according to Art. 6 / 9 GDPR):
  • Safeguarding legitimate interests (Art. 6 para. 1 f)
    Recipient (if applicable): none
    If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees): A data transfer to a third country does not take place and is not planned.
    If known: Duration of data storage: See General deadlines for data deletion
    Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity: There is no obligation to provide personal data.
    Consequences of non-compliance (in case of failure to provide the required data): Without the data in question, adequate contact management and maintenance is not possible.
    If applicable, existence of an automated decision-making process: In this context, we do not use automated decision-making.
    If applicable, origin of the data (if not collected directly from the data subject): The data usually originates from the data subject, but may also come from third parties.
    Where applicable, categories of personal data (if not collected directly from the data subject): Name, first name, address data, contact data (telephone, cell phone, fax, e-mail), appointments, product data, contact reports, sales figures, contact history
    Change of purpose if necessary: none

    Ordering
    Purpose of processing: Purchasing of goods for own purposes and for resale, ensuring availability of materials and resources by paper - e-mail - telephone - fax, identifying suitable suppliers, conducting price negotiations, handling of returns and incorrect deliveries
    Legal basis (according to Art. 6 / 9 GDPR):
  • Fulfillment of a contract (Art. 6 para. 1 b)
  • Protection of legitimate interests (Art. 6 para. 1 f)
  • Fulfillment of legal obligations (Art. 6 para. 1 c)
    Recipient (if applicable): none
    If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees): A data transfer to a third country does not take place and is not planned.
    If known: Duration of data storage: See General deadlines for data deletion
    Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity: Obligation to provide the data due to the contractual relationship between the person responsible and the data subject. Necessary for the processing of orders or similar.
    Consequences of non-compliance (in case of failure to provide the required data): A violation (i.e. the failure to provide the required data) would possibly result in the non-fulfillment of contractual obligations (e.g. receipt of goods or services).
    If applicable, existence of an automated decision-making process: In this context, we do not use automated decision-making.
    If applicable, origin of the data (if not collected directly from the data subject): As a rule, the data originates from the data subject him/herself; however, it may also originate from third parties.
    Where applicable, categories of personal data (if not collected directly from the data subject): Name, first name, address data, contact data
    Change of purpose if necessary: none

    Supplier Management
    Purpose of processing: Ensuring the processing of orders, ensuring the quality of the selected suppliers
    Legal basis (according to Art. 6 / 9 GDPR):
  • Protection of legitimate interests (Art. 6 para. 1 f)
  • Fulfillment of a contract (Art. 6 para. 1 b)
    Recipient (if applicable): none
    If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees): A data transfer to a third country does not take place and is not planned.
    If known: Duration of data storage: See General deadlines for data deletion
    Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity: Obligation to provide the data due to the contractual relationship between the person responsible and the data subject. Necessary for the processing of orders or similar.
    Consequences of non-compliance (in case of failure to provide the required data): In case of violation, the order processing and the quality of the suppliers cannot be ensured.
    If applicable, existence of an automated decision-making process: In this context, we do not use automated decision-making.
    If applicable, origin of the data (if not collected directly from the data subject): As a rule, the data originates from the data subject him/herself; however, it may also originate from third parties.
    Where applicable, categories of personal data (if not collected directly from the data subject): Surname, first name, address data, contact data, business activity data, ownership and history of the supplier company, management of the supplier companies, bank details, insurance data (public liability, assembly insurance, transport insurance).
    Change of purpose if necessary: none

    Acquisition
    Purpose of processing: Acquiring new customers
    Legal basis (according to Art. 6 / 9 GDPR):
  • Protection of legitimate interests (Art. 6 para. 1 f)
    Recipient (if applicable): none
    If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees): A data transfer to a third country does not take place and is not planned.
    If known: Duration of data storage: See General deadlines for data deletion
    Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity: There is no obligation to provide personal data.
    Consequences of non-compliance (in case of failure to provide the required data): There is no obligation to provide personal data.
    If applicable, existence of an automated decision-making process: No automated decision making takes place.
    If applicable, origin of the data (if not collected directly from the data subject): As a rule, the data originates from the data subject him/herself; however, it may also originate from third parties.
    Where applicable, categories of personal data (if not collected directly from the data subject): First name, last name, title, address (business), address (private), billing address, e-mail address, telephone number, customer number, type of customer, contact data, contact history, appointment data, bank details, data on purchased goods or services, contract data, sales data, records of the health insurance company, patient data
    Change of purpose if necessary: none

    Pictures and videos at events
    Purpose of processing: On- and offline marketing
    Legal basis (according to Art. 6 / 9 GDPR):
  • Informed consent (Art. 6 para. 1 a)
  • Safeguarding legitimate interests (Art. 6 para. 1 f)
    Recipient (if applicable): Photographer, Printer, Social Media
    If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees): A data transfer to a third country does not take place and is not planned.
    If known: Duration of data storage: There is no obligation to provide personal data.
    Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity: There is no obligation to provide personal data.
    Consequences of non-compliance (in case of failure to provide the required data): The data originates from the data subject himself; however, it may also originate from third parties.
    If applicable, existence of an automated decision-making process: In this context, we do not use automatic decision-making.
    If applicable, origin of the data (if not collected directly from the data subject): The data originates from the data subject himself; however, it may also originate from third parties.
    Where applicable, categories of personal data (if not collected directly from the data subject): Images, videos, metadata
    Change of purpose if necessary: none

    Customers - Photo and Film
    Purpose of processing: External presentation of the company, online / offline marketing
    Legal basis (according to Art. 6 / 9 GDPR):
  • Protection of legitimate interests (Art. 6 para. 1 f)
    Recipient (if applicable): Photographer if necessary, marketing agency if necessary
    If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees): A data transfer to a third country does not take place and is not planned.
    If known: Duration of data storage: See General deadlines for data deletion
    Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity: There is no obligation to provide personal data.
    Consequences of non-compliance (in case of failure to provide the required data): There is no obligation to provide personal data.
    If applicable, existence of an automated decision-making process: There is no automated decision making.
    If applicable, origin of the data (if not collected directly from the data subject): The data comes from the data subject himself.
    Where applicable, categories of personal data (if not collected directly from the data subject): Photo / film recordings; personal master data, contact data if required
    Change of purpose if necessary: none

    Newsletter
    Purpose of processing: Management, organization and dispatch of personalized newsletters; provision of information
    Legal basis (according to Art. 6 / 9 GDPR):
  • Informed consent (Art. 6 para. 1 a)
  • If applicable, within the scope of the exception pursuant to Section 7 (3) of the German Unfair Competition Act (UWG)
    Recipient (if applicable): Mailchimp; Operator: The Rocket Science Group, LLC, 675 Ponce de Leon Ave NE, Suite 5000, Atlanta, GA 30308 USA; https://mailchimp.com/legal/
    If applicable, intention of forwarding to a third country or int. organization (incl. info on adequacy decision of the Commission or suitable guarantees): A data transfer to a third country does not take place and is not planned.
    If known: Duration of data storage: See General deadlines for data deletion
    Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity: There is no obligation to provide personal data.
    Consequences of non-compliance (in case of failure to provide the required data): There is no obligation to provide personal data.
    If applicable, existence of an automated decision-making process: No automated decision making takes place.
    If applicable, origin of the data (if not collected directly from the data subject): The data comes from the data subject himself.
    Where applicable, categories of personal data (if not collected directly from the data subject): none
    Change of purpose if necessary: none
    Marketing
    Purpose of processing: Marketing for goods / services / companies; ordering and shipping of marketing items.
    Legal basis (according to Art. 6 / 9 GDPR):
  • Protection of legitimate interests (Art. 6 para. 1 f)
    Recipient (if applicable): Advertising agencies, if applicable
    If applicable, intention of forwarding to a third country or international organization (incl. info on adequacy decision of the Commission or suitable guarantees): A data transfer to a third country does not take place and is not planned.
    Duration of data storage (if known): See General deadlines for data deletion
    Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity: There is no obligation to provide personal data.
    Consequences of non-compliance (in case of failure to provide the required data): There is no obligation to provide personal data.
    If applicable, existence of an automated decision-making process: No automated decision making takes place.
    If applicable, origin of the data (if not collected directly from the data subject): As a rule, the data originates from the data subject him/herself; however, it may also originate from third parties.
    Where applicable, categories of personal data (if not collected directly from the data subject): Depending on the type of processing; first name, last name, address, Internet address, e-mail address, telephone number, fax number, position, industry, customer number, type of customer, contact history, appointment data, data on interests, contract data, case data.
    Change of purpose if necessary: none
    Online marketing
    Purpose of processing: External presentation of the company, online marketing; social media, website
    Legal basis (according to Art. 6 / 9 GDPR):
  • Fulfillment of a contract (Art. 6 para. 1 b)
  • Protection of legitimate interests (Art. 6 para. 1 f)
    Recipient (if applicable): Photographer if necessary, marketing agency if necessary
    If applicable, intention of forwarding to a third country or international organization (incl. info on adequacy decision of the Commission or suitable guarantees): A data transfer to a third country does not take place and is not planned.
    Duration of data storage (if known): See General deadlines for data deletion
    Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity: There is no obligation to provide personal data. If applicable, obligation to provide the data due to the contractual relationship between the person responsible and the data subject.
    Consequences of non-compliance (in case of failure to provide the required data): There is no obligation to provide personal data. If applicable, obligation to provide the data due to the contractual relationship between the person responsible and the data subject.
    If applicable, existence of an automated decision-making process: No automated decision making takes place.
    If applicable, origin of the data (if not collected directly from the data subject): As a rule, the data originates from the data subject him/herself; however, it may also originate from third parties.
    Where applicable, categories of personal data (if not collected directly from the data subject): Depending on the type of processing / interaction; if applicable, personal master data, contact data, photo / film recordings, other
    Change of purpose if necessary: none
    Customer survey (anonymous)
    Purpose of processing: Measurement of customer satisfaction (responses are anonymous; whether a person participated can be seen).
    Legal basis (according to Art. 6 / 9 GDPR):
  • Informed consent (Art. 6 para. 1 a)
  • Protection of legitimate interests (Art. 6 para. 1 f)
    Recipient (if applicable): Survey service provider, if applicable
    If applicable, intention of forwarding to a third country or international organization (incl. info on adequacy decision of the Commission or suitable guarantees): A data transfer to a third country does not take place and is not planned.
    Duration of data storage (if known): See General deadlines for data deletion
    Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity: There is no obligation to provide personal data.
    Consequences of non-compliance (in case of failure to provide the required data): There is no obligation to provide personal data.
    If applicable, existence of an automated decision-making process: In this context, we do not use automated decision-making.
    If applicable, origin of the data (if not collected directly from the data subject): The data comes from the data subject himself.
    Where applicable, categories of personal data (if not collected directly from the data subject): Only the personal data needed to carry out the relevant processing operation is processed; personal data is anonymized; additional header data, if applicable; "content data" (content of surveys - "body").
    Change of purpose if necessary: none
    Press
    Purpose of processing: Public relations / corporate presentation
    Legal basis (according to Art. 6 / 9 GDPR):
  • Safeguarding legitimate interests (Art. 6 para. 1 f)
    Recipient (if applicable): none
    If applicable, intention of forwarding to a third country or international organization (incl. info on adequacy decision of the Commission or suitable guarantees): A data transfer to a third country does not take place and is not planned.
    Duration of data storage (if known): See General deadlines for data deletion
    Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity: There is no obligation to provide personal data.
    Consequences of non-compliance (in case of failure to provide the required data): There is no obligation to provide personal data.
    If applicable, existence of an automated decision-making process: There is no automated decision making.
    If applicable, origin of the data (if not collected directly from the data subject): The data comes from the data subject himself.
    Where applicable, categories of personal data (if not collected directly from the data subject): Contact details (name, position, phone, email)
    Change of purpose if necessary: none
    Social Media Marketing
    Purpose of processing: Management of social media accounts and social media marketing; external presentation of the company; presentation of reference projects; use of social media for external presentation and communication with customers and suppliers
    Legal basis (according to Art. 6 / 9 GDPR):
  • Protection of legitimate interests (Art. 6 para. 1 f)
    Recipient (if applicable): If applicable, publication online
    If applicable, intention of forwarding to a third country or international organization (incl. info on adequacy decision of the Commission or suitable guarantees): A data transfer to a third country does not take place and is not planned.
    Duration of data storage (if known): See General deadlines for data deletion
    Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity: There is no obligation to provide personal data.
    Consequences of non-compliance (in case of failure to provide the required data): In case of non-compliance, social media cannot be used for the external presentation of the company and for communication.
    If applicable, existence of an automated decision-making process: No automated decision making takes place.
    If applicable, origin of the data (if not collected directly from the data subject): The data comes from the data subject himself.
    Where applicable, categories of personal data (if not collected directly from the data subject): Depending on the type of processing; first name, last name, contact details, image material.
    Change of purpose if necessary: none
    Events and functions
    Purpose of processing: Organization and implementation of events for customer retention, new customer acquisition and information
    Legal basis (according to Art. 6 / 9 GDPR):
  • Protection of legitimate interests (Art. 6 para. 1 f)
    Recipient (if applicable): Lettershop (invitation and information dispatch)
    If applicable, intention of forwarding to a third country or international organization (incl. info on adequacy decision of the Commission or suitable guarantees): A data transfer to a third country does not take place and is not planned.
    Duration of data storage (if known): See General deadlines for data deletion
    Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity: There is no obligation to provide personal data.
    Consequences of non-compliance (in case of failure to provide the required data): There is no obligation to provide personal data.
    If applicable, existence of an automated decision-making process: In this context, we do not use automated decision-making.
    If applicable, origin of the data (if not collected directly from the data subject): The data comes from the data subject himself.
    Where applicable, categories of personal data (if not collected directly from the data subject): Surname, first name, address data, telephone, e-mail, information on nutrition (choice of meals), bank details
    Change of purpose if necessary: none
    Analysis and reporting
    Purpose of processing: Reporting of company data to reveal hidden costs, market analysis, preparation of business reports
    Legal basis (according to Art. 6 / 9 GDPR):
  • Fulfillment of a contract (Art. 6 para. 1 b)
  • Fulfillment of legal obligations (Art. 6 para. 1 c)
  • Protection of legitimate interests (Art. 6 para. 1 f)
    Recipient (if applicable): none
    If applicable, intention of forwarding to a third country or international organization (incl. info on adequacy decision of the Commission or suitable guarantees): A data transfer to a third country does not take place and is not planned.
    Duration of data storage (if known): See General deadlines for data deletion
    Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity: Without the personal data in question, it is not possible to carry out this and any other business processes.
    Consequences of non-compliance (in case of failure to provide the required data): Without the personal data in question, it is not possible to carry out this and any other business processes.
    If applicable, existence of an automated decision-making process: In this context, we do not use automated decision-making.
    If applicable, origin of the data (if not collected directly from the data subject): As a rule, the data originates from the data subject him/herself; however, it may also originate from third parties.
    Where applicable, categories of personal data (if not collected directly from the data subject): Financial data, personnel data, production data
    Change of purpose if necessary: none
    Lawyer and court documents
    Purpose of processing: Protection of legal interests of the company, for professional evaluation of contracts, documents, etc.
    Legal basis (according to Art. 6 / 9 GDPR):
  • Fulfillment of legal obligations (Art. 6 para. 1 c)
  • Protection of legitimate interests (Art. 6 para. 1 f)
    Recipient (if applicable): Specialist lawyer, public prosecutor, jurisdiction, EU conciliation body
    If applicable, intention of forwarding to a third country or international organization (incl. info on adequacy decision of the Commission or suitable guarantees): A data transfer to a third country does not take place and is not planned.
    Duration of data storage (if known): See General deadlines for data deletion
    Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity: Without the personal data in question, it is not possible to carry out this and any other business processes.
    Consequences of non-compliance (in case of failure to provide the required data): Without the personal data in question, it is not possible to carry out this and any other business processes.
    If applicable, existence of an automated decision-making process: In this context, we do not use automated decision-making.
    If applicable, origin of the data (if not collected directly from the data subject): As a rule, the data originates from the data subject him/herself; however, it may also originate from third parties.
    Where applicable, categories of personal data (if not collected directly from the data subject): Depending on the individual case
    Change of purpose if necessary: none
    Information procedure for data subjects
    Purpose of processing: Administration of the information procedure for data subjects, by telephone, e-mail or letter post.
    Legal basis (according to Art. 6 / 9 GDPR):
  • Protection of legitimate interests (Art. 6 para. 1 f)
  • Fulfillment of legal obligations (Art. 6 para. 1 c)
    Recipient (if applicable): If applicable, external data protection officer
    If applicable, intention of forwarding to a third country or international organization (incl. info on adequacy decision of the Commission or suitable guarantees): A data transfer to a third country does not take place and is not planned.
    Duration of data storage (if known): See General deadlines for data deletion
    Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity: There is a legal obligation to provide the personal data.
    Consequences of non-compliance (in case of failure to provide the required data): Non-compliance may result in sanctions.
    If applicable, existence of an automated decision-making process: In this context, we do not use automated decision-making.
    If applicable, origin of the data (if not collected directly from the data subject): As a rule, the data originates from the data subject him/herself; however, it may also originate from third parties.
    Where applicable, categories of personal data (if not collected directly from the data subject): Name, first name, address data, contact data, personal data of the data subject, data on recipients
    Change of purpose if necessary: none
    Tenders
    Purpose of processing: Submitting suitable offers to potential customers in public tender procedures. Successful participation in tenders and awarding of contracts.
    Legal basis (according to Art. 6 / 9 GDPR):
  • Protection of legitimate interests (Art. 6 para. 1 f)
  • Implementation of pre-contractual measures (Art. 6 para. 1 b)
    Recipient (if applicable): none
    If applicable, intention of forwarding to a third country or international organization (incl. info on adequacy decision of the Commission or suitable guarantees): A data transfer to a third country does not take place and is not planned.
    Duration of data storage (if known): See General deadlines for data deletion
    Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity: Without the personal data in question, it is not possible to carry out this and any other business processes.
    Consequences of non-compliance (in case of failure to provide the required data): Without the personal data in question, it is not possible to carry out this and any other business processes.
    If applicable, existence of an automated decision-making process: In this context, we do not use automated decision-making.
    If applicable, origin of the data (if not collected directly from the data subject): As a rule, the data originates from the data subject him/herself; however, it may also originate from third parties.
    Where applicable, categories of personal data (if not collected directly from the data subject): Personal master data, communication data, contract master data, planning and control data, other data if necessary; information on the company, on previous projects, on the qualification of the employees, on the fulfillment of legal obligations (e.g. compliance with the minimum wage), etc.
    Change of purpose if necessary: none
    Controlling
    Purpose of processing: Planning, management and control of all corporate divisions
    Legal basis (according to Art. 6 / 9 GDPR):
  • Fulfillment of a contract (Art. 6 para. 1 b)
  • Protection of legitimate interests (Art. 6 para. 1 f)
  • Fulfillment of legal obligations (Art. 6 para. 1 c)
    Recipient (if applicable): none
    If applicable, intention of forwarding to a third country or international organization (incl. info on adequacy decision of the Commission or suitable guarantees): A data transfer to a third country does not take place and is not planned.
    Duration of data storage (if known): See General deadlines for data deletion
    Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity: Without the personal data in question, it is not possible to carry out this and any other business processes.
    Consequences of non-compliance (in case of failure to provide the required data): Without the personal data in question, it is not possible to carry out this and any other business processes.
    If applicable, existence of an automated decision-making process: In this context, we do not use automated decision-making.
    If applicable, origin of the data (if not collected directly from the data subject): As a rule, the data originates from the data subject him/herself; however, it may also originate from third parties.
    Where applicable, categories of personal data (if not collected directly from the data subject): First name, last name, address, e-mail address, telephone number, customer number, customer type, contact data, contract data, inventory data, usage data, sales data
    Change of purpose if necessary: none
    Data to tax advisors, auditors, customs authorities
    Purpose of processing: Data transfer regarding business management analysis (BWA), account assignment, tax data / tax closing / customs clearance, etc.
    Legal basis (according to Art. 6 / 9 GDPR):
  • Safeguarding legitimate interests (Art. 6 para. 1 f)
  • Fulfillment of legal obligations (Art. 6 para. 1 c)
    Recipient (if applicable): Authorities, tax advisors, auditors, service providers and their contacts
    If applicable, intention of forwarding to a third country or international organization (incl. info on adequacy decision of the Commission or suitable guarantees): A data transfer to a third country does not take place and is not planned.
    Duration of data storage (if known): See General deadlines for data deletion
    Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity: There is a legal obligation to provide the personal data.
    Consequences of non-compliance (in case of failure to provide the required data): Non-compliance may result in sanctions.
    If applicable, existence of an automated decision-making process: In this context, we do not use automated decision-making.
    If applicable, origin of the data (if not collected directly from the data subject): As a rule, the data originates from the data subject him/herself; however, it may also originate from third parties.
    Where applicable, categories of personal data (if not collected directly from the data subject): Name, first name, address data, contact data, bank data, insurance number, date of birth, ID data
    Change of purpose if necessary: none
    Project Management
    Purpose of processing: Leading, controlling, coordinating projects of all kinds, such as generating new business, planning complex IT systems or optimizing business processes, managing any projects in the company
    Legal basis (according to Art. 6 / 9 GDPR):
  • Protection of legitimate interests (Art. 6 para. 1 f)
  • Fulfillment of a contract (Art. 6 para. 1 b)
  • Fulfillment of legal obligations (Art. 6 para. 1 c)
    Recipient (if applicable): Customers, interested parties, suppliers, craftsmen, authorities, service providers, as well as their contact persons
    If applicable, intention of forwarding to a third country or international organization (incl. info on adequacy decision of the Commission or suitable guarantees): A data transfer to a third country does not take place and is not planned.
    Duration of data storage (if known): See General deadlines for data deletion
    Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity: Without the personal data in question, it is not possible to carry out this and any other business processes.
    Consequences of non-compliance (in case of failure to provide the required data): Without the personal data in question, it is not possible to carry out this and any other business processes.
    If applicable, existence of an automated decision-making process: In this context, we do not use automated decision-making.
    If applicable, origin of the data (if not collected directly from the data subject): As a rule, the data originates from the data subject him/herself; however, it may also originate from third parties.
    Where applicable, categories of personal data (if not collected directly from the data subject): First name, last name, address, e-mail address, telephone number, fax number, industry, position, appointment data, contract data, communication data, sales data
    Change of purpose if necessary: none
    Audit, Compliance
    Purpose of processing: Verification of the legal conformity of business processes in the company
    Legal basis (according to Art. 6 / 9 GDPR):
  • Protection of legitimate interests (Art. 6 para. 1 f)
  • Fulfillment of legal obligations (Art. 6 para. 1 c)
    Recipient (if applicable): Auditor, if applicable
    If applicable, intention of forwarding to a third country or international organization (incl. info on adequacy decision of the Commission or suitable guarantees): A data transfer to a third country does not take place and is not planned.
    Duration of data storage (if known): See General deadlines for data deletion
    Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity: Without the personal data in question, it is not possible to carry out this and any other business processes.
    Consequences of non-compliance (in case of failure to provide the required data): Without the personal data in question, it is not possible to carry out this and any other business processes.
    If applicable, existence of an automated decision-making process: In this context, we do not use automated decision-making.
    If applicable, origin of the data (if not collected directly from the data subject): The data usually originates from the data subject, but may also come from third parties.
    Where applicable, categories of personal data (if not collected directly from the data subject): Depending on the case: first name, last name, e-mail address, telephone number, date of birth, marital status, position, contact data, contact history, appointment data, bank details, VAT registration number, contract data, inventory data, usage data, content data, communication data, social security data, working hours, wage/salary data, tax classes.
    Change of purpose if necessary: none
    Service
    Purpose of processing: Provision of various services
    Legal basis (according to Art. 6 / 9 GDPR):
  • Protection of legitimate interests (Art. 6 para. 1 f)
  • Fulfillment of a contract (Art. 6 para. 1 b)
    Recipient (if applicable): Subcontractor if necessary
    If applicable, intention of forwarding to a third country or international organization (incl. info on adequacy decision of the Commission or suitable guarantees): A data transfer to a third country does not take place and is not planned.
    Duration of data storage (if known): See General deadlines for data deletion
    Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity: Obligation to provide the data due to the contractual relationship between the person responsible and the data subject.
    Consequences of non-compliance (in case of failure to provide the required data): Without the data in question, the provision of various services is not possible.
    If applicable, existence of an automated decision-making process: In this context, we do not use automated decision-making.
    If applicable, origin of the data (if not collected directly from the data subject): The data usually originates from the data subject, but may also come from third parties.
    Where applicable, categories of personal data (if not collected directly from the data subject): Personal master data, address data, bank data, contact data, payment data, wage and salary data, contract data, time recording data, correspondence; various
    Change of purpose if necessary: none
    Customer support
    Purpose of processing: Support for customers via remote desktop software
    Legal basis (according to Art. 6 / 9 GDPR):
  • Fulfillment of a contract (Art. 6 para. 1 b)
  • Safeguarding legitimate interests (Art. 6 para. 1 f)
    Recipient (if applicable): none
    If applicable, intention of forwarding to a third country or international organization (incl. info on adequacy decision of the Commission or suitable guarantees): A data transfer to a third country does not take place and is not planned.
    Duration of data storage (if known): See General deadlines for data deletion
    Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity: No processing of personal data is planned; however, due to the service, access to personal data cannot be excluded.
    Consequences of non-compliance (in case of failure to provide the required data): No processing of personal data is planned; however, due to the service, access to personal data cannot be excluded.
    If applicable, existence of an automated decision-making process: In this context, we do not use automated decision-making.
    If applicable, origin of the data (if not collected directly from the data subject): The data usually originates from the data subject, but may also come from third parties.
    Where applicable, categories of personal data (if not collected directly from the data subject): No processing of personal data is planned; however, due to the service, access to personal data cannot be excluded. Access to special categories cannot be excluded either; these include: racial and ethnic origin, religious or philosophical beliefs, health
    Change of purpose if necessary: none