Privacy policy

1     Contact person

The responsible person in the sense of the Basic Data Protection Regulation (DSGVO) is:

VRtual X GmbH, Hegestraße 40, 20251 Hamburg, Germany.
x@vrtual-x.com, +49 40 32318846

Questions regarding data protection can also be addressed directly to our data protection officer: Attorney David Heimburger, dh@davidheimburger.de, +49 40 22863648

2     Your rights in general

At this point, we summarize the general rights to which you are entitled under the GDPR with regard to your personal data processed by us. For an explanation of the legal terms, we refer to the applicable definitions in the GDPR (see Article 4 there). If anything remains incomprehensible, please feel free to ask us.

  • You may revoke any consent given to us to process or share your data at any time for the future (Article 7(3) DSGVO).
  • Should the legal basis for processing your data be a legitimate interest pursuant to Article 6(1)(f) DSGVO, you may lodge an objection to the data processing pursuant to Article 21 DSGVO. Insofar as the relevant data processing is direct marketing, you do not have to justify your objection in any way; in all other cases, you would have to provide reasons for your objection that arise from your particular situation.
  • If we have stored incorrect information about you, you can request us to correct your data (Article 16 DSGVO).
  • You can request information from us about which of your data we process (Article 15 DSGVO, Section 34 BDSG).
  • You can demand that we delete your data or restrict its processing, provided that your request does not conflict with any higher-ranking retention obligations (Article 17 or 18 DSGVO, Section 35 BDSG).
  • You may request that we provide you with the data you have provided to us yourself in a machine-readable format for disclosure to third parties (Article 20 DSGVO).
  • You may complain to a supervisory authority for data protection, e.g. the Hamburg Data Protection Commissioner, about data protection issues with us.

3     Data processing by us in general

Any form of processing of personal data requires a legal basis that allows us to do so. The legal basis is primarily derived from the purpose for which the data is processed. The lawfulness within a legal basis is regularly measured according to the specific scope of the data processing and the measures we have taken to protect your data.

Legal bases for data processing arise from Article 6(1) DSGVO and for data requiring special protection, such as health data, from Article 9(2) DSGVO. These two regulations name the preparation or fulfillment of contractual, legal or even social obligations as the most important legal bases for data processing. In addition, many data processing operations are carried out in our legitimate interest, unless, in view of the specific circumstances, the interests of the data subjects prevail. If one of the previously mentioned types of legal basis is relevant, the processing does not require any further consent from you.

In addition, data processing may be carried out on the basis of consent from you (Article 7 of the GDPR) or for persons under 16 years of age when using information society services (e.g. websites, online games, social media platforms) by the children or adolescents in conjunction with the consent of a legal guardian (Article 8 of the GDPR).

At this point, we expressly point out that none of our offers are directed at persons under the age of 16.

In part, our obligation to ask you for your consent does not or not solely result from the GDPR but from the stricter law under the EU ePrivacy Directive of 2002 (often called the „Cookie Directive“). The provisions of this directive apply in Germany via the German Telemedia Act (TMG) and the Unfair Competition Act (UWG). We have taken into account the obligations arising from these laws without expressly referring to them below.

If a data transfer to a state outside the European Economic Area (EEA) takes place, we ensure that data protection in the sense of Articles 44 – 49 DSGVO is secured.

4     General information about cookies

Cookies are text files that are stored by your browser on your device when you visit a website. Different information can be stored in a cookie. In some cases, a cookie only stores a yes or no („true“ or „false“), in other cases a character string is stored that enables the browser to be uniquely identified when the website is called up again (a so-called cookie ID).

The right to set cookies is not determined solely by the GDPR, but also by the EU ePrivacy Directive and Section 15 of the German Telemedia Act (TMG). The ePrivacy Directive distinguishes between cookies that are absolutely necessary (essential) for the operation of the online offer and those that are not. Essential cookies may also be set without consent, but non-essential cookies always require consent – even if this is not required under the GDPR (and, for example, there is a legitimate interest as a legal basis).

Before we store non-essential cookies on your terminal device, we ask for your consent in accordance with the requirements of the ePrivacy Directive.

The purpose of each cookie and the legal basis for its use under the GDPR can be found in the following description of the individual data processing.

There are various ways for you to prevent the acceptance of cookies on your device:

The standard case is likely to be that you decide which cookies you allow and which you do not allow via our consent manager when you call up one of our websites. In some cases, we can only offer you a blanket acceptance or rejection of all cookies or cookie groups.
In principle, you can set your browser so that it never accepts cookies. By such a complete exclusion, you will most likely lose functions that are based on cookies and that you would actually like to allow or that do not require consent at all.
You can access Internet pages in the private mode of your browser. Private mode also blocks the setting of cookies in your browser memory or automatically deletes all cookies at the end of the session.
Some browsers or browser plug-ins offer you the possibility to make more differentiated default settings as to which cookies you generally want to accept by default and which you do not.
A special case: Google offers a browser plug-in that prevents the setting of the various cookies from Google. You can find the corresponding plug-in here: https://tools.google.com/dlpage/gaoptout?hl=de

5     Concrete data processing

5.1   Visiting a virtual room

5.1.1   Personal user account

Description: In order to visit a virtual room or event provided by us, you must create a user account.

Data categories: Login data (name, title, email address, password), status data (organization/company, job title, own website), activity history (timestamp, browser actions).

Data recipient (third country transfer, if applicable): Our service provider for hosting the user database, which is bound to data protection via an order processing agreement, is located in the EEA. The service provider is part of an international group of companies with headquarters in the USA and further subcontractors in various third countries. The resulting data transfer outside the EEA is secured by the conclusion of EU standard data protection clauses.

Purpose + legal basis: The operation of your user account serves the fulfillment of our corresponding user agreement. The legal basis is accordingly the fulfillment of our contractual obligations to you.

Storage period: Your user data remains active until you or we close your user account and delete the associated data.

5.1.2 Providing the virtual rooms

Description: In order for a web server to make our virtual rooms available to your browser as Internet pages, the server must collect technical data about the device you are using for this purpose, your browser and your Internet access. This is called the logfile or weblog. This is the same data that you necessarily leave behind with every Internet page that you call up. At the center is the IP address from which you call up our pages. To this Internet address, the web server sends you the data you want to see.

Data categories: IP address from which our site was accessed; date and time of access; objects on our website accessed in the browser; type and version of Internet browser; type and version of operating system.

Data recipient (third country transfer, if applicable): Our service provider for hosting the user database, which is bound to data protection via a contract processing agreement, is located in the EEA. The service provider is part of an international group of companies with headquarters in the USA and further subcontractors in various third countries. The resulting data transfer outside the EEA is secured by the conclusion of EU standard data protection clauses.

In the event of attacks on our pages, transfer to forensic experts and investigative authorities commissioned by us. A transfer to third countries does not take place in this case.

Purpose + legal basis: Provision of our website as well as investigations in the event of unlawful access to our websites (e.g. a hacker attack). Legal basis is a legitimate interest, as the operation of a website is not possible without the collection of the weblog. In the specific case of an attack on our website, we have a legitimate interest in being able to provide investigators with circumstantial evidence of how the attack took place.

Storage period: 7 days

5.1.3   Cookie management

Description: For all cookies requiring consent, we ask for your consent before storing them in your browser cache. The decisions you make will in turn be stored in a cookie on your device, so that we do not have to ask for your consent again when you visit our web pages again. You can revise your decision at any time by deleting the corresponding cookie from your device via your browser settings.

Data categories: Consent status (yes/no)

Data recipients (third country transfer, if applicable): None.

Purpose + legal basis: legally compliant consent management for cookies. Legal basis is a legitimate interest, as storing the cookie decision only slightly restricts the rights of visitors and at the same time simplifies the use of the pages on repeated visits. This cookie may also be set without your consent according to the ePrivacy Directive, as the language choice is considered an essential function.

Storage period: until the corresponding cookie is deleted from your browser cache or until the cookie expiration date is reached.

5.1.4   Analysis of user behavior (Matomo)

Description: We use the web analysis service Matomo on the web pages for our virtual rooms. On our behalf, Matomo uses the information collected to create statistical reports about the activities on our website, the regional origin of visitors and technical key data of the devices used to visit our pages.

We have set Matomo in such a way that IP addresses are only processed in abbreviated form in order to limit direct personal reference. Through IP anonymization, the end of your IP address is replaced by zeros immediately after collection.

We have set Matomo in such a way that Matomo stores cookies in your browser when you call up our website in order to be able to assign your activities on our website to a user. This gives us the possibility to determine the quota of returning visitors or to be able to trace usage paths within our internet pages. The cookie does not allow us to identify who you are. The cookie assigns you to a cookie ID as a pseudonym.

We do not pass on the data from Matomo to any third parties. In particular, we do not merge the data with data from advertising networks or use it in any other way for marketing purposes.

You can recognize Matomo’s analytics cookies by the abbreviation pk in their name (Matomo used to be called Piwik).

For more information about Matomo, please visit https://matomo.org/matomo-cloud-privacy-policy/.

Data categories: IP address via which the device goes online; location or country linked to the IP address as well as Internet service provider for Internet access; date and time of access; objects on our website called up (clicked on) in the browser; type and version of Internet browser; type and version of operating system; Internet pages clicked on before and next; Matomo ID stored in the cookie.

Data recipient (third country transfer if applicable): InnoCraft Ltd, 7 Waterloo Quay PO625, 6140 Wellington, New Zealand. InnoCraft (the operator of Matomo Cloud) is obligated to us to observe data protection via an order processing contract. The information collected by the cookies is transferred to servers in the EEA and stored there, so that technically no third country transfer takes place. Legally, the third country transfer to InnoCraft as a New Zealand company is secured via the EU adequacy decision for New Zealand.

Purpose + legal basis: The purpose of this usage analysis is to enable us to further improve our Internet offering based on the analysis findings.

The legal basis is a legitimate interest arising from the fact that the personal reference of the collected data is greatly reduced, for example, by anonymizing the IP addresses, that the data is not combined by us with other data collections. Regardless of this, with regard to the requirements of the ePrivacy Directive, we ask for your consent for the setting of Matomo cookies via our cookie manager.

Storage period: 14 months (Reason: This storage period allows us to export annual reports).

5.1.5    Video Streaming (YouTube)

Description: In some cases, films are shown in our virtual spaces via a video player from YouTube, a subsidiary of Google. When you call up a page equipped with a YouTube player, a connection to YouTube’s servers is established and cookies from Google are set in your browser. This tells Google which of our pages you have visited and which film you have watched. Google sets the following cookies via the YouTube player, for example: CONSENT, GPS, Visitor_Info1_Live, YSC, IDE.

We do not receive any data about your usage behavior with regard to this data collection from Google.

If you are logged into your YouTube or Google account while visiting our site, you enable Google to associate your usage behavior directly with your personal profile. You can prevent this by logging out of your account.

For more information on how Google handles your data, please see Google’s privacy policy at https://www.google.de/intl/de/policies/privacy.

Data categories: IP address from which our site was accessed; date and time of access; films accessed; sharing functions used to recommend the film; type and version of internet browser; type and version of operating system; Google ID stored in cookies.

Data recipient (if applicable, third country transfer): Google LLC, for us as a European organization addressable via Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland. The data collected as part of the YouTube use is transferred to Google servers in the USA and processed there. The resulting data transfer outside the EEA is secured by the conclusion of EU standard data protection clauses.

Purpose + legal basis: We use the YouTube player to provide you with powerful video streaming. The legal basis for the data transfer to Google is your cookie consent for the YouTube player.

Storage period: The storage period is the responsibility of Google. It is not possible to delete data from us, as we do not collect any data from you through the use of YouTube.

5.1.6    Online Chat (tawk.to)

Description: You can contact us or other organizations in our virtual spaces via online chat. The chat function of tawk.to as a cloud provider is integrated into our website. To start the chart, click on the chat widget. This is a standalone program that is launched in your browser window for the chat.

Tawk.to sets cookies after your appropriate consent, so that a continuous conversation with you can be secured: __tawkuuid (6 months), TawkConnectionTime (session).

Details about data protection at tawk.to can be found here: https://www.tawk.to/privacy-policy/

Data categories: Time of the chat; IP address; browser type/version, operating system; URL of the website from which the chat is started; contents of the chat (e.g. name, email address, questions and answers discussed).

Data recipient (if applicable, third country transfer): Tawk.to as cloud provider for the chat widget, which is obligated to data protection via an order processing agreement, is located in the USA. The resulting data transfer outside the EEA is secured by the conclusion of EU standard data protection clauses.

Purpose + legal basis: Provision of an online chat as a communication channel. The legal basis is your consent, which you grant as part of the cookie consent.

Storage period: (variable, depending on the settings of the exhibitor’s user account. Please contact the respective exhibitor).

5.1.7 Online fonts (Google Fonts)

Description: To enable an individual design of the virtual spaces, we use so-called web fonts. Your browser loads these fonts from the Internet to display our pages if the fonts have not yet been loaded in your browser’s memory from a previous visit to a page with this font.

In some cases, fonts are available directly on our own server. In this respect, it is not an independent processing that goes beyond the processing „providing the virtual spaces“. In some cases, we use fonts from Google (Google Fonts). Google enables an outstandingly fast provision of the font files and guarantees the provision of the currently optimal font set.

For the download of the fonts from the Google font servers (gstatic.com), your IP address must be transmitted to Google, as otherwise a transmission of the data package is not possible. Google does not receive any other data from you in connection with this processing.

Data categories: IP address from which your device accesses the Internet, time.

Data recipient (if applicable, third country transfer): Google LLC, for us as a European organization addressable via Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland. The data collected within the scope of Google Fonts is transferred to Google servers in the USA and processed there. The resulting data transfer outside the EEA is secured by the conclusion of EU standard data protection clauses.

Purpose + legal basis: Provision of Google Fonts in a fast and up-to-date form. The legal basis is a legitimate interest, as only the IP address of your device is transferred as part of this processing, without any further references to your use of the Internet.

Storage period: The storage period is the responsibility of Google. It is not possible to delete data from us, as we do not collect any data from you through the use of Google Fonts.

5.1.8 Contact form

Description: Our virtual rooms have contact forms. You can use them to send messages to us or to the specific organizations presented in the virtual space. Your voluntary input will technically be sent to the recipient as an e-mail. If you write to another organization in the virtual space, that organization becomes the recipient of your data for further processing.

Data categories: See the processing operations „Provision of virtual spaces“ and „E-mail communication“.

Data recipients (if applicable, third country transfer): See the processing operations „Providing the virtual rooms“ and „E-mail communication“.

Purpose + legal basis: providing a contact form as an additional way to contact us or other organizations in the virtual space. The legal basis is, depending on the content of your contact, the preparation of a contract performance or a legitimate interest.

Storage period: See the processing operations „Provision of a website“ and „E-mail communication“.

5.2 Direct communication with us

5.2.1 E-mail communication

Description: When you send us an e-mail, it arrives in at least one of our e-mail inboxes. The content of your e-mail and the metadata accompanying it (sender, time of sending, etc.) are stored on the e-mail servers of our hosting provider. In addition, after retrieval from the server, they may be stored in the email programs on the devices that have access to the mailbox (computers, smartphones, tablets). The same applies to e-mails that we send to you.

The specific processing of personal data in an e-mail depends on the thematic content of the e-mail. Obviously, we include your data in our contact directory for customers, business partners and other contacts.

Data categories: Name, e-mail address; time of delivery or dispatch; other metadata that typically arise during e-mail communication; other personal information in the content of the e-mail, such as other contact data in e-mail signatures, inquiries, orders, offers or complaints by e-mail.

Data recipient (third country transfer, if applicable): our service provider for email hosting, which is bound to data protection via an order processing agreement, is located in the EEA. The service provider is part of an international group of companies with headquarters in the USA and further subcontractors in various third countries. The resulting data transfer outside the EEA is secured by the conclusion of EU standard data protection clauses. As far as you use a hosting service provider outside the EEA for your mailbox or retrieve our emails from outside the EEA, this is not our responsibility.

Purpose + legal basis: communication by e-mail. Legal basis is, depending on the content of the correspondence, preparation or fulfillment of a contract or a legitimate interest in answering your e-mail.

Storage period: Depending on the content of the correspondence; for example, commercial law requires business letters to be stored for six years, but other documentation requirements may result in longer storage periods.

5.2.2 Telephone calls

Description: If we call each other via our central number or a mobile number, our devices record your number and the time of the call.

If we call each other using the extension number of one of our employees, our cloud-based telephone system in conjunction with our softphones (apps for making phone calls) records your number and the time of the call.

If the content of the call suggests this, we create a call note and document it in the appropriate place (e.g., for applicants and employees in HR). It is conceivable that we will include your data in our contact directory for further communication.

Audio recordings of conversations will only take place in exceptional circumstances and after we have obtained your explicit consent to do so.

Data categories: Telephone number; time of conversation; content of conversation, if applicable.

Data recipients (if applicable, transfer to third countries): Telecommunications providers who are subject to telecommunications secrecy. In this respect, a transfer to third countries only takes place in the case of corresponding international telephone calls.

Our service provider for the cloud-based telephone system for the extension numbers, which is obligated to data protection via an order processing agreement, is located in the EEA. The service provider is part of an international group of companies with headquarters in the USA and further subcontractors in various third countries. The resulting data transfer outside the EEA is secured by the conclusion of EU standard data protection clauses.

Purpose + legal basis: communication by telephone call. Depending on the content of the conversation, the legal basis is preparation or fulfillment of a contract or a legitimate interest in exchanging information with you.

Storage period: Depending on the content of the conversation. Individual call notes may be subject to the six-year retention requirement for business letters under commercial law.

5.2.3 Letter mail

Description: If you send us a letter, we regularly respond to it with a letter that we create on the computer and save as a file. We often scan your letter in order to archive it as part of digital office management. The specific processing of personal data in our correspondence depends on the thematic content of the letters and the resulting retention obligations. It is conceivable that we may include your data in our contact directory for further communication.

Data categories: Name + address; personal data in the content of the letters such as further contact data in your letterhead, inquiries, orders, offers, complaints or other topics.

Data recipient (if applicable, transfer to third countries): postal service provider. A transfer to third countries only takes place if the shipment goes to an address outside the European Economic Area. In these cases, data protection is guaranteed by international agreements on postal secrecy.

Purpose + legal basis: communication by letter. Depending on the content of the correspondence, the legal basis is preparation or fulfillment of a contract or a legitimate interest in exchanging information with you.

Storage period: Depending on the content of the correspondence; in principle, commercial law requires business letters to be stored for six years.

5.2.4 Video conference

Description: If you take part in a video conference with us to which we have (technically) invited you, the responsibility for data processing through this communication lies with us. When we invite you to a conference, we send a URL related to the specific conference with the appointment. Based on the concrete URL, you can see whether we have invited you to a conference in a video conferencing system operated by us (via Jitsi as an application) or via an external cloud provider such as Microsoft Teams or Zoom.

You can participate in a video conference via an app from the chosen provider or via your internet browser.

Participation as a guest is possible, so you do not need your own user account with the selected provider. When dialing into the conference, you will be asked to give yourself a participant name, for example, to be able to assign verbal messages in the chat to your person. You can also use fantasy names here.

The conference application asks for your permission to access your microphone and camera. You can give any of these permissions, but you don’t have to if you want to follow a conference without active participation, for example.

Conferencing applications provide you with complementary features in addition to audio and video: an accompanying chat for textual exchanges, word messages via iconicons, artificial background image. Conferences can be recorded. If a conference is to be recorded, we inform all participants in advance and only start the recording when all participants have given their consent to the recording. Audio recordings can be transcribed into a text file.

Unless there is an expressly agreed recording, the conference will not be stored by us in any way. After the conference has ended, the contents of an unrecorded conference can no longer be accessed. In this respect, this corresponds to telephone conversations that were not recorded.

It is technically possible for any participant to make screenshots or a recording of the conference in whole or in part using means outside the conference application. Such behavior without appropriate coordination with all participants constitutes a data protection violation by the acting person and, if it is not one of our employees, is beyond our responsibility. Surreptitious recording of the spoken word may constitute a criminal offense under Section 201 of the German Criminal Code (StGB). We reserve the right to take legal action of any kind against persons who use their participation in a video conference to engage in conduct that is hostile to data protection.

As the host (moderator) of the conference, we have the technical means to mute you or render you imageless/black, to change your user name and to exercise other moderator functions without your involvement. We only use such possibilities if there is a need to do so.

As far as data processing is concerned that is not directly related to the specific conference, the responsibility does not lie with us but directly with the cloud providers. This applies, for example, to the download of the video conference app. By downloading an app to your end device, you establish an independent legal relationship between yourself and the cloud provider. In some cases, responsibility also lies with the organization (e.g. your employer) that provides you with your personal user account.

The data transfer between your terminal device and the conference server requires that the provider takes note of the IP address through which you are online during the video conference. The servers also collect all types of data that are regularly generated during the use of telemedia services.

Data categories: User name, participation times, video or audio signal, video or audio recording (only with consent), audio transcript (only after recording), actions in the chat, status request to speak, profile data (profile picture, contact data, background picture), telephone number (if participating by telephone); further data categories such as IP address or e-mail address may be processed by the provider under its own responsibility.

Data recipient (if applicable, third country transfer): If we use our own video conferencing application, our hosting service provider is located in the EEA; there is no third country transfer.

If we use a cloud service provider that is bound by a data protection order processing agreement, they are located in the EEA, but are part of an international group of companies with headquarters in the USA and further subcontractors in various third countries, or are located directly in the USA. The resulting data transfer outside the EEA is secured by the conclusion of EU standard data protection clauses.

Purpose + legal basis: Use of a video conference. Depending on the content of the conversation, the legal basis is preparation or fulfillment of a contract or a legitimate interest in exchanging information with you. For recordings, consent is the legal basis.

Storage period: If no recording takes place, all data is deleted at the end of the conference. If the conference was recorded, the recording is deleted as soon as the last purpose for which the recording was made has been achieved.

5.2.5 Contact directory + business cards

Description: If we are likely to be in contact with you again in the future, we will store your contact details in our contact directory so that we can recognize you as a known contact when you call or e-mail us, or so that we can continue to contact you. If you give us your business card, we will add your information to our contact directory.

Data categories: Name, contact details (address, telephone, fax, e-mail), your company, your company’s business area, your job title, your area of responsibility, place, time and circumstance of contact, as well as any special notes on your availability or the business topics addressed.

Data recipient (if applicable, third country transfer Our service provider for hosting our contact directory, which is obligated to data protection via an order processing agreement, is located in the EEA. The service provider is part of an international group of companies with headquarters in the USA and further subcontractors in various third countries. The resulting data transfer outside the EEA is secured by the conclusion of EU standard data protection clauses.

Purpose + legal basis: maintaining contacts. Legal basis is a legitimate interest, as you have voluntarily given us your business card.

Storage period: We store your data until you ask us to delete it – unless a business relationship has arisen between us in the meantime, from which independent storage obligations arise for us regarding your contact data.

5.3 Visiting our Internet pages

5.3.1 Providing our Internet pages

Description: In order for a web server to make our Internet pages available to your browser, the server must collect technical data about the device you are using, your browser and your Internet access. This is referred to as the log file or web log. This is the same data that you necessarily leave behind with every Internet page that you call up. At the center is the IP address from which you call up our pages. To this Internet address, the web server sends you the data you want to see.

Data categories: IP address from which our site was accessed; date and time of access; objects on our website accessed in the browser; type and version of Internet browser; type and version of operating system.

Data recipients (third country transfer, if applicable): Our hosting service provider, which is bound to data protection via an order processing agreement, is located in the EEA. There is no data transfer outside the EEA. In the event of attacks on our pages, data is passed on to forensic experts and investigating authorities commissioned by us. A transfer to third countries does not take place.

Purpose + legal basis: Provision of our website as well as investigations in the event of unlawful access to our websites (e.g. a hacker attack). Legal basis is a legitimate interest, as the operation of a website is not possible without the collection of the weblog. In the specific case of an attack on our website, we have a legitimate interest in being able to provide investigators with circumstantial evidence of how the attack took place.

Storage period: 7 days

5.3.2 Cookie management

Description: For all cookies requiring consent, we ask for your consent before storing them in your browser cache. The decisions you make will in turn be stored in a cookie on your device, so that we do not have to ask for your consent again when you visit our web pages again. You can revise your decision at any time by deleting the corresponding cookie from your device via your browser settings.

Data categories: Consent status (yes/no)

Data recipients (third country transfer, if applicable): None.

Purpose + legal basis: legally compliant consent management for cookies. Legal basis is a legitimate interest, as storing the cookie decision only slightly restricts the rights of visitors and at the same time simplifies the use of the pages on repeated visits. This cookie may also be set without your consent according to the ePrivacy Directive, as the language choice is considered an essential function.

Storage duration: Until the corresponding cookie is deleted from your browser cache or until the cookie expiration date is reached.

5.3.3 Contact form
Description: Our Internet pages have a contact form. You can use it to send us messages, e.g. if you do not have your own e-mail address or do not want to use it for the message to us. Your voluntary input is technically sent to us as an e-mail (even if you have not entered an e-mail address as sender).

As soon as you send your message, the data processing corresponds to sending an e-mail to our central contact address. While you are on the website and enter your information in the form, the data processing corresponds to calling up any of our websites.

Data categories: See the processing operations „Provision of a website“ and „E-mail communication“.

Data recipients (transfer to third countries, if applicable): See the processing operations „Provision of a website“ and „E-mail communication“.

Purpose + legal basis: Provision of a contact form as an additional way to contact us. Depending on the content of your contact, the legal basis is the preparation of a contract performance or a legitimate interest.

Storage period: See the processing operations „Provision of a website“ and „E-mail communication“.

5.3.4 Online fonts (Google Fonts)

Description: To enable an individual design of our internet pages, we use so-called web fonts. Your browser loads these fonts from the Internet to display our pages if the fonts have not yet been loaded in your browser’s memory from a previous visit to a page with this font.

In some cases, fonts are available directly on our own server. In this respect, it is not an independent processing that goes beyond the processing „providing our Internet pages“. In some cases, we use fonts from Google (Google Fonts). Google enables an outstandingly fast provision of the font files and guarantees a provision of the currently optimal font set.

For the download of the fonts from the Google font servers (gstatic.com), your IP address must be transmitted to Google, as otherwise a transmission of the data package is not possible. Google does not receive any other data from you in connection with this processing.

Data categories: IP address from which your device accesses the internet, time

Data recipient (if applicable, third country transfer): Google LLC, for us as a European organization addressable via Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland. The data collected within the scope of Google Fonts is transferred to Google servers in the USA and processed there. The resulting data transfer outside the EEA is secured by the conclusion of EU standard data protection clauses.

Purpose + legal basis: Provision of Google Fonts in a fast and up-to-date form. The legal basis is a legitimate interest, as only the IP address of your device is transferred as part of this processing, without any further references to your use of the Internet.

Storage period: The storage period is the responsibility of Google. Data deletion on our part is not possible, as we do not collect any data from you through the use of Google Fonts.

5.3.5 Video streaming (YouTube)

Description: Our website shows movies via a video player from YouTube, a subsidiary of Google. When you call up a page equipped with a YouTube player, a connection is established to YouTube’s servers and cookies from Google are set in your browser. This tells Google which of our pages you have visited and which film you have watched. Google sets the following cookies via the YouTube player, for example: CONSENT, GPS, Visitor_Info1_Live, YSC, IDE.

We do not receive any data about your usage behavior with regard to this data collection from Google.

If you are logged into your YouTube or Google account while visiting our site, you enable Google to associate your usage behavior directly with your personal profile. You can prevent this by logging out of your account.

For more information on how Google handles your data, please see Google’s privacy policy at https://www.google.de/intl/de/policies/privacy.

Data categories: IP address from which our site was accessed; date and time of access; films accessed; sharing functions used to recommend the film; type and version of internet browser; type and version of operating system; Google ID stored in cookies.

Data recipient (if applicable, third country transfer): Google LLC, for us as a European organization addressable via Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland. The data collected as part of the YouTube use is transferred to Google servers in the USA and processed there. The resulting data transfer outside the EEA is secured by the conclusion of EU standard data protection clauses.

Purpose + legal basis: We use the YouTube player to provide you with powerful video streaming. The legal basis for the data transfer to Google is your cookie consent for the YouTube player.

Storage period: The storage period is the responsibility of Google. It is not possible to delete data from us, as we do not collect any data from you through the use of YouTube.

5.4 Marketing communication

5.4.1 Google My Business

Description: We operate a company profile on Google My Business („GMB“). Via GMB, we publish information about us, from which the presentation of our company in various services of Google is fed. This applies in particular to the presentation of our company in the results display for Google Search and in Google Maps. Google provides us with statistical data on the use of our information published on GMB. In addition, you can contact us directly through GMB – e.g. call our phone number directly – or post comments on our company profile. When you contact us or comment on our profile, we receive data about you from Google, such as your Google username that you were logged in with during your interaction with GMB.

We have no possibility to influence the data processing at Google. The provision of GMB as well as Google Search and Google Maps are the responsibility of Google. Legally, we as the operator of the GMB profile are considered jointly responsible for these data processing operations, so we have concluded a joint responsibility agreement with Google in this regard (see: https://privacy.google.com/businesses/controllerterms/). The contract divides the responsibility between Google and us in such a way that we are responsible for the creation of a relationship between your data and our GMB profile and Google is responsible for the further processing of the data. You should exercise all your rights with respect to Google’s processing of your data directly with Google. You should contact us regarding the processing of your data in direct communication with us. Legally, you are free to contact both Google and us with any of your concerns at any time, and the recipient will forward your request to the appropriate party as appropriate.

For details of Google’s data processing, please refer to Google’s privacy information (https://policies.google.com/privacy).

We use the personal data we receive from you through GMB to respond to your inquiries or to respond to your comments.

Data categories: For the categories of data processed by Google, see Google’s privacy information. We process your name or username provided to Google, your contact requests and the comments you post on GMB.

Data recipient (if applicable, third country transfer): Google LLC, for us as a European organization addressable via Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland. Google is committed to data protection via a shared responsibility agreement. Data transfers outside the EEA are secured by the conclusion of EU standard data protection clauses.

Purpose + legal basis: answering your inquiries and responding to your comments on Google My Business. The legal basis for processing by us is a legitimate interest, as you yourself have visited our GMB profile in a Google service and entered into an exchange with us there.

Storage period: The storage period is the responsibility of Google. Data deletion by us is not necessary, as we do not store any data from you independently through the use of GMB.

5.5 Our social media profiles

5.5.1 Facebook and Instagram

Description: We operate company profiles (also called fan pages) on Facebook and Instagram. Such a fan page enables us to present our organization on Facebook or Instagram, to get in touch with you on this social media platform and to refer to our services and offers via ads on these platforms.

Facebook provides us with analytics data about the use of our Fanpage (called Page Insights or Page Insights). This gives us an impression of how successful each of our communication measures is.

For details of data processing by Facebook, please refer to Facebook’s data protection information: https://www.facebook.com/about/privacy.

In accordance with a ruling of the European Court of Justice, the use of this analytics data is carried out under shared responsibility with Facebook pursuant to Article 26 DSGVO. Facebook has provided a shared responsibility agreement accordingly (https://www.facebook.com/legal/terms/page_controller_addendum). In the agreement, Facebook has assumed sole responsibility for all data processing issues. If you wish to exercise your rights under the GDPR with respect to data processed in Page Insights, you should contact Facebook directly through your Facebook account. However, in accordance with the legal rules on shared responsibility, you are also free to contact us with your concern. We would then pass your concern on to Facebook.

Data categories: Facebook username; comments, likes and page views within Facebook or Instagram, as well as time of action.

Data recipient (if applicable, third country transfer): Facebook Inc, for us as a European organization addressable via Facebook Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. Data transfer outside the EEA are secured by the conclusion of EU standard data protection clauses.

Purpose + legal basis: Analysis of usage behavior on our fan page or Instagram profile. The legal basis is the consent that you have given in the context of your Facebook registration.

Storage period: The storage period is the responsibility of Facebook.

5.5.2 Twitter

Description: We operate a company profile on Twitter. Such a Twitter profile enables us to present our organization on Twitter, to contact you on this social media platform and to refer to our services and offers via advertisements on these platforms.

Twitter provides us with analytics data about the use of our profile page (Twitter Analytics). This gives us an impression of how successful each of our communication measures is.

For details of data processing at Twitter, please refer to Twitter’s data protection information: https://twitter.com/de/privacy

Data categories: Twitter user name; comments, likes and page views within Twitter as well as time of action.

Data recipient (if applicable, third country transfer): Twitter Inc, addressable to us as a European organization via Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07, Ireland. Data transfer outside the EEA are secured by the conclusion of EU standard data protection clauses.

Purpose + legal basis: Analysis of usage behavior on our Twitter profile. The legal basis is the consent you have given as part of your Twitter registration.

Storage period: The storage period is the responsibility of Twitter.

5.5.3 LinkedIn

Description: We operate a company profile on LinkedIn. Such a LinkedIn profile enables us to present our organization on LinkedIn, to contact you on this social media platform and to refer to our services and offers via advertisements on these platforms.

LinkedIn provides us with analytics data about the use of our profile page. This gives us an impression of how successful each of our communication measures is.

The data protection information of LinkedIn applies to the details of data processing at LinkedIn: https://www.linkedin.com/legal/privacy-policy

Data categories: LinkedIn username; comments, likes and page views within LinkedIn as well as time of action.

Data recipient (if applicable, third country transfer): LinkedIn Corp, addressable to us as a European organization via LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland. Data transfer outside the EEA are secured by the conclusion of EU standard data protection clauses.

Purpose + legal basis: Analysis of usage behavior on our LinkedIn profile. The legal basis is the consent you have given as part of your LinkedIn registration.

Storage period: The storage period is the responsibility of LinkedIn.

5.6 Clients, suppliers and service providers

5.6.1 Business relationship

Description: From our suppliers and service providers who are self-employed persons or partnerships, or our contacts at such organizations, we process personal data as a customer in order to be able to communicate with you about the processing of the order.

In addition to the substantive communication, your data is typically processed in the separately described processing operations for „communication with us“ (see there).

Data categories: Contact, contract and invoice data

Data recipients (if applicable, third country transfer): tax consultants, auditors, lawyers in their function as professional secrecy holders.

Purpose + legal basis: Proper business management. Legal bases are contract fulfillment as well as legal obligations and legitimate interests.

Storage period: In accordance with tax law, invoice data must be stored for 10 years; contract data must be stored for different periods depending on the type of contract. In the case of copyrights, such periods extend up to 70 years beyond the death of the author.

5.6.2 Project management

Description: We use project management applications, mostly as cloud applications, to collaborate with our clients and service providers. In some cases, we also provide our business partners with access to project management in order to jointly manage project communication.

Images can be uploaded in the user profiles. This is done voluntarily and the upload is to be understood as consent to the processing of the photo.

Data categories: Login data (email address, password), profile data (name, title, organization/company, job title, profile photo), content data (comments, messages, project descriptions), activity history (timestamp, browser actions).

Data recipients (third country transfer, if applicable): Our service providers for the project management applications, who are obligated to data protection via an order processing agreement, are located in the USA. The resulting data transfer outside the EEA is secured by the conclusion of EU standard data protection clauses.

Purpose + legal basis: project management based on modern applications. Legal basis is a legitimate interest, as only project-related data of business partners flows in here. For the processing of profile pictures, consent expressed through the upload is the legal basis. This consent can be revoked at any time by removing one’s own picture.

Storage period: After completion of a project, it is stored for 6 years in accordance with the retention obligations under commercial law for business letters.

5.7 Job applications

5.7.1 Applications

Description: If you apply for a job with us, we will process your application documents until the application process is completed exclusively for the purpose of deciding whether to hire you. We limit access to your documents to those persons whom we reasonably involve in the decision about your hiring. If you are hired, your application documents will become part of your personnel file. If hiring does not occur, we will either ask for your consent to be included in our candidate pool or return or destroy your records as soon as it is no longer reasonable to expect opposition to our decision under anti-discrimination law.

Data categories: Name + contact details (e-mail, telephone, address), photo, profile URL in professional networks (e.g. Xing); details in the letter of application, in the CV, in certificates and references, educational certificates and professional qualifications, notes on job interviews (by telephone and in person), results from recruitment tests, if applicable.

Data recipient (if applicable, third country transfer): Our service provider for e-mail hosting, which is bound to data protection via an order processing agreement, is located in the EEA. The service provider is part of an international group of companies with headquarters in the USA and further subcontractors in various third countries. The resulting data transfer outside the EEA is secured by the conclusion of EU standard data protection clauses.

Purpose + legal basis: Decision-making basis for filling a position. Legal basis is preparation of a contract performance (employment contract) and subsequently a legitimate interest in the defense of objections against negative decisions.

Storage period: 6 months after completion of the original application process.

5.7.2 Candidate pool

Description: If we are unable to offer you a suitable position at present, but would like to consider you again in the selection process for future vacancies, we request your consent to retain your application documents beyond the end of the current application process. If we are unable to get back to you for more than two years, we will ask for your consent to keep them again or return or delete your documents.

Data categories: Name + contact details (e-mail, telephone, address), photo, profile URL in professional networks (e.g. Xing); details in the letter of application, in the CV, in certificates and references, training certificates and professional qualifications, notes on job interviews (by telephone and in person), results from recruitment tests, if applicable.

Data recipient (if applicable, third country transfer): Our service provider for e-mail hosting, which is bound to data protection via an order processing agreement, is located in the EEA. The service provider is part of an international group of companies with headquarters in the USA and further subcontractors in various third countries. The resulting data transfer outside the EEA is secured by the conclusion of EU standard data protection clauses.

Purpose + legal basis: Decision-making basis for future staffing. Legal basis is consent.

Storage period: 2 years since last contact or last consent.

5.8 General infrastructure

5.8.1 Invoicing and financial accounting

Description: Insofar as our customers are self-employed or part of a partnership, we process personal data from you when we send you our invoices. We create our invoices in a cloud application for accounting and bookkeeping.

All payments are recorded in the financial accounting system. In the process, the person of the payer or payee is documented. In the case of legal entities, this sometimes also includes the names and contact details of contacts for the transaction. In some cases, the reason for payment also results in statements about persons or the activity of a person (e.g., in the case of salary/fee payments, travel bookings, expense reimbursements)

Data categories: Name, address, date, customer/supplier and invoice number, invoice amount and invoice content, bank details or credit card data, reason for payment, travel data (time, destination, accommodation, means of transport, costs), hospitality (date, place/hospitality establishment, persons hosted, reason for hospitality, costs), information on other expenses (purchases, gifts)

Data recipient (if applicable, third country transfer): Our service provider for the cloud application for bookkeeping and accounting, which is committed to data protection via a data processing contract, is located in the EEA. Tax consultants, auditors, lawyers in their function as professional secrecy holders. There is no data transfer outside the EEA.

Purpose + legal basis: administration of all payment transactions. Legal basis is contract performance or legal obligation (tax and commercial law).

Storage period: We keep the data in the financial accounting system for 10 years.

5.8.2 Payment transfers

Description: Payments via a bank or credit card account from us are documented accordingly in the account statements.

Data categories: Name, bank details, payment date, payment amount, reason for payment (posting text).

Data recipient (if applicable, third country transfer): Our account-holding financial institutions, which are legally bound to data protection via banking secrecy and banking supervision. A third country transfer does not take place.

Purpose + legal basis: Cashless payment transactions; legal basis is contract fulfillment.

Storage period: We keep account statements for 10 years.

5.8.3 File storage

Description: In addition to data collection in individual databases (described previously), we store documents on our storage media. This typically includes Office documents (Word, Excel, PowerPoint), PDF files, images, movies, layouts, other formats of text, spreadsheet and presentation files, and ultimately any type of file whose use is appropriate in the context of our business processes.

The data protection issues relating to the content of the files depend on the relevant processing purposes in each case. In parallel, the storage of the files and the metadata regularly attached to them (primarily the creator signature) results in independent processing. Office documents in particular contain personal metadata when they are worked on jointly (collaboration) and the comment and note functions as well as the change mode are used for this purpose.

We use both local servers for file storage and cloud solution for this at the same time.

Data categories: Any kind of data, but here focus on metadata: signature of file creator, signatures of file editors (also in comments + notes); time of creation, editing or storage.

Data recipient (third country transfer, if applicable): Our primary service provider for the cloud storage, which is bound to data protection via an order processing agreement, is located in the EEA. The service provider is part of an international group of companies with headquarters in the USA and further subcontractors in various third countries. Other service providers used in isolated cases who are bound by a data protection order processing agreement are located in the USA. The resulting data transfer outside the EEA is secured by the conclusion of EU standard data protection clauses.

Purpose + legal basis: file storage in a high-performance data center and use of modern search functionalities. Legal basis is a legitimate interest, as processing is carried out as part of order processing.

Storage period: Depending on the storage period for the individual file.

5.8.4 Disposal of data carriers and documents

Description: The deletion or destruction of data also constitutes data processing. Paper documents with personal data requiring corresponding protection are shredded at our company or occasionally disposed of via the sealed garbage cans of a professional document shredder. The quality level of the shredder used or the level of document destruction agreed with the service provider corresponds to the risk or confidentiality classification of the documents to be destroyed.

Storage media (hard drives e.g. from servers, computers, smartphones, tablets, USB sticks, memory cards) on which personal data worthy of protection was previously stored will be securely deleted by our IT administration by multiple, at least triple, complete overwriting if they are no longer to be used for storing this data. The level of erasure or destruction will be commensurate with the risk or confidentiality rating of the data previously stored on the media.

Data Categories: Any type of data

Data recipients (third-country transfer, if applicable): Service providers for the professional destruction of paper documents and storage media who are obligated to comply with data protection via order processing contracts. A third country transfer does not take place.

Purpose + legal basis: Risk-compliant destruction or deletion of personal data. The legal basis is the legal obligation to minimize and delete data from the DSGVO:

Storage duration: Storage beyond the deletion/destruction does not take place.

5.8.5 Legal prosecution

Description: In the event that we become involved in a legal dispute with you, we will disclose data about you and the circumstances of the dispute to attorneys and, if necessary, to courts.

Data categories: Name, contact details, details of the subject matter of the dispute

Data recipients (third country transfer if applicable): lawyers, courts, bailiffs. All recipients are bound to confidentiality as a state institution or as a professional secrecy holder. A third country transfer does not take place so.

Purpose + legal basis: legal prosecution. The legal basis is the legitimate interest in seeking legal assistance from lawyers and, if necessary, courts, if required.

Storage period: The named recipients of your data process the according to their own specifications to the extent necessary to fulfill the respective task. We store the data relating to a legal dispute until the final conclusion of the dispute, including all relevant limitation and objection periods. Should a repetition of a comparable dispute with you or other employees be conceivable, we will store at least the documents that are decisive for the proceedings – if necessary in anonymized form – for a correspondingly longer period.

5.8.6 Data protection management

Description: If you assert your data protection rights against us, we document the associated communication and processes in our data protection management application.

Data categories: Name, contact data, information on the data protection request.

Data recipients (third country transfer, if applicable): Our data protection officer, who is legally bound to confidentiality, is located in the EEA. Our service provider for the cloud application for data protection management, who is obligated to data protection via an order processing agreement, is located in the EEA. A third country transfer does not take place so.

Purpose + legal basis: data protection management. Legal basis is the legal accountability from the DSGVO.

Storage period: We store the data relating to a legal dispute until the final conclusion of the dispute, including all relevant limitation and objection periods. Should the repetition of a comparable dispute with you or other employees be conceivable, we will store at least the documents that are decisive for the proceedings – if necessary in anonymized form – for a correspondingly longer period.

Last updated: January 2021