Imprint
Media owner, domain owner and administrative contact
Austrian Fashion Association
Association for the promotion of Austrian fashion design
ZVR-number: 598463304
VAT: ATU 68311409
Authorized representative bodies
Chairwoman: Camille Boyer
Treasurer: Karin Hirschberger
Office
Lindengasse 27/1
A-1070 Vienna
+43 660 44 00 027
contact@AFA.co.at
Bank details
Erste Bank
KTO-NO.: 823492378/00
SORT CODE: 20111
IBAN: AT93 20111 82349237800
BIC: GIBAATWWXXX
Website
Design
exex – branding and design
EXEX OG
Florianigasse 34
A-1080 Vienna
hello@exex.at
www.exex.at
Technical implementation
MUEVO ⋆ Wir machen’s digital!
MUEVO OG
Schönaugasse 10/9
8010 Graz
www.muevo.at
Privacy Policy
Status: January 29, 2024
Responsible Party
Austrian Fashion Association
Camille Boyer
Lindengasse 27/1
1070 Wien
E-mail address: contact@afa.co.at
Imprint: https://www.austrianfashionassociation.at/impressum-datenschutz/
Overview of Processing Activities
The following overview summarizes the types of data processed, the purposes of their processing, and refers to the individuals concerned.
Types of Processed Data
Personal Data
Payment Data
Contact Data
Content Data
Contract Data
Usage Data
Meta-, Communication, and Procedural Data
Categories of Affected Persons
Customers
Employees
Prospects
Communication Partners
Users
Members
Business and Contract Partners
Individuals depicted in images
Purposes of Processing
Provision of contractual services and fulfillment of contractual obligations
Handling contact inquiries and communication
Security measures
Direct marketing
Reach measurement
Office and organizational processes
Management and response to inquiries
Feedback
Marketing
Profiles with user-related information
Provision of our online services and user-friendliness
IT infrastructure
Relevant Legal Grounds
Relevant Legal Grounds under the GDPR: Below is an overview of the legal grounds under the GDPR on which we process personal data. Please note that, in addition to the provisions of the GDPR, national data protection regulations may apply in your or our country of residence or establishment. If, in individual cases, more specific legal grounds are relevant, we will inform you of these in the privacy policy.
- Consent (Article 6(1)(a) GDPR) – The data subject has given their consent to the processing of their personal data for one specific purpose or several specific purposes.
- Contract fulfillment and pre-contractual inquiries (Article 6(1)(b) GDPR) – The processing is necessary for the fulfillment of a contract to which the data subject is a party, or for the execution of pre-contractual measures that are taken at the request of the data subject.
- Legal Obligation (Article 6(1)(c) GDPR) – The processing is necessary for the fulfillment of a legal obligation to which the data controller is subject.
- Legitimate Interests (Article 6(1)(f) GDPR) – The processing is necessary for the purposes of the legitimate interests pursued by the data controller or a third party, unless the interests or fundamental rights and freedoms of the data subject, which require the protection of personal data, override those interests.
National Data Protection Regulations in Austria: In addition to the data protection regulations of the GDPR, national data protection laws in Austria also apply. This includes particularly the Federal Act on the Protection of Natural Persons in the Processing of Personal Data (Data Protection Act – DSG). The Data Protection Act contains specific provisions regarding the right to access, the right to rectification or deletion, the processing of special categories of personal data, processing for other purposes, data transfer, and automated decision-making in individual cases.
Notice on the Applicability of the GDPR and Swiss Data Protection Act (DSG):
These privacy notices serve to inform you in accordance with both the Swiss Federal Act on Data Protection (Swiss DSG) and the General Data Protection Regulation (GDPR). Therefore, please note that the terms used are those of the GDPR due to its broader geographic applicability and clarity. Specifically, instead of the terms “processing” of “personal data,” “legitimate interest,” and “sensitive personal data” used in the Swiss DSG, the GDPR terms “processing” of “personal data,” “legitimate interest,” and “special categories of data” are used. However, the legal meaning of these terms will continue to be determined in accordance with the Swiss DSG within the framework of its applicability.
Security Measures
We take appropriate technical and organizational measures in accordance with legal requirements, considering the state of the art, implementation costs, the nature, scope, circumstances, and purposes of processing, as well as the likelihood and extent of potential threats to the rights and freedoms of natural persons, to ensure a level of protection commensurate with the risk.
These measures include, in particular, ensuring the confidentiality, integrity, and availability of data by controlling physical and electronic access to data, as well as access, input, transmission, availability, and segregation of the data. Additionally, we have implemented procedures to facilitate the exercise of data subject rights, data deletion, and responses to data security risks. Furthermore, we consider the protection of personal data during the development or selection of hardware, software, and procedures in accordance with the principle of privacy by design and privacy by default.
IP Address Truncation: If IP addresses are processed by us or by the service providers and technologies used, and processing the full IP address is not necessary, the IP address will be truncated (also known as “IP masking”). This involves removing the last two digits or the last part of the IP address after a dot, or replacing it with placeholders. The purpose of truncating the IP address is to prevent or significantly hinder the identification of a person based on their IP address.
TLS/SSL Encryption (https): To protect the data of users transmitted through our online services, we use TLS/SSL encryption. Secure Sockets Layer (SSL) is the standard technology for securing internet connections by encrypting data transmitted between a website or app and a browser (or between two servers). Transport Layer Security (TLS) is an updated and more secure version of SSL. Hyper Text Transfer Protocol Secure (HTTPS) is shown in the URL when a website is secured with an SSL/TLS certificate.
Transmission of Personal Data
As part of our processing of personal data, there may be cases where data is transmitted to other entities, companies, legally independent organizational units, or individuals, or where it is disclosed to them. Recipients of this data may include, for example, service providers assigned to IT tasks or providers of services and content integrated into a website. In such cases, we adhere to legal requirements and enter into appropriate contracts or agreements with the recipients of your data to ensure the protection of your data.
Data Transfer Within the Organization: We may transfer personal data to other departments within our organization or grant them access to this data. If this data transfer is for administrative purposes, it is based on our legitimate business and operational interests, or is necessary for the fulfillment of our contractual obligations, or is made with the consent of the data subject or based on a legal allowance.
Deletion of Data
The data we process will be deleted in accordance with legal requirements as soon as the consent for processing is revoked or other permissions no longer apply (e.g., when the purpose of processing these data no longer exists or the data are no longer necessary for that purpose). If the data are not deleted because they are required for other legally permissible purposes, their processing will be restricted to those purposes. This means that the data will be locked and not processed for other purposes. This applies, for example, to data that must be stored for commercial or tax reasons or whose storage is necessary for the assertion, exercise, or defense of legal claims, or for the protection of the rights of another natural or legal person. In our privacy notice, we may provide users with further information about data deletion and retention that specifically applies to the respective processing processes.
Rights of the Data Subject
Rights of the Data Subject under the GDPR: As data subjects, you have various rights under the GDPR, particularly as outlined in Articles 15 to 21 of the GDPR:
- Right to Object: You have the right to object at any time to the processing of your personal data based on Article 6(1)(e) or (f) of the GDPR, for reasons related to your particular situation. This also applies to profiling based on these provisions. If your personal data is processed for the purpose of direct marketing, you have the right to object at any time to the processing of your personal data for such marketing purposes, including profiling related to such direct marketing.
- Right of Withdrawal for Consents: You have the right to withdraw any consent given at any time.
- Right of Access: You have the right to request confirmation as to whether your data is being processed, and to obtain information about this data, as well as further details and a copy of the data, in accordance with legal requirements.
- Right to Rectification: You have the right, in accordance with legal requirements, to request the completion of your data or the correction of inaccurate data concerning you.
- Right to Deletion and Restriction of Processing: You have the right, in accordance with legal requirements, to request the immediate deletion of your personal data, or alternatively, to request a restriction of the processing of your data, in accordance with legal provisions.
- Right to Data Portability: You have the right, in accordance with legal requirements, to receive the personal data concerning you that you have provided to us in a structured, commonly used, and machine-readable format, or to request the transmission of such data to another controller.
- Right to Lodge a Complaint with a Supervisory Authority: In accordance with legal requirements and without prejudice to any other administrative or judicial remedy, you also have the right to lodge a complaint with a data protection supervisory authority, particularly with the authority in the member state where you usually reside, where you work, or where the alleged infringement occurred, if you believe that the processing of your personal data violates the GDPR.
Use of Cookies
Cookies are small text files or other storage notes that store information on devices and retrieve information from those devices. For example, they are used to store login status in a user account, the contents of a shopping cart in an online store, the pages visited, or the functions used on an online platform. Cookies can also be used for various purposes, such as ensuring the functionality, security, and convenience of online services, as well as creating analyses of visitor traffic.
Notice on Consent: We use cookies in accordance with legal regulations. Therefore, we obtain prior consent from users, unless this is not legally required. Consent is not necessary, particularly when storing and retrieving information, including cookies, is strictly necessary to provide a telemedia service explicitly requested by the user (i.e., our online offer). Essential cookies typically include those that serve functions related to the display and functionality of the online service, load balancing, security, storing user preferences and choices, or similar purposes associated with providing the main and secondary functions of the online service requested by the user. The revocable consent is clearly communicated to users and includes information about the specific use of cookies.
Information on Data Protection Legal Bases: The legal basis for processing users’ personal data using cookies depends on whether we request consent from the users. If users provide consent, the legal basis for processing their data is the given consent. Otherwise, the data processed through cookies will be based on our legitimate interests (e.g., for the business operation of our online service and improving its usability) or, when required to fulfill our contractual obligations, if the use of cookies is necessary to meet our contractual commitments. The specific purposes for which we process cookies will be explained in this privacy policy or within our consent and processing procedures.
Storage Duration: With regard to storage duration, the following types of cookies are distinguished:
- Temporary Cookies (also: Session Cookies): Temporary cookies are deleted at the latest once a user leaves an online service and closes their device (e.g., browser or mobile application).
- Permanent Cookies: Permanent cookies remain stored even after the device is closed. For example, they can store login status or display preferred content directly when the user revisits a website. Additionally, data collected through cookies may be used for measuring reach. If we do not provide explicit information to users about the type and storage duration of cookies (e.g., during the consent process), users should assume that the cookies are permanent, with a storage duration of up to two years.
This website uses only temporary cookies to store the closure of the cookie banner and the newsletter sign-up, ensuring they are not displayed again once closed. Cookie names: cookie_policy_accept and cookie_newsletter_hide. For playing Vimeo videos, users are asked separately. The cookie cookie_vimeo_accept is retained either for the session or for 1 year (the user can choose). To provide the correct language information, the current language is stored for the session using wp-wpml_current_language.
General Information on Withdrawal and Objection (so-called “Opt-Out”): Users can withdraw their consent at any time and object to the processing of their data in accordance with legal requirements. To do this, users can, among other things, limit the use of cookies in their browser settings (though this may also limit the functionality of our online service). Objection to the use of cookies for online marketing purposes can also be expressed through the following websites: https://optout.aboutads.info and https://www.youronlinechoices.com/
- Legal Grounds: Legitimate Interests (Article 6(1)(f) GDPR)
Performance of Tasks in Accordance with Statutes or Bylaws:
We process the data of our members, supporters, interested parties, business partners, or other individuals (collectively referred to as “data subjects”) when we are in a membership or other business relationship with them and perform our tasks, as well as when they are recipients of services or contributions. In addition, we process the data of data subjects based on our legitimate interests, for example, when it involves administrative tasks or public relations work.
The data processed, including the type, scope, purpose, and necessity of its processing, is determined by the underlying membership or contractual relationship, from which the necessity of providing certain data also arises (we will point out required data as necessary).
We delete data that is no longer necessary for the fulfillment of our statutory and business purposes. This is determined according to the respective tasks and contractual relationships. We retain the data as long as it is relevant for business operations, as well as in relation to any warranty or liability obligations based on our legitimate interest in addressing these issues. The necessity for retaining the data is regularly reviewed; in addition, statutory retention obligations apply.
- Types of Processed Data: Master Data (e.g., names, addresses); Payment Data (e.g., bank account details, invoices, payment history); Contact Data (e.g., email addresses, phone numbers); Contract Data (e.g., subject of the contract, duration, customer category)
- Affected Individuals: Users (e.g., website visitors, users of online services); Members: Individuals who are members of the organization; Business and Contract Partners: Companies or individuals with whom the organization has business or contractual relationships.
- Purposes of Processing: Provision of Contractual Services and Fulfillment of Contractual Obligations: To deliver services and fulfill the terms of agreements with members, business partners, and users. Handling Contact Inquiries and Communication: To process and respond to inquiries from members, users, and business partners, ensuring effective communication. Management and Response to Requests: To organize, manage, and provide responses to any requests or inquiries from affected individuals.
- Legal Grounds: Contract Fulfillment and Pre-Contractual Inquiries (Article 6(1)(b) GDPR), Legitimate Interests (Article 6(1)(f) GDPR)
Business Services
We process data of our contractual and business partners, such as customers and prospects (collectively referred to as “contract partners”), within the framework of contractual and similar legal relationships, as well as related measures and communication with contract partners (or pre-contractual communication), for example, to respond to inquiries.
We process this data to fulfill our contractual obligations. This includes, in particular, obligations to provide agreed-upon services, updating requirements, and remedying defects and other performance issues. Furthermore, we process the data to safeguard our rights and for administrative tasks and business organization associated with these obligations.
In addition, we process the data based on our legitimate interests in proper and efficient business management, as well as for security measures to protect our contract partners and business operations from misuse, threats to their data, secrets, information, and rights (e.g., for involving telecommunications, transport, and other service providers, subcontractors, banks, tax and legal advisors, payment service providers, or tax authorities).
Within the scope of applicable law, we only disclose the data of contract partners to third parties insofar as this is necessary for the aforementioned purposes or to fulfill legal obligations. Further forms of processing, such as for marketing purposes, will be communicated to contract partners within this privacy statement.
For the aforementioned purposes, we inform our contract partners, either prior to or during the data collection process, about which data is required. This is done, for example, through online forms, special markings (e.g., colors), symbols (e.g., asterisks, etc.), or in person.
We delete the data after the statutory warranty and comparable obligations have expired, i.e., generally after 4 years, unless the data is stored in a customer account, for example, as long as they need to be retained for legal archival purposes. The statutory retention period for tax-relevant documents, as well as for commercial books, inventories, opening balances, annual financial statements, and the necessary working instructions and other organizational documents and accounting records, is ten years. For received commercial and business correspondence and copies of sent commercial and business correspondence, the retention period is six years.
The retention period begins at the end of the calendar year in which the last entry was made in the book, the inventory, the opening balance, the annual financial statement, or the management report was prepared, the commercial or business letter was received or sent, or the accounting record was created, as well as when the recording was made or the other documents were created.
To the extent that we use third-party providers or platforms to deliver our services, the terms and conditions and privacy policies of the respective third-party providers or platforms apply in the relationship between the users and the providers.
- Types of Processed Data: Master Data (such as names, addresses); Payment Data (including bank account details, invoices, payment history); Contact Data (such as email addresses, phone numbers); Contract Data (including the subject of the contract, contract duration, customer category).
- Special Categories of Personal Data: Health Data, Data on Sexual Life or Sexual Orientation, Religious or Philosophical Beliefs, Data Revealing Racial or Ethnic Origin
- Data Subjects (Affected Persons): Prospective Clients, Business Partners, Contract Partners
- Purposes of Processing: Provision of Contractual Services and Fulfillment of Contractual Obligations, Handling Contact Inquiries and Communication, Office and Organizational Procedures, Management and Response to Inquiries
- Legal Bases: Contract Fulfillment and Pre-Contractual Inquiries (Article 6(1)(b) GDPR), Legal Obligation (Article 6(1)(c) GDPR), Legitimate Interests (Article 6(1)(f) GDPR)
Further Information on Processing Processes, Procedures, and Services:
- Agency Services: We process the data of our clients as part of our contractual services, which may include: Conceptual and Strategic Consulting, Campaign Planning, Software and Design Development/Consulting or Maintenance, Campaign and Process Implementation, Handling and Server Administration, Data Analysis/Consulting Services, Training Services. These services involve processing personal data to ensure the proper execution and management of the services provided, in line with the agreed contract terms.
- Legal Bases: Contract Fulfillment and Pre-Contractual Inquiries (Article 6(1)(b) GDPR)
- Coaching: We process the data of our clients, prospective clients, and other contractors or business partners (referred to collectively as “clients”) to provide the agreed-upon services. The processed data, including the type, scope, purpose, and necessity of processing, depends on the underlying contractual and client relationship.
As part of our activities, we may also process special categories of data, such as health information related to our clients, possibly with reference to their sexual life or sexual orientation, as well as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership. In these cases, we obtain explicit consent from the clients, unless the processing is necessary for the protection of the client’s health, the data is publicly available, or other legal permissions apply.
If it is required for contract fulfillment, to protect vital interests, or is legally mandated, or if the client has given consent, we may disclose or transfer the client’s data to third parties or processors, such as authorities, billing entities, or in the fields of IT, office, or similar services, while adhering to professional and legal regulations.
- Legal Bases: Contract Fulfillment and Pre-Contractual Inquiries (Article 6(1)(b) GDPR)
- Consulting: We process the data of our clients, mandatees, as well as interested parties and other contractors or business partners (collectively referred to as “clients”) in order to provide them with our consulting services. The processed data, the nature, scope, purpose, and necessity of their processing are determined by the underlying contractual and client relationship. If necessary for the performance of our contract, the protection of vital interests, or if legally required, or if the client has given consent, we may disclose or transmit the client’s data to third parties or service providers, such as authorities, subcontractors, or in the fields of IT, office, or similar services, while adhering to professional regulations.
- Legal Bases: Contract Fulfillment and Pre-Contractual Inquiries (Article 6(1)(b) GDPR).
- Online courses and online training: We process the data of participants in our online courses and online training (collectively referred to as “participants”) in order to provide them with our course and training services. The data processed in this context, the nature, scope, purpose, and necessity of their processing are determined by the underlying contractual relationship. The data generally include information about the courses and services used by participants and, if part of our service offering, personal specifications and results of the participants. Processing methods also include performance assessment and evaluation of our services and those of course and training instructors. The data is primarily used to conduct the course and to evaluate the learning outcomes; the legal basis for the processing of this data results from the fulfillment of the contract pursuant to Art. 6 para. 1 sentence 1 lit. b) GDPR. In cases where special categories of personal data are processed, this is done on the basis of the consent of the participants or on the basis of another legal permission, such as to protect vital interests or to fulfill legal obligations.
- Legal Bases: Contract Fulfillment and Pre-Contractual Inquiries (Article 6(1)(b) GDPR).
Provision of the online offer and web hosting
We process user data to provide them with our online services. For this purpose, we process the user’s IP address, which is necessary to transmit the content and functions of our online services to the user’s browser or device.
- Processed Data Types: Usage Data (e.g., visited websites, interest in content, access times); Meta, Communication, and Procedure Data (e.g., IP addresses, timestamps, identification numbers, consent status)
- Affected Persons: Users (e.g., website visitors, users of online services)
- Purposes of Processing: Provision of our online offers and user-friendliness; Information technology infrastructure (operation and provision of information systems and technical devices such as computers and servers); Security measures.
- Legal Bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
Further information on processing operations, procedures and services:
- Provision of online services on rented storage space: For the provision of our online offer, we use storage space, computing capacity and software that we rent or otherwise obtain from a corresponding server provider (also called “web host”);
- Legal Bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
- Collection of access data and log files: Access to our online offering is logged in the form of so-called “server log files”. The server log files may include the address and name of the web pages and files accessed, the date and time of access, data volumes transferred, notification of successful access, browser type and version, the user’s operating system, referrer URL (the previously visited page) and, as a rule, IP addresses and the requesting provider. The server log files can be used for security purposes, e.g. to avoid overloading the servers (especially in the event of abusive attacks, so-called DDoS attacks) and to ensure the utilization of the servers and their stability;
- Legal Bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
- Deletion of data: Log file information is stored for a maximum of 30 days and then deleted or anonymized. Data whose further storage is required for evidentiary purposes is excluded from deletion until the respective incident has been finally clarified.
- Hetzner: Services in the area of the provision of information technology infrastructure and related services (e.g. storage space and/or computing capacity); Service provider: Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany; Legal Bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.hetzner.com; Privacy policy: https://www.hetzner.com/de/rechtliches/datenschutz. Order processing contract: https://docs.hetzner.com/de/general/general-terms-and-conditions/data-privacy-faq/.
Contact and inquiry management
When contacting us (e.g. by post, contact form, email, telephone or via social media) and in the context of existing user and business relationships, the data of the inquiring persons are processed insofar as this is necessary to answer the contact inquiries and any requested measures.
- Processed data types: Contact data (e.g. e-mail, telephone numbers); content data (e.g. entries in online forms); usage data (e.g. websites visited, interest in content, access times); meta, communication and process data (e.g. IP addresses, time data, identification numbers, consent status).
- Affected Persons: Communication partners; users (e.g. website visitors, users of online services). Business and contractual partners.
- Purposes of the processing: Contact requests and communication; managing and responding to requests; feedback (e.g. collecting feedback via online form). Provision of our online services and user-friendliness.
- Legal Bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR). Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR).
Further information on processing operations, procedures and services:
- Contact form: If users contact us via our contact form, e-mail or other communication channels, we process the data provided to us in this context to process the communicated request;
- Legal Bases: Contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR), Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
- WPForms: Creation of online forms, collection of user input, transmission of data to the server, storage and management of submitted information; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Further information: https://wpforms.com/introducing-new-gdpr-enhancements-for-your-wordpress-forms; Service provider: Execution on servers and/or computers under own data protection responsibility; Website: https://wpforms.com/.
Video conferences, online meetings, webinars and screen sharing
We use platforms and applications of other providers (hereinafter referred to as “conference platforms”) for the purpose of conducting video and audio conferences, webinars and other types of video and audio meetings (hereinafter collectively referred to as “conference”). When selecting the conference platforms and their services, we observe the legal requirements.
Data processed by conference platforms: As part of participation in a conference, the conference platforms process the participants’ personal data listed below. The scope of the processing depends on which data is required in the context of a specific conference (e.g. specification of access data or clear names) and which optional information is provided by the participants. In addition to processing for the purpose of holding the conference, the conference platforms may also process participants’ data for security purposes or service optimization. The processed data includes personal data (first name, surname), contact information (e-mail address, telephone number), access data (access codes or passwords), profile pictures, information on professional position/function, the IP address of the Internet access, information on the participants’ end devices, their operating system, the browser and its technical and language settings, information on the content of the communication processes, i.e. entries in chats and audio and video data, as well as the use of other available functions (e.g. surveys). The content of communications is encrypted to the extent technically provided by the conference providers. If the participants are registered as users with the conference platforms, further data may be processed in accordance with the agreement with the respective conference provider.
Logging and recordings: If text entries, participation results (e.g. from surveys) and video or audio recordings are logged, this will be communicated transparently to the participants in advance and – if necessary – they will be asked for their consent.
Data protection measures of the participants: For details on the processing of your data by the conferencing platforms, please refer to their data protection notices and select the optimum security and data protection settings for you in the settings of the conferencing platforms. Please also ensure data and privacy protection in the background of your recording for the duration of a video conference (e.g. by informing roommates, locking doors and, if technically possible, using the function to make the background unrecognizable). Links to the conference rooms and access data must not be passed on to unauthorized third parties.
Notes on legal bases: If, in addition to the conference platforms, we also process users’ data and ask users for their consent to use the conference platforms or certain functions (e.g. consent to the recording of conferences), the legal basis for processing is this consent. Furthermore, our processing may be necessary to fulfill our contractual obligations (e.g. in participant lists, in the case of processing of conference results, etc.). Otherwise, user data is processed on the basis of our legitimate interests in efficient and secure communication with our communication partners.
- Processed data types: Inventory data (e.g. names, addresses); contact data (e.g. e-mail, telephone numbers); content data (e.g. entries in online forms); usage data (e.g. websites visited, interest in content, access times); meta, communication and process data (e.g. IP addresses, time data, identification numbers, consent status).
- Affected Persons: Communication partners; users (e.g. website visitors, users of online services). Persons depicted.
- Purposes of the processing: Provision of contractual services and fulfillment of contractual obligations; contact requests and communication. Office and organizational procedures.
- Legal Bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
Further information on processing operations, procedures and services:
- Slack: Messenger and conference software; Service provider: Slack Technologies Limited, Level 1, Block A Nova Atria North, Sandyford Business District, Dublin 18, Ireland; Legal Bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://slack.com/intl/de-de/; Privacy Policy: https://slack.com/intl/de-de/legal; Data processing agreement: https://slack.com/intl/de-de/terms-of-service/data-processing. Basis for third country transfer: EU-US Data Privacy Framework (DPF), Standard Contractual Clauses (https://slack.com/intl/de-de/terms-of-service/data-processing).
- Zoom: Conference and communication software; Service provider: Zoom Video Communications, Inc., 55 Almaden Blvd., Suite 600, San Jose, CA 95113, USA; Legal Bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://zoom.us; Privacy Policy: https://explore.zoom.us/docs/de-de/privacy-and-legal.html; Data processing agreement: https://zoom.us/docs/de-de/privacy-and-legal.html (referred to as Global DPA). Basis for third country transfer: EU-US Data Privacy Framework (DPF), Standard Contractual Clauses (https://zoom.us/docs/de-de/privacy-and-legal.html (referred to as Global DPA)).
Cloud-Services
We use software services accessible via the Internet and running on the servers of their providers (so-called “cloud services”, also referred to as “software as a service”) for the storage and management of content (e.g. document storage and management, exchange of documents, content and information with specific recipients or publication of content and information).
In this context, personal data may be processed and stored on the servers of the providers, insofar as these are part of communication processes with us or are otherwise processed by us as set out in this privacy policy. This data may include, in particular, master data and contact data of users, data on transactions, contracts, other processes and their content. The cloud service providers also process usage data and metadata that they use for security purposes and to optimize their services.
If we use the cloud services to provide other users or publicly accessible websites with forms or other documents and content, the providers may store cookies on users’ devices for the purposes of web analysis or to remember user settings (e.g. in the case of media control).
- Processed data types: Inventory data (e.g. names, addresses); contact data (e.g. e-mail, telephone numbers); content data (e.g. entries in online forms); usage data (e.g. websites visited, interest in content, access times); meta, communication and process data (e.g. IP addresses, time data, identification numbers, consent status).
- Affected persons: Customers; employees (e.g. employees, applicants, former employees); interested parties. Communication partners.
- Purposes of processing: Office and organizational procedures. Information technology infrastructure (operation and provision of information systems and technical equipment (computers, servers, etc.)).
- Legal Bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
Further information on processing operations, procedures and services:
- Dropbox: Cloud storage service; Service provider: Dropbox, Inc., 333 Brannan Street, San Francisco, California 94107, USA; Legal Bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.dropbox.com/de; Privacy Policy: https://www.dropbox.com/privacy; Data processing agreement: https://assets.dropbox.com/documents/en/legal/dfb-data-processing-agreement.pdf. Basis for third country transfer: EU-US Data Privacy Framework (DPF), Standard Contractual Clauses (https://assets.dropbox.com/documents/en/legal/dfb-data-processing-agreement.pdf).
- Nextcloud (Hosting on own server): Cloud storage service in which the operation and storage of the processed data takes place on a server managed by us; Service provider: Nextcloud GmbH, Hauptmannsreute 44a, 70192 Stuttgart, Germany; Legal Bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://nextcloud.com/de/; Privacy Policy: https://nextcloud.com/de/privacy/.
Newsletter and electronic notifications
We only send newsletters, emails and other electronic notifications (hereinafter “newsletter”) with the consent of the recipient or with legal permission. If the contents of the newsletter are specifically described when registering for the newsletter, they are decisive for the user’s consent. Otherwise, our newsletters contain information about our services and us.
To subscribe to our newsletters, it is generally sufficient to provide your e-mail address. However, we may ask you to provide a name so that we can address you personally in the newsletter, or other information if this is necessary for the purposes of the newsletter.
Double opt-in procedure: Registration for our newsletter is always carried out in a so-called double opt-in procedure. This means that after registering you will receive an e-mail asking you to confirm your registration. This confirmation is necessary so that no one can register with other people’s e-mail addresses. Subscriptions to the newsletter are logged in order to be able to prove the registration process in accordance with legal requirements. This includes storing the time of registration and confirmation as well as the IP address. Changes to your data stored by the mailing service provider are also logged.
Erasure and restriction of processing: We may store the unsubscribed e-mail addresses for up to three years on the basis of our legitimate interests before we delete them in order to be able to prove that consent was previously given. The processing of this data is limited to the purpose of a possible defense against claims. An individual request for erasure is possible at any time, provided that the former existence of consent is confirmed at the same time. In the event of obligations to permanently observe objections, we reserve the right to store the e-mail address in a block list solely for this purpose.
The registration process is logged on the basis of our legitimate interests for the purpose of proving that it has been carried out properly. If we commission a service provider to send e-mails, this is done on the basis of our legitimate interests in an efficient and secure sending system.
Contents:
Information about us, our services, promotions and offers.
- Processed data types: Inventory data (e.g. names, addresses); contact data (e.g. e-mail, telephone numbers); meta, communication and process data (e.g. IP addresses, time data, identification numbers, consent status); usage data (e.g. websites visited, interest in content, access times).
- Affected Persons: Communication partners.
- Purpose of processing: Direct marketing (e.g. by e-mail or post).
- Legal Bases: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR). Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
- Possibility of objection (opt-out): You can cancel the receipt of our newsletter at any time, i.e. revoke your consent or object to further receipt. You will find a link to unsubscribe from the newsletter either at the end of each newsletter or you can use one of the contact options listed above, preferably e-mail.
Further information on processing procedures, methods, and services:
- Measurement of opening and click rates: The newsletters contain a so-called “web beacon,” i.e., a pixel-sized file that is retrieved from our server, or, if we use a mailing service provider, from their server when the newsletter is opened. As part of this retrieval, technical information such as browser information and your system, as well as your IP address and the time of retrieval, are initially collected. This information is used for the technical improvement of our newsletter based on technical data or target groups and their reading behavior based on their retrieval locations (which can be determined using the IP address) or access times. This analysis also includes determining whether the newsletters are opened, when they are opened, and which links are clicked. This information is assigned to individual newsletter recipients and stored in their profiles until they are deleted. The evaluations help us to recognize the reading habits of our users and to adapt our content to them or to send different content according to the interests of our users. The measurement of opening rates and click rates as well as the storage of the measurement results in the profiles of users and their further processing are based on the consent of the users. A separate revocation of the success measurement is unfortunately not possible; in this case, the entire newsletter subscription must be canceled, or objection must be raised to it. In this case, the stored profile information will be deleted;
- Legal Bases: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR).
- Mailchimp: Email delivery and automation services; Service provider: Rocket Science Group, LLC, 675 Ponce De Leon Ave NE #5000, Atlanta, GA 30308, USA; Legal Basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://mailchimp.com; Privacy Policy: https://mailchimp.com/legal/; Data processing agreement: https://mailchimp.com/legal/; Basis for third country transfer: EU-US Data Privacy Framework (DPF), Standard Contractual Clauses (Provided by the service provider). Further Information: Special security measures: https://mailchimp.com/de/help/mailchimp-european-data-transfers/
Web analysis, monitoring and optimization
Web analysis (also known as “reach measurement”) is used to evaluate the visitor flows of our online offering and can include behavior, interests, or demographic information about visitors, such as age or gender, as pseudonymous values. With the help of reach analysis, we can, for example, determine at what time our online offering or its functions or content are most frequently used or invite reuse. We can also understand which areas need optimization.
In addition to web analysis, we can also use test procedures to test and optimize different versions of our online offering or its components, for example.
Unless otherwise stated below, profiles, i.e., data summarized for a usage process, can be created for these purposes and information can be stored in a browser or on an end device and read from it. The collected information includes, in particular, visited websites and elements used there as well as technical information such as the browser used, the operating system used, and information about usage times. If users have consented to the collection of their location data to us or to the providers of the services we use, location data can also be processed.
The IP addresses of the users are also stored. However, we use an IP masking procedure (i.e., pseudonymization by shortening the IP address) to protect the users. In general, no clear data of the users (such as email addresses or names) are stored within the scope of web analysis, A/B testing, and optimization, but rather pseudonyms. That is, we and the providers of the software used do not know the actual identity of the users, but only the information stored in their profiles for the purposes of the respective procedures.
- Processed data types: Usage data (e.g., visited websites, interest in content, access times); Meta, communication, and process data (e.g., IP addresses, time information, identification numbers, consent status).
- Affected persons: Users (e.g., website visitors, users of online services).
- Purposes of processing: Reach measurement (e.g., access statistics, recognition of returning visitors). Profiles with user-related information (creating user profiles).
- Security measures: IP masking (pseudonymization of the IP address).
- Legal Basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
Further information on processing procedures, methods, and services:
- Matomo (without Cookies): Matomo is a privacy-friendly web analysis software that is used without cookies and where the recognition of recurring users is based on a so-called “digital fingerprint” that is stored anonymously and changed every 24 hours; in the “digital fingerprint,” user movements within our online offering are recorded using pseudonymized IP addresses in combination with user-side browser settings in such a way that conclusions about the identity of individual users are not possible. The data collected from the use of Matomo by users are processed only by us and not shared with third parties; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://matomo.org/.
Social Media Presences
We maintain online presences within social networks and process data of users within this framework in order to communicate with the users active there or to offer information about us.
We would like to point out that data of users can be processed outside the European Union. This may result in risks for users because, for example, enforcing the rights of users could be more difficult.
Furthermore, data of users within social networks is usually processed for market research and advertising purposes. For example, user profiles can be created based on user behavior and resulting interests of the users. The user profiles can in turn be used, for example, to place advertisements within and outside the networks that presumably correspond to the interests of the users. For these purposes, cookies are usually stored on the users’ computers, in which the user behavior and interests are stored. Furthermore, data can also be stored in the user profiles regardless of the devices used by the users (especially if the users are members of the respective platforms and are logged in to them).
For a detailed presentation of the respective processing methods and the possibilities of objection (opt-out), we refer to the data protection declarations and information of the operators of the respective networks.
Even in the case of requests for information and the assertion of data subject rights, we would like to point out that these can be most effectively asserted with the providers. Only the providers have access to the data of the users and can directly take appropriate measures and provide information. If you still need help, you can contact us.
- Processed data types: Contact details (e.g., email, phone numbers); Content data (e.g., entries in online forms); Usage data (e.g., visited websites, interest in content, access times); Meta, communication, and process data (e.g., IP addresses, time information, identification numbers, consent status).
- Affected persons: Users (e.g., website visitors, users of online services).
- Purposes of processing: Contact inquiries and communication; Feedback (e.g., collecting feedback via online form). Marketing.
- Legal Basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
Further information on processing procedures, methods, and services:
- Instagram: Social Network; Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal Basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.instagram.com. Privacy Policy: https://instagram.com/about/legal/privacy.
- Facebook pages: Profiles within the social network Facebook; Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal Basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.facebook.com; Privacy Policy: https://www.facebook.com/about/privacy; Basis for third country transfer: EU-US Data Privacy Framework (DPF), Standard Contractual Clauses (https://www.facebook.com/legal/EU_data_transfer_addendum); Further Information: We are jointly responsible with Meta Platforms Ireland Limited for the collection (but not further processing) of data of visitors to our Facebook page (so-called “fan page”). This data includes information about the types of content that users view or interact with, or the actions they take (see “Things you and others do and provide” in the Facebook data policy: https://www.facebook.com/policy), as well as information about the devices used by users (e.g., IP addresses, operating system, browser type, language settings, cookie data; see “Device information” in the Facebook data policy: https://www.facebook.com/policy). As explained in the Facebook data policy under “How do we use this information?” Facebook also collects and uses information to provide analytics services, so-called “Page Insights,” for page operators to understand how people interact with their pages and associated content.
We have entered into a special agreement with Facebook (“Page Insights Data Information,” https://www.facebook.com/legal/terms/page_controller_addendum), which regulates, among other things, the security measures Facebook must observe and in which Facebook has agreed to fulfill the rights of data subjects (i.e., users can, for example, address requests for information or deletion directly to Facebook). The rights of users (especially to information, deletion, objection, and complaint to the competent supervisory authority) are not restricted by the agreements with Facebook. Further information can be found in the “Information on Page Insights” (https://www.facebook.com/legal/terms/information_about_page_insights_data). The joint responsibility is limited to the collection and transmission of data to Meta Platforms Ireland Limited, a company based in the EU. The further processing of the data is the sole responsibility of Meta Platforms Ireland Limited, which includes, in particular, the transmission of data to the parent company Meta Platforms, Inc. in the USA.
- LinkedIn: Social Network; Service provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland; Legal Basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.linkedin.com; Privacy Policy: https://www.linkedin.com/legal/privacy-policy; Basis for third country transfer: EU-US Data Privacy Framework (DPF), Standard Contractual Clauses (https://legal.linkedin.com/dpa); Possibility of objection (opt-out): https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out; Further Information: We are jointly responsible with LinkedIn Ireland Unlimited Company for the collection (but not further processing) of data of visitors to our LinkedIn profiles for the purpose of creating “Page Insights” (statistics).
This data includes information about the types of content that users view or interact with, or the actions they take, as well as information about the devices used by users (e.g., IP addresses, operating system, browser type, language settings, cookie data) and information from the users’ profiles, such as job function, country, industry, hierarchy level, company size, and employment status. Data protection information on the processing of user data by LinkedIn can be found in LinkedIn’s privacy policy: https://www.linkedin.com/legal/privacy-policy. We have entered into a special agreement with LinkedIn Ireland (“Page Insights Joint Controller Addendum (the ‘Addendum’),” https://legal.linkedin.com/pages-joint-controller-addendum), which regulates, among other things, the security measures LinkedIn must observe and in which LinkedIn has agreed to fulfill the rights of data subjects (i.e., users can, for example, address requests for information or deletion directly to LinkedIn). The rights of users (especially to information, deletion, objection, and complaint to the competent supervisory authority) are not restricted by the agreements with LinkedIn. The joint responsibility is limited to the collection of data by and transmission to LinkedIn Ireland Unlimited Company, a company based in the EU. The further processing of the data is the sole responsibility of LinkedIn Ireland Unlimited Company, which includes, in particular, the transmission of data to the parent company LinkedIn Corporation in the USA.
- Vimeo: Social network and video platform; Service provider: Vimeo Inc., Attention: Legal Department, 555 West 18th Street New York, New York 10011, USA; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://vimeo.com. Privacy Policy: https://vimeo.com/privacy.
Plugins and embedded functions as well as contents
We integrate functional and content elements into our online offering that are obtained from the servers of their respective providers (hereinafter referred to as “third-party providers”). These can include, for example, graphics, videos, or maps (hereinafter uniformly referred to as “content”).
The integration always requires that the third-party providers of this content process the IP address of the users, since they could not send the content to their browser without the IP address. The IP address is therefore required for the display of this content or functions. We endeavor to use only content whose respective providers use the IP address solely for the purpose of delivering the content. Third-party providers may also use so-called pixel tags (invisible graphics, also known as “web beacons”) for statistical or marketing purposes. The “pixel tags” can be used to evaluate information such as visitor traffic on the pages of this website. The pseudonymous information may also be stored in cookies on the user’s device and may contain technical information about the browser and operating system, referring web pages, visit times, and other information about the use of our online offering, as well as may be linked to such information from other sources.
- Processed data types: Usage data (e.g., visited websites, interest in content, access times); Meta, communication, and process data (e.g., IP addresses, time information, identification numbers, consent status); Contact details (e.g., email, phone numbers); Content data (e.g., entries in online forms).
- Purposes of processing: Provision of our online offering and user-friendliness. Profiles with user-related information (creating user profiles).
- Legal Basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
Further information on processing procedures, methods, and services:
- Vimeo-Videoplayer: Integration of a video player; Service provider: Vimeo Inc., Attention: Legal Department, 555 West 18th Street New York, New York 10011, USA; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://vimeo.com; Privacy Policy: https://vimeo.com/privacy; Data processing agreement: https://vimeo.com/enterpriseterms/dpa. Basis for third country transfer: Standard Contractual Clauses (https://vimeo.com/enterpriseterms/dpa).
Change and Update of the privacy policy
We kindly ask you to regularly inform yourself about the content of our privacy policy. We adapt the privacy policy as soon as changes to the data processing we carry out require it. We will inform you as soon as the changes require your cooperation (e.g., consent) or any other individual notification.
If we provide addresses and contact information of companies and organizations in this privacy policy, please note that the addresses may change over time, and we ask you to verify the information before contacting them.
Competent supervisory authority for us: