PRIVACY POLICY

Table of Contents

  1. Introduction
  2. Controller
  3. Contact Data Protection Officer
  4. Overview of Data Processing
  5. Relevant Legal Bases
  6. Security Measures
  7. Transmission of Personal Data
  8. Data Processing in Third Countries
  9. Use of Cookies
  10. Provision of Online Services and Web Hosting
  11. Contacting Us
  12. Application Process
  13. Cloud Services
  14. Newsletters and Electronic Notifications
  15. Promotional Communication via Email, Post, Fax or Telephone
  16. Online Marketing
  17. Social Media Presence
  18. Management, Organization and Support Tools
  19. Deletion of Data
  20. Changes and Updates to the Privacy Policy
  21. Rights of Data Subjects
  22. Definitions

1. Introduction

With the following privacy policy, we would like to inform you about which types of your personal data (hereinafter also referred to as “data”) we process, for which purposes, and to what extent. These privacy notices apply to all processing of personal data carried out by us, both in the context of providing our services and especially on our websites, in mobile applications, as well as within external online presences, such as our social media profiles (hereinafter collectively referred to as “on…

The terms used are not gender-specific.

Status: January 30, 2023


2. Controller

IVD TRIALS GmbH 
Hans-Bunte-Straße 6 
69123 Heidelberg

Authorized Representative: 
Dipl.-Chem., Dipl.-Kfm. Oliver Bošnjak

Email: info(at)ivdtrials.com
Phone: +49 6221 4166-500

Legal Notice: https://www.ivdtrials.com/legal-notice


3. Contact Data Protection Officer

Kompetenzteam Thomas, Owner: Katrin Thomas 
– Katrin Thomas – 
Phone: +49 6344 503949-0
datenschutz(at)ivdtrials.com


4. Overview of Processing

The following overview summarizes the types of data processed and the purposes of their processing and refers to the data subjects involved.

Types of data processed:

  • Inventory data (e.g., names, addresses)
  • Applicant data (e.g., personal details, postal and contact addresses, application documents and contained information such as cover letters, CVs, certificates, and other information provided voluntarily by applicants about themselves or their qualifications)
  • Content data (e.g., entries in online forms)
  • Contact data (e.g., email, phone numbers)
  • Meta/communication data (e.g., device information, IP addresses)
  • Usage data (e.g., visited websites, interest in content, access times)

Categories of data subjects:

  • Employees (e.g., staff, applicants, former employees)
  • Interested parties
  • Communication partners
  • Customers
  • Users (e.g., website visitors, users of online services)

Purposes of processing:

  • Provision of our online offering and user-friendliness
  • Conversion measurement (measuring the effectiveness of marketing measures)
  • Application procedures (establishment and any subsequent implementation and possible termination of the employment relationship)
  • Office and organizational procedures
  • Direct marketing (e.g., via email or postal mail)
  • Feedback (e.g., collecting feedback via online form)
  • Marketing
  • Contact requests and communication
  • Profiles with user-related information (creating user profiles)
  • Reach measurement (e.g., access statistics, recognizing returning visitors)


5. Relevant Legal Bases

Below you will find an overview of the legal bases of the GDPR on which we base the processing of personal data. Please note that, in addition to the provisions of the GDPR, national data protection regulations of your or our country of residence or establishment may also apply. If more specific legal bases are relevant in individual cases, we will inform you of them in the privacy policy.

  • Consent (Art. 6 para. 1 sentence 1 lit. a GDPR) – The data subject has given their consent to the processing of personal data concerning them for one or more specific purposes.
  • Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b GDPR) – Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
  • Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR) – Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.
  • Application procedures as a pre-contractual or contractual relationship (Art. 9 para. 2 lit. b GDPR) – Insofar as special categories of personal data within the meaning of Art. 9 para. 1 GDPR (e.g., health data such as disability status or ethnic origin) are requested from applicants in the context of the application process so that the controller or the data subject can exercise their rights arising from labor law and social security and social protection law and fulfill their respective obligations, the processing is carried out in accordance with Art. 9(2)(b) GDPR. In the event of processing necessary to protect the vital interests of the applicants or other persons, it is based on Art. 9(2)(c) GDPR. Processing for purposes of preventive or occupational medicine, the assessment of the working capacity of the employee, medical diagnosis, health or social care or treatment, or the management of health or social care systems and services is carried out in accordance with Art. 9(2)(h) GDPR. If special categories of data are disclosed voluntarily based on explicit consent, their processing is carried out on the basis of Art. 9(2)(a) GDPR.

National data protection regulations in Germany: In addition to the data protection regulations of the General Data Protection Regulation, national data protection provisions apply in Germany. This includes in particular the Federal Data Protection Act (BDSG). The BDSG contains special regulations, in particular on the right to access, the right to erasure, the right to object, the processing of special categories of personal data, processing for other purposes, and transfer and automated decision-making including profiling.

It also governs the processing of data for employment-related purposes (§ 26 BDSG), particularly with regard to the initiation, execution, or termination of employment relationships and the consent of employees. Furthermore, state data protection laws of the individual federal states (Länder) may also apply.


6. Security Measures

We take appropriate technical and organizational measures in accordance with legal requirements, taking into account the state of the art, implementation costs, and the nature, scope, context, and purposes of processing as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons.

These measures include safeguarding the confidentiality, integrity, and availability of data by controlling physical and electronic access to the data, as well as the access, input, disclosure, securing of availability, and separation of data related to them. We have also implemented procedures to ensure the exercise of data subject rights, the deletion of data, and responses to data threats. Furthermore, we consider the protection of personal data already during the development or selection of hardware, software, and procedures, according to the principle of data protection by design and by default.

IP address shortening: If IP addresses are processed by us or by the service providers and technologies used, and processing a full IP address is not necessary, the IP address is shortened (also known as ‘IP masking’). In this case, the last digits or part of the IP address after a period are removed or replaced with placeholders. Shortening the IP address is intended to prevent or significantly hinder identification of a person by their IP address.

SSL encryption (https): To protect your data transmitted via our online offering, we use SSL encryption. You can recognize such encrypted connections by the prefix https:// in your browser’s address bar.


7. Transmission of Personal Data

In the course of processing personal data, data may be transmitted to other bodies, companies, legally independent organizational units, or individuals or disclosed to them. Recipients of this data may include service providers responsible for IT tasks or providers of services and content that are embedded in a website. In such cases, we observe legal requirements and conclude appropriate contracts or agreements with recipients of your data to protect it.

Data transfers within our corporate group: We may transfer personal data to other companies within our corporate group or grant them access to this data. If the transfer serves administrative purposes, it is based on our legitimate business and economic interests, or it occurs if it is necessary for the fulfillment of our contractual obligations or if there is consent from the data subject or legal permission.


8. Data Processing in Third Countries

If we process data in a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)), or if the processing occurs as part of using third-party services or the disclosure or transmission of data to other persons, bodies, or companies, this is only done in accordance with legal requirements.

Subject to explicit consent or contractually or legally required transfer, we only process or allow data to be processed in third countries with a recognized level of data protection, contractual obligations through so-called standard contractual clauses by the EU Commission, in the presence of certifications, or binding internal data protection regulations (Art. 44 to 49 GDPR).

Information page of the European Commission: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection_de


9. Use of Cookies

Cookies are text files that contain data from visited websites or domains and are stored by a browser on the user’s computer. A cookie primarily serves to store information about a user during or after their visit within an online offering. Stored information can include, for example, language settings on a website, login status, a shopping cart, or the position at which a video was stopped. The term “cookies” also includes other technologies that fulfill similar functions (e.g., when user information is stored using pseudonymous online identifiers, also referred to as “user IDs”).

The following types and functions of cookies are distinguished:

  • Temporary cookies (also: session cookies): Temporary cookies are deleted at the latest after a user leaves an online offering and closes their browser.
  • Permanent cookies: These remain stored even after the browser is closed. For example, the login status can be saved, or preferred content can be displayed directly when the user revisits the site. Likewise, user interests used for reach measurement or marketing purposes can be stored in such a cookie.
  • First-party cookies: These are set by us.
  • Third-party cookies: These are primarily used by advertisers (so-called third parties) to process user information.
  • Necessary cookies (also: essential or strictly necessary): These are essential for operating a website (e.g., to store logins or other user inputs, or for security reasons).
  • Statistics, marketing, and personalization cookies: These are generally used for reach measurement and when user interests or behavior (e.g., viewing certain content, using functions, etc.) are stored in a user profile on individual websites. These profiles serve to display content to users that potentially corresponds to their interests. This process is also referred to as “tracking.” Where we use cookies or tracking technologies, we inform you separately in our Privacy Policy or within the scope of obtaining your consent.

Legal basis information: The legal basis on which we process your personal data using cookies depends on whether we ask you for your consent. If you consent to the use of cookies, the legal basis for processing your data is the declared consent (Art. 6(1)(a) GDPR). Otherwise, the data processed via cookies is processed based on our legitimate interests (e.g., in the economic operation of our online offering and its improvement) or if the use of cookies is necessary to fulfill our contractual obligations (Art. 6(1)(f) GDPR).

Storage duration: Unless we provide explicit information on the storage duration of permanent cookies (e.g., as part of a cookie opt-in), please assume that the storage duration can be up to two years.

Used Services and Providers:

  • We use Kadence & Gutenberg for content creation. This data is not shared with third parties.
  • WPML: We use WPML for locale management. This data is not shared with third parties.
  • Complianz: We use Complianz for cookie consent management. This data is not shared with third parties. For more information, please read the Complianz Privacy Statement.
  • Google Analytics: We use Google Analytics, a web analytics service provided by Google LLC (“Google”), for website analytics. Google Analytics uses cookies to analyze how users use the website. The information generated by the cookie about your use of the website (including your IP address) will be transmitted to and stored by Google on servers in the United States. We have activated the IP anonymization feature on this website, which means your IP address will be truncated within the European Union or other parties to the Agreement on the European Economic Area prior to transmission to the US. Only in exceptional cases will the full IP address be sent to a Google server in the US and truncated there. Google will use this information on our behalf to evaluate your use of the website, compile reports on website activity, and provide other services related to website and internet usage. The IP address transmitted by your browser as part of Google Analytics will not be merged with other Google data. You can prevent the storage of cookies by selecting the appropriate settings in your browser; however, please note that if you do this, you may not be able to use the full functionality of this website. You can also prevent the collection of data generated by the cookie and related to your use of the website (including your IP address) from being sent to Google, and the processing of this data by Google, by downloading and installing the browser plugin available at: https://tools.google.com/dlpage/gaoptout?hl=en. For more information on Google’s privacy practices, please visit: https://policies.google.com/privacy.

General information on withdrawal and objection (opt-out):

Depending on whether processing is based on consent or legal permission, you can revoke a given consent at any time or object to the processing of your data using cookie technologies (collectively referred to as “opt-out”). You can declare your objection using your browser settings, e.g., by disabling the use of cookies (note that this may limit the functionality of our online offering). An objection to the use of cookies for online marketing purposes can also be declared via many services, particularly in the case of tracking, through the websites:

You can also find additional opt-out information within the details on the services and cookies used.

Processing of cookie data based on consent:

We use a cookie consent management procedure in which users’ consent to the use of cookies, and to the processing and providers named in the cookie consent process, can be obtained, managed, and revoked by users.

The consent declaration is stored to avoid repeating the query and to be able to prove consent in accordance with legal obligations. The storage may be server-based and/or in a cookie (so-called opt-in cookie or by using comparable technologies) to associate the consent with a user or their device.

Unless individual details about providers of cookie management services are provided, the following applies: The storage duration of consent can be up to two years. A pseudonymous user ID is created and stored with the time of consent, information about the scope of the consent (e.g., which categories of cookies and/or service providers), as well as browser, system, and device used.

  • Types of data processed: Usage data (e.g., websites visited, interest in content, access times), meta/communication data (e.g., device information, IP addresses)
  • Data subjects: Users (e.g., website visitors, users of online services)
  • Legal bases: Consent (Art. 6(1)(a) GDPR), legitimate interests (Art. 6(1)(f) GDPR)


10. Provision of Online Services and Web Hosting

To provide our online services securely and efficiently, we use the services of one or more web hosting providers, from whose servers (or servers managed by them) the online offering can be accessed. For these purposes, we may use infrastructure and platform services, computing capacity, storage space, and database services, as well as security and technical maintenance services.

The data processed in the course of providing the hosting services may include all information relating to the users of our online offering that is generated during use and communication. This regularly includes the IP address required to deliver content from online services to browsers, and all entries made within our online offering or websites.

Email transmission and hosting: The web hosting services we use also include sending, receiving, and storing emails. For these purposes, the addresses of the recipients and senders, as well as other information regarding the email transmission (e.g., the involved providers) and the contents of the respective emails, are processed. The aforementioned data may also be processed for the purpose of detecting spam. Please note that emails on the Internet are generally not sent in encrypted form. As a rule, emails are encrypted during transport, but not on the servers from which they are sent and received (unless end-to-end encryption is used). Therefore, we cannot assume responsibility for the transmission path of emails between the sender and their receipt on our server.

Collection of access data and log files: We (or our web hosting provider) collect data on every access to the server (so-called server log files). The server log files may include the address and name of the accessed websites and files, date and time of access, transmitted data volumes, messages about successful access, browser type and version, the user’s operating system, referrer URL (the previously visited page), and, as a rule, IP addresses and the requesting provider.

The server log files can be used for security purposes, e.g., to prevent server overloads (especially in the case of abusive attacks, so-called DDoS attacks), and to ensure server utilization and stability.

  • Types of data processed: Content data (e.g., entries in online forms), usage data (e.g., visited websites, interest in content, access times), meta/communication data (e.g., device information, IP addresses).
  • Data subjects: Users (e.g., website visitors, users of online services).
  • Purposes of processing: Provision of our online offering and user-friendliness.
  • Legal bases: Legitimate interests (Art. 6(1)(f) GDPR).
  • Used services and service providers:
    – VULTR: Services in the field of IT infrastructure and related services (e.g., storage space and/or computing capacities); Service provider: VULTR, 319 Clematis Street Suite 900, West Palm Beach, FL 33401, United States; Website: https://www.vultr.com/; Data protection agreement has been concluded with the provider; The server is located in Frankfurt/Main, Germany.
    – EZProvider Networks Inc.: Services in the field of IT infrastructure and related services (e.g., storage space and/or computing capacities); Service provider: EZProvider Networks Inc., #458-280 Nelson Street, Vancouver, B.C. V6B 2E2; Website: https://www.ezp.net/; Privacy Policy: https://www.ezp.net/privacy-policy/


11. Contacting Us

When contacting us (e.g., via contact form, email, telephone, or social media), the information provided by the inquiring persons will be processed to the extent necessary to respond to the contact inquiries and any requested actions.

The response to contact inquiries within the context of contractual or pre-contractual relationships is carried out in order to fulfill our contractual obligations or to respond to (pre-)contractual inquiries, and otherwise on the basis of our legitimate interest in responding to the inquiries.

  • Types of data processed: Inventory data (e.g., names, addresses), contact data (e.g., email, telephone numbers), content data (e.g., entries in online forms), usage data (e.g., visited websites, interest in content, access times), meta/communication data (e.g., device information, IP addresses).
  • Data subjects: Communication partners.
  • Purposes of processing: Contact inquiries and communication.
  • Legal bases: Contract fulfillment and pre-contractual inquiries (Art. 6(1)(b) GDPR), legitimate interests (Art. 6(1)(f) GDPR).


12. Application Process

The application process requires applicants to provide us with the data necessary for their assessment and selection. The required information results from the job description or, in the case of online forms, from the details provided therein.

As a rule, the required information includes personal details such as name, address, a way to contact the applicant, and evidence of the qualifications necessary for a position. Upon request, we are happy to provide information on what details are required.

If provided, applicants can submit their applications to us via an online form. The data is transmitted to us in encrypted form in accordance with the state of the art. Applicants can also send us their applications via email. However, we ask you to note that emails are generally not encrypted when sent over the Internet. Emails are usually encrypted during transit, but not on the servers from which they are sent or received, unless end-to-end encryption is used. Therefore, we cannot assume responsibility for the transmission path of the application between the sender and its receipt on our server.

For the purpose of applicant searches, submission of applications, and selection of applicants, we may, in compliance with legal requirements, use applicant management or recruitment software and platforms and services from third-party providers.

Applicants are welcome to contact us regarding the method of submitting the application or send it to us by post.

Processing of special categories of data: If special categories of personal data within the meaning of Art. 9(1) GDPR (e.g., health data such as information about severe disability or ethnic origin) are requested from applicants during the application process so that the controller or the data subject can exercise rights arising from labor law and the law of social security and social protection and fulfill their respective obligations, the processing is carried out in accordance with Art. 9(2)(b) GDPR. In the case of protecting the vital interests of applicants or other persons, Art. 9(2)(c) GDPR applies, or for purposes of health care or occupational medicine, for the assessment of the employee’s working capacity, for medical diagnosis, for health or social care or treatment, or for the management of health or social care systems and services, Art. 9(2)(h) GDPR applies. If the special categories of data are voluntarily provided based on explicit consent, their processing is based on Art. 9(2)(a) GDPR.

Deletion of data: The data provided by applicants may be further processed by us for the purposes of the employment relationship in the event of a successful application. Otherwise, if the application for a job offer is unsuccessful, the applicant’s data will be deleted. Applicant data will also be deleted if an application is withdrawn, which applicants are entitled to do at any time. Subject to a justified revocation by the applicants, the deletion takes place no later than six months after the end of the application process so that we can answer any follow-up questions and comply with our obligations to provide proof under equal treatment regulations. Invoices for any reimbursement of travel expenses will be archived in accordance with tax regulations.

Inclusion in an applicant pool: Inclusion in an applicant pool, if offered, is based on consent. Applicants are informed that their consent to be included in the talent pool is voluntary, has no influence on the ongoing application process, and they can revoke their consent at any time for the future.

  • Types of data processed: Applicant data (e.g., personal information, postal and contact addresses, application documents, and the information they contain, such as cover letters, resumes, certificates, and other information provided voluntarily or with regard to a specific position)
  • Data subjects: Applicants
  • Purpose of processing: Application procedure (establishment and possible subsequent implementation as well as potential termination of the employment relationship)
  • Legal basis: Application procedure as a pre-contractual or contractual relationship (Art. 9(2)(b) GDPR)


13. Cloud Services

We use software services accessible via the Internet and operated on the servers of their providers (so-called “cloud services”, also referred to as “Software as a Service”) for the following purposes: document storage and management, calendar management, email dispatch, spreadsheets and presentations, exchange of documents, content, and information with specific recipients or publication of websites, forms or other content and information, as well as chats and participation in audio and video conferences.

In this context, personal data may be processed and stored on the servers of the providers, insofar as it is part of communication processes with us or is otherwise processed by us as set out in this Privacy Policy. This data may include, in particular, user master data and contact details, data concerning processes, contracts, and other procedures and their contents. The providers of the cloud services also process usage data and metadata, which they use for security purposes and service optimization.

If we provide forms or similar documents and content for other users or publicly accessible websites via the cloud services, the providers may store cookies on the users’ devices for the purpose of web analytics or to remember user settings (e.g., in the case of media control).

Legal basis information: If we request consent to use the cloud services, the legal basis for the processing is consent. Furthermore, their use may be part of our (pre-)contractual services, provided that the use of the cloud services has been agreed upon within this scope. Otherwise, the users’ data is processed based on our legitimate interests (i.e., interest in efficient and secure administrative and collaboration processes).

  • Types of data processed: Inventory data (e.g., names, addresses), contact data (e.g., email, telephone numbers), content data (e.g., entries in online forms), usage data (e.g., visited websites, interest in content, access times), meta/communication data (e.g., device information, IP addresses)
  • Data subjects: Customers, employees (e.g., employees, applicants, former employees), interested parties, communication partners
  • Purpose of processing: Office and organizational procedures
  • Legal bases: Consent (Art. 6(1)(a) GDPR), contract fulfillment and pre-contractual inquiries (Art. 6(1)(b) GDPR), legitimate interests (Art. 6(1)(f) GDPR)
  • Used services and service providers:
    – Microsoft Cloud Services: Cloud storage services; Service provider: Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399 USA; Website: https://microsoft.com; Privacy policy: https://privacy.microsoft.com/en-us/privacystatement; Security information: https://www.microsoft.com/en-us/trust-center


14. Newsletters and Electronic Notifications

We send newsletters, emails, and other electronic notifications (hereinafter referred to as “newsletters”) only with the consent of the recipients or a legal permission. If the contents of the newsletter are specifically described as part of a registration, they are decisive for the users’ consent. Otherwise, our newsletters contain information about our services and us.

To register for our newsletters, it is generally sufficient to provide your email address. However, we may ask you to provide a name so that we can address you personally in the newsletter, or other information if required for the purposes of the newsletter.

Double-opt-in procedure: Registration for our newsletter generally takes place in a so-called double-opt-in procedure. This means that after registering, you will receive an email asking you to confirm your registration. This confirmation is necessary so that no one can register with someone else’s email address. The registrations for the newsletter are logged in order to prove that the registration process complies with legal requirements. This includes storing the time of registration and confirmation as well as the IP address. Changes to the data stored with the email service provider are also recorded.

Deletion and restriction of processing: We may store unsubscribed email addresses for up to three years based on our legitimate interests before deleting them to be able to prove previously given consent. The processing of these data is limited to the purpose of potential defense against claims. An individual deletion request is possible at any time, provided that the former existence of consent is confirmed. In the case of obligations to permanently observe objections, we reserve the right to store the email address solely for this purpose in a suppression list (so-called “blocklist”). Logging of the registration process is carried out on the basis of our legitimate interests in order to document its proper execution. If we commission a service provider to send emails, this is done based on our legitimate interest in a secure and efficient mailing system.

Legal basis information: The newsletter is sent based on the consent of the recipients or, if consent is not required, based on our legitimate interests in direct marketing, if and to the extent this is permitted by law, e.g., in the case of advertising to existing customers. If we commission a service provider to send emails, this is done based on our legitimate interests. The registration process is recorded based on our legitimate interests to prove that it was conducted in accordance with the law.

Content: Information about us, our services, promotions, and offers.

Measurement of open and click rates: The newsletters contain a so-called “web beacon”, i.e., a pixel-sized file that is retrieved from our server or, if we use a mailing service provider, from their server when the newsletter is opened. During this retrieval, technical information such as browser and system information, your IP address, and the time of retrieval is collected.

This information is used to technically improve our newsletter based on technical data or the target groups and their reading behavior based on their retrieval locations (which can be determined using the IP address) or access times. This analysis also includes determining whether the newsletters are opened, when they are opened, and which links are clicked. This information is assigned to individual newsletter recipients and stored in their profiles until it is deleted. These evaluations help us to recog…

The measurement of open and click rates, as well as the storage of measurement results in user profiles and their further processing, is based on the users’ consent.

A separate revocation of the performance measurement is unfortunately not possible; in this case, the entire newsletter subscription must be canceled or objected to. In this case, the stored profile information will be deleted.

  • Types of data processed: Inventory data (e.g., names, addresses), contact data (e.g., email, telephone numbers), meta/communication data (e.g., device information, IP addresses), usage data (e.g., visited websites, interest in content, access times)
  • Data subjects: Communication partners, users (e.g., website visitors, users of online services)
  • Purposes of processing: Direct marketing (e.g., by email or post), reach measurement (e.g., access statistics, recognition of returning visitors), conversion measurement (measuring the effectiveness of marketing activities), profiles with user-related information (creating user profiles)
  • Legal bases: Consent (Art. 6(1)(a) GDPR), legitimate interests (Art. 6(1)(f) GDPR)
  • Right to object (opt-out): You can cancel the receipt of our newsletter at any time, i.e., withdraw your consent or object to further receipt. You will find a link to cancel the newsletter at the end of each newsletter, or you may use one of the contact options provided above, preferably email.
  • Used services and service providers:
    • Google Analytics: We use Google Analytics, a web analytics service provided by Google LLC (“Google”), for website analytics. Google Analytics uses cookies to analyze how users use the website. The information generated by the cookie about your use of the website (including your IP address) will be transmitted to and stored by Google on servers in the United States. We have activated the IP anonymization feature on this website, which means your IP address will be truncated within the European Union or other parties to the Agreement on the European Economic Area prior to transmission to the US. Only in exceptional cases will the full IP address be sent to a Google server in the US and truncated there. Google will use this information on our behalf to evaluate your use of the website, compile reports on website activity, and provide other services related to website and internet usage. The IP address transmitted by your browser as part of Google Analytics will not be merged with other Google data. You can prevent the storage of cookies by selecting the appropriate settings in your browser; however, please note that if you do this, you may not be able to use the full functionality of this website. You can also prevent the collection of data generated by the cookie and related to your use of the website (including your IP address) from being sent to Google, and the processing of this data by Google, by downloading and installing the browser plugin available at: https://tools.google.com/dlpage/gaoptout?hl=en. For more information on Google’s privacy practices, please visit: https://policies.google.com/privacy.

15. Promotional Communication via Email, Post, Fax or Telephone

We process personal data for promotional communications across various channels (email, phone, post, fax), as permitted by law.

Recipients may revoke their consent or object to promotional communication at any time.

  • Types of data processed: Inventory data (e.g., names, addresses), contact data (e.g., email, telephone numbers)
  • Data subjects: Communication partners
  • Purposes of processing: Direct marketing (e.g., by email or post)
  • Legal bases: Consent (Art. 6(1)(a) GDPR), legitimate interests (Art. 6(1)(f) GDPR)

16. Online Marketing

We process personal data for the purposes of online marketing, which includes, in particular, the marketing of advertising space or the display of promotional and other content (collectively referred to as “content”) based on potential user interests and the measurement of their effectiveness.

For these purposes, so-called user profiles are created and stored in a file (known as a “cookie”) or similar procedures are used, through which the relevant user information for the aforementioned content is stored. This information may include viewed content, visited websites, used online networks, communication partners, and technical information such as the browser used, the computer system used, and details about times of use. If users have consented to the collection of their location data, this may also be processed.

The IP addresses of the users are also stored. However, we use the available IP masking procedures (i.e., pseudonymization by shortening the IP address) to protect the users. In general, no plain user data (such as email addresses or names) is stored within the scope of online marketing processes; pseudonyms are used instead. That means neither we nor the providers of the online marketing procedures know the actual identity of the users, only the data stored in their profiles.

The information in the profiles is usually stored in cookies or by means of similar technologies. These cookies can later generally also be read on other websites that use the same online marketing method and analyzed for the purpose of displaying content, as well as supplemented with further data and stored on the server of the online marketing provider.

In exceptional cases, plain data may be assigned to the profiles. This is the case, for example, if the users are members of a social network whose online marketing process we use and the network links the users’ profiles with the aforementioned data. Please note that users may enter into additional agreements with the providers, e.g., by giving consent during registration.

We generally only receive access to summarized information about the success of our advertisements. However, within the scope of so-called conversion measurement, we can check which of our online marketing methods led to a so-called conversion, i.e., for example, to the conclusion of a contract with us. Conversion measurement is used solely for performance analysis of our marketing activities.

Unless otherwise stated, please assume that cookies used are stored for a period of two years.

Legal bases: If we ask users for their consent, the legal basis for the processing is consent according to Art. 6(1)(a) GDPR. Otherwise, user data is processed based on our legitimate interests (i.e., interest in efficient, economical, and recipient-friendly services) according to Art. 6(1)(f) GDPR.

  • Types of data processed: Usage data (e.g., visited websites, interest in content, access times), meta/communication data (e.g., device information, IP addresses)
  • Data subjects: Users (e.g., website visitors, users of online services)
  • Purposes of processing: Marketing, profiling with user-related information (creating user profiles), conversion measurement (measuring the effectiveness of marketing activities)
  • Security measures: IP masking (pseudonymization of the IP address)
  • Legal bases: Consent (Art. 6(1)(a) GDPR), legitimate interests (Art. 6(1)(f) GDPR)
  • Right to object (opt-out): Please refer to the privacy policies of the respective providers and their opt-out options. If no explicit opt-out option is provided, you can disable cookies in your browser settings, although this may restrict the functionality of our online services. We also recommend the following general opt-out options, depending on your region:
    a) Europe: https://www.youronlinechoices.eu
    b) Canada: https://www.youradchoices.ca/choices
    c) USA: https://www.aboutads.info/choices
    d) Cross-region: https://optout.aboutads.info
  • Services and service providers used:
    • Google Analytics: We use Google Analytics, a web analytics service provided by Google LLC (“Google”), for website analytics. Google Analytics uses cookies to analyze how users use the website. The information generated by the cookie about your use of the website (including your IP address) will be transmitted to and stored by Google on servers in the United States. We have activated the IP anonymization feature on this website, which means your IP address will be truncated within the European Union or other parties to the Agreement on the European Economic Area prior to transmission to the US. Only in exceptional cases will the full IP address be sent to a Google server in the US and truncated there. Google will use this information on our behalf to evaluate your use of the website, compile reports on website activity, and provide other services related to website and internet usage. The IP address transmitted by your browser as part of Google Analytics will not be merged with other Google data. You can prevent the storage of cookies by selecting the appropriate settings in your browser; however, please note that if you do this, you may not be able to use the full functionality of this website. You can also prevent the collection of data generated by the cookie and related to your use of the website (including your IP address) from being sent to Google, and the processing of this data by Google, by downloading and installing the browser plugin available at: https://tools.google.com/dlpage/gaoptout?hl=en. For more information on Google’s privacy practices, please visit: https://policies.google.com/privacy.
  • IP anonymization: We use IP anonymization with Matomo. In this case, your IP address is shortened before being analyzed, so it can no longer be uniquely assigned to you.
  • Cookie-free analysis: We have configured Matomo so that it does not store cookies in your browser.
  • Hosting: We host Matomo exclusively on our own servers, so all analytical data remains with us and is not shared.

17. Social Media Presence

We maintain online presences within social networks and process user data in this context in order to communicate with the users active there or to offer information about us.

We point out that user data may be processed outside the European Union. This may result in risks for users because it could make it more difficult to enforce their rights.

Furthermore, user data within social networks is usually processed for market research and advertising purposes. For example, user profiles can be created based on user behavior and the resulting interests. These usage profiles can, in turn, be used, for example, to display advertisements within and outside the networks that presumably correspond to the users’ interests. For these purposes, cookies are usually stored on users’ computers, in which the usage behavior and interests of the users are stored. In addition, data can also be stored in usage profiles regardless of the devices used by users (especially if users are members of the respective platforms and are logged in).

For a detailed description of the respective forms of processing and the opt-out options, please refer to the privacy policies and information provided by the operators of the respective networks.

Also, in the case of requests for information and the assertion of user rights, we would like to point out that these can be most effectively asserted with the providers. Only the providers have access to the users’ data and can directly take appropriate measures and provide information. If you still require assistance, you are welcome to contact us directly.

  • Types of data processed: Contact data (e.g., email, telephone numbers), content data (e.g., entries in online forms), usage data (e.g., visited websites, interest in content, access times), meta/communication data (e.g., device information, IP addresses)
  • Data subjects: Users (e.g., website visitors, users of online services)
  • Purposes of processing: Contact inquiries and communication, feedback (e.g., collecting feedback via online form), marketing
  • Legal bases: Legitimate interests (Art. 6(1)(f) GDPR)
  • Services and service providers used:
    • Facebook – We are jointly responsible with Facebook Ireland Ltd. for the collection (but not the further processing) of data from visitors to our Facebook page (so-called “Fanpage”). This data includes information about the types of content users view or interact with, or actions taken by them (see “Things you and others do and provide” in the Facebook Data Policy: https://www.facebook.com/policy), as well as information about the devices used by users (e.g., IP addresses, operating system, browser type, language settings, cookie data; see “Device Information” in the Facebook Data Policy: https://www.facebook.com/policy).

As explained in the Facebook Data Policy under “How do we use this information?”, Facebook also collects and uses information to provide analytics services called “Page Insights” to page operators, so they can understand how people interact with their pages and the content associated with them.

We have entered into a special agreement with Facebook (“Page Insights Controller Addendum”: https://www.facebook.com/legal/terms/page_controller_addendum), which sets out in particular the security measures Facebook must observe and in which Facebook has agreed to fulfill data subject rights (i.e., users can, for example, address information or deletion requests directly to Facebook). The rights of users (especially to access, erasure, objection, and complaints to the competent supervisory authority) are not restricted by these agreements with Facebook.

Further information can be found in the “Information about Page Insights Data”: https://www.facebook.com/legal/terms/information_about_page_insights_data

18. Management, Organization and Support Tools

We use services, platforms, and software from other providers (hereinafter referred to as “third-party providers”) for organizational, administrative, planning, and service delivery purposes. In the process, personal data may be processed and stored on the servers of the third-party providers. This may affect various data that we process in accordance with this privacy policy. These may include, in particular, master and contact data of users, data on processes, contracts, and other procedures and their contents.

If users are referred to the third-party providers or their software or platforms in the course of communication, business, or other relationships with us, the third-party providers may process usage data and metadata for security purposes, service optimization, or marketing purposes. Therefore, please observe the privacy notices of the respective third-party providers.

Legal basis information: If we ask users for their consent to use third-party providers, the legal basis for data processing is that consent. Their use may also be part of our (pre-)contractual services, provided that the use of the third-party providers was agreed upon in this context. Otherwise, user data is processed based on our legitimate interests (i.e., interest in efficient, economic, and user-friendly services). In this context, we also refer you to the information about the use of cookies in this Privacy Policy.

  • Types of data processed: Inventory data (e.g., names, addresses), contact data (e.g., email, telephone numbers), content data (e.g., entries in online forms), usage data (e.g., visited websites, interest in content, access times), meta/communication data (e.g., device information, IP addresses)
  • Data subjects: Communication partners, users (e.g., website visitors, users of online services)
  • Purposes of processing: Contact inquiries and communication
  • Legal bases: Consent (Art. 6(1)(a) GDPR), contract fulfillment and pre-contractual inquiries (Art. 6(1)(b) GDPR), legitimate interests (Art. 6(1)(f) GDPR)
  • Services and service providers used:
    • Trello – Project management tool
      Service provider: Trello Inc., 55 Broadway, New York, NY 10006, USA
      Parent company: Atlassian Inc., 1098 Harrison Street, San Francisco, California 94103, USA
      Website: https://trello.com/
      Privacy Policy: https://trello.com/privacy

19. Deletion of Data

The data we process will be deleted in accordance with the legal requirements as soon as the consents permitting processing are revoked or other permissions cease to apply (e.g., if the purpose for which the data was processed ceases to apply or if it is not necessary for the purpose).

If the data is not deleted because it is required for other and legally permissible purposes, its processing is restricted to these purposes. That is, the data is blocked and not processed for other purposes. This applies, for example, to data that must be retained for reasons of commercial or tax law, or whose storage is necessary for the assertion, exercise, or defense of legal claims or for the protection of the rights of another natural or legal person.

As part of our privacy notices, we may provide users with additional information regarding the deletion and retention of data that specifically applies to the respective processing operations.

20. Changes and Updates to the Privacy Policy

We ask you to review the content of our privacy policy regularly. We adapt the privacy policy as soon as changes in the data processing we carry out make it necessary. We will inform you as soon as the changes require your cooperation (e.g., consent) or other individual notification.

If we provide addresses and contact information of companies and organizations in this privacy policy, please note that addresses may change over time and please verify the information before contacting us.

21. Rights of Data Subjects

As a data subject, you are entitled to various rights under the GDPR, which arise in particular from Articles 15 to 21 GDPR:

Right to object: You have the right to object at any time, on grounds relating to your particular situation, to the processing of your personal data based on Article 6(1)(e) or (f) GDPR, including profiling based on those provisions.
If your personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data for such marketing; this also applies to profiling, to the extent that it is related to such direct marketing.

Right to withdraw consent: You have the right to withdraw any consent given at any time.

Right of access: You have the right to request confirmation as to whether data concerning you is being processed, and to receive information about this data, as well as further information and a copy of the data, in accordance with legal requirements.

Right to rectification: You have the right, in accordance with the law, to request the completion of your data or the correction of inaccurate data concerning you.

Right to erasure and restriction of processing: In accordance with legal requirements, you have the right to request that data concerning you be deleted without delay, or alternatively, to request a restriction of the processing of your data.

Right to data portability: You have the right to receive the data concerning you, which you have provided to us, in a structured, commonly used, and machine-readable format or to request its transmission to another controller, in accordance with legal requirements.

Right to lodge a complaint with a supervisory authority: In accordance with the law and without prejudice to any other administrative or judicial remedy, you also have the right to lodge a complaint with a data protection supervisory authority, in particular in the Member State of your habitual residence, your place of work, or the place of the alleged infringement, if you believe that the processing of your personal data violates the GDPR.


Supervisory authority responsible for us:

State Commissioner for Data Protection and Freedom of Information Baden-Württemberg
Königstraße 10a
70173 Stuttgart
Germany

Phone: +49 711 615541-0
Email: poststelle@lfdi.bwl.de
Website: https://www.baden-wuerttemberg.datenschutz.de

22. Definitions

In this section, you will find an overview of the terminology used in this Privacy Policy. Many of the terms are taken from the law and primarily defined in Article 4 of the GDPR. The legal definitions are binding. The following explanations are primarily intended to aid understanding. The terms are listed in alphabetical order.

  • IP masking: “IP masking” refers to a method in which the last octet, i.e., the last two digits of an IP address, is deleted to prevent the IP address from being used to identify a person directly. Therefore, IP masking is a means of pseudonymizing processing operations, especially in online marketing.
  • Conversion tracking: Conversion tracking (also known as “visitor action evaluation”) is a method used to determine the effectiveness of marketing activities. Typically, a cookie is stored on the user’s device on the websites where the marketing activities take place and is then retrieved again on the target website. For example, this allows us to understand whether ads we placed on other websites were successful.
  • Personal data: “Personal data” refers to any information relating to an identified or identifiable natural person (hereinafter “data subject”); an identifiable natural person is one who can be identified directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g., a cookie), or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
  • Profiles with user-related information: The processing of “profiles with user-related information” or simply “profiles” includes any type of automated processing of personal data that consists of using this personal data to analyze, evaluate, or predict certain personal aspects relating to a natural person (depending on the type of profiling, this may include various information about demographics, behavior, and interests, such as interactions with websites and their content, etc.). Cookies and web beacons are often used for profiling purposes.
  • Reach measurement: Reach measurement (also referred to as web analytics) serves to evaluate the flow of visitors to an online service and may include visitor behavior or interests in specific content, such as website content. With the help of reach analysis, website operators can determine, for example, at what times visitors use their website and which content interests them. This allows them to better tailor the website’s content to the needs of their visitors. For reach measurement purposes, pseudonymous cookies and web beacons are often used to recognize returning visitors and thus achieve more accurate analyses of the use of an online service.
  • Controller: The “controller” is the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
  • Processing: “Processing” means any operation or set of operations which is performed on personal data, whether or not by automated means. The term is broad and includes virtually any handling of data, such as collecting, evaluating, storing, transmitting, or deleting.
