Privacy Policy
1. Introduction Data Protection
Thank you for your interest in our services.
The protection of your personal data when you visit our website is important to us.
We protect your privacy and your private data. We collect, process and use your personal data in accordance with the content of this Privacy Policy and the applicable data protection regulations, in particular the General Data Protection Regulation, the Federal Data Protection Act and the Telemedia Act.
These data protection provisions regulate which personal data we collect, process and use about you. We therefore ask you to read the following information carefully.
2. Contact
The controller for this data processing is:
VBM Medizintechnik GmbH
Represented by Volker Bertram, Carina Bertram, Frank Hägele, Jörn Kelch, Ruth Lebold
Einsteinstr. 1
72172 Sulz am Neckar, Germany
Legal disclosure: https://www.vbm-medical.de/en/legal-disclosure/
You can contact our data protection officer, Mr. José Enrique Gómez Asbeck, at the above postal address with the prefix “the data protection officer” or at: vbm-datenschutz@bitbasegroup.com
3. Data Collection on these Web Pages - Summary
3.1 Introduction
The operators of these pages take the protection of your personal data very seriously. We treat your personal data confidentially and in accordance with the statutory data protection regulations and this privacy policy.
When you use these pages, various personal data are collected. Personal data is data that can be used to identify you personally. This privacy policy explains what data we collect and what we use it for. It also explains how and for what purpose this is done.
We would like to point out that data transmission over the Internet (e.g. when communicating by email) may be subject to security vulnerabilities. Complete protection of data against access by third parties is not possible. The individual legal bases, purposes, additional recipients, transfers to third countries, storage periods and other special features can be found in the respective processing section after this summary.
3.2 Anonymous Data Processing
It is generally possible for every visitor to visit this website without disclosing who they are. Only the name of your Internet service provider, the website from which you were linked to us and your IP address are automatically determined. This transmitted information is collected and analyzed exclusively to combat abuse. An anonymized and shortened version of the IP address may be evaluated for statistical purposes.
3.3 Collection and Processing of Personal Data
Further personal data is only collected if you provide and transmit it to us of your own accord. We treat all data confidentially and only use it for the purpose for which it was transmitted.
The data you transmit to us in the context of an enquiry, an order or a business relationship will be stored and processed exclusively for the purpose for which this data was transmitted. We will not pass on any personal data transmitted to third parties unless this has been expressly authorised by you or is absolutely necessary for the purpose of providing the service.
We would like to point out that data transmission over the Internet (e.g. when communicating via e-mail) may be subject to security vulnerabilities. Complete protection of data against access by third parties is not possible. Any use of the contact data published here by third parties for sending unsolicited advertising or information material is hereby expressly prohibited. We expressly reserve the right to take legal action in the event of the unsolicited sending of advertising information, such as spam e-mails.
3.4 How do we Collect your Data?
On the one hand, your data is collected when you provide it to us. This may, for example, be data that you enter in a contact form.
Other data is collected automatically or with your consent by our IT systems when you visit the website. This is primarily technical data (e.g. internet browser, operating system or time of page view). This data is collected automatically as soon as you access this page.
3.5 What do we Use your Data for?
Some of the data is collected in order to ensure the error-free provision of the pages. Other data can be used to analyse your user behaviour.
3.6 What Rights do you have Regarding your Data?
You have the right to receive information about the origin, recipient and purpose of your stored personal data free of charge at any time. You also have the right to request the correction or deletion of this data. If you have given your consent to data processing, you can revoke this consent at any time for the future. You also have the right to request the restriction of the processing of your personal data under certain circumstances. You also have the right to lodge a complaint with the competent supervisory authority. You can contact us at any time if you have any further questions on the subject of data protection.
3.7 Analysis Tools and Services from Subcontractors
When you visit this website, your usage behaviour may be statistically evaluated. This is mainly done using so-called analysis programmes. If we engage third-party providers, we conclude data protection agreements with them that provide special protection for your data. If we use cookies for this purpose or if your consent is otherwise required, this is described below.
4. General Information and Rights of Data Subjects
4.1 Legal Basis for Data Processing on This Site
If you have consented to data processing, we process your personal data on the basis of Art. 6 (1) a) GDPR or Art. 9 (2) a) GDPR, provided that special categories of data are processed in accordance with Art. 9 (1) GDPR. In the event of express consent to the transfer of personal data to third countries, data processing is also carried out on the basis of Art. 49 (1) a) GDPR. If you have consented to the storage of cookies or access to information on your end device (e.g. via device fingerprinting), data processing is also carried out on the basis of Section 25 (1) TDDDG. Consent can be revoked at any time. If your data is necessary for the performance of a contract or for the implementation of pre-contractual measures, we process your data on the basis of Art. 6 (1) b) GDPR. Furthermore, we process your data if it is necessary to fulfil a legal obligation on the basis of Art. 6 (1) c) GDPR.
Data processing may also be carried out on the basis of our legitimate interest pursuant to Art. 6 (1) (f) GDPR. The additional legal bases relevant in each individual case are explained in the following paragraphs of this privacy policy. Insofar as we process your data using the service providers described below in accordance with our instructions, we have concluded a contract with each of them for order processing (AVV) and, in the case of joint responsibility, a contract for this, which essentially safeguards your rights as a data subject.
4.2 Note on processing in ‘unsafe third countries’
Among other things, we use services provided by companies based in the United States or other third countries outside the EEA that do not have secure data protection laws. When these tools are active, your personal data may be transferred to these third countries and processed there. Please note that these countries cannot guarantee a level of data protection comparable to that of the EU.
For example, US companies are obliged to disclose personal data to security authorities without you, as the data subject, being able to take legal action against this. It cannot therefore be ruled out that US authorities (e.g. secret services) may process, evaluate and permanently store your data stored on US servers for surveillance purposes.
We have no direct influence on these processing activities, but the risk can be minimised by appropriate contractual arrangements (EU standard contractual clauses). The standard contractual clauses have been established by the EU and can be found here: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj. In a data protection impact assessment for third countries (third country impact assessment, TIA), we regularly check whether the risk is adequately controlled. If you have any questions about the technical and organisational measures, please contact our data protection officer.
Since 11 July 2023, there has also been an adequacy decision by the EU Commission pursuant to Art. 45 GDPR, the EU-US data protection framework. Only in the event that a US company certifies itself in the associated database and joins this network has the EU determined that the US is considered a safe third country for these companies. We will note the transfer to unsafe third countries with the relevant processor. You can check for yourself at https://www.dataprivacyframework.gov/ whether the company is still registered there.
4.3 Storage Period
Unless a more specific storage period is specified in this privacy policy, your personal data will remain with us until the purpose for data processing no longer applies. If you assert a legitimate request for deletion or revoke your consent to data processing, your data will be deleted unless we have other legally permissible reasons for storing your personal data (e.g. tax or commercial law retention periods); in this case, the data will be deleted once these reasons no longer apply.
4.4 Withdrawal of Your Consent to Data Processing
Many data processing operations are only possible with your express consent in accordance with Art. 7 GDPR. You can revoke consent you have already given at any time in accordance with paragraph 3. The legality of the data processing carried out until the revocation remains unaffected by the revocation.
4.5 Right to Object to Data Collection in Specific Cases and Direct Marketing Pursuant to Art. 21 GDPR
IF DATA PROCESSING IS BASED ON ART. 6 PAR. 1 E) OR F) GDPR, YOU HAVE THE RIGHT TO OBJECT TO THE PROCESSING OF YOUR PERSONAL DATA AT ANY TIME FOR REASONS ARISING FROM YOUR PARTICULAR SITUATION; THIS ALSO APPLIES TO PROFILING BASED ON THESE PROVISIONS. THE RESPECTIVE LEGAL BASIS ON WHICH PROCESSING IS BASED CAN BE FOUND IN THIS DATA PROTECTION DECLARATION. IF YOU OBJECT, WE WILL NO LONGER PROCESS YOUR PERSONAL DATA, UNLESS WE CAN PROVE THAT THERE ARE COMPELLING LEGITIMATE GROUNDS FOR THE PROCESSING THAT OVERRIDE YOUR INTERESTS, RIGHTS AND FREEDOMS, OR THE PROCESSING SERVES THE ASSERTION, EXERCISE OR DEFENCE OF LEGAL CLAIMS (OBJECTION PURSUANT TO ART. 21(1) GDPR).
IF YOUR PERSONAL DATA IS PROCESSED FOR DIRECT MARKETING PURPOSES, YOU HAVE THE RIGHT TO OBJECT AT ANY TIME TO THE PROCESSING OF PERSONAL DATA CONCERNING YOU FOR THE PURPOSE OF SUCH MARKETING; THIS ALSO APPLIES TO PROFILING, INSOFAR AS IT IS RELATED TO SUCH DIRECT MARKETING. IF YOU OBJECT, YOUR PERSONAL DATA WILL NO LONGER BE USED FOR DIRECT MARKETING PURPOSES (OBJECTION PURSUANT TO ART. 21(2) GDPR).
4.6 Right to Lodge a Complaint with the Competent Supervisory Authority Pursuant to Art. 57(1)(f) GDPR
In the event of violations of the GDPR, data subjects have the right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, place of work or place of the alleged violation. The right to lodge a complaint exists without prejudice to any other administrative or judicial remedies.
4.7 Right to Data Portability Pursuant to Art. 20 GDPR
You have the right to have data that we process automatically on the basis of your consent or in fulfilment of a contract handed over to you or to a third party in a common, machine-readable format. If you request the direct transfer of the data to another controller, this will only be done if it is technically feasible.
4.8 SSL or TLS Encryption
When SSL or TLS encryption is enabled, the data you transmit to us cannot be read by third parties.
4.9 Information, Deletion and Correction
Within the framework of the applicable legal provisions, you have the right at any time under Art. 15 GDPR to obtain information free of charge about your stored personal data, its origin and recipients, and the purpose of data processing, and, if applicable, a right to correction under Art. 16 GDPR or deletion of this data under Art. 17 GDPR. You can contact us at any time if you have any further questions on this or other topics relating to personal data.
4.10 Right to Restriction of Processing
Under Art. 18 of the GDPR, you have the right to request the restriction of the processing of your personal data. You can contact us at any time to exercise this right. The right to restrict processing applies in the following cases:
- If you dispute the accuracy of your personal data stored by us, we will usually need time to verify this. For the duration of the verification, you have the right to request the restriction of the processing of your personal data.
- If the processing of your personal data was/is unlawful, you can request the restriction of data processing instead of deletion.
- If we no longer need your personal data, but you need it to exercise, defend or assert legal claims, you have the right to request the restriction of the processing of your personal data instead of its deletion.
- If you have lodged an objection pursuant to Art. 21 GDPR, a balance must be struck between your interests and ours. Until it has been determined whose interests prevail, you have the right to request that the processing of your personal data be restricted.
If you have restricted the processing of your personal data, this data – apart from its storage – may only be processed with your consent or for the assertion, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the European Union or a Member State.
4.11 Objection to Advertising E-Mails
The use of contact data published on these web pages, for example in the imprint or privacy policy, for the purpose of sending unsolicited advertising and information materials is hereby prohibited. The operators of these pages expressly reserve the right to take legal action in the event of unsolicited advertising information being sent.
5. Provision of Network Content and Applications (Apps)
Here we describe the provision of network content (hosting). In simple terms, a website is transmitted from a computer (host) from one location. To do this, we need to process and log your IP address and other metadata. Processing is generally based on our legitimate interest in effective external communication. If the relevant consent has been requested, processing is carried out on the basis of Art. 6 (1) a) GDPR and in conjunction with § 25 (1) TDDDG, insofar as the consent includes the storage of cookies or access to information on the user's end device (e.g. device fingerprinting) within the meaning of the TDDDG. Content delivery networks (CDNs) are used to counter certain attacks and to accelerate and optimise access. These serve to ensure efficient and secure delivery worldwide by directing your page request to the country and computer that can process it most efficiently. Therefore, when using a content delivery network, we necessarily process your data in unsafe third countries, such as the USA; see section 4.2 Note on processing in ‘unsafe third countries’ for more information. If we offer applications (apps) for mobile devices, these usually also access this network content; see section 12. Other Services. The data is stored for as long as necessary, usually for a maximum of twelve months.
5.1 External Hosting
5.1.1 External Hosting GBC
We host our websites at GBC GmbH Internet Service Center Ingenieurgesellschaft für Systemsoftware und Kommunikationstechnik, Steingrüble 9, 72336 Balingen, Germany. For details about their company, please refer to their privacy policy: www.gbc.net/datenschutz
5.2 Content Delivery Networks (CDN)
This site uses content delivery networks (CDNs) based on our legitimate interest in providing popular online libraries and web fonts, thereby increasing effectiveness and making the site more secure against attacks. Access is then made directly to the operators' servers, so that data such as the calling IP address, referrer, browser information, etc. is collected there. The legal basis for this is our legitimate interest in presenting our site in a way that meets your needs and optimises the user experience. You can prevent CDN from collecting and processing your data by deactivating the execution of script code in your browser or installing a script blocker in your browser (you can find one at www.noscript.net, for example). However, the site will then no longer function properly.
6. Data Collection on these Web Pages in Detail
6.1 Server Logs
The provider (host) of the pages automatically collects and logs information in so-called server log files, which your browser automatically transmits to us with each request. These are:
- Browser type, language and version of the browser,
- operating system used and its interface,
- page from which the request originates (referrer),
- hostname of the accessing computer,
- date and time of the request, time zone difference to Coordinated Universal Time (UTC),
- IP address,
- content of the request (specific page name),
- access status/HTTP status code,
- amount of data transferred each time
This data is not combined with other data sources.
This data is collected on the basis of a legitimate interest. The website operator has a legitimate interest in the technically error-free presentation and optimisation of its pages – for this purpose, the server log files must be collected.
6.2 Cookies in the Browser
Our websites use so-called ‘cookies’. Cookies are small text files and do not cause any damage to your device. They are either stored temporarily for the duration of a session (session cookies) or permanently (permanent cookies) on your device. Session cookies are automatically deleted at the end of your visit. Permanent cookies remain stored on your device until you delete them yourself or your browser automatically deletes them. The browser is the application you use to access and display certain websites. Smartphone applications can also use a browser to display websites.
In some cases, cookies from third-party companies may also be stored on your device when you visit our website (third-party cookies). These enable us or you to use certain services provided by the third-party company (e.g. cookies for processing payment services).
Cookies have various functions. Numerous cookies are technically necessary, as certain website functions would not work without them (e.g. the shopping basket function or the display of videos). Other cookies are used to evaluate user behaviour or display advertising. They are used on the basis of our legitimate interest.
Cookies that are necessary for certain functions you have requested (e.g. for the shopping basket function) or for optimising the website (e.g. cookies for measuring and assigning page views) (necessary cookies) are stored on the basis of legitimate interest, unless another legal basis is specified. The website operator has a legitimate interest in storing necessary cookies for the technically error-free and optimised provision of its services. If consent to the storage of cookies and comparable recognition technologies has been requested, processing is carried out exclusively on the basis of this consent in accordance with Art. 6 (1) a) GDPR and § 25 (1) TDDDG. Consent can be revoked at any time. Due to legal requirements, we must store your consent in accordance with Art. 6 (1) c) GDPR and § 25 (1) TDDDG. This is implemented via a consent technology in the form of cookies.
You can set your browser so that you are informed about the setting of cookies and only allow cookies in individual cases, exclude the acceptance of cookies for certain cases or in general, and activate the automatic deletion of cookies when closing the browser. If you deactivate cookies, the functionality of this website may be restricted.
If cookies are used by third-party companies or for analysis purposes, we will inform you separately in this privacy policy and, if necessary, ask for your consent.
6.2.1 Consent with Real Cookie Banner for WordPress
Our website uses the Real Cookie Banner from devowl.io GmbH, Tannet 12, 94539 Grafling, which operates locally on WordPress, and cookies to obtain your consent to the storage of certain cookies on your device or to the use of certain technologies and to document this in accordance with data protection regulations.
When you visit our websites, you will be asked to give your consent and other declarations regarding the use of cookies. We then store a cookie in your browser so that we can assign the consents you have given, your rejection or your revocation. The data collected in this way is stored until you request us to delete it, delete the cookie yourself or the purpose for data storage no longer applies, but for a maximum of one year. The collection and documentation of consent is required by law. The legal basis for processing is Art. 6 (1) (c) GDPR.
6.3 Contact Form
If you send us enquiries via the contact form, your details from the enquiry form, including the contact details you provided there, will be stored by us for the purpose of processing the enquiry and in case of follow-up questions. We will not pass on this data without your consent.
This data is processed on the basis of Art. 6 (1) b) GDPR, provided that your enquiry is related to the performance of a contract or is necessary for the implementation of pre-contractual measures. In all other cases, the processing is based on our legitimate interest in the effective processing of enquiries addressed to us or on your consent in accordance with Art. 6 (1) a) GDPR, provided that this has been requested.
The data you enter in the contact form will remain with us until you request us to delete it, revoke your consent to its storage, or the purpose for data storage no longer applies (e.g. after your enquiry has been processed). Mandatory legal provisions – in particular retention periods – remain unaffected.
6.4 Enquiry by E-mail, Telephone or Fax
If you contact us by email, telephone or fax, your enquiry, including all personal data arising from it (name, enquiry), will be stored and processed by us for the purpose of processing your request. We will not pass on this data without your consent.
This data is processed on the basis of Art. 6 (1) b) GDPR, provided that your enquiry is related to the performance of a contract or is necessary for the implementation of pre-contractual measures. In all other cases, the processing is based on our legitimate interest in the effective processing of enquiries addressed to us or on your consent (Art. 6 para. 1 a) GDPR), provided that this has been requested.
The data you send us via contact requests will remain with us until you request us to delete it, revoke your consent to its storage, or the purpose for data storage no longer applies (e.g. after your request has been processed). Mandatory legal provisions – in particular retention periods – remain unaffected.
7. Newsletters and Advertising Letters, with Data Analysis if Necessary
If you would like to receive the newsletter offered on the website, we need your email address and information that allows us to verify that you are the owner of the email address provided and that you agree to receive the newsletter. This is usually done by means of a confirmation email that you must click on (double opt-in). We store the data from this confirmation as proof of your consent. Further data is only collected on a voluntary basis. In order to be able to write to you personally, we ask you to provide your title and name. We use service providers described below to process the newsletter.
Data processing is based on your consent in accordance with Art. 6 (1) a) GDPR, which you may revoke at any time with future effect. To do so, we provide a link in every message that you can click on, or you can simply write to us. The legality of data processing operations that have already taken place remains unaffected by the revocation. If necessary, you can also unsubscribe from the newsletter directly on the website.
Only if we expressly and separately indicate this during registration does your consent also include the right to observe predefined actions in the newsletters through measures such as individualised links or downloaded graphics, for example, whether you read the newsletter, buy something, follow the links listed there (conversion rate), or which parts of it interest you, in order to make our newsletters more effective and, if necessary, to remind you to read them if you have not opened a newsletter. If necessary, we also personalise newsletters according to various interest categories, such as age, gender, place of residence, provided you have submitted this data.
Insofar as we send advertising letters to business entities based on our own research or from address sellers that are not based on your documented consent, the legal basis is the legitimate interest in advertising (see Recital 47 GDPR), which we have carefully checked to ensure that it meets the criteria for presumed consent under German law in accordance with Section 7 UWG. The additional analysis methods mentioned above are then not used due to the lack of consent. You can object to this use of your data at any time. In the cover letter, we will inform you where we obtained your address and, if applicable, how long we will use it. If you enter into an active business relationship, your contact details will then be stored for the duration of that relationship.
Your data will be deleted as soon as it is no longer required for the purpose for which it was collected. Your email address will therefore be stored for as long as your subscription is active. You can cancel your subscription at any time by revoking your consent or objecting to the sending of emails. For this purpose, a corresponding link is included in every newsletter.
After you unsubscribe from the newsletter distribution list, your email address will be stored in a Robinson list to prevent future mailings. The data from the Robinson list will only be used for this purpose and will not be merged with other data. This serves both your and our legitimate interest in complying with legal requirements when sending newsletters. There is no time limit on storage in the Robinson list, but for reasons of data minimisation, we reserve the right to review it regularly after ten years. You can object to the storage of your data, but in that case we cannot rule out the possibility that we will send you advertising letters again.
Due to the global distribution of emails, the newsletters are also processed in so-called unsafe third countries.
7.1 CleverReach
This site uses CleverReach to send newsletters. The provider is CleverReach GmbH & Co. KG, Schafjückenweg 2, 26180 Rastede, Germany (hereinafter referred to as ‘CleverReach’). The data you provide when subscribing to the newsletter will be processed on servers in Germany or Ireland.
Further information about CleverReach's data analysis services can be found at: www.cleverreach.com/de/funktionen/reporting-und-tracking
The data stored with us for the purpose of providing you with our newsletter will be stored by us or by the newsletter service provider until you unsubscribe from the newsletter and will be deleted from the distribution list after you unsubscribe from the newsletter. Data stored by us for other purposes remains unaffected by this.
Further information can be found at: www.cleverreach.com/de/datenschutz
8. Social Media – Collaborative Media
8.1 General Information
We maintain publicly accessible profiles on so-called ‘social’ networks. The specific networks we use are listed below.
Networks such as Facebook, Twitter, etc. can usually analyse your user behaviour comprehensively when you visit their website or a website with integrated social media content (such as ‘likes’ or advertising banners). Visiting our social media sites triggers numerous data processing operations that are relevant to data protection. Specifically: If you are logged into your social media account and visit our social media presence, the operator of the social media portal can assign this visit to your user account. However, your personal data may also be collected if you are not logged in or do not have an account with the respective social media portal. In this case, this data collection takes place, for example, via cookies stored on your device or by recording your IP address.
With the help of the data collected in this way, the operators of social media portals can create user profiles that store your preferences and interests. This allows interest-based advertising to be displayed to you both within and outside the respective social media presence. If you have an account with the respective social network, interest-based advertising can be displayed on all devices on which you are or were logged in.
Please also note that we cannot track all processing operations on social media portals. Depending on the provider, further processing operations may therefore be carried out by the operators of the social media portals. For details, please refer to the terms of use and privacy policies of the respective social media portals.
Our social media presence is intended to ensure the most comprehensive presence possible on the Internet. This is a legitimate interest. The analysis processes initiated by social networks may be based on different legal grounds, which must be specified by the operators of the social networks, such as consent and contract in accordance with Art. 6 (1) a) or b) GDPR.
When you visit one of our social media sites, we are generally responsible, together with the operator of the social media platform, for the data processing operations triggered by this visit. You can assert your rights (information, correction, deletion, restriction of processing, data portability and complaint) both against us and against the operator of the respective social media portal.
Please note that despite our joint responsibility with the social media portal operators, we do not have full control over the data processing operations of the social media portals. Our options are largely determined by the corporate policy of the respective provider and the joint responsibility agreements.
The data collected directly by us via our social media presence will be deleted from our systems as soon as you request deletion, revoke your consent to storage, or the purpose for data storage no longer applies. Stored cookies remain on your device until you delete them. Mandatory legal provisions – in particular retention periods – remain unaffected.
We have no influence on the storage period of your data, which is stored by the operators of social networks for their own purposes. For details, please contact the operators of the social networks directly.
8.2 Networks in Detail
We are active on the following networks:
- www.facebook.com/vbmgermany
- www.instagram.com/vbm_medical
- www.instagram.com/vbm_ausbildung
- www.linkedin.com/company/vbmgermany
- www.xing.com/pages/vbmmedizintechnikgmbh
8.2.1 Meta Services Facebook and Instagram
We use the services of Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.
If consent has been obtained, the use of the above-mentioned services is based on Art. 6 (1) a) GDPR and § 25 TDDDG. Consent can be revoked at any time. If consent has not been obtained, the use of the service is based on our legitimate interest in achieving the widest possible visibility on social media and in relation to our joint responsibility with Meta on the basis of a contract to this effect.
The parent company of Facebook and Instagram, Meta Platforms, Inc., 1601 Willow Rd, Menlo Park, California 94025-1453, United States, is located in an unsafe third country. Data transfers to the United States are based on the standard contractual clauses of the European Commission. Details can be found here: https://www.facebook.com/legal/EU_data_transfer_addendum and https://de-de.facebook.com/help/566994660333381. In addition, the US will continue to be considered safe as long as the EU Commission's adequacy decision remains in force and Meta participates in the TADPF. It currently does so: https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt0000000GnywAAC&status=Active
We have entered into a joint processing agreement (Controller Addendum) with Facebook. This agreement specifies which data processing operations we and Facebook are responsible for when you visit our Facebook page. You can view this agreement at the following link: https://www.facebook.com/legal/terms/page_controller_addendum
For details, please refer to Facebook's privacy policy: https://www.facebook.com/about/privacy/
8.2.1.1 Meta Facebook Profile
We have a profile on Facebook. You can adjust your advertising settings yourself in your user account. To do so, click on the following link and log in: https://www.facebook.com/settings?tab=ads
8.2.1.2 Meta Instagram Page
We have a profile on Instagram. Details on data processing can be found here: https://www.facebook.com/legal/EU_data_transfer_addendum, https://help.instagram.com/519522125107875 and https://de-de.facebook.com/help/566994660333381. For details on how they handle your personal data, please refer to Instagram's privacy policy: https://help.instagram.com/519522125107875.
8.2.2 LinkedIn Profile
We have a profile on LinkedIn. The provider is LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland. LinkedIn uses advertising cookies. If you wish to disable LinkedIn advertising cookies, please use the following link: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out
Data transfer to the USA is based on the standard contractual clauses of the EU Commission. Details can be found here: https://www.linkedin.com/legal/l/dpa and https://www.linkedin.com/legal/l/eu-sccs. As long as the EU Commission's adequacy decision remains in force and LinkedIn continues to be registered with the TADPF, the United States is considered a safe third country.
For details on how they handle your personal data, please refer to LinkedIn's privacy policy: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out
8.2.3 XING Profile
We have a profile on XING. The provider is New Work SE, Dammtorstraße 30, 20354 Hamburg, Germany. When you write entries on Xing, these and your metadata are processed there. We have concluded a joint responsibility agreement with XING. Your data will therefore be processed on the basis of your consent and this agreement. Details on how they handle your personal data can be found in XING's privacy policy: https://privacy.xing.com/de/datenschutzerklaerung
9. Analysis Tools and Advertising
9.1 Google General
We use Google services for many purposes, including analysis and advertising. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
The use of Google services is based on our legitimate interest in ensuring that our offerings function and are marketed as effectively as possible.
In rare cases, your data may be processed in so-called unsafe third countries, such as the USA. The transfer of data from Google Ireland Limited to Google's parent company in the USA, other subcontractors and other unsafe third countries is based on the standard contractual clauses of the EU Commission. The USA is not considered an unsafe third country as long as the Commission's current adequacy decision remains in force and Google LLC continues to participate in the EU-US data protection framework.
If consent has been requested, processing will take place exclusively on the basis of Art. 6 (1) a) GDPR and § 25 (1) TDDDG, insofar as the consent includes the storage of cookies or access to information on the user's terminal device (e.g. digital fingerprint) within the meaning of the TDDDG. Consent can be revoked at any time.
You can prevent these cookies from being stored on your computer by adjusting your browser settings accordingly. However, this may mean that you will no longer be able to use the contents of this website to the same extent. By consenting to processing by Google, you agree to the processing of data collected about you in the manner and for the purpose described above.
If you have a Google account, you can opt out of personalised advertising by following this link: https://www.google.com/settings/ads/onweb/. For further information on how to object to the advertisements displayed by Google, please refer to the following links: https://policies.google.com/technologies/ads and https://adssettings.google.com/authenticated
You can prevent Google from collecting and processing your data by downloading and installing the browser extension (plugin) available at the following link: https://tools.google.com/dlpage/gaoptout?hl=de
For more information about how Google handles user data, please refer to Google's privacy policy at https://policies.google.com/privacy?hl=de, the legal framework for data export to so-called unsafe third countries: https://policies.google.com/privacy/frameworks and the standard contractual clauses in this context https://privacy.google.com/businesses/controllerterms/mccs
Data processing conditions specifically for advertising: https://business.safety.google/intl/de/adsprocessorterms
10. Extensions and other Services
10.1 Google
We use Google services. For general information, see section 9.1.
10.1.1 reCAPTCHA
We use Google's “reCAPTCHA” on this website to determine whether the data entered on this website (e.g., information entered in a contact form) originates from a human user or an automated program. To do this, reCAPTCHA analyzes the behavior of website visitors based on a variety of parameters. This analysis is triggered automatically as soon as the visitor accesses the page. For this analysis, reCAPTCHA evaluates various data (e.g., IP address, length of time the visitor stays on the page, or mouse movements made by the user). The data collected during such analyses is forwarded to Google. reCAPTCHA analyses usually run completely in the background. Visitors to the site are not specifically informed that an analysis is being performed. If reCAPTCHA does not reach a clear result, you must solve a puzzle, usually a picture puzzle. If a corresponding declaration of consent has been provided, the data will be processed exclusively on the basis of Art. 6 (1) (a) GDPR. Such consent can be revoked at any time.
10.2 Vimeo
This website embeds videos from the video portal Vimeo. The operator of the site is Vimeo Inc., 555 West 18th Street, New York, New York 10011, USA.
We use Vimeo in the extended data protection mode ‘Do-not-Track’. This mode means that Vimeo does not set a cookie when you play a video via our website. When you visit one of our pages featuring a Vimeo video, a connection to the Vimeo servers is established. The Vimeo server is informed which of our pages you have visited. Vimeo also obtains your IP address. This applies even if you are not logged in to Vimeo or do not have a Vimeo account. The information collected by the provider is transmitted to its servers in the United States. If you are logged in to this provider, you enable it to assign your usage behaviour directly to your personal profile. You can prevent this by logging out there.
The use of Vimeo is in the interest of an appealing presentation of our online offerings. This constitutes a legitimate interest. If consent has been requested, processing is carried out exclusively on the basis of Art. 6 (1) a) GDPR and § 25 (1) TDDDG, insofar as the consent includes the storage of cookies or access to information on the user's end device (e.g., device fingerprinting) within the meaning of the TDDDG. Consent can be revoked at any time.
Data transfer to the US is based on the standard contractual clauses of the EU Commission and, according to Vimeo, on “legitimate business interests.” For more information on how user data is handled, please refer to Vimeo's privacy policy at: vimeo.com/privacy
10.3 Web fonts (locally hosted)
This site uses web fonts, which we host locally, to ensure consistent font display. When you visit a page, your browser loads the required web fonts into your browser cache to display text and fonts correctly.
11. Telephone, Audio & Video
11.1 General
We use digital conference services, among other things, to communicate with our business partners. The specific services we use are listed below. When you communicate with us via video, chat or audio, your personal data is collected and processed by us and the provider of the respective (conference) service.
We collect all data that you disclose (e-mail address or telephone number, image, text, sound). We also process the duration, start and end of participation, number of participants and other ‘contextual information’ related to the communication process (metadata).
Furthermore, we process all technical data necessary for the processing of online communication. This includes, in particular, IP addresses, MAC addresses, device number, type, operating system type and version, client version, camera type, microphone or loudspeaker, and the type of connection. If content is exchanged, uploaded or otherwise made available within the service, it may be temporarily stored on the service provider's servers. Such content includes, in particular, cloud recordings, chat or instant messages, call recordings, uploaded photos and videos, files, drawings and other information shared while using the service.
Please note that we do not have full control over the data processing operations of the services used. Our options are largely determined by the corporate policy of the respective provider. For further information on data processing by the conference services, please refer to the individual descriptions listed below this text.
We use these services in accordance with Art. 6 (1) b) GDPR to communicate with prospective or existing contractual partners or to offer certain services to our customers, as well as to simplify and accelerate communication with us or our company in general (legitimate interest). If consent has been requested, for example to record a conference, the use of the relevant applications is based on this consent; consent can be revoked at any time with effect for the future. In this case, the application can no longer be used.
If and to the extent that you are notified of this statement before the start of the conference, your data will be recorded or processed by artificial intelligence for transcription or translation. This is usually done on the basis of legitimate interest. You can object to this. If you provide particularly sensitive data in accordance with Art. 9 f. GDPR, this is done on the basis of your consent. Employees who communicate privately are hereby informed that this is done on the basis of their consent. The storage of data on the basis of consent can be revoked at any time. In this case, the data will be deleted and can no longer be used, which may be contrary to the original purpose of storage.
The data collected directly by us via the video and conference services will be deleted from our systems as soon as you request us to do so, revoke your consent to storage or the purpose for data storage no longer applies. Stored cookies remain on your device until you delete them. Mandatory legal retention periods remain unaffected.
We have no influence on the storage period of your data, which may be stored by the operators of the conference services for their own purposes or on your behalf. For details, please contact the operators of the conference services directly.
We use the following conference applications:
11.2 Microsoft Teams Ireland
We use Microsoft Teams. The provider is Microsoft Ireland Operations Limited, The Atrium Building, Block B, Carmanhall Road, Sandyford Business Estate, Dublin 18, registered office: 70 Sir Rogerson's Quay, Dublin 2, Ireland. In rare support cases, the parent company, Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, United States of America, has access to your data as a sub-processor. The USA is generally considered an unsafe third country. This access is secured by standard data protection clauses. The USA is currently considered a safe third country because there is a valid adequacy decision and Microsoft meets the condition of participating in the TADPF. In addition, we use a data protection impact assessment to ensure that data processing in unsafe third countries also meets the requirements of the GDPR. For details on data processing, please refer to the Microsoft Teams privacy statement: https://privacy.microsoft.com/de-de/privacystatement
11.3 Video Surveillance
Insofar as reference is made to this privacy policy on a video sign, it serves to monitor publicly or non-publicly accessible areas in order to protect property rights, control access, deter and prosecute criminal offences to the detriment of visitors, employees or the operator.
The legal basis and purposes of processing are stated on the video sign. There is a legitimate interest in improving the security of the company. Insofar as sales stands or gaming machines are present, the legal basis for these areas is additionally Art. 6 I c) GDPR in conjunction with § 15 SGB VII, § 7 DGUV Regulation 25. Insofar as employees are affected, Art. 26 BDSG is additionally observed. This affects visitors on important routes and in areas that are particularly at risk, as well as potential offenders who gain access to parts of the company premises that are not open to the public.
Image and video data are recorded, but no audio recordings are made, no biometric analysis is carried out and filming never takes place in sanitary facilities or changing rooms. No data is transferred to third countries outside the EEA or to international organisations. If no incidents occur, the video data is deleted after 72 hours. The data is used for legal prosecution and handed over to law enforcement authorities in cases of justified requests. It is then deleted when it is no longer needed. You can object to this processing by contacting the controller, provided that it is based on a balancing of interests.
12. Other Services
12.1 Handling Applicant Data
We offer you the opportunity to apply for a position with us (e.g. by email, post or via our online application form). Below, we provide information about the scope, purpose and use of your personal data collected during the application process. We assure you that the collection, processing and use of your data will be carried out in accordance with applicable data protection law and all other legal provisions, and that your data will be treated as strictly confidential.
When you send us an application, we process your associated personal data (e.g. contact and communication data, application documents, notes taken during interviews, etc.) to the extent necessary to decide whether to establish an employment relationship. The legal basis for this is Section 26 of the German Federal Data Protection Act (BDSG) (initiation of an employment relationship), Article 6(1)(b) of the GDPR (general contract initiation) and – if you have given your consent – Article 6(1)(a) of the GDPR. If you provide information on special categories of data pursuant to Art. 9 or 10 GDPR, such as health data, criminal offences, world views or political views, in accompanying documents, free text fields or similar, filling in this information constitutes your consent to our processing of this data. Your consent can be revoked at any time. Your personal data will only be passed on within our company to persons involved in processing your application.
If your application is successful, the data you submit will be stored in our data processing systems for the purpose of implementing the employment relationship on the basis of Art. 6 (1) b) GDPR (Art. 88 GDPR) and § 26 BDSG.
If we are unable to offer you a position, you decline a job offer or withdraw your application, we reserve the right to store the data you have provided for up to 6 months after the end of the application process (rejection or withdrawal of the application) on the basis of our legitimate interests for documentation purposes in accordance with the General Equal Treatment Act (AGG). The data will then be deleted and the physical application documents destroyed. The storage serves in particular as evidence in the event of a legal dispute. If it is apparent that the data will be required after the expiry of the six-month period (e.g. due to an impending or pending legal dispute), deletion will only take place when the purpose for further storage no longer applies.
Longer storage may also take place if you have given your consent in accordance with Art. 6 (1) a) GDPR or if statutory retention obligations prevent deletion. If we do not offer you a position, we may add you to our waiting list (applicant pool). If you are added to the waiting list, all documents and information from your application will be transferred to the waiting list so that we can contact you if a suitable vacancy arises. You will only be added to the waiting list if you have given your express consent (Art. 6 (1) (a) GDPR). Giving your consent is voluntary and is not related to the current application process. The data subject may revoke their consent at any time. In this case, the data will be irrevocably deleted from the waiting list, unless there are legal reasons for retention. The data from the waiting list will be irrevocably deleted no later than two years after consent has been given.
If we use subcontractors, we naturally ensure that the subcontractor has taken all necessary technical and organisational measures to ensure data protection for the online application process. All of their employees are also bound to maintain confidentiality regarding personal data. Subcontractors may commission so-called sub-contractors from so-called unsafe third countries and use necessary cookies in accordance with Art. 6 (1) f) GDPR to ensure smooth, worldwide access to the portal and the necessary maintenance work. This is safeguarded by appropriate guarantees such as the EU standard data contracts.
12.1.1 Applications with Perview
The technical processing of the online application procedure is handled for us by perview systems GmbH, Krohnstieg 41-43, 22415 Hamburg, in accordance with Art. 28 GDPR. HRworks GmbH, Waldkircher Str. 28, 79106 Freiburg, is solely responsible for the technical implementation and has no influence on the application process.
Your personal data and all processing steps related to your application will be stored securely on this service provider's computers exclusively within the EU/EEA. Data transmission is secured with SSL encryption. You can read more about data protection here: www.perview.de/datenschutz
12.2 kameon GRC (formerly kameon PLC)
The provision of kameon GRC is handled for us by kameon GmbH together with Microsoft Ireland Operations Limited as host (Azure Cloud). kameon GmbH, Gürtelstraße 30, 10247 Berlin, GERMANY, is solely responsible for technical implementation.
Use by our business partners at our invitation takes place within the framework of pre-contractual negotiations and, if necessary, additionally on the basis of consent. For basic functionality, we process your name, title, email address, password and, if desired, a second security factor. Depending on which module you have been invited to, additional data will be processed and service providers will be involved. The data will be stored for as long as necessary for the various purposes.
In GRC Drive, users can securely store and exchange data with any content via their computer or smartphone application, and their metadata is saved.
kameon GRC ACADAMY processes and documents data on how successfully a user has completed an online training course.
kameon GRC CONTRACT processes all inputs from contract negotiations, documents contracts, and organises and stores their signatures. If necessary, it performs auto-identification with the help of IDnow, for which video recordings of the user, their ID and their signature are processed.
The company may engage subcontractors from so-called unsafe third countries and use cookies that are necessary on the basis of legitimate interest to ensure smooth global access to the portal and the necessary maintenance work. This is safeguarded by appropriate guarantees and the EU standard data contracts.
Further information on data protection can be found at privacy.microsoft.com/de-de/privacystatement
Microsoft Ireland Operations Limited can be reached at: The Atrium Building, Block B, Carmanhall Road, Sandyford Business Estate, Dublin 18, IRELAND. In rare support cases, the parent company, Microsoft Corporation, One Microsoft Way, 98052-6399 Redmond WA, UNITED STATES OF AMERICA, may access the data. This constitutes processing in an unsafe third country, which we secure with standard data protection clauses.
13. Status:
Version 5.6.3.5 – 26.06.2025
WEB001_PID-Privacy_AB_EN