Privacy statement

In this privacy statement we (the company caralegal GmbH) inform you about the processing of personal data when using our website. You can print or save this privacy statement by using the usual functionality of your browser.

1. Contact

The point of contact and so-called controller for the processing of your personal data when visiting this website within the meaning of the EU General Data Protection Regulation (GDPR) is

caralegal GmbH
Am Hamburger Bahnhof 4
10557 Berlin
Germany

Email: privacy@caralegal.eu

Phone: +49 30 9954 5740

If you have any questions about data protection in connection with our product caralegal or the use of our website, you can also contact our data protection officer at any time. The data protection officer can be contacted at the above postal address or by sending an email to the address provided (please mark all correspondence with: “F.A.O. data protection officer”).

2. Data processing on our website

2.1. Visiting our website / Connection data

Every time you use/visit our website, we collect the connectiondata automatically transmitted by your browser in order to make visiting the website possible. This connectiondata includes the so-called http-header-information, including the user agent, and include in particular:

  • IP address of the requesting device;
  • date and time of the request;
  • addresses of the website visited and the requesting website;
  • information about the browser used and the operating system;
  • online identifiers (e.g. device IDs, session IDs).

The data processing of this connection data is necessary to enable the visit of the website and to ensure the permanent operability and security of our systems as well as to generally administratively maintain our website. For the purposes described above, the connection data is also stored temporarily and limited to the most necessary content in internal log files in order to compile statistical information about the use of our website, to further develop our website with regard to the usage habits of our visitors (e.g. if the proportion of mobile devices with which the pages are accessed increases) and for general administrative maintenance of our website.

The legal basis is Art. 6 para. 1 lit. b GDPR, insofar as the page call occurs in the course of the initiation or fulfillment of a contract, and otherwise Art. 6 para. 1 lit. f GDPR due to our legitimate interest in enabling the website call and the permanent functionality and security of our systems. The automatic transmission of the connection data and the log files developed from it, however, do not constitute access to the information in the terminal equipment in the sense of the ePrivacy Directive of the EU member states, in Germany § 25 TTDSG. Apart from that, however, it would be absolutely necessary anyway.

For data protection reasons, log files are not permanently stored or analyzed by us.

2.2. Making contact

You have various options for contacting us, for example via the contact form on this website or by phone. In this context, we process personal data exclusively for the purpose of communication with you.

The legal basis is Art. 6 para. 1 lit. b GDPR, insofar as your information is required to answer your inquiry or to initiate or fulfill a contract, and otherwise Art. 6 para. 1 lit. f GDPR due to our legitimate interest that you contact us and that we can answer you inquiry. We only make promotional telephone calls if you have given your consent for this. If you are not an existing customer, we will also send you promotional emails only on the basis of your consent. The legal basis in these cases is Art. 6 para. 1 lit. a GDPR in conjunction with § 7 para. 2 No. 1 or 2 UWG.

The data collected by us when using the contact form will be automatically delted after your request has been fully processed, unless we still need your request to fulfill contractual or legal obligations (see section 7 “Storage period”).

2.3. SCC-Generator

You have the option via our website https://caralegal.eu/scc-generator/ to obtain a suitable contract template for so-called standard contractual clauses (Implementing Decision 2021/914) (“SCC”) with the help of our so-called SCC-generator. In this context, we process your data in order to provide you with the automatically generated contract template. If you have selected the voluntary option for requesting a free demo access to caralegal in the SCC-generator, we will also process your data for sending you corresponding product information and for providing you with free demo access.

The legal basis in both cases is your consent pursuant to Art. 6 para. 1 lit. a GDPR.

For the provision of the SCC-generator, we use LamaPoll, a product of Lamano GmbH & Co.KG, Frankfurter Allee 69, 10247 Berlin (https://www.lamapoll.de). The data is processed by LamaPoll on servers of Lamano GmbH & Co.KG, which are located in Germany. We have concluded a data processing agreement in accordance with Art. 28 GDPR.

Further information on data protection and data security can be found at: https://www.lamapoll.de/Support/Datenschutz and https://www.lamapoll.de/Support/Sicherheit.

3. Use of tools

3.1 Technologies used

This website uses various services and applications (collectively, “tools”) provided either by us or by third parties. These include, in particular, tools that use technologies to store or access information in the terminal equipment:

    • Cookies: information stored on the terminal equipment, consisting in particular of a name, a value, the storing domain and an expiration date. So called session cookies are deleted after the session, while so-called persistent cookies are deleted after the specified expiration date. Cookies can also be removed manually.
    • Web storage (local storage / session storage): information stored on the terminal equipment, consisting of a name and a value. Information in the session storage is deleted after the session, while information in the local storage has no expiration date and basically remains stored unless a mechanism for deletion has been set up (e.g. storage of a local storage with time entry). Information in local and session storage can also be removed manually.
    • JavaScript: programming codes (scripts) embedded in or called up from the website that, for example, set cookies and web storage or actively collect information from the terminal equipment or about the usage behavior of visitors or users. JavaScript can be used for “active fingerprinting” and the creation of usage profiles. JavaScript can be blocked by a setting in the browser, although most services will then no longer function.
    • Pixel: Tiny graphic automatically loaded by a service, which can make it possible to recognize visitors by automatically transmitting the usual connection data (in particular IP address, information about browser, operating system, language, address called up and time of call-up) and to determine, for example, whether an email has been opened or a website visited. With help of pixels, “passive fingerprinting” and the creation of usage profiles can be carried out. The use of pixels can be prevented, for example, by blocking images (e.g. in emails), although the display is then severely restricted.

    With the aid of these technologies and also by simply establishing a connection on a page, so-called “fingerprints” can be created, i.e. usage profiles that do not require the use of cookies or web storage and can still recognize visitors. Fingerprints based on the connection setup cannot be completely prevented manually. Most browsers are set by default to accept cookies, the execution of scripts and the display of graphics. However, you can usually adjust your browser settings to reject all or certain cookies or to block scripts and graphics. If you block cookies from being stored, graphics from being displayed, and scripts from running entirely, our services are not likely to function properly or at all.

    In the following, we list the tools used by category, informing you in particular about the providers of the tools, the storage period of the cookies or information in local storage and session storage, and the transfer of data to third parties. We also explain in which cases we obtain your voluntary consent to use the tools and how you can revoke it.

    If – even despite the greatest care – the information in the consent banner contradicts that said in this data privacy policy, the information in this data privacy policy prevails.

    3.2 Legal basis and revocation

    3.2.1. Legal basis

    We use tools necessary for website operation based on our legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR to provide the basic functions of our website. In certain cases, these tools may also be necessary for the fulfillment of a contract or to carry out pre-contractual measures, in which case the processing is carried out in accordance with Art. 6 para. 1 lit. b GDPR. In these cases the access to and the storage of information in the terminal equipment is absolutely necessary and takes place on the basis of the ePrivacy Directive of the EU member states, in Germany according to § 25 para. 2 TTDSG.

    We use all other non-essential (optional) tools that provide additional functions, in particular those for marketing purposes, based on your consent pursuant to Art. 6 para. 1 lit. a GDPR. The access to and the storage of information in the terminal equipment then takes place on the basis of the implementation laws of the ePrivacy Directive of the EU member states, in Germany in accordance with § 25 para. 1 TTDSG. Data processing with the help of these tools only takes place if we have received your prior consent for this.

    If personal data is transferred to third countries, we refer you to section 6 (“Data transfer to third countries”), also with regard to the possible associated risks. We will inform you if an adequacy decision exists for the third country in question or if standard contractual clauses or other guarantees have been concluded. If you have given your consent to the use of certain tools and the associated transfer of your personal data to third countries, we (also) transfer the data processed when using the tools to third countries on the basis of this consent in accordance with Art. 49 para. 1 lit. a GDPR.

    3.2.2. Obtaining your consent

    For obtaining and managing your consents, we use the WordPress plugin “Borlabs Cookie”. This generates a banner that informs you about data processing on our website and gives you the option to consent to all, some or no data processing through optional tools. This banner appears the first time you visit our website and when you revisit the selection of your preferences to change them or revoke consents. The banner also appears on subsequent visits to our website, provided that you have disabled the storage of cookies or the cookies or information in the local storage of “Borlabs Cookie” have been deleted or have expired.

    In addition, the WordPress plugin “Borlabs Cookie” sets a necessary cookie (“borlabs-cookie”) to store your given consents and revocations. If you delete your cookies, we will ask you for your consent again when you visit our website at a later time.

    The data processing by the WordPress plugin “Borlabs Cookie” is necessary to provide you with the legally required consent management and to comply with our documentation obligations. The legal basis is Art. 6 para. 1 lit. f GDPR, based on our legitimate interest in meeting and fulfilling the legal requirements for cookie consent management. The access to and storage of information in the end device is absolutely necessary in these cases and takes place on the basis of the implementation laws of the ePrivacy Directive of the EU member states, in Germany according to § 25 para. 2 TTDSG.

    3.2.3. Revocation of your consent or changing your selection

    You can revoke your consent for certain tools at any time. To do so, click on the following link: Cookie-Settings. There you can also change the selection of the tools you wish to consent to using, as well as obtain additional information about the cookies and the respective storage period. Alternatively, you can assert your revocation for certain tools directly with the provider.

    3.3. Necessary tools

    We use certain tools to enable the basic functions of our web application (“necessary tools”). These include ensuring the security of our web application. Without these tools, we could not provide our service. Therefore, necessary tools are used without consent.

    The legal basis for necessary tools is the necessity to fulfill our legitimate interests pursuant to Art. 6 para. 1 lit. f GDPR in the provision of the respective basic functions and the operation of our website. In cases where the provision of the respective website functions is necessary for the fulfillment of a contract or for the performance of pre-contractual measures, the legal basis for data processing is Art. 6 para. 1 lit. b GDPR. Access to and storage of information in the terminal device is absolutely necessary in these cases and is carried out on the basis of the implementation laws of the ePrivacy Directive of the EU member states, in Germany according to § 25 para. 2 TTDSG.

    In the event that personal data is transferred to third countries (such as the USA), we refer to Section 6 (“Data transfer to third countries”) in addition to the information provided below.

    3.3.1. Google Tag Manager

    Our website uses Google Tag Manager, a service provided for users from the European Economic Area and Switzerland by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland and for all other users by Google LLC 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (collectively “Google”).

    The Tag Manager is used exclusively to manage website tools through integration and other services, so-called website tags. A tag is an element that is stored in the source code of our website in order to execute a tool, for example through scripts. If these are optional tools, they will only be integrated by the Google Tag Manager with your consent. The Google Tag Manager uses JavaScript and does not require the use cookies.
    The legal basis is Art. 6 para. 1 lit. f GDPR, based on our legitimate interest to integrate and manage multiple tags on our website in a straightforward manner.

    Google collects information about which tags are integrated by our website for the purpose of ensuring stability and functionality in the context of using the Google Tag Manager. However, the Google Tag Manager does not store any personal data beyond the mere establishment of the connection, in particular no data about user behavior or the pages visited.

    We have concluded a data processing agreement with Google Ireland Limited. In the event that personal data is transferred by Google Ireland Limited to the USA or other third countries, Google Ireland Limited and Google LLC have concluded standard contractual clauses (Implementing Decision (EU) 2021/914, Module 3) pursuant to Art. 46 para. 2 lit. c GDPR.

    For more information, please see Google’s Information on the Tag Manager.

    3.4. Analytics tools

    In order to improve our website, we use optional tools to recognize visitors and to statistically collect and analyze general usage behavior based on access data (“analytics tools”). We also use analytics services to evaluate the use of our various marketing channels. The usage information collected is processed in aggregated form and enables us to track usage behavior of our visitors. This is used to adapt and optimize the design of our website and to make the user experience more pleasant.

    The legal basis for the analysis tools is – unless otherwise stated – your consent pursuant to Art. 6 para. 1 lit. a GDPR. The access to and the storage of information in the terminal equipment is then based on the implementation laws of the ePrivacy Directive of the EU member states, in Germany according to § 25 para. 1 TTDSG. For revocation of your consent, see 3.2.3.: “Revocation of your consent or changing your selection”.

    In the event that personal data is transferred to the USA or other third countries, your consent expressly extends to the data transfer (Art. 49 para. 1 lit. a GDPR). Please refer to section 6 (“Data transfer to third countries”) for the associated risks.

    3.4.1. Google Universal Analytics

    Our website uses the web analytics service Google Universal Analytics (“Google Analytics”), a service provided for users from the European Economic Area and Switzerland by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland and for all other users by Google LLC 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (collectively “Google”).

    Google Analytics uses JavaScript and pixels to read information on your terminal device and cookies to store information on your terminal device. This is used to analyze your usage behavior and to improve our website. We will process the information obtained to evaluate your use of the website and to compile reports on website activities for the website operators. The data generated in this context may be transferred by Google to a server in the USA for evaluation and stored there.

    We have made the following privacy setting for Google Analytics:

    • IP anonymization (shortening of the IP address before evaluation so that no conclusions can be drawn about your identity);
    • Automatic deletion of old logs / limitation of the storage period;
    • Deactivated advertising function (including target group remarketing by GA Audience);
    • Disabled personalized ads;
    • Disabled measurement protocol;
    • Disabled cross-page tracking (Google Signals);
    • Disabled data sharing with other Google products and services.

    The following data is processed by Google Analytics:

    • Anonymized IP address;
    • Referrer-URL (previous visited site);
    • Pages viewed (date, time, URL, title, time spent);
    • Downloaded files;
    • Clicked links to other websites;
    • Achievement of specific goals (conversions), if applicable;
    • Technical information: operation system; browser type, version and language; device type, brand, model and resolution;
    • Approximate location (country and city (if applicable), based on anonymized IP address).

    Google Analytics sets the following cookies for the specified purpose with the respective storage period:

    • „_ga“ für 2 Jahre und“_ga” for 2 years, “_gid” for 24 hours (both for recognizing and distinguishing website visitors by a user ID);
    • “_gat” for 1 minute (to reduce queries to the Google servers) and possibly “IDE” for 13 months (third party cookie for recognizing and distinguishing website visitors by a user ID, for recording the interaction with advertising and in the context of playing out personalized advertising).

    The legal basis for this data processing is your consent pursuant to Art. 6 Para. 1 lit. a GDPR. The access to and the storage of information in the end device is then based on the implementation laws of the ePrivacy Directive of the EU member states, in Germany according to § 25 para. 1 TTDSG.

    We have concluded a data processing agreement with Google Ireland Limited for the use of Google Analytics. In the event that personal data is transferred from Google Ireland Limited to the USA, Google Ireland Limited and Google LLC have concluded standard contractual clauses (Implementing Decision (EU) 2021/914, Module 3) pursuant to Art. 46 para. 2 lit. c gdpr. In addition, we also obtain your express consent for the transfer of your data to third countries in accordance with Art. 49 (1) a DSGVO.

    You can find more information about Google Analytics in Google’s privacy statement and in the Google Analytics privacy statement.

    3.5. Functional tools

    We also use optional tools to improve the user experience on our website and to offer you more functions (“functional tools”). While these are not strictly necessary for the basic functions of the website, they can bring significant benefits to visitors, especially in terms of providing additional communication channels.

    The legal basis for the functional tools is your consent pursuant to Art. 6 para. 1 lit. a GDPR, which you provide via the consent banner or with the respective tool itself by individually allowing its use and via a banner (overlay) placed over it. The access to and the storage of information in the terminal equipment then takes place on the basis of the implementation laws of the ePrivacy Directive of the EU member states, in Germany according to § 25 para. 1 TTDSG. For revocation of your consent, see 3.2.3: “Revocation of your consent or changing your selection”.

    In the event that personal data is transferred to third countries, your consent expressly extends to the transfer of data (Art. 49 para. 1 lit. a GDPR). Please refer to section 6 (“Data transfer to third countries”) for the associated risks.

    3.5.1. Userlike

    Our website uses the Userlike service of Userlike UG (haftungsbeschränkt) (“Userlike”), Probsteingasse 44-46, 50670 Cologne, Germany. This tool is used for the provision of a real-time chat for fast and uncomplicated communication with you. The legal basis for the data processing is your consent pursuant to Art. 6 para. 1 lit. a GDPR. The access to and the storage of information in the terminal device is then based on the implementation laws of the ePrivacy Directive of the EU member states, in Germany § 25 para. 1 TTDSG.

    The following data may be processed:

    • If specified: name and email address
    • Chat content: chat transcript, pre and post chat survey, chat topic, chat status, chat rating, duration and date of chat;
    • IP address;
    • if applicable: location (country and city);
    • Information about your terminal equipment (type, brand, model, resolution, operating system);
    • Informationen about your browser (type, version, language);
    • Number of page views and page visits, page viewed at the beginning of the chat, time of call, referrer URL (previous visited page).

    For more information on the data processed, please visit: https://userlike-de.helpscoutdocs.com/article/303-um-welche-personenbezogenen-daten-verarbeitet-userlike.

    The following cookies are set for the specified purpose with the specified storage period and filled with information after the chat is called up:

    • “uslk_s” to store the current session, the application status and for chat statistics (session);
    • “uslk_e” to store the user information, such as the user ID, the name, the email address and the number of visits (30 days).

    For more information on the cookies, please visit: https://userlike-de.helpscoutdocs.com/article/305-verwendet-userlike-cookies.

    To protect your privacy, we have made the following privacy settings:

    • Privacy chat mode to minimize data collection and display to what is absolutely necessary;
    • Disabling the live preview function so that texts that have not yet been sent are not displayed;
    • Deactivation of the identity query, so that no data such as profile pictures or links are determined on the basis of the email address from public online profiles;
    • Confirmation and linking of the privacy policy before starting the chat.

    For more information on the data privacy settings, please visit: https://userlike-de.helpscoutdocs.com/article/650-um-wie-konnen-wir-die-erhebung-von-personenbezogenen-daten-von-userlike-einschranken.

    The data is generally stored and processed by the service provider Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany. For certain functions, however, other service providers are used who have their headquarters outside of the European Union (so-called third countries):

    • Amazon AWS EMEA SARL, 38 Avenue John F. Kennedy L-1855, Luxembourg (“Amazon”): for playing out the technical components (DNS, images, JavaScript, code, stylesheet files) to provide the software (chat widget, chat window, chat buttons), for which the following data may be transmitted and stored and processed worldwide: IP address; information about your terminal equipment (type, brand, model, resolution, operating system); information about your browser (type, version, language); time of the call, referrer-URL (previous visited page).
    • Amazon AWS EMEA SARL, 38 John F. Kennedy L-1855, Luxembourg (“Amazon”) and Mailgun Technologies, Inc., 112 Pecan St 1135, San Antonio, Texas, 78205, USA (“Mailgun”): for email notifications to the operator or to you about unread chat messages, for which the following data may be transmitted and stored and processed within the EU: email address; user generated content; IP address; information about your terminal device (type, brand, model, resolution, operating system); information about your browser (type, version, language); time of call, referrer URL (previously visited page).

    Amazon and Mailgun have their headquarters in the USA. Therefore, standard contractual clauses (Implementing Decision (EU) 2021/914, Module 3) have been concluded for the transfer of the data in accordance with Art. 46 para. 2 lit. c GDPR. The basis for the transfer is your consent for Userlike, which also extends to the transfer of this data (Art. 49 para. 1 lit. a GDPR). For more information about the transfer of data to third countries and the possible associated risks, please refer to section 6 (“Data transfer to third countries”).

    For more information on the data processing location, please visit: https://userlike-de.helpscoutdocs.com/article/304-wie-und-wo-verarbeitet-userlike-personenbezogene-daten.

    For the rest, you can find more detailed information about the tool and data processing under: https://www.userlike.com/de/data-privacy.

    3.6. Marketing tools

    We also use optional tools for advertising purposes (“marketing tools”). Some of the access data collected when using our website is used to create usage profiles, which store in particular your usage behavior, the advertisements you have viewed or clicked on and, based on this, the classification into advertising categories, interests and preferences. By analyzing and evaluating this access data, we are able to present you with personalized advertising, i.e. advertising that corresponds to your actual interests and needs, on our website and on the websites and services of other providers. In doing so, we also analyze your usage behavior in order to recognize you on other sites and to address you in a personalized manner based on your use of our site (so-called retargeting). In addition, we evaluate the effectiveness and success of our advertising campaigns (especially so-called conversions and leads).

    Marketing tools also include optional social network tools that are used to share posts and content via these networks (“social media plugins”).

    The legal basis for the marketing tools is your consent pursuant to Art. 6 para. 1 lit. a GDPR, which you give via the consent banner or with the respective tool itself by individually allowing its use via a banner (overlay) placed over it. The access to and the storage of information in the terminal equipment is then based on the implementation laws of the ePrivacy Directive of the EU member states, in Germany according to § 25 para. 1 TTDSG. For revocation of your consent, see 3.2.3: “Revocation of your consent or changing your selection”.

    In the event that personal data is transferred to third countries (such as the USA), your consent expressly extends to the data transfer (Art. 49 para. 1 lit. a GDPR). Please refer to section 6 (“Data transfer to third countries”) for the associated risks.

    In the following section, we would like to explain the tools and the providers used for this in more detail. The data collected may include in particular:

    • IP address;
    • Information of a cookie and of the local or session storage;
    • Device identifier of mobile devices (e.g. device ID, advertising ID);
    • Referrer-URL (previous visited page);
    • Pages viewed (date, time, URL, title, time spent);
    • Downloaded files;
    • Clicked links to other websites;
    • Achievement of specific goals (conversions), if applicable;
    • Technical information: operating system; browser type, version and language; device type, brand, model and resolution;
    • Approximate location (country and city, if applicable).

    However, the collected data is stored exclusively pseudonymized, so that no direct conclusions can be drawn about individuals.

    3.6.1. Linkedin Insight Tag

    Our website uses the LinkedIn Insight Tag service of LinkedIn Ireland, Wilton Plaza, Wilton Place, Dublin 2, Ireland (“LinkedIn”). This enables us to collect statistical data about your visit and the use of our website and to evaluate it. Thereby it enables us to show you interest-based and relevant offers, recommendations and advertising on LinkedIn (retargeting). In addition, an analysis of the effectiveness of advertisements (conversion tracking) is carried out in this context. For this purpose, LinkedIn uses cookies, pixels and JavaScript.

    The following cookies are set and read by LinkedIn:

    • “lang” (Session): storage of the language setting;
    • “lidc” (24 hours): optimization of data center selection;
    • “lissc” (180 days): cookie by means of which all cookies in the same browser use the same SameSite attribute;
    • “bcookie” (2 years): prevention of misuse;
    • “UserMathHistory” (30 days): usage analysis, synchronization of IDs with LinkedIn Ads;
    • “li_gc” (2 years): storage of user consent;
    • “AnalyticsSyncHistory” (30 days): storage for synchronization of information about LinkedIn members.

    For more information about cookies, see: https://www.linkedin.com/legal/l/cookie-table.

    The legal basis for this data processing is your consent pursuant to Art. 6 para. 1 lit. a GDPR. The access to and the storage of information in the terminal equipment is then based on the implementation laws of the ePrivacy Directive of the EU member states, in Germany according to § 25 para. 1 TTDSG.

    If you are logged in to LinkedIn while visiting our website, LinkedIn may link the collected information to your member account and use it for targeted advertising on LinkedIn. You can view your privacy settings on LinkedIn at the following link: https://www.linkedin.com/psettings/enhanced-advertising.

    We have concluded a data processing agreement with LinkedIn in accordance with Art. 28 GDPR. The data generated in this context may be transmitted by LinkedIn to a server in the USA and stored there. In the event that personal data is transferred to the USA or other third countries, we have concluded standard contractual clauses with LinkedIn (Implementing Decision (EU) 2021/914, Module 2) pursuant to Art. 46 para. 2 lit. c GDPR. In addition, we also obtain your express consent for the transfer of your data to third countries pursuant to Art. 49 para. 1 lit. a GDPR.

    For further information, please refer to LinkedIn’s privacy policy: https://de.linkedin.com/legal/privacy-policy?.

    4. Online presence in social networks

    We maintain online presences in social networks in order to communicate on these platforms with customers and interested parties, among others, and to provide information about our products and services.

    The users’ data is generally processed by the social networks concerned for market research and advertising purposes. In this way, usage profiles can be created based on the interests of the users. For this purpose, cookies and other identifiers are stored on the users’ computers. Based on these usage profiles, advertisements, for example, are then placed within the social networks but also on third-party websites.

    As part of the operation of our online presences, it is possible that we may access information such as statistics on the use of our online presences provided by the social networks. These statistics are aggregated and may include, in particular, demographic information (e.g., age, gender, region, country) as well as data on interaction with our online presences (e.g., likes, subscription, sharing, viewing of images and videos) and the posts and content distributed via them. This may also provide information about the interests of users and which content and topics are particularly relevant to them. This information may also be used by us to adapt the design and our activities and content on the online presence and optimize it for our audience. Please see the list below for details and links to the social network data that we, as operators of the online presences, can access. The collection and use of these statistics is generally subject to joint responsibility. Where applicable, the relevant agreement is listed below.

    The legal basis for data processing is Art. 6 para. 1 lit. f GDPR, based on our legitimate interest in effectively informing users and communicating with users, or Art. 6 para. 1 lit. b GDPR, in order to stay in contact with and inform our customers and to carry out pre-contractual measures with future customers and interested parties.

    If you have an account with the social network, it is possible that we can see your publicly available information and media when we access your profile. In addition, the social network may allow us to contact you. For example, this may be through direct messages or posted articles. The content communication via the social network and the processing of the content data are thereby subject to the responsibility of the social network as a messenger and platform service. As soon as we transfer or further process personal data from you into our own systems, we are independently responsible for this and this is done to carry out pre-contractual measures and to fulfill a contract in accordance with Art. 6 para. 1 lit. b GDPR.

    For the legal basis of the data processing carried out by the social networks under their own controllership, please refer to the data protection notices of the respective social network. The links below also provide you with further information on the respective data processing and the options to object.

    We would like to point out that data protection requests can be asserted most efficiently with the respective provider of the social network, as only these providers have access to the data and can take appropriate measures directly.

    Below is a list with information on the social networks on which we operate online presences:

     

    5. Disclosure of data

    In principle, we will only pass on the data we collect if:

    • you have given your explicit consent pursuant to Art. 6 para. 1 lit. a GDPR;
    • the disclosure is necessary for the assertion, excercise or defense of legal claims in accordance with Art. 6 para. 1 lit. fGDPR and there is no reason to assume that you have an overriding interest not having your data disclosed;we are legally obliged to disclose your data according to Art. 6 para. 1 lit. c GDPR, in particular if this is necessary for legal prosecution of enforcement due to administrative inquiries, court orders and legal proceedings, or
    • this is legally permissible and necessary according to Art. 6 para. 1 lit. b GDPR for the processing of contractual relationships with you or for the implementation of pre-contractual measures that take place at your request.

    Part of the data processing may be carried out by our service providers. In addition to the service providers mentioned in this privacy statement, this may in particular include data centers that store our website and databases, software providers, IT service providers that maintain our systems, agencies, market research companies, group companies and consulting firms. If we pass data on to our service providers, they may use the data exclusively for the fulfillment of their tasks. We have carefully selected and commissioned the service providers. They are contractually bound by our instructions, have appropriate technical and organizational measures in place to protect the rights of data subjects and are carefully monitored by us.

    6. Data transfers to third countries

    As explained in this privacy notice, we use services whose providers are partly located in so-called third countries (outside the European Union or the European Economic Area) or process personal data there, i.e. countries whose level of data protection does not correspond to that of the European Union. Insofar as this is the case and the European Commission has not issued an adequacy decision (Art. 45 GDPR) for these countries, we have taken appropriate precautions to ensure an adequate level of data protection for any data transfers. These include, among others, the standard contractual clauses of the European Union or binding internal data protection regulations.

    Where this is not possible, we base the transfer of data on exceptions to Art. 49 GDPR, in particular your expressed consent or the necessity of the transfer for the performance of the contract or for the implementation of pre-contractual measures.

    If a third country transfer is provided for and there is no adequacy decision or appropriate safeguards, it is possible and there is a risk that authorities in the respective third country (e.g. intelligence services) may gain access to the transferred data in order to collect and analyse it and that enforceability of your data subject rights cannot be guaranteed. When obtaining your consent via the cookie banner, you will also be informed of this.

    7. Storage period

    In principle, we only store personal data for as long as necessary to fulfill contractual or legal obligations for which we have collected the data. We then delete the data without delay, unless we still require the data until the end of the statutory limitation period for evidence purposes for claims under civil law or due to statutory retention obligations or there is another legal basis under data protection laws in the specific case for the continuing standard limitation period at this point in time at the earliest.

    For evidence purposes, we must keep contract data for another three years after the end of the year in which the business relationship with you ends. After the standard statutory period of limitation, any claims become statute-barred at this point in time at the earliest.

    Even after that, we are still required to store some of your data for accounting reasons. We are obliged to do so due to statutory documentation obligations, which may arise on the basis of the German Commercial Code, the Fiscal Code, the Banking Act and the Money Laundering Act. The periods specified there for retaining documents range from two to ten years.

    8. Your rights

    You are entitled to the data subject rights formulated in Art. 15 – 21, Art. 77 GDPR at any time:

    • Right to withdraw your consent;
    • Right to object to the processing of your personal data (Art. 21 GDPR);
    • Right of access to your personal data processed by us (Art. 15 GDPR);
    • Right to rectify your personal data stored by us that is incorrect (Art. 16 GDPR);
    • Right to erasure of your personal data (Art. 17 GDPR);
    • Right to restrict the processing of your personal data (Art. 18 GDPR);
    • Right to data portability of your personal data (Art. 20 GDPR);
    • Right to lodge a complaint with a supervisory authority (Art. 77 GDPR).

    To exercise your rights described here, you can contact us at any time using the contact details above. This also applies if you would like to receive copies of guarantees to prove an adequate level of data protection. Provided that the respective legal requirements are met, we will comply with your data protection request.

    Your requests for the assertion of data protection rights and our responses to them will be stored for documentation purposes for a period of up to three years and, in individual cases, even longer for the assertion, exercise or defense of legal claims. The legal basis is Art. 6 para. 1 lit. f GDPR, based on our interest in defending against any civil claims under Art. 82 GDPR, avoiding fines under Art. 83 GDPR and fulfilling our accountability obligations under Art. 5 (2) GDPR.

    Finally, you have the right to complain to the data protection supervisory authority responsible for us. You can assert this right at a supervisory authority in the member state of your place of residence, your place of work or the place of the alleged infringement. In Berlin, where we are based, the competent supervisory authority is: Berlin Commissioner for Data Protection and Freedom of Information, Alt-Moabit 59-61, 10555 Berlin.

    9. Right of withdrawal and objection

    You have the right to withdraw the consent you gave us at any time. As a result of this, we will cease the data processing based on this consent with future effect. This withdrawal of your consent will not affect the lawfulness of the processing carried out on the basis of the consent prior to the withdrawal.
    Insofar as we process your data on the basis of legitimate interests, you have the right to object to the processing of your data at any time for reasons arising from your particular situation. If your objection is to data processing for direct marketing purposes, you have a general right of objection, which we will implement without requiring you to give reasons.
    If you would like to make use of your right of withdrawal or objection, it is sufficient to simply notify us using the contact details provided above.

    10. Changes to this privacy statement

    We will update this privacy statement from time to time, for example if we adapt our website or there is a change in the legal or regulatory requirements.

    Last amendment: November 2022