About Privacy Protection

The privacy policy of Doppstadt Beteiligungs GmbH is based on terms used by the European regulators and legislators when enacting the General Data Protection Regulation (GDPR). Our privacy policy should be easy to read and understand both for the general public and for our customers and business partners. To ensure this, we would like to explain the terms that are used here in advance.

In our privacy policy, we use the following terms, among others:

a) Personal data

Personal data means any information relating to an identified or identifiable natural person (hereinafter called “data subject concerned” or “data subject”). An identifiable natural person is one, who can be identified directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

B) Data subject

A data subject is any identified or identifiable natural person, whose personal data are processed by the controller.

c) Processing

(4) Processing means any operation or set of operations which is performed on personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

d) Blocking of processing

Blocking of processing means the marking of stored personal data with the aim of limiting their processing in the future.

e) Profiling

Profiling is any type of automated processing of personal data that comprises the use of personal data to evaluate certain personal aspects relating to a natural person, especially in order to analyze or predict aspects relating to work performance, economic situation, health, personal preferences, interests, reliability, behavior, location or change in location of this natural person.

f) Pseudonymization

Pseudonymization means the processing of personal data in such a way that personal data can no longer be assigned to a specific data subject without the use of additional information, provided that this additional information is stored separately and subject to technical and organizational measures ensuring that the personal data cannot be assigned to an identified or identifiable natural person.

g) Controller

Controller means the natural or legal person, public authority, institution or any other body, while alone or jointly with others determines the purposes and means of processing personal data. If the purposes and means of such processing are specified on the basis of European Union law or the law of the member states, the controller or the specific criteria for his or her designation can be provided in accordance with European Union law or the law of the member states.

h) Processor

Processor means a natural or legal person, public authority, institution or any other body which processes personal data on behalf of the controller.

i) Recipient

Recipient means a natural or legal person, public authority, institution or any other body, to which personal data are disclosed, regardless of whether it is a third party or not. Public authorities which possibly receive personal data as part of a specific investigation mandate under European Union law or the law of the member states, are not deemed as recipients.

j) Third party

A third party is a natural or legal person, public authority, institution or any other body other than the data subject concerned, the controller, the processor and the persons, who are authorized to process the personal data under the direct responsibility of the controller or the processor.

k) Consent

Consent is any declaration of intent voluntarily given by the data subject for the specific case in an informed manner and unambiguously in the form of a declaration or any other recognizable affirmative act, with which the data subject indicates that they agree with the processing of their personal data.

The controller within the meaning of the General Data Protection Regulation, other data protection laws applicable in the member states of the European Union and other provisions of data protection nature is:

Doppstadt Beteiligungs GmbH
Steinbrink 4
D-42555 Velbert
Tel. +49 2052 889-0
Fax. +49 2052 889-144
email: info(at)doppstadt.de
Internet: www.doppstadt.de

The controller has appointed a data security officer who can be reached as follows:

Doppstadt Beteiligungs GmbH
Data security officer
Stephan Viehoff
Steinbrink 4
D-42555 Velbert
Tel. +49 2052 889-0
Fax. +49 2052 889-144
email: datenschutz(at)doppstadt.de

Every data subject is entitled to contact our data security officer directly at any time with any questions and suggestions he or she may have relating to privacy protection.

Our website collects some general data and information on the basis of Art. 6 Para. 1 (f) of GDPR every time it is accessed by a data subject or an automated system. Such general data and information are temporarily stored in the server’s logfiles. The following may be collected

1. the operating system used by the accessing system and its interface,
2. the browser type used including language and version of the browser software,
3. the website, from which an accessing system reaches our website (a so-called referrer),
4. the sub-websites which are accessed by an accessing system on our website,
5. the date and the time of access to the website (including time zone difference to Universal Time Coordinated (UTC)),
6. the amount of data transferred in each respective case,
7. the internet protocol address (IP address),
8. the internet service provider of the accessing system
9. other similar data and information that serves to avert risks in case of attack on our information technology systems.

When using such general data and information, Doppstadt Beteiligungs GmbH does not draw any conclusions about the data subject. This information is needed to

1. correctly provide the contents of our website,
2. optimize the contents of our website and the advertising for it,
3. ensure the permanent functionality of our information technology systems and the technology of our website,
4. provide law enforcement authorities with the necessary information for prosecution purposes in case of a cyber attack.

This anonymously collected data and information are thus evaluated on the one hand statistically and on the other hand with the objective of increasing data protection and security in our company in order to ultimately ensure an optimum level of security for the personal data that we process. The anonymous data from server log files are stored separately from all personal data provided by a data subject.

In order to be able to securely and efficiently provide our online content, we rely on the services of one or more web hosting providers, where our online content can be accessed from their servers (or servers managed by them). For these purposes, we are able to use infrastructure and platform services, computing capacity, storage space and database services as well as security services and technical maintenance services.

The data processed as part of providing the hosting offer may include all the information relating to the users of our online offering and which are occur as part of use and communication. This normally includes the IP address, which is necessary to be able to deliver the content of online offers to browsers, and all entries made within our online offering or from our websites.

Email delivery and hosting: The web hosting services that we use also include the delivery, receipt and storage of emails. For these purposes the addresses of the recipients and senders as well as further information relating to email delivery (e.g. the providers involved) and the content of the respective emails are processed. The aforementioned data can moreover be processed for the purpose of identifying SPAM. Note that emails are generally not sent in encrypted form on the internet. As a rule, emails are encrypted when in transit, but not on the servers from which they are sent and received (unless a so-called end-to-end encryption process is utilized). Therefore we are not able to assume any responsibility for the emails’ transit between the sender and the receipt on our server.

• Types of data processed: Content data (e.g. text entries, photographs, videos), usage data (e.g. websites visited, interest in contents, access times), meta/communication data (e.g. Device information, IP addresses), inventory data (e.g. names, addresses), contact information (e.g. email, phone numbers).
• Data subjects: Users (e.g. website visitors, users of online services).
• Purposes of processing: Contractual services, range-of-coverage measurement (e.g. access statistics, recognition of recurring visitors), tracking (e.g. Interest-/behavior-based profiling, use of cookies), evaluation of visitor actions, server monitoring and error detection, contact requests and communication, remarketing, profiling (creation of user profiles), conversion measurement (measurement of effectiveness of marketing measures).
• Legal basis: Legitimate interests (Art. 6 Para. 1 (1) f) of GDPR), Consent (Art. 6 Para. 1 (1) a) of GDPR).

In accordance with the statutory requirements while taking into account the state of technology, implementation costs, type, scope, circumstances and purposes of processing as well as different probabilities of occurrences and extents of the threat to rights and freedoms of natural persons, we take the appropriate technical and organizational measures for ensuring an appropriate level of protection against risk.

The measures include, in particular, safeguarding the confidentiality, integrity and availability of data by controlling physical and electronic access to and viewing of data, input, transfer, ensuring their availability and their separation. Moreover, we have set up procedures that ensure the safeguarding of data subject rights, the deletion of data and response to threats to data. In addition, we take into account the protection of personal data already duri9ng the development and selection of hardware, software as well as processes in accordance with the principle of data protection by means of equipment design and default data privacy settings.

If it is possible for us or if it is not necessary to save the IP address, we will shorten or have your IP address shortened. In the case of IP address shortening, also referred to as "IP masking", the last 8-bit byte, i.e. the last two digits of an IP address, are deleted (the IP address is in this context an identifier individually associated with an internet connection by the online access provider). Shortening the IP address should prevent or make it significantly more difficult to identify a person based on their IP address.

We use a TLS or SSL encryption in order to protect the data that you transmit when visiting our website. You can identify encrypted connections based on the prefix “https://” or the lock shown in the address bar of your browser.

You have the option of contacting us by mail, phone fax or email or via the internet (e.g., by using contact forms, social media).

If you contact us by mail, we can process in particular your address data (e.g. first and last name, address, place of residence, postal code), date and time of receipt of your correspondence and any data that are provided in your correspondence.

If you have contacted us, it is possible that a secretary service may also process your data and send that to us after receipt of your communication. Depending on the data that you provide her, we will contact you either by phone, fax or email and call you back or write you if necessary.

If you contact us by phone, your phone number in particular and, if required, your name, email address, time of the call and details relating to the reason for your call will be processed during the call upon request.

If you contact us by fax, the fax number or the sender ID as well as the data resulting from the fax will be processed in particular.

When contacting us via email, your email address, time of the email and any data resulting from the text (including documents possibly attached) will be processed in particular.

The purpose of processing the above data is to process your contact request and to be able to contact you in order to answer your request. The legal basis for the processing of personal data as described here includes the fulfillment of the contracts and pre-contractual inquiries according to Art 6 Para. 1 (b) as well as our legitimate interest according to Art. 6 Para. 1 (f) of GDPR. It is our legitimate interest to offer you the opportunity to contact us at any time and to respond to your inquiries.

The personal data will only be processed for as long as is necessary to process the contact request.

You have the opportunity of registering on your website by providing your personal data. The personal data transmitted to us are determined by the respective entry screen that is used for registration. The personal data provided by you will only be collected and stored for our internal use and for our own purposes. We can transfer such data to one or more processors, e.g. a parcel service, who also uses personal data exclusively for use, which can be attributed to us.

When registering on our website, the IP address assigned by your Internet Service Provider (ISP), the date and the time of your registration are also saved. These data are stored in light of the fact that the misuse of our services can only be prevented in this manner and such data also enable the investigation of crimes committed if necessary. In this respect, the storage of such data is necessary for our own security. In general, such data are not provided to third parties, unless there is a legal obligation to do or the provision is used for law enforcement purposes.

Your registration takes place subject to voluntary disclosure of your personal data to us in order to offer you contents or services, which can only be offered to registered users as a result of the nature of the matter. Registered persons are free to change the personal data provided during registration at any time or to have such data deleted from the database in full.

Upon request, we will provide every data subject with information about the personal data that we have saved with regard to them. We moreover correct or delete personal data on request or at your notice, unless stipulated otherwise by statutory safekeeping obligations. All of our employees are available to you as contact in this context.

We use SnapAddy software to record and manage contacts. The provider is snapADDY GmbH, Haugerkirchgasse 7, 97070 Würzburg.

SnapAddy is used on the basis of our legitimate interest in accordance with Article 6 (1) (f) GDPR. The website operator has a legitimate interest in efficient contact management. If a corresponding consent has been requested, the processing takes place exclusively on the basis of Article 6 (1) (a) GDPR; the consent can be revoked at any time.

SnapAddy's privacy policy can be found at https://www.snapaddy.com/de/privacy-security-hub/datenschutz.html.

Order processing
We have concluded an order processing contract (AVV) for the use of the above-mentioned service. This is a contract required by data protection law, which ensures that the personal data of our website visitors is only processed according to our instructions and in compliance with the GDPR.

If you would like to place an order in our webshop, it is necessary for completing the contract that you provide the personal data that we need for processing your order. Mandatory information which is necessary for processing contracts shall be marked separately, additional information is voluntary. We process the data provided by you in order to take care of your order. To do this, we are able to send your payment information to our main bank or a payment service provider. The legal basis for this is Art. Art. 6 Para. 1 Cl. 1 (b) of GDPR.

We can also process the data that you provide in order to inform you about other interesting products in our product range or send you emails with technical information.

Due to commercial and tax regulations, we are obligated to store your address, payment information and order details for a period of ten (10) years. That said, we will restrict processing after four (4) years; in other words, your data will only be used to comply with the statutory obligations.

To prevent unauthorized access by third parties to your personal data, in particular financial data, the order process is encrypted using TLS technology.

Contractual partners are able to create a customer account within our website. If the registration of a customer account is required, contractual partners will be informed in this regard as well as with regard to the information required for registration. Customer accounts are not public and thus cannot be indexed by search engines. As part of registration and subsequent logins and use of the customer account, we save the IP addresses of customers in addition to the access times in order to be able to verify the login and prevent any misuse of a customer account.

If customers have cancelled their customer account, the data relating to the customer account will be deleted, notwithstanding their need to be stored for legal reasons. It is the customer's responsibility to secure their data when terminating the customer account.

We process personal data for the purposes of advertising communication, which may take place by way of diverse channels, such as email, phone, mail or fax. In this context, we observe the legal requirements and obtain the necessary consents, if the communication is not legally permitted.

The recipients have the right to revoke their consent at any time or to object to the advertising communication at any time.

After revocation or objection, we can store the data needed to verify the consent for up to three (3) years on the basis of our legitimate interests before we delete them. The processing of such data is limited to the purpose of a possible defense against claims. An individual request for deletion is possible at any time, provided that the former existence of a consent is confirmed at the same time.

• Types of data processed: Inventory data (e.g. names, addresses), contact data (e.g. email, phone numbers).
• Data subjects: Communication partner.
• Purposes of processing: Direct marketing (e.g. by email or by mail).
• Legal basis: Consent (Art. 6 Para. 1 (1) a) of GDPR), legitimate interests (Art. 6 Para. 1 (1) f) of GDPR).

We only send newsletters, emails and other electronic messages (hereinafter called “Newsletters”) only with the recipient’s consent or legal permission. If the contents of the Newsletters are specifically outlined during the Newsletter registration, they are decisive for the consent of the users. Our Newsletters otherwise contain information about use and our services. If necessary, we utilize email marketing service providers; reference is made to these and their contact information below.

In order to subscribe to our Newsletters, it is generally sufficient when you provide your email address. We can, however, ask you to provide your name so that we are able to address you personally in the Newsletters or to provide other information provided that such is necessary for the purposes of the Newsletters.

Registering for our Newsletter is generally based on the use of a so-called double-opt-in procedure: After registering, you will receive an email, asking you to confirm your registration. This confirmation is necessary for ensuring that no one registers while using someone else’s email addresses. Registrations for the Newsletter are recorded in order to be able to verify the registration process in accordance with the legal requirements. This includes the storage of the time of registration and confirmation as well as the IP address. Changes to your data stored by email marketing service provider are also recorded.

We can save the unsubscribed email addresses for a period of up to three (3) years on the basis of our legitimate interests, before we delete them in order to be able to verify a previously given consent. The processing of such data is limited to the purpose of a possible defense against claims. An individual request for deletion is possible at any time, provided that the former existence of a consent is confirmed at the same time. In the case of obligations to constantly observe any conflicts, we reserve the right to store the email address in a blacklist for this purpose alone.

The registration process is logged on the basis of our legitimate interests according to Art. 6 Para. 1 (1) f) of GDPR in order to verify that this process takes place properly. If we commission a service provider with the delivery of emails, this is done on the basis of our legitimate interest in an efficient and secure delivery system.

The Newsletters are delivered on the basis of the recipients’ consent or if consent is not necessary, on the basis of our legitimate interests in direct marketing, if and to the extent that this is permitted by law, e.g., in the event of advertising to existing customers. The registration process is recorded on the basis of our legitimate interests in verifying that the process is carried out in accordance with the law.

Contents: Information about us, our services, promotions and offers.

Performance measurement: The Newsletters contain a so-called “web beacons”, i.e. a pixel-sized file that is called by our server when opening the Newsletter from our server or, if we use an email marketing service provider, from its server. As part of this retrieval, technical information, such as information about the browser and your system, as well as your IP address and the time of retrieval, is initially collected.

This information is used to technically improve our Newsletters on the basis of technical data or the target groups and their reading behavior based on their retrieval locations (which can be determined with the aid of the IP address) or the access times. This analysis also includes determining whether the Newsletters have been opened, when they are opened and which links have been clicked. This information can be assigned to the individual recipients of the Newsletters for technical reasons. It is, however, not our intention nor, if used, that of our email marketing service provider to observe individual users. Instead we utilize the evaluations to understand the reading habits of our users and adapt our contents to them or send different contents in accordance with the interests of our users.

The Newsletters and performance measurement are evaluated, subject to the express consent of the users, on the basis of our legitimate interests for the purpose of using a user-friendly and secure Newsletter system, which serves both our business interests and meets the expectations of our users.

A separate objection to the performance measurement is unfortunately not possible; in such case the entire Newsletter subscription must be cancelled or revoked.

Consent to the delivery of emails can be made dependent on the use of free services (e.g. access to certain contents or participation in certain promotions). If the users would like to make use of the free service without registering for the Newsletter, we ask you to contact us.

Right to Withdraw Consent

You have the right to revoke your consent at any time without affecting the legality of the processing carried out on the basis of the consent up to the time of consent withdrawal. You can send us your withdrawal of consent at any time (for instance via email to datenschutz(at)doppstadt.de).

You can also grant your consent by simply clicking on the link provided in our Newsletter.

Right to Object

If the processing of your data is not covered by the consent (especially log files), you have a right to object.

You can send us your objection at any time (for instance via email to datenschutz(at)doppstadt.de).

• Types of data processed: Inventory data (e.g. names, addresses), contact data (e.g. email, phone numbers), meta/communication data (e.g. device information, IP addresses), usage data (e.g. visited websites, interest in contents, access times).
• Special data categories: possibly health data (Art. 9 Para. 1 of GDPR).
• Data subjects: Communication partners, users (e.g. website visitors, users of online services).
• Purposes of processing: Direct marketing (e.g. by email or mail), contractual services, contact inquiries and communication, range-of-coverage measurement (e.g. access statistics, recognition of recurring visitors), tracking (e.g. interest-/behavior-based profiling, use of cookies), profiling (creation of user profiles).
• Legal basis: Consent (Art. 6 Para. 1 (1) a) of GDPR), legitimate interests (Art. 6 Para. 1 (1) f) of GDPR).
• Opt-out option: You can cancel the receipt of our Newsletter at any time, i.e. to revoke your consent or object to any further receipt. You will find a link to cancel the Newsletter at the end of every Newsletter or you can use one of the contact options cited above, preferably email, in this regard.

Due to statutory regulations, the website of Doppstadt Beteiligungs GmbH contains information that enables visitors to quickly contact us electronically and communicate directly with us, which also include a general email address. If you contact us by email or by using the contact form, the personal data that you provide will be saved automatically. Such personal data provided to us on a voluntary basis are saved for processing purposes or to be able to contact you. Such personal data are not passed on to third parties.

We process and store your personal data only for the period that is necessary to attain the purpose of storage or if this has been provided for by the European regulators and legislators or another legislator in laws or regulations to which we are subject.

If the purpose of storage no longer applies or if a storage period prescribed by the European regulators or another legislator expires, the personal data will be routinely blocked or deleted in accordance with the statutory provisions.

a) Right to confirmation

Every data subject has the right as granted by European regulators and legislators to request confirmation from the controller with regard to whether personal data relating to the data subject are processed. If a data subject would like to make use of this right to confirmation, they are entitled to contact an employee of the controller at any time.

b) Right to information

Any person affected by the processing of personal data has the right granted by European regulators and legislators to obtain information free of charge about their personal data stored and receive a copy of such information from the controller at any time. Moreover, the European regulators and legislators have granted data subjects access to the following information:

• Purposes of processing
• Categories of personal data that are processed
• The recipients or categories of recipients, to whom the personal data have been or will be disclosed, in particular for recipients in third countries or for international organizations
• If possible, the planned duration, for which the personal data are stored, or, if that is not possible, the criteria for determining this duration
• The existence of a right to correct or delete the personal data relating to the data subject or to restrict the processing of personal data by the controller or a right to object to such processing
• The existence of a right to file a complaint with a supervisory authority
• If the personal data are not collected from the data subject concerned: All available information about the origin of the data
• The existence of an automated decision-making including profiling in accordance with Art. 22 Para. 1 and 4 of GDPR and – at least in these cases – meaningful information on the logic involved as well as the scope and the desired effects of such processing for the data subject.

Moreover, the data subject also has the right to be informed as to whether the personal data were transferred to a third country or an international organization. If this is the case, the data subject is also entitled to receive information about the appropriate guarantees in connection with the transfer.

If a data subject would like to make use of this right to information, they are entitled to contact an employee of the controller at any time.

c) Right to correction

Every data subject affected by the processing of personal data has the right granted by European regulators and legislators to request immediate correction of any incorrect personal data relating to them. Moreover, the data subject is entitled to request completion of incomplete personal data, even by means of a supplementary statement, while taking into account the purposes of processing.

If a data subject would like to make use of this right to correction, they are entitled to contact an employee of the controller at any time.

d) Right to deletion (Right to be forgotten)

Every data subject affected by the processing of personal data has the right as granted by European regulators and legislators to request that the controller immediately delete the personal data relating to them if one of the following reasons applies and as far as processing is not necessary:

• The personal data were collected for such purposes or processed in another manner for which the data are no longer needed.
• The data subject revokes their consent, which processing was based on under Art. 6 Para. 1 (a) of GDPR or Art. 9 Para. 2 (a) of GDPR, and there is no other legal basis for the processing.
• The data subject objects to the processing in accordance with Art. 21 Para. 1 of GDPR, and there are no overriding legitimate reasons for the processing, or the date subject objects to the processing in accordance with Art. 21 Para. 2 of GDPR.
• The personal data were processed unlawfully.
• The deletion of personal data is necessary for fulfilling a legal obligation under EU law or the law of member states, to which the controller is subject.
• The personal data were collected with regard to offered services of the information society in accordance with Art. 8 Para. 1 of GDPR.

If one of the aforementioned reasons applies and a data subject wants to have their personal data stored by Doppstadt Beteiligungs GmbH deleted, they can contact an employee of the controller at any time. The employee of Doppstadt Beteiligungs GmbH will arrange for the immediate compliance with the deletion request.

If the personal data were disclosed or released by Doppstadt Beteiligungs GmbH and our company as controller is obligated under Art. 17 Para. 1 of GDPR to delete the personal data, then Doppstadt Beteiligungs GmbH shall undertake appropriate measures, including those of a technical nature, while taking into account the available technology and implementation costs, in order to inform other controllers who are processing the disclosed personal data that the data subject has requested the deletion of all links to the personal data or copies or replications of the relevant personal data by these other data controllers, provided that the processing thereof is not necessary. The employee of Doppstadt Beteiligungs GmbH will take the necessary steps in individual cases.

e) Right to restrict processing

Every data subject affected by the processing of personal data has the right as granted by European regulators and legislators to request that the controller restrict processing if one of the following prerequisites has been satisfied:

• The accuracy of the personal data is disputed by the data subject, for a period of time that enables the controller to check the accuracy of the personal data.
• The processing is unlawful, the data subject declines the deletion of personal data and instead requests the restriction of the use of personal data.
• The controller no longer needs the personal data for processing purposes, but the data subject requires such information to assert, exercise or defend any legal claims.
• The data subject has objected to processing in accordance with Art. 21 Para. 1 of GDPR and it is not yet clear whether the controller’s legitimate reasons outweigh those of the data subject.

If one of the aforementioned requirements has been fulfilled and a data subject wants to have their personal data stored by Doppstadt Beteiligungs GmbH deleted, they can contact an employee of the controller in this regard at any time. The employee of Doppstadt Beteiligungs GmbH will take the necessary steps to restrict processing.

f) Right to portability of personal data

Every data subject affected by the processing of personal data has the right as granted by European regulators and legislators to receive the personal data that they have provided to the controller in a structured, standard and machine-readable format. The data subject moreover has the right to transfer such personal data to another controller without any hindrance on part of the controller, who had received the personal data, provided that the processing is based on the consent given in accordance with Art. 6 Para. 1 (a) of GDPR or Art. 9 Para. 2 (a) of GDPR or on a contract under Art. 6 Para. 1 (b) GDPR and processing is carried out with the aid of automated processes if the processing is not necessary for carrying out a task that is in the interest of the general public or in the exercise of official authority, which was transferred to the controller.

Moreover, the data subject has the right when exercising their right to portability of the personal data in accordance with Art. 20 Para. 1 of GDRP to have the personal data directly sent from one controller to another controller, provided that this is technically feasible and that that is not adversely affected by the rights and freedoms of other persons.

To assert the right to portability of personal data, the data subject may contact an employee of Doppstadt Beteiligungs GmbH at any time.

g) Right to object

Every data subject affected by the processing of personal data has the right as granted by European regulators and legislators for reasons arising from a particular situation to object at any time to the processing of personal data relating to them, which is based on Art. 6 Para. 1 (e) or (f) of GDPR. This also applies to profiling based on these provisions.

Doppstadt Beteiligungs GmbH will no longer process personal data in case of an objection, unless we are able to provide compelling legitimate reasons for such processing that outweigh the interests, rights and freedoms of the data subject or the processing serves the assertion, exercising and defense of legal claims.

If Doppstadt Beteiligungs GmbH processes personal data for direct advertising purposes, the data subject has the right to object to the processing of personal data at any time for the purpose of such advertising. This also applies to profiling insofar as it involves such direct advertising. If the data subject objects to data processing by Doppstadt Beteiligungs GmbH for the purpose of direct advertising, Doppstadt Beteiligungs GmbH will no longer process personal data for such purposes.

In addition, the data subject has the right for reasons that result from their particular situation to object to the processing of personal data relating to them, which is carried out at Doppstadt Beteiligungs GmbH for scientific or historical research purposes or for statistical purposes according to Art. 89 Para. 1 of GDPR, unless such processing is necessary for fulfilling a task in an official interest.

To assert the right to object, the data subject may contact any employee of Doppstadt Beteiligungs GmbH or another employee directly. The data subject is moreover free to assert their right to object with the aid of automated procedures subject to technical specifications in connection with the use of services of the information society, regardless of Directive 2002/58/EC.

h) Automated decisions in individual cases including profiling

Every data subject affected by the processing of personal data has the right as granted by European regulators and legislators not to be subjected to a decision based solely on automated processing – including profiling, which has a legal effect on them or similarly has a significant impact on them, provided that the decision

(1) is not necessary for forming or fulfilling an agreement between the data subject and the controller, or

(2) is admissible as a result of statutory provisions of the European Union or the member states, which the controller is subject to and these statutory provisions contain appropriate measures for safeguarding the rights and freedoms and the legitimate interests of the data subject or

(3) is made with the express consent of the data subject.

If the decision

(1) is necessary for forming or fulfilling an agreement between the data subject and the controller, or

(2) is made with the express consent of the data subject,

Doppstadt Beteiligungs GmbH takes appropriate measures for safeguarding the rights and freedoms as well as the legitimate interests of the data subject, which at least includes the right to obtain the involvement of a person on part of the controller, to present their own position and to contest the decision.

If a data subject would like to make use of rights relating automated decisions, they are entitled to contact an employee of the controller in this regard at any time.

i) Right to revoke consent under data privacy laws

Every data subject affected by the processing of personal data has the right as granted by European regulators and legislators to revoke consent to processing of personal data at any time.

If a data subject would like to assert their right to revoke consent, they are entitled to contact an employee of the controller in this regard at any time.

j) Right to file a complaint with a supervisory authority

If you are of the opinion that the processing of personal data concerning you violates the GDPR, you have the right to complain to a supervisory authority, in particular in the member state of your place of residence, your place of work or the location of the alleged infringement without prejudice to any other administrative or judicial remedy.

The supervisory authority, to whom the complaint was submitted, shall inform the complainant about the status and the results of the complaint, including the possibility of any judicial remedy in accordance with Art. 78 of GDPR.

Contact details for the competent supervisory authority:

Landesbeauftragte für Datenschutz und Informationsfreiheit (State Official for Data Privacy and Freedom of Information) North Rhine Westphalia

Helga Block
Postfach 20 04 44
40102 Düsseldorf
Kavalleriestraße 2-4
40213 Düsseldorf
Ph.: +49(0)2 11 384 24-0
Fax: +49(0)2 11 384 24-10
email: poststelle(at)ldi.nrw.de
Homepage: http://www.ldi.nrw.de

This website uses the “Custom Audiences” remarketing function of Facebook Inc. (Facebook). This allows users of the website to see interest-based advertisements (Facebook ads) when visiting the social network Facebook or other websites that also use this function. In doing so, we are interested in showing you advertisements that are of interest to you in an effort to make our website more appealing to you. Your express consent is required for this.

Facebook Custom Audiences is operated by Facebook Ireland Ltd, 4 Grand Canal Square, Dublin 2, Ireland; parent company is Facebook Inc., 1 Hacker Way, Menlo Park, CA 94025, USA.

On the basis of the implemented marketing tools, your browser automatically establishes a direct connection with the Facebook server. We do not have any influence on the scope and further use of the data that are collected by Facebook through use of this tool and thus inform you according to our level of knowledge: By integrating Facebook Custom Audiences, Facebook receives information that you have accessed the corresponding page on our website or you have clicked on an advertisement from us. If you are logged in to a Facebook service, Facebook is able to assign your visit to your account. Even if you are not registered with Facebook or have not logged in, there is a possibility that the provider is able to find out and save your IP address and other identifying features.

With the aid of the Facebook Pixel, Facebook is able to determine the visitors of our online content as a target group for the presentation of advertisements (so-called "Facebook ads"). Accordingly, we utilize the Facebook Pixel in order to display Facebook ads placed by us to those Facebook users who have shown an interest in our online content or those we have transmitted to Facebook (Custom Audiences). With the aid of the Facebook Pixel we would also like to ensure that our Facebook ads correspond with the potential interest of users and are not annoying. With the aid of the Facebook Pixel we are also able to recognize the effectiveness of Facebook ads for statistic and market research purposes by seeing whether users have been redirected to our website after clicking on a Facebook ad (so-called “Conversion”).

Moreover we use the additional function “Advanced Matching” with the use of Facebook Pixel (data like phone numbers email addresses or Facebook IDs of users) are transmitted to Facebook (in encrypted form) to create target groups (“Custom Audiences” or “Look Alike Audiences”). You can find more information about “Advanced Matching” at https://www.facebook.com/business/help/611774685654668.

The legal basis for processing your data is the consent that you have given in accordance with Art. 6 Para. 1 (1) a) of GDPR.

Withdrawal of your Consent

We only use Facebook Custom Audiences subject to your consent. You have the right to revoke your consent by

• preventing the storage of cookies by implementing the corresponding settings in your browser; please note however that you will not be able to utilize all the functions of our website to the full extent;
• deactivating your consent by using our consent tool;
• deactivating the function “Facebook Custom Audiences” as a logged-in user at https://www.facebook.com/settings/?tab=ads#_.

Further information for data processing by Facebook can be found at https://www.facebook.com/about/privacy.

Note on Transferring Data to the US: The service provider has its headquarters in the US. The European Court of Justice (ECJ) has declared in its ruling on July 16, 2020 that the so-called EU-US Privacy Shield agreement is not valid (C-311/18).
We would like to point out that the United States are not a safe third country within the meaning of the EU’s data protection law. US companies are obligated to disclose personal information to security agencies without the concerned data subject being able to take legal action against this. It can thus not be ruled out that the US authorities (e.g. Secret services) may process, evaluate and permanently store your data on US servers for monitoring purposes. We do not have any influence on such processing activities.

We maintain a fan page on the Facebook social media platform. Facebook Ireland Ltd (“Facebook”) provides us as “administrator” with “Facebook Insights”. These involve different statistics that provide us with information about the use of our Facebook fan page by visitors. More information in this regard can be found at https://www.facebook.com/business/pages/manage#page_insights.

Facebook processes various information (including personal data) in order to generate these statistics.

In accordance with Art. 26 of GDPR, Facebook and we share a joint responsibility when it comes to the processing of Insights data. For the in-depth regulation of the respective responsibility, Facebook has prepared an updated Page Insights addendum that took effect on November 28, 2019 and shall apply to further use of Facebook pages as of this date.

We provide you with this information from Facebook in words as part of the required transparency below; you can also find this directly on Facebook’s page at https://www.facebook.com/legal/terms/page_controller_addendum.

* * *

Information about Page Insights

If people use Facebook products like pages, among other things, Facebook (including “we” or “us”) collects information as described in Facebook’s Data Policy under “What kinds of information do we collect?” (Information about how we use cookies and similar technologies can be found in our Cookie Policy).

This also includes information about how people use Facebook products, e.g. the types of contents the people view or with whom they interact, or the actions they take (see under “Thins you and others do and provide” in Facebook Data Policy) as well as information about the devices you use (e.g. IP addresses, operating system, browser type, language settings, cookie data; see under “Device Information” in Facebook’s Data Policy). The information that Facebook actually collects depends on whether and how people use the Facebook Products.

As explained in Facebook’s Data Policy under “How do we use this information?”, Facebook also collects and uses information in order to provide analytical services, so-called Page Insights, for page administrators, so that they have information about how people interact with their pages and the associated contents. The processing of personal data for Page Insights may be subject to the following agreement on shared responsibility (Pages Insights Controller Addendum).

Data Processing for Page Insights

Page Insights are compiled statistics that are generated on the basis of certain events that are logged by Facebook servers if people interact with pages and contents associated with them.

Such events consist of varying data points, which include, e.g., the following, depending on the specific event:

• An action. This includes actions like the following (you can see the actions that are available for your page in the Insights section of your page):
  • Viewing a page, a post, a video, a story or other contents associated with a page
  • Interacting with a story
  • Following or unfollowing a page
  • Liking or unliking a page or a post
  • Recommending a page in a post or comment
  • Commenting on, sharing or reacting to a page’s post (including the type of reaction)
  • Hiding a page’s post or reporting it as spam
  • Moving the mouse over a link to a page or its name or the profile picture of a page in order to preview the page’s contents
  • Clicking on the website, phone number, “Get directions” button or another button on a given page
  • Viewing the event on a page, reacting to an event (including the type of reaction), clicking on a link for event tickets
  • Starting a Messenger communication with the page
  • Viewing or clicking on items in a page’s shop
• Information about the action, the person taking the action, and the browser/app used for that. These are for example:
  • Date and time of action
  • Country/city (estimated from IP address or imported from user profile in case of logged-in users)
  • Language code (from the browser’s http header and/or language setting)
  • Age/gender group (from the user profile, only for logged-in users)
  • Previously visited websites (from the browser’s http header)
  • Whether the action was taken from a computer or a mobile device (from the browser’s user agent or from app attributes)
  • Facebook user ID (only for logged-in users)

We determine whether people are logged-in users of Facebook via cookies in accordance with our Cookie Policy. Only a few events can be triggered by people who are not logged into Facebook. This includes, among other things, visiting a page or clicking on a photo or video in a post to view it.

Page administrators do not have access to personal data that are processed as part of events but only access to the aggregated Page Insights. Events that are used to generate Page Insights do not store any IP addresses, cookie IDs or any other identifiers associated with people or their devices aside from a Facebook user ID for people logged into Facebook.

The events logged by Facebook to generate Page Insights are determined exclusively by Facebook and cannot be set, changed or otherwise influenced by page administrators.

Pages Insights Controller Addendum

Where an interaction of people with your page and the content associated with it triggers the creation of an event for Page Insights which includes personal data for whose processing you (and/or any third party for whom you are creating or administering the page) determine the means and purposes of the processing jointly with Facebook Ireland Limited, you acknowledge and agree on your own behalf (and as agent for and on behalf of any such other third party) that this Page Insights Controller Addendum ("Page Insights Addendum") applies:

• You and Facebook Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Facebook Ireland”, “we” or “us”; together the “Parties”) acknowledge and agree to be joint controllers in accordance with Art. 26 of GDPR for the processing of personal data in events for Page Insights (Insights Data). The joint controllership covers the creation of those events and their aggregation into Page Insights that are provided to page administrators. The Parties agree that for any other processing of personal data in connection with a page and/or the content associated with it for which there is no joint determination of the purposes and means, Facebook Ireland and, as the case may be, you, remain separate and independent controllers.
• The processing of Insights Data is subject to the provisions of this Page Insights Addendum. They apply to all activities in the course of which Facebook Ireland, its employees or processor(s) process Insights Data.
• Facebook Ireland's and your responsibilities for compliance with the obligations under the GDPR with regard to the processing of Insights Data are determined as follows:
  • Facebook Ireland: Facebook Ireland will ensure that it has a legal basis for the processing of Insights Data, which are set out in the Data Policy of Facebook Ireland (see under “What is our legal basis for processing data?”). Unless specified otherwise in this Page Insights Addendum, Facebook Ireland assumes the responsibility for compliance with the applicable obligations under the GDPR for the processing of Insights Data (including, but not limited to, Art. 12 and 13 of GDPR, Art. 15 to 21 of GDPR, Art. 33 and 34 of GDPR). Facebook Ireland will implement appropriate technical and organizational measures to ensure the security of the processing in accordance with Art. 32 of GDPR. This does include the measures listed in the Annex below (as updated from time to time, for example to reflect technological developments). All employees of Facebook Ireland involved in the processing of Insights Data are bound by appropriate obligations to maintain the confidentiality of Insights Data.
  • Page administrators: You should ensure that you also have a legal basis for the processing of Insights Data. In addition to the information provided by Facebook Ireland to data subjects via the Information about Page Insights , you should identify your own legal basis including the legitimate interests you pursue, if applicable, the responsible data controller(s) on your side including their contact details as well as the contact details of the data protection officer(s) (Art .13 Para. 1 (a – d) of GDPR), if any.
• Facebook Ireland will make the essence of this Page Insights Addendum available to data subjects (Art. 26 Para. 2 of GDPR). This is currently done via the Information about Page Insights data, which can be accessed from all pages.
• Facebook Ireland decides in its sole discretion how to comply with its obligations under this Page Insights Addendum. You acknowledge and agree that only Facebook Ireland has the power to implement decisions about the processing of Insights Data. You also acknowledge and agree that the lead supervisory authority for the joint processing is the Irish Data Protection Commission (notwithstanding Article 55(2) of GDPR, where applicable).
• This Page Insights Addendum does not grant you any right to request the disclosure of personal data of Facebook users that is processed in connection with Facebook Products, including especially for Page Insights that we provide to you.
• The Parties designate the communication channels referenced in the Information about Page Insights data or in any subsequent document as contact points for data subjects.
• If data subjects exercise their rights under GDPR with regard to the processing of Insights Data against you (Art. 26(3) of GDPR), or you are contacted by a supervisory authority with regard to the processing of Insights Data, each a "Request", you will forward all relevant information regarding such Requests to us promptly but within a maximum of seven calendar days. For this purpose, you can submit this form. Facebook Ireland agrees to answer Requests from data subjects in accordance with our obligations under this Page Insights Addendum. You agree to take all reasonable endeavors in a timely manner to cooperate with us in answering any such Request. You are not authorized to act or answer on Facebook Ireland’s behalf.
• If you use a Page, you agree that any claim, cause of action or dispute that you have against us, which arises out of or relates to this Page Insights Addendum, must be resolved exclusively in the courts of Ireland, that you irrevocably submit to the jurisdiction of the Irish courts for the purpose of litigating any such claim and that the laws of Ireland will govern this Page Insights Addendum, without regard to conflict of law provisions. If you are a consumer who habitually resides in a member state of the European Union, only 4.4 of our Terms of Service applies.
• We may need to update the Page Insights Addendum from time to time. By continuing any use of Pages after any notification of an update to this Page Insights Addendum, you agree to be bound by it. If you do not agree to the updated Page Insights Addendum, please stop all use of Pages. If you are a consumer who habitually resides in a member state of the European Union, only 4.1 of our Terms of Service applies.
• If any portion of this Page Insights Addendum is found to be unenforceable, the remaining portion will remain in full force and effect. If we fail to enforce any portion of this Page Insights Addendum, it will not be considered a waiver. Any amendment to or waiver of these terms requested by you must be made in writing and signed by us.
• This Page Insights Addendum applies only to the processing of personal data within the scope of Regulation (EU) 2016/679 (“GDPR”). “personal data”, “processing”, “controller”, “processor”, “supervisory authority” and “data subject” in this Page Insights Addendum have the meanings set out in GDPR.

Annex: Security

“Applicable Products” includes Facebook Pages and Pages Insights.

1. 1. Organization of Information Security

Facebook has a designated security officer with overall responsibility for security in the organization. Facebook has personnel responsible for oversight of security of the Applicable Products.

1. Physical and Environmental Security

Facebook’s security measures include controls designed to provide reasonable assurance that physical access to data processing facilities is limited to authorized persons and that environmental controls are established to detect, prevent, and control destruction due to environmental hazards. The controls include:

1. 1. Logging and auditing of physical access to the data processing facility by employees and contractors;
   2. Camera surveillance systems at the data processing facility;
   3. Systems that monitor and control the temperature and humidity for the computer equipment in the data processing facility;
   4. Power supply and backup generators at the data processing facility;
   5. Procedures for secure deletion and disposal of data, subject to the Applicable Products Terms; and
   6. Protocols requiring ID cards for entry to all Facebook facilities for all personnel working on the Applicable Products.
2. Personnel
   1. Training Facebook ensures that all personnel with access to Insights Data undergo security training.
   2. Screening and Background Checks Facebook has a process for:
      1. verifying the identity of the personnel with access to Insight Data, and
      2. performing background checks, where legally permissible, on personnel working on or supporting aspects pertaining to the Applicable Products in accordance with Facebook standards.
   3. Personnel Security Breach Facebook takes disciplinary action in the event of unauthorized access to Insights Data by Facebook personnel, including, where legally permissible, punishments up to and including termination.
3. Security Testing

Facebook performs regular security and vulnerability testing to assess whether key controls are implemented properly and are effective.

1. Access Control
   1. Password Management Facebook has established procedures for password management for its personnel, designed to ensure passwords are personal to each individual, and inaccessible to unauthorized persons, including at minimum:
      1. password provisioning, including procedures designed to verify the identity of the user prior to a new, replacement, or temporary password;
      2. cryptographically protecting passwords when stored in computer systems or in transit over the network;
      3. altering default passwords from vendors;
      4. strong passwords relative to their intended use; and
      5. education on good password practices.
   2. Access Management Facebook also controls and monitors its personnel’s access to its systems using the following:
      1. established procedures for changing and revoking access rights and user IDs, without undue delay;
      2. established procedures for reporting and revoking compromised access credentials (passwords, tokens etc.);
      3. maintaining appropriate security logs including where applicable with user ID and time stamp;
      4. synchronizing clocks with NTP; and
      5. logging the following minimum user access management events:
         • Authorization changes;
         • Failed and successful authentication and access attempts; and
         • Read and write operations.
2. Communications Security
   1. Network Security
      1. Facebook employs technology that is consistent with industry standards for network segregation.
      2. Remote network access to Facebook systems requires encrypted communication via secured protocols, and use of multi-factor authentication.
   2. Protection of Data in Transit Facebook enforces use of appropriate protocols designed to protect the confidentiality of data in transit over public networks.
3. Vulnerability Management

Facebook institutes and maintains a vulnerability management program covering the Applicable Products that includes definitions of roles and responsibilities for vulnerability monitoring, vulnerability risk assessment, and patch deployment.

1. Security Incident Management
   1. Facebook maintains a security incident response plan for monitoring, detecting, and handling possible security incidents affecting Insights Data. The security incident response plan at least includes definitions of roles and responsibilities, communication, and post mortem reviews, including root cause analysis and remediation plans.
   2. Facebook monitors its systems for any security breaches and malicious activity affecting Insights Data.

* * *

Below you will find the key details relating to the agreement formed between Facebook and us in accordance with Art. 26 of GDPR.

Joint controllers are

Facebook Ireland Ltd
4 Grand Canal Square
Dublin 2
Ireland

and

Doppstadt Beteiligungs GmbH

Steinbrink 4

D-42555 Velbert

Tel. +49 2052 889-0

Fax. +49 2052 889-144

email: info(at)doppstadt.de

Internet: www.doppstadt.de

Facebook has assumed primary responsibility for all obligations under GDPR for data processing. This means in particular:

• Facebook assumes the necessary information obligations (e.g. according to Art. 13 of GDPR),
• Data subject rights can be asserted against Facebook (e.g. right to information or deletion, objection to data processing or revocation of a given consent),
• Safeguarding of technical and organizational measures for data processing.

Facebook provides detailed information about data processing at https://www.facebook.com/ (Art. 13 of GDPR). To provide you with an overview of the essential information, we also make reference to the content and links provided there by Facebook within the framework of this privacy policy.

Regardless of Facebook’s primary responsibility, you may also assert your rights against us directly in accordance with GDPR. We will then forward your request to Facebook using the provided form.

Facebook’s legal bases and purposes of processing can be found at https://www.facebook.com/about/privacy/legal_bases and https://de-de.facebook.com/policy.php.

We have a legitimate interest in being able to track user behavior on our Facebook fan page; accordingly, the legal basis for processing data is Art. 6 Para. 1 (f) of GDPR. In this way, it is possible for us to extend the scope and effectiveness of our activities such as campaigns and posts with processed statistics. For instance, we are able to continuously optimize our website and offer as needed, which also represents the purpose of processing in accordance with GDPR.

Facebook may also process in particular the following data:

• User interaction, such as click behavior, posts, likes, viewing of videos, page views, etc.
• Cookies
• Demographic characteristics, such as age, gender, state, etc.
• IP address
• System and device information (browser type, operating system, etc.)

When visiting our Facebook fan page, the exact processing of your personal data depends on whether you have a Facebook account or not. If you have a Facebook account, Facebook is able to permanently assign the data to your account in order to learn more about you.

Even if you do not have a Facebook account, Facebook is able to save your data. This can happen through the use of cookies. They allow Facebook to save and process information about you, even without you having a Facebook account. You will find more information about Facebook cookies at https://de-de.facebook.com/policies/cookies/.

We only receive from Facebook anonymized statistics about the use of our fan page. We can only see how many users have carried out which interactions, but no which user has carried out a specific action. The statistics of the Insights data do not allow us to draw any conclusions about a specific person.

In an appendix on the information about page Insights, Facebook also provides information about the technical and organizational measures taken in accordance with Art. 32 of GDPR to protect your data.

In case of joint responsibility, you can assert your rights as already mentioned directly against Facebook or us.

At https://de-de.facebook.com/policies/cookies/, you can also configure your settings for the use of cookies. You will find under the sections “If you have a Facebook account” (Facebook account present) and “Public” (no Facebook account present) information about how you may advise Facebook that you object to processing.

Using your browser, you can set the storage period for the respective cookies if you view the cookies (usually by clicking on the “i” next to the address bar, e.g. in Firefox or Google Chrome).

Note on Transferring Data to the US: The service provider has its headquarters in the US. The European Court of Justice (ECJ) has declared in its ruling on July 16, 2020 that the so-called EU-US Privacy Shield agreement is not valid (C-311/18).
We would like to point out that the United States are not a safe third country within the meaning of the EU’s data protection law. US companies are obligated to disclose personal information to security agencies without the concerned data subject being able to take legal action against this. It can thus not be ruled out that the US authorities (e.g. Secret services) may process, evaluate and permanently store your data on US servers for monitoring purposes. We do not have any influence on such processing activities.

We currently use the following social media plug-ins: Facebook, Instagram, YouTube, LinkedIn. In this context, we use the so-called two-click solution. In other words, when you visit our website, no personal data are passed on initially to the providers of the plug-ins. The provider of the plug-ins can be identified by the mark on the box above its first letter or the logo. We offer you the opportunity to directly communicate with the provider of the plug-in by using the button. The plug-in provider only receives information that you have accessed the corresponding website of our online offering if you click on the highlighted field, thus activating it. Other data will also be transmitted. In the case of Facebook, IP addresses are anonymized immediately after their collection according to the relevant service provider in Germany. By activating the plug-ins, personal data are transmitted by you to the plug-in provider and stored there (at US providers in the US). Since the plug-in provider carries out the data collection with the aid of cookies in particular, we recommend you to delete all cookies using your browser's security settings.

We have no control over the collected data and the data processing operations nor do we know the full extent of the data collection, the purpose of processing and the respective storage periods. We also do not have any information relating to the deletion of data collected by the plug-in provider.

The plug-in provider stores the data collected about you as usage profiles and utilizes these for advertising purposes, market research and/or to tailor its website to address requirements. Such an evaluation is carried out in particular (even for users not signed in) to provide requests-oriented advertising and to inform other users of the social network about your activities on our website. You are entitled to object to the creation of such user profiles, whereas you have to contact the respective plug-in provider to assert your objection. Plug-ins give us an opportunity to interact with social networks and other users, allowing us to improve our offering and make our presentation more interesting for you as a user. The use of plug-ins is legally permitted under Art. 6 Para. 1 (1) f) of GDPR.

The data disclosure takes place regardless of whether you have an account with the plug-in provider and are logged in there. If you are logged in with the plug-in provider, the data collected about you from us are directly assigned to your existing account with the plug-in provider. If you press the activated button and link, e.g., the page, the plug-in provider stores this information in your user account as well and publicly shares that with your contacts. We recommend that you regularly log out when you are done using a social network, especially prior to activating the button, since this will help to prevent an assignment to your profile with the plug-in provider.

If, alternatively, only links to the services are included, you will be redirected to our respective page after clicking the link, i.e. only then will the data be transferred to the relevant service.

For more information about the purpose and scope of the data collection and their processing by the plug-in provider, consult the respective providers’ privacy policies listed below. There you will also find more information about your rights in this regard and possible settings to protect your privacy.

Addresses of the respective plug-in providers and URLs with their privacy policies:

Facebook Inc., 1601 S California Ave, Palo Alto, California 94304, USA; https://www.facebook.com/policy.php; for more information about data collection: https://www.facebook.com/help/186325668085084, https://www.facebook.com/about/privacy/your-info-on-other#applications and https://www.facebook.com/about/privacy/your-info#everyoneinfo.

YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066 USA; subsidiary of Google Inc., 1600 Amphitheater Parkway, Mountainview, California 94043, USA; https://www.google.com/policies/privacy/partners/?hl=de.

LinkedIn Corporation, 2029 Stierlin Court, Mountain View, California 94043, USA; https://www.linkedin.com/legal/privacy-policy.

Instagram: Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland; help.instagram.com/155833707900388; https://www.instagram.com/about/legal/privacy/.

Note on Transferring Data to the US: The service provider has its headquarters in the US. The European Court of Justice (ECJ) has declared in its ruling on July 16, 2020 that the so-called EU-US Privacy Shield agreement is not valid (C-311/18).
We would like to point out that the United States are not a safe third country within the meaning of the EU’s data protection law. US companies are obligated to disclose personal information to security agencies without the concerned data subject being able to take legal action against this. It can thus not be ruled out that the US authorities (e.g. Secret services) may process, evaluate and permanently store your data on US servers for monitoring purposes. We do not have any influence on such processing activities.

Our website uses the font Awesome for uniform display of fonts and icons. Provider is Fonticons, Inc., 6 Porter Road Apartment 3R, Cambridge, MA 02140, USA. According to the company and its Privacy Policy, Fonticons, Inc. observes the European regulations of GDPR.

When accessing a page, your browser loads the necessary web fonts and icons into your browser cache to facilitate the correct displaying of texts, fonts and icons. It is possible that the following data may be transferred to Fonticons, Inc.:

• IP address
• Operating system
• Browser name + language settings
• Name of browser used
• Website, from which the request was triggered
• Operating system
• Screen resolution

By integrating the font Awesome, we pursue the objective of being able to display uniform fonts on your device.

The legal basis for the above-described processing of personal data is Art. 6 Para. 1 (f) of GDPR. Our legitimate interest which is required for this is in the great benefit provided by a uniform presentation of fonts. As a result of the option of a uniform presentation, we are able to keep the design expenditure lower than if we had to react to the font standards of different operating systems or browser with our own graphically adapted websites.

The privacy policy of Fonticons, Inc. can be found at https://fontawesome.com/privacy and for more information at https://fontawesome.com/help. If your browser does not support the font Awesome, your device will use the default font.

Note on Transferring Data to the US: The service provider has its headquarters in the US. The European Court of Justice (ECJ) has declared in its ruling on July 16, 2020 that the so-called EU-US Privacy Shield agreement is not valid (C-311/18).
We would like to point out that the United States are not a safe third country within the meaning of the EU’s data protection law. US companies are obligated to disclose personal information to security agencies without the concerned data subject being able to take legal action against this. It can thus not be ruled out that the US authorities (e.g. Secret services) may process, evaluate and permanently store your data on US servers for monitoring purposes. We do not have any influence on such processing activities.

We use various services from Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland, on our website. More information about the individual services of Google can be found below in this privacy policy.

By integrating Google services, Google may collect and process information (including personal data). It cannot be excluded that Google sends the information to a server in a third country.

We cannot influence the data that Google actually collects and processes. Google does state, however, that the following information (including personal data) may in principle be processed as well:

• Protocol data (in particular IP address)
• Location-related information
• Unique application numbers
• Cookies and similar technologies

If you are logged into your Google account, Google may add the processed information to your account depending on your account settings and treat it as personal data. More information in this regard can be found at https://www.google.de/policies/privacy/ partner.

Google moreover states in this regard:

“We may link personal data from one service with information and personal data from other Google services. By doing so, we make it easier for you to share, e.g., contents with friends and acquaintances. Depending on your account settings, your activity on other sites and apps may be associated with your personal information in order to improve Google’s services and the ads delivered by Google.” (https://www.google.com/intl/de/policies/privacy/index.html)

You can prevent such data from being directly added by logging out of your Google account or by making the appropriate account settings in your Google account.

You can also change your cookie settings (e.g. delete, block, etc.).

You can find more information in Google’s privacy policies: https://www.google.com/policies/privacy/.

You can find information about Google’s privacy settings athttps://privacy.google.com/take-control.html.

The provision of personal data is neither required nor by law nor by contract and is also not required for forming an agreement. You are also not obligated to provide personal data. Failing to provide personal data may, however, mean that you might not be able to use all or some functions of our website.

Note on transferring data to the US: The service provider has its headquarters in the US. The European Court of Justice (ECJ) has declared in its ruling on July 16, 2020 that the so-called EU-US Privacy Shield agreement is not valid (C-311/18).
We would like to point out that the United States are not a safe third country within the meaning of the EU’s data protection law. US companies are obligated to disclose personal information to security agencies without the concerned data subject being able to take legal action against this. It can thus not be ruled out that the US authorities (e.g. Secret services) may process, evaluate and permanently store your data on US servers for monitoring purposes. We do not have any influence on such processing activities.

We have integrated Google Ads and conversion tracking as part of Google Ads on this website. Google Ads is an internet ad service that allows advertisers to place ads both in the results of the Google search engine and in Google advertising network. Google Ads allows advertisers to define certain keywords in advance, by means of which an advertisement is displayed exclusively in Google’s search engine results when the user uses the search engine to search for a keyword-relevant search result. In Google’s advertising network, the ads are placed on topic-relevant websites using an automatic algorithm while taking the previously defined keywords into account.

Google Ads is operated by Google Ireland Limited, Gordon House, Barrow Street, Dublin, D04 E5W5, Ireland.

The purpose of Google Ads is to promote our website by displaying interest-based advertisements on the websites of third-party companies and in the results of Google’s search engine and by displaying a third-party advertisement on our website.

The legal basis for processing your data is the consent that you have given in accordance with Art. 6 Para. 1 (1) a) of GDPR.

Withdrawal of your consent

We only use Google Ads subject to your consent. You have the right to revoke your consent by

• preventing the storage of cookies by implementing the corresponding settings in your browser; please note however that you will not be able to utilize all the functions of our website to the full extent;
• deactivating your consent by using our consent tool;
• accessing the link www.google.de/settings/ads in any web browser that you use and by configuring the required settings there.

If you access our website via a Google ad, Google will place a so-called conversion cookie on your device or system. A conversion cookie loses its validity after thirty (30) days and is not used to identify you. If the conversion cookie has not yet expired, it is used to determine whether certain sub-pages, such as the shopping cart from an online shop system, have been accessed on our website. With the conversion cookie, both Google and we are able to see whether a data subject who came to our website via an advertisement has generated sales, i.e. completed or cancelled the purchase of a product.

The data and information collected due to the use of the conversion cookie are used by Google to generate visitor statistics for our website. These visitor statistics in turn are used by us to determine the total number of users who were referred to us via ads, i.e. in order to determine the success or lack of success of the respective ads and to optimize our ads for the future. Neither our company nor other Google Ads advertisers receive information from Google that could be used to identify you.

The conversion cookie is used to store personal information, e.g., the websites that you visit. Every time that you visit our website, personal data, including the IP address of the internet connection you use, are transmitted to Google.

Note on Transferring Data to the US: The service provider has its headquarters in the US. The European Court of Justice (ECJ) has declared in its ruling on July 16, 2020 that the so-called EU-US Privacy Shield agreement is not valid (C-311/18).
We would like to point out that the United States are not a safe third country within the meaning of the EU’s data protection law. US companies are obligated to disclose personal information to security agencies without the concerned data subject being able to take legal action against this. It can thus not be ruled out that the US authorities (e.g. Secret services) may process, evaluate and permanently store your data on US servers for monitoring purposes. We do not have any influence on such processing activities.

We have integrated Google Maps on our website. This allows us to show you interactive maps directly on the website and make the use of the map function as convenient as possible. By using this service, you will be able to see our location and directions provided to make a possible trip easy.

Google Maps is operated by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.

By visiting the website, Google receives information about the fact that you have accessed the corresponding sub-page of our website. This happens regardless of whether you have a Google user account that are logged into it or do not have a user account. If you are logged into Google, your data are directly assigned to your account.

You can find more information about Google’s data processing in its privacy policy: https://policies.google.com/privacy. There you can also change your personal privacy settings in the data protection center. Google’s terms of service can be found at http://www.google.de/intl/de/policies/terms/regional.html. Additional terms and conditions of use for Google Maps can be found at https://www.google.com/intl/de_de/help/terms_maps/.

The legal basis for processing your data is the consent that you have given in accordance with Art. 6 Para. 1 (1) a) of GDPR.

Withdrawal of your consent

We only use Google Maps subject to your consent. You have the right to revoke your consent by

• preventing the storage of cookies by implementing the corresponding settings in your browser; please note however that you will not be able to utilize all the functions of our website to the full extent;
• deactivating your consent by using our consent tool;
• deactivating JavaScript in your browser settings. In such case, you cannot use our website or only to a limited extent.

If you would prefer the use not to be associated with your Google profile, you need to log out of Google prior to actuating the button. Google stores the data collected about you as usage profiles and utilizes such data for advertising purposes, market research and/or to tailor its website to address requirements. Such an evaluation is carried out in particular (even for users not signed in) to provide requests-oriented advertising and to inform other users of the social network about your activities on our website. You are entitled to object to the creation of such user profiles, whereas you have to contact Google in order to assert your objection.

We do not collect any personal data by integrating Google Maps.

Your personal data are provided voluntary, solely based on your consent. Should you opt to prevent access, this may result in limited functionality on the website.

Note on transferring data to the US: The service provider has its headquarters in the US. The European Court of Justice (ECJ) has declared in its ruling on July 16, 2020 that the so-called EU-US Privacy Shield agreement is not valid (C-311/18).
We would like to point out that the United States are not a safe third country within the meaning of the EU’s data protection law. US companies are obligated to disclose personal information to security agencies without the concerned data subject being able to take legal action against this. It can thus not be ruled out that the US authorities (e.g. Secret services) may process, evaluate and permanently store your data on US servers for monitoring purposes. We do not have any influence on such processing activities.

This website uses Google reCAPTCHA, a Captcha service of Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland.

Google reCAPTCHA is used to ensure that entries made on our website are actually made by real people and are not automated, e.g. by software (so-called robots).

For this purpose, reCAPTCHA (No CAPTCHA reCAPTCHA) shows you a clickable “I am not a robot” checkbox. reCAPTCHA uses various characteristics to analyze the user’s behavior as soon as he or she visits the website. If applicable, you may also see various images shown after clicking the checkbox, where you are asked to select by clicking the applicable images that match a given motif (e.g. select all images with cars).

reCAPTCHA is integrated via an interface (“API:) to the Google services. By integrating reCAPTCHA, Google may collect and process information (including personal data). It cannot be excluded that Google sends the information to a server in a third country.

reCAPTCHA may use cookies that are stored on your device and which enable an analysis of the use of websites that you visit. In addition, reCAPTCHA also uses web beacons, i.e. a small pixel or graphics. The information possibly generated by the cookie in conjunction with the web beacon with regard to your use of this website (including your IP address) is transmitted to a Google server, possibly in the US or other third countries, and stored there.

You will find more information about the functionality of reCAPTCHA at: https://developers.google.com/recaptcha/.

By integrating reCAPTCHA, we pursue the objective of determining whether entries made on our website are actually provided by a real person or by a bot. The automated check of whether a real person or a bot makes the entries, speeds up and simplifies our workload and increases the degree of reliability of the provided entries. It also prevents any abuse.

The legal basis for processing your data is the consent that you have given in accordance with Art. 6 Para. 1 (1) a) of GDPR.

Withdrawal of your consent

We only use Google reCAPTCHA subject to your consent. You have the right to revoke your consent by

• preventing the storage of cookies by implementing the corresponding settings in your browser; please note however that you will not be able to utilize all the functions of our website to the full extent;
• deactivating your consent by using our consent tool.

Note on transferring data to the US: The service provider has its headquarters in the US. The European Court of Justice (ECJ) has declared in its ruling on July 16, 2020 that the so-called EU-US Privacy Shield agreement is not valid (C-311/18).
We would like to point out that the United States are not a safe third country within the meaning of the EU’s data protection law. US companies are obligated to disclose personal information to security agencies without the concerned data subject being able to take legal action against this. It can thus not be ruled out that the US authorities (e.g. Secret services) may process, evaluate and permanently store your data on US servers for monitoring purposes. We do not have any influence on such processing activities.

We have integrated Instagram service components on this website. Instagram is a service that can be qualified as an audiovisual platform and allows users to share photos and videos and further share such data on other social media networks.

Instagram is operated by Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland.

Every time one of the individual pages of the website that is operated by us and on which an Instagram component (Insta button) has been integrated is accessed, the web browser on your system is automatically triggered by the respective Instagram component to download a presentation of the corresponding Instagram component. As part of this technical process, Instagram is informed about which specific sub-page you visit on our website.

If you are logged into Instagram at the same time, Instagram recognizes the specific sub-page you have visited every time you access our website and during the entire duration of your visit to our website. Such information is collected by the Instagram component and associated by Instagram with your Instagram account. If you actuate one of the Instagram buttons integrated on our website, the resulting data and information are associated with your personal Instagram account and stored and processed by Instagram.

Instagram always receives information via the Instagram component that you have visited our website if you are also logged into Instagram at the time you access our website; i.e. this happens regardless of whether you click on the Instagram component or not. If you do not want this information to be sent Instagram, you can prevent this from happening by logging out of your Instagram account before accessing our website.

Further information and Instagram’s valid privacy policy can be found at https://help.instagram.com/155833707900388 and https://www.instagram.com/about/legal/privacy/.

Note on Transferring Data to the US: The service provider has its headquarters in the US. The European Court of Justice (ECJ) has declared in its ruling on July 16, 2020 that the so-called EU-US Privacy Shield agreement is not valid (C-311/18).
We would like to point out that the United States are not a safe third country within the meaning of the EU’s data protection law. US companies are obligated to disclose personal information to security agencies without the concerned data subject being able to take legal action against this. It can thus not be ruled out that the US authorities (e.g. Secret services) may process, evaluate and permanently store your data on US servers for monitoring purposes. We do not have any influence on such processing activities.

We have integrated components of the LinkedIn Corporation on this website. LinkedIn is an internet-based social network that enables users to connect with existing business contacts and develop new business contacts. LinkedIn has over 400 million registered users in more than 200 countries. That makes LinkedIn the largest platform currently for business contacts and one of the most visited websites in the world.

LinkedIn is operated by the LinkedIn Corporation, 2029 Stierlin Court Mountain View, CA 94043, USA. LinkedIn Ireland, Privacy Policy Issues, Wilton Plaza, Wilton Place, Dublin 2, Ireland, is responsible for data protection matters outside of the US.

Every time you visit our website, which is equipped with a LinkedIn component (LinkedIn plug-in), this component causes your browser to download a corresponding representation of the LinkedIn component. You can find more information about LinkedIn plug-ins at https://developer.linkedin.com/plugins. As part of this technical process, LinkedIn is informed about which specific sub-page you visit on our website.

If you are logged into LinkedIn at the same time, LinkedIn recognizes the specific sub-page you have visited every time you access our website and during the entire duration of your visit to our website. Such information is collected by the LinkedIn component and associated by LinkedIn with your LinkedIn account. If you press a LinkedIn button integrated on our website, LinkedIn will assign this information to your personal LinkedIn user account and save such personal data.

LinkedIn always receives information via the LinkedIn component that you have visited our website if you are also logged into LinkedIn at the time you access our website; i.e. this happens regardless of whether you click on the LinkedIn component or not. If you do not want this information to be sent LinkedIn, you can prevent this from happening by logging out of your LinkedIn account before accessing our website.

LinkedIn offers at https://www.linkedin.com/psettings/guest-controls the option of unsubscribing from emails, SMS messages and targeted advertisements as well as managing advertisement settings. LinkedIn moreover uses partners like Quantcast, Google Analytics, BlueKai, DoubleClick, Nielsen, Comscore, Eloqua and Lotame, which are able to set cookies. Such cookies can be objected to at https://www.linkedin.com/legal/cookie-policy. LinkedIn’s applicable privacy policy can be found at https://www.linkedin.com/legal/privacy-policy. LinkedIn’s cookie policy can be found at https://www.linkedin.com/legal/cookie-policy.

Note on Transferring Data to the US: The service provider has its headquarters in the US. The European Court of Justice (ECJ) has declared in its ruling on July 16, 2020 that the so-called EU-US Privacy Shield agreement is not valid (C-311/18).
We would like to point out that the United States are not a safe third country within the meaning of the EU’s data protection law. US companies are obligated to disclose personal information to security agencies without the concerned data subject being able to take legal action against this. It can thus not be ruled out that the US authorities (e.g. Secret services) may process, evaluate and permanently store your data on US servers for monitoring purposes. We do not have any influence on such processing activities.

We have integrated YouTube components on this website. YouTube is an online video portal that allows video publishers to post video clips free of charge and other users to view, evaluate and comment on such free of charge. YouTube permits the publication of all types of videos, which is why it is possible to access entire films and TV programs as well as music videos, trailers or videos made by users themselves via the online portal.

YouTube is operated by Google Ireland Limited, Gordon House, Barrow Street, Dublin, D04 E5W5, Ireland.

Every time one of the individual pages of the website that is operated by us and on which a YouTube component (YouTube video) has been integrated is accessed, the web browser on your system is automatically triggered by the respective YouTube component to download from YouTube a presentation of the corresponding YouTube component.

You can find more information about YouTube at https://www.youtube.com/yt/about/de/. As part of this technical process, YouTube and Google is informed about which specific sub-page you visit on our website.

If you are logged into YouTube at the same time, this information will be collected by YouTube and Google and assigned to your YouTube account.

YouTube and Google always receive information via the YouTube component that you have visited our website if you are also logged into YouTube at the time you access our website; i.e. this happens regardless of whether you click on a YouTube component or not. If you do not want this information to be sent YouTube and Google, you can prevent this from happening by logging out of your YouTube account before accessing our website.

The privacy policy published by YouTube at https://www.google.de/intl/de/policies/privacy/ provides detailed information about the collection, processing and use of personal information by YouTube and Google.

Note on Transferring Data to the US: The service provider has its headquarters in the US. The European Court of Justice (ECJ) has declared in its ruling on July 16, 2020 that the so-called EU-US Privacy Shield agreement is not valid (C-311/18).
We would like to point out that the United States are not a safe third country within the meaning of the EU’s data protection law. US companies are obligated to disclose personal information to security agencies without the concerned data subject being able to take legal action against this. It can thus not be ruled out that the US authorities (e.g. Secret services) may process, evaluate and permanently store your data on US servers for monitoring purposes. We do not have any influence on such processing activities.

For communication purposes, we also use messenger services that the website visitor can call up directly there. We therefore ask you to observe the following information on the functionality of the messenger, on encryption, on the use of the communication metadata and on your options for objection.

You can also contact us in alternative ways, e.g. by phone or email. Please use the alternative contact options communicated to you or given within our online offer if you do not agree to the conditions for using the messenger services.

In the case of end-to-end encryption of content (i.e. the content of your message and attachments), we point out that the communication content is encrypted from end to end. This means that the content of the messages cannot be viewed, not even by the messenger providers themselves. You should always use the latest version of the messenger with activated encryption to ensure that the message content is encrypted.

However, we also point out to our communication partners that the messenger providers cannot see the content, but can find out that and when communication partners are communicating with us as well as technical information about the device used by the communication partner and, depending on the settings of their device, location information (so-called metadata).

If we ask communication partners for permission before communicating with them via messenger, the legal basis for our processing of their data is their consent. If we do not ask for consent and you contact us, for example, we use Messenger in relation to our contractual partners as well as in the context of contract initiation as a contractual measure and in the case of other interested parties and communication partners on the basis of our legitimate interests in a fast and efficient communication and meeting the needs of our communication partner for communication via messengers. Furthermore, we would like to point out that we do not transmit the contact details communicated to us to the messenger for the first time without consent.

In the case of communication via Messenger, we delete the messages in accordance with our general deletion guidelines (i.e. for example after the end of contractual relationships, in the context of archiving requirements, etc.) and otherwise as soon as we can assume that we have answered any information from the communication partner if no reference is made to a previous conversation is to be expected and the deletion does not conflict with any statutory retention requirements.

Revocation of your consent: If we use the messenger service with your consent, you can revoke your consent at any time by deactivating your consent via our consent tool.

Finally, we would like to point out that, for reasons of your security, we reserve the right not to answer inquiries via Messenger. This is the case if, for example, internal contract information requires special confidentiality or a response via the messenger does not meet the formal requirements. In such cases, we refer you to more appropriate communication channels.

• Processed data types: contact data (e.g. e-mail, telephone numbers), usage data (e.g. websites visited, interest in content, access times), meta / communication data (e.g. device information, IP addresses), content data (e.g. text entries, photographs, videos ).
• Affected persons: communication partner.
• Purposes of processing: contact inquiries and communication, direct marketing (e.g. by email or post).
• Legal bases: Consent (Art. 6 Para. 1 S. 1 lit. a GDPR), (pre-) contractual obligations (Art. 6 Para. 1 S. 1 lit. b. GDPR), legitimate interests (Art. 6 Para . 1 S. 1 lit.f. GDPR).

Used services and service providers:

• WeChat:
  WeChat Messenger with end-to-end encryption;
  Service provider: Tencent International Service Europe B.V., 26.04, Amstelplein 54, 1096 BC Amsterdam, The Netherlands;
  Website:https://www.endung.com/de;
  Data protection declaration:https://www.endung.com/de/privacy_policy.html.

As part of contractual and other legal relationships, due to legal obligations or otherwise based on our legitimate interests, we offer data subjects efficient and secure payment options and use other payment service providers in this regard in addition to banks and credit institutions (collectively referred to as “payment service providers”).

The data processed by the payment service providers include inventory data, such as name and address, bank information like account numbers or credit card numbers, passwords, TANs and checksums as well as contract-, sum- and recipient-based information. The information is necessary for carrying out the transactions. The data entered, however, will only be processed and stored by the payment service providers, i.e. we do not receive any account or credit-card-related information, but only information with confirmation or negative information about the payment. Under certain circumstances, data will be transmitted by the payment service providers to credit reporting agencies. The purpose of this transmission is to verify one’s identity and creditworthiness. In this context, we make reference to the general terms and conditions and the privacy policies of the payment service providers.

Payment transactions are subject to the terms and conditions and the privacy policies of the respective payment service providers, which can be accessed on the respective websites or transaction applications. We also make reference to these for the purpose of further information and the assertion of rights to revoke or inform and other data subject rights.

• Types of Data Processed: Inventory data (e.g. names, addresses), payment information (e.g. Bank details, invoices, payment history), contractual data (e.g. contractual subject, term, customer category), usage data (e.g. visited websites, interest in contents, access times), meta/communication data (e.g. device information, IP addresses), contact information (e.g. email, phone numbers), content data (e.g. text entries, photographs, videos).
• Data subjects: Customers, interested parties, users (e.g. website visitors, users of online services).
• Purposes of processing: Contractual services, tracking (e.g. Interest-/behavior-based profiling, use of cookies), feedback (e.g. collecting feedback via online form), contact inquiries and communication, affiliate tracking.
• Legal basis: Fulfillment of contracts and pre-contractual inquiries (Art. 6 Para. 1 (1)  b) of GDPR), legitimate interests (Art. 6 Para. 1 (1) f) of GDPR), consent (Art. 6 Para. 1 (1) a) of GDPR).

Services Used and Service Providers:

• PayPal: Payment services and solutions (e.g. PayPal, PayPal Plus, Braintree); Service provider: PayPal (Europe) S.à.r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg;
  Website: https://www.paypal.com/de;
  Privacy policy: https://www.paypal.com/de/webapps/mpp/ua/privacy-full.

Note on Transferring Data to the US: The service provider has its headquarters in the US. The European Court of Justice (ECJ) has declared in its ruling on July 16, 2020 that the so-called EU-US Privacy Shield agreement is not valid (C-311/18).
We would like to point out that the United States are not a safe third country within the meaning of the EU’s data protection law. US companies are obligated to disclose personal information to security agencies without the concerned data subject being able to take legal action against this. It can thus not be ruled out that the US authorities (e.g. Secret services) may process, evaluate and permanently store your data on US servers for monitoring purposes. We do not have any influence on such processing activities.

Below you will find the legal basis of the General Data Protection Regulation (GDPR), on the basis of which we process the personal data. Note that national data protection requirements in your or our country of residence or domicile may be applicable in addition to the provision of the GDPR.

Besides the privacy regulations of the General Data Protection Regulations, Germany’s national regulations on data protection apply. This includes in particular the personal data protection act during data processing (Germany’s Federal Data Protection Act (BDSG)). The BDSG contains in particular special regulations on the right to information, right to deletion, right to object to processing of special categories of personal data, processing for other purposes and transmission as well as automated decision-making process in individual cases including profiling. It also regulates data processing for the purposes of employment (Sect. 26 of BDSG), especially with regard to establishing, fulfilling or terminating employment relationships and the consent of employees. In addition, state data protection regulations of the individual federal states may apply as well.

Art. 6 Para. 1 (a) of GDPR forms the legal basis for our company and processing operations, during which we obtain consent for a specific processing purpose.

If the processing of personal data is necessary for fulfilling a contract, to which the data subject is a party, as is the case, e.g., with processing operations that are necessary for delivering goods or performing any other service or service in return, the processing is based on Art. 6 Para. 1 (b) of GDPR. The same applies to such processing operations that are necessary for carrying out pre-contractual measures, e.g., in case of inquiries relating to our products or services.

If our company is subject to a legal obligation, which requires the processing of personal data, such as to fulfill tax obligations, processing is based on Art. 6 Para. 1 (c) of GDPR.

Ultimately, processing operations could be based on Art. 6 Para. 1 (f) of GDPR. Processing operations that are not covered by any of the aforementioned legal principles are based on this legal basis if the processing is necessary for safeguarding the legitimate interest of our company or a third party, provided that the interests do not outweigh the fundamental rights and freedoms of the data subject. Such processing operations are permitted to us in particular because the European legislator has mentioned them specifically. In this context, it is of the opinion that a legitimate interest may be assumed if the data subject is a customer of the controller (Recital 47 (2) to GDPR).

If the processing of personal data is based on Art. 6 I (f) of GDPR, our legitimate interest is to ensure the efficient performance of our business operations for the well-being of our employees and shareholders.

We process and store your personal data only for the period that is necessary to fulfill the purpose of storage or if this has been provided for in laws or regulations. After the purpose has been fulfilled or no longer exists, your personal data will be deleted or blocked. In the case of blocking, the deletion takes place as soon as there are no retention periods defined by law, articles of incorporation or contracts to the contrary and there is no reason to assume that a deletion adversely affects your legitimate interests, and a deletion does not result in disproportionate expenditure due to the special type of storage.

Otherwise, the specific criteria for the retention period are listed in the individual section of this privacy policy.

You have the opportunity to check, change or delete the personal data provided to us at any time by sending an email to us at datenschutz[a]doppstadt.de. In this manner, you can also exclude the receipt of any further information for the future.

You also have the right to withdraw your consent at any time with effect for the future.

The data processed by us will be deleted in accordance with the legal requirements, as soon as the consents given for processing have been revoked or other permissions no longer exist (e.g. if the purpose for processing such data does not exist or they are no longer required for the purpose).

If the data are not deleted, because they are required for other legally permissible purposes, their processing is limited to these purposes, i.e. the data are blocked and shall not be processed for other purposes. For instance, this applies to data that must be kept for commercial or tax law reasons or storage of which is necessary for asserting, exercising or defending against legal claims or for protecting the rights of another natural or legal person.

We will inform you that the provision of personal data are in part required by law (e.g. tax regulations) or may also result from contractual regulations (e.g. Information about the contractual partner). Sometimes, it may be necessary for forming a contract that a data subject provides us with personal data that must be processed subsequently by us. For instance, the data subject is obligated to provide us with personal data if our company forms a contract with that data subject. Failure to provide personal data could mean that a contract may not be formed with the data subject.

Before the data subject provides personal data, the data subject must contact one of our employees. Our employee will explain to the data subject on a case-by-case basis whether the provision of personal data is required by law or the contract or is necessary for forming a contract, whether there is an obligation to provide personal data, and what the consequence would be for failing to provide personal data.

As a responsible company, we waive the use of automated decision-making.