Privacy
Policy

Version January 2024

As the controller, we hereby comply with our duty to provide information and inform you about the nature, scope, purposes, and other details regarding the processing of personal data. First of all, we provide general information on this, insofar as it relates to all processing or represents overriding regulations for this. This is followed by information on individual processing operations.

This privacy policy may be adapted on an ad hoc basis or on the basis of regular review. We therefore recommend that you read the information on this page regularly, but we will point out any significant changes.

A  General

1. Scope

This privacy policy applies to this website and our other online presences that refer to this privacy policy, including online presences with third-party providers. In addition, this privacy policy also applies to the further processing described here in the context of our activities. We refer to this privacy policy to simplify access and to comply with the transparency requirement.

For offers of other providers, which are referred to e.g. via links, their conditions and privacy policies apply.

2. Reference to explanations

Under the term ‘General explanations’ we have compiled information in order to avoid overloading the content with additional information and having to repeat it.

In particular, we would like to refer to the explanations on the data categories, which should enable a better understanding of the descriptions concerning the processing operations.

3. Controlling body

CoBenefit UG
Auf den Häfen 12-15
28203 Bremen, Germany

Shareholders: Florian Bonert, Dennis K. Njuguna, Leon P. Trippel

Contact email: privacy@cobenefit.co

4. Recipients and disclosure of data

a) Passing on data

In carrying out our activities, the transfer or disclosure may be necessary in the context of the processing of personal data, in particular if one of the following reasons based on the indicated legal basis applies:

• It is necessary for the fulfilment of a contract with the affected person or the implementation of pre-contractual measures upon their request (Art. 6 para. 1 lit. b DSGVO).
• There is a legal obligation (Art. 6 para. 1 lit. c DSGVO).
• We or a third party have a legitimate interest in the processing of the data and there is no reason to assume that the affected person has an overriding legitimate interest (Art. 6 (1) (f) DSGVO), e.g. in the case of the protection of commercial interests or the assertion, exercise or defence of legal claims.
• We have specific and valid consent (Art. 6 para. 1 lit. a DSGVO).

Categories of recipients in the context of our activities and operations may include in particular:

• Postal, telecommunication and transport service providers, internet providers.
• Payment and financial service providers.
• Sales and business partners and other persons and companies involved in the provision of a service.
• Affiliated companies in our group of companies if certain processes and processing are outsourced to them for economic or organisational reasons and being necessary for this purpose.
• Authorities, courts, claimants, other parties involved.

In addition, we point out in the individual processing operations if further recipients come into consideration.

b) Processing by service providers/suppliers

In order to carry out our activities, we also use service providers bound by instructions as processors within the scope of the processing of personal data, who are also considered recipients of the data within the meaning of data protection. A contract for commissioned processing ensures in particular that the processing is carried out on the basis of our instructions, that sufficient guarantees exist for compliance with suitable technical and organisational measures, and that the rights of the persons affected are guaranteed.

In general, we use service providers for the following processing purposes:

• Hosting of our online offers / websites with providers (infrastructure and platform services, computing capacity, storage space and database services).
• Care, maintenance, and upkeep of the online offers / websites.
• Implementation, care, maintenance and servicing of IT systems.
• Corporate platform with functions and services for collaboration, administration and organisation, document and information management.
• Communication, contact and conference systems (e-mail, contacts, appointments, messenger, web conference, etc.).
• File and data media destruction

In addition, we point out in the individual processing operations when processors are used.

5. General criteria for determining the storage period (deletion deadlines)

We store personal data as long as it is necessary for the purposes of the corresponding processing (Art. 5 para. 1 lit. c DSGVO), legal retention periods exist (Art. 6 para. 1 lit. c DSGVO) or we have a legitimate interest in the storage (Art. 6 para. 1 lit. f DSGVO) or a corresponding consent from the affected person exists (Art. 6 para. 1 lit. a DSGVO).

We store data in accordance with the following rules for the duration specified in each case and delete or destroy it after the specified storage period has expired:

• 3 months: connection data, usage data, protocol and log data
• 6 months: Applications from rejected applicants
• 3 years: Data and content relating to legal transactions or actions similar to legal transactions (including their preparation) as far as necessary for the ability to provide information and defence as well as for the assertion or defence of claims. This also includes data on marketing and customer care, unless they also fall under a category for a longer storage period.
• 6 years: commercial letters received and sent (section 257 (1) nos. 2 and 3, (4) HGB)
• 10 years: Documents relevant for taxation, accounting vouchers, commercial books (§§ 147 para. 1 AO, 257 para. 1 nos. 1 and 4, para. 4 HGB)
• 30 years: Data stored due to special circumstances in one’s own interest or in the interest of others, as there are corresponding limitation periods or special retention periods (e.g. enforcement orders, special limitation periods).

The beginning of a time limit is usually the end of the calendar year or the month in which the last event for the respective processing took place (e.g. enquiry, order, delivery, legal transaction, end of a contract through performance, expiry or termination, invoicing, receipt of payment).

After the storage period has expired, it is reviewed whether further storage is necessary. If circumstances arise during storage (e.g. conclusion of a contract, negotiations about claims, legal disputes, etc.) that make a longer storage period necessary, these periods are extended accordingly.

Special features regarding the storage period of certain processing operations are indicated at the appropriate place. If no information is provided for the corresponding processing, the storage period is based on the criteria mentioned above.

6. Use of automated decisions in individual cases or profiling

As a rule, no decision vis-a-vis persons based exclusively on automated processing or profiling within the meaning of Article 22 of the GDPR takes place. If such procedures are used in individual processing operations, we will point this out and provide meaningful information about the logic involved and the scope and intended effects.

B  Rights of affected persons, revocation and objection

1. General rights of the affected persons

If a person is affected by the processing of personal data by us (e.g. as a user of our online services, customer, contact person, employee or applicant, etc.), they have various rights vis-a-vis us:

• Right to information according to Art. 15 DSGVO.
• Right to rectification according to Art. 16 DSGVO.
• Right to erasure within the framework of Art. 17 DSGVO.
• Right to restriction of processing within the framework of Art. 18 DSGVO.
• Right to data portability according to Art. 20 DSGVO.

It may also make use of the right of appeal to a supervisory authority under data protection law in accordance with Art. 77 DSGVO.

We would like to point out that the claims are subject to the legal requirements and may also be restricted under certain circumstances (e.g. § 34 BDSG).

In order to exclude abuse, we must be certain of the identity of the persons concerned, depending on the form (e-mail / in writing), content and scope when exercising rights. Please note that we therefore require and, if necessary, request corresponding identification and verification documents.

To exercise your rights, please use the contact information above.

2. Revocation of consents

If processing takes place on the legal basis of consent, this can be revoked.

3. Right of objection

A right of objection can be considered for certain processing operations.

C  Provision of online offers and other media services

In the following, we explain the processing within the framework of the online offers and media services provided and offered by us.

1. Provision of online services and web hosting, log files

Our online offers serve the purpose of general communication, the offering and presentation of information about us as well as the provision of benefits and services within the scope of our contract fulfilment or pre-contractual measures. For the provision, the users’ page views are processed and the corresponding content data is provided and transmitted.

The resulting connection data is stored in a log file. The storage is pseudonymised by replacing the identifiable data (in particular the IP address) anonymised by removing the identifiable data (in particular the IP address). The connection data is stored to ensure the information security and functionality of the website. An evaluation may also be carried out for these purposes. The regular deletion of the log data takes place after 6 months of their collection at the latest.

In order to provide certain options for using the website, it is technically necessary to save a cookie (see below) in the browser to assign the user to a specific session. This includes, in particular, functions such as a login, user settings, shopping cart and selection options as well as forms, but also security functions to exclude spamming and misuse, etc.

We use service providers for the provision (hosting) of the online offer. For this purpose, we have concluded a data processing contract with the providers, insofar as personal data is processed in the process.

There is no possibility to object to the processing, as the collection and storage of the data is absolutely necessary for the provision. A deletion in the log file is disproportionately costly due to a hardly possible allocation and the data consistency of a log file.

The provision of the data takes place within the framework of the use of the offers. Use is not possible without the provision.

Persons concerned: Users of the online services.

Categories of data processed: Connection data.

Receiver: Service providers used (processors).

Legal basis for data processing in the context of provision is our legitimate interest resulting from this purpose (Art. 6 para. 1 lit. f DSGVO). Insofar as online offers are necessary for the fulfilment of a contract with the user or pre-contractual measures at the user’s request, the legal basis in this respect is also Art. 6 para. 1 lit. b DSGVO. If and insofar as we obtain consent for processing in the context of provision, this is the legal basis (Art. 6 para. 1 lit. a DSGVO).

2. Links to offers from other providers

We also use links to offers from other providers on our online offers in order to optimise functionality and increase user-friendliness. The respective provider or operator is controlling these linked offers. We have no influence on the processing. In this respect, we refer to the privacy policies of the providers of these offers in order to get an appropriate picture of the processing.

It is possible that these providers collect data about users, use cookies and also embed additional tracking services from other providers. In addition, it is possible that data can be linked to a user account that users have with the provider and are logged in there. Users who have concerns about this should refrain from using the links.

3. Integration and use of external services from third-party providers

We use external services and content from other providers for various functions and content on our online offers. When content is requested on our online offers, requests are sent by the user’s browser to the servers of the integrated web services in order to provide the corresponding functions or content.

This requires the processing of the usage data of the user’s request by the third-party provider. However, it is possible for the third-party providers to further process this data, e.g. to use the usage behaviour for statistical or marketing purposes.

It is possible that the providers collect and process data about users by using tracking techniques (e.g. cookies, web beacons, tracking pixels, etc.). In addition, it is possible that data can be linked to a user account if a registered user is logged in to the respective provider. We cannot check the processing of data at the third-party providers, but refer to the respective data protection notices of the providers.

The legal basis for the use of third-party services is our legitimate interest in optimising the functionalities and presentation, user-friendliness, defence against cyber attacks and protection against misuse of our website (Art. 6 para. 1 lit. f DSGVO). If and insofar as consent is obtained from the user, this is the sole legal basis (Art. 6 para. 1 lit. a DSGVO).

a) Plausible Analytics

We use Plausible Analytics to track the usage of our websites without collecting any personal data or personally identifiable information. Cookies are not set and all data is in aggregate only. Strored data: URL of each page view, HTTP referer, browser and browser version, operating system, device type (desktop, mobile or tablet), location (country, region, city). IP adresses are never stored in databases or logs.

• Provider: Plausible Insights OÜ, Västriku tn 2, 50403, Tartu, Estonia
• Data policy of the provider: https://plausible.io/data-policy

D  Social media

We maintain an online presence on the platforms of social media providers for the purpose of communicating with customers, suppliers and those interested in our company as well as for public relations, presentation and information about our services.

The interest of social media providers regularly lies in comprehensively using the users' data for the creation of user profiles and evaluations of usage behaviour. These are in turn used for market research and advertising purposes. For this purpose, cookies are regularly stored on the end devices of the users. In addition, user data can be assigned to their respective profiles if they are also members of the platform and are regularly logged in there. If users maintain a profile/account on social media, we recommend selecting the safest possible settings and using revocation options within the framework of the data protection settings available there. As far as known, we provide links to the individual providers.

We are controlling data protection jointly with the social media providers for as long as our content is used on the platforms, in particular for the collection of data. However, we do not have direct access to the providers' data. We point out that the exercise of the affected person rights (see above) is possible both towards the provider and towards us. It is much more efficient to exercise the affected person rights vis-à-vis the individual providers listed below. Further links to information from the providers can also be found with the details, in particular the privacy policies on the processing of data by them.

In particular, the following categories of data are processed: Name, contact data, authentication information, content data (video, audio, text), usage data (e.g. web pages visited, interest in content, access times), technically related meta and log data (e.g. device information, IP addresses).

The legal basis for the processing is Art. 6 (1) lit. f DSGVO, whereby the interest results from the stated purposes. If and insofar as a necessary consent is obtained for processing on the platforms, the legal basis is Art. 6 para. 1 lit. a DSGVO.

The data processed by us will be deleted after criteria for the general storage period. Regarding the storage period of the data on the respective social networks, we refer to the respective privacy policies.

Most social media providers or their parent companies are not based in the EU, but in a third country, usually the USA. As a precaution, we would like to point out that this may entail certain risks, especially in the enforcement of the rights of affected persons (deletion, information, correction, etc.), but also in the use of the data.

1. Facebook (https://www.facebook.com)

• Provider EU: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland
• Privacy policy: https://www.facebook.com/about/privacy
• Settings and objection options: https://www.facebook.com/settings?tab=ads

2. Instagram (https://www.instagram.com)

• Provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland
• Privacy policy: https://privacycenter.instagram.com/policy

3. LinkedIn (https://www.linkedin.com)

• Provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland
• Ensuring the level of data protection for third country processing through EU standard contractual clauses and additional measures in the context of commissioned processing: https://legal.linkedin.com/dpa
• Privacy policy: https://www.linkedin.com/legal/privacy-policy
• Settings and objection options: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out

E  Processing operations in the course of our business

In the following, we provide information on processing that we carry out in the course of our activities and to which we also refer at the appropriate point.

1. General communication, contacting, contact directory

For the purpose of general communication within the scope of our activities, we process the data required in connection with communication, e.g. when persons contact us (e.g. contact form, e-mail, telephone or also via social media), when information is provided to us at events, trade fairs or other opportunities to make contact (e.g. business card, entry in file of interested persons, verbal enquiry, etc.), or when we make contact for the purpose of initiating business, requesting information or for other operational reasons and also use publicly available information for this purpose.

Connection data and traffic data are stored in log files and possibly also history lists on end devices (e.g. telephones, e-mail transmission logs, etc.).

The master data required for communication is also stored in a central contact directory to ensure that it is up to date and to simplify processes, unless there are special reasons not to do so.

The provision of data is voluntary. Without provision, communication is not possible.

Affected persons: Employees; freelancers; customers, suppliers, service providers, interested persons, business partners, authorities or their contact persons; applicants.

Categories of data processed: Name, contact data, address data, content data, connection data, traffic data.

Recipients: We use processors (service providers, platform providers, service providers) as part of the processing.

The storage period of the data is determined by the general criteria (see above).
Data in the contact directory is checked regularly and on an ad hoc basis for up-to-dateness and relevance and deleted if necessary (e.g. termination of the contractual relationship, no feedback after contact requests).

Legal basis:
Contract fulfilment and pre-contractual measures in the case of enquiries by the affected person, Art. 6 para. 1 lit. b DSGVO.
Our legitimate interest (results from the purposes), Art. 6 para. 1 lit. f DSGVO.
Consent, insofar as we obtain consent for certain processing purposes, Art. 6 para. 1 lit. a DSGVO.

2. Telecommunications

For internal and external communication with participants (telephone calls, online meetings, web conferences, webinars, etc.), the necessary contact data, traffic data and content data are processed. For these purposes, we use service providers who, as telecommunication providers, are independent controlling parties within the scope of these services and are subject to telecommunications secrecy in accordance with § 3 TTDSG.

The video and audio contents are regularly not stored permanently. In the case of a webinar and insofar as all participants affected by a recording expressly consent, video and audio content may be recorded in individual cases. Names of participants, materials used and text content (chats and comments) are stored and processed according to their purposes for provision (e.g. logging, documentation).

Within the scope of use, cookies may also be used which are technically necessary for the realisation of the web conference (allocation and settings of the participants).

Categories of data processed: Name, contact details, user information, content data (video, audio, text, materials used), connection data, traffic data.

Recipients are the telecommunications service providers used. In addition, content data and contact data are disclosed to other participants in the course of planning and realisation, if and to the extent that they are provided voluntarily and are obviously intended for this purpose.

The storage period of the data is determined by the general criteria (see above). Traffic data is deleted by the respective telecommunication providers after the communication has ended, unless it is required for billing purposes or the users have given their consent to storage.

Legal basis: Contract performance and pre-contractual measures in the case of enquiries by the affected person, Art. 6 para. 1 lit. b DSGVO; our legitimate interest (results from the purposes), Art. 6 para. 1 lit. f DSGVO. Consent, if we obtain one for certain processing purposes (e.g. a recording), Art. 6 para. 1 lit. a DSGVO.

3. Conclusion and execution of the contract; provision of services

Within the framework of the conclusion of contracts as well as for the provision of services and the execution of contracts, including the initiation, negotiation, and execution of contracts, we process data of customers, clients, business partners and interested persons or the corresponding contact persons (affected persons). The purpose of the processing is both the provision of services within the framework of the contractual agreements and the communication, documentation, administration and invoicing required for this.

The provision of the data is necessary for the conclusion of the contract and its realisation. The provision of services is not possible without the provision of the required data.

Categories of data processed: Name, contact data, address data, contract data, payment transaction data, organisational and processing data for the execution of the contract (correspondence, communication, appointments, notes, minutes, activities).

Recipients: We use various service providers as well as subcontractors within the scope of the provision of services, to whom the data required in each case for the performance of services is passed on or disclosed.

In addition, third parties may also be considered as recipients within the scope of the execution of the contract, which may result from the respective service content of the contract (e.g. in the case of referral, order).

The legal basis is the performance of the contract and pre-contractual measures in the case of enquiries by the affected person, Art. 6 para. 1 lit. b DSGVO, as well as our legitimate interest (efficient performance of the contract and administration), Art. 6 para. 1 lit. f DSGVO. If we obtain consent for certain processing purposes, this is the legal basis, Art. 6 para. 1 lit. a DSGVO.

4. Procurement of goods, services, and other performances

To meet operational needs, we process personal data in the context of the procurement of goods, services, and other benefits, such as licences, insurance, or memberships, including information procurement, communication, benchmarking and contract execution. For this purpose, we also make use of publicly available data.

Affected persons: Freelancers; suppliers, service providers, interested persons, business partners or their contact persons.

Categories of data processed: Name, contact data, address data, contract data, payment transaction data, organisational and processing data for the execution of the contract (correspondence, communication, appointments, notes, minutes, activities).

Recipients: We also use various service providers as part of the procurement process, to whom the respective required data is passed on or disclosed.

The legal basis is the fulfilment of the contract, Art. 6 para. 1 lit. b DSGVO as well as our legitimate interest (safeguarding business interests), Art. 6 para. 1 lit. f DSGVO.

5. Dialogue and direct marketing, newsletter

We carry out personalised direct marketing measures and use the personal data voluntarily provided to us for this purpose in order to provide information about news and things worth knowing from our field of activity and also about our services and products. In doing so, we also observe the special conditions under competition law.

Direct marketing measures by post in the form of information letters or brochures to potential interested persons are in our legitimate interest in advertising and marketing.

Direct marketing in electronic form (e.g. e-mail, text message, fax), such as newsletters, only takes place with expressed consent, which we regularly obtain with the so-called double opt-in procedure on our website or other websites.

We only carry out direct telephone marketing if we have been given appropriate consent to do so or if we can assume that consent has been given in the cases specified by law.

The procedures for consent and its revocation as well as any objections issued are logged, as are the measures carried out. The log data contains the necessary information for identification and time details of the process and is only used for verification purposes. Cookies may also be used in this context, which are necessary for the recording.

Categories of data processed: As far as necessary for the individual measures and provided voluntarily: Name, address data, contact data; usage data for logging.

Recipients are the order processors used in the context of the realisation (service providers, platform providers, service providers, newsletter dispatch).

Legal basis: Consent, Art. 6 para. 1 lit. a DSGVO and our legitimate interest (advertising and marketing), Art. 6 para. 1 lit. f DSGVO.

6. Carrying out events and trade fairs

We process personal data for the planning, organisation, and realisation of events (trade fairs, company presentations to present the company, training courses, etc.). The purpose can be public relations and the acquisition of interested persons, customers, business partners and employees, but also the fulfilment of a contract, further training or other company purposes.

Recipients: We use service providers within the scope of order processing for carrying out events. Personal data is only transferred to third parties if and insofar as they are obviously intended to or can generally be expected to be transmitted and this is necessary in the context of the service provision, i.e., in particular in the context of reservations for event venues, transport companies, hotels, etc. The data is only transferred to third parties if and insofar as this is necessary in the context of the service provision.

Affected persons: Participants; business partners, customers, interested persons or their contact persons; employees

Categories of data processed: Name, contact details, address details, relevant information for the event implementation.

The legal basis is the provision of services within the framework of contractual relationships (Art. 6 para. 1 lit. b DSGVO) or within the framework of the employment relationship, § 26 BDSG; in addition, we have a legitimate interest (results from the above purposes), Art. 6 para. 1 lit. f DSGVO.
Insofar as we obtain consent for further purposes, this is the legal basis (Art. 6 para. 1 lit. a DSGVO).

7. Payment and monetary transactions, accounting, controlling

In order to fulfil our legal and contractual obligations within the scope of accounting duties, controlling requirements and payment transactions, we process the data required for this purpose. This includes, in particular, the preparation and recording of all relevant accounting transactions, control and verification of payment transactions, preparation of evaluations and preparation of financial statements, payment of liabilities; management and control of accounts, credit cards and payment service providers.

Affected persons: Employees; freelancers; customers, suppliers, service providers, interested persons, business partners or their contact persons; applicants (if reimbursements).

The categories of data processed are contact data, payment transaction data, accounting data, travel expenses, contract data, time recording data, etc.

Recipients: We also use service providers as order processors for the processing of accounting tasks. In addition, a transfer or disclosure to third parties may take place if it is necessary for the implementation of the processing or for corresponding control purposes to ensure proper processing (e.g. tax office, tax advisors, authorities, auditors, lawyers).

In the case of payment transactions, the data required for this specific purpose is passed on to the respective payment service provider (banks, payment service providers, etc.).

Legal basis: Legal regulations to comply with accounting and financial statement obligations, to ensure proper business operations and to ensure the continued existence of the company, Art. 6 para. 1 lit. c DSGVO.
Processing in the context of the fulfilment of contractual relationships, Art. 6 para. 1 lit. b DSGVO.
Our legitimate interest (safeguarding operational interests), Art. 6 para. 1 lit. f DSGVO.

8. Photo and video recordings at events

At events, trade fairs and other public occasions, we take film and/or photo recordings (recordings) of participating or present persons (persons concerned) for the purpose of public relations, company presentation and documentation. These recordings may be published on our homepage, social media channels, newsletters and in print media or also passed on to the press for the aforementioned purposes, provided that this can usually be expected, or consent has been given. We also refer to this accordingly on invitations and at the events.

The request of persons not to be recorded will be considered if they express this or clearly indicate it. To this end, the cameraman or photographer can be approached or clear signals can be given – even after any recordings have been made.

Recordings will be deleted or processed for deletion if they are obviously or presumably not desired by the persons concerned, for example unflattering pose or facial expression, situation, possible misinterpretation of the situation, risk of discrimination, privacy or intimate sphere may be affected.

The storage period depends on the purpose of the recording. This can vary, as there may be a great interest in certain recordings for archival purposes.

We may also commission service providers to make the recordings or purchase them from them.

We have a legitimate interest in processing the film and photo recordings for public relations, documentation and illustration of the activities mentioned. (Legal basis Art. 6 para. 1 lit. f DSGVO). Insofar as consent is given, the legal basis is Art. 6 para. 1 lit. a DSGVO.

If recordings allow conclusions to be drawn about special categories of personal data, the recordings are only used if the affected person has made the circumstances public themself (e.g. by wearing badges, etc.), Art. 9(2)(e) DSGVO.

9. Destruction of data carriers and documents

Data carriers and documents (paper, film, electronic, magnetic, optical data carriers, etc.) with non-public content that are no longer used or required are collected, kept locked, and destroyed at least according to security level 3 in accordance with the type of material as per DIN 66399. All personal data including special categories of all persons concerned are destroyed.

Categories of data processed: All processed data.

Receiver: Trustworthy and qualified service providers are used for professional destruction within the framework of data processing.

Legal basis: Fulfilment of a legal obligation, Art. 6 para. 1 lit. c) in conjunction with. Art. 17 DSGVO.

10. Assertion, exercise, or defence of legal claims; debt collection

If it is necessary to assert, exercise or defend legal claims or to collect debts, we process the necessary data and information from the parties involved and the persons required in the context of the facts. In this context, personal data may also be processed for this purpose if they were originally collected for another purpose (Art. 6 (4) DSGVO).

Affected persons: Employees; customers, interested persons, suppliers, service providers, business partners, authorities or their contact persons/representatives/authorised representatives; witnesses and experts; other claimants or opponents.

Categories of data processed: as far as necessary, personal master data; address data, contact data; required content data, recordings, documents and information.
Special categories of personal data: if and to the extent necessary (Art. 9 para. 2 lit. f DSGVO; § 24 para. 2 BDSG).

Recipients in connection with the processing may be different authorities, courts, claimants, companies or also service providers (e.g. lawyers, appraisers, debt collection companies, etc.) depending on the nature of the facts.

The legal basis is Art. 6 para. 1 lit. f DSGVO; § 24 para. 1 no. 2 BDSG. Our legitimate interest lies in the assertion, exercise or defence of legal claims. With regard to any necessary processing of special categories of personal data, Art. 9 para. 2 lit. f DSGVO; § 24 para. 2 BDSG applies.

F  Applications and recruiting

1. Recruiting, applications

We process data from applicants for the purpose of carrying out the application process. The data is generally collected directly from the applicants as part of the application process through the application documents, interviews, any aptitude tests, and questionnaires. However, we also use job exchanges and employment agencies.

We also use permissibly collected data made available by affected persons on publicly accessible sources for professional self-presentation and professional exchange, in particular on platforms such as XING or LinkedIn.

The data will only be used to fill the specific job or activity for which the person concerned has applied. We will only consider the application for other jobs or activities and pass on the data to other affiliated companies if we have been given the corresponding consent. If necessary, we will ask the affected persons to give their consent. This consent can be revoked at any time with effect for the future. If it is not given, this will not affect the application process in any way.

Recipients: The data is processed within the company by the departments and persons required during the application process (e.g. management, HR department, specialist department, if applicable works council, if applicable representation of severely disabled persons). In some cases, we involve service providers in the application process. If applicants' data is processed by them (e.g. personnel consultants), this takes place within the framework of commissioned processing.

Categories of data processed: Personal data, contact data, address data, application documents, information voluntarily provided by the affected person.

Obligation to provide data: The provision of data is voluntary. Failure to provide the data required to assess aptitude, ability and professional performance with regard to the vacant position may result in an application not being considered for the vacant position.

Storage period: if no employment relationship is established, application documents are deleted 6 months after completion of the application process. If a corresponding consent for a longer storage period has been granted, the deletion will take place at the latest after the expiry of this period.

If an employment relationship is established, the data is transferred to the personnel file. We provide separate information on processing within the scope of the employment relationship.

The legal basis for the required processing of applications in the context of a possible establishment of an employment relationship is Section 26 BDSG; Article 6 (1) lit. b DSGVO.
If and insofar as consent is given for disclosure or longer storage, the legal basis is Art. 6 Para. 1 lit. a DSGVO; Section 26 Para. 2 BDSG.

2. Active recruiting – identifying potential candidates

In order to draw the attention of potentially interested persons (affected persons) to our company and, if applicable, to motivate them to apply for jobs with us, we process data of individuals that they have made available on publicly accessible sources for professional self-presentation and professional exchange, in particular on platforms such as XING or LinkedIn.

If, when reviewing this data, people appear to be particularly suitable and it is apparent that the person may wish to be contacted for relevant offers, we will contact the person.

In doing so, we process the following categories of data if and insofar as they are provided by the affected person on the aforementioned platforms:

• Personal master data (first name, last name, name affixes, date of birth/age).
• Contact details (home address, telephone numbers, e-mail address).
• Suitability data (information on knowledge and skills, certificates, assessments).
• Information voluntarily provided by the affected person.

The data is only processed within the company by the departments and persons required for the processing (e.g. management, HR department, specialist department). Only if we involve third parties in the processing and data of affected persons is processed by them (e.g. personnel consultants) is this done within the framework of a contract for commissioned processing.

The data will be deleted after 6 months at the latest if there is no response from the person concerned. If an application procedure takes place, we refer to the corresponding privacy policy on this processing.

The legal basis for the processing is Art. 6 para. 1 lit. f DSGVO. Our legitimate interest lies in the recruitment of suitable employees for the company.

G  General explanations

1. Terms

With regard to the terms used 'personal data', 'processing', 'controller', 'affected person', 'third party' and other legal definitions, we refer to the provisions of Regulation (EU) 2016/679 (DSGVO) as well as the Federal Data Protection Act (BDSG), in particular Art. 4 DSGVO.

For the term 'affected person' we also use 'person concerned' or in connection with services also 'user'.

2. Transfer in third countries or to international organisations

The transfer of personal data to a third country or to international organisations is subject to special conditions. Insofar as such a transfer comes into consideration for individual processing operations, we point this out and explain the conditions under which the transfer takes place (e.g. adequacy decision, standard contractual clauses, etc.).

3. Categories of personal data (data categories)

We provide further information here for transparency and comprehensibility regarding the details of the data categories processed in the context of the processing operations. They should help to better understand and classify the data categories. However, not all data categories are necessarily processed by us.

Name
Name (first name, surname), name affixes, title, designations.

Address data
Name, postal address. In the case of contact persons in organisations (companies, authorities, etc.) also details of the organisation, area/department and activity/function.

Contact details
Name, telephone numbers, e-mail address, addresses for digital communication services (messenger, social media, etc.). In the case of contact persons in organisations (companies, authorities, etc.) also details of the organisation, area/department and activity/function.

Personal master data
Name (first name, surname), name affixes, title, designations, birth name if applicable, date and place of birth, gender.

Personal identification data
Identification no., tax no., social security no., copy of ID card.

Recordings
Pictures, photographs and video recordings.

Content data
Data that can be expected as content during the respective processing, especially those provided by affected persons. These are mostly files or data transmissions of text (e.g. chat), images, video, possibly music, but also protocols/notes of conversations.
Note: Permanent storage of recordings of conversations only takes place with the consent of the person concerned.

User information
Information on registered or known users of digital services: name, authentication or identifier, email, voluntary information (profile picture, phone, interests, preferences/settings for use, etc.).

Usage data
Data required for the use/utilisation and, if applicable, billing of services, telemedia and telecommunications services: Identification features of the user, start, end and scope of the respective use; services used

Metadata
Information on properties and on the use of other data, e.g. name of the author of documents, time of creation, modification or access/use of data, devices used, etc.

Connection data
Technical data for retrieval, connection and communication when using networks and services (intranet, internet):

• IP addresses of the systems involved in the communication (terminals, providers, proxy servers, etc.)
• Date and time of the connections.
• Data on the terminal device and browser/software used to connect, including the transmitted settings and metadata.
• Details of hardware used in the context of the use and its firmware/operating system.
• URL address of the request and the URL from which the request originated (referrer URL).
• technical communication information (request status/status code, amount of data transmitted, etc.).

Traffic data
Telecommunications service used, number/identifier of the connections involved (caller and called party), authorisation identifiers, card number if applicable, location data (for mobile phones), start and end of the respective connection (date and time), the data volumes transmitted.

Contract data
Contents of contracts and information on the performance of contracts as well as all data and information on their conclusion, performance, execution and termination.

Payment transaction data
Information on money and payment transactions such as time, amount, currency, purpose, recipient, ordering party, account information, credit card data, payment service provider.

Insurance data
Personal data, contact data, contract data, account details
Special categories: Health data

Personnel master data
Name, address data, contact data, date of birth, place of birth, gender, marital status, nationality, details of dependants / partners if applicable, tax details
Special categories: Religious affiliation

Identification and verification documents
Information on identity card, passport, residence and work permits, driver’s licence/driving permit, other qualification and training certificates

Application documents
Curriculum vitae, qualifications, certificates, assessments, references, information on knowledge and skills, documentation of interview and discussion content and any aptitude tests.

4. Information on cookies, web beacons, tracking pixels, fingerprints

a) General information about cookies

Cookies are small files in which information can be stored that is saved by a website on the user’s end device. This information is transferred to the website when it is requested again. Cookies are therefore very useful when it comes to the control and functions of websites, as it is possible to recognise the user session, e.g. to be able to assign login data or language settings, but also to clearly assign a shopping cart in a web shop to a user. However, depending on how they are used, cookies also enable the observation of user behaviour ('tracking'), especially if so-called third-party cookies are used, which also enable tracking across different websites.

Cookies have a defined lifetime after which they are automatically deleted (persistent cookies) or they are deleted when the browser is closed (session cookies).

The user can set the use of cookies with a corresponding configuration of the browser used so that no cookies or only certain cookies are accepted. The settings and instructions of the browser manufacturer must be followed. Cookies can also be manually deleted from the end device at any time. However, this may impair certain functionalities.

We point out when and which cookies are used for certain processing.

b) Technically necessary cookies

These cookies are technically necessary to enable the control and essential functions of the website or to provide services expressly requested by the user. The most important functions are settings made by the user, authentication (login) and the session status (session cookie), but also a shopping cart in online shops.

Cookies do not require explicit consent by the user, provided they are technically necessary and there is a legal basis for their use.

c) Legal basis for the use of optional cookies, “consent management”

The use of optional cookies regularly requires the user’s explicit consent, which is regularly requested from the user at the beginning of the use of the website by a tool for “consent management”, which is often provided by so-called consent management providers (CMP). This consent can be revoked at any time, usually by calling up the “consent management” tool again. The revocation does not affect the lawfulness of the processing based on consent until the time of revocation.

d) Web beacons and tracking pixels, fingerprints

Web beacons and tracking pixels are content (mostly small images, but also other elements) that are embedded in online content such as web pages, but also e-mails, and which are reloaded when the content is called up. These can also be used to track calls and actions, e.g. in the case of newsletters, whether and when they are called up.

Fingerprints are technical details and settings that are transferred to servers during the call-up and thus also allow a concrete allocation of the call-ups.

Depending on the purpose of use, the same applies to these technologies as to cookies with regard to consent and legality.