This data protection declaration informs you about the type, scope and purpose of the processing of personal data (hereinafter referred to as "data") within the scope of our services and the associated websites, functions and contents as well as external online presences, e.g. our social media profile (hereinafter jointly referred to as "online service"). With regard to the terms used, such as "processing" or "controller", we refer to the definitions in Art. 4 of the General Data Protection Regulation (GDPR).
| Street no.: | Unter den Linden 26 |
| Postcode, city, country: | 35410 Hungen-Obbornhofen, Deutschland |
| Commercial Register No.: | District Court Giessen, HRB 8347 |
| Managing Director: | Daniel Gal |
| Phone Number: | +49 60 36 43 28 505 |
Data Protection Officer:
| Name: | Dr. Thomas Schwenke |
The Controller is hereinafter also referred to as "we" or "us".
Type of processed data:
- Inventory data (e.g., customer master data, such as names, addresses).
- Contact details (e.g., e-mail, phone numbers).
- Content Data (e.g., text input, photographs, videos).
- Contract Data (e.g., subject matter of the contract).
- Payment Data (e.g., bank details, payment history).
- Usage Data (e.g., visited websites, interest in content, access times).
- Meta/communication Data (e.g., device IDs, IP addresses).
Processing of special categories of Data (Art. 9 (1) GDPR):
No special categories of Data are processed.
Categories of data subjects:
- Customers / prospective customers / business partners.
- Visitors and users of the online service.
In the following, we will also summarise the data subjects as "users".
Purpose of Processing:
- Provision of our services, their contents and functions.
- Server hosting, domain registration, Software-as-a-Service (SaaS) services.
- Provision of contractual services, customer care and support.
- Response to contact requests and communication with users.
- Marketing, advertising and market research.
- Security measures.
As of: May 2018
1. Terms used
1.1 "Personal Data" means any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
1.2 “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
1.3 “Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
2. Relevant Legal Basis for the Processing
4. Security of Data Processing
4.1 We shall take appropriate technical and organisational measures to ensure a level of protection appropriate to the risk in accordance with Article 32 GDPR, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons; the measures include in particular ensuring the confidentiality, integrity and availability of data by controlling physical access to the data, as well as the access, input, transfer, integrity and pseudonymity. Furthermore, we have established procedures that guarantee the assertion of data subjects' rights, the erasure of data and the response to data hazards. Furthermore, we already consider the protection of personal data during the development or selection of hardware, software and procedures, in accordance with the principle of data protection by design of technology and by data protection-friendly presettings (Art. 25 GDPR).
4.2 The security measures include in particular the encrypted transmission of data between your browser and our server.
4.3 Employees are bound to confidentiality with regard to data protection, are instructed, monitored, and informed of possible liability consequences.
5. Disclosure and Transmission of Data
5.1 If we disclose data to other persons and companies (processors or third parties) within the scope of our processing, transfer the data to them or otherwise grant them access to the data, this will only be carried out on the basis of a legal permission (e.g. if a transfer of the data to third parties, such as to payment service providers, is required for contract fulfilment pursuant to Art. 6 (1) b GDPR), if you have consented, if a legal obligation requires this or on the basis of our legitimate interests (e.g. when using agents, web hosting services, etc.).
5.2 If we commission third parties with the processing of data on the basis of a so-called "Data Processing Agreement", this is done on the basis of Art. 28 GDPR.
5.3 If we disclose, transfer or otherwise grant access to data to other companies in our Group of Companies (Undertakings), this is done in particular for administrative purposes as a legitimate interest and in addition on the basis of a Data Processing Agreement.
6. Transfers to Third Countries
If we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or if this occurs in the context of the use of third-party services or disclosure or transmission of data to third parties, this only takes place if it is necessary to fulfil our (pre)contractual obligations, on the basis of your consent, on the basis of a legal obligation or on the basis of our legitimate interests. Subject to legal or contractual permissions, we process the data, or have it processed, in a third country only if the special requirements of Art. 44 ff. GDPR are met. This means, for example, that processing is carried out on the basis of special guarantees, such as the officially recognised adequate data protection level corresponding to the EU (e.g. for the USA by the "Privacy Shield") or compliance with officially recognised special contractual obligations (so-called "Standard Contractual Clauses").
7. Rights of Data Subjects
7.1 You have the right to obtain from the controller confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, access to the personal data and the further information and a copy of the data in accordance with Art. 15 GDPR.
7.2 In accordance with Art. 16 GDPR, you correspondingly have the right to obtain from the controller the rectification of inaccurate personal data concerning you, or the completion of the data concerning you.
7.3 In accordance with Art. 17 GDPR, you have the right to demand that relevant data be erased without undue delay or, alternatively, to demand a restriction of the processing of the data in accordance with Art. 18 GDPR.
7.4 You have in accordance with Art. 20 GDPR the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller.
7.5 In accordance with Art. 77 GDPR, you also have the right to file a complaint with a supervisory authority.
8. Right of Withdrawal
You have the right to withdraw consents granted pursuant to Art. 7 (3) GDPR with effect for the future.
9. Right to Object
You can object to the future processing of the data concerning you in accordance with Art. 21 GDPR at any time. The objection may be lodged in particular against processing for direct marketing purposes.
10. Cookies and Right to Object in Direct Marketing
10.2 If users do not want cookies to be stored on their computer, they are advised to deactivate the corresponding option in the system settings of their browser. Stored cookies can be deleted in the system settings of the browser. The exclusion of cookies can lead to functional restrictions of this online service.
11. Erasure of data and archiving obligations
11.2 In accordance with statutory provisions in Germany, the records are kept in particular for 10 years in accordance with Sections 147 (1) German Financial Act (AO), Sections 257 (1) No. 1 and 4, (4) German Commercial Code (HGB) (books, records, management reports, accounting documents, trading books, documents relevant to taxation, etc.) and for 6 years in accordance with Sections 257 (1) No. 2 and 3, (4) HGB (commercial letters).
12. Business-Related Analyses by LeadingReports GmbH
12.1 We process our customers' data as part of our contractual services, including the provision of our LeadingReports services (LeadingReports GmbH, Unter den Linden 26, 35410 Hungen, leadingreports.de) for the analysis of business website visitors. The legal basis for processing results from Art. 6 (1) b. GDPR (contractual services) and Art. 6 (1) f. GDPR (business interests), insofar as we use LeadingReports analyses ourselves. LeadingReports analyses are carried out using cookies or local and session storage. By analyzing the data collected and transmitted, we can track the usage behavior of visitors to websites that use LeadingReports analyses. The information refers in particular to the analysis of the various areas of interest on the basis of the use of the respective websites as well as the geographical origin of the visitors and information on these, but only if it concerns business/company data, i.e. no personal data.
12.2 The processing of data by LeadingReports GmbH is aimed at the collection of data concerning companies, i.e. not at the processing of personal data. Therefore, the processing of personal data is avoided to the greatest possible extent. Where natural persons are concerned, the following data may be processed: the IP address of the user for direct resolution of company data (automatically collected by request), the language set by the user, the page visited, the page from which the user came (referrer), a pseudonymous user ID (gal-io-cl-uid) to recognize recurring visits, Google's UTM parameters for possible ad referrals (only stored as "comes from AdWords" or similar), and the time of the page visit.
12.3. The processed data will not be used for any other purposes than those described here. If IP addresses are recorded, they are anonymised immediately after collection by deleting the last block of digits. The servers used for web analysis are operated exclusively on the territory of the Federal Republic of Germany.
12.5 The data is processed on the basis of an order processing contract pursuant to Art. 28 (3) sentence 1 GDPR. If you do not agree to the processing of your data by LeadingReports GmbH in the future, you can object to the processing by excluding the IP address you use on this website: https://io.leadingreports.de/exclude-ip
12.6 You may also click the following link, which will set an opt-out cookie that applies to this domain and the browser used (if you delete your browser cookies or use a different browser the next time you visit, you must click the link again to prevent your anonymized usage data from being collected):
13. Administration, Financial Accounting, Office Organization, Archiving
13.1. We process data in the course of administrative tasks as well as the organisation of our company, financial accounting and compliance with legal obligations, e.g. archiving. We process the same data that we process as part of the performance of our contractual services. The processing bases are Art. 6 (1) c. GDPR, Art. 6 (1) f., Art. 28 GDPR. The data subjects affected by the processing are customers, interested parties, business partners and website visitors. The purpose of the processing is the administration, financial accounting, office organization and archiving of data that serve the maintenance of our company and our services.
13.2. We disclose or transmit data to the tax authorities, tax consultants, auditors, other fee offices, legal advisors and payment service providers.
13.4. Furthermore, we store information on business partners, customers and prospects on the basis of our business interests, e.g. for the purpose of making contact at a later date. We store this data, which is mainly company-related, permanently.
14. Economic Analyses and Market research
14.1. In order to operate our business economically and to identify market trends, customer and user wishes, we analyse the data available to us on business transactions, contracts, inquiries, etc., in order to ensure that we are able to offer our customers the best possible service. We process inventory data, communication data, contract data, payment data, usage data, metadata on the basis of Art. 6 (1) f. GDPR, whereby the persons concerned include customers, prospective customers, business partners, visitors and users of our online service. The analyses are carried out for the purpose of economic evaluations, marketing and market research. The analyses serve us to increase the user-friendliness, the optimization of our offer and the economic efficiency. The analyses serve us alone and are not disclosed externally, unless they are anonymous analyses with aggregated values.
14.2. If these analyses or profiles are personal, they will be deleted or made anonymous upon cancellation of the contractual relationship, otherwise after three years from the conclusion of the contract. For the rest, macroeconomic analyses and general trend determinations are prepared anonymously wherever possible.
15. Contact and Customer Service
15.1. When contacting us (via contact form or e-mail), the user's details will be processed in order to handle the contact request in accordance with Art. 6 (1) b./f. GDPR.
15.2. User information may be stored in our Customer Relationship Management System ("CRM System") or comparable request organization.
15.3. Outside of existing customer relationships, we will delete the requests if they are no longer necessary. Within customer relations we store the data for their duration; we check the necessity of the storage every three years; furthermore, the legal archiving obligations apply.
16. Collection of access data (logfiles)
16.1. For the purposes of our legitimate interests, we collect data every time the server on which the service is located is accessed. This data is collected in the form of server log files. These access logs include the name of the webpage and/or file accessed by the User, the date and time of access, the amount of data transferred, notification of successful retrieval, details of the web browser used (including the version), the User’s operating system, the referrer URL (of the previous page linking to our website), the IP address and the requesting provider.
16.2. Log file information is retained for security reasons (e.g. to detect improper use or fraud) for a maximum of seven days before being deleted. Data that is to be retained as evidence shall be excluded from deletion until the relevant case has been finalized.
17. Google Analytics
17.2. Google is certified under the Privacy Shield framework which offers a guarantee of compliance with European data protection legislation (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
17.3. Google will use this information on our behalf for the purpose of evaluating use of our Websites by the User, compiling reports on activity on the Websites, and providing us with other services relating to the use of the Websites and use of the Internet. This process may involve creating pseudonymized usage profiles of Users from the processed data.
17.4. We use Google Analytics to display the ads placed by Google and its partners within advertising services, only to those users who have shown an interest in our online offers or who have particular characteristics (e.g. interests in certain topics or products determined by the websites visited) that we transmit to Google (so-called Remarketing or Google Analytics audiences). With the help of remarketing audiences, we would also like to ensure that our advertisements are in line with the potential interest of the users and do not have a nuisance effect.
17.5. We only use Google Analytics with IP anonymization enabled. That means Google truncates the User’s IP address within Member States of the European Union and in other countries that are party to the Agreement on the European Economic Area. Only in exceptional cases is the full IP address transmitted to a Google server in the USA and truncated there.
17.6. The IP address transmitted by the User’s browser is not associated with any other data held by Google. Users can prevent cookies from being installed on their computer by adjusting their browser settings accordingly. Users can also prevent Google from collecting data generated by cookies concerning their use of the Websites and can prevent Google from processing this data by downloading and installing a browser plug-in from the following link: http://tools.google.com/dlpage/gaoptout?hl=en.
17.7. Further information on Google's use of data for marketing purposes can be found on the overview page: https://policies.google.com/technologies/ads. Google's data protection declaration can be accessed at https://policies.google.com/privacy. If you wish to object to interest-based advertising by Google marketing services, you can use the setting and opt-out options provided by Google: https://adssettings.google.com/authenticated.
17.8. Personal data will be made anonymous or deleted after a period of 14 months.
18. Google Conversion and Advertising Display Services
18.1. For the purposes of our legitimate interests (i.e. our interest in analysing, optimizing and running our Websites in a commercially viable manner within the meaning of Art. 6 (1) f. of the GDPR), we use Google’s conversion and advertising display, marketing and remarketing services (hereinafter referred to as “Google marketing services”) provided by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, (“Google”).
18.2. Google is certified under the Privacy Shield framework which offers a guarantee of compliance with European data protection legislation (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
18.3. Google marketing services enable us to display ads for and on our website in a more targeted fashion, helping us to only show ads to Users that are potentially of interest to them. The method we use, known as remarketing, involves, for example, showing Users ads for products in which they have already shown an interest on other websites. For this purpose, our Websites – and other websites on which Google marketing services are active – contain a snippet of code, which is executed directly by Google. This integrates what are known as (re)marketing tags in the website (invisible image files or code, also known as web beacons). With the help of these tags, an individual cookie, i.e. a small file, is saved on the User’s device (comparable technologies may also be used instead). These cookies may be set from a few different domains, including google.com, doubleclick.net, invitemedia.com, admeld.com, googlesyndication.com and googleadservices.com. This file notes which sites the User visits, which content interests the User, and which offers he or she clicked, as well as technical information on the browser and operating system, referring websites, visit duration and other data on the use of the Websites. The User’s IP address is also recorded, though we wish to make it clear that, within the context of Google Analytics, the IP address is truncated within European Union Member States and in other countries that are party to the Agreement on the European Economic Area. Only in exceptional cases is the full IP address transferred to the US-based Google server and truncated there. The IP address is not merged with User data within other Google offerings or services. The information referred to above may also be linked to comparable information from other sources. If the User subsequently visits other websites, they may be presented with ads tailored to them according to their interests.
18.4. User data is processed in a pseudonymized manner within the context of Google marketing services, i.e. Google does not store and process details such as the name or email address of the User, but instead processes the relevant data within pseudonymized usage profiles based on cookies. This means that, from Google’s perspective, the ads are not managed for and displayed to a named or otherwise identifiable person, but rather for and to the cookie holder, regardless of who this cookie holder is. That is not, however, the case if a User has expressly granted Google permission to process their data in a non-pseudonymized manner. Information collected on Users by Google marketing services is transmitted to Google and stored on Google’s servers in the USA.
18.5. One of the Google marketing services we use is the online advertising service “Google AdWords”. In the case of Google AdWords, each AdWords client receives a different “conversion cookie”. Thus, cookies cannot be tracked across the websites of AdWords clients. The information collected by the conversion cookies is used to provide aggregate conversion statistics for AdWords clients who have opted in to conversion tracking. AdWords clients are informed of the total number of users who clicked on the ad and were forwarded to a conversion tracking tag page. However, they do not receive any information that would enable them to identify users personally.
18.7. We use "Google Optimize", a service that allows us to track the effects of various changes to a website (e.g. changes in input fields, design, etc.) within the framework of so-called "A/B tests".
18.8. We may also use the Google Tag Manager to incorporate and manage Google analysis and marketing services in our Websites.
18.9. The data may be processed by Google for up to two years before it is anonymised or deleted.
18.10. Further information on Google's use of data for marketing purposes can be found on the overview page: https://policies.google.com/technologies/ads. Google's data protection declaration can be accessed at https://policies.google.com/privacy. If you wish to object to interest-based advertising by Google marketing services, you can use the setting and opt-out options provided by Google: https://adssettings.google.com/authenticated.
19. Communication via Mail, E-Mail, Fax or Telephone
19.1. We use means of telecommunication such as mail, telephone or e-mail for business transactions and marketing purposes. We process inventory data, address and contact data as well as contract data of customers, participants, interested parties and communication partners.
19.2. The processing is carried out on the basis of Art. 6 (1) a., Art. 7 GDPR, Art. 6 (1) f. GDPR in conjunction with legal requirements for advertising communications. Contact is only established with the consent of the contact partners or within the scope of legal permissions, and the processed data is deleted as soon as it is not required and otherwise with objection/revocation or discontinuation of the authorization basis or legal archiving obligations.
20. Integration of third-party services and content
20.1. For the purposes of our legitimate interests (i.e. our interest in analysing, optimizing and running our Websites in a commercially viable manner within the meaning of Art. 6 (1) f. of the GDPR), we use third-party content and service delivery services on our Websites in order to incorporate content and services such as videos and fonts, for example (hereinafter jointly referred to as “content”). The third-party provider of this content always requires the User's IP address in order to send the content to the browser of the respective User. In other words, the IP address is required to display this content. We endeavour only to use such content where the respective provider uses the IP address exclusively to deliver said content. Third-party providers may additionally use “pixel tags” (invisible image files, also known as web beacons) for statistical or marketing purposes. Pixel tags can be used to analyse information such as the number of visitors accessing the pages of this website. The pseudonymized information may additionally be stored on User devices in the form of cookies. This information includes technical information on the browser and operating system, referring websites, time spent on the website, and further details on how Users make use of our Websites, plus it can also be combined with comparable information from other sources.
20.2. The list below provides an overview of third-party providers and their content as well as links to their privacy policies, which contain further information on data processing and opt-out mechanisms, some of which have already been discussed here:
- External icons, fonts and scripts of the "Bootstrap" framework, whose servers are also located in the USA. Further information: http://getbootstrap.com/about/.