PRIVACY POLICY

Preamble

With the following privacy policy, we would like to inform you about the types of your personal data (hereinafter also referred to as ‘data’) that we process, for what purposes and to what extent. The privacy policy applies to all processing of personal data carried out by us, both in the context of the provision of our services and in particular on our websites, in mobile applications and within external online presences, such as our social media profiles (hereinafter collectively referred to as ‘online offer’).

The terms used are not gender-specific.

Status: 17 October 2024

Table of contents

  • Preamble
  • Person responsible
  • Contact data protection officer
  • Overview of the processing operations
  • Relevant legal bases
  • Transfer of personal data
  • International data transfers
  • General information on data storage and erasure
  • Rights of the data subjects
  • Business services
  • Business processes and procedures
  • Provision of the online offering and web hosting
  • Use of cookies
  • Contact and enquiry management
  • Video conferencing, online meetings, webinars and screen sharing
  • Cloud services
  • Newsletter and electronic notifications
  • Promotional communication via email, post, fax or telephone
  • Web analysis, monitoring and optimisation
  • Online marketing
  • Presence in social networks (social media)
  • Plug-ins and embedded functions and content
  • Application procedure

Responsible party

FORLIANCE GmbH

Eifelstr. 20

D-53119 Bonn

Germany

Persons authorised to represent the company: Dirk Walterspacher, Andreas Schnall

E-mail address: info@forliance.com

Telephone: 0049 228 969 119-0

Imprint: https://forliance.com/imprint

Contact data protection officer

We have appointed an external data protection officer for our company. You can contact our data protection officer Dr Marschall and his deputy Mr Blazy(www.gdpc.de) at the above address with the addition - Data Protection Officer - or by e-mail: datenschutz@forliance.com.

Relevant legal bases

Relevant legal bases according to the GDPR: Below you will find an overview of the legal bases of the GDPR on the basis of which we process personal data. Please note that in addition to the provisions of the GDPR, national data protection regulations may apply in your or our country of residence or domicile. Should more specific legal bases also apply in individual cases, we will inform you of these in the privacy policy.

  • Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR) - The data subject has given their consent to the processing of their personal data for a specific purpose or several specific purposes.
  • Contract fulfilment and pre-contractual enquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR) - Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
  • Legal obligation (Art. 6 para. 1 sentence 1 lit. c) GDPR) - Processing is necessary for compliance with a legal obligation to which the controller is subject.
  • Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR) - processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
  • Application procedure as a pre-contractual or contractual relationship (Art. 6 para. 1 sentence 1 lit. b) GDPR) - Insofar as special categories of personal data within the meaning of Art. 9 para. 1 GDPR are processed as part of the application procedure (e.g. health data, such as severely disabled status or ethnic origin) are requested from applicants so that the controller or the data subject can exercise their rights under labour law and social security and social protection law and fulfil their obligations in this regard, their processing is carried out in accordance with Art. 9 para. 2 lit. b. GDPR. GDPR, in the case of the protection of vital interests of applicants or other persons pursuant to Art. 9 para. 2 lit. c. GDPR or for the purposes of preventive health care or occupational medicine, for the assessment of the employee's fitness for work, for medical diagnosis, health or social care or treatment or for the management of health or social care systems and services pursuant to Art. 9 para. 2 lit. h. GDPR. GDPR. In the case of communication of special categories of data based on voluntary consent, their processing is carried out on the basis of Art. 9 para. 2 lit. a. GDPR.
  • National data protection regulations in Germany: In addition to the data protection regulations of the GDPR, national data protection regulations apply in Germany. These include, in particular, the Act on the Protection against Misuse of Personal Data in Data Processing (Federal Data Protection Act - BDSG). In particular, the BDSG contains special regulations on the right to information, the right to erasure, the right to object, the processing of special categories of personal data, processing for other purposes and transmission as well as automated decision-making in individual cases, including profiling. Furthermore, state data protection laws of the individual federal states may apply.
  • Reference to the validity of the GDPR and Swiss FADP: This data protection notice serves to provide information in accordance with both the Swiss FADP and the General Data Protection Regulation (GDPR). For this reason, please note that the terms of the GDPR are used due to the broader geographical application and comprehensibility. In particular, instead of the terms ‘processing’ of ‘personal data’, ‘overriding interest’ and ‘sensitive personal data’ used in the Swiss DPA, the terms ‘processing’ of ‘personal data’, ‘legitimate interest’ and ‘special categories of data’ used in the GDPR are used. However, the legal meaning of the terms will continue to be determined in accordance with the Swiss DPA within the scope of application of the Swiss DPA.

  • Transmission of personal data

  • As part of our processing of personal data, it may be transmitted to other bodies, companies, legally independent organisational units or persons or disclosed to them. The recipients of this data may include, for example, service providers commissioned with IT tasks or providers of services and content that are integrated into a website. In such cases, we observe the legal requirements and, in particular, conclude corresponding contracts or agreements with the recipients of your data that serve to protect your data.

  • International data transfers

  • Data processing in third countries: If we process data in a third country (i.e. outside the European Union (EU), the European Economic Area (EEA)) or if the processing takes place in the context of the use of third-party services or the disclosure or transfer of data to other persons, bodies or companies, this will only take place in accordance with the legal requirements. If the level of data protection in the third country has been recognised by means of an adequacy decision (Art. 45 GDPR), this serves as the basis for the data transfer. Otherwise, data will only be transferred if the level of data protection is otherwise ensured, in particular through standard contractual clauses (Art. 46 para. 2 lit. c) GDPR), express consent or in the case of contractual or legally required transfer (Art. 49 para. 1 GDPR). In addition, we will inform you of the basis for third country transfers with the individual providers from the third country, whereby the adequacy decisions take precedence. Information on third country transfers and existing adequacy decisions can be found in the information provided by the EU Commission: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection_en?prefLang=de. As part of the so-called ‘Data Privacy Framework’ (DPF), the EU Commission has also recognised the level of data protection for certain companies from the USA as secure as part of the adequacy decision of 10 July 2023. The list of certified companies and further information on the DPF can be found on the website of the US Department of Commerce at https://www.dataprivacyframework.gov/. As part of the data protection information, we will inform you which service providers we use are certified under the Data Privacy Framework.

General information on data storage and erasure

We delete personal data that we process in accordance with the statutory provisions as soon as the underlying consents are revoked or there is no further legal basis for the processing. This applies to cases in which the original purpose of processing no longer applies or the data is no longer required. There are exceptions to this rule if legal obligations or special interests require longer storage or archiving of the data.

In particular, data that must be stored for commercial or tax law reasons or whose storage is necessary for legal prosecution or to protect the rights of other natural or legal persons must be archived accordingly.

Our data protection information contains additional information on the retention and deletion of data that applies specifically to certain processing operations.

If there is more than one indication of the retention period or deletion period for a date, the longest period is always decisive.

If a period does not expressly begin on a specific date and is at least one year, it automatically starts at the end of the calendar year in which the event triggering the period occurred. In the case of ongoing contractual relationships in the context of which data is stored, the event triggering the deadline is the date on which the cancellation or other termination of the legal relationship takes effect.

We only process data that is no longer stored for the originally intended purpose, but due to legal requirements or other reasons, for the reasons that justify its storage.

Further information on processing processes, procedures and services:

  • Retention and deletion of data: The following general periods apply to retention and archiving under German law:
    • 10 years - Retention period for books and records, annual financial statements, inventories, management reports, opening balance sheet as well as the work instructions and other organisational documents required for their understanding, accounting vouchers and invoices (§ 147 para. 3 in conjunction with para. 1 no. 1, 4 and 4a AO, § 14b para. 1 UStG, § 257 para. 1 no. 1 and 4, para. 4 HGB).
    • 6 years - Other business documents: commercial or business letters received, reproductions of commercial or business letters sent, other documents insofar as they are of significance for taxation, e.g. contracts, accounting sheets, calculation documents, price labelling and other accounting documents (§ 147 para. 1 HGB). Accounting documents (§ 147 para. 3 in conjunction with para. 1 no. 2, 3, 5 AO, § 257 para. 1 no. 2 and 3, para. 4 HGB).
    • 3 years - Data required to consider potential warranty and compensation claims or similar contractual claims and rights and to process related enquiries based on previous business experience and standard industry practices are stored for the duration of the regular statutory limitation period of three years (Sections 195, 199 BGB).

Rights of the data subjects

Rights of data subjects under the GDPR: As a data subject, you are entitled to various rights under the GDPR, which arise in particular from Art. 15 to 21 GDPR:

  • Right to object: You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on point (e) or (f) of Article 6(1) GDPR, including profiling based on those provisions. If the personal data concerning you are processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing.
  • Right to withdraw consent: You have the right to withdraw any consent you have given at any time.
  • Right to information: You have the right to request confirmation as to whether the data in question is being processed and to request information about this data as well as further information and a copy of the data in accordance with the legal requirements.
  • Right to rectification: You have the right to request the completion of data concerning you or the rectification of inaccurate data concerning you in accordance with the legal requirements.
  • Right to erasure and restriction of processing: In accordance with the legal requirements, you have the right to demand that data concerning you be erased immediately or, alternatively, to demand that the processing of the data be restricted in accordance with the legal requirements.
  • Right to data portability: You have the right to receive data concerning you that you have provided to us in a structured, commonly used and machine-readable format in accordance with the legal requirements or to request that it be transferred to another controller.
  • Complaint to the supervisory authority: In accordance with the statutory provisions and without prejudice to any other administrative or judicial remedy, you also have the right to lodge a complaint with a data protection supervisory authority, in particular a supervisory authority in the Member State in which you are habitually resident, the supervisory authority of your place of work or the place of the alleged infringement, if you consider that the processing of personal data relating to you infringes the GDPR.

Business services

We process data of our contractual and business partners, e.g. customers and interested parties (collectively referred to as ‘contractual partners’), in the context of contractual and comparable legal relationships and related measures and with regard to communication with the contractual partners (or pre-contractual), for example to respond to enquiries.

We use this data to fulfil our contractual obligations. These include, in particular, the obligations to provide the agreed services, any updating obligations and remedies in the event of warranty and other service disruptions. In addition, we use the data to safeguard our rights and for the purpose of the administrative tasks associated with these obligations and the company organisation. In addition, we process the data on the basis of our legitimate interests both in proper and efficient business management and in security measures to protect our contractual partners and our business operations from misuse, jeopardising their data, secrets, information and rights (e.g. for the involvement of telecommunications, transport and other auxiliary services as well as subcontractors, banks, tax and legal advisors, payment service providers or tax authorities). Within the framework of applicable law, we only pass on the data of contractual partners to third parties to the extent that this is necessary for the aforementioned purposes or to fulfil legal obligations. Contractual partners will be informed about other forms of processing, such as for marketing purposes, as part of this privacy policy.

We inform the contractual partners which data is required for the aforementioned purposes before or during data collection, e.g. in online forms, by means of special marking (e.g. colours) or symbols (e.g. asterisks or similar), or in person.

We delete the data after the expiry of statutory warranty and comparable obligations, i.e. generally after four years, unless the data is stored in a customer account, e.g. as long as it must be retained for legal archiving reasons (e.g. for tax purposes, generally ten years). We delete data disclosed to us by the contractual partner as part of an order in accordance with the specifications and generally after the end of the order.

  • Processed data types: inventory data (e.g. full name, address, contact information, customer number, etc.); payment data (e.g. bank details, invoices, payment history); contact data (e.g. postal and email addresses or telephone numbers). Contract data (e.g. subject matter of the contract, term, customer category).
  • Data subjects: Customers and clients; interested parties. Business and contractual partners.
  • Purposes of processing: Provision of contractual services and fulfilment of contractual obligations; communication; office and organisational procedures; organisational and administrative procedures. Business processes and business management procedures.
  • Storage and deletion: Deletion in accordance with the information in the section ‘General information on data storage and deletion’.
  • Legal basis: Contract fulfilment and pre-contractual enquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR); Legal obligation (Art. 6 para. 1 sentence 1 lit. c) GDPR). Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Further information on processing processes, procedures and services:

  • Consulting

We process the data of our clients, as well as prospective clients and other contractors or business partners (collectively referred to as "clients"), to provide them with our services. The processes within and for the purposes of consulting include: contacting and communicating with clients, conducting needs and requirements analyses, planning and implementing projects, documenting project progress and outcomes, collecting and managing client-specific information and data, scheduling and organizing appointments, providing consulting resources and materials, billing and payment management, post-project follow-up and review, and quality assurance and feedback processes. The type, scope, purpose, and necessity of data processing are determined by the underlying contractual and client relationship.

  • If it is necessary for our contractual fulfillment, to protect vital interests, or if required by law, or if there is consent from the clients, we disclose or transfer the data of the clients, in compliance with professional regulations, to third parties or agents such as authorities, subcontractors, or in the field of IT, office or similar services;
    Legal basis: Contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR).
  • Business Processes and Procedures

Personal data of service recipients and contractors – including customers, clients, or, in special cases, clients, patients, or business partners, as well as other third parties – are processed within contractual and similar legal relationships and pre-contractual measures such as the initiation of business relationships. This data processing supports and facilitates business operations in areas such as customer management, sales, payments, accounting, and project management.

The collected data serves to fulfill contractual obligations and to design business processes efficiently. This includes the processing of business transactions, managing customer relationships, optimizing sales strategies, and ensuring internal accounting and financial processes. Additionally, the data aids in safeguarding the rights of the controller and supports administrative tasks as well as the organization of the company.

Personal data may be shared with third parties if necessary for fulfilling the stated purposes or legal obligations. After the expiration of statutory retention periods or when the purpose of the processing ceases, the data will be deleted. This also includes data that must be retained longer due to tax law and legal proof obligations.

  • Types of Processed Data: Inventory data (e.g., full name, address, contact information, customer number, etc.); payment data (e.g., bank details, invoices, payment history); contact data (e.g., postal and email addresses or phone numbers); content data (e.g., textual or visual messages and contributions, and related information, such as details of authorship or time of creation); contract data (e.g., contract subject, duration, customer category); log data (e.g., log files related to logins or data access or access times); usage data (e.g., page views and duration, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); credit data (e.g., received credit score, estimated probability of default, corresponding risk classification, historical payment behavior). Meta-, communication, and procedural data (e.g., IP addresses, time stamps, identification numbers, involved persons).
  • Affected Persons: Service recipients and contractors; prospective clients; communication partners; business and contract partners; third parties; users (e.g., website visitors, users of online services); employees (e.g., employees, applicants, temporary workers, and other staff). Customers.
  • Purposes of Processing: Providing contractual services and fulfilling contractual obligations; office and organizational procedures; business processes and economic procedures; communication; marketing; sales promotion; public relations; assessment of creditworthiness and financial standing; financial and payment management; IT infrastructure (operation and provision of information systems and technical equipment (computers, servers, etc.)).
  • Retention and Deletion: Deletion in accordance with the information provided in the section "General Information on Data Retention and Deletion."
  • Legal Bases: Contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR); Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR). Legal obligation (Art. 6 para. 1 sentence 1 lit. c) GDPR).

 

Further Notes on Processing Operations, Procedures, and Services:

Customer Management and Customer Relationship Management (CRM):

We perform procedures necessary for customer management and Customer Relationship Management (CRM) (e.g., customer acquisition in compliance with data protection regulations, measures to foster customer loyalty and retention, effective customer communication, complaint management and customer service with consideration for data protection, data management and analysis to support the customer relationship, management of CRM systems, secure account management, customer segmentation, and target audience development);
Legal basis: Contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR), Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Contact Management and Maintenance:

Procedures required for organizing, maintaining, and securing contact information (e.g., setting up and maintaining a central contact database, regularly updating contact information, monitoring data integrity, implementing data protection measures, ensuring access controls, performing backups and restoring contact data, training employees in effective contact management software use, regularly reviewing communication history, and adjusting contact strategies);
Legal basis: Contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR), Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

General Payment Transactions:

Procedures required for conducting payment transactions, monitoring bank accounts, and controlling payment flows (e.g., creating and reviewing transfers, handling direct debits, controlling account statements, monitoring incoming and outgoing payments, managing returned direct debits, account reconciliation, and cash management);
Legal basis: Contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR), Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Accounting, Accounts Payable, and Accounts Receivable:

Procedures required for recording, processing, and controlling business transactions in the area of accounts payable and accounts receivable (e.g., creating and reviewing incoming and outgoing invoices, monitoring and managing outstanding balances, conducting payment transactions, managing dunning procedures, reconciling accounts in the context of receivables and payables);
Legal basis: Contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR), Legal obligation (Art. 6 para. 1 sentence 1 lit. c) GDPR), Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Financial Accounting and Taxes:

Procedures required for recording, managing, and controlling finance-related business transactions, as well as for calculating, reporting, and paying taxes (e.g., posting and booking of business transactions, creating quarterly and annual financial statements, conducting payment transactions, managing dunning procedures, account reconciliation, tax consulting, preparing and submitting tax returns, and handling tax matters);
Legal basis: Contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR), Legal obligation (Art. 6 para. 1 sentence 1 lit. c) GDPR), Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Marketing, Advertising, and Sales Promotion:

Procedures required in the context of marketing, advertising, and sales promotion (e.g., market analysis and target audience determination, development of marketing strategies, planning and execution of advertising campaigns, designing and producing promotional materials, online marketing including SEO and social media campaigns, event marketing and trade show participation, customer loyalty programs, promotional activities, performance measurement and optimization of marketing activities, budget management and cost control);
Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Public Relations:

Procedures required in the context of public relations and public communication (e.g., developing and implementing communication strategies, planning and conducting PR campaigns, creating and distributing press releases, maintaining media contacts, monitoring and analyzing media resonance, organizing press conferences and public events, crisis communication, creating content for social media and corporate websites, managing corporate branding);
Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

 

Provision of the Online Offer and Web Hosting:

We process user data to provide our online services. For this purpose, we process the user's IP address, which is necessary to deliver the content and functions of our online services to the user's browser or device.

  • Types of Processed Data: Usage data (e.g., page views and duration, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and features); Meta-, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved persons); Log data (e.g., log files related to logins or data access or access times). Content data (e.g., textual or visual messages and contributions and related information such as details of authorship or the time of creation).
  • Affected Persons: Users (e.g., website visitors, users of online services).
  • Purposes of Processing: Provision of our online offer and user-friendliness; Information technology infrastructure (operation and provision of information systems and technical devices (computers, servers, etc.)); Security measures; Content Delivery Network (CDN); Firewall.
  • Retention and Deletion: Deletion according to the information provided in the section "General Information on Data Retention and Deletion."
  • Legal Basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

 

Further Notes on Processing Operations, Procedures, and Services:

  • Provision of Online Offer on Rented Storage Space: To provide our online offer, we use storage space, computing power, and software that we rent or otherwise obtain from an appropriate server provider (also called "web host");
    Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
  • Collection of Access Data and Log Files: Access to our online offer is recorded in the form of so-called "server log files." Server log files may include the address and name of the retrieved websites and files, date and time of retrieval, transmitted data volumes, notification of successful retrieval, browser type and version, the user's operating system, referrer URL (the previously visited page), and usually IP addresses and the requesting provider. Server log files may be used for security purposes, e.g., to prevent server overload (especially in the event of abusive attacks, so-called DDoS attacks) and to ensure server stability and reliability;
    Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
    Deletion of Data: Log file information is stored for a maximum of 30 days and then deleted or anonymized. Data that needs to be retained for evidentiary purposes is excluded from deletion until the final resolution of the respective incident.
  • Content Delivery Network: We use a "Content Delivery Network" (CDN). A CDN is a service that enables content from an online offer, especially large media files such as graphics or program scripts, to be delivered faster and more securely using regionally distributed servers connected via the internet;
    Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Further Notes on Processing Procedures, Methods, and Services:

  • Tänzermedien GmbH, Bonn: Services in the field of providing IT infrastructure and associated services (e.g., storage space and/or computing capacities); Legal Basis: Legitimate Interests (Art. 6 para. 1 sent. 1 lit. f) GDPR); Website: Impressum – tänzer

(taenzer.de); Privacy Policy: Privacy Policy – tänzer

(taenzer.de). Data Processing Agreement: available/closed.

  • Cloudflare: Content-Delivery-Network (CDN) – Service that helps to deliver online content, especially large media files such as graphics or program scripts, faster and more securely via regionally distributed servers connected via the Internet; Service Provider: Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA; Legal Basis: Legitimate Interests (Art. 6 para. 1 sent. 1 lit. f) GDPR); Website: https://www.cloudflare.com; Privacy Policy: https://www.cloudflare.com/privacypolicy/; Data Processing Agreement: https://www.cloudflare.com/cloudflare-customer-dpa/. Basis for Third-Country Transfers: Data Privacy Framework (DPF).
  • Sucuri: Firewall and security functions, as well as error detection to identify and prevent unauthorized access attempts and technical vulnerabilities that could enable such access. Cookies and similar storage methods necessary for this purpose may be used, and security logs may be created during the review process, particularly in the event of unauthorized access. In this context, users' IP addresses, user identification numbers, and their activities, including the time of access, are processed and stored, and matched with the data provided by the firewall and security function provider and transmitted to them; Service Provider: Sucuri LLC., Parent Company: GoDaddy Media Temple, Inc. d/b/a Sucuri, 6060 Center Dr. Suite 500, Los Angeles CA 90045, USA; Legal Basis: Legitimate Interests (Art. 6 para. 1 sent. 1 lit. f) GDPR); Privacy Policy: https://sucuri.net/privacy; Data Processing Agreement: https://sucuri.net/dpa/. Basis for Third-Country Transfers: Standard Contractual Clauses (https://sucuri.net/dpa/).

Use of Cookies The term "cookies" refers to functions that store and retrieve information on users' end devices. Cookies can be used for various purposes, such as ensuring the functionality, security, and convenience of online services and analyzing visitor traffic. We use cookies in accordance with legal regulations. When required, we obtain users' prior consent. If consent is not necessary, we rely on our legitimate interests. This applies when storing and retrieving information is essential to provide explicitly requested content and functions. This includes storing settings and ensuring the functionality and security of our online services. Consent can be withdrawn at any time. We provide clear information on the scope and types of cookies used.

Notes on Data Protection Legal Basis: Whether we process personal data using cookies depends on obtaining consent. If consent is obtained, it serves as the legal basis. Without consent, we rely on our legitimate interests as outlined in this section and the context of the respective services and procedures.

Storage Duration: Regarding storage duration, the following types of cookies are distinguished:

  • Temporary Cookies (also: Session or Session Cookies): Temporary cookies are deleted at the latest after a user leaves an online service and closes their end device (e.g., browser or mobile application).
  • Permanent Cookies: Permanent cookies remain stored even after the end device is closed. For example, the login status can be saved, and preferred content can be displayed directly when the user revisits a website. User data collected with the help of cookies can also be used for reach measurement. If we do not provide users with explicit information about the type and duration of cookies (e.g., during consent collection), they should assume that these are permanent cookies with a storage duration of up to two years.

General Notes on Withdrawal and Objection (Opt-out): Users can withdraw their given consent at any time and also object to the processing as per legal regulations, including through their browser’s privacy settings.

Cookie Settings/Objection Option: [Insert short link to the cookie banner here so users can manage their cookie settings]

  • Processed Data Types: Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved persons).
  • Affected Persons: Users (e.g., website visitors, users of online services).
  • Legal Basis: Legitimate Interests (Art. 6 para. 1 sent. 1 lit. f) GDPR). Consent (Art. 6 para. 1 sent. 1 lit. a) GDPR).

Further Notes on Processing Procedures, Methods, and Services:

  • Processing of Cookie Data Based on Consent: We use a consent management solution where users' consent to use cookies or the procedures and providers mentioned within the consent management solution is obtained. This procedure serves the collection, logging, management, and withdrawal of consents, particularly regarding the use of cookies and similar technologies for storing, reading, and processing information on users' devices. Within this procedure, users' consents for the use of cookies and associated information processing, including the specific processes and providers mentioned in the consent management procedure, are collected. Users also have the option to manage and withdraw their consent. Consent statements are stored to avoid repetitive queries and to demonstrate compliance with legal requirements. Storage is server-side and/or in a cookie (known as an Opt-in Cookie) or using similar technologies to assign the consent to a specific user or their device. Unless otherwise specified regarding providers of consent management services, the following general information applies: The storage duration of consent lasts up to two years. A pseudonymous user identifier is created and stored with the consent's timestamp, the details of the consent (e.g., concerning cookie categories and/or service providers), as well as information about the browser, system, and device used; Legal Basis: Consent (Art. 6 para. 1 sent. 1 lit. a) GDPR).
  • KLARO!: Consent Management: Procedure for obtaining, logging, managing, and withdrawing consents, particularly for the use of cookies and similar technologies for storing, reading, and processing information on users' end devices, as well as their processing; Service Provider: KIProtect GmbH, Bismarckstr. 10-12, 10625 Berlin, Germany; Website: Imprint | Company (klaro.org); Privacy Policy: Privacy | Resources (klaro.org).

Contact and Inquiry Management When contacting us (e.g., by mail, contact form, email, phone, or via social media) and within the context of existing user and business relationships, the information provided by the inquiring persons is processed to the extent necessary to respond to the contact requests and any requested measures.

  • Processed Data Types: Inventory data (e.g., full name, address, contact details, customer number, etc.); Contact data (e.g., postal and email addresses or phone numbers); Content data (e.g., text or visual messages and contributions and the information concerning them, such as authorship or time of creation); Usage data (e.g., page views and dwell time, click paths, usage intensity and frequency, types of devices and operating systems used, interactions with content and features). Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved persons).
  • Affected Persons: Communication partners.
  • Purposes of Processing: Communication; organizational and administrative procedures; feedback (e.g., collecting feedback via online form). Provision of our online services and user-friendliness.
  • Storage and Deletion: Deletion as per information provided in the section "General Information on Data Storage and Deletion."
  • Legal Basis: Legitimate Interests (Art. 6 para. 1 sent. 1 lit. f) GDPR). Contract Fulfillment and Pre-Contractual Inquiries (Art. 6 para. 1 sent. 1 lit. b) GDPR).

Further Notes on Processing Procedures, Methods, and Services:

  • Contact Form: When contacting us via our contact form, email, or other communication methods, we process the personal data provided to respond to and handle the respective concern. This usually includes information such as name, contact details, and, if applicable, other information provided to us and necessary for appropriate handling. We use this data exclusively for the stated purpose of contact and communication; Legal Basis: Contract Fulfillment and Pre-Contractual Inquiries (Art. 6 para. 1 sent. 1 lit. b) GDPR), Legitimate Interests (Art. 6 para. 1 sent. 1 lit. f) GDPR).

Video Conferences, Online Meetings, Webinars, and Screen Sharing 

We use platforms and applications from other providers (hereafter referred to as "conference platforms") for the purpose of conducting video and audio conferences, webinars, and other types of video and audio meetings (hereafter collectively referred to as "conference"). When selecting the conference platforms and their services, we comply with legal requirements. Data processed by conference platforms: When participating in a conference, conference platforms process the following personal data of participants. The scope of the processing depends, on the one hand, on the specific data required for a conference (e.g., provision of access data or real names) and on the optional information provided by participants. In addition to processing for the purpose of conducting the conference, participants' data may also be processed by conference platforms for security purposes or service optimization. The data processed includes personal information (first name, last name), contact information (email address, telephone number), access data (access codes or passwords), profile pictures, details about professional positions/functions, the IP address of the internet connection, details about participants' end devices, their operating system, browser, and its technical and language settings, information about the content of communications (e.g., chat entries, audio, and video data), and the use of other available features (e.g., surveys). The contents of communications are encrypted to the extent technically provided by the conference providers. If participants are registered as users on the conference platforms, additional data may be processed according to the agreement with the respective conference provider.

Logging and Recordings: If text entries, participation results (e.g., from surveys), as well as video or audio recordings are logged, participants will be transparently informed in advance and asked for consent if required.

Data Protection Measures for Participants: Please refer to the conference platforms' privacy notices for details about the processing of your data and choose the optimal security and privacy settings within the conference platforms. During a video conference, ensure the protection of your data and privacy in the background of your recording (e.g., by informing housemates, locking doors, and using, if technically possible, the feature to blur the background). Links to conference rooms and access data should not be shared with unauthorized third parties.

Notes on Legal Basis: If we process users' data in addition to the conference platforms' processing, and users are asked for their consent to the use of the conference platforms or specific features (e.g., consent to a recording of conferences), the legal basis for the processing is that consent. Furthermore, our processing may be necessary to fulfill our contractual obligations (e.g., in participant lists, in the case of follow-ups on meeting results, etc.). Otherwise, users' data will be processed based on our legitimate interests in efficient and secure communication with our communication partners.

  • Types of Data Processed: Inventory data (e.g., full name, address, contact details, customer number, etc.); Contact data (e.g., postal and email addresses or telephone numbers); Content data (e.g., textual or visual messages and contributions, as well as related information such as authorship or time of creation); Usage data (e.g., page views and dwell time, click paths, usage intensity and frequency, types of devices and operating systems used, interactions with content and features); Image and/or video recordings (e.g., photographs or video recordings of a person); Audio recordings. Protocol data (e.g., log files regarding logins or data retrieval or access times).
  • Affected Persons: Communication partners; users (e.g., website visitors, users of online services). Depicted individuals.
  • Purposes of Processing: Provision of contractual services and fulfillment of contractual obligations; communication. Office and organizational procedures.
  • Retention and Deletion: Deletion according to the information provided in the section "General Information on Data Storage and Deletion."
  • Legal Basis: Legitimate Interests (Art. 6 para. 1 sent. 1 lit. f) GDPR).

Further Notes on Processing Procedures, Methods, and Services:

Cloud Services We use software services accessible over the internet and operated on the servers of their providers (so-called "cloud services," also referred to as "Software as a Service") for storing and managing content (e.g., document storage and management, exchange of documents, content, and information with specific recipients, or publishing content and information).

In this context, personal data may be processed and stored on the providers' servers to the extent that this is part of communication processes with us or is otherwise processed by us as outlined in this privacy policy. This data may include, in particular, users' inventory and contact data, data related to transactions, contracts, and other processes, and their content. The providers of the cloud services also process usage data and metadata used for security purposes and service optimization.

If we provide forms or other documents and content for other users or publicly accessible websites using cloud services, the providers may store cookies on users' devices for purposes of web analysis or to remember user settings (e.g., in the case of media control).

  • Types of Data Processed: Inventory data (e.g., full name, residential address, contact information, customer number, etc.); Contact data (e.g., postal and email addresses or phone numbers); Content data (e.g., text or visual messages and contributions as well as related information such as authorship or time of creation); Usage data (e.g., page views and dwell time, click paths, usage intensity and frequency, types of devices and operating systems used, interactions with content and features).
  • Affected Persons: Interested parties; communication partners. Business and contractual partners.
  • Purposes of Processing: Office and organizational procedures. IT infrastructure (operation and provision of information systems and technical equipment (computers, servers, etc.)).
  • Retention and Deletion: Deletion according to the information provided in the section "General Information on Data Storage and Deletion."
  • Legal Basis: Legitimate Interests (Art. 6 para. 1 sent. 1 lit. f) GDPR).

Further Notes on Processing Procedures, Methods, and Services:

 

Newsletters and Electronic Notifications 

We send newsletters, emails, and other electronic notifications (hereinafter referred to as "Newsletters") only with the recipients' consent or based on a legal basis. If the content of the newsletter is specified in the context of registration, this content is relevant for users' consent. Typically, providing your email address is sufficient for signing up for our newsletter. However, to offer you a personalized service, we may request your name for a personal greeting in the newsletter or other information if necessary for the purpose of the newsletter.

Deletion and Restriction of Processing: We may store the unsubscribed email addresses for up to three years based on our legitimate interests before deleting them to be able to prove previously given consent. The processing of these data is limited to the purpose of potentially defending against claims. An individual deletion request is possible at any time, provided that the former existence of consent is confirmed. In the case of obligations to permanently respect objections, we reserve the right to store the email address solely for this purpose in a blacklist (so-called "blocklist").

The logging of the registration process is carried out based on our legitimate interests to prove its proper execution. If we commission a service provider with sending emails, this is done based on our legitimate interests in an efficient and secure email delivery system.

Contents: Information about us, our services, promotions, and offers. [please supplement]

  • Types of Data Processed: Inventory data (e.g., full name, address, contact information, customer number, etc.); Contact data (e.g., postal and email addresses or telephone numbers); Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved parties). Usage data (e.g., page views and dwell time, click paths, usage intensity and frequency, types of devices and operating systems used, interactions with content and features).
  • Affected Persons: Communication partners.
  • Purposes of Processing: Direct marketing (e.g., via email or postal service).
  • Legal Bases: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR). Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
  • Opt-Out Option: You can cancel the receipt of our newsletter at any time, i.e., withdraw your consent or object to further receipt. A link to unsubscribe from the newsletter can be found at the end of each newsletter or, alternatively, you can use one of the above contact options, preferably email, to do so.

Further Notes on Processing Procedures, Methods, and Services:

  • Measurement of Open and Click Rates: The newsletters contain a so-called "web beacon," i.e., a pixel-sized file that is retrieved from our or, if we use a mailing service provider, their server when opening the newsletter. During this retrieval, technical information such as information about your browser and system, your IP address, and the time of retrieval are initially collected. This information is used to improve our newsletter technically based on the technical data or the target groups and their reading behavior, determined by their retrieval locations (which can be determined using the IP address) or access times. This analysis also includes determining whether and when newsletters are opened and which links are clicked. The information is assigned to individual newsletter recipients and stored in their profiles until it is deleted. The evaluations serve to identify the reading habits of our users and to adapt our content to them or send different content according to our users' interests. The measurement of open and click rates, as well as the storage of the measurement results in user profiles and their further processing, is carried out based on the user's consent. A separate revocation of success measurement is unfortunately not possible; in this case, the entire newsletter subscription must be canceled or objected to. In such cases, the stored profile information will be deleted; Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR).
  • Mailchimp: Email marketing, automation of marketing processes, collection, storage, and management of contact data, measurement of campaign performance, recording and analysis of recipients' interactions with content, content personalization; Service provider: Rocket Science Group, LLC, 675 Ponce De Leon Ave NE #5000, Atlanta, GA 30308, USA; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://mailchimp.com; Privacy Policy: https://mailchimp.com/legal/; Data Processing Agreement: https://mailchimp.com/legal/; Basis for Third-Country Transfers: Data Privacy Framework (DPF). Further information: Special security measures: https://mailchimp.com/de/help/mailchimp-european-data-transfers/.

Advertising Communication via Email, Post, Fax, or Telephone We process personal data for advertising communication purposes through various channels, such as email, telephone, postal mail, or fax, in accordance with legal requirements. Recipients have the right to withdraw their consent at any time or to object to advertising communication at any time.

After withdrawal or objection, we store the data necessary to prove previous authorization for contacting or sending for up to three years after the end of the year of withdrawal or objection based on our legitimate interests. The processing of these data is limited to the purpose of potentially defending against claims. Based on the legitimate interest in permanently respecting users' withdrawal or objection, we also store the necessary data to prevent renewed contact (e.g., depending on the communication channel, the email address, telephone number, or name).

  • Types of Data Processed: Inventory data (e.g., full name, address, contact information, customer number, etc.); Contact data (e.g., postal and email addresses or telephone numbers). Content data (e.g., textual or visual messages and contributions, as well as related information such as authorship or time of creation).
  • Affected Persons: Communication partners.
  • Purposes of Processing: Direct marketing (e.g., via email or postal service); marketing; sales promotion.
  • Retention and Deletion: Deletion according to the information provided in the section "General Information on Data Storage and Deletion."
  • Legal Bases: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR). Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

 

Web Analysis, Monitoring, and Optimization 

Web analysis (also referred to as "reach measurement") serves to evaluate the visitor flows to our online offerings and can include behavior, interests, or demographic information about visitors, such as age or gender, as pseudonymous values. With reach analysis, we can recognize, for example, the times when our online offering or its features and content are most frequently used or invite repeated use. We can also identify which areas need optimization.

In addition to web analysis, we may also use testing procedures to test and optimize different versions of our online offering or its components.

Unless otherwise stated below, profiles may be created for these purposes, i.e., data aggregated from a usage process, and information may be stored in a browser or on a device and then read from it. The collected data includes, in particular, visited websites and elements used there, as well as technical information such as the browser used, the computer system, and information about usage times. If users have consented to the collection of their location data with us or the providers of the services we use, location data processing is also possible.

In addition, users' IP addresses are stored. However, we use an IP masking procedure (i.e., pseudonymization by shortening the IP address) to protect users. In general, no clear data of the users (such as email addresses or names) are stored as part of web analysis, A/B testing, and optimization, but pseudonyms. This means that neither we nor the software providers know the actual identity of the users, only the information stored in their profiles for the respective procedures.

Notes on Legal Basis: If we ask users for their consent to the use of third-party services, the legal basis for processing the data is consent. Otherwise, the user data is processed based on our legitimate interests (i.e., interest in efficient, economic, and recipient-friendly services). In this context, we would also like to draw your attention to the information on the use of cookies in this privacy policy.

  • Types of Data Processed: Usage data (e.g., page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and features). Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved parties).
  • Affected Persons: Users (e.g., website visitors, users of online services).
  • Purposes of Processing: Reach measurement (e.g., access statistics, recognition of returning visitors); Profiles with user-related information (creating user profiles). Provision of our online offering and user-friendliness.
  • Retention and Deletion: Deletion in accordance with the information in the section "General Information on Data Storage and Deletion." Storage of cookies for up to 2 years (Unless otherwise stated, cookies and similar storage methods may be stored on users' devices for a period of up to two years).
  • Security Measures: IP masking (pseudonymization of IP address).
  • Legal Basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR). Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Further Notes on Processing Procedures, Methods, and Services:

  • Google Analytics: We use Google Analytics to measure and analyze the use of our online offering based on a pseudonymous user identification number. This identification number does not contain any unique data such as names or email addresses. It serves to associate analysis information with a device to understand which content users have accessed within one or several usage processes, which search terms they used, revisited, or interacted with in our online offering. The usage time and duration, as well as the sources referring users to our online offering, and technical aspects of their devices and browsers, are also stored.

Pseudonymous profiles of users are created with information from using various devices, and cookies may be used in the process. Google Analytics does not log or store individual IP addresses for EU users. However, Analytics provides general geographic location data by deriving the following metadata from IP addresses: city (and derived city latitude and longitude), continent, country, region, subcontinent (and ID-based counterparts). For EU traffic, IP address data is exclusively used for this location determination before being immediately deleted. They are not logged, accessible, or used for other purposes. When Google Analytics collects measurement data, all IP queries are carried out on EU-based servers before traffic is forwarded to Analytics servers for processing; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); Website: marketingplatform.google.com/intl/en/about/analytics/; Security measures: IP masking (pseudonymization of IP address); Privacy Policy: https://policies.google.com/privacy; Data Processing Agreement: https://business.safety.google/adsprocessorterms/; Basis for third-country transfers: Data Privacy Framework (DPF); Opt-out option: Opt-out plugin: tools.google.com/dlpage/gaoptout, Ad personalization settings: https://myadcenter.google.com/personalizationoff. More information: https://business.safety.google/adsservices/ (types of processing and data processed).

  • Google as a Recipient of Consent: The consent given by users as part of a consent dialog (also known as "cookie opt-in/consent," "cookie banner," etc.) serves multiple purposes. Firstly, it helps us fulfill our duty to obtain consent for storing and reading information on and from users' devices (in accordance with ePrivacy guidelines). Secondly, it covers the processing of users' personal data following data protection regulations. Additionally, this consent also applies to Google, as the company is required by digital markets law to obtain consent for personalized services. Therefore, we share the status of the consents given by users with Google. Our consent management software informs Google about whether consent has been granted or not. The goal is to ensure that the users' granted or not granted consents are respected when using Google Analytics and when integrating features and external services. This allows user consents and their revocation to be dynamically adjusted within Google Analytics and other Google services in our online offering depending on the user's choice; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); Website: support.google.com/analytics/answer/9976101. Privacy Policy: https://policies.google.com/privacy.
  • Google Tag Manager: We use Google Tag Manager, a software from Google that allows us to manage so-called website tags centrally via a user interface. Tags are small code elements on our website that help capture and analyze visitor activities. This technology supports us in improving our website and the content offered. The Google Tag Manager itself does not create user profiles, store cookies with user profiles, or conduct independent analyses. Its function is limited to facilitating the integration and management of tools and services we use on our website and making them more efficient. However, when using Google Tag Manager, the IP address of users is transmitted to Google, which is technically necessary to implement the services we use. Cookies may also be set in the process. However, this data processing only occurs if services are integrated via the Tag Manager. For more detailed information on these services and their data processing, we refer to the further sections of this privacy policy; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); Website: https://marketingplatform.google.com; Privacy Policy: https://policies.google.com/privacy; Data Processing Agreement: https://business.safety.google/adsprocessorterms. Basis for third-country transfers: Data Privacy Framework (DPF).
    • HubSpot Analytics: Web analysis, reach measurement, and analysis of user behavior related to the use of features, content, and their duration of use based on a pseudonymous user identification number and profile building;
      Service provider: HubSpot, Inc., 25 First St., 2nd Floor, Cambridge, Massachusetts 02141, USA;
      Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR);
      Website: https://www.hubspot.com/products/marketing/analytics;
      Privacy policy: https://legal.hubspot.com/privacy-policy;
      Data processing agreement: https://legal.hubspot.com/dpa;
      Basis for third-country transfers: Data Privacy Framework (DPF).

 

Online Marketing 

We process personal data for the purpose of online marketing, which may include, in particular, the marketing of advertising spaces or the presentation of advertising and other content (collectively referred to as "content") based on potential user interests and the measurement of their effectiveness.

For these purposes, user profiles are created and stored in a file (known as a "cookie") or similar methods are used to store information relevant to the presentation of the aforementioned content. This may include, for example, viewed content, visited websites, used online networks, as well as communication partners and technical information, such as the browser used, the computer system, and information about usage times and functions used. If users have consented to the collection of their location data, this data may also be processed.

In addition, users' IP addresses are stored. However, we use available IP masking methods (i.e., pseudonymization by shortening the IP address) to protect users. In general, no clear user data (such as email addresses or names) is stored as part of the online marketing process, but pseudonyms are used. This means that neither we nor the providers of online marketing methods know the actual identity of the users, only the information stored in their profiles.

The statements in the profiles are usually stored in cookies or similar methods. These cookies can generally also be read on other websites that use the same online marketing method and analyzed for the purpose of presenting content, and may be supplemented with additional data and stored on the server of the online marketing provider.

In exceptional cases, it is possible to associate clear data with profiles, primarily when users are members of a social network whose online marketing method we use, and the network connects the user profiles with the aforementioned information. We ask you to note that users may make additional agreements with the providers, such as by giving consent during registration.

We generally only have access to aggregated information about the success of our advertisements. However, within the framework of so-called conversion measurements, we can determine which of our online marketing methods have led to a conversion, e.g., a contract conclusion with us. Conversion measurement is used solely for analyzing the success of our marketing activities.

Unless otherwise stated, please assume that the cookies used are stored for a period of two years.

Legal Basis Information: If we ask users for their consent to the use of third-party services, the legal basis for data processing is permission. Otherwise, user data is processed based on our legitimate interests (i.e., interest in efficient, economical, and user-friendly services). In this context, we would also like to draw your attention to the information on the use of cookies in this privacy policy.

Information on Withdrawal and Objection: We refer to the privacy notices of the respective providers and the opt-out options provided by them. If no explicit opt-out option is provided, you may disable cookies in your browser settings. However, this may limit the functionality of our online offering. Therefore, we additionally recommend the following opt-out options, which are offered collectively for specific regions: a) Europe: https://www.youronlinechoices.eu.
b) Canada: https://www.youradchoices.ca/choices.
c) USA: https://www.aboutads.info/choices.
d) Cross-regional: https://optout.aboutads.info.

  • Types of Data Processed: Usage data (e.g., page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and features). Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved parties).
  • Affected Persons: Users (e.g., website visitors, users of online services).
  • Purposes of Processing: Reach measurement (e.g., access statistics, recognition of returning visitors); tracking (e.g., interest-/behavior-based profiling, use of cookies); audience formation; marketing; profiles with user-related information (creating user profiles). Conversion measurement (measurement of the effectiveness of marketing measures).
  • Retention and Deletion: Deletion in accordance with the information in the section "General Information on Data Storage and Deletion." Storage of cookies for up to 2 years (Unless otherwise stated, cookies and similar storage methods may be stored on users' devices for a period of up to two years).
  • Security Measures: IP masking (pseudonymization of IP address).
  • Legal Basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR). Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Further Notes on Processing Procedures, Methods, and Services:

  • Google Ads and Conversion Measurement: Online marketing method for placing content and advertisements within the provider's advertising network (e.g., in search results, in videos, on websites, etc.) so that they are displayed to users who are likely interested in the advertisements. In addition, we measure the conversion of advertisements, i.e., whether users have interacted with the advertisements and used the advertised offers (so-called conversions). However, we only receive anonymous information and no personal information about individual users; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR), Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://marketingplatform.google.com; Privacy Policy: https://policies.google.com/privacy; Basis for third-country transfers: Data Privacy Framework (DPF); More information: Types of processing and processed data: https://business.safety.google/adsservices/. Controller-to-controller data processing conditions and standard contractual clauses for third-country data transfers: https://business.safety.google/adscontrollerterms.

Social Media Presence We maintain online presences within social networks and process user data in this context to communicate with the users active there or to offer information about us.

We would like to point out that user data may be processed outside the territory of the European Union. This can pose risks to users, for example, making it more difficult to enforce user rights.

Moreover, user data within social networks is typically processed for market research and advertising purposes. For example, user profiles can be created based on user behavior and resulting interests. These profiles may then be used to display advertisements within and outside the networks that presumably match the users' interests. For this purpose, cookies are usually stored on users' devices, in which the user behavior and interests are saved. Additionally, data may also be stored in user profiles regardless of the devices used by the users (especially if they are members of the respective platforms and logged in).

For a detailed description of the respective forms of processing and the opt-out options, we refer to the privacy policies and information provided by the operators of the respective networks.

In cases of information requests and the assertion of data subject rights, we point out that these can be most effectively exercised with the providers. Only they have access to the user data and can directly take appropriate measures and provide information. If you still need help, you can contact us.

  • Types of Data Processed: Contact data (e.g., postal and email addresses or phone numbers); content data (e.g., text or image messages and contributions as well as related information, such as authorship details or creation time). Usage data (e.g., page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and features).
  • Affected Persons: Users (e.g., website visitors, users of online services).
  • Purposes of Processing: Communication; feedback (e.g., collecting feedback via online form). Public relations.
  • Retention and Deletion: Deletion in accordance with the information in the section "General Information on Data Storage and Deletion."
  • Legal Basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Further Notes on Processing Procedures, Methods, and Services:

  • LinkedIn: Social network - We are jointly responsible with LinkedIn Ireland Unlimited Company for collecting (but not further processing) visitor data used to create "Page Insights" (statistics) for our LinkedIn profiles. This data includes information about the types of content users view or interact with and the actions they take. Additionally, details about the devices used are collected, such as IP addresses, operating systems, browser types, language settings, and cookie data, as well as information from user profiles such as job title, country, industry, hierarchy level, company size, and employment status. Privacy information about LinkedIn's processing of user data can be found in LinkedIn's privacy policy: https://www.linkedin.com/legal/privacy-policy.
    We have entered into a special agreement with LinkedIn Ireland ("Page Insights Joint Controller Addendum," https://legal.linkedin.com/pages-joint-controller-addendum), which specifically regulates which security measures LinkedIn must observe and in which LinkedIn agrees to fulfill the rights of data subjects (i.e., users can, for example, submit requests for information or deletion directly to LinkedIn). The rights of users (especially the right to information, deletion, objection, and complaint with the competent supervisory authority) are not restricted by the agreements with LinkedIn. Joint responsibility is limited to collecting and transmitting the data to LinkedIn Ireland Unlimited Company, a company based in the EU. Further processing of the data is the sole responsibility of LinkedIn Ireland Unlimited Company, especially concerning the transfer of the data to the parent company, LinkedIn Corporation, in the USA; Service provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.linkedin.com; Privacy Policy: https://www.linkedin.com/legal/privacy-policy; Basis for third-country transfers: Data Privacy Framework (DPF); Opt-Out option: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.
  • Vimeo: Social network and video platform; Service provider: Vimeo Inc., Attention: Legal Department, 555 West 18th Street, New York, New York 10011, USA; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://vimeo.com; Privacy Policy: https://vimeo.com/privacy.

Plug-ins and Embedded Functions as well as Content
We integrate functional and content elements into our online offering that are sourced from the servers of their respective providers (hereinafter referred to as "third-party providers"). These can include graphics, videos, or city maps (collectively referred to as "content").
The integration always requires that the third-party providers of this content process the IP address of the users, as they cannot send the content to their browser without the IP address. Therefore, the IP address is necessary for displaying these contents or functions. We strive to use only content whose respective providers use the IP address solely for delivering the content. Third-party providers may also use pixel tags (invisible graphics, also known as "web beacons") for statistical or marketing purposes. These "pixel tags" can evaluate information such as visitor traffic on the pages of this website. The pseudonymous information may also be stored in cookies on the user’s device and include technical information about the browser and operating system, referring websites, visit times, and other details about the use of our online offering. This data may also be combined with information from other sources.
Legal Basis Information: If we ask the users for their consent to use third-party providers, the legal basis for data processing is the granted permission. Otherwise, the users' data is processed based on our legitimate interests (i.e., interest in efficient, economic, and user-friendly services). In this context, we also refer to the information on the use of cookies in this privacy policy.

  • Processed Data Types: Usage data (e.g., page views and duration of stay, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions). Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved persons).
  • Data Subjects: Users (e.g., website visitors, online service users).
  • Purpose of Processing: Provision of our online offering and user-friendliness; marketing; profiles with user-related information (creating user profiles).
  • Storage and Deletion: Deletion according to the specifications in the "General Information on Data Storage and Deletion" section. Storage of cookies for up to 2 years (unless otherwise specified, cookies and similar storage methods may be stored on users' devices for up to two years).
  • Legal Basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR). Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Further Information on Processing, Procedures, and Services:

  • Integration of Third-Party Software, Scripts, or Frameworks (e.g., jQuery): We integrate software into our online offering that we retrieve from servers of other providers (e.g., functional libraries used for the presentation or user-friendliness of our online offering). In this case, the respective providers collect the IP address of the users and may process it for delivering the software to the users’ browsers as well as for security purposes, evaluation, and optimization of their offerings; legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
  • Google Fonts (self-hosted): Provision of font files for a user-friendly presentation of our online offering; service provider: The Google Fonts are hosted on our server, and no data is transmitted to Google; legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
  • LinkedIn Plugins and Content: LinkedIn plugins and content—This can include content such as images, videos, texts, and buttons with which users can share content from this online offering within LinkedIn; service provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland; legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); website: https://www.linkedin.com; privacy policy: https://www.linkedin.com/legal/privacy-policy; data processing agreement: https://legal.linkedin.com/dpa; basis for third-country transfers: Data Privacy Framework (DPF); opt-out option: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.

Management, Organization, and Auxiliary Tools
We use services, platforms, and software from other providers (hereinafter referred to as "third-party providers") for the purposes of organization, administration, planning, and provision of our services. When selecting third-party providers and their services, we adhere to legal requirements.
In this context, personal data may be processed and stored on the servers of third-party providers. This can include various data that we process according to this privacy policy. Such data may include basic and contact information of users, data on transactions, contracts, other processes, and their contents.
If users are referred to third-party providers or their software or platforms within the context of communication, business, or other relationships with us, the third-party providers may process usage data and metadata for security purposes, service optimization, or marketing purposes. We, therefore, ask you to pay attention to the respective privacy notices of the third-party providers.

  • Processed Data Types: Content data (e.g., text or image messages and contributions, and the information concerning them, such as authorship details or the time of creation); usage data (e.g., page views and duration of stay, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved persons); contact data (e.g., postal and email addresses or phone numbers).
  • Data Subjects: Communication partners; users (e.g., website visitors, online service users); service recipients and contractors; interested parties; business and contractual partners.
  • Purpose of Processing: Provision of contractual services and fulfillment of contractual obligations; office and organizational procedures; communication.
  • Storage and Deletion: Deletion according to the specifications in the "General Information on Data Storage and Deletion" section.
  • Legal Basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

 

Further Information on Processing, Procedures, and Services:

Recruitment Procedure

The recruitment process requires applicants to provide the necessary data for their evaluation and selection. The required information is derived from the job description or, in the case of online forms, from the details provided therein.
In general, the required information includes personal details such as name, address, contact information, and proof of qualifications necessary for a position. Upon request, we are happy to specify which details are needed.
If available, applicants can submit their applications via our online form, which is encrypted according to the latest technological standards. Alternatively, applications can be sent to us by email. However, please be aware that emails sent over the internet are generally not encrypted. While emails are typically encrypted during transmission, this is not the case on the servers from which they are sent and received. Therefore, we cannot assume responsibility for the security of the application during its transmission between the sender and our server.
For the purpose of finding candidates, submitting applications, and selecting applicants, we may utilize applicant management or recruitment software and third-party services, provided they comply with legal requirements.
Applicants are welcome to contact us regarding the method of submission or to send their application by post.
Processing of Special Categories of Data: If, in the course of the recruitment process, special categories of personal data (Art. 9 para. 1 GDPR, e.g., health data such as disability status or ethnic origin) are requested or disclosed by applicants, the processing of such data occurs so that the data controller or the affected person can exercise the rights arising from labor law, social security law, and social protection or fulfill corresponding obligations. Processing may also be necessary to protect vital interests, for preventive healthcare, for the assessment of work capacity, for medical diagnostics, or for the management of healthcare or social services.
Data Deletion: Data provided by applicants may be further processed by us in the event of a successful application for the purpose of the employment relationship. Otherwise, if the application for a job is unsuccessful, the applicants' data will be deleted. Applicants' data will also be deleted if an application is withdrawn, which applicants are entitled to do at any time. Deletion occurs no later than six months after the end of the application process unless a legitimate revocation by the applicant occurs sooner. This timeframe allows us to respond to any follow-up questions about the application and fulfill our obligations regarding equal treatment. Any invoices for travel cost reimbursements are archived according to tax regulations.
Inclusion in an Applicant Pool: Inclusion in an applicant pool, if offered, is based on consent. Applicants are informed that their consent to inclusion in the talent pool is voluntary, does not impact the ongoing recruitment process, and can be revoked at any time for the future.

  • Processed Data Types: Master data (e.g., full name, address, contact information, customer number, etc.); contact data (e.g., postal and email addresses or phone numbers); content data (e.g., text or image messages and contributions, including information related to authorship and creation time). Applicant data (e.g., personal information, postal and contact addresses, application documents, and related information such as cover letters, CVs, certificates, and any other relevant or voluntarily provided information related to a specific job or qualification).
  • Data Subjects: Applicants.
  • Purpose of Processing: Recruitment process (establishing and potentially later executing or terminating an employment relationship).
  • Storage and Deletion: Deletion according to the specifications in the "General Information on Data Storage and Deletion" section.
  • Legal Basis: Recruitment process as a pre-contractual or contractual relationship (Art. 6 para. 1 sentence 1 lit. b) GDPR). Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Further Information on Processing, Procedures, and Services:

  • Personio: Recruitment platform and applicant management services (job postings, applicant search, and recruitment process); Service provider: Personio SE & Co. KG, Seidlstraße 3, 80335 Munich, Germany; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.personio.de/. Privacy policy: https://www.personio.de/datenschutzerklaerung/.

By submitting your message, you confirm that you have read and agree to the Privacy Policy.

Do you have any questions?
We are happy to help.

Contact

FORLIANCE GmbH
+49 (0) 228-969 119 – 0
info@forliance.com

Address

Eifelstraße 20
53119 Bonn
Germany