14 General information on data storage and deletion

 

We delete personal data that we process in accordance with legal requirements as soon as the underlying consent is revoked or there is no longer any legal basis for processing. This applies to cases in which the original purpose of processing no longer applies or the data is no longer required. Exceptions to this rule exist if legal obligations or special interests require longer storage or archiving of the data.

In particular, data that must be retained for commercial or tax reasons or whose storage is necessary for legal prosecution or to protect the rights of other natural or legal persons must be archived accordingly.

Our data protection information contains additional information on the storage and deletion of data that applies specifically to certain processing operations.

If there are several specifications regarding the retention period or deletion deadlines for a piece of data, the longest period shall always apply.

If a period does not expressly begin on a specific date and is at least one year, it shall automatically commence at the end of the calendar year in which the event triggering the period occurred. In the case of ongoing contractual relationships in which data is stored, the event triggering the period shall be the date on which the termination or other termination of the legal relationship takes effect.

Data that is no longer required for the originally intended purpose but is retained due to legal requirements or other reasons will be processed by us exclusively for the reasons that justify its retention.

 

 

 

15 Further information on processing procedures, processes and services:

​

• Storage and deletion of data: The following general periods apply to storage and archiving in accordance with German law: 

  • 10 years - retention period for books and records, annual financial statements, inventories, management reports, opening balance sheets and the work instructions and other organisational documents necessary for their understanding (Section 147 (1) No. 1 in conjunction with (3) AO, Section 14b (1) UStG, Section 257 (1) No. 1 in conjunction with (4) HGB).

  • 8 years - Accounting documents, such as invoices and expense receipts (Section 147 (1) No. 4 and 4a in conjunction with (3) sentence 1 AO and Section 257 (1) No. 4 in conjunction with (4) HGB).

  • 6 years - Other business documents: commercial or business letters received, copies of commercial or business letters sent, other documents insofar as they are relevant for taxation, e.g. hourly wage slips, operating statement forms, calculation documents, price labels, but also payroll accounting documents, unless they are already accounting documents, and cash register receipts (Section 147 (1) No. 2, 3, 5 in conjunction with (3) AO, Section 257 (1) No. 2 and 3 in conjunction with (4) HGB).

  • 3 years - Data that is necessary to consider potential warranty and damage claims or similar contractual claims and rights, as well as to process related enquiries, based on previous business experience and customary industry practices, will be stored for the duration of the regular statutory limitation period of three years (Sections 195, 199 BGB)

​

​

 

16 Rights of data subjects

 

Rights of data subjects under the GDPR: As a data subject, you have various rights under the GDPR, which arise in particular from Articles 15 to 21 GDPR:

• Right to object: You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is based on Art. 6 para. 1 lit. e or f GDPR; this also applies to profiling based on these provisions. If the personal data concerning you is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing; this also applies to profiling to the extent that it is related to such direct marketing.

• Right to withdraw consent: You have the right to withdraw your consent at any time.

• Right to information: You have the right to request confirmation as to whether data concerning you is being processed and to obtain information about this data, as well as further information and a copy of the data in accordance with the legal requirements.

• Right to rectification: You have the right to request the completion of data concerning you or the rectification of inaccurate data concerning you in accordance with the statutory provisions.

• Right to erasure and restriction of processing: You have the right to request that data concerning you be erased immediately or, alternatively, to request that the processing of the data be restricted in accordance with legal requirements.

• Right to data portability: You have the right to receive data concerning you that you have provided to us in a structured, commonly used and machine-readable format or to request that it be transferred to another controller in accordance with legal requirements.

• Complaint to a supervisory authority: In accordance with legal requirements and without prejudice to any other administrative or judicial remedy, you also have the right to lodge a complaint with a data protection supervisory authority, in particular a supervisory authority in the Member State of your habitual residence, the supervisory authority of your workplace or the place of the alleged infringement, if you believe that the processing of personal data relating to you violates the GDPR.

 

 

 

17 Provision of the online offer and web hosting

 

We process user data in order to provide them with our online services. For this purpose, we process the user's IP address, which is necessary to transmit the content and functions of our online services to the user's browser or end device.

• Types of data processed: Usage data (e.g. page views and length of stay, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); meta, communication and process data (e.g. IP addresses, time stamps, identification numbers, persons involved); Log data (e.g. log files relating to logins or the retrieval of data or access times). Content data (e.g. textual or pictorial messages and contributions, as well as information relating to them, such as details of authorship or time of creation).

• Data subjects: Users (e.g. website visitors, users of online services). Service recipients and clients.

• Purposes of processing: Provision of our online offering and user-friendliness; information technology infrastructure (operation and provision of information systems and technical equipment (computers, servers, etc.)); security measures. Provision of contractual services and fulfilment of contractual obligations.

• Storage and deletion: Deletion in accordance with the information in the section "General information on data storage and deletion".

• Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

 

​

 

18 Further information on processing operations, procedures and services:

 

• Provision of online services on rented storage space: To provide our online services, we use storage space, computing capacity and software that we rent or otherwise obtain from a server provider (also known as a "web host"); legal basis: legitimate interests (Art. 6(1)(f) GDPR).

• Collection of access data and log files: Access to our online offering is logged in the form of so-called "server log files". The server log files may include the address and name of the websites and files accessed, the date and time of access, the amount of data transferred, notification of successful access, browser type and version, the user's operating system, referrer URL (the previously visited page) and, as a rule, IP addresses and the requesting provider. The server log files can be used for security purposes , e.g. to prevent server overload (especially in the case of malicious attacks, so-called DDoS attacks), and to ensure server utilisation and stability; legal basis: legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR). Deletion of data: Log file information is stored for a maximum period of 30 days and then deleted or anonymised. Data that must be retained for further storage for evidence purposes is excluded from deletion until the respective incident has been finally clarified.

• Content delivery network: We use a "content delivery network" (CDN). A CDN is a service that helps deliver content from an online offering, especially large media files such as graphics or program scripts, faster and more securely using regionally distributed servers connected via the Internet; legal basis: legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

• Wix: Hosting and software for the creation, provision and operation of websites, blogs and other online services; service provider: Wix.com Ltd., Nemal St. 40, 6350671 Tel Aviv, Israel; legal basis: legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://de.wix.com/; privacy policy: https://de.wix.com/about/privacy; order processing agreement: https://www.wix.com/about/privacy-dpa-users. Basis for third-country transfers: Data Privacy Framework (DPF), Data Privacy Framework (DPF).

• Sentry: Monitoring system stability and identifying code errors – information about the device or time of the error is collected pseudonymously and then deleted; Service provider: Functional Software Inc., Sentry, 132 Hawthorne Street, San Francisco, California 94107, USA; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://sentry.io; Security measures: IP masking (pseudonymisation of the IP address); Privacy policy: https://sentry.io/privacy/; Data processing agreement: https://sentry.io/legal/dpa/. Basis for transfers to third countries: Data Privacy Framework (DPF), standard contractual clauses (https://sentry.io/legal/dpa/), Data Privacy Framework (DPF) standard contractual clauses (https://sentry.io/legal/dpa/).

 

 

 

19 Use of cookies

 

The term "cookies" refers to functions that store information on users' end devices and read it from them. Cookies can also be used for various purposes, such as to ensure the functionality, security and convenience of online services and to analyse visitor traffic. We use cookies in accordance with legal requirements. To do so, we obtain the consent of users in advance, where necessary. If consent is not necessary, we rely on our legitimate interests. This applies if the storage and retrieval of information is essential in order to provide expressly requested content and functions. This includes, for example, the storage of settings and ensuring the functionality and security of our online offering. Consent can be revoked at any time. We provide clear information about the scope of cookies and which cookies are used.

Information on the legal basis for data protection: Whether we process personal data using cookies depends on consent. If consent has been given, it serves as the legal basis. Without consent, we rely on our legitimate interests, which are explained above in this section and in the context of the respective services and procedures.

Storage duration: With regard to the storage duration, the following types of cookies are distinguished:

• Temporary cookies (also known as session cookies): Temporary cookies are deleted at the latest after a user leaves an online offer and closes their end device (e.g. browser or mobile application).

• Permanent cookies: Permanent cookies remain stored even after the end device is closed. This allows, for example, the log-in status to be stored and preferred content to be displayed directly when the user revisits a website. The user data collected using cookies may also be used for reach measurement. Unless we provide users with explicit information about the type and storage duration of cookies (e.g. when obtaining consent), they should assume that these are permanent and that the storage period may be up to two years.

General information on revocation and objection (opt-out): Users can revoke their consent at any time and also object to the processing in accordance with the legal requirements, including through the privacy settings of their browser.

• Types of data processed: Meta, communication and procedural data (e.g. IP addresses, time stamps, identification numbers, persons involved). Usage data (e.g. page views and length of stay, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions).

• Persons affected: Users (e.g. website visitors, users of online services).

• Purposes of processing: Provision of our online offering and user-friendliness.

• Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR). Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR).

20 Further information on processing operations, procedures and services:

• Processing of cookie data based on consent: We use a consent management solution that obtains the consent of users for the use of cookies or for the procedures and providers specified in the consent management solution. This procedure serves to obtain, log, manage and revoke consent, in particular with regard to the use of cookies and similar technologies ( ) that are used to store, read and process information on users' end devices. As part of this procedure, users' consent is obtained for the use of cookies and the associated processing of information, including the specific processing and providers mentioned in the consent management procedure. Users also have the option of managing and revoking their consent. The declarations of consent are stored in order to avoid repeated queries and to be able to provide proof of consent in accordance with legal requirements. Storage takes place on the server side and/or in a cookie (known as an opt-in cookie) or using comparable technologies in order to be able to assign the consent to a specific user or their device. If no specific information about the providers of consent management services is available, the following general information applies: The consent is stored for up to two years. A pseudonymous user identifier is created and stored together with the time of consent, information about the scope of consent (e.g. categories of cookies and/or service providers concerned) and information about the browser, system and terminal device used; legal basis: consent (Art. 6 para. 1 sentence 1 lit. a) GDPR).

• Cookie opt-out: In the footer of our website, you will find a link that allows you to change your cookie settings and revoke your consent.

 

 

 

21 Contact and enquiry management

 

When you contact us (e.g. by post, contact form, email, telephone or via social media) and within the framework of existing user and business relationships, the information provided by the person making the enquiry will be processed to the extent necessary to respond to the contact enquiry and any requested measures.

• Types of data processed: Inventory data (e.g. full name, residential address, contact information, customer number, etc.); contact data (e.g. postal and email addresses or telephone numbers); content data (e.g. textual or pictorial messages and posts, as well as information relating to them, such as information about authorship or time of creation); Usage data (e.g. page views and length of stay, click paths, intensity and frequency of use, types of devices and operating systems used, interactions with content and functions). Meta, communication and process data (e.g. IP addresses, time stamps, identification numbers, persons involved).

• Data subjects: Communication partners.

• Purposes of processing: Communication; organisational and administrative procedures; feedback (e.g. collection of feedback via online form). Provision of our online offering and user-friendliness.

• Storage and deletion: Deletion in accordance with the information in the section "General information on data storage and deletion".

• Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR). Contract fulfilment and pre-contractual enquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR).

 

 

 

22 Further information on processing operations, procedures and services:

 

• Contact form: When you contact us via our contact form, by email or other means of communication, we process the personal data you provide to respond to and process your enquiry. This usually includes information such as your name, contact details and, if applicable, other information that you provide and that is necessary for the appropriate processing of your enquiry. We use this data exclusively for the stated purpose of establishing contact and communication; legal bases: fulfilment of a contract and pre-contractual enquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR), legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

• Microsoft Cloud Services: Cloud storage, cloud infrastructure services and cloud-based application software; Service provider: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://microsoft.com/de-de; Privacy policy: https://privacy.microsoft.com/de-de/privacystatement, Security information: https://www.microsoft.com/de-de/trustcenter; Order processing agreement: https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA. Basis for third-country transfers: Data Privacy Framework (DPF), standard contractual clauses (https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA), Data Privacy Framework (DPF) Standard Contractual Clauses (https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA).

​

​

 

23 Communication via messenger

 

We use messengers for communication purposes and therefore ask you to note the following information regarding the functionality of messengers, encryption, the use of communication metadata and your options for objecting.

You can also contact us by alternative means, e.g. by telephone or email. Please use the contact options provided to you or those specified within our online offering.

In the case of end-to-end encryption of content (i.e., the content of your message and attachments), we would like to point out that the communication content (i.e., the content of the message and attached images) is encrypted from end to end. This means that the content of messages cannot be viewed at , not even by the messenger providers themselves. You should always use an up-to-date version of the messenger with encryption enabled to ensure that the content of your messages is encrypted.

However, we also inform our communication partners that although the messenger providers cannot view the content, they can find out that and when communication partners communicate with us, as well as technical information about the device used by the communication partners and, depending on the settings of their device, location information (so-called metadata).

Information on legal bases: If we ask communication partners for permission before communicating with them via messenger, the legal basis for our processing of their data is their consent. Furthermore, if we do not ask for consent and you contact us on your own initiative, for example, we use messengers in relation to our contractual partners and in the context of contract negotiations as a contractual measure and, in the case of other interested parties and communication partners, on the basis of our legitimate interests in fast and efficient communication and in fulfilling the needs of our communication partners in communication via messenger. Furthermore, we would like to point out that we will not transfer the contact data provided to us to the messenger services without your consent.

Revocation, objection and deletion: You can revoke your consent at any time and object to communication with us via messenger at any time. In the case of communication via messenger, we will delete the messages in accordance with our general deletion guidelines (i.e., as described above, after the end of contractual relationships, in the context of archiving requirements, etc.). and otherwise as soon as we can assume that we have answered any questions from the communication partner, if no reference to a previous conversation is to be expected and there are no legal retention obligations that prevent deletion.

Reservation of reference to other communication channels: To ensure your security, we ask for your understanding that we may not be able to respond to enquiries via messenger for certain reasons. This applies to situations in which, for example, contract details must be treated as particularly confidential or a response via messenger does not meet formal requirements. In such cases, we recommend that you use more appropriate communication channels.

• Types of data processed: Contact details (e.g. postal and email addresses or telephone numbers); Content data (e.g. text or image messages and posts, as well as information relating to them, such as details of authorship or time of creation); Usage data (e.g. page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions). Meta, communication and procedural data (e.g. IP addresses, time stamps, identification numbers, persons involved).

• Data subjects: Communication partners.

• Purposes of processing: Communication. Direct marketing (e.g. by email or post).

• Storage and deletion: Deletion in accordance with the information in the section "General information on data storage and deletion".

• Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); fulfilment of contract and pre-contractual enquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR). Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

 

 

 

24 Further information on processing operations, procedures and services:

​

• Microsoft Teams: Chat, audio and video conferencing, file sharing, integration with Office 365 applications, real-time collaboration on documents, calendar functions, task management, screen sharing, optional recording; Service provider: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); website: https://www.microsoft.com/de-de/microsoft-365; privacy policy: https://privacy.microsoft.com/de-de/privacystatement, security information: https://www.microsoft.com/de-de/trustcenter. Basis for transfers to third countries: Data Privacy Framework (DPF), standard contractual clauses (https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA), Data Privacy Framework (DPF) Standard Contractual Clauses (https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA).

 

 

 

25 Video conferences, online meetings, webinars and screen sharing

 

We use platforms and applications from other providers (hereinafter referred to as "conference platforms") for the purpose of conducting video and audio conferences, webinars and other types of video and audio meetings (hereinafter collectively referred to as "conferences"). When selecting conference platforms and their services, we comply with the legal requirements.

Data processed by conference platforms: When you join a conference, the conference platforms process the personal data of participants listed below. How much data is processed depends on what data is needed for a specific conference (like login details or real names) and what optional info participants give. In addition to processing for the purpose of holding the conference, the conference platforms may also process participant data for security purposes or to optimise their services. The data processed includes personal data (first name, surname), contact information (email address, telephone number), access data (access codes or passwords), profile pictures, information about professional position/function, the IP address of the Internet access, information about the participants' end devices, their operating system, browser and its technical and language settings, information about the content of communication processes, i.e. entries in chats as well as audio and video data, and the use of other available functions (e.g. surveys). The content of communications is encrypted to the extent technically provided by the conference provider. If participants are registered as users on the conference platforms, further data may be processed in accordance with the agreement with the respective conference provider.

Logging and recording: If text entries, participation results (e.g. from surveys) and video or audio recordings are logged, participants will be informed of this in advance and, where necessary, asked for their consent.

Data protection measures taken by participants: Please refer to the data protection information provided by the conference platforms for details on how your data is processed and select the security and data protection settings that are best for you in the conference platform settings. Please also ensure data and privacy protection in the background of your recording for the duration of a video conference (e.g. by informing roommates, locking doors and, where technically possible, using the function to blur the background). Links to the conference rooms and access data must not be passed on to unauthorised third parties.

Information on legal bases: If, in addition to the conference platforms, we also process user data and ask users for their consent to the use of the conference platforms or certain functions (e.g. consent to the recording of conferences), the legal basis for processing is this consent. Furthermore, our processing may be necessary to fulfil our contractual obligations (e.g. in participant lists, in the case of processing meeting results, etc.). Otherwise, user data is processed on the basis of our legitimate interests in efficient and secure communication with our communication partners.

• Types of data processed: Inventory data (e.g. full name, residential address, contact information, customer number, etc.); Contact data (e.g. postal and email addresses or telephone numbers); Content data (e.g. text or image messages and posts, as well as information relating to them, such as details of authorship or time of creation); Usage data (e.g. page views and length of stay, click paths, intensity and frequency of use, types of devices and operating systems used, interactions with content and functions); Image and/or video recordings (e.g. photographs or video recordings of a person); sound recordings. Log data (e.g. log files relating to logins or the retrieval of data or access times).

• Data subjects: Communication partners; users (e.g. website visitors, users of online services). Persons depicted.

• Purposes of processing: Provision of contractual services and fulfilment of contractual obligations; communication. Office and organisational procedures.

• Storage and deletion: Deletion in accordance with the information in the section "General information on data storage and deletion".

• Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Further information on processing operations, procedures and services:

• Microsoft Teams: Audio and video conferencing, chat, file sharing, integration with Office 365 applications, real-time collaboration on documents, calendar functions, task management, screen sharing, optional recording; Service provider: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); website: https://www.microsoft.com/de-de/microsoft-teams/; privacy policy: https://privacy.microsoft.com/de-de/privacystatement, security information: https://www.microsoft.com/de-de/trustcenter. Basis for transfers to third countries: Data Privacy Framework (DPF), standard contractual clauses (https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA), Data Privacy Framework (DPF) Standard Contractual Clauses (https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA).

​

​

​​​

26 Management, organisation and support tools

 

We use services, platforms and software from other providers (hereinafter referred to as "third-party providers") for the purposes of organisation, administration, planning and the provision of our services. When selecting third-party providers and their services, we comply with the legal requirements.

In this context, personal data may be processed and stored on the servers of third-party providers. This may affect various data that we process in accordance with this privacy policy. This data may include, in particular, master data and contact details of users, data on transactions, contracts, other processes and their contents.

If users are referred to third-party providers or their software or platforms in the course of communication, business or other relationships with us, the third-party providers may process usage data and metadata for security purposes, service optimisation or marketing purposes. We therefore ask you to observe the data protection information of the respective third-party providers.

• Types of data processed: Content data (e.g. textual or pictorial messages and posts, as well as information relating to them, such as details of authorship or time of creation); usage data (e.g. page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions). Meta, communication and process data (e.g. IP addresses, time stamps, identification numbers, persons involved).

• Data subjects: Communication partners. Users (e.g. website visitors, users of online services).

• Purposes of processing: Provision of contractual services and fulfilment of contractual obligations. Office and organisational procedures.

• Storage and deletion: Deletion in accordance with the information in the section "General information on data storage and deletion".

• Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

 

 

 

27 Processing of data in the context of employment relationships

 

In the context of employment relationships, personal data is processed for the purpose of effectively establishing, implementing and terminating such relationships. This data processing supports various operational and administrative functions necessary for the management of employee relationships.

Data processing covers various aspects ranging from contract initiation to contract termination. This includes the organisation and administration of daily working hours, the management of access rights and authorisations, and the handling of personnel development measures and employee appraisals. Processing also serves the purpose of accounting and administering wage and salary payments, which are critical aspects of contract execution.

In addition, data processing takes into account the legitimate interests of the responsible employer, such as ensuring safety in the workplace or recording performance data for the evaluation and optimisation of operational processes. Furthermore, data processing includes the disclosure of employee data in the context of external communication and publication processes, where this is necessary for operational or legal purposes.

This data is always processed in compliance with the applicable legal framework, with the aim of creating and maintaining a fair and efficient working environment. This also includes taking into account the data protection of the employees concerned, anonymising or deleting data after the purpose of processing has been fulfilled or in accordance with statutory retention periods.

• Types of data processed: Employee data (information about employees and other persons in an employment relationship); Payment data (e.g. bank details, invoices, payment history); Contract data (e.g. subject matter of the contract, term, customer category); Inventory data (e.g. full name, residential address, contact information, customer number, etc.); Contact data (e.g. postal and email addresses or telephone numbers); Content data (e.g. text or image messages and posts, as well as information relating to them, such as details of authorship or time of creation); Social data (data subject to social secrecy and processed, for example, by social security institutions, social welfare agencies or pension authorities); Log data (e.g. log files relating to logins or the retrieval of data or access times); Performance and behaviour data (e.g. performance and behaviour aspects such as performance reviews, feedback from superiors, training participation, compliance with company guidelines, self-assessments and behaviour assessments); Working time data (e.g. , start of working time, end of working time, actual working time, target working time, break times, overtime, vacation days, special leave days, sick days, absences, home office days, business trips); Salary data (e.g. basic salary, bonus payments, premiums, tax class information, allowances for night work/overtime, tax deductions, social security contributions, net pay); Image and/or video recordings (e.g. photographs or video recordings of a person); Usage data (e.g. page views and length of stay, click paths, intensity and frequency of use, types of devices and operating systems used, interactions with content and functions). Meta, communication and process data (e.g. IP addresses, time data, identification numbers, persons involved).

• Special categories of personal data: Health data; religious or philosophical beliefs. Trade union membership.

• Data subjects: Employees (e.g. employees, applicants, temporary staff and other employees).

• Purposes of processing: Establishment and performance of employment relationships (processing of employee data in the context of establishing and performing employment relationships); business processes and business procedures; provision of contractual services and fulfilment of contractual obligations; public relations; security measures. Office and organisational procedures.

• Legal basis: Contract performance and pre-contractual enquiries (Art. 6(1)(b) GDPR); legal obligation (Art. 6(1)(c) GDPR); legitimate interests (Art. 6(1)(f) GDPR). Processing of special categories of personal data relating to health, professional and social security matters (Art. 9(2)(h) GDPR).

 

 

 

28 Further information on processing operations, procedures and services:

​

• Working time recording: Procedures for recording employees' working hours include both manual and automated methods, such as the use of time clocks, time recording software or mobile apps. Activities such as entering arrival and departure times, break times, overtime and absences are carried out. The verification and validation of the recorded working hours includes comparison with work schedules or shift schedules, checking absences and the approval of overtime by supervisors. Reports and analyses are generated on the basis of the recorded working hours in order to provide time sheets, overtime reports and absence statistics for management and the human resources department. Legal basis: Contract fulfilment and pre-contractual enquiries (Art. 6(1)(b) GDPR), legitimate interests (Art. 6(1)(f) GDPR).

• Authorisation management: Procedures required for defining, managing and controlling access rights and user roles within a system or organisation (e.g. creation of authorisation profiles, role- and access-based control, review and approval of access requests, regular review of access rights, tracking and auditing of user activities, creation of security policies and procedures); Legal basis: Contract fulfilment and pre-contractual enquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR), legal obligation (Art. 6 para. 1 sentence 1 lit. c) GDPR), legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

• Special categories of personal data: Special categories of personal data are processed within the scope of the employment relationship or to fulfil legal obligations. The special categories of personal data processed include data concerning the health, trade union membership or religious affiliation of employees. This data may be passed on to health insurance companies, for example, or processed for the purpose of assessing the fitness for work of employees, for occupational health management or for providing information to the tax authorities. Legal basis: Fulfilment of a contract and pre-contractual enquiries (Art. 6(1)(b) GDPR), legal obligation (Art. 6(1)(c) GDPR), legitimate interests (Art. 6(1)(f) GDPR).

• Sources of the processed data: Personal data obtained in the context of the application and/or employment relationship of the employees is processed. In addition, personal data is collected from other sources if required by law. These may include tax authorities for tax-related information, the relevant health insurance fund for information on incapacity to work, third parties such as employment agencies or publicly accessible sources such as professional social networks in the context of application procedures. Legal basis: Legal obligation (Art. 6(1)(c) GDPR), legitimate interests (Art. 6(1)(f) GDPR).

• Purposes of data processing: The personal data of employees is primarily processed for the establishment, implementation and termination of the employment relationship. In addition, the processing of this data is necessary to fulfil legal obligations in the area of tax and social security law. In addition to these primary purposes, employee data is also used to fulfil regulatory and supervisory requirements, to optimise electronic data processing processes and to compile internal or cross-company data, possibly including statistical data. Furthermore, employee data may be processed for the assertion of legal claims and for defence in legal disputes. Legal bases: Contract performance and pre-contractual enquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR), Legal obligation (Art. 6 para. 1 sentence 1 lit. c) GDPR), Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

• Transfer of employee data: Employee data is only processed internally by those departments that require it to fulfil operational, contractual and legal obligations.
  Data will only be passed on to external recipients if this is required by law or if the employees concerned have given their consent. Possible scenarios for this include requests for information from authorities or in the case of capital formation benefits. Furthermore, the controller may transfer personal data to other recipients to the extent necessary to fulfil its contractual and legal obligations as an employer. These recipients may include: a) Banks b) Health insurance companies, pension insurance companies, pension providers and other social insurance providers c) Authorities, courts (e.g. tax authorities, labour courts, other supervisory authorities within the scope of fulfilling reporting and information obligations) d) Tax and legal advisors e) Third-party debtors in the event of wage and salary garnishments f) Other bodies to which legally binding declarations must be made.
  In addition, data may be passed on to third parties if this is necessary for communication with business partners, suppliers or other service providers. Examples of this are information in the sender field of emails or letterheads and the creation of profiles on external platforms; legal bases: fulfilment of contract and pre-contractual enquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR), legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

• Transfer of employee data to third countries: Employee data will only be transferred to third countries, i.e. countries outside the European Union (EU) and the European Economic Area (EEA), if this is necessary for the fulfilment of the employment relationship, is required by law or if employees have given their consent. Employees will be informed separately about the details, where required by law; legal basis: legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

• Business trips and travel expense reports: Procedures required for planning, executing and accounting for business trips (e.g. booking trips, organising accommodation and transport, managing travel expense advances, submitting and reviewing travel expense reports, checking and posting incurred costs, complying with travel guidelines, handling travel expense management); Legal basis: Contract performance and pre-contractual enquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR), legal obligation (Art. 6 para. 1 sentence 1 lit. c) GDPR), legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

• Payroll accounting and payroll administration: Procedures required for the calculation, payment and documentation of wages, salaries and other remuneration of employees (e.g. recording working hours, calculating deductions and allowances, paying taxes and social security contributions, preparing wage and salary statements, maintaining wage accounts, reporting to tax authorities and social security institutions); Legal basis: Contract performance and pre-contractual enquiries (Art. 6(1)(b) GDPR), legal obligation (Art. 6(1)(c) GDPR).

• Deletion of employee data: Employee data is deleted in accordance with German law if it is no longer required for the purpose for which it was collected, unless it must be retained or archived due to legal obligations or the interests of the employer. The following retention and archiving obligations must be observed in this regard: 

• • General personnel records - General personnel records (such as employment contracts, employment references, supplementary agreements) are retained for up to three years after the end of the employment relationship (Section 195 of the German Civil Code (BGB)).
    Tax-related documents - Tax-related documents in the personnel file shall be retained for six years (Section 147 of the German Fiscal Code (AO), Section 257 of the German Commercial Code (HGB)).
    Information on remuneration and working hours – Information on remuneration and working hours for (accident) insured persons with proof of earnings must be retained for five years (Section 165 I 1, IV 2 SGB VII).

  • Salary lists including lists for special payments - Salary lists including lists for special payments, provided that a booking document is available, are retained for ten years (Section 147 AO, Section 257 HGB).

  • Wage lists for interim, final and special payments – Wage lists for interim, final and special payments are retained for six years (Section 147 AO, Section 257 HGB).

  • Documents relating to employee insurance - Documents relating to employee insurance, provided that accounting documents are available, must be retained for ten years (Section 147 AO, Section 257 HGB).

  • Contribution statements to social security institutions - Contribution statements to social security institutions must be retained for ten years (Section 165 SGB VII).
    Payroll accounts - Payroll accounts are retained for six years (Section 41 I 9 EStG).

  • Applicant data - Retained for a maximum of six months from receipt of the rejection.

  • Working time records (for more than 8 hours on working days) - These are kept for two years (Section 16 II of the Working Hours Act (ArbZG)).

  • Application documents (following online job advertisement) - These are retained for three to a maximum of six months after receipt of the rejection (Section 26

  • Federal Data Protection Act (BDSG) as amended, Section 15 IV General Equal Treatment Act (AGG)).

  • Certificates of incapacity for work (AU) - These are kept for up to five years (Section 6 I of the Expense Compensation Act (AAG)).

  • Documents relating to company pension schemes - These are retained for 30 years (Section 18a of the German Company Pension Scheme Improvement Act (BetrAVG)).

  • Employee sickness data - Retained for twelve months after the onset of the illness if the absences do not exceed six weeks in a year.

  • Documents relating to maternity protection - These are retained for two years (Section 27 (5) MuSchG).

Legal basis: Contract performance and pre-contractual enquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR), legal obligation (Art. 6 para. 1 sentence 1 lit. c) GDPR), Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR), processing of special categories of personal data relating to health, profession and social security (Art. 9 para. 2 lit. h) GDPR).

• Personnel file management: Procedures necessary for the organisation, updating and management of employee data and documents (e.g. recording of personnel master data, storage of employment contracts, references and certificates, updating of data in the event of changes, compilation of documents for employee appraisals, archiving of personnel files, compliance with data protection regulations); Legal basis: Contract performance and pre-contractual enquiries (Art. 6(1)(b) GDPR), legal obligation (Art. 6(1)(c) GDPR), Legitimate interests (Art. 6(1)(f) GDPR), processing of special categories of personal data relating to health, professional and social security (Art. 9(2)(h) GDPR).

• Personnel development, performance evaluation and employee appraisals: Procedures that are necessary in the area of promoting and developing employees, as well as in assessing their performance and in the context of employee appraisals (e.g. needs analysis for further training, planning and implementation of training measures, preparation of performance evaluations, conducting target agreement and feedback meetings, career planning and talent management, succession planning); Legal basis: Contract fulfilment and pre-contractual enquiries (Art. 6(1)(b) GDPR), legal obligation (Art. 6(1)(c) GDPR), Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR), processing of special categories of personal data relating to health, profession and social security (Art. 9 para. 2 lit. h) GDPR).

• Obligation to provide data: The controller informs employees that the provision of their data is necessary. This is generally the case if the data is necessary for the establishment and performance of the employment relationship or if its collection is required by law. The provision of data may also be necessary if employees assert claims or if claims are due to employees. The implementation of these measures or the performance of services is dependent on the provision of this data (e.g. the provision of data for the purpose of receiving wages). Legal basis: Fulfilment of a contract and pre-contractual enquiries (Art. 6(1)(b) GDPR), legal obligation (Art. 6(1)(c) GDPR), legitimate interests (Art. 6(1)(f) GDPR).

• Publication and disclosure of employee data: Employee data will only be published or disclosed to third parties if this is necessary for the performance of work tasks in accordance with the employment contract. This applies, for example, if employees are named as contact persons in correspondence, on the website or in public registers in accordance with an agreement or agreed job description, or if the job description includes representative functions. This may also be the case if, in the course of performing their duties, employees are presented or communicate with the public, such as in the context of public relations work. Otherwise, employee data will only be published with their consent or on the basis of the employer's legitimate interests, for example in the case of stage or group photographs taken during a public event. Legal basis: Fulfilment of a contract and pre-contractual enquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR), legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

​

​

 

29 Application

 

The application process requires applicants to provide us with the data necessary for their assessment and selection. The information required is specified in the job description or, in the case of online forms, in the information provided there.

As a rule, the required information includes personal details such as name, address, contact details and proof of the qualifications required for a position. Upon request, we will be happy to provide further information on the details required.

If available, applicants are welcome to submit their applications via our online form, which is encrypted using the latest technology. Alternatively, it is also possible to send applications to us by email. However, we would like to point out that emails are generally not encrypted when sent over the Internet. Although emails are usually encrypted during transmission, this is not the case on the servers from which they are sent and received. We therefore cannot accept any responsibility for the security of your application during transmission between the sender and our server.

For the purposes of searching for applicants, submitting applications and selecting applicants, we may use applicant management or recruitment software and platforms and services provided by third parties in accordance with the statutory requirements.

Applicants are welcome to contact us regarding the method of submitting their application or send us their application by post.

Processing of special categories of data: If special categories of personal data (Art. 9 para. 1 GDPR, e.g. health data, such as severe disability or ethnic origin) are requested from applicants or provided by them, this data will be processed so that the controller or the data subject can exercise their rights under employment law and social security and social protection law and fulfil their obligations in this regard, in the case of the protection of the vital interests of the applicants or other persons or for the purposes of health care or occupational medicine, for the assessment of the working capacity of the employee, for medical diagnosis, for the provision of care or treatment in the health or social sector or for the management of systems and services in the health or social sector.

Deletion of data: The data provided by applicants may be further processed by us for the purposes of the employment relationship in the event of a successful application. Otherwise, if the application for a job vacancy is unsuccessful, the applicant's data will be deleted. The applicant's data will also be deleted if an application is withdrawn, which applicants are entitled to do at any time. Subject to a justified revocation by the applicant, the data will be deleted at the latest after a period of six months so that we can answer any follow-up questions regarding the application and fulfil our obligations to provide evidence in accordance with the regulations on equal treatment of applicants. Invoices for any travel expenses will be archived in accordance with tax regulations.

Inclusion in an applicant pool: Inclusion in an applicant pool, if offered, is based on consent. Applicants are informed that their consent to be included in the talent pool is voluntary, has no influence on the current application process and that they can withdraw their consent at any time in the future.

• Types of data processed: Inventory data (e.g. full name, residential address, contact information, customer number, etc.); contact data (e.g. postal and email addresses or telephone numbers); content data (e.g. textual or pictorial messages and posts, as well as information relating to them, such as details of authorship or time of creation). Applicant data (e.g. personal details, postal and contact addresses, documents relating to the application and the information contained therein, such as cover letters, CVs, references and other information provided by applicants in relation to a specific position or voluntarily provided by applicants about themselves or their qualifications).

• Data subjects: Applicants.

• Purposes of processing: Application process (justification and any subsequent implementation and possible subsequent termination of the employment relationship).

• Storage and deletion: Deletion in accordance with the information in the section "General information on data storage and deletion".

• Legal basis: Application process as a pre-contractual or contractual relationship (Art. 6 para. 1 sentence 1 lit. b) GDPR).

 

 

 

30 Changes and updates

 

We ask you to regularly review the content of our privacy policy. We will amend the privacy policy as soon as changes to the data processing we carry out make this necessary. We will inform you as soon as the changes require your cooperation (e.g. consent) or other individual notification.

If we provide addresses and contact information for companies and organisations in this privacy policy, please note that these addresses may change over time and check the details before contacting them.

The supervisory authority responsible for us is: 

 

State Commissioner for Data Protection and Freedom of Information
Schwerin Castle
Lennéstraße 1
19053 Schwerin
Phone: +49 385 59494 0
Email: info@datenschutz-mv.de

​