Privacy policy

Preamble

With the following privacy policy, we would like to inform you about the types of your personal data (hereinafter also referred to as “data”) that we process, for what purposes, and to what extent in the context of providing our application.

The terms used are not gender-specific.

Status: February 26, 2026


Table of Contents

Preamble
Controller
Contact Data Protection Officer
Overview of Processing Activities
Relevant Legal Bases
Security Measures
Transfer of Personal Data
International Data Transfers
General Information on Data Storage and Deletion
Rights of Data Subjects
Business Services
Payment Procedures
Provision of the Online Offer and Web Hosting
Use of Cookies
Processing of Data within the Application (App)
Obtaining Applications via App Stores
Contact and Inquiry Management
Video Conferences, Online Meetings, Webinars, and Screen Sharing
Cloud Services
Newsletters and Electronic Notifications
Web Analysis, Monitoring, and Optimization
Customer Reviews and Rating Procedures
Presence in Social Networks (Social Media)
Plugins and Embedded Functions and Content
Processing of Data in the Context of Employment Relationships
Application Procedures
Amendment and Updates
Definitions


Controller

signotec GmbH
Am Gierath 20b
40885 Ratingen
Germany

Authorized representative: Arne Brandes

Email address: info@signotec.de
Phone: +49 21025357510


Contact Data Protection Officer

signotec GmbH
Data Protection Officer
Am Gierath 20b
40885 Ratingen
Germany

Email: datenschutz@signotec.de


Overview of Processing Activities

The following overview summarizes the types of processed data and the purposes of their processing and refers to the data subjects concerned.

Types of processed data

  • Master data
  • Employee data
  • Payment data
  • Location data
  • Contact data
  • Content data
  • Contract data
  • Usage data
  • Meta, communication, and procedural data
  • Social data
  • Applicant data
  • Image and/or video recordings
  • Audio recordings
  • Log data
  • Performance and behavioral data
  • Working time data
  • Salary data

Special categories of data

  • Health data
  • Religious or philosophical beliefs
  • Trade union membership

Categories of data subjects

  • Service recipients and clients
  • Employees
  • Interested parties
  • Communication partners
  • Users
  • Applicants
  • Business and contractual partners
  • Persons depicted

Purposes of processing

  • Provision of contractual services and fulfillment of contractual obligations
  • Communication
  • Security measures
  • Direct marketing
  • Reach measurement
  • Tracking
  • Office and organizational procedures
  • Target group formation
  • Organizational and administrative procedures
  • Application procedures
  • Feedback
  • Marketing
  • Profiles with user-related information
  • Provision of our online offering and user-friendliness
  • Establishment and execution of employment relationships
  • IT infrastructure
  • Public relations
  • Business processes and economic procedures

Relevant Legal Bases

Relevant legal bases under the GDPR:
Below you will find an overview of the legal bases of the GDPR on which we process personal data. Please note that in addition to the provisions of the GDPR, national data protection regulations may apply in your or our country of residence or establishment. Furthermore, if more specific legal bases are relevant in individual cases, we will inform you of these in this privacy policy.

  • Consent (Art. 6 para. 1 sentence 1 lit. a GDPR) – The data subject has given consent to the processing of their personal data for one or more specific purposes.
  • Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b GDPR) – Processing is necessary for the performance of a contract to which the data subject is a party or for the implementation of pre-contractual measures taken at the request of the data subject.
  • Legal obligation (Art. 6 para. 1 sentence 1 lit. c GDPR) – Processing is necessary for compliance with a legal obligation to which the controller is subject.
  • Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR) – Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, provided that the interests, fundamental rights, and freedoms of the data subject requiring the protection of personal data do not override those interests.
  • Application procedures as a pre-contractual or contractual relationship (Art. 6 para. 1 sentence 1 lit. b GDPR) – If special categories of personal data within the meaning of Art. 9 para. 1 GDPR (e.g., health data such as disability status or ethnic origin) are requested from applicants during the application process so that the controller or the data subject can exercise their rights and fulfill their obligations under labor law and social security and social protection law, their processing is carried out in accordance with Art. 9 para. 2 lit. b GDPR; in the case of protecting vital interests of applicants or other persons according to Art. 9 para. 2 lit. c GDPR; or for purposes of preventive healthcare or occupational medicine, for assessing the working capacity of the employee, for medical diagnosis, care or treatment in the health or social sector, or for the management of systems and services in the health or social sector according to Art. 9 para. 2 lit. h GDPR. If special categories of data are communicated on the basis of voluntary consent, their processing is carried out on the basis of Art. 9 para. 2 lit. a GDPR.
  • Processing of special categories of personal data related to healthcare, profession, and social security (Art. 9 para. 2 lit. h GDPR) – Processing is necessary for purposes of preventive healthcare or occupational medicine, for assessing the working capacity of an employee, for medical diagnosis, care or treatment in the health or social sector, or for the management of systems and services in the health or social sector based on Union or Member State law or pursuant to a contract with a health professional.

National Data Protection Regulations in Germany

In addition to the data protection regulations of the GDPR, national regulations apply in Germany. This includes in particular the Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG). The BDSG contains specific provisions regarding the right to access, the right to erasure, the right to object, the processing of special categories of personal data, processing for other purposes, and the transfer of data, as well as automated decision-making in individual cases, including profiling. In addition, state data protection laws of the individual federal states may apply.


Note on the applicability of GDPR and Swiss DSG

These data protection notices serve to provide information both under the Swiss Federal Act on Data Protection (DSG) and under the General Data Protection Regulation (GDPR). For this reason, please note that due to the broader territorial scope and comprehensibility, the terms of the GDPR are used. In particular, instead of the terms used in the Swiss DSG such as “processing” of “personal data,” “overriding interest,” and “particularly sensitive personal data,” the GDPR terms “processing” of “personal data,” “legitimate interest,” and “special categories of data” are used. However, the legal meaning of the terms will continue to be determined under the Swiss DSG within its scope of application.

Security Measures

We implement appropriate technical and organizational measures in accordance with legal requirements, taking into account the state of the art, implementation costs, and the nature, scope, context, and purposes of processing, as well as the varying likelihood and severity of risks to the rights and freedoms of natural persons, in order to ensure a level of protection appropriate to the risk.

These measures include, in particular, ensuring the confidentiality, integrity, and availability of data by controlling physical and electronic access to the data, as well as access, input, disclosure, availability assurance, and separation of data. Furthermore, we have established procedures to ensure the exercise of data subject rights, the deletion of data, and responses to data breaches. We also take the protection of personal data into account during the development or selection of hardware, software, and processes, in accordance with the principle of data protection by design and by default.

Securing online connections using TLS/SSL encryption technology (HTTPS):
To protect user data transmitted via our online services from unauthorized access, we use TLS/SSL encryption technology. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the cornerstones of secure data transmission on the internet. These technologies encrypt the information transmitted between the website or app and the user’s browser (or between two servers), thereby protecting the data from unauthorized access. TLS, as the more advanced and secure version of SSL, ensures that all data transmissions meet the highest security standards. When a website is secured by an SSL/TLS certificate, this is indicated by the display of HTTPS in the URL, signaling to users that their data is transmitted securely and in encrypted form.


Transfer of Personal Data

As part of our processing of personal data, the data may be transmitted or disclosed to other entities, companies, legally independent organizational units, or individuals. Recipients of this data may include, for example, service providers entrusted with IT tasks or providers of services and content integrated into a website. In such cases, we comply with legal requirements and, in particular, conclude appropriate contracts or agreements with recipients to ensure the protection of your data.


International Data Transfers

Data processing in third countries:
If we transfer data to a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)) or if this occurs in the context of using third-party services or disclosing or transferring data to other persons, bodies, or companies (which can be identified by the provider’s postal address or explicit reference in this privacy policy), this is always done in compliance with legal requirements.

For data transfers to the United States, we primarily rely on the Data Privacy Framework (DPF), which has been recognized as a secure legal framework by an adequacy decision of the European Commission dated July 10, 2023. In addition, we have concluded Standard Contractual Clauses with the respective providers, which comply with the requirements of the European Commission and establish contractual obligations to protect your data.

This dual safeguard ensures comprehensive protection of your data: the DPF forms the primary level of protection, while the Standard Contractual Clauses serve as an additional safeguard. Should there be changes to the DPF, the Standard Contractual Clauses act as a reliable fallback option. This ensures that your data remains adequately protected even in the event of political or legal changes.

For individual service providers, we inform you whether they are certified under the DPF and whether Standard Contractual Clauses are in place. Further information about the DPF and a list of certified companies can be found on the website of the U.S. Department of Commerce: https://www.dataprivacyframework.gov/ (in English).

For data transfers to other third countries, appropriate safeguards apply, in particular Standard Contractual Clauses, explicit consent, or legally required transfers. Information on third-country transfers and applicable adequacy decisions can be found on the European Commission’s website:
https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection_en?prefLang=de


General Information on Data Storage and Deletion

We delete personal data that we process in accordance with legal requirements as soon as the underlying consents are withdrawn or no further legal basis for processing exists. This applies to cases where the original purpose of processing no longer applies or the data is no longer required. Exceptions apply if legal obligations or special interests require longer retention or archiving of the data.

In particular, data that must be retained for commercial or tax law reasons or whose storage is necessary for legal prosecution or the protection of the rights of other natural or legal persons must be archived accordingly.

Our privacy notices contain additional information on the retention and deletion of data that apply specifically to certain processing operations.

If multiple retention periods or deletion deadlines are specified, the longest period always applies. Data that is no longer required for its original purpose but is retained due to legal requirements or other reasons is processed exclusively for the reasons justifying its retention.

Retention and deletion of data:
The following general retention periods apply under German law:

  • 10 years – Retention period for books and records, annual financial statements, inventories, management reports, opening balance sheets, and the organizational documents required to understand them (§ 147 para. 1 no. 1 in conjunction with para. 3 AO, § 14b para. 1 UStG, § 257 para. 1 no. 1 in conjunction with para. 4 HGB).
  • 8 years – Accounting documents such as invoices and expense receipts (§ 147 para. 1 no. 4 and 4a in conjunction with para. 3 sentence 1 AO and § 257 para. 1 no. 4 in conjunction with para. 4 HGB).
  • 6 years – Other business documents: received commercial or business letters, copies of sent commercial or business letters, and other documents relevant for taxation, e.g., wage slips, cost accounting sheets, calculation documents, price labels, as well as payroll records if not already accounting documents, and cash register receipts (§ 147 para. 1 no. 2, 3, 5 in conjunction with para. 3 AO, § 257 para. 1 no. 2 and 3 in conjunction with para. 4 HGB).
  • 3 years – Data required to consider potential warranty and damage claims or similar contractual claims and rights, as well as to process related inquiries, are stored for the duration of the regular statutory limitation period of three years (§§ 195, 199 BGB).

Start of the period at the end of the year:
If a period does not explicitly begin on a specific date and is at least one year long, it automatically begins at the end of the calendar year in which the triggering event occurred. In the case of ongoing contractual relationships in which data is stored, the triggering event is the date on which the termination or other end of the legal relationship becomes effective.


Rights of Data Subjects

Rights under the GDPR:
As a data subject, you have various rights under the GDPR, particularly arising from Articles 15 to 21 GDPR:

  • Right to object: You have the right to object at any time, on grounds relating to your particular situation, to the processing of your personal data carried out on the basis of Art. 6 para. 1 lit. e or f GDPR; this also applies to profiling based on those provisions. If your personal data is processed for direct marketing purposes, you have the right to object at any time to such processing; this also applies to profiling related to such direct marketing.
  • Right to withdraw consent: You have the right to withdraw any consent given at any time.
  • Right of access: You have the right to request confirmation as to whether data concerning you is being processed and to obtain information about such data, as well as further information and a copy of the data in accordance with legal requirements.
  • Right to rectification: You have the right to request the completion or correction of inaccurate data concerning you in accordance with legal requirements.
  • Right to erasure and restriction of processing: You have the right to request that data concerning you be deleted without undue delay or, alternatively, to request restriction of processing in accordance with legal requirements.
  • Right to data portability: You have the right to receive data concerning you that you have provided to us in a structured, commonly used, and machine-readable format or to request its transfer to another controller.
  • Right to lodge a complaint with a supervisory authority: Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a data protection supervisory authority, particularly in the Member State of your habitual residence, your place of work, or the place of the alleged infringement, if you believe that the processing of your personal data violates the GDPR.

Business Services

We process the personal data of our contractual and business partners, such as customers, clients, interested parties, suppliers, and other cooperation partners (collectively referred to as “contractual partners”), for the initiation, execution, and settlement of contractual relationships and comparable legal relationships. This also includes pre-contractual measures carried out upon request, as well as communication in connection with the respective contractual relationship.

Processing serves in particular to fulfill our contractual obligations. This includes the provision of agreed services, any update and information obligations, handling warranty claims and service disruptions, processing withdrawals and terminations, reversals, refunds, and handling other contract-related declarations and inquiries. This applies to both one-time contracts and ongoing contractual relationships.

In particular, we process master data such as name, address, and, if applicable, company name; contact data such as email address and telephone number; contract and service data such as subject matter and duration of the contract, order or transaction number; usage and service data; payment and billing data; and communication content and history. Where necessary, we also process data disclosed or transmitted to us in the course of fulfilling an order.

We also process data to safeguard our rights and to fulfill legal obligations. This includes, in particular, retention obligations under commercial and tax law, documentation obligations, and, where applicable, obligations to provide evidence and accountability. Processing may also be carried out based on our legitimate interests in proper business management, internal administration, risk management, and IT security, as well as in protecting our business operations and contractual partners from misuse, threats to data, confidential information, and other legal interests. This may include engaging external service providers such as IT and telecommunications providers, transport and logistics companies, payment service providers, banks, tax and legal advisors, or other agents, insofar as this is necessary for contract performance or compliance with legal obligations.

Personal data is only disclosed to third parties insofar as this is necessary for contract performance, pre-contractual measures, the protection of legitimate interests, or compliance with legal obligations. Any further processing, particularly for marketing purposes, is explained separately in this privacy policy.

We inform contractual partners which data is required in each case during data collection, for example in online forms through appropriate markings or in personal contact.

Data is deleted as soon as it is no longer required for the above purposes and no legal retention obligations apply. Legal retention periods, particularly under commercial and tax law, may require longer storage. Data transmitted in the context of a specific order is deleted after completion of the order and expiration of any retention periods, unless further legal or contractual obligations require continued storage.

The legal basis for processing is Art. 6 para. 1 lit. b GDPR for pre-contractual measures and contract performance, and Art. 6 para. 1 lit. c GDPR for compliance with legal obligations. Where processing is based on legitimate interests, it is carried out pursuant to Art. 6 para. 1 lit. f GDPR. These legitimate interests include ensuring proper and efficient business organization, internal administration and documentation of business processes, enforcement and defense of legal claims, ensuring IT and data security, preventing misuse and fraud, and managing and developing our business operations.

Types of data processed:
Master data (e.g., full name, address, contact information, customer number); payment data (e.g., bank details, invoices, payment history); contact data (e.g., postal and email addresses or phone numbers); contract data (e.g., subject matter, duration, customer category); usage data (e.g., page views, duration of visits, click paths, usage intensity and frequency, device types and operating systems, interactions with content and features); meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved persons).

Data subjects:
Service recipients and clients; interested parties; business and contractual partners.

Purposes and legitimate interests:
Provision of contractual services; security measures; communication; office and organizational procedures; administrative procedures; business processes and economic operations.

Retention and deletion:
Deletion in accordance with the section “General Information on Data Storage and Deletion.”

Legal bases:
Contract performance and pre-contractual inquiries (Art. 6 para. 1 lit. b GDPR); legal obligation (Art. 6 para. 1 lit. c GDPR); legitimate interests (Art. 6 para. 1 lit. f GDPR).


Further information on processing activities, procedures, and services:

Online shop, order forms, e-commerce, and service fulfillment:
We process customer data to enable them to select, purchase, or order products, goods, and related services, as well as their payment and delivery or execution. Where necessary for order fulfillment, we use service providers, particularly postal, freight, and shipping companies. For payment processing, we use banks and payment service providers. Required information is marked accordingly in the ordering process and includes data necessary for delivery, provision, and billing, as well as contact details for follow-up communication.
Legal basis: Contract performance and pre-contractual inquiries (Art. 6 para. 1 lit. b GDPR).

Consulting:
We process data of our clients and interested parties to provide our services. This includes communication, needs analysis, planning and implementation of consulting projects, documentation, data management, scheduling, billing, follow-ups, and quality assurance. Data processing depends on the underlying contractual relationship. Data may be disclosed to third parties if necessary, legally required, or based on consent.
Legal basis: Contract performance and pre-contractual inquiries (Art. 6 para. 1 lit. b GDPR).

IT services:
We process customer data to provide planning, implementation, and support of IT solutions. This includes project management, documentation, change management, CRM, technical support, troubleshooting, reporting, and performance analysis to ensure quality and compliance.
Legal basis: Art. 6 para. 1 lit. b, c, and f GDPR.

Provision of software and platform services:
We process user data (including registered and trial users) to provide contractual services and, based on legitimate interests, to ensure the security and further development of our offering. Required information is indicated during the contract process and includes data necessary for service provision, billing, and communication.
Legal basis: Contract performance and pre-contractual inquiries (Art. 6 para. 1 lit. b GDPR).

Payment Procedures

Within the scope of contractual and other legal relationships, due to legal obligations or otherwise on the basis of our legitimate interests, we offer data subjects efficient and secure payment options and, for this purpose, use banks, credit institutions, and additional service providers (collectively referred to as “payment service providers”). Payment transactions are carried out exclusively via encrypted connections in accordance with the state of the art, ensuring that the data entered is protected against unauthorized access during transmission.

The data processed by the payment service providers includes master data, such as name and address, bank data such as account numbers or credit card numbers, passwords, TANs and checksums, as well as contract-related, amount-related, and recipient-related information. This information is necessary to carry out the transactions. However, the entered data is processed and stored only by the payment service providers. This means that we do not receive any account or credit card-related information, but only information confirming or rejecting a payment. Under certain circumstances, the payment service providers may transmit data to credit agencies. This transmission is intended for identity and creditworthiness checks. In this regard, we refer to the terms and conditions and the privacy policies of the payment service providers.

Payment transactions are subject to the terms and conditions and privacy policies of the respective payment service providers, which can be accessed on their respective websites or transaction applications. We also refer you to these for further information and for exercising rights of withdrawal, access, and other data subject rights.

Types of processed data:
Master data (e.g., full name, residential address, contact information, customer number, etc.); payment data (e.g., bank details, invoices, payment history); contract data (e.g., subject matter, duration, customer category); usage data (e.g., page views and duration of visits, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved persons).

Data subjects:
Service recipients and clients; business and contractual partners; interested parties.

Purposes of processing and legitimate interests:
Provision of contractual services and fulfillment of contractual obligations; business processes and economic operations.

Retention and deletion:
Deletion in accordance with the information in the section “General Information on Data Storage and Deletion.”

Legal bases:
Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b GDPR); legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).


Further information on processing operations, procedures, and services:

Mollie: Payment services (technical integration of online payment methods); service provider: Mollie B.V., Keizersgracht 126, 1015 CW Amsterdam, Netherlands; legal basis: contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b GDPR); website: https://www.mollie.com/de; privacy policy: https://www.mollie.com/de/privacy.

PayPal: Payment services (technical integration of online payment methods) (e.g., PayPal, PayPal Plus, Braintree); service provider: PayPal (Europe) S.à r.l. et Cie, S.C.A., 22–24 Boulevard Royal, L-2449 Luxembourg; legal basis: contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b GDPR); website: https://www.paypal.com/de; privacy policy: https://www.paypal.com/de/legalhub/paypal/privacy-full.


Provision of Online Services and Web Hosting

We process users’ data in order to provide them with our online services. For this purpose, we process the user’s IP address, which is necessary to transmit the content and functions of our online services to the user’s browser or device.

Types of processed data:
Usage data (e.g., page views and duration of visits, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved persons); log data (e.g., log files relating to logins or the retrieval of data or access times).

Data subjects:
Users (e.g., website visitors, users of online services).

Purposes of processing and legitimate interests:
Provision of our online offering and user-friendliness; IT infrastructure (operation and provision of information systems and technical devices such as computers, servers, etc.); security measures.

Retention and deletion:
Deletion in accordance with the information in the section “General Information on Data Storage and Deletion.”

Legal bases:
Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).


Further information on processing operations, procedures, and services:

  • Provision of online services on rented storage space: To provide our online services, we use storage space, computing capacity, and software that we rent or otherwise obtain from a corresponding server provider (“web host”); legal basis: legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).
  • Collection of access data and log files: Access to our online services is logged in so-called “server log files.” These may include the address and name of accessed web pages and files, date and time of access, amount of data transferred, notification of successful retrieval, browser type and version, the user’s operating system, referrer URL (previously visited page), IP addresses, and the requesting provider. Server log files are used for security purposes (e.g., to prevent server overload, especially in the case of abusive attacks such as DDoS attacks) and to ensure server capacity utilization and stability; legal basis: legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).
  • Deletion of data: Log file information is stored for a maximum of 30 days and then deleted or anonymized. Data required for evidentiary purposes is exempt from deletion until the respective incident has been finally clarified.
  • Hetzner: Services in the field of IT infrastructure and related services (e.g., storage space and/or computing capacity); service provider: Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany; legal basis: legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR); website: https://www.hetzner.com; privacy policy: https://www.hetzner.com/de/rechtliches/datenschutz; data processing agreement: https://docs.hetzner.com/de/general/general-terms-and-conditions/data-privacy-faq/.
  • Netlify: Creation, management, and hosting of websites, online forms, and other web elements; service provider: Netlify, Inc., 2343 3rd Street, Suite 296, San Francisco, California 94107, USA; legal basis: legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR); website: https://www.netlify.com; privacy policy: https://www.netlify.com/privacy; data processing agreement: https://www.netlify.com/gdpr-ccpa/; basis for third-country transfers: standard contractual clauses (https://www.netlify.com/gdpr-ccpa/).

Use of Cookies

The term “cookies” refers to functions that store information on users’ devices and read it from them. Cookies may also be used for various purposes, such as functionality, security, and convenience of online services, as well as for creating analyses of visitor traffic. We use cookies in accordance with legal requirements. Where necessary, we obtain users’ consent in advance. If consent is not required, we rely on our legitimate interests. This applies when storing and reading information is essential to provide explicitly requested content and functions, such as saving settings and ensuring the functionality and security of our online services. Consent can be withdrawn at any time. We clearly inform users about its scope and which cookies are used.

Notes on legal bases:
Whether we process personal data using cookies depends on consent. If consent is given, it serves as the legal basis. Without consent, we rely on legitimate interests as explained above and in the context of the respective services and procedures.

Storage duration:
With regard to storage duration, the following types of cookies are distinguished:

  • Temporary cookies (session cookies): Deleted at the latest when a user leaves an online service and closes their device (e.g., browser or mobile application).
  • Persistent cookies: Remain stored even after the device is closed. For example, login status can be saved and preferred content displayed directly when the user revisits a website. User data collected via cookies may also be used for reach measurement. Unless we explicitly inform users about the type and storage duration of cookies (e.g., when obtaining consent), users should assume that cookies are persistent and may be stored for up to two years.

General information on withdrawal and objection (opt-out):
Users can withdraw their consent at any time and also object to processing in accordance with legal requirements, including via their browser’s privacy settings.

Types of processed data:
Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved persons).

Data subjects:
Users (e.g., website visitors, users of online services).

Legal bases:
Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR); consent (Art. 6 para. 1 sentence 1 lit. a GDPR).


Further information on processing operations, procedures, and services:

  • Processing of cookie data based on consent: We use a consent management solution to obtain, record, manage, and allow withdrawal of user consent for the use of cookies and related processing. This includes storing consent declarations to avoid repeated requests and to provide proof of consent in accordance with legal requirements. Storage may take place on the server and/or in a cookie (opt-in cookie) or via comparable technologies. A pseudonymous user identifier may be stored along with timestamp, scope of consent, and device/browser information. Consent may be stored for up to two years; legal basis: consent (Art. 6 para. 1 sentence 1 lit. a GDPR).
  • Cookiebot: Storage and management of consent, logging of user decisions, display of privacy notices, and enabling withdrawal or adjustment of consent; provider: Usercentrics A/S, Copenhagen, Denmark; website: https://www.cookiebot.com/de; privacy policy: https://www.cookiebot.com/de/privacy-policy/.
  • Usercentrics: Storage and management of consent, logging of user decisions, display of privacy notices, and enabling withdrawal or adjustment of consent; provider: Usercentrics GmbH, Munich, Germany; website: https://usercentrics.com/de; privacy policy: https://usercentrics.com/de/datenschutzerklaerung/.

Processing of Data within signotec Applications (Apps)

We process users’ data within our applications to the extent necessary to provide users with the respective application and its functionalities, to monitor its security, and to further develop it. We may also contact users in compliance with legal requirements if communication is necessary for administrative purposes or for the use of the application. Otherwise, with regard to the processing of user data, we refer to the privacy notices in this privacy policy.

Legal bases:
The processing of data required to provide the functionalities of the application serves the fulfillment of contractual obligations. This also applies if the provision of functions requires user permissions (e.g., granting access to device functions). If the processing of data is not necessary for providing the functionalities of the application, but serves the security of the application or our economic interests (e.g., collecting data for optimization or security purposes), it is carried out on the basis of our legitimate interests. If users are explicitly asked for their consent to process their data, the processing of the data covered by the consent is carried out on the basis of that consent.

Types of processed data:
Master data (e.g., full name, residential address, contact information, customer number, etc.); usage data (e.g., page views and duration of visits, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved persons); payment data (e.g., bank details, invoices, payment history); contract data (e.g., subject matter, duration, customer category); image and/or video recordings (e.g., photographs or video recordings of a person); location data (information about the geographical position of a device or a person).

Data subjects:
Users (e.g., website visitors, users of online services).

Purposes of processing and legitimate interests:
Provision of contractual services and fulfillment of contractual obligations; security measures; provision of our online offering and user-friendliness.

Retention and deletion:
Deletion in accordance with the section “General Information on Data Storage and Deletion.”

Legal bases:
Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b GDPR); legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).


Further information on processing operations, procedures, and services:

  • Commercial use:
    We process the data of users of our application, registered users, and potential test users (hereinafter collectively referred to as “users”) in order to provide our contractual services and, based on legitimate interests, to ensure the security of our application and to further develop it. The required information is marked accordingly within the context of usage, order, or similar contractual processes and may include information necessary for providing services and billing, as well as contact information for communication; legal basis: contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b GDPR).
  • Storage of a universal and unique identifier (UUID):
    The application stores a so-called universally unique identifier (UUID) for the purpose of analyzing usage and functionality of the application and storing user settings. This identifier is generated upon installation (not linked to the device, i.e., not a device ID), persists between app launches and updates, and is deleted when the user removes the application from their device.
  • Device permissions for access to functions and data:
    The use of our application or its functionalities may require user permissions to access certain functions of the device used or data stored on or accessible via the device. By default, these permissions must be granted by users and can be revoked at any time in the device settings. The exact procedure depends on the device and software used. Users can contact us if clarification is needed. Denying or revoking permissions may affect the functionality of our application.
  • Access to the camera and stored recordings:
    Within the use of our application, image and/or video recordings (including audio recordings) of users (and other persons captured in the recordings) are processed via access to camera functions or stored recordings. Access requires user permission, which can be revoked at any time. Processing is carried out solely to provide the respective functionality of the application.
  • Processing of location data:
    Location data collected by the device or entered by users is processed within the use of our application. This requires user permission, which can be revoked at any time. The use of location data is limited to providing the respective functionality of the application.
  • No location history or movement profiles:
    Location data is only used selectively and is not processed to create location histories or movement profiles of devices or users.
  • Product activation:
    To ensure proper use and licensing of our software, for products with online licensing, a device ID and license information are automatically transmitted to us regularly—typically every 24 hours, but at least once every 60 days. This data is processed solely for license validation.
  • Software-as-a-Service:
    We host SaaS and licensing services within Germany. No data transfer outside the EU takes place unless explicitly stated and legally justified (e.g., via EU standard contractual clauses). Further information can be found in the respective user agreements.
  • Data security:
    We implement technical and organizational measures (TOMs) to protect your data against manipulation, loss, destruction, or unauthorized access. These include encrypted connections, access controls, and regular security updates. Current TOMs are available upon request at info@signotec.de.

Obtaining Applications via App Stores

Our application is distributed via special online platforms operated by third-party providers (“app stores”). In this context, the privacy policies of the respective app stores apply in addition to our own, particularly regarding analytics and interest-based marketing as well as any potential costs.

Types of processed data:
Master data; payment data; contact data; contract data; usage data; meta, communication, and procedural data.

Data subjects:
Service recipients and clients; users (e.g., website visitors, users of online services).

Purposes of processing and legitimate interests:
Provision of contractual services and fulfillment of contractual obligations; provision of our online offering and user-friendliness.

Retention and deletion:
Deletion in accordance with the section “General Information on Data Storage and Deletion.”

Legal basis:
Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).


Further information on services:

Contact and Inquiry Management

When contacting us (e.g., by post, contact form, email, telephone, or via social media), as well as within existing user and business relationships, the data provided by the inquiring persons is processed to the extent necessary to respond to contact inquiries and any requested measures.

Types of processed data:
Contact data (e.g., postal and email addresses or telephone numbers); content data (e.g., textual or visual messages and posts, as well as related information such as authorship or time of creation); meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved persons); usage data (e.g., page views and duration, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions).

Data subjects:
Communication partners; service recipients and clients; interested parties; business and contractual partners.

Purposes of processing and legitimate interests:
Communication; organizational and administrative procedures; feedback (e.g., collecting feedback via online forms); provision of our online offering and user-friendliness; office and organizational procedures.

Retention and deletion:
Deletion in accordance with the section “General Information on Data Storage and Deletion.”

Legal bases:
Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR); contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b GDPR).


Further information on processing operations, procedures, and services:


Video Conferences, Online Meetings, Webinars, and Screen Sharing

We use platforms and applications from third-party providers (hereinafter referred to as “conference platforms”) for conducting video and audio conferences, webinars, and other types of video and audio meetings (collectively referred to as “conferences”). When selecting conference platforms and their services, we comply with legal requirements.

Data processed by conference platforms:
In the course of participating in a conference, the conference platforms process the personal data of participants listed below. The scope of processing depends on the data required for a specific conference (e.g., login data or real names) and any optional information provided by participants. In addition to processing for conducting the conference, participant data may also be processed for security purposes or service optimization.

Processed data includes personal data (first name, last name), contact details (email address, phone number), access data (access codes or passwords), profile images, professional role/function, IP address, device information, operating system, browser and its technical and language settings, information about communication content (chat inputs, audio and video data), and usage of other available features (e.g., polls). Communication content is encrypted to the extent technically provided by the platform. If participants are registered users of the platform, additional data may be processed in accordance with the agreement with the respective provider.

Logging and recordings:
If text entries, participation results (e.g., from polls), or audio/video recordings are logged, participants will be informed in advance and, where required, asked for consent.

Data protection measures for participants:
Please refer to the privacy policies of the conference platforms for details on data processing and choose the security and privacy settings that best suit you. During video conferences, please ensure the protection of your data and personal privacy in the background (e.g., informing cohabitants, locking doors, or using background blur features where available). Access links and credentials must not be shared with unauthorized third parties.

Notes on legal bases:
If we process user data in addition to the conference platforms and request user consent (e.g., for recording conferences), the legal basis is consent. Processing may also be necessary for fulfilling contractual obligations (e.g., participant lists, documentation of results). Otherwise, processing is based on our legitimate interests in efficient and secure communication.


Types of processed data:
Master data; contact data; content data; usage data; image/video recordings; audio recordings; log data (e.g., login logs or access times).

Data subjects:
Communication partners; users (e.g., website visitors, users of online services); depicted persons.

Purposes:
Provision of contractual services; communication; organizational procedures.

Retention and deletion:
Deletion in accordance with the section “General Information on Data Storage and Deletion.”

Legal basis:
Legitimate interests (Art. 6 para. 1 lit. f GDPR).


Further information on services:

  • Microsoft Teams:
    Used for conducting online events, conferences, and communication with internal and external participants. Features include voice transmission, direct messaging, group communication, and collaboration tools. Processed data includes name, business contact details, work profile, participation, and content (audio/video, speech, chat, files, speech transcription). Processing serves purposes such as efficiency and productivity improvement, cost efficiency, flexibility, mobility, improved communication, IT security, centralized platform use, and business operations.

Audio signals are generally not stored unless recording is activated. Meeting and conference recordings are stored for 90 days by default unless otherwise specified. Chat and file content are stored according to administrator or user-defined policies; by default, there is no automatic deletion. Channels must be renewed every 180 days, otherwise content is deleted. Additionally, system-generated logs, diagnostic data, and metadata are processed to improve product stability, security, and performance.

Service providers: Microsoft Ireland Operations Limited, Dublin, Ireland; Microsoft Corporation, Redmond, USA.
Legal basis: legitimate interests (Art. 6 para. 1 lit. f GDPR).
Website: https://www.microsoft.com/de-de/microsoft-teams/
Privacy policy: https://privacy.microsoft.com/de-de/privacystatement
Security information: https://www.microsoft.com/de-de/trustcenter
Basis for third-country transfers: Data Privacy Framework (DPF), Standard Contractual Clauses.

Cloud Services

We use software services accessible via the Internet and executed on the servers of their providers (so-called “cloud services”, also referred to as “Software as a Service”) for storing and managing content (e.g., document storage and management, exchange of documents, content and information with specific recipients, or publication of content and information).

Within this context, personal data may be processed and stored on the providers’ servers if it is part of communication processes with us or is otherwise processed by us as described in this privacy policy. This data may include, in particular, master data and contact data of users, data relating to processes, contracts, other procedures, and their content. The providers of the cloud services also process usage data and metadata, which they use for security purposes and service optimization.

If we provide forms or other documents and content for other users or publicly accessible websites using cloud services, the providers may store cookies on users’ devices for web analytics purposes or to remember user settings (e.g., media controls).

Types of processed data:
Master data (e.g., full name, residential address, contact information, customer number, etc.); contact data (e.g., postal and email addresses or telephone numbers); content data (e.g., textual or visual messages and posts and related information such as authorship or time of creation); usage data (e.g., page views and duration, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions).

Data subjects:
Interested parties; communication partners; business and contractual partners.

Purposes of processing and legitimate interests:
Office and organizational procedures; IT infrastructure (operation and provision of information systems and technical devices such as computers and servers).

Retention and deletion:
Deletion in accordance with the section “General Information on Data Storage and Deletion.”

Legal basis:
Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).


Further information on processing operations, procedures, and services:

  • Microsoft 365 and Microsoft cloud services:
    Provision of applications, protection of data and IT systems, and use of system-generated logs, diagnostic data, and metadata for contract performance by Microsoft. Processed data includes contact data (name, email address), content data (files, comments, profiles), software setup and inventory data, device connectivity and configuration data, work interactions (e.g., badge swipe), as well as log and metadata.

Processing is carried out for purposes such as increasing efficiency and productivity, cost efficiency, flexibility, mobility, improved communication, integration of Microsoft services, IT security, and Microsoft business operations. Data retention depends on the respective documents and company policies; for Defender (data and IT protection) up to 12 months, and for print management 10 days. Additionally, diagnostic data is collected for product stability and improvement.

Service providers: Microsoft Ireland Operations Limited, Dublin, Ireland; Microsoft Corporation, Redmond, USA.
Legal basis: legitimate interests (Art. 6 para. 1 lit. f GDPR).
Website: https://microsoft.com/de-de
Privacy policy: https://privacy.microsoft.com/de-de/privacystatement
Security information: https://www.microsoft.com/de-de/trustcenter
Data processing agreement: https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA
Basis for third-country transfers: Data Privacy Framework (DPF), Standard Contractual Clauses.

  • STARFACE Cloud (telephone system):
    Provision of a cloud-based telephone system for handling incoming and outgoing calls and for internal and external business communication. Processed data includes communication and connection data (caller and callee numbers, date and time of calls, call duration), voicemail data (if applicable), device and configuration data, user account data (name, business contact details), and system-generated logs and metadata.

Processing is carried out to ensure efficient and reliable business communication, IT security, error analysis, system stability, and organization and documentation of communication processes. Data retention depends on system settings and internal company policies.

Service provider: STARFACE GmbH, Stephanienstraße 102, 76133 Karlsruhe, Germany.
Website: https://www.starface.com
Privacy policy: https://www.starface.com/de/datenschutz/
Legal bases: legitimate interests (Art. 6 para. 1 lit. f GDPR) and, where applicable, contract performance and pre-contractual measures (Art. 6 para. 1 lit. b GDPR).
Processing generally takes place within the EU; any transfer to third countries is based on appropriate safeguards pursuant to Art. 44 et seq. GDPR.


Newsletters and Electronic Notifications

We send newsletters, emails, and other electronic notifications (hereinafter “newsletters”) only with the consent of the recipients (double opt-in) or on the basis of a legal authorization. If the content of the newsletter is specified during registration, it is decisive for the user’s consent. Usually, providing your email address is sufficient for registration. However, to offer a personalized service, we may request your name or additional information if necessary for the newsletter’s purpose.

Deletion and restriction of processing:
We may store unsubscribed email addresses for up to three years based on our legitimate interests in order to prove previously given consent. Processing of this data is limited to the purpose of defending against potential claims. An individual deletion request is possible at any time if the previous consent is confirmed.

In cases where we must permanently observe objections, we reserve the right to store the email address solely for this purpose in a suppression list (“blocklist”).

Logging of the registration process is carried out based on our legitimate interests to prove proper execution. If we use a service provider for sending emails, this is based on our legitimate interests in an efficient and secure mailing system.

Content:
Information about us, our services, promotions, and offers.

Types of processed data:
Master data; contact data; meta, communication, and procedural data; usage data.

Data subjects:
Communication partners.

Purposes of processing and legitimate interests:
Direct marketing (e.g., via email or post); reach measurement (e.g., access statistics, recognition of returning visitors).

Legal bases:
Consent (Art. 6 para. 1 lit. a GDPR); legitimate interests (Art. 6 para. 1 lit. f GDPR).

Right to object (opt-out):
You can unsubscribe from our newsletter at any time, i.e., withdraw your consent or object to further receipt. A link to unsubscribe can be found at the end of each newsletter or you can use one of the contact options provided above, preferably email.


Further information on processing operations, procedures, and services:

  • Measurement of open and click rates:
    Newsletters contain so-called “web beacons” (pixel-sized files) that are retrieved when the newsletter is opened. During retrieval, technical information (e.g., browser, system data), IP address, and time of access are collected. This information is used to improve the newsletter based on technical data or audience behavior (e.g., location determined via IP or access times).

This analysis also includes determining whether newsletters are opened, when they are opened, and which links are clicked. The collected information is assigned to individual recipients and stored in their profiles until deletion. Based on this, user profiles are created to analyze usage behavior and characteristics.

The measurement of open and click rates and storage of results in user profiles are carried out based on user consent. A separate withdrawal of this tracking is not possible; in such cases, the entire newsletter subscription must be canceled. Stored profile data will then be deleted.
Legal basis: consent (Art. 6 para. 1 lit. a GDPR).

  • Reminder emails for order processes:
    If users do not complete an order process, we may send reminder emails with a link to continue the process. This may be useful if the process was interrupted (e.g., browser crash or oversight). Sending such emails is based on user consent, which can be withdrawn at any time.
    Legal basis: consent (Art. 6 para. 1 lit. a GDPR).
  • Brevo:
    Email delivery and automation services; service provider: Sendinblue GmbH, Köpenicker Str. 126, 10179 Berlin, Germany;
    Legal basis: legitimate interests (Art. 6 para. 1 lit. f GDPR);
    Website: https://www.brevo.com/
    Privacy policy: https://www.brevo.com/legal/privacypolicy/
    Data processing agreement: provided by the service provider.


Web Analysis, Monitoring and Optimisation

Web analysis (also referred to as “reach measurement”) is used to evaluate the visitor flows of our online services and may include behaviour, interests or demographic information about visitors, such as age or gender, as pseudonymous values. With the help of reach analysis, we can, for example, recognise at what time our online services or their functions or content are most frequently used, or invite users to return. It also enables us to understand which areas require optimisation.

In addition to web analysis, we may also use testing procedures, for instance, to test and optimise different versions of our online services or their components.

Unless otherwise stated below, profiles—i.e., data summarised for a usage process—may be created for these purposes and information may be stored in a browser or terminal device and then read. The information collected includes, in particular, websites visited and elements used there, as well as technical information, such as the browser used, the computer system used and information on usage times. If users have consented to the collection of their location data by us or the providers of the services we use, the processing of location data is also possible.

Furthermore, the IP addresses of users are stored. However, we use an IP masking procedure (i.e., pseudonymisation by shortening the IP address) to protect users. Generally, no clear data of users (such as email addresses or names) are stored within the scope of web analysis, A/B testing and optimisation; instead, pseudonyms are used. This means that neither we nor the providers of the software used know the actual identity of the users, but only the information stored in their profiles for the purpose of the respective procedures.

Notes on legal bases: If we ask users for their consent to the use of third-party providers, the legal basis for data processing is consent. Otherwise, user data is processed on the basis of our legitimate interests (i.e., interest in efficient, economical and recipient-friendly services). In this context, we would also like to refer you to the information on the use of cookies in this privacy policy.

  • Processed data types: Usage data (e.g. page views and duration of stay, click paths, intensity and frequency of use, device types and operating systems used, interactions with content and functions). Meta, communication and procedural data (e.g. IP addresses, time stamps, identification numbers, involved persons).

  • Data subjects: Users (e.g. website visitors, users of online services).

  • Purposes of processing and legitimate interests: Reach measurement (e.g. access statistics, recognition of returning visitors); profiles with user-related information (creation of user profiles); provision of our online services and user-friendliness. Tracking (e.g. interest-/behaviour-related profiling, use of cookies).

  • Retention and deletion: Deletion according to the details in the section “General Information on Data Storage and Deletion”. Storage of cookies for up to 2 years (unless otherwise stated, cookies and similar storage methods may be stored on users’ devices for a period of two years).

  • Security measures: IP masking (pseudonymisation of the IP address).

  • Legal bases: Consent (Art. 6(1)(a) GDPR). Legitimate interests (Art. 6(1)(f) GDPR).

Further information on processing operations, procedures and services:

  • Google Analytics: We use Google Analytics to measure and analyse the use of our online services on the basis of a pseudonymous user identification number. This identification number does not contain any unique data, such as names or email addresses. It serves to assign analysis information to a terminal device in order to recognise which content users have accessed within one or various usage processes, which search terms they have used, whether they have accessed it again or interacted with our online services. Likewise, the time of use and its duration are stored, as well as the sources of users referring to our online services and technical aspects of their terminal devices and browsers. Pseudonymous user profiles are created with information from the use of different devices, whereby cookies may be used. Google Analytics does not log or store individual IP addresses for EU users. However, Analytics provides coarse geographical location data by deriving the following metadata from IP addresses: city (and the derived latitude and longitude of the city), continent, country, region, subcontinent (and ID-based counterparts). For EU traffic, IP address data is used exclusively for this derivation of geolocation data before being immediately deleted. They are not logged, are not accessible and are not used for further purposes. When Google Analytics collects measurement data, all IP queries are performed on EU-based servers before traffic is forwarded to Analytics servers for processing; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal bases: Consent (Art. 6(1)(a) GDPR); Website: https://marketingplatform.google.com/intl/en/about/analytics/; Security measures: IP masking (pseudonymisation of the IP address); Privacy Policy: https://policies.google.com/privacy; Data Processing Agreement: https://business.safety.google/adsprocessorterms/; Basis for third-country transfers: Data Privacy Framework (DPF), Standard Contractual Clauses (https://business.safety.google/adsprocessorterms); Opt-out option: Opt-out plugin: https://tools.google.com/dlpage/gaoptout?hl=en, settings for the display of advertisements: https://myadcenter.google.com/personalizationoff. Further information: https://business.safety.google/adsservices/ (types of processing and data processed).

  • Google Tag Manager: We use the Google Tag Manager, software from Google that allows us to manage so-called website tags centrally via a user interface. Tags are small code elements on our website that serve to capture and analyse visitor activities. This technology helps us to improve our website and the content offered on it. The Google Tag Manager itself does not create user profiles, does not store cookies with user profiles and does not perform independent analyses. Its function is limited to simplifying and making the integration and management of tools and services we use on our website more efficient. Nevertheless, when using the Google Tag Manager, the user’s IP address is transmitted to Google, which is technically necessary to implement the services we use. Cookies may also be set. However, this data processing only takes place if services are integrated via the Tag Manager. For more detailed information on these services and their data processing, we refer to the subsequent sections of this privacy policy; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal bases: Consent (Art. 6(1)(a) GDPR); Website: https://marketingplatform.google.com; Privacy Policy: https://policies.google.com/privacy; Data Processing Agreement: https://business.safety.google/adsprocessorterms. Basis for third-country transfers: Data Privacy Framework (DPF), Standard Contractual Clauses (https://business.safety.google/adsprocessorterms).

  • Microsoft Clarity: Web analysis, reach measurement and analysis of user behaviour regarding usage and interests concerning functions and content as well as their usage duration on the basis of a pseudonymous user identification number and profile formation; Service provider: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland; Legal bases: Consent (Art. 6(1)(a) GDPR); Website: https://clarity.microsoft.com; Privacy Policy: https://privacy.microsoft.com/en-gb/privacystatement; Data Processing Agreement: https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA. Basis for third-country transfers: Data Privacy Framework (DPF), Standard Contractual Clauses (https://www.microsoft.com/en-us/privacy/privacystatement).


Customer Reviews and Rating Procedures

We participate in review and rating procedures to evaluate, optimise and advertise our services. If users rate us via the participating rating platforms or procedures or otherwise provide feedback, the General Terms and Conditions or Terms of Use and the privacy notices of the providers also apply. As a rule, the rating also requires registration with the respective providers.

To ensure that the persons providing the ratings have actually used our services, we transfer the necessary data regarding the customer and the service used to the respective rating platform (including name, email address and order number or article number) with the customer’s consent. This data is used solely to verify the authenticity of the user.

  • Processed data types: Contract data (e.g. subject matter of contract, term, customer category); usage data (e.g. page views and duration of stay, click paths, intensity and frequency of use, device types and operating systems used, interactions with content and functions). Meta, communication and procedural data (e.g. IP addresses, time stamps, identification numbers, involved persons).

  • Data subjects: Service recipients and clients. Users (e.g. website visitors, users of online services).

  • Purposes of processing and legitimate interests: Feedback (e.g. collecting feedback via online form). Marketing.

  • Legal bases: Legitimate interests (Art. 6(1)(f) GDPR).

Further information on processing operations, procedures and services:

  • Google Customer Reviews: Service for obtaining and/or displaying customer satisfaction and customer opinions; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal bases: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.google.com/; Privacy Policy: https://policies.google.com/privacy; Basis for third-country transfers: Data Privacy Framework (DPF); Further information: Within the scope of obtaining customer reviews, an identification number and time for the transaction to be reviewed are processed. In the case of review requests sent directly to customers, the customer’s email address and their information regarding the country of residence, as well as the review details themselves, are processed. Further details on types of processing and data processed: https://business.safety.google/adsservices/. Data processing terms for Google advertising products: Information on services, data processing terms between controllers and standard contractual clauses for third-country transfers of data: https://business.safety.google/adscontrollerterms.

Presence in Social Networks (Social Media)

We maintain online presences within social networks and process user data in this context in order to communicate with the users active there or to offer information about us.

We would like to point out that user data may be processed outside the European Union. This may result in risks for users, as it could, for example, make the enforcement of user rights more difficult.

Furthermore, user data within social networks is usually processed for market research and advertising purposes. For example, usage profiles can be created based on usage behaviour and the resulting interests of the users. The latter may in turn be used, for example, to place advertisements within and outside the networks that presumably correspond to the interests of the users. For these purposes, cookies are usually stored on the users’ computers, in which the usage behaviour and interests of the users are saved. In addition, data independent of the devices used by the users may also be stored in the usage profiles (especially if they are members of the respective platforms and are logged in there).

For a detailed description of the respective forms of processing and the possibilities of objection (opt-out), we refer to the privacy policies and information provided by the operators of the respective networks.

Also, in the case of requests for information and the assertion of data subject rights, we point out that these can be asserted most effectively with the providers. Only the latter have access to the user data and can directly take appropriate measures and provide information. Should you nevertheless require assistance, you may contact us.

  • Processed data types: Contact data (e.g. postal and email addresses or telephone numbers); content data (e.g. textual or visual messages and posts as well as information concerning them, such as details on authorship or time of creation). Usage data (e.g. page views and duration of stay, click paths, intensity and frequency of use, device types and operating systems used, interactions with content and functions).

  • Data subjects: Users (e.g. website visitors, users of online services).

  • Purposes of processing and legitimate interests: Communication; feedback (e.g. collecting feedback via online form). Public relations.

  • Retention and deletion: Deletion according to the details in the section „General Information on Data Storage and Deletion“.

  • Legal bases: Legitimate interests (Art. 6(1)(f) GDPR).

Further information on processing operations, procedures and services:

  • Instagram: Social network, allows sharing of photos and videos, commenting and favouriting posts, messaging, subscribing to profiles and pages; Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal bases: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.instagram.com; Privacy Policy: https://privacycenter.instagram.com/policy/. Basis for third-country transfers: Data Privacy Framework (DPF).

  • Facebook Pages: Profiles within the social network Facebook – Together with Meta Platforms Ireland Limited, the controller is responsible for the collection and transmission of data of visitors to our Facebook page („Fanpage“). This includes, in particular, information about user behaviour (e.g. content viewed or interacted with, actions performed) as well as device information (e.g. IP address, operating system, browser type, language settings, cookie data). Further details can be found in the Facebook Data Policy: https://www.facebook.com/privacy/policy/. Facebook also uses this data to provide us with statistical evaluations via the „Page Insights“ service, which provide information on how people interact with our page and its content. This is based on an agreement with Facebook („Information about Page Insights“: https://www.facebook.com/legal/terms/page_controller_addendum), which regulates, among other things, security measures and the exercise of data subject rights. Further information can be found here: https://www.facebook.com/legal/terms/information_about_page_insights_data. Users can therefore direct requests for information or deletion directly to Facebook. The rights of users (in particular information, deletion, objection, complaint to a supervisory authority) remain unaffected by this. The joint responsibility is limited exclusively to the collection of data by Meta Platforms Ireland Limited (EU). Meta Platforms Ireland Limited is solely responsible for further processing, including a possible transfer to Meta Platforms Inc. in the USA; Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal bases: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.facebook.com; Privacy Policy: https://www.facebook.com/privacy/policy/. Basis for third-country transfers: Data Privacy Framework (DPF), Standard Contractual Clauses (https://www.facebook.com/legal/EU_data_transfer_addendum).

  • LinkedIn: Social network – Together with LinkedIn Ireland Unlimited Company, we are responsible for the collection (but not the further processing) of data of visitors used to create the „Page Insights“ (statistics) of our LinkedIn profiles. This data includes information about the types of content users view or interact with, as well as the actions they take. In addition, details about the devices used are recorded, such as IP addresses, operating system, browser type, language settings and cookie data, as well as information from user profiles, such as job function, country, industry, hierarchy level, company size and employment status. Data protection information on the processing of user data by LinkedIn can be found in LinkedIn’s privacy policy: https://www.linkedin.com/legal/privacy-policy. We have entered into a special agreement with LinkedIn Ireland („Page Insights Joint Controller Addendum“, https://legal.linkedin.com/pages-joint-controller-addendum), which specifically regulates which security measures LinkedIn must observe and in which LinkedIn has agreed to fulfil the rights of the data subjects (i.e. users can, for example, direct requests for information or deletion directly to LinkedIn). The rights of users (in particular the right to information, deletion, objection and complaint to the competent supervisory authority) are not restricted by the agreements with LinkedIn. Joint responsibility is limited to the collection and transmission of data to LinkedIn Ireland Unlimited Company, a company based in the EU. Further processing of the data is the sole responsibility of LinkedIn Ireland Unlimited Company, particularly regarding the transfer of data to the parent company LinkedIn Corporation in the USA; Service provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland; Legal bases: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.linkedin.com; Privacy Policy: https://www.linkedin.com/legal/privacy-policy; Basis for third-country transfers: Data Privacy Framework (DPF), Standard Contractual Clauses (https://legal.linkedin.com/dpa). Opt-out option: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.

  • YouTube: Social network and video platform; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal bases: Legitimate interests (Art. 6(1)(f) GDPR); Privacy Policy: https://policies.google.com/privacy; Basis for third-country transfers: Data Privacy Framework (DPF). Opt-out option: https://myadcenter.google.com/personalizationoff.

  • Xing: Social network; Service provider: New Work SE, Am Strandkai 1, 20457 Hamburg, Germany; Legal bases: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.xing.com/. Privacy Policy: https://privacy.xing.com/en/privacy-policy.


Plugins and Embedded Functions and Content

We integrate functional and content elements into our online services that are obtained from the servers of their respective providers (hereinafter referred to as „third-party providers“). These may be, for example, graphics, videos or city maps (hereinafter uniformly referred to as „content“).

Integration always requires that the third-party providers of this content process the user’s IP address, as they could not send the content to their browser without the IP address. The IP address is therefore required for the display of this content or these functions. We endeavour to use only such content whose respective providers use the IP address solely for the delivery of the content. Third-party providers may also use so-called pixel tags (invisible graphics, also referred to as „web beacons“) for statistical or marketing purposes. Through „pixel tags“, information such as visitor traffic on the pages of this website can be evaluated. The pseudonymous information may also be stored in cookies on the user’s device and may contain, among other things, technical information about the browser and operating system, referring websites, visit time and other details about the use of our online services, but may also be combined with such information from other sources.

Notes on legal bases: If we ask users for their consent to the use of third-party providers, the legal basis for data processing is consent. Otherwise, user data is processed on the basis of our legitimate interests (i.e. interest in efficient, economical and recipient-friendly services). In this context, we would also like to refer you to the information on the use of cookies in this privacy policy.

  • Processed data types: Usage data (e.g. page views and duration of stay, click paths, intensity and frequency of use, device types and operating systems used, interactions with content and functions); meta, communication and procedural data (e.g. IP addresses, time stamps, identification numbers, involved persons). Location data (information on the geographical position of a device or a person).

  • Data subjects: Users (e.g. website visitors, users of online services).

  • Purposes of processing and legitimate interests: Provision of our online services and user-friendliness; provision of contractual services and fulfilment of contractual obligations; reach measurement (e.g. access statistics, recognition of returning visitors); tracking (e.g. interest-/behaviour-related profiling, use of cookies); target group formation. Marketing.

  • Retention and deletion: Deletion according to the details in the section „General Information on Data Storage and Deletion“. Storage of cookies for up to 2 years (unless otherwise stated, cookies and similar storage methods may be stored on users’ devices for a period of two years).

  • Legal bases: Consent (Art. 6(1)(a) GDPR). Legitimate interests (Art. 6(1)(f) GDPR).

Further information on processing operations, procedures and services:

  • Google Maps: We integrate maps from the „Google Maps“ service of the provider Google. The data processed may include, in particular, IP addresses and location data of users; Service provider: Google Cloud EMEA Limited, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland; Legal bases: Consent (Art. 6(1)(a) GDPR); Website: https://mapsplatform.google.com/; Privacy Policy: https://policies.google.com/privacy. Basis for third-country transfers: Data Privacy Framework (DPF).

  • reCAPTCHA: We integrate the „reCAPTCHA“ function to be able to recognise whether entries (e.g. in online forms) are made by humans and not by automatically acting machines (so-called „bots“). The data processed may include IP addresses, information on operating systems, devices or browsers used, language settings, location, mouse movements, keystrokes, duration of stay on websites, previously visited websites, interactions with reCAPTCHA on other websites, cookies where applicable, and results of manual recognition processes (e.g. answering questions asked or selecting objects in images). Data processing is based on our legitimate interest in protecting our online offer from abusive automated crawling and spam; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal bases: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.google.com/recaptcha/; Privacy Policy: https://policies.google.com/privacy; Data Processing Agreement: https://cloud.google.com/terms/data-processing-addendum (from 02.04.2026). Basis for third-country transfers: Data Privacy Framework (DPF), Standard Contractual Clauses (https://cloud.google.com/terms/sccs/eu-c2p (from 02.04.2026)).

  • YouTube Videos: Videos stored on YouTube are embedded within our online services. The integration of these YouTube videos takes place via a special domain using the „youtube-nocookie“ component in the so-called „enhanced data protection mode“. In „enhanced data protection mode“, until the video is started, only information, including your IP address and details about the browser and your terminal device, may be stored on your terminal device in cookies or using comparable procedures that YouTube requires for the output, control and optimisation of the video display. As soon as you play the videos, additional information for the analysis of usage behaviour as well as for storage in the user profile and for the personalisation of content and advertisements by YouTube can be processed. The storage duration for the cookies can be up to two years; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal bases: Consent (Art. 6(1)(a) GDPR); Website: https://www.youtube.com; Privacy Policy: https://policies.google.com/privacy; Basis for third-country transfers: Data Privacy Framework (DPF). Further information: https://support.google.com/youtube/answer/171780?hl=de#zippy=%2Cturn-on-privacy-enhanced-mode.


Processing of Data within the Scope of Employment Relationships

In the context of employment relationships, personal data is processed with the aim of effectively managing the establishment, performance, and termination of such relationships. This data processing supports various operational and administrative functions required for the management of employee relations.

The data processing encompasses various aspects, ranging from the initiation of the contract to its dissolution. This includes the organisation and management of daily working hours, the administration of access rights and permissions, as well as the handling of personnel development measures and employee appraisals. The processing also serves the accounting and management of wage and salary payments, which represent critical aspects of contract performance.

Additionally, data processing takes into account the legitimate interests of the responsible employer, such as ensuring workplace security or recording performance data for the evaluation and optimisation of operational processes. Furthermore, data processing includes the disclosure of employee data within the scope of external communication and publication processes where this is required for operational or legal purposes.

The processing of this data is always carried out in compliance with the applicable legal frameworks, with the objective of creating and maintaining a fair and efficient working environment. This also includes the consideration of the data protection of the employees concerned, and the anonymisation or deletion of data once the purpose of processing has been fulfilled or in accordance with statutory retention periods.

  • Processed data types: Employee data (information on employees and other persons in an employment relationship); payment data (e.g. bank details, invoices, payment history); contract data (e.g. subject matter of contract, term, customer category); master data (e.g. full name, residential address, contact information, customer number, etc.); contact data (e.g. postal and email addresses or telephone numbers); content data (e.g. textual or visual messages and posts as well as information concerning them, such as details on authorship or time of creation); social data (data subject to social secrecy, processed for example by social security institutions, social welfare agencies or pension authorities); log data (e.g. log files regarding logins or the retrieval of data or access times); performance and behavioural data (e.g. performance evaluations, feedback from supervisors, training participation, compliance with company policies, self-assessments and behavioural assessments); working time data (e.g. start of working hours, end of working hours, actual hours worked, target hours, break times, overtime, holidays, special leave, sick days, absences, home-office days, business trips); salary data (e.g. basic salary, bonus payments, incentives, tax code information, supplements for night work/overtime, tax deductions, National Insurance contributions, net payout amount); image and/or video recordings (e.g. photographs or video recordings of a person); usage data (e.g. page views and duration of stay, click paths, intensity and frequency of use, device types and operating systems used, interactions with content and functions). Meta, communication and procedural data (e.g. IP addresses, time stamps, identification numbers, involved persons).

  • Special categories of personal data: Health data; religious or philosophical beliefs; trade union membership.

  • Data subjects: Employees (e.g. staff, applicants, temporary workers and other employees).

  • Purposes of processing and legitimate interests: Establishment and performance of employment relationships (processing of employee data within the scope of establishing and performing employment relationships); business processes and commercial procedures; provision of contractual services and fulfilment of contractual obligations; public relations; security measures. Office and organisational procedures.

  • Legal bases: Performance of a contract and pre-contractual enquiries (Art. 6(1)(b) GDPR); Legal obligation (Art. 6(1)(c) GDPR); Legitimate interests (Art. 6(1)(f) GDPR). Processing of special categories of personal data in relation to health, occupation and social security (Art. 9(2)(h) GDPR).

Further information on processing operations, procedures and services:

  • Recording of Working Hours: Procedures for recording employees’ working hours include both manual and automated methods, such as the use of time clocks, time-tracking software or mobile apps. This involves activities such as entering clock-in and clock-out times, break times, overtime and absences. The verification and validation of recorded working hours include comparison with duty or shift schedules, the checking of absences and the approval of overtime by supervisors. Reports and analyses are generated based on the recorded working hours to provide records of hours worked, overtime reports and absence statistics for management and the HR department; Legal bases: Performance of a contract and pre-contractual enquiries (Art. 6(1)(b) GDPR), Legitimate interests (Art. 6(1)(f) GDPR).

  • Permission Management: Procedures required for the definition, management and control of access rights and user roles within a system or organisation (e.g. creation of permission profiles, role- and access-based control, checking and approval of access requests, regular review of access rights, tracking and auditing of user activities, creation of security policies and procedures); Legal bases: Performance of a contract and pre-contractual enquiries (Art. 6(1)(b) GDPR), Legal obligation (Art. 6(1)(c) GDPR), Legitimate interests (Art. 6(1)(f) GDPR).

  • Special Categories of Personal Data: Special categories of personal data are processed within the scope of the employment relationship or to fulfil legal obligations. The processed special categories of personal data include data concerning health, trade union membership or religious affiliation of employees. This data may, for example, be passed on to health insurance providers or processed to assess the employees’ fitness for work, for occupational health management or for declarations to the tax office; Legal bases: Performance of a contract and pre-contractual enquiries (Art. 6(1)(b) GDPR), Legal obligation (Art. 6(1)(c) GDPR), Legitimate interests (Art. 6(1)(f) GDPR).

  • Sources of Processed Data: Personal data obtained during the application process and/or the employment relationship is processed. In addition, where legally required, personal data is collected from other sources. These may include tax authorities for tax-relevant information, the respective health insurance provider for information on incapacity for work, third parties such as employment agencies or publicly accessible sources such as professional social networks in the context of application procedures; Legal bases: Legal obligation (Art. 6(1)(c) GDPR), Legitimate interests (Art. 6(1)(f) GDPR).

  • Purposes of Data Processing: The personal data of employees is primarily processed for the establishment, implementation and termination of the employment relationship. Furthermore, the processing of this data is necessary to fulfil legal obligations in the field of tax and social security law. In addition to these primary purposes, employee data is also used to fulfil regulatory and supervisory requirements, to optimise electronic data processing procedures and to compile internal or cross-company data, potentially including statistical data. Furthermore, employee data may be processed for the assertion of legal claims and for defence in legal disputes; Legal bases: Performance of a contract and pre-contractual enquiries (Art. 6(1)(b) GDPR), Legal obligation (Art. 6(1)(c) GDPR), Legitimate interests (Art. 6(1)(f) GDPR).

  • Transfer of Employee Data: Internally, employee data is only processed by those departments that require it to fulfil operational, contractual and legal obligations. Data is only passed on to external recipients if this is legally required or if the employees concerned have given their consent. Possible scenarios for this include requests for information from authorities or in the event of capital-forming benefits (Vermögenswirksame Leistungen). Furthermore, the controller may forward personal data to other recipients insofar as this is necessary to fulfil its contractual and legal obligations as an employer. These recipients may include: a) Banks b) Health insurance providers, pension insurance institutions, retirement provision providers and other social security institutions c) Authorities, courts (e.g. tax authorities, labour courts, other supervisory authorities within the scope of fulfilling reporting and information obligations) d) Tax and legal advisors e) Third-party debtors in the event of wage and salary garnishments f) Other bodies to which legally mandatory declarations must be made. Furthermore, data may be passed on to third parties if this is necessary for communication with business partners, suppliers or other service providers. Examples of this include information in the sender area of emails or letterheads as well as the creation of profiles on external platforms; Legal bases: Performance of a contract and pre-contractual enquiries (Art. 6(1)(b) GDPR), Legitimate interests (Art. 6(1)(f) GDPR).

  • Transfer of Employee Data to Third Countries: The transfer of employee data to third countries (countries outside the European Union (EU) and the European Economic Area (EEA)) only takes place if it is necessary for the performance of the employment relationship, is legally required or if employees have given their consent. Employees will be informed separately about the details where legally required; Legal bases: Legitimate interests (Art. 6(1)(f) GDPR).

  • Business Travel and Expense Accounting: Procedures required for the planning, implementation and billing of business trips (e.g. booking trips, organising accommodation and transport, managing travel expense advances, submitting and checking travel expense claims, monitoring and booking the costs incurred, compliance with travel policies, handling travel expense management); Legal bases: Performance of a contract and pre-contractual enquiries (Art. 6(1)(b) GDPR), Legal obligation (Art. 6(1)(c) GDPR), Legitimate interests (Art. 6(1)(f) GDPR).

  • Payroll and Wage Accounting: Procedures required for the calculation, payment and documentation of wages, salaries and other benefits for employees (e.g. recording working hours, calculating deductions and supplements, paying taxes and social security contributions, creating payslips, maintaining wage accounts, reporting to the tax office and social security institutions); Legal bases: Performance of a contract and pre-contractual enquiries (Art. 6(1)(b) GDPR), Legal obligation (Art. 6(1)(c) GDPR).

  • Deletion of Employee Data: Employee data is deleted in accordance with German law if it is no longer required for the purpose for which it was collected, unless it must remain stored or archived due to legal obligations or the interests of the employer. The following retention and archiving obligations are observed:

    • General personnel records (e.g. employment contract, reference, supplementary agreements) are kept for up to three years after termination of employment (§ 195 BGB).

    • Tax-relevant documents in the personnel file are kept for six years (§ 147 AO, § 257 HGB).

    • Information on wages and working hours for (accident) insured persons with proof of wages is kept for five years (§ 165 I 1, IV 2 SGB VII).

    • Salary lists including lists for special payments, provided a booking voucher exists, are kept for ten years (§ 147 AO, § 257 HGB).

    • Wage lists for intermediate, final and special payments are kept for six years (§ 147 AO, § 257 HGB).

    • Documents on employee insurance, provided booking vouchers exist, are kept for ten years (§ 147 AO, § 257 HGB).

    • Contribution statements to social security institutions are kept for ten years (§ 165 SGB VII).

    • Wage accounts (Lohnkonten) are kept for six years (§ 41 I 9 EStG).

    • Applicant data is kept for a maximum of six months from receipt of the rejection.

    • Working time records (for more than 8 hours on working days) are kept for two years (§ 16 II ArbZG).

    • Application documents (following online job advertisement) are kept for three to a maximum of six months after receipt of the rejection (§ 26 BDSG, § 15 IV AGG).

    • Certificates of incapacity for work (AU) are kept for up to five years (§ 6 I AAG).

    • Documents on occupational pension schemes are kept for 30 years (§ 18a BetrAVG).

    • Sickness data of employees is kept for twelve months after the start of the illness if the absences do not exceed six weeks in a year.

    • Maternity protection documents are kept for two years (§ 27 (5) MuSchG).

    Legal bases: Art. 6(1)(b), (c) and (f) GDPR; Art. 9(2)(h) GDPR.

  • Personnel File Management: Procedures required for the organisation, updating and management of employee data and documents (e.g. recording personnel master data, storing employment contracts, references and certificates, updating data in the event of changes, compiling documents for employee appraisals, archiving personnel files, compliance with data protection regulations); Legal bases: Art. 6(1)(b), (c) and (f) GDPR; Art. 9(2)(h) GDPR.

  • Personnel Development, Performance Evaluation and Employee Appraisals: Procedures required in the area of promoting and further developing employees as well as in evaluating their performance and in the context of employee appraisals (e.g. needs analysis for further training, planning and implementation of training measures, creation of performance evaluations, implementation of target agreement and feedback discussions, career planning and talent management, succession planning); Legal bases: Art. 6(1)(b), (c) and (f) GDPR; Art. 9(2)(h) GDPR.

  • Obligation to Provide Data: The controller informs employees that the provision of their data is necessary. This is generally the case if the data is required for the establishment and implementation of the employment relationship or if its collection is required by law. The provision of data may also be necessary if employees assert claims or if employees are entitled to claims. The implementation of these measures or the fulfilment of benefits is dependent on the provision of this data (for example, the provision of data for the purpose of receiving wages); Legal bases: Art. 6(1)(b), (c) and (f) GDPR.

  • Publication and Disclosure of Employee Data: Employee data will only be published or disclosed to third parties if, on the one hand, this is necessary to perform work tasks in accordance with the employment contract. This applies, for example, if employees are named as contact persons in correspondence, on the website or in public registers by agreement or agreed task description, or if the field of activity includes representative functions. Likewise, this may be the case if a presentation to or communication with the public occurs within the scope of performing tasks, such as photographs within the scope of public relations. Otherwise, employee data is only published with their consent or based on the employer’s legitimate interests, for example in the case of stage or group photographs at a public event; Legal bases: Art. 6(1)(b) and (f) GDPR.

Application Procedure

The application procedure requires applicants to provide us with the data necessary for their assessment and selection. The specific information required can be found in the job description or, in the case of online forms, in the details provided there.

In principle, the required information includes personal details such as name, address, contact details, and evidence of the qualifications necessary for a position. Upon request, we are also happy to provide additional information on which details are required.

Where available, applicants are welcome to submit their applications via our online form, which is encrypted according to the current state of the art. Alternatively, applications may be sent to us by email. However, we would like to point out that emails sent over the internet are generally not encrypted. Although emails are usually encrypted in transit, they are not encrypted on the servers from which they are sent and received. Therefore, we cannot accept responsibility for the security of the application on its transmission path between the sender and our server.

For the purposes of searching for, submitting, and selecting applicants, we may use applicant management or recruitment software, platforms, and services from third-party providers in compliance with legal requirements.

Applicants are welcome to contact us regarding the method of submission or to send us their application by post.

Processing of special categories of data: Insofar as special categories of personal data (Art. 9(1) GDPR, e.g. health data, such as severely disabled status or ethnic origin) are requested from or provided by applicants within the scope of the application procedure, their processing is carried out so that the controller or the data subject can exercise the rights and fulfil the obligations arising from labour law and social security and social protection law. This also applies in the case of protecting the vital interests of the applicants or other persons, or for the purposes of preventive medicine or occupational medicine, for the assessment of the employee’s fitness for work, for medical diagnosis, for the provision of health or social care or treatment, or for the management of health or social care systems and services.

Deletion of data: In the event of a successful application, the data provided by the applicants may be further processed by us for the purposes of the employment relationship. Otherwise, if the application for a job offer is not successful, the applicants’ data will be deleted. Applicants’ data will also be deleted if an application is withdrawn, which applicants are entitled to do at any time. Subject to a justified withdrawal by the applicant, deletion will take place at the latest after the expiry of a six-month period, so that we can answer any follow-up questions regarding the application and fulfil our obligations to provide evidence under the regulations on the equal treatment of applicants. Invoices for any reimbursement of travel expenses will be archived in accordance with tax law requirements.

Inclusion in an applicant pool: Inclusion in an applicant pool, if offered, is based on consent. Applicants are informed that their consent to be included in the talent pool is voluntary, has no influence on the current application process, and that they can withdraw their consent at any time for the future.

  • Processed data types: Master data (e.g. full name, residential address, contact information, customer number, etc.); contact data (e.g. postal and email addresses or telephone numbers); content data (e.g. textual or visual messages and posts as well as information concerning them, such as details on authorship or time of creation); applicant data (e.g. personal details, postal and contact addresses, the documents belonging to the application and the information contained therein, such as cover letter, CV, certificates and other information provided voluntarily by applicants regarding their person or qualifications).

  • Data subjects: Applicants.

  • Purposes of processing and legitimate interests: Application procedure (establishment and any subsequent implementation as well as possible subsequent termination of the employment relationship).

  • Retention and deletion: Deletion according to the details in the section „General Information on Data Storage and Deletion“.

  • Legal bases: Application procedure as a pre-contractual or contractual relationship (Art. 6(1)(b) GDPR).


Changes and Updates

We ask you to inform yourself regularly about the content of our privacy policy. We will adjust the privacy policy as soon as changes to the data processing carried out by us make this necessary. We will inform you as soon as the changes require an act of cooperation on your part (e.g. consent) or other individual notification.

Insofar as we provide addresses and contact information of companies and organisations in this privacy policy, please note that addresses may change over time and we ask you to check the details before contacting us.


Definitions of Terms

This section provides an overview of the terminology used in this privacy policy. Insofar as the terms are defined by law, their statutory definitions shall apply. The following explanations are intended primarily to aid understanding.

  • Employees: Employees are defined as persons who are in an employment relationship, whether as staff, salaried employees, or in similar positions. An employment relationship is a legal relationship between an employer and an employee established by an employment contract or agreement. It involves the employer’s obligation to pay remuneration to the employee while the employee provides their work performance. The employment relationship comprises various phases, including the establishment (when the contract is concluded), the performance (when the employee carries out their work activities), and the termination (when the relationship ends, whether through notice, a settlement agreement, or otherwise). Employee data is all information relating to these persons within the context of their employment. This includes aspects such as personal identification data, identification numbers, salary and bank details, working hours, holiday entitlements, health data, and performance appraisals.

  • Master Data: Master data includes essential information required for the identification and management of contractual partners, user accounts, profiles, and similar assignments. This data may include, among other things, personal and demographic details such as names, contact information (addresses, telephone numbers, email addresses), dates of birth, and specific identifiers (user IDs). Master data forms the basis for any formal interaction between persons and services, facilities, or systems by enabling unique assignment and communication.

  • Content Data: Content data includes information generated in the course of creating, editing, and publishing content of all kinds. This category of data may include text, images, videos, audio files, and other multimedia content published on various platforms and media. Content data is not limited to the actual content itself but also includes metadata that provides information about the content, such as tags, descriptions, author information, and publication dates.

  • Contact Data: Contact data is essential information that enables communication with persons or organisations. It includes, among other things, telephone numbers, postal addresses, and email addresses, as well as means of communication such as social media handles and instant messaging identifiers.

  • Performance and Behavioural Data: Performance and behavioural data refers to information related to how individuals perform tasks or behave in a specific context, such as in an educational, work, or social environment. This data may include metrics such as productivity, efficiency, quality of work, attendance, and compliance with policies or procedures. Behavioural data could include interactions with colleagues, communication styles, decision-making processes, and reactions to various situations. These types of data are often used for performance evaluations, training and development measures, and decision-making within organisations.

  • Meta, Communication, and Procedural Data: These are categories containing information about the way data is processed, transmitted, and managed. Metadata, also known as data about data, includes information describing the context, origin, and structure of other data (e.g., file size, creation date, author, or revision history). Communication data records the exchange of information between users via various channels (e.g., email traffic, call logs, social network messages, and chat histories), including the parties involved, timestamps, and transmission paths. Procedural data describes processes within systems or organisations, including workflow documentation, logs of transactions and activities, and audit logs used for tracking and verifying operations.

  • Usage Data: Usage data refers to information capturing how users interact with digital products, services, or platforms. This includes a wide range of information showing how users use applications, which functions they prefer, how long they stay on certain pages, and the paths they navigate through an application. Usage data may also include frequency of use, activity timestamps, IP addresses, device information, and location data. It is particularly valuable for analysing user behaviour, optimising user experiences, personalising content, and improving products or services. Furthermore, usage data plays a crucial role in identifying trends, preferences, and potential problem areas within digital offerings.

  • Personal Data: „Personal data“ means any information relating to an identified or identifiable natural person (hereinafter „data subject“); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. cookie), or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

  • Profiles with User-Related Information: The processing of „profiles with user-related information“, or „profiles“ for short, comprises any kind of automated processing of personal data consisting of the use of this personal data to analyse, evaluate, or predict certain personal aspects relating to a natural person (depending on the type of profiling, this may include different information regarding demographics, behaviour, and interests, such as interaction with websites and their content, etc.). Cookies and web beacons are frequently used for profiling purposes.

  • Log Data: Log data is information about events or activities logged in a system or network. This data typically contains information such as timestamps, IP addresses, user actions, error messages, and other details about the use or operation of a system. Log data is often used for analysing system problems, security monitoring, or generating performance reports.

  • Reach Measurement: Reach measurement (also known as web analytics) serves to evaluate the visitor flows of an online offer and can include the behaviour or interests of visitors in specific information, such as the content of websites. With the help of reach analysis, operators of online offers can, for example, recognise at what time users visit their websites and what content they are interested in. This allows them to better adapt the content of the websites to the needs of their visitors. For the purposes of reach analysis, pseudonymous cookies and web beacons are often used to recognise returning visitors and thus obtain more precise analyses of the use of an online offer.

  • Location Data: Location data is generated when a mobile device (or another device with the technical requirements for location determination) connects to a radio cell, a WLAN, or similar technical means and functions of location determination. Location data serves to indicate the geographically determinable position on earth at which the respective device is located. Location data can be used, for example, to display map functions or other location-dependent information.

  • Tracking: „Tracking“ occurs when the behaviour of users can be traced across multiple online offers. As a rule, behaviour and interest information is stored in cookies or on the servers of the providers of tracking technologies with regard to the online offers used (so-called profiling). This information can then be used, for example, to display advertisements to users that presumably correspond to their interests.

  • Controller: „Controller“ means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

  • Processing: „Processing“ means any operation or set of operations performed on personal data, whether or not by automated means. The term is broad and covers practically every way of handling data, be it collection, evaluation, storage, transmission, or deletion.

  • Contract Data: Contract data is specific information relating to the formalisation of an agreement between two or more parties. It documents the terms and conditions under which services or products are provided, exchanged, or sold. This category is essential for managing and fulfilling contractual obligations and includes the identification of the parties as well as the specific terms and conditions. Contract data may include start and end dates, the type of services or products agreed upon, pricing, payment terms, cancellation rights, and special clauses. It serves as the legal basis for the relationship and is crucial for clarifying rights and obligations.

  • Payment Data: Payment data includes all information required to process payment transactions between buyers and sellers. This data is critical for e-commerce, online banking, and any other form of financial transaction. It includes details such as credit card numbers, bank details, payment amounts, transaction dates, verification numbers, and billing information. Payment data may also include information on payment status, chargebacks, authorisations, and fees.

  • Target Group Formation: Target group formation (also known as „Custom Audiences“) occurs when target groups are determined for advertising purposes (e.g., displaying ads). For example, based on a user’s interest in certain products or topics on the internet, it can be concluded that this user is interested in advertisements for similar products or the online shop where they viewed the products. „Lookalike Audiences“ (or similar target groups) occur when content deemed suitable is displayed to users whose profiles or interests presumably correspond to those for whom the profiles were created. Cookies and web beacons are typically used for the formation of custom and lookalike audiences.