We collect information that you provide when using our website. We collect it for the purpose of processing and initiating business relationships, including when you contact us. This includes accessing your user account (if you have one) in our Service Portal and Careers Portal. If you create a user account within our Service Portal or Careers Portal, we collect and process your login information and the information you enter.

We also process the data you provide if you handed us out your business card (e.g. at a trade fair).

Personal data that we collect and store in this way may include:

• IP address and usage data created when you access our website (the domain name or IP address of the requesting computer, access date, client file request (file name and URL), HTTP response code and website from which you visit us, and number of bytes transferred via the connection);
• Name and address and other contact details (phone numbers, email address, fax number, etc.), register numbers, account information and the details of the relevant contact persons, if you maintain a business relationship with us, register with us on the Service Portal or Careers Portal or maintain a user account with us, and the data required for the provision of services.
• Name and other contact details (such as phone number, postal address and email address) if you provide them during a call or via another method of contact with us.

All personal data will be collected only where legally permissible or if you have given your consent respectively.

We use your personal data to enable you to use our website.

We generally use your personal data when you create a customer account in the Service Portal or Careers Portal and we process the data required for the use of your account. We also process the data that arises when a business relationship is established or performed and/or when you contact us.

In addition, we use data that has become lawfully known to us within the scope of art. 21 GDPR. We use it for the purpose of advertising our own products by post, email or telephone, unless you have objected under art. 21 (3) GDPR.

We will not sell or market your personal data to third parties.

Data is not transferred to non-EU countries unless such transfer is permissible under GDPR and BDSG.

We process the aforementioned personal data in accordance with GDPR and BDSG.

Your personal data is processed so that you can use our website. We also process your data when you log into our Service Portal or Careers Portal and for the maintenance and design of these portals and our services. The purpose of the data processing and the necessity for it are primarily determined by the purposes provided for under the aforementioned legal relationships.

Your data is also processed to enable us to respond to your queries and to initiate commercial or similar relationships.

For the aforementioned purposes, we may also have to pass on your data to affiliated companies within the meaning of sections 15 et seq. Stock Corporation Act (AktG)or external service providers respectively.

To the extent necessary for our purposes, and in order to safeguard our legitimate interests or those of third parties, we will process your data beyond the actual performance of the contract or preliminary contract, unless your interests outweigh our interest in doing so.

• Anonymisation of IP addresses for statistical purposes when you use our website; data security and optimisation of our website.
• Measures that may be taken for the data security of our website (e.g. storage of IP addresses) if deemed appropriate given the level of risk.
• If we have informed you that we will use your email address, as provided by you when registering for the Service Portal or Careers Portal or otherwise lawfully collected under Art. 21 (2) to (4) GDPR, for the direct advertising of our products and you have not objected, then we may send you advertising via email.
• Establishing and performing relationships for purposes of expediency and beyond those strictly necessary (e.g. answering inquiries).
• Establishing and performing a business relationship as part of provision of service.

If you give us consent to process your personal data for a specific purpose in accordance with existing guidelines, we will process this data in accordance with the consent provided.

We will process your personal data to the extent that we are legally obliged to do so (e.g. under statutory provisions for the retention of data, monitoring purposes or providing information to official bodies).

We use cookies, device identifiers and other information that is collected from your device or stored on it in the form of small text files for a limited period of time and that may also contain personal data (e.g. IP address, location-related data, login data) (Art. 6 (1a), (b), (c), (f) GDPR, §§ 13 (7), (14), (15) Telemedia Act (TMG), § 98 Telecommunications Act (TKG)). We may combine this data with data from offline data sources if you have given us your consent (Art. 6 (1a) GDPR). We process this data in order to:

• A) Improve systems and software and develop new products (Art. 6 (1) (f) GDPR);
• B) Monitor and prevent fraudulent activity and ensure that systems and processes function properly and safely (Art. 6 (1b), (c), (f) GDPR, § 13 (7) TMG); and
• C) Measure the performance of advertisements and content and gain insights about target groups in order to personalize advertisements and content (Art. 6 (1a) (f) GDPR).

For these purposes, various devices can be classified as belonging to you or your household (Art. 6 (1a) (f) GDPR). As the case may be, we share this information with third parties, which you can see in the options (Art. 6 (1a) (f) GDPR).

We process all data for web tracking purposes based on the IAB Europe Transparency and Consent Framework (TCF). Developed by IAB Europe, the TCF establishes a binding framework for all stakeholders to comply with GDPR and Directives 2002/58/EC (ePrivacy Directive) and 2009/136/EC (Cookie Directive) and to create maximum transparency for users.

Based on the TCF, we process data for the following purposes and on the following legal grounds:

1. Storing and/or collecting information on a device (Art. 6 (1) (f) GDPR, Art. 5 (3) Directive 2002/58/EC)
   • This purpose serves solely for storing or accessing information on a device via, for example, cookies and device identifiers for the purposes specified below.

1. Selection of advertisements (Art. 6 para. 1a GDPR)

1. • To select advertisements and display them to you, we or our affiliated service providers (vendors) may:
     • use real-time information about the context in which an advertisement is shown, including content and device information such as device type and features, user agent, URL and IP address;
     • use approximate (i.e. within a radius of at least 500 meters) geolocation data from a user;
     • control the frequency of ads displayed to a user;
     • arrange the order in which advertisements are displayed to a user;
     • prevent an advertisement from being displayed in an inappropriate editorial context.
   • Neither we nor vendors may:
     • unless legally permitted, use this information to create a personalized advertisement profile for the selection of future advertisements.

1. Creating a personalized advertisement profile (Art. 6 (1a) GDPR)

1. • For the purposes of creating a personalized advertisement profile, we and our vendors may:
     • collect information about a user, including activity, interests, website or app visits, demographic information or location, to create or edit a user profile for personalized advertising purposes;
     • combine this information with other previously collected information, including from other websites and apps, to create or edit a user profile for personalized advertising purposes.

1. Selection of personalized advertisements (Art. 6 (1a) GDPR)

1. • To select personalized advertisements, we and our vendors may:
     • select personalized advertisements based on a user profile or other historical user data, including a user’s previous activity, interests, website or app visits, location or demographic information.

1. Creation of personalized content profiles (Art. 6 (1f) GDPR)

1. • To create a personalized content profile, we and our vendors may:
     • collect information about a user, including activity, interests, website or app visits, demographic information or location to create or edit a user profile for personalized content purposes;
     • combine this information with other previously collected information, e.g. from different websites and apps, in order to create or edit a user profile for personalized content purposes.

1. Selection of personalized content (Art. 6 (1f) GDPR)

1. • To select personalized content, we and vendors may:
     • select personalized content based on a user profile or other historical user data, including a user’s previous activity, interests, website or app visits, location or demographic information.

1. Measuring exposure of advertisements (Art. 6 (1f) GDPR)

1. • To measure exposure of advertisements, we and vendors may:
     • measure how ads have been displayed and whether and how users interact with them;
     • provide reports on ads, including their effectiveness and performance;
     • provide reports on users who have interacted with ads, using data collected during the user’s interaction with those advertisements;
     • create reports on the advertisements displayed via telemedia;
     • measure whether an advertisement is displayed in a brand-safe editorial environment;
     • determine the percentage of views of an advertisement and for how long it was viewed;
     • combine this information with other previously collected information, including from other websites and apps.
   • Neither we nor vendors may:
     • without legal grounds apply to advertisement metrics user group insight data derived from panels or similar sources in order to apply market research to generate audience insights.

1. Measuring exposure of advertisements (Art. 6 (1f) GDPR)

1. • To measure exposure of content, we and vendors may:
     • measure and report how content is delivered to and interacted with by users;
     • provide reports containing directly measurable or known information on users who have interacted with the content;
     • combine this information with other previously collected information, including from other websites and apps.
   • Neither we nor vendors may:
     • without legal grounds measure whether and how users have received and interacted with advertisements (including native advertisements);
     • without legal grounds apply to advertisement reach measurements audience insight data derived from panels or similar sources in order to apply market research to generate audience insights.

1. Application of market research to gain audience insights (Art. 6 (1a) GDPR)

1. • For the application of market research in order to gain audience insights, we and vendors may:
     • provide advertisers or their representatives with aggregated reports on audiences reached by their advertisements;
     • using panel-based and similarly derived insights, provide aggregated reports on target audiences who have been served with or have interacted with content and/or advertisements on telemedia;
     • link offline data to an online user for market research purposes in order to gain audience insights, provided vendors have stated they match and combine offline data sources;
     • combine this information with other previously collected information, including from other websites and apps.
   • Neither we nor vendors may:
     • without legal grounds measure the reach and effectiveness of advertisements displayed to or interacted with by a specific user;
     • without legal grounds measure the reach of content, which content was provided to a specific user or how they interacted with it.

1. Development and improvement of products (Art. 6 (1f) GDPR)

1. • To develop and improve products, we and vendors may:
     • use information to improve existing products by adding new features and to develop new products;
     • develop new models and algorithms through machine learning.
   • Neither we nor vendors may:
     • perform other data processing operations permitted for purposes other than this.

On the basis of the listed legal grounds, data can also be processed on the basis of the TCF for the following special purposes:

1. ensuring security, preventing fraud and troubleshooting (Art. 6 (1b), (c), (f) GDPR, §§ 13 (7) TMG)
   • To ensure security, prevent fraud and troubleshoot, we and vendors may:
     • ensure that data is transmitted securely;
     • detect and prevent malicious, fraudulent, invalid or illegal activity;
     • ensure the correct and efficient operation of systems and processes, including monitoring and improving the performance of systems and processes used for permitted purposes.
   • Neither we nor vendors may:
     • carry out other data processing operations permitted for purposes other than these.

Data collected and used to ensure security, prevent fraud or and troubleshoot may without separate disclosure or activation include automatically sent device properties for identification purposes, accurate geolocation data and data collected via the active scanning of device properties for identification purposes.

1. Display of ads or content (Art. 6 (1a) (f) GDPR, §§ 14, 15 TMG)

1. • In order to display information and respond to inquiries of a technical nature, we and vendors may:
     • use a user’s IP address to display an advertisement over the Internet;
     • respond to a user’s interaction with an advertisement by directing the user to a landing page;
     • use a user’s IP address to provide content over the Internet;
     • respond to a user’s interaction with content by sending the user to a landing page;
     • gather information about the device type and the prerequisites for providing advertisements or content (e.g. to provide a logo or video file in the correct size in a format supported by the device).
   • Neither we nor vendors may:
     • perform other data processing operations permitted for purposes other than these.

For the following features data can be processed on the basis of the TCF based on the listed regulations:

1. Comparing and combining offline data sources (Art. 6 (1a) GDPR)
   • In order to compare and combine offline data sources, we and vendors may:
     • combine data collected offline with data collected online in pursuit of one or more purposes or special purposes.

1. Connection of different devices (Art. 6 (1f) GDPR)

1. • In order to connect different devices, we and vendors may:
     • determine that two or more devices belong to the same user or household;
     • determine the likelihood that two or more devices belong to the same user or household.

1. Use of precise geolocation data (Art. 6 (1a) GDPR, § 98 TKG)

1. • In order to use precise geolocation data, we and vendors may:
     • collect and process precise geolocation data for one or more purposes.

 

Determining precise location means that the accuracy of a user’s location is not impaired. This can be accurate to a few meters.

Within our organization, persons entrusted with the processing of data will have access to your data insofar as is necessary or reasonable. Service providers and agents engaged by us can also gain access to personal data for these purposes, provided that, when processing orders, they comply with our written data protection instructions and basic confidentiality principles.

Otherwise we will not transfer personal data to third parties for the purposes of advertising or the sale of contact details.

Data will be transferred to countries outside the EU or the EEA („Non-EU/EEA Country“) only if permitted under GDPR and BDSG.

In the case of service relationships, such as a contact relationship, such data transmission will take place only for the fulfilment of this contractual relationship or insofar as is exceptionally appropriate due to legitimate interest. The same applies to the use of our website from locations outside the EU or EEA.

As part of your use of this website, we will store your IP address and usage data for the duration of the usage. In addition, your IP address will be stored insofar as is appropriate for data security and clarification or for prevention of security or data breaches, whereby the appropriateness will depend on the specific risk. In such cases, your IP addresses will be stored only for as long as is appropriate for the aforementioned purposes (usually seven days). In the event of a reported offence or prosecution or the enforcement of claims against persons who violate security or data protection, the data may be stored and used until such time as the claim is definitively clarified or enforced.

In order to establish, design and provide services relating to your account in the Service Portal, we will store your data until the end of the contract and beyond, namely until the end of the calendar year following the year in which the contract is terminated. On expiry of this period, the data will not be deleted but blocked, as under commercial and tax law we are obliged to store the data for up to ten years.

In the context of business relationships, we will store your data until the end of the contract and beyond, specifically until the end of the third calendar year following the year in which the contract is terminated. On expiry of this period, the data will not be deleted but blocked, as under commercial and tax law we are obliged to store the data for up to ten years.

We will store the data collected from the Careers Portal until the recruitment process is completed or – should an employment relationship come into force – for the duration of employment and beyond until the end of the third calendar year following the year in which employment is terminated. On expiry of this period, the data will not be deleted but blocked, as under commercial and tax law we are obliged to store the data for up to ten years. Your data will be stored for longer only in exceptional cases if appropriate under Art. 6 para. 1 lit f) (e.g. troubleshooting or clarification and prevention of misuse).

Within the framework of a contact relationship, your contact data and communication data will be stored and used insofar as is necessary for communication purposes or is expedient and appropriate.

On our website we use links to draw attention to information provided for the use of SlideShare, Twitter, YouTube, Xing, LinkedIn etc. If you click on these links, you will reach the website pages of these providers. Please note that we are responsible solely for the content that we have posted with these providers or their portals. We are not responsible for the content provided by these providers or for the operation of these portals.

Please note that we have included only the aforementioned links and not the „plug-ins“. Data will therefore be exchanged with these providers and their portals only if you click on the relevant link.

Should we integrate further links to other providers on our website, the above will apply. If we integrate a link to another provider, the service provided by that provider is not our own service. We do not constantly check the content that can be accessed via the link. Therefore the content accessible via the link does not necessarily reflect our opinion of it.

Every data subject has the right of access pursuant to Article 15 GDPR, the right of correction pursuant to Article 16 GDPR, the right of deletion pursuant to Article 17 GDPR, the right of restriction of processing pursuant to Article 18 GDPR, the right of objection pursuant to Article 21 GDPR and the right of data portability pursuant to Article 20 GDPR. For the right of access and the right of deletion, Sections 34 and 35 BDSG apply. You also have the right of appeal to a data protection supervisory authority (Article 77 GDPR in conjunction with § 19 BDSG).

You can revoke your consent to the processing of personal data at any time. This also applies to the revocation of declarations of consent made prior to the entry into force of GDPR (i.e. prior to 25 May 2018). Please note that revocation of consent will not have retroactive effect. Processing that took place prior to revocation of consent will remain unaffected.