Privacy Policy

Data protection/privacy statement

Preliminary note

This data protection/privacy statement informs you about

 

- how we process your personal data (“data”) when you visit our website;

- why and on what legal basis we process the data; and

- what data protection rights and options you have.

 

The details are explained in the sections below. The structure of this statement follows that of the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG).

 

Section 17 explains a number of terms from data protection law.

 

 

Section overview

 

1. Whom do I contact if I have questions about data protection on this website?

(Contact details for the controller, obligation to provide information pursuant to point (a) of Article 13(1) GDPR)

 

2. Why do we process your data?

(Purposes of processing, obligation to provide information pursuant to point (c) of Article 13(1) GDPR)

 

3. What personal data do we process?

(Type of data processed, obligation to provide information pursuant to point (c) of Article 13(1) GDPR)

 

4. Why is this data processing permitted?

(Legal bases for processing and legitimate interest of the controller, obligation to provide information pursuant to point (c) of Article 13(1) GDPR)

 

5. To whom are my data disclosed?

(Recipients / categories of recipients, obligation to provide information pursuant to point (e) of Article 13(1) GDPR)

 

6. Who is the subject of the data processing?

(Data subjects, obligation to provide information pursuant to Article 13(1) GDPR)

 

7. Are my data transferred to a country outside the European Union (EU)?

(Transfers of data to third countries, obligation to provide information pursuant to point (f) of Article 13(1) GDPR)

 

8. How long are my data stored? When are they erased?

(Duration of data storage, obligation to provide information pursuant to point (a) of Article 13(2) GDPR)

 

9. What are my rights?

(Rights of the data subject, obligation to provide information pursuant to points (b) through (d) of Article 13(1) GDPR)

 

9.1 How do I exercise my right of access?

 

9.2 When and how can I have my data rectified?

 

9.3 When do my data have to be erased?

 

9.4 What does “right to restriction of processing” mean?

 

9.5 What does “right to data portability” mean?

 

9.6 How do I exercise my right to object?

 

9.7 How do I withdraw consent?

 

9.8 When and how do I complain to the supervisory authority?

 

10. Am I under a legal or contractual obligation to provide my data?

(Provision of data required by law or under a contract, obligation to provide information pursuant to point (e) of Article 13(2) GDPR)

 

11. Do automated decision-making processes take place in conjunction with my data?

(Existence of automated decision making, including profiling; obligation to provide information pursuant to point (f) of Article 13(2) GDPR)

 

12. What general functions and features does our website offer?

 

13. What special functions and features does our website offer?

            13.1 Data processing on our website

                        Adobe Fonts

                        Google AdSense

                        Google Analytics

                        Google Tag Manager

                        Sketchfab

            13.2 Data processing via social media plugins

                        Facebook

                        LinkedIn

                        YouTube

            13.3 Further data processing

                        Job applications

 

14. Does cooperation with processors and third parties take place?

 

15. What security measures do we take to protect your data?

 

16. Amendments to this data protection/privacy statement

 

17. Explanations of selected terms from data protection law

 

 

 

 

1. Whom do I contact if I have questions about data protection on this website?

The controller responsible for the processing of your data on this website is:

 

GRIP GmbH Handhabungstechnik

Alter Hellweg 70

44379 Dortmund, Germany

 

Phone: +49 (0)231 96 450-01

 

Represented by: Hasan Canti (Managing Director)

 

This data protection/privacy statement informs you about which data are processed when you visit our website. You are also welcome to contact us at the following e-mail address if you have further questions about data protection and privacy:

 

datenschutz@grip-gmbh.com

 

 

Article 4(7) GDPR defines “controller” as follows:

 

“‘Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.”

 

 

 

2. Why do we process your data?

We process your data to ensure the proper operation of our website and to be able to provide you with our online offerings and the content of the site. The processing also takes place in order to be able to process your contact inquiries and communicate with you.

The specific further purposes of processing are stated under numbers 12 (What general functions and features does our website offer?) and 13 (What special functions and features does our website offer?).

We process your data for purposes other than as described there only

 

- if a legal provision permits this, or

- if you have consented to the changed purpose of data processing.

 

We will inform you before reusing or continuing to use your data for purposes other than those for which the data were originally processed. We will then provide you with all relevant information regarding these other purposes.

 

 

 

3. What personal data do we process?

If you contact us by e-mail or using the form on our website, we store the data you provide (your e-mail address, where applicable your name and phone number) in order to answer your questions. We erase the data involved in this process as soon as storage thereof is no longer needed or restrict the processing thereof if there are statutory obligations of storage.

Information on further data that we process when you visit our website is provided in numbers 12 and 13 of this statement.

 

 

 

4. Why is this data processing permitted?

As a basic principle, we are permitted to process your data only if and when permitted by law or you have given permission. Numbers 12 and 13 of this data protection/privacy statement provide information on when we process your data and on what basis this takes place.

 

As a basic principle, we base our processing of your data on the following legal bases set out in the GDPR:

 

- Point (a) of Article 6(1), Article 7 GDPR: your consent;

- Point (b) of Article 6(1) GDPR: processing of your data in order to be able to perform a contract with you or to carry out contractual measures or steps prior to entering into a contract;

- Point (c) of Article 6(1) GDPR: data processing in order to comply with a legal obligation to which we are subject;

- Point (d) of Article 6(1) GDPR: when your vital interests or those of another natural person must be protected;

- Point (f) of Article 6(1) GDPR: our legitimate interest, if it overrides your interest or your fundamental rights and freedoms.

 

 

 

5. To whom are my data disclosed?

If your data are disclosed not only to us, but also to other recipients, they are listed under number 13 of this data protection/privacy statement (What special functions and features does our website offer?).

 

 

 

6. Who is the subject of the data processing?

We process the data of visitors and users of our online offering and the data of our customers, potential customers, and business partners who access it.

 

 

 

7. Are my data transferred to a country outside the European Union (EU)?

We also process your data in states outside the European Union (EU) if you have given us your consent to do so. This processing concerns the services described in section 13.

 

Note on data transfers to the United States

Our website incorporates tools provided by companies based in the United States, among others. If these tools are active, your personal data may be shared with the U.S. servers of the companies in question. Please note that the United States is not a secure third country within the meaning of EU data protection law. U.S. companies are obligated to disclose personal data to government security agencies without legal recourse for you as a data subject. It is therefore not impossible that U.S. government agencies may process, analyze, and permanently store your data that are present on U.S. servers for surveillance purposes. We have no influence over these processing activities.

 

 

 

8. How long are my data stored? When are they erased?

We erase or anonymize your data as soon as they are no longer needed for the purposes for which we have processed them and there are no statutory storage periods that conflict with the erasure thereof. If we require your data for other, legally permitted purposes, we do not erase the data. This is the case, for example, if we are required to store them for reasons of commercial or tax law. In these cases, however, we process these data on a restricted basis only, for example by blocking them.

 

With regard to your claim to erasure of data, we are guided by Article 17 GDPR (“right to be forgotten”) and Article 18 GDPR (right to restriction of processing).

 

 

 

9. What are my rights?

You have the following rights toward us with regard to your data:

 

-   right of access, Article 15 GDPR

-   right to rectification, Article 16 GDPR

-   right to erasure, Article 17 GDPR

-   right to restriction of processing, Article 18 GDPR

-   right to object to processing, Article 21 GDPR

-   right to data portability, Article 20 GDPR

-   the right to lodge a complaint with a data protection supervisory authority regarding our processing of your personal data

 

The following numbers 9.1 through 9.8 provide specific information about your rights.

 

 

 

9.1 How do I exercise my right of access?

You can request at any time that we provide information on what data concerning you we process. To do this, simply write us a letter or e-mail using the contact details provided in number 1 of this data protection/privacy statement.

 

The nature and scope of the right of access are in accordance with Article 15 GDPR.

 

 

 

9.2 When and how can I have my data rectified?

Are the data concerning you that we process incorrect? If so, you can request that we rectify them without delay. To do this, please contact us at the address provided in number 1.

 

 

 

9.3 When do my data have to be erased?

Under certain conditions, you have the right to request that we erase your data. For example, you can exercise this right if:

 

- your data are no longer needed for the purposes for which they were processed;

- processing is unlawful;

- you have objected to processing; or

- there is an obligation of erasure pursuant to European Union or German law.

 

If you would like us to erase your data, please contact us at the address provided in number 1.

 

Article 17 GDPR describes the prerequisites that must be met in order to request erasure of data.

 

 

 

9.4 What does “right to restriction of processing” mean?

Under certain conditions, you have the right to request that we restrict the processing of your data, for example if

 

- there is a dispute between you and us regarding whether the data we process concerning you are correct: for the duration of the review, we are only permitted to process your data with restrictions;

- you have a right to erasure (see above), but request that we restrict the processing of your data instead;

- we no longer need your data for the purposes pursued by us, but you need them in order to be able to establish, exercise or defend legal claims; or

- you have exercised your right to object, but there is still dispute regarding whether the objection was justified.

 

You can contact us at the address provided in number 1 to exercise your right to restriction of processing.

 

The right to restriction of processing follows from Article 18 GDPR.

 

 

 

9.5 What does “right to data portability” mean?

Pursuant to Article 20 GDPR, you have the right to receive your data that you have provided to us in a structured, commonly used and machine-readable format. To do this, please contact us at the address provided in number 1.

 

 

 

9.6 How do I exercise my right to object?

If we base the processing of your data on a weighing of interests, you can lodge an objection to the processing. If you exercise this kind of right to object, please state the reasons why we are not supposed to process your data as implemented by us. If your objection is legitimate, we will review the matter. We will then either discontinue or adjust the data processing or, where applicable, indicate to you our compelling legitimate grounds for continuing the processing.

 

Naturally, you can object to the processing of your data for purposes of marketing and data analysis at any time. You can inform us of your marketing objection via the contact information mentioned in number 1.

 

Point (f) of Article 6(1) GDPR stipulates when data processing is permissible based on a weighing of interests. This provision constitutes an exception for those cases in which processing is not possible pursuant to the alternatives in points (a) through (e) of Article 6(1). The controller’s legitimate interest in processing the data must override the data subject’s interest in this case.

The right to object to this kind of processing is stipulated in Article 21(1) GDPR.

 

 

 

9.7 How do I withdraw consent?

If you have given consent to the processing of your data, you can withdraw it at any time. If you withdraw your consent, the permissibility of processing of your data changes.

 

 

 

9.8 When and how do I complain to the supervisory authority?

If you do not agree with how we process your data or respond to your questions or concerns relating to data protection law, you can contact the supervisory authority with jurisdiction. The contact details for this authority are as follows:

 

North Rhine-Westphalia State Commissioner for Data Protection and Freedom of Information

Postfach 20 04 44

40102 Düsseldorf, Germany

 

Phone: +49 (0)211 38 424-0

Fax: +49 (0)5211 38 424-10

e-mail: poststelle@ldi.nrw.de

 

 

 

10. Am I under a legal or contractual obligation to provide my data?

You are not obligated by law or a contract or for another reason to provide us with your data on our website.

We do not need the data processed as a result of visiting our website to enter into a contract, either, unless you wish to enter into a contract with us in this way.

If you do not provide us with the data we require from you, however, you may not be able to utilize our online offerings in full.

 

 

 

11. Do automated decision-making processes take place in conjunction with my data?

No automated decision making or profiling is used on our website.

 

 

 

12. What general functions and features does our website offer?

If you use our website exclusively for your information (and do not register or transfer information to us via the site), we collect only the data your browser transmits to our server. When you view the website, we collect the following data. These data are necessary in technical terms in order to be able to display our website to you and to ensure its stability and security:

 

-       IP address

-       Date and time of the query

-       Time difference from Greenwich Mean Time (GMT)

-       Content of the request (specific page)

-       Access status/HTTP status code

-       Volume of data transferred in each case

-       Website from which the request comes

-       Browser

-       Operating system and interface

-       Browser software language and version

 

The legal basis for the processing is point (f) of Article 6(1) GDPR.

 

In addition to these data, cookies are stored on your computer if you use our website. A cookie consists of a key-value pair with the elements “key” = cookie name (e.g., dt_id) and “value” = content of the cookie (e.g., hfcjakdf3424fnewl).

This sends certain information to us. Cookies cannot execute programs or transmit viruses to your computer. They serve to make our Internet offerings more user-friendly and more efficient on the whole.

 

Use of cookies:

 

a) This website uses the following types of cookies, whose scope and functionality are explained below:

 

-       Transient cookies (see b)

-       Persistent cookies (see c)

 

b) Transient cookies are automatically erased when you close the browser. These include session cookies in particular. These cookies store what is known as a session ID, which is used to associate various queries from your browser with the same session. This makes it possible to recognize your computer if you return to our website. Session cookies are deleted when you log out or close the browser.

 

c) Persistent cookies are automatically deleted after a predetermined span of time, which may vary by cookie. You can erase these cookies in your browser’s security settings at any time.

 

d) You can configure your browser settings according to your wishes and reject third-party cookies or all cookies, for example. Please note that you may not be able to use all functions of this website.

 

 

 

13. What special functions and features does our website offer?

Our website not only provides information, but also offers various functions and services that you can use if you are interested. Generally, further data must be processed in order to use the functions and services in question. Our principles regarding data processing as outlined above apply to these data as well.

We offer the following additional functions and features on our website:

 

 

 

13.1 Data processing on our website

 

 

Adobe fonts
To display fonts uniformly, we use what are known as Web fonts. These fonts are provided by Adobe. When you access a page, your browser loads the necessary Web fonts to your browser cache in order to be able to display texts and fonts correctly. To this end, the browser you use has to connect to Adobe’s servers. This lets Adobe know that our website was accessed from your IP address. Adobe fonts are used in the interest of ensuring a consistent and appealing visualization of our online offerings. The legal basis is point (f) of Article 6(1) GDPR.

 

The provider of this service is

Adobe Systems Incorporated, 345 Park Avenue, San Jose, California 95110-2704, USA;

Adobe Systems Software Ireland Limited, 4-6 Riverwalk, City West Business Campus, Saggart, Dublin 24, Ireland.


For further information on Adobe fonts, please consult the Adobe privacy policy: https://www.adobe.com/de/privacy/policies/typekit.html

You can configure your browser settings so that the fonts are not loaded from the Adobe servers (for example, by installing add-ons such as NoScript or Ghostery). If your browser does not support the Adobe fonts or you prohibit access to the Adobe servers, the text will be displayed in your system’s default font.

 

 

Google AdSense

 

(1) This website uses the online advertising service Google AdSense, which makes it possible to present you with ads aligned toward your interests. By doing this, we are pursuing our interest in displaying ads to you that could be of interest to you in order to make our website more interesting to you. To this end, we collect statistical information about you that is processed by our advertising partners. These ads are recognizable from the “Google Ads” notice in the ad in question.

 

(2) When you visit our website, Google learns that you have accessed our site. To do this, Google uses a Web beacon to place a cookie on your computer. The data mentioned in number 12 of this statement are transferred. We have no influence over the data that are collected, nor do we know the full extent of the collection of data or the duration for which data are stored. Your data are transferred to the United States and analyzed there. If you are logged into your Google account, your data can be associated directly with that account. If you do not wish this information to be associated with your Google profile, you have to log out. It is possible that these data may be shared with contracting partners of Google and/or with third parties and government agencies. The legal basis for the processing of your data is point (f) of Article 6(1) GDPR. This website does not serve ads from third-party providers via Google AdSense.

 

(3) You can prevent the installation of the Google AdSense cookies in various ways: a) by setting your browser software accordingly; in particular, suppressing third-party cookies will cause you not to receive any ads from third-party providers; b) by deactivating the interest-based ads on Google via the link https://adssettings.google.com/anonymous?hl=de&sig=ACi0TCgFRVLzITXIWK-UYr-ydpkmpm7JXhjPb_nRPXlXhjUbv28NQlBBgLul1fTm9pJ86deAN2Ox3S4AjsNPw4W0A9Bha4EPGg; this setting is deleted if and when you erase your cookies; c) by deactivating the interest-based ads of providers that are part of the “About Ads” self-regulation campaign via the link https://optout.aboutads.info; this setting is deleted if and when you erase your cookies; and d) by permanently disabling them in your browser (Firefox, Internet Explorer, or Google Chrome) via the link https://support.google.com/ads/answer/7395996. Please note that you may not be able to use all functions of this online presence in full in this case.

 

(4) For further information on the purpose and scope of data collection and data processing and further information on your rights in this regard and setting options to protect your privacy, please contact: Google Inc., 1600 Amphitheatre Parkway, Mountain View, California 94043, USA; privacy terms for advertising: https://policies.google.com/technologies/ads?hl=de&gl=de.

 

 

Google Analytics

(1) This website uses Google Analytics, a Web analytics service of Google Inc. (“Google”), if you have given us your consent to this in our cookie banner. Google Analytics uses “cookies,” which are text files stored on your computer that enable analysis of your use of the website. The information about your use of this website that is generated by the cookie is typically transferred to a Google server in the United States and stored there. However, if you have IP anonymization activated on this website, Google will truncate (shorten) your IP address beforehand within Member States of the European Union or in other states that are signatories to the Agreement on the European Economic Area. Only in isolated instances is the full IP address transferred to a Google server in the United States and truncated there. On behalf of the operator of this website, Google will use this information to analyze your use of the website, compile reports on website activity, and provide the website operator with other services associated with website use and Internet use.

 

(2) The IP address transmitted by your browser within the scope of Google Analytics is not combined with other Google data.

 

(3) You can prevent cookies from being stored by adjusting the settings of your browser software accordingly; we do, however, point out that in this case, you may not be able to use all of the functions of this website in full. You can also prevent the information generated by the cookie with regard to your use of the website (including your IP address) from being collected and provided to Google and from being processed by Google by downloading and installing the browser plugin available at the following link: http://tools.google.com/dlpage/gaoptout?hl=de.

 

(4) This website uses Google Analytics with the addition "_anonymizeIp()." This truncates IP addresses before they are processed further, so there is no possibility of identifying individuals. To the extent that you are personally identifiable based on the data collected regarding you, this kind of identification is immediately ruled out and the personal data are thus erased right away.

 

(5) We use Google Analytics in order to analyze the use of our website and make regular improvements. The statistics gained allow us to improve our products and services and make them more interesting to you as a user. The legal basis for the use of Google Analytics is point (f) of Article 6(1) GDPR.

 

(6) Information on the third-party provider: Google Dublin, Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland, Fax: +353 (1) 436 1001.

Terms of service: https://www.google.com/analytics/terms/de.html,

Data protection/privacy overview: https://support.google.com/analytics/answer/6004245?hl=de, and the privacy policy: https://policies.google.com/privacy?hl=de&gl=de.

 

 

Google Tag Manager

We also use Google Tag Manager. This service can be used to manage website tags. Google Tag Manager only sets up tags, which are code used to measure visitor volumes and visitor behavior. The tags come from other services – in our case, Google Analytics (see above). Via Google Tag Manager, these tags are merely managed. No cookies are set, nor are any personal data collected. If tracking has been deactivated, this also applies to all tracking tags managed with Google Tag Manager.

 

 

Sketchfab Plugin

We use a plugin from the provider Sketchfab on this website that makes it possible to easily publish and find 3D content online. Headquarters:

Sketchfab, Inc., 1123 Broadway, Ste. 501, New York, NY 10010, USA

If you access a page that contains this type of plugin, your browser establishes a direct connection to the Sketchfab servers. This plugin transfers log data to the Sketchfab server in the United States in the process. These log data may include your IP address, the address of the websites visited, the type of browser and browser settings, date and time of your query, how you use Sketchfab, and cookies.

To be able to view our 3D models on this website, you are therefore required to actively accept marketing cookies or view the 3D content directly at Sketchfab.

These data are stored and analyzed on the basis of point (f) of Article 6(1) GDPR. The website operator has a legitimate interest in visualizing its products as extensively as possible. Where consent to this has been solicited, the processing takes place exclusively on the basis of point (a) of Article 6(1) GDPR; consent can be withdrawn at any time.

For further information on the purpose, scope, and further processing and use of the data by Sketchfab and on your rights in this regard and options for protecting your privacy, please see the Sketchfab privacy policy: https://sketchfab.com/privacy.

 

 

 

13.2 Data processing via social media plugins

 

 

Facebook

When you visit our Facebook page, via which we present our company or individual products from our product range, certain information about you is collected. The sole controller responsible for this processing of personal data is Facebook Ireland Ltd. (Ireland/EU – “Facebook”). For further information on the processing of personal data by Facebook, please see https://www.facebook.com/privacy/explanation.

Facebook offers the option to object to certain types of data processing; for information and opt-out options in this regard, please visit https://www.facebook.com/settings?tab=ads.

Facebook provides us, for our Facebook page, with anonymized statistics and insights we use to derive insight into the types of actions people take on our site (“page insights”). These page insights are created on the basis of certain information about persons who have visited our site. This processing of personal data is performed by Facebook and us as joint controllers. The processing serves our legitimate interest in analyzing the types of actions taken on our site and using these insights to improve our site. The legal basis for this processing is point (f) of Article 6(1) GDPR. We cannot associate the information obtained via the page insights with individual Facebook profiles that interact with our Facebook page. We have entered into an agreement with Facebook regarding processing as joint controllers in which the distribution of obligations under data protection law between us and Facebook is stipulated. For details of the processing of personal data to generate page insights and the agreement between us and Facebook, please see https://www.facebook.com/legal/terms/information_about_page_insights_data.

With regard to this data processing, you have the option to assert your rights as a data subject (on this point, see “Your rights”) toward Facebook as well. For more information on this, please see the Facebook privacy policy at https://www.facebook.com/privacy/explanation.

Please note that according to Facebook’s privacy policy, user data are also processed in the United States or other third countries.

 

 

LinkedIn

As a basic principle, LinkedIn Ireland Unlimited Company (Ireland/EU – “LinkedIn”) is the sole controller responsible for the processing of personal data when you visit our LinkedIn page. For further information on the processing of personal data by LinkedIn, please see https://www.linkedin.com/legal/privacy-policy?trk=homepage-basic_footer-privacy-policy.

If you visit our LinkedIn company page, follow this page, or interact with the page, LinkedIn processes personal data to provide us with anonymized statistics and insights. In this way, we learn how visitors act on our page (“page insights”). LinkedIn processes, in particular, data that you have provided in your profile, such as data on your position or title, country, industry, length of service, company size, and employment status. LinkedIn will also process information on how you interact with our LinkedIn company page (e.g., whether you are a follower of our LinkedIn company page). LinkedIn does not provide us with any personal data concerning you via the page insights. We can only access the summarized page insights. It is not possible to draw conclusions regarding individual members.

The processing of personal data within the scope of page insights takes place through LinkedIn and us as joint controllers. The processing serves the following legitimate interest: We analyze what actions are implemented on our LinkedIn company page and use the insights gleaned to improve our company page. The legal basis for this processing is point (f) of Article 6(1) GDPR. We have entered into an agreement with LinkedIn regarding processing as joint controllers in which the distribution of obligations under data protection law between us and LinkedIn is stipulated. This agreement is accessible at: https://legal.linkedin.com/pages-joint-controller-addendum. According to this agreement, the following applies:

- LinkedIn is responsible for ensuring that you can exercise the rights to which you are entitled under the GDPR. To this end, you can contact LinkedIn online via the following link (https://www.linkedin.com/help/linkedin/ask/PPQ?lang=de) or using the contact details provided in the privacy policy. You can reach the data protection officer at LinkedIn Ireland via the following link: https://www.linkedin.com/help/linkedin/ask/TSO-DPO. You can also contact us using the contact details stated below to exercise your rights in conjunction with the processing of personal data within the scope of the page insights. In such a case, we will pass along your inquiry to LinkedIn.

- The Irish Data Protection Commission is the lead supervisory authority responsible for monitoring the processing of the page insights. You have the right to lodge a complaint with the Irish Data Protection Commission (see http://www.dataprotection.ie/) or any other supervisory authority.

Please note that according to LinkedIn’s privacy policy, LinkedIn also processes personal data in the United States or other third countries.

 

 

YouTube

(1) We have embedded YouTube videos on our website. These videos are stored at http://www.YouTube.com and can be played directly from our website. All of these videos are embedded in “privacy-enhanced mode,” which means that no data concerning you as a user are transferred to YouTube if you do not play the videos. Only if you play the videos are the data mentioned in paragraph 2 transferred. We have no influence over this data transfer.

 

(2) When you visit the website, YouTube receives the information that you have accessed the corresponding subpage of our website. The data mentioned in number 12 of this statement are also transferred. This takes place regardless of whether YouTube provides a user account via which you are logged in or whether there is no user account. If you are logged in with Google, your data will be associated directly with your account. If you do not want this information to be associated with your profile with YouTube, you need to log out before activating the button. YouTube stores your data as usage profiles and uses them for purposes of advertising, market research, and/or demand-driven design of their website. This kind of analysis takes place in particular (even for users who are not logged in) to provide demand-driven advertising and to inform other users of the social network of your activities on our website. You have the right to object to the formation of these user profiles, but must contact YouTube to exercise this right.

 

(3) For further information on the purpose and scope of collection of data and how the data are processed by YouTube, please see the privacy policy. This policy also contains further information on your rights and setting options to protect your privacy: https://www.google.de/intl/de/policies/privacy. Google also processes your personal data in the United States.

 

 

 

13.3 Further data processing

 

Job applications

If you apply to work at our company, we process your job application data exclusively for purposes associated with your interest in current or future employment with us and the processing of your application. Within our organization, your application is viewed and processed only by the relevant contact persons. All employees entrusted with data processing are obligated to safeguard the confidentiality of your data. Should we be unable to offer you employment, we will store the data you have transferred for up to three months after a possible rejection for the purpose of answering questions associated with your application and rejection. This does not apply where statutory provisions conflict with the erasure thereof, further storage is necessary for evidentiary purposes, or you have expressly consented to the storage thereof for a longer period. The legal basis for the data processing is Sec. 26 (1), first sentence, BDSG. Should we store your applicant data for longer than six months, and if you have expressly consented thereto, please note that you can freely withdraw this consent at any time pursuant to Article 7(3) GDPR. Such a withdrawal of consent does not affect the lawfulness of processing based on consent up until its withdrawal.

 

 

 

14. Does cooperation with processors and third parties take place?

If we rely on contracted service providers for individual functions of our site or wish to use your data for advertising purposes, we will inform you in detail of the operations in question. In the process, we also mention the stipulated criteria for the duration of storage.

We transfer your data to third parties or processors only where we can rely on

 

§  statutory permission,

§  your consent,

§  the performance of a legal obligation, or

§  our legitimate interests.

 

We select our external service providers with care. They are bound by our instructions and are checked regularly.

 

We have entered into agreements regarding contract processing with regard to the services mentioned in section 13 of this data protection/privacy statement with Adobe and with Google.

 

Where we have entered into a “data processing agreement” with third parties and your data are processed within the scope of this agreement, we observe the provisions of Article 28 GDPR.

 

 

 

15. What security measures do we take to protect your data?

We have taken suitable technical and organizational measures to ensure that your data are protected.

 

SSL or TLS encryption

This site uses SSL or TLS encryption for security reasons and to protect the transmission of confidential information, such as orders or inquiries that you transmit to us as the site operator. You can see that a connection is encrypted from the fact that your browser’s address bar switches from “http://” to “https://” and the lock symbol appears in the bar.

When SSL or TLS encryption is activated, the data you transfer to us cannot be read in transit by third parties.

 

We ensure the “appropriate level of protection” required by Article 32 GDPR and have taken the following factors into account in so doing:

 

§  state of the art

§  implementation costs

§  nature of processing

§  scope of processing

§  circumstances of processing

§  purposes of processing

§  likelihood of materialization of risk

§  severity of risk of

·       destruction of data

·       loss of data

·       alteration of data

·       unauthorized disclosure of personal data

·       unauthorized access to personal data

 

By doing this, we have ensured the confidentiality, integrity, availability, and resilience of our systems and services.

 

 

 

16. Amendments to this data protection/privacy statement

We ensure that this data protection/privacy statement is always up to date. With this in mind, we reserve the right to adjust it as needed and to incorporate changes in the processing of your data into this statement.

 

 

 

17. Explanations of selected terms from data protection law

 

Anonymization

Anonymization exists when the connection between data and individuals has been eliminated such that it cannot be restored or can only be restored with disproportionate expenditure of time, costs, and labor.

Absolute anonymization that makes it impossible for anyone to restore the individual connection is often impossible and is typically not required under data protection law, either. In these cases, it is sufficient if re-identification is not feasible in practical terms because it would be associated with extraordinarily high levels of time, effort, and expense.

 

 

Processing on behalf of another

This term is defined in Article 4 No. 8 GDPR:

“‘Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.”

The controller is required to ensure that the contractor takes the necessary and suitable technical and organizational measures to protect the processed data. The data processing must be congruent with the provisions of data protection law. In other words, the contractor must treat the data just as sensitively as the principal does.

 

 

Data protection by design

The technical design must be in accordance with applicable law. As a result, data protection must be taken into account as early as during the conceptual design of programs or the programming itself. Suitable technical and organizational measures for data protection by design include the following examples:

-       pseudonymization or encryption of data (purpose: not easy to analyze in the case of abuse or loss, point (a) of Article 32(1) GDPR)

-      anonymization of data without a connection to a specific individual (Article 32 GDPR gives examples only)

-       technical inclusion of data protection information (purpose: transparency, point (a) of Article 5(1) GDPR)

-       authentication procedures to ensure that only authorized users have access (for minimization of data, point (f) of Article 5(1) GDPR)

-       special markings of data sets (electronic tagging; helpful for compliance with the principle of purpose limitation, point (b) of Article 5(1) GDPR)

 

 

Data protection by default

This provision in Article 25(2) GDPR is new and should relate in particular to Internet services and social networks. In principle, the intent of this is to implement, among other things, the principle of data minimization through technical default settings. According to this, technical systems must be aligned to the principles of data protection with regard to the following:

-       limitation to the specific purpose of processing

-       the amount of personal data collected

-       the extent of processing thereof

-       the period of storage thereof

-       their accessibility

Default settings are the variables that the controller establishes by default for the users of its data processing system. The user must therefore enter these or select them by clicking them.

 

 

Data protection/privacy statement (website)

The data protection/privacy statement on a website is intended to provide consumers, as users of the site, with information on the scope in which data are processed, what actions are taken to protect the consumer’s privacy in the process, and what rights the consumer has.

The statement describes, among other things, how the operator collects and uses personal data or shares these with third parties. The GDPR requires clear and easily understandable language (not legal jargon).

 

 

Integrity of data

Term: Stored personal data must be protected against damage due to system malfunctions.

Protection: Backup concept (backup copies), secure storage of the data.

Control: Authorization to create data backups, sensitization, patch management (security gaps, updates).

 

 

Personal data

This term is defined in Article 4 No. 1 GDPR:

“‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

Examples: Name, address, date of birth, employee ID number, IP addresses, cookies, location data, biometric data.

 

 

Pseudonymization (Article 4 No. 5, Article 25(1), point (a) of Article 32(1) GDPR)

Term:

The connection to a specific individual is partially eliminated (restricted) and cannot be restored without additional information (e.g., identification data).

Requirements:

- no association of the data without identification data

- identification data stored separately by the controller

- technical and organizational measures to protect the identification data (access)

Example:

Medical data and personal data are separated and can only be associated through the identification data.

Protection:

Suitable measures to ensure data security, especially where a higher degree of protection is needed (Articles 24, 25, 32 GDPR).

 

 

State of the art (Articles 25, 32 GDPR)

The state of the art encompasses the technological tools available to do things such as ensuring adequate encryption or reliable pseudonymization.

The security of processing must be in keeping with “the state of the art” and ensured through “appropriate technical and organizational measures” (TOMs) (Articles 24, 32 GDPR).

The GDPR also mentions “data protection by design” and “data protection by default.” The confidentiality, integrity, availability, and resilience of the data processing systems must be ensured by these measures.

It is not absolutely necessary to use the best available technologies. It is sufficient to use proven and efficient technology.

Concrete details:

- German Federal Office for Information Security (BSI) IT-Grundschutz Compendium, BSI Standard 200-2

- German Standard Data Protection Model (SDM)

- ISO-27000 standard series

- other recommendations by government bodies

 

Technical and organizational measures

The TOMs are measures that are intended to ensure an appropriate level of protection for personal data (Article 32 GDPR). Examples: Pseudonymization and encryption, security locks, firewalls, virus scanners, authorization concept, fire alarm system and extinguishing equipment, air conditioning system, security rooms, alarm systems, etc.

 

 

 

© This data protection/privacy statement was prepared by ORA GmbH (www.ora-gmbh.com).

 

Last updated: September 2020