Data Protection and Privacy Statement

Basic information

Data subjects

This data protection and privacy statement is aimed at all persons who visit this website.

Controller

The controller for the processing described herein is:

Lufthansa Innovation Hub GmbH

Brunnenstrasse 19-21

10119 Berlin, Germany

represented by its managing director Xavier Lagardère.

[email protected]

The Group Data Protection Officer – FRA CJ/D can be reached as follows: 

[email protected]

Deutsche Lufthansa AG

Airportring – LAC

60546 Frankfurt, Germany

Rights

(1) Data subjects have the following rights with regard to the data stored concerning them personally: the right of access to information, the right to rectification of inaccurate data, the right to erasure of data for which there is no longer any reason for storage, and the rights to restriction of processing and to data portability. Moreover, they have the right to lodge a complaint with the supervisory authority with jurisdiction over the controller.

(2) Where the processing is based on consent granted by the data subjects, the data subjects are permitted to withdraw that consent at any time, with effect for the future. This can be done, for example, by sending a message via any of the contact channels mentioned above (controller), with no particular form required.

(3) Where the processing is based on fulfillment of a legitimate interest, meaning on point (f) of Article 6(1) of the EU General Data Protection Regulation (GDPR), the data subjects are permitted to object to the processing at any time. This can be done, for example, by sending a message via any of the contact channels mentioned above (controller), with no particular form required. If the objection is justified, the processing will be discontinued. Where the legitimate interest lies in direct marketing, an objection is always deemed to be justified.

Transfers of data to countries outside the European Union

(1) Where personal data are transferred to bodies outside the European Union, the controller is obligated to communicate additional safeguards pursuant to Articles 44 et seqq. GDPR.

(2) Where the controller invokes what is known as an adequacy decision in the data protection and privacy statement that follows, this means the recipient is located in a country, territory, or specified sector that the European Commission has decided offers an adequate level of data protection. In these cases, the guarantee follows from Article 45 GDPR.

(3) Where the controller invokes what are known as the EU standard contractual clauses in the data protection and privacy statement that follows, this means that the recipient has undertaken a contractual commitment to observe the EU data protection principles on the basis of what are known as the EU standard contractual clauses. In these cases, the guarantee follows from Article 45 GDPR.

(4) Where the controller invokes what are known as binding corporate rules in the data protection and privacy statement that follows, this means the competent supervisory authority has approved the transfer. In these cases, the guarantee follows from Article 47 GDPR.

(5) Where, in the data protection and privacy statement that follows, the controller invokes the fact that the data subjects have expressly consented to the transfer of their data to a country outside the European Union, this means that they are aware of all of the associated risks and consent to the transfer nevertheless. In these cases, the guarantee follows from point (a) of Article 49 (1) GDPR. In this context, please note the following risks: There are no codified provisions of law on data protection and privacy that are comparable to the GDPR in the United States, the Republic of India, or the Russian Federation. The authorities there have given themselves extensive access to data, and the principle of proportionality stipulated in the EU does not apply. Moreover, these countries do not provide any effective legal protections for EU citizens.

(6) The foregoing information is provided by way of precaution only. It applies only if and insofar as the data protection and privacy statement that follows makes reference thereto.

Further remarks

(1) No automated decision making, including profiling, takes place.

(2) There is no legal obligation of processing except where point (c) of Article 6(1) GDPR is referenced below.

Processing operations in conjunction with contracts

Purpose and legal basis

Unless otherwise indicated in this section (“Processing operations in conjunction with contracts”), the purpose of all processing operations described in this section is to establish, perform, and/or terminate contracts. The legal basis is as follows in the following cases:

a. for contracts that are not employment contracts, point (b) of Article 6(1) GDPR.

b. for employment contracts, Article 88 GDPR in conjunction with Sec. 26 (1) of the 2018 version of the German Federal Data Protection Act (BDSG 2018).

Duration of storage

(1) Personal data whose processing is described in this section are processed for as long as they are needed in order to establish, perform, and/or terminate contracts. A longer period of storage that is independent of achieving the purpose described in the first sentence above may arise from paragraphs (2) through (5).

(2) The personal data are stored for three years, with this period commencing on December 31 of the calendar year in which the data have been collected. Notwithstanding the information above (processing operations in conjunction with contracts / purpose and legal basis), this processing serves the controller’s legitimate interest in defending itself against claims arising out of the contractual relationship within the regular limitation period. Therefore, the legal basis is point (f) of Article 6(1) GDPR by way of exception.

(3) Notwithstanding the information above (processing operations in conjunction with contracts / purpose and legal basis), personal data arising from commercial or business letters that are received and from other documents that are relevant for taxation purposes are stored for six years, with the retention period typically commencing as of the end of the calendar year in which the relevant document has been created. This processing serves to fulfill obligations arising from tax and commercial law pursuant to Sec. 147 of the German Fiscal Code (AO) and Sec. 257 of the German Commercial Code (HGB). Therefore, the legal basis is point (c) of Article 6(1) GDPR by way of exception.

(4) Notwithstanding the information above (processing operations in conjunction with contracts / purpose and legal basis), personal data arising from books and records, inventory, annual financial statements, individual financial statements, consolidated financial statements, management reports and consolidated management reports, opening balance sheets, posting documents, customs-related documents, commercial books, and standard operating procedures and other organizational documents required in order to understand them are stored for ten years, with the retention period typically commencing as of the end of the calendar year in which the relevant document has been created. This processing serves to fulfill obligations arising from tax and commercial law pursuant to Sec. 147 AO and Sec. 257 HGB. Therefore, the legal basis is point (c) of Article 6(1) GDPR by way of exception.

(5) Notwithstanding the information above (processing operations in conjunction with contracts / purpose and legal basis), personal data arising from an application that does not lead to an employment relationship are stored for six months after the rejection notice is received by the data subject. This storage serves the controller’s legitimate interest in defending itself against accusations of violating the German General Act on Equal Treatment (AGG), with this interest typically ceasing to apply upon the expiration of a period of six months because assertion of any such claims within the period stipulated by Sec. 15 (4) AGG is typically no longer to be expected at that point. Therefore, the legal basis is point (f) of Article 6(1) GDPR by way of exception.

Scheduling of appointments

In brief: Data subjects can schedule appointments with this controller on this website, with the controller receiving, storing, and using all of the data required in order to make the appointment.

Processing in detail: If the data subjects wish to make an appointment for an interview with this controller, they can view available appointment dates and times and simply select one via an appointment scheduling portal that is integrated into this website. This controller will then receive a notification from the appointment scheduling portal.

Data that are processed: All data collected during scheduling of an appointment (typically name, email address, appointment date and time).

Third-party provider: The appointment scheduling tool Calendly from provider Calendly LLC BB&T (USA) is used. This entity has been engaged in accordance with Article 28 GDPR. For further details on the nature and manner of processing by this third-party provider, please consult the following links: https://calendly.com/de/pages/privacy and https://calendly.com/de/pages/security. The fact that the provider is based outside the EU, in this case in the United States, and processes data, also does not conflict with the data processing operations. This is because no transfer of data controlled by the controller within the meaning of Article 44 GDPR takes place. The controller has not incorporated the appointment scheduling page into its own Internet page (for instance via iframe), but instead has incorporated a call to action button via which the data subject independently accesses the Calendly website. For this reason, it is not the controller that transfers the data subject’s data to the United States, but rather the data subject him- or herself. Even if this were viewed differently, the provider has, at the least, undertaken an obligation in accordance with the EU standard contractual clauses (Article 46 GDPR).

Recruiting

In brief: Data subjects can apply for employment with the controller on this website. The controller collects and further processes the data necessary for this.

Processing in detail: Data subjects can apply for employment on this website via a recruiting section and/or another contact channel. The controller receives these data and processes them in order to carry out pre-screening and, where applicable, prepare for a job interview and/or trial day of work or to communicate for further purposes relevant to the application. In the process, the controller may

(1) access an internal area and view applicant data (including application documents and the date when the application was received). 

After that, it is possible that the controller may 

(2) prepare notes associated with the application data,

(3) carry out internal corporate communication concerning the person’s application (where applicable, with the specific departments concerned),

(4) document the decision regarding the further handling of the application,

(5) carry out and document the invitation to one or more job interviews,

(6) carry out and document the invitation to one or more trial days of work,

(7) transmit the employment contract document,

(8) transmit and document the rejection notice,

(9) carry out onboarding measures, and/or

(10) store the data subjects’ data in an applicant pool, assuming they have consented.

Data that are processed: All data arising from the application and the other content of communications between the data subjects and this controller.

Third-party provider: The recruiting tool Personio Recruiting from Personio GmbH (Germany, EU) is used. This entity has been engaged in accordance with Article 28 GDPR. For further details on the nature and manner of processing by this third-party provider, please consult the following link: https://www.personio.de (“Product” tab).

Automated communication and interaction

In brief: The controller uses the data subjects’ communication and interaction data for automated communication and interaction with the data subjects.

Processing in detail:

Within the scope of the establishment, performance, and/or termination of contracts, the controller has automated parts of its communication with you. In the process, the controller processes all communication data of the data subjects that trigger automatic responses by this controller, such as the shipping or delivery of a product or service. In this regard, it controls

(1) the collection of your personal data during measures to prepare for the relevant contract,

(2) the communication required in order to establish, perform, and/or terminate the contract (particularly via email) with the data subjects, and

(3) the shipping or delivery of the products and/or services.

Data that are processed: (1) All contact and order data entered by you; (2) where applicable, payment data; (3) data regarding the shipping or delivery; and (4) data concerning the assertion of rights of data subjects and the response of this controller.

Third-party provider: The automation tool MailChimp from Rocket Science Group LLC (USA) is used. For further details on the nature and manner of processing by this third-party provider, please consult the following links: https://mailchimp.com/marketing-platform/ and https://mailchimp.com/features/email/. The fact that the provider is based outside the European Union does not conflict with the processing. This is because the provider has undertaken an obligation in accordance with the EU standard contractual clauses (Article 46 GDPR).

Third-party provider: In connection with automation, the interface tool Zapier from Zapier, Inc. (USA), is used. This entity has been engaged in accordance with Article 28 GDPR. For further details on the nature and manner of processing by this third-party provider, please consult the following links: https://zapier.com/how-it-works. In brief, the controller located in this country can use Zapier to link applications so that the data of customers and prospective customers can be exchanged automatically between or among the different applications. The fact that the provider is based outside the European Union does not conflict with the processing. This is because the provider has undertaken an obligation in accordance with the EU standard contractual clauses. 

Processing operations with the consent of data subjects

Purpose and legal basis

Unless this section (“Processing operations with the consent of data subjects”) indicates otherwise, the processing operations are based solely on the consent of the data subjects. The relevant purpose is mentioned in the individual description of the processing. The legal basis is as follows in the following cases:

a. for data subjects that are not employees of the controllers, point (a) of Article 6(1) GDPR.

b. for employees of the controllers, Article 88 GDPR in conjunction with Sec. 26 (2) BDSG.

Duration of storage

(1) Personal data whose processing is described in this section are processed until the relevant consent has been withdrawn.

(2) Notwithstanding paragraph (1) above, the controller retains the data showing that consent has been granted for three years, with this period commencing on December 31 of the calendar year in which the consent is withdrawn. Notwithstanding the information above (processing operations with the consent of data subjects / purpose and legal basis), this processing serves to fulfill the legal obligation to be able to prove that consent has been granted. The legal basis is point (c) of Article 6(1) GDPR in conjunction with Article 7(1) GDPR by way of exception in these cases. This obligation ceases to apply three years after the consent is withdrawn, and in any event no later than the expiration of the limitation period.

Nature of consent (cookie consent tool)

Certain declarations of consent, particularly those that the controller obtains for the use of marketing and/or analysis cookies and the associated data processing, are obtained via what is known as a cookie consent tool. All data (IP address, consent status) are stored in this process. Notwithstanding the information above (processing operations with the consent of data subjects / purpose and legal basis), this processing serves to fulfill the legal obligation to be able to prove that consent has been granted. The legal basis is point (c) of Article 6(1) GDPR in conjunction with Article 7(1) GDPR by way of exception in these cases. This obligation ceases to apply three years after the consent is withdrawn, and in any event no later than the expiration of the limitation period.

Analytical tools

In brief: The controller uses cookies to analyze use behavior on and interaction with this website. After that, the controller analyzes and interprets this information to be able to design this website on an even more targeted basis.

Processing in detail: What are known as cookies are used to analyze user behavior by data subjects on this website. These are text files that are stored on the computer of data subjects and enable analysis of the use of the website. The information on use behavior is used to create reports on activity and interactions. This controller uses these data to be able to improve the use experience on the website on a regular basis. The controller can also use the statistics generated to improve what it offers in order to steer the interest of data subjects on a more targeted basis toward products and services that are suitable for them.

Data that are processed: Cookie-based data regarding the interactions (especially sequence of interactions, duration of stay).

Third-party provider: The analytical tool Google Analytics from Google Ireland Ltd. (Ireland, EU) is used in conjunction with the analysis of use behavior. This entity has been engaged in accordance with Article 28 GDPR. For further details on the nature and manner of processing by this third-party provider, please consult the following link: https://support.google.com/analytics/answer/9306384?hl=de. The following is added on this point: The IP address is truncated (shortened) beforehand by the provider within Member States of the European Union or in other states that are signatories to the Agreement on the European Economic Area. Only in isolated cases is the full IP address transferred to a server of the provider in the United States and truncated there. The IP address transferred by the browser within the scope of the use of this tool is not combined with other data by the provider. The tool is also used for a cross-device analysis of visitor streams that is performed via a user ID. The data subjects can deactivate the cross-device analysis in their customer account under “My data” / “Personal data.” For information purposes, it is pointed out that this tool is used with the extension “_anonymizeIp().” As a result, IP addresses are truncated before they are processed further, which thus rules out the possibility of being associated with a specific person. Where the data collected regarding the data subjects do relate to a specific person, this association is thus ruled out immediately, and the personal data are thus erased right away. It does not conflict with the processing that the data are transferred to the United States, possibly in cooperation with Google LLC (USA). This is because the processing of the personal data takes place only if the data subjects consent to the associated transfer of data to the United States (see point (a) of Article 49(1) GDPR). 
In this regard, the risk information mentioned above (basic information / transfers to countries outside the European Union) is the operative factor.

Third-party provider:

The central control tool Google Tag Manager from Google Ireland Ltd. (Ireland, EU) is used in conjunction with the analysis of use behavior. This entity has been engaged in accordance with Article 28 GDPR. For further details on the nature and manner of processing by this third-party provider, please consult the following links: https://marketingplatform.google.com/intl/de/about/tag-manager/. The following is added on this point: This tool allows the controller to incorporate various codes and services into this website in an organized and simplified way. In the process, this tool implements the tags or triggers the tags incorporated with it. When a tag is triggered, the provider may also process personal data. In the process, it is not impossible that the provider may also transfer the data to a server in a third country. Nonetheless, it does not conflict with the processing that the data are transferred to the United States, possibly in cooperation with Google LLC (USA). This is because the processing of the personal data takes place only if the data subjects consent to the associated transfer of data to the United States (see point (a) of Article 49(1) GDPR). In this regard, the risk information mentioned above (basic information / transfers to countries outside the European Union) is the operative factor. 

Social media and networks (including means of marketing)

In brief: The controller uses social media and social networks, including for marketing and acquisition purposes. This gives the controller detailed information on the visitors to its websites and how data subjects interact with social media and networks. The controller also uses these media and networks on a targeted basis to reach out to and identify potential customers for marketing purposes.

Processing in detail: The controller uses social media and social networks. The controller has no influence over the data collected or the data processing operations, nor is it fully aware of the full scope of the data collection, the purposes of processing, the storage periods, or the circumstances surrounding the erasure of personal data. If and when data subjects visit the controller’s corporate and product pages on social media or ads, it is possible that the providers of the social media and networks may store the data collected regarding them as use profiles and use these profiles for purposes of advertising, market research, and/or demand-driven design of their websites. Data subjects have a right to object to the formation of these user profiles, but must contact the relevant provider to exercise this right. To the extent that this controller is able to influence the nature and scope of the associated processing of personal data, the purpose thereof consists in presenting the controller, analyzing the use behavior of data subjects in relation to the interaction with the corporate and/or product page maintained there, and communicating with the data subjects via this social network (possibly in advertising-related terms).

Status of controller: If and insofar as the controller analyzes user interactions with its corporate page, both the controller and the relevant provider of the social network or medium share the status of controller in this regard for purposes of data protection and privacy law, in accordance with Article 26 GDPR. In all other cases, the relevant provider of the social network or medium is engaged in accordance with Article 28 GDPR.

Data that are processed: Cookie or pixel-based data concerning the interactions with the website and the controller’s corporate and/or product pages, possibly the email address, name, and communication data.

Supplementary information on the legal basis: In addition to the general remarks made concerning the legal basis (processing operations with the consent of data subjects / purpose and legal basis), the following should be noted: If data subjects themselves maintain a profile with the relevant social network or medium, the legal basis is also the consent within the meaning of point (a) of Article 6(1) GDPR that they have granted to the provider of the relevant social network.

Third-party provider:

The social network Facebook from Meta Platforms Ireland Limited (Ireland, EU) is used. However, it is not impossible that data may be transferred to the parent company, Meta Platforms Inc. (USA), or that this company may be involved. To the extent that the controller and the provider of the social network or medium presented here share the status of controller, the agreement can be consulted here: https://www.facebook.com/legal/terms/page_controller_addendum. This text contains full information on the scope and division of tasks. In all other cases, the provider of the social network or medium has been engaged in accordance with Article 28 GDPR. For further details on the nature and manner of processing by this third-party provider, please consult the following link: https://www.facebook.com/business/gdpr. The fact that it is not impossible that data may be transferred to the U.S.-based parent company or that this company may be involved does not conflict with the use of this third-party provider. This is because the processing of the personal data via this tool takes place only if the data subjects consent to the associated transfer of data to the United States (see point (a) of Article 49(1) GDPR). This takes place toward the controller located in this country to the extent that this controller controls the data processing. In this regard, the risk information mentioned above (basic information / transfers to countries outside the European Union) is the operative factor. Where the provider of the social network or medium presented here controls the processing (for example if the data subjects visit the social network irrespective of any action on this website), there is already no transfer by the controller to the United States, with the result that the controller located in this country is also not required to present any further safeguard within the meaning of Articles 44 et seqq. GDPR. 
In these cases, there is, at most, a relationship within the meaning of Article 26 GDPR between the controller located in this country and the provider of the social network.

Third-party provider: The social network Instagram from Meta Platforms Ireland Limited (Ireland, EU) is used. However, it is not impossible that data may be transferred to the parent company, Meta Platforms Inc. (USA), or that this company may be involved. To the extent that the controller and the provider of the social network or medium presented here share the status of controller, the agreement can be consulted here: https://www.facebook.com/legal/terms/page_controller_addendum. This text contains full information on the scope and division of tasks. In all other cases, the provider of the social network or medium has been engaged in accordance with Article 28 GDPR. For further details on the nature and manner of processing by this third-party provider, please consult the following link: https://help.instagram.com/519522125107875. The fact that it is not impossible that data may be transferred to the U.S.-based parent company or that this company may be involved does not conflict with the use of this third-party provider. This is because the processing of the personal data via this tool takes place only if the data subjects consent to the associated transfer of data to the United States (see point (a) of Article 49(1) GDPR). This takes place toward the controller located in this country to the extent that this controller controls the data processing. In this regard, the risk information mentioned above (basic information / transfers to countries outside the European Union) is the operative factor. Where the provider of the social network or medium presented here controls the processing (for example if the data subjects visit the social network irrespective of any action on this website), there is already no transfer by the controller to the United States, with the result that the controller located in this country is also not required to present any further safeguard within the meaning of Articles 44 et seqq. GDPR. 
In these cases, there is, at most, a relationship within the meaning of Article 26 GDPR between the controller located in this country and the provider of the social network.

Third-party provider: The social network LinkedIn from LinkedIn Ireland Unlimited Company (Ireland, EU) is used. However, it is not impossible that data may be transferred to the parent company, LinkedIn Corporation (USA), or that this company may be involved. For further details on the nature and manner of processing by this third-party provider, please consult the following links: https://www.linkedin.com/legal/privacy-policy?trk=hb_ft_priv. The fact that it is not impossible that data may be transferred to the U.S.-based parent company or that this company may be involved does not conflict with the use of this third-party provider. This is because the processing of the personal data via this tool takes place only if the data subjects consent to the associated transfer of data to the United States (see point (a) of Article 49(1) GDPR). This takes place toward the controller located in this country to the extent that this controller controls the data processing. In this regard, the risk information mentioned above (basic information / transfers to countries outside the European Union) is the operative factor. Where the provider of the social network or medium presented here controls the processing (for example if the data subjects visit the social network irrespective of any action on this website), there is already no transfer by the controller to the United States, with the result that the controller located in this country is also not required to present any further safeguard within the meaning of Articles 44 et seqq. GDPR. In these cases, there is, at most, a relationship within the meaning of Article 26 GDPR between the controller located in this country and the provider of the social network.

Useful information via email

In brief: Data subjects can order email content on this website. To this end, the contact details required for this are collected and used to deliver the content.

Processing and third-party providers in detail: The controller may process the data of data subjects in order to send them useful marketing information via email. This relates to an electronic circular published at regular and/or irregular intervals. At the start, the subjects provide the controller with those data that the controller requests in order to sign up. After the double opt-in procedure is carried out, the controller uses these data to conduct marketing outreach to data subjects via these emails.

Data that are processed: The controller processes the data that data subjects voluntarily disclose to the controller for this purpose (typically email and name), along with the data that the controller needs in order to demonstrate that consent has been granted (opt-in status data) and, where applicable, data concerning withdrawal of consent.

Additional information concerning consent as a legal basis: To obtain consent, the controller uses what is known as the “double opt-in” procedure. This means that after data subjects sign up, the controller sends them an email at the email address provided, asking them to confirm their consent. If they do not confirm that they have signed up within 30 days, their information is blocked and then automatically erased after one month. Beyond that, the controller stores the IP addresses they have used in each case, along with the times of the sign-up and confirmation. The purpose of this procedure is to prove that they have signed up and be able to investigate any possible misuse of their personal data. The legal basis of this processing is point (c) of Article 6(1) GDPR. According to this provision, this controller is permitted to process the data of data subjects if this is necessary to fulfill a legal obligation to which the controller is subject. The legal obligation follows from Article 7(1) or 5(1) GDPR. According to these provisions, this controller is legally obligated to document obtaining consent. This is possible only if the controller collects the data of data subjects for this for evidentiary purposes.

Third-party provider: The automation tool MailChimp from Rocket Science Group LLC (USA) is used. For further details on the nature and manner of processing by this third-party provider, please consult the following links: https://mailchimp.com/marketing-platform/ and https://mailchimp.com/features/email/. The fact that the provider is based outside the European Union does not conflict with the processing. This is because the processing of the personal data takes place only if the data subjects consent to the associated transfer of data to the United States (see point (a) of Article 49(1) GDPR). In this regard, the risk information mentioned above (basic information / transfers to countries outside the European Union) is the operative factor.

Third-party provider: In connection with automation, the interface tool Zapier from Zapier, Inc. (USA), is used. This entity has been engaged in accordance with Article 28 GDPR. For further details on the nature and manner of processing by this third-party provider, please consult the following link: https://zapier.com/how-it-works. In brief, the controller located in this country can use Zapier to link applications so that the data of customers and prospective customers can be exchanged automatically between or among the different applications. The fact that the provider is based outside the European Union does not conflict with the processing. This is because the provider has undertaken an obligation in accordance with the EU standard contractual clauses.

Map service

In brief: In order to show data subjects directions or display a map for other reasons, the controller presents maps on this website. If and when data subjects reach pages that display these maps, data concerning the data subjects are transmitted to this controller and, in some cases, to the provider of the map service.

Processing and third-party providers in detail: This website displays a map that shows data subjects directions. As soon as the data subjects reach the relevant page, the data mentioned below are transferred to this controller and to the provider of the map service. The map is displayed only if consent has been granted beforehand.

Data that are processed:

(1) Data concerning the use of this website, (2) IP address and possibly (3) data concerning the address entered for route planning purposes.

Third-party provider: The map service Google Maps from Google Ireland Ltd. (Ireland, EU) is used. This entity has been engaged in accordance with Article 28 GDPR. However, it is not impossible that data may be transferred to the parent company, Google LLC (USA), or that this company may be involved. For further details on the nature and manner of processing by this third-party provider, please consult the following link: https://support.google.com/maps/answer/7576020?hl=de#null. Which specific data are transferred in detail also depends on whether the data subjects use this website as logged-in users of a Google account. Details concerning the transfer and use of data are available here: https://policies.google.com/privacy?hl=de. The fact that it is not impossible that data may be transferred to the U.S.-based parent company or that this company may be involved does not conflict with the use of this third-party provider. This is because the processing of the personal data takes place only if the data subjects consent to the associated transfer of data to the United States (see point (a) of Article 49(1) GDPR). In this regard, the risk information mentioned above (basic information / transfers to countries outside the European Union) is the operative factor.

Processing operations with a legitimate interest

Purpose and legal basis

Unless otherwise indicated in this section (“Processing operations with a legitimate interest”), the processing operations are based solely on a legitimate interest on the part of the controller or a third party. The relevant purpose is mentioned in the individual description of the processing. In these cases, the legal basis is point (f) of Article 6(1) GDPR.

Duration of storage

Personal data whose processing is described in this section are processed until the legitimate interest no longer exists or the data subjects have legitimately objected thereto, whichever comes first.

Marketing outreach to other parties to contracts and agreements

In brief: Where the data subjects enter into a contract or agreement with the controller, whether paid or unpaid, the controller will provide the data subjects with useful information via email. The data subjects can object to this at any time. This can be done, for example, by sending a message to the controller, with no particular form required.

Processing and third-party providers in detail: The controller processes the email address and name of data subjects in order to send them useful information via email at regular or irregular intervals. Moreover, the controller stores the information that a contractual relationship exists or has existed between the data subjects and the controller in order to be able to demonstrate its legitimate interest. The legitimate interest here follows from the circumstance that there is a contractual relationship between the data subjects and the controller within the context of which data subjects typically expect to receive marketing outreach by email. This is supported by recital 47, seventh sentence.

Data that are processed: (1) Email address, (2) name, and (3) status information concerning the contractual relationship.

Special note on the right to object: Data subjects can object to the use of their data for this purpose at any time. This can be done, for example, by sending a message to the controller, with no particular form required (to obtain contact channels, data subjects can consult the beginning of this statement and the legal notice). In particular, data subjects can object without any costs other than the costs of transmission at basic rates arising for this purpose.

Informational use of the website

In brief: If and when data subjects merely visit this website without interacting with it, this controller processes their data to the extent that so doing is necessary in technical terms in order to display the website.

Processing in detail: If data subjects use this website purely for informational purposes, meaning if and when they neither register as users nor transfer information otherwise, the controller collects some data from the data subjects to the extent that so doing is necessary in technical terms in order to display the website.

Data that are processed: IP address, date and time of inquiry, time zone difference from Greenwich Mean Time (GMT), content of request (concrete page), access status/HTTP status code, volume of data transmitted in each case, website from which the request originates, browser, operating system and interface, language and version of the browser software.

Rights management and external legal advice, where applicable

In brief: If and when data subjects assert rights toward this controller (such as requests for access to information), the controller processes the communication data associated with this in order to handle this in the interest of data subjects and to be able to defend itself, where applicable, against civil-law claims and accusations that carry fines or criminal penalties.

Processing in detail: If and when the data subjects assert claims of any kind against this controller, the data are processed as follows:

(1) The controller receives the request and stores all data associated with it.

(2) The controller uses these data to review the matter. The controller utilizes external legal advice where necessary.

(3) If the request is justified, the controller uses the data to accommodate it. Otherwise, the controller uses the data to provide information to data subjects.

(4) The controller retains the data that exist in the case of processing pursuant to sections 1 through 3 for three years, commencing on December 31 of the calendar year in which step 3 has taken place.

The legitimate interest in the case of sections 1 through 3 above follows from the interest of data subjects in their claims being processed and the controller’s interest in avoiding claims and sanctions. The legitimate interest in the case of section 4 above follows from the controller’s need to be able to defend itself later on against civil-law claims and accusations that carry fines or criminal penalties. This interest in storage pursuant to section 4 terminates when the limitation period pursuant to Sec. 193 and/or 195 of the German Civil Code (BGB) ceases to apply. 

Data that are processed: Name, contact details, and communication content.

Additional information concerning the legal basis: Processing pursuant to sections 1 through 3 is, additionally, also justified by point (c) of Article 6(1) GDPR, as the controller is obligated to review data subjects’ requests.

External Web hosting

In brief: The storage space required for this website is provided by an external provider. This means that all data of data subjects that are required in order to visit the website are also transferred to this provider.

Processing in detail: To publish this website, the controller has commissioned third-party providers to provide storage space and to deliver the site. In order for these service providers to be able to fulfill their tasks, they necessarily receive some data concerning the data subjects. The legitimate interest follows from the claim to being able to maintain a public presence.

Data that are processed: IP address, date and time of inquiry, time zone difference from Greenwich Mean Time (GMT), content of request (concrete page), access status/HTTP status code, volume of data transmitted in each case, website from which the request originates, browser, operating system and interface, language and version of the browser software, and where applicable also communication and interaction data arising from the behavior of data subjects.

Third-party provider: The Web hoster all-inkl from ALL-INKL.COM – Neue Medien Münnich (Germany, EU) is used. This entity has also been engaged in accordance with Article 28 GDPR. For further details on the nature and manner of processing by this third-party provider, please consult the following link: https://all-inkl.com/webhosting/.

Third-party provider: What is known as a content delivery network (CDN) is also used. The controller can achieve additional performance with a CDN. The content is duplicated at multiple data centers and thus distributed all over the world. This means that even users who are at a great geographic distance from the actual Web hosting provider can achieve fast loading times. The CDN Cloudflare from Cloudflare, Inc. (USA), is used for this. The fact that the provider is based outside the EU does not conflict with the engagement of this third-party provider. This is because the provider has undertaken an obligation in accordance with the EU standard contractual clauses.