Data Protection
Data privacy statement
We are pleased that you have visited our website and thank you for your interest in DS-Mineralöl GmbH and what we have to offer. We attach particular importance to the protection and safety of the data owned by our customers and visitors. The following privacy statement explains what information we collect during your visit to our website and what parts of that information may be used and how.
Introduction
With the following privacy policy, we would like to explain to you what types of your personal data (hereinafter also referred to as ‘data’) we process, for what purposes and to what extent. The privacy policy applies to all processing of personal data carried out by us, both in the context of the provision of our services and in particular on our websites, in mobile applications and within external online presences, such as our social media profiles (hereinafter collectively referred to as ‘online offer’).
The terms used are not gender-specific.
The controller responsible for data processing on this website is:
DS-Mineralöl GmbH
Cuxhavener Street 42/44
28217 Bremen
Phone +49 (0) 421 396 99 0
E-mail: info@ds-mineraloel.de
Persons authorised to represent the company:
Managing directors: Ian Petri, Maximilian Brockmann
For further information about us, please refer to the imprint and the contents of this website. We reserve the right to adapt this data protection declaration to changes in legislation or business processes at any time.
Our company has appointed a data protection officer with the following contact details:
Sicdata Unternehmensberatung
Tobias Erdmann e.K.
Heiligenstock 34c
42697 Solingen
Phone: +49212 73 87 24 – 0
E-mail: info@sicdata.de
Overview of Processing
The following overview summarises the types of data processed and the purposes of their processing and refers to the data subjects.
- Types of data processed
- Inventory data.
- Contact data.
- Content data.
- Usage data.
- Meta/communication data.
Categories of affected persons
- Communication partner.
- Users.
Purposes of processing
- Provision of contractual services and customer Service.
- Contact requests and communication.
- Security measures.
- Direct marketing.
- Reach measurement.
- Tracking.
- Office and organisational procedures.
- Managing and responding to enquiries.
- Feedback.
- Marketing.
- Profiles with user-related information.
- Provision of our online services and user-friendliness.
- Information technology infrastructure.
Relevant legal bases
Below you will find an overview of the legal bases of the GDPR on the basis of which we process personal data. Please note that in addition to the provisions of the GDPR, national data protection regulations may apply in your or our country of residence or domicile. Should more specific legal bases also apply in individual cases, we will inform you of these in the privacy policy.
Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR):
The data subject has given their consent to the processing of their personal data for a specific purpose or several specific purposes.
Contract fulfilment and pre-contractual enquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR):
Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR):
Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
In addition to the data protection regulations of the General Data Protection Regulation, national data protection regulations apply in Germany. These include, in particular, the German Data Protection Act (Bundesdatenschutzgesetz - BDSG). In particular, the BDSG contains special regulations on the right to information, the right to erasure, the right to object, the processing of special categories of personal data, processing for other purposes and transmission as well as automated decision-making in individual cases, including profiling. It also regulates data processing for the purposes of the employment relationship (Section 26 BDSG), in particular with regard to the establishment, implementation or termination of employment relationships and the consent of employees. The data protection laws of the individual federal states may also apply. In addition, the Telecommunications Digital Services Data Protection Act (TDDDG) applies, which regulates provisions on telecommunications secrecy and data protection for telecommunications and telemedia services.
Security measures
We take appropriate technical and organisational measures in accordance with the legal requirements, taking into account the state of the art, the implementation costs and the nature, scope, circumstances and purposes of the processing as well as the different probabilities of occurrence and the extent of the threat to the rights and freedoms of natural persons, in order to ensure a level of protection appropriate to the risk.
The measures include, in particular, safeguarding the confidentiality, integrity and availability of data by controlling physical and electronic access to the data as well as access, input, disclosure, safeguarding availability and separation of the data. Furthermore, we have established procedures that ensure the exercise of data subject rights, the deletion of data and responses to data threats. Furthermore, we already take the protection of personal data into account during the development and selection of hardware, software and processes in accordance with the principle of data protection, through technology design and data protection-friendly default settings.
Shortening of the IP address: If IP addresses are processed by us or by the service providers and technologies used and the processing of a full IP address is not required, the IP address is truncated (also known as ‘IP masking’). In this process, the last two digits or the last part of the IP address after a dot are removed or replaced by placeholders. The shortening of the IP address is intended to prevent or significantly complicate the identification of a person based on their IP address.
SSL encryption (https): We use SSL encryption to protect your data transmitted via our online offering. You can recognise such encrypted connections by the prefix https:// in the address bar of your browser.
Transfer of personal data
I As part of our processing of personal data, data may be transferred to other bodies, companies, legally independent organisational units or persons or disclosed to them. The recipients of this data may include, for example, service providers commissioned with IT tasks or providers of services and content that are integrated into a website. In such cases, we observe the legal requirements and, in particular, conclude corresponding contracts or agreements with the recipients of your data that serve to protect your data.
Data transfer within the group of companies: We may transfer personal data to other companies within our group of companies or grant them access to this data. If this transfer takes place for administrative purposes, the transfer of the data is based on our legitimate business and commercial interests or takes place if it is necessary to fulfil our contractual obligations or if the consent of the data subjects or legal permission has been obtained.
Data processing in third countries
If we process data in a third country (i.e. outside the European Union (EU), the European Economic Area (EEA)) or if the processing takes place in the context of the use of third-party services or the disclosure or transfer of data to other persons, bodies or companies, this will only take place in accordance with the legal requirements.
Subject to express consent or contractually or legally required transfer, we only process or have the data processed in third countries with a recognised level of data protection, contractual obligation through so-called standard protection clauses of the EU Commission, in the presence of certifications or binding internal data protection regulations (Art. 44 to 49 GDPR, information page of the EU Commission: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection_de).
We would like to point out that the USA, as a safe third country, generally has a level of data protection comparable to that of the EU. Data transfer to the USA is therefore permitted if the recipient is certified under the ‘EU-US Data Privacy Framework’ (DPF) or has suitable additional guarantees.
Deletion of data
The data processed by us will be deleted in accordance with the legal requirements as soon as the consent given for processing is revoked or other authorisations cease to apply (e.g. if the purpose for processing this data no longer applies or it is no longer required for the purpose). If the data is not deleted because it is required for other and legally permissible purposes, its processing will be restricted to these purposes. This means that the data is blocked and not processed for other purposes. This applies, for example, to data that must be retained for commercial or tax law reasons or whose storage is necessary for the assertion, exercise or defence of legal claims or to protect the rights of another natural or legal person.
As part of our data protection information, we can provide users with further information on the erasure and retention of data that applies specifically to the respective processing operations.
Use of Cookies
Cookies are small text files or other storage notes that store information on end devices and read information from the end devices. For example, to store the login status in a user account, the contents of a shopping basket in an e-shop, the content accessed or the functions used on an online offer. Cookies can also be used for various purposes, e.g. to ensure the functionality, security and convenience of online offers and to create analyses of visitor flows.
Notes on consent: We use cookies in accordance with the statutory provisions. We therefore obtain prior consent from users, unless this is not required by law. In particular, consent is not required if the storage and reading of information, including cookies, is absolutely necessary in order to provide the user with a telemedia service expressly requested by them (i.e. our online offering). The revocable consent is clearly communicated to the users and contains the information on the respective use of cookies.
Information on legal bases under data protection law: The legal basis under data protection law on which we process users' personal data with the help of cookies depends on whether we ask users for their consent. If users consent, the legal basis for processing their data is the consent they have given. Otherwise, the data processed using cookies is processed on the basis of our legitimate interests (e.g. in the commercial operation of our online offering and improving its usability) or, if this is done as part of the fulfilment of our contractual obligations, if the use of cookies is necessary to fulfil our contractual obligations. We explain the purposes for which we process cookies in the course of this privacy policy or as part of our consent and processing procedures.
Storage period: With regard to the storage period, a distinction is made between the following types of cookies:
- Temporary cookies (also: session cookies): Temporary cookies are deleted at the latest after a user has left an online service and closed their end device (e.g. browser or mobile application).- Permanent cookies: Permanent cookies remain stored even after the end device is closed. For example, the login status can be saved or favourite content can be displayed directly when the user visits a website again. The user data collected with the help of cookies can also be used to measure reach. If we do not provide users with explicit information on the type and storage duration of cookies (e.g. when obtaining consent), users should assume that cookies are permanent and can be stored for up to two years.
General information on revocation and objection (opt-out): Users can revoke the consent they have given at any time and also object to the processing in accordance with the legal requirements in Art. 21 GDPR. Users can also declare their objection via their browser settings, e.g. by deactivating the use of cookies (although this may also restrict the functionality of our online services). An objection to the use of cookies for online marketing purposes can also be declared via the websites https://optout.aboutads.info and https://www.youronlinechoices.com/.
Cookie settings / objection option
Cookie policy of DS-Mineralöl GmbH
What types of cookies we use?
Strictly necessary cookies: These cookies are essential for the proper functioning of our website and enable a good user experience. These cookies do not collect any data that would allow us to identify you.
Preference cookies: These cookies allow a website to remember information that affects the behaviour or appearance of the website, such as your preferred language or the region you are in.
Statistics cookies: By using these cookies, we can improve the way our website works. For example, we receive information about which parts of our website are the most popular, which sites you go to from our website, which site you came from and how long you stay on our website.
Marketing cookies: These cookies help us to make the content of the website as personalised as possible and thus, for example, to display targeted advertising and content based on previous online behaviour. DS-Mineralöl uses marketing cookies, which are managed by third parties, to present its products both on its own website and on third-party websites. The third-party plugins integrated into the DS-Mineralöl website are downloaded from third-party servers so that the third-party provider can install its own cookies on the user's device and collect information about the activities of a visit.
Further information on processing operations, procedures and services
HubSpot Consent Management: Opt-in management for cookies and other content requiring consent or access to user devices.
Processed data types: Usage data (e.g. websites visited, interest in content, access times); meta/communication data (e.g. device information, IP addresses).
Data subjects: Users (e.g. website visitors, users of online services).
Purposes of processing: Consent management/consent management; Information technology infrastructure (operation and provision of information systems and technical devices (computers, servers, etc.)); Security measures;
Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR and Section 25 para. 1 TDDDG); Consent can be revoked at any time.
Deletion of consent management information: The storage period of cookies varies depending on the type of cookie. Session cookies are deleted when you close the browser. Permanent cookies generally have a storage period that varies from two months to two years. Data whose further storage is required for evidentiary purposes is excluded from deletion until the respective incident has been finally clarified;
Service provider: HubSpot CMS: Marketing software for lead generation, marketing automation and analysis; HubSpot, Inc., 25 First St., 2nd floor, Cambridge, Massachusetts 02141, USA; Legal basis: Overriding legal provision (Art. 6 para. 1 sentence 1 lit. c) GDPR) Website: https://www.hubspot.de; Privacy Policy: https://legal.hubspot.com/de/privacy-policy; Data Processing Agreement: https://legal.hubspot.com/dpa; Standard Contractual Clauses (Safeguarding the level of data protection when processing data in third countries): https://legal.hubspot.com/dpa.
Service provider: Cookiebot consent management tool, Usercentrics A/S, Havnegade 39, 1058 Copenhagen, Denmark. Legal basis: Overriding legal provision (Art. 6 para. 1 sentence 1 lit. c) GDPR); Website: https://usercentrics.com/de/
Processing of cookie data on the basis of consent: We use a cookie consent management procedure in which the user's consent to the use of cookies or the processing and providers named in the cookie consent management procedure can be obtained, managed and revoked by the user. The declaration of consent is stored so that it does not have to be requested again and the consent can be proven in accordance with the legal obligation. Consent can be stored on the server and/or in a cookie (so-called opt-in cookie or with the help of comparable technologies) in order to be able to assign the consent to a user or their device. Subject to individual information on the providers of cookie management services, the following information applies: Consent may be stored for up to two years. A pseudonymous user identifier is created and stored with the time of consent, information on the scope of consent (e.g. which categories of cookies and/or service providers) as well as the browser, system and end device used.
Provision of online services and web hosting
We process users' data in order to provide them with our online services. For this purpose, we process the user's IP address, which is necessary to transmit the content and functions of our online services to the user's browser or end device.
Processed data types: Usage data (e.g. websites visited, interest in content, access times); meta/communication data (e.g. device information, IP addresses).
Data subjects: Users (e.g. website visitors, users of online services).
Purposes of processing: Provision of our online services and user-friendliness; information technology infrastructure (operation and provision of information systems and technical devices (computers, servers, etc.)); security measures; reach measurement (e.g. access statistics, recognition of returning visitors); profiles with user-related information (creation of user profiles).
Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
Further information on processing operations, procedures and services:
Provision of online offer on rented storage space:
For the provision of our online offer, we use storage space, computing capacity and software that we rent or otherwise obtain from a corresponding server provider (also called ‘web host’);
Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
Collection of access data and log files: Access to our online offering is logged in the form of so-called ‘server log files’. The server log files may include the address and name of the websites and files accessed, the date and time of access, the amount of data transferred, notification of successful access, browser type and version, the user's operating system, referrer URL (the previously visited page) and, as a rule, IP addresses and the requesting provider. The server log files may be used for security purposes, e.g. to avoid overloading the servers (especially in the event of abusive attacks, so-called DDoS attacks) and to ensure the utilisation of the servers and their stability;
Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR);
Deletion of data: Log file information is stored for a maximum of 30 days and then deleted or anonymised. Data whose further storage is required for evidentiary purposes is excluded from deletion until the respective incident has been finally clarified.
HubSpot:
Social media publishing, reporting (e.g. traffic sources, access figures, web analytics), contact management (e.g. contact forms, direct communication and user segmentation), landing pages;
Service provider: HubSpot, Inc, 25 First St., 2nd floor, Cambridge, Massachusetts 02141, USA;
Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.hubspot.de;
Privacy Policy: https://legal.hubspot.com/de/privacy-policy;
Data processing agreement: https://legal.hubspot.com/dpa;
Standard Contractual Clauses (Safeguarding the level of data protection when processing data in third countries): https://legal.hubspot.com/dpa.
Cloudflare:
We use the ‘Cloudflare’ service. The provider is Cloudflare Inc, 101 Townsend St., San Francisco, CA 94107, USA The data transfer to the USA is based on the standard contractual clauses of the EU Commission. Details can be found here: https://www.cloudflare.com/privacypolicy/.
Further information on security and data protection at Cloudflare can be found here: https://www.cloudflare.com/privacypolicy/.
The company is certified according to the ‘EU-US Data Privacy Framework’ (DPF). The DPF is an agreement between the European Union and the USA, which is intended to ensure compliance with European data protection standards for data processing in the USA. Every company certified under the DPF undertakes to comply with these data protection standards. Further information on this can be obtained from the provider at the following link: https://www.dataprivacyframework.gov/s/participant-search/participant-detail?contact=true&id=a2zt0000000GnZKAA0&status=Active
Contact and request management
When contacting us (e.g. by contact form, email, telephone or via social media) and in the context of existing user and business relationships, the details of the enquiring persons are processed insofar as this is necessary to answer the contact enquiries and any requested measures.
The response to contact enquiries and the management of contact and enquiry data in the context of contractual or pre-contractual relationships is carried out to fulfil our contractual obligations or to respond to (pre)contractual enquiries and otherwise on the basis of legitimate interests in responding to enquiries and maintaining user or business relationships.
Processed data types: Contact data (e.g. e-mail, telephone numbers); Content data (e.g. entries in online forms); Usage data (e.g. websites visited, interest in content, access times); Meta/communication data (e.g. device information, IP addresses).
Data subjects: Communication partners.
Purposes of Processing: Provision of contractual services and customer support; contact requests and communication; Managing and responding to enquiries; Feedback (e.g. collecting feedback via online form); Provision of our online services and usability.
Legal bases: Contract fulfilment and pre-contractual enquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR); Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Consent (Art. 6 para. 1 lit. a GDPR) if this has been requested; consent can be revoked at any time.
Further information on processing operations, procedures and services
Contact form:
When users contact us via our contact form, we process the data communicated to us in this context to process the communicated request. For this purpose, we process personal data in the context of pre-contractual and contractual business relationships, insofar as this is necessary for their fulfilment and otherwise on the basis of our legitimate interests and the interests of the communication partners in responding to the requests and our statutory retention obligations;
Legal bases: Contract fulfilment and pre-contractual enquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR), legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
Deletion of data: The data you send to us via contact enquiries will remain with us until you ask us to delete it, revoke your consent to storage or the purpose for data storage no longer applies (e.g. after your request has been processed). Mandatory statutory provisions - in particular statutory retention periods - remain unaffected.
HubSpot:
Software for customer management, process and sales support (multi-channel communication, i.e. management of customer enquiries from different channels, sales, process management, analyses, feedback and survey functions); Service provider: HubSpot, Inc, 25 First St., 2nd floor, Cambridge, Massachusetts 02141, USA;
Legal basis: Contract fulfilment and pre-contractual enquiries (Art. 6 Para. 1 S. 1 lit. b) GDPR), Legitimate interests (Art. 6 Para. 1 S. 1 lit. f) GDPR);
Website: https://www.hubspot.de;
Privacy Policy: https://legal.hubspot.com/de/privacy-policy;
Data processing agreement: https://legal.hubspot.com/dpa;
Standard contractual clauses (guaranteeing the level of data protection for processing in third countries): https://legal.hubspot.com/dpa.
Data transmission within the group of companies for the processing of enquiries
If we are unable to process your enquiry ourselves, we will pass on your personal data to our sister companies within Diersch & Schröder GmbH & Co. KG. This data transfer takes place exclusively for the purpose of processing your enquiry in the best possible way and providing the requested information, services or products.
The data passed on may include the following information
- Name
- Contact details (e-mail address, telephone number)
- Enquiry content
- Other relevant information that you have provided to us as part of your enquiry
The legal basis for the transfer of data is your express consent in accordance with Art. 6 para. 1 lit. a GDPR. You have the right to withdraw your consent at any time with effect for the future at (https://www.ds-mineraloel.de/en/contacts). The revocation does not affect the legality of the processing carried out up to that point on the basis of the consent.
We also ensure that suitable technical and organisational measures are taken within the group of companies to protect your personal data.
Newsletter and electronic notifications
We only send newsletters, emails and other electronic notifications (hereinafter ‘newsletter’) with the consent of the recipient or with legal authorisation. If the contents of the newsletter are specifically described when registering for the newsletter, they are decisive for the user's consent. Otherwise, our newsletters contain information about our services and us.
To subscribe to our newsletters, it is generally sufficient to provide your e-mail address. However, we may ask you to provide a name so that we can address you personally in the newsletter, or other information if this is necessary for the purposes of the newsletter.
Double opt-in procedure: Registration for our newsletter is always carried out in a so-called double opt-in procedure. This means that after registering you will receive an e-mail asking you to confirm your registration. This confirmation is necessary so that no-one can register with other people's e-mail addresses. Subscriptions to the newsletter are logged in order to be able to prove the registration process in accordance with legal requirements. This includes storing the time of registration and confirmation as well as the IP address. Changes to your data stored by the mailing service provider are also logged.
Deletion and restriction of processing: We may store the unsubscribed e-mail addresses for up to three years on the basis of our legitimate interests before deleting them in order to be able to prove that consent was previously given. The processing of this data is limited to the purpose of a possible defence against claims. An individual request for erasure is possible at any time, provided that the former existence of consent is confirmed at the same time. In the event of obligations to permanently observe objections, we reserve the right to store the e-mail address in a blacklist solely for this purpose.
The registration process is logged on the basis of our legitimate interests for the purpose of proving that it has been carried out properly. If we commission a service provider to send e-mails, this is done on the basis of our legitimate interests in an efficient and secure dispatch system.
Contents: Information about us, our services, promotions and offers.
Processed data types: Inventory data (e.g. names, addresses); Contact data (e.g. e-mail, telephone numbers); Meta/communication data (e.g. device information, IP addresses); Usage data (e.g. websites visited, interest in content, access times).
Data subjects: Communication partners.
Purposes of processing: Direct marketing (e.g. by email or post).
Legal bases: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
Possibility of objection (opt-out): You can cancel the receipt of our newsletter at any time, i.e. revoke your consent or object to further receipt. You will find a link to unsubscribe from the newsletter either at the end of each newsletter or you can use one of the contact options listed above, preferably email.
Further information on processing operations, procedures and services
Measurement of opening and click rates: The newsletters contain a so-called ‘web-beacon’, i.e. a pixel-sized file that is retrieved from our server when the newsletter is opened or, if we use a dispatch service provider, from their server. As part of this retrieval, technical information, such as information about the browser and your system, as well as your IP address and the time of retrieval, is initially collected. This information is used for the technical improvement of our newsletter based on the technical data or the target groups and their reading behaviour based on their retrieval locations (which can be determined with the help of the IP address) or the access times. This analysis also includes determining whether the newsletters are opened, when they are opened and which links are clicked. This information is assigned to the individual newsletter recipients and stored in their profiles until they are deleted. The analyses help us to recognise the reading habits of our users and to adapt our content to them or to send different content according to the interests of our users. The measurement of opening rates and click rates as well as the storage of the measurement results in the user profiles and their further processing are carried out on the basis of the user's consent. Unfortunately, it is not possible to revoke the performance measurement separately; in this case, the entire newsletter subscription must be cancelled or objected to.
HubSpot: Email marketing platform
Service provider: HubSpot, Inc, 25 First St., 2nd floor, Cambridge, Massachusetts 02141, USA;
Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR);
Website: https://www.hubspot.de;
Privacy Policy: https://legal.hubspot.com/de/privacy-policy;
Data processing agreement: https://legal.hubspot.com/dpa;
Standard Contractual Clauses (Safeguarding the level of data protection when processing data in third countries): https://legal.hubspot.com/dpa.
Processing of customer and contract data
We collect, process and use personal customer and contract data to establish, organise the content of and amend our contractual relationships. We collect, process and use personal data about the use of this website (usage data) only insofar as this is necessary to enable the user to use the service or to bill the user. The legal basis for this is Art. 6 para. 1 lit. b GDPR.
The customer data collected will be deleted after completion of the order or termination of the business relationship and expiry of any existing statutory retention periods. Statutory retention periods remain unaffected.
Processed data types: Customer and contract data
Data subjects: Customers (e.g. website visitors, users of online services).
Purposes of processing: Establishment, content design and amendment of our contractual relationships
Legal basis: Processing of data for the fulfilment of a contract or pre-contractual measures (Art. 6 para. 1 sentence 1 lit. b) GDPR).
Web Analysis, monitoring and optimisation
Web analysis (also referred to as ‘reach measurement’) is used to evaluate the flow of visitors to our online offering and may include behaviour, interests or demographic information about visitors, such as age or gender, as pseudonymous values. With the help of reach analysis, we can, for example, recognise at what time our online offering or its functions or content are most frequently used or invite visitors to reuse them. We can also understand which areas require optimisation.
In addition to web analysis, we may also use test procedures, e.g. to test and optimise different versions of our online offering or its components.
Unless otherwise stated below, profiles, i.e. data summarised for a usage process, may be created for these purposes and information may be stored in a browser or end device and read from it. The information collected includes, in particular, websites visited and the elements used there as well as technical information such as the browser used, the computer system used and information on usage times. If users have consented to the collection of their location data from us or from the providers of the services we use, location data may also be processed.
The IP addresses of users are also stored. However, we use an IP masking procedure (i.e. pseudonymisation by shortening the IP address) to protect users. In general, no clear user data (such as email addresses or names) is stored in the context of web analysis, A/B testing and optimisation, but pseudonyms. This means that we and the providers of the software used do not know the actual identity of the users, but only the information stored in their profiles for the purposes of the respective processes.
Processed data types: Usage data (e.g. websites visited, interest in content, access times); meta/communication data (e.g. device information, IP addresses).
Data subjects: Users (e.g. website visitors, users of online services).
Purposes of Processing: Web Analytics (e.g. access statistics, recognition of returning visitors); Profiles with user-related information (Creating user profiles).
Security measures: IP masking (pseudonymisation of the IP address).
HubSpot: Email marketing platform
Service provider: HubSpot, Inc., 25 First St., 2nd floor, Cambridge, Massachusetts 02141, USA;
Legal basis: Consent (Art. 6 para. 1 lit. a GDPR and § 25 TDDDG); Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR);
Website: https://www.hubspot.de;
Privacy Policy: https://legal.hubspot.com/de/privacy-policy;
Data processing agreement: https://legal.hubspot.com/dpa;
Standard Contractual Clauses (Safeguarding the level of data protection for processing in third countries): https://legal.hubspot.com/dpa.
Online Marketing
We process personal data for online marketing purposes, which may include in particular the marketing of advertising space or the presentation of advertising and other content (collectively referred to as ‘content’) based on the potential interests of users and the measurement of its effectiveness.
For these purposes, so-called user profiles are created and stored in a file (so-called ‘cookie’) or similar procedures are used, by means of which the information about the user relevant to the presentation of the aforementioned content is stored. This information may include, for example, content viewed, websites visited, online networks used, but also communication partners and technical information such as the browser used, the computer system used and information on usage times and functions used. If users have consented to the collection of their location data, this can also be processed.
The IP addresses of users are also stored. However, we use available IP masking procedures (i.e. pseudonymisation by shortening the IP address) to protect users. In general, no clear user data (such as e-mail addresses or names) is stored as part of the online marketing process, but pseudonyms. This means that neither we nor the providers of the online marketing procedures know the actual identity of the users, but only the information stored in their profiles.
The information in the profiles is usually stored in cookies or by means of similar procedures. These cookies can generally also be read later on other websites that use the same online marketing process and analysed for the purpose of displaying content as well as supplemented with further data and stored on the server of the online marketing process provider.
In exceptional cases, clear data can be assigned to the profiles. This is the case, for example, if the users are members of a social network whose online marketing processes we use and the network links the user profiles with the aforementioned data. Please note that users can make additional agreements with the providers, e.g. by giving their consent during registration.
In principle, we only receive access to summarised information about the success of our advertisements. However, as part of so-called conversion measurements, we can check which of our online marketing processes have led to a so-called conversion, i.e. e.g. to the conclusion of a contract with us. The conversion measurement is used solely to analyse the success of our marketing measures.
Unless otherwise stated, we ask you to assume that cookies used are stored for a period of two years.
Processed data types: Usage data (e.g. websites visited, interest in content, access times); meta/communication data (e.g. device information, IP addresses); content data (e.g. entries in online forms); event data (Facebook) (‘event data’ is data that can be transmitted by us to Facebook via Facebook pixels (via apps or other means), for example, and relates to people or their actions; the data includes, for example Information about visits to websites, interactions with content, functions, app installations, product purchases, etc.; the event data is processed for the purpose of creating target groups for content and advertising information (custom audiences); event data does not include the actual content (such as comments written), no login information and no contact information (i.e. no names, email addresses and telephone numbers). Event data is deleted by Facebook after a maximum of two years, the target groups formed from them are deleted when our Facebook account is deleted)
Data subjects: Users (e.g. website visitors, users of online services).
Purposes of Processing: Web Analytics (e.g. access statistics, recognition of returning visitors); Targeting (e.g. profiling based on interests and behaviour, use of cookies); Marketing; Profiles with user-related information (Creating user profiles); Conversion tracking (Measurement of the effectiveness of marketing activities); Custom Audiences; Custom Audiences (Selection of relevant target groups for marketing purposes or other output of content); Provision of our online services and usability.
Security measures: IP masking (pseudonymisation of the IP address).
Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR and § 25 para. 1 TDDDG).
Possibility of objection (opt-out): We refer to the data protection notices of the respective providers and the objection options specified for the providers (so-called ‘opt-out’). If no explicit opt-out option has been specified, you have the option of switching off cookies in your browser settings. However, this may restrict the functions of our online offering. We therefore recommend the following additional opt-out options, which are summarised for the respective areas: a) Europe: https://www.youronlinechoices.eu. b) Canada: https://www.youradchoices.ca/choices. c) USA: https://www.aboutads.info/choices. d) Cross-territory: https://optout.aboutads.info.
Further information on processing operations, procedures and services:
LinkedIn: Insights Tag / Conversion measurement;
Service provider: LinkedIn Irland Unlimited Company, Wilton Plaza Wilton Place, Dublin 2, Ireland;
Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR and § 25 para. 1 TDDDG). Consent can be revoked at any time;
Website: https://www.linkedin.com;
Privacy Policy: https://www.linkedin.com/legal/privacy-policy,
Cookie policy: https://www.linkedin.com/legal/cookie_policy;
Standard contractual clauses (guaranteeing the level of data protection for processing in third countries): https://legal.linkedin.com/dpa;
Possibility of objection (opt-out): https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.
Meta pixel and target group formation (custom audiences):
With the help of the Facebook pixel (or comparable functions, for the transmission of event data or contact information by means of interfaces in apps), Facebook is able, on the one hand, to determine the visitors to our online offering as a target group for the display of adverts (so-called ‘Facebook ads’). Accordingly, we use the Facebook pixel to display the Facebook ads placed by us only to those users on Facebook and within the services of the partners cooperating with Facebook (so-called ‘Audience Network’ https://www.facebook.com/audiencenetwork/) who have also shown an interest in our online offer or who have certain characteristics (e.g. interest in certain topics or products that can be seen from the websites visited) that we transmit to Facebook (so-called ‘Custom Audiences’). With the help of the Facebook pixel, we also want to ensure that our Facebook ads correspond to the potential interest of users and are not annoying. With the help of the Facebook pixel, we can also track the effectiveness of Facebook adverts for statistical and market research purposes by seeing whether users have been redirected to our website after clicking on a Facebook advert (so-called ‘conversion measurement’);
Service Provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland;
Legal basis: Consent pursuant to Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TDDDG. Consent can be revoked at any time);
Website: https://www.facebook.com;
Privacy Policy: https://www.facebook.com/about/privacy;
Further information: Users‘ event data, i.e. behavioural and interest data, is processed for the purposes of targeted advertising and targeting on the basis of the joint controllership agreement (’Controller Addendum’, https://www.facebook.com/legal/controller_addendum). The joint controllership is limited to the collection by and transfer of data to Meta Platforms Ireland Limited, a company based in the EU. The further processing of the data is the sole responsibility of Meta Platforms Ireland Limited, which in particular concerns the transfer of the data to the parent company Meta Platforms, Inc. in the USA (on the basis of the standard contractual clauses concluded between Meta Platforms Ireland Limited and Meta Platforms, Inc.)
Google Ads:
Google Ads enables us to display adverts in the Google search engine or on third-party websites when the user enters certain search terms in Google (keyword targeting). Furthermore, targeted adverts can be displayed based on the user data available at Google (e.g. location data and interests) (target group targeting). As the website operator, we can evaluate this data quantitatively by analysing, for example, which search terms led to the display of our advertisements and how many advertisements led to corresponding clicks.
Service provider: Google Ireland Limited („Google“), Gordon House, Barrow Street, Dublin 4, Ireland
Legal basis: Consent pursuant to Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TDDDG. Consent can be revoked at any time);
Further information on data protection: https://policies.google.com/privacy/frameworks und https://privacy.google.com/businesses/controllerterms/mccs/.
DPF certification: https://www.dataprivacyframework.gov/s/participant-search/participant-detail?contact=true&id=a2zt000000001L5AAI&status=Active
Google AdSense:
With the help of Google AdSense, we can display targeted adverts from third-party companies on our website. The content of the advertisements is based on your interests, which Google determines based on your previous user behaviour. Furthermore, contextual information such as your location, the content of the website you have visited or the Google search terms you have entered are also taken into account when selecting the appropriate adverts. Google AdSense uses cookies, web beacons (invisible graphics) and comparable recognition technologies. This allows information such as visitor traffic on these pages to be analysed. The information collected by Google AdSense about the use of this website (including your IP address) and the delivery of advertising formats is transmitted to a Google server in the USA and stored there. This information may be passed on by Google to contractual partners of Google. However, Google will not merge your IP address with other data stored by you.
Service Provider: Google Ireland Limited („Google“), Gordon House, Barrow Street, Dublin 4, Ireland
Legal basis: Consent pursuant to Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TDDDG. Consent can be revoked at any time);
Further information on data protection: https://policies.google.com/privacy/frameworks und https://privacy.google.com/businesses/controllerterms/mccs/.
DPF certification: https://www.dataprivacyframework.gov/s/participant-search/participant-detail?contact=true&id=a2zt000000001L5AAI&status=Active
Google Ads Remarketing: With Google Ads Remarketing, we can assign people who interact with our online offering to specific target groups in order to subsequently show them interest-based advertising in the Google advertising network (remarketing or retargeting). Furthermore, the advertising target groups created with Google Ads Remarketing can be linked to Google's cross-device functions. In this way, interest-based, personalised advertising messages that have been adapted to you depending on your previous usage and surfing behaviour on one end device (e.g. mobile phone) can also be displayed on another of your end devices (e.g. tablet or PC). If you have a Google account, you can object to personalised advertising by clicking on the following link: https://www.google.com/settings/ads/onweb/.
Service Provider: Google Ireland Limited („Google“), Gordon House, Barrow Street, Dublin 4, Ireland
Legal basis: Consent pursuant to Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TDDDG. Consent can be revoked at any time);
Further information on data protection: https://policies.google.com/privacy/frameworks und https://privacy.google.com/businesses/controllerterms/mccs/.
DPF certification: https://www.dataprivacyframework.gov/s/participant-search/participant-detail?contact=true&id=a2zt000000001L5AAI&status=Active
Google Conversion Tracking:
With the help of Google conversion tracking, Google and we can recognise whether the user has carried out certain actions. For example, we can analyse which buttons on our website were clicked how often and which products were viewed or purchased particularly frequently. This information is used to create conversion statistics. We find out the total number of users who have clicked on our adverts and what actions they have taken. We do not receive any information with which we can personally identify the user. Google itself uses cookies or comparable recognition technologies for identification purposes.
Service provider: Google Ireland Limited („Google“), Gordon House, Barrow Street, Dublin 4, Ireland
Legal basis: Consent pursuant to Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TDDDG. Consent can be revoked at any time);
Further information on data protection: https://policies.google.com/privacy/frameworks und https://privacy.google.com/businesses/controllerterms/mccs/.
DPF certification: https://www.dataprivacyframework.gov/s/participant-search/participant-detail?contact=true&id=a2zt000000001L5AAI&status=Active
Management, organisation and support tools
We use services, platforms and software from other providers (hereinafter referred to as ‘third-party providers’) for the purposes of organising, managing, planning and providing our services. When selecting third-party providers and their services, we observe the legal requirements.
In this context, personal data may be processed and stored on the servers of the third-party providers. This may affect various data that we process in accordance with this privacy policy. This data may include, in particular, master data and contact data of users, data on transactions, contracts, other processes and their content.
If users are referred to third-party providers or their software or platforms in the context of communication, business or other relationships with us, the third-party providers may process usage data and metadata for security purposes, service optimisation or marketing purposes. We therefore ask you to observe the data protection notices of the respective third-party providers.
Processed data types: Content data (e.g. entries in online forms); usage data (e.g. websites visited, interest in content, access times); meta/communication data (e.g. device information, IP addresses).
Data subjects: Communication partners; users (e.g. website visitors, users of online services).
Purposes of Processing: Provision of contractual services and customer support; Office and organisational procedures; Web Analytics (e.g. access statistics, recognition of returning visitors); Profiles with user-related information (Creating user profiles).
Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR). If a corresponding consent has been requested, the processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TDDDG, insofar as the consent includes the storage of cookies or access to information in the user's end device (e.g. device fingerprinting) within the meaning of the TDDDG. Consent can be revoked at any time.
Further information on processing operations, procedures and services
HubSpot:
Social media publishing, reporting (e.g. traffic sources, access figures, web analysis), contact management (e.g. contact forms, direct communication and user segmentation), landing pages;
Service provider: HubSpot, Inc., 25 First St., 2nd floor, Cambridge, Massachusetts 02141, USA;
Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.hubspot.de;
Privacy Policy: https://legal.hubspot.com/de/privacy-policy;
Data processing agreement: https://legal.hubspot.com/dpa;
Standard contractual clauses (guaranteeing the level of data protection for processing in third countries): https://legal.hubspot.com/dpa.
Google Tag Manager:
Google Tag Manager is a tool that enables us to integrate tracking or statistical tools and other technologies on our website. The Google Tag Manager itself does not create any user profiles, does not store any cookies and does not carry out any independent analyses. It is only used to manage and display the tools integrated via it. However, Google Tag Manager records your IP address, which may also be transmitted to Google's parent company in the United States.
Service provider: Google Ireland Limited („Google“), Gordon House, Barrow Street, Dublin 4, Ireland
Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); consent pursuant to Art. 6 para. 1 lit. a GDPR and Section 25 para. 1 TDDDG. Consent can be revoked at any time.
Further information on data protection: https://policies.google.com/privacy?hl=de and https://privacy.google.com/businesses/controllerterms/mccs/.
DPF certification: https://www.dataprivacyframework.gov/s/participant-search/participant-detail?contact=true&id=a2zt000000001L5AAI&status=Active
Handling applicant data
We offer you the opportunity to apply to us (e.g. by e-mail, post or online application form). In the following, we inform you about the scope, purpose and use of your personal data collected as part of the application process. We assure you that your data will be collected, processed and used in accordance with applicable data protection law and all other statutory provisions and that your data will be treated in strict confidence.
Scope and purpose of data collection
If you send us an application, we will process your associated personal data (e.g. contact and communication data, application documents, notes taken during interviews, etc.) insofar as this is necessary to decide on the establishment of an employment relationship. The legal basis for this is § 26 BDSG under German law (initiation of an employment relationship), Art. 6 para. 1 lit. b GDPR (general contract initiation) and - if you have given your consent - Art. 6 para. 1 lit. a GDPR. Consent can be revoked at any time. Your personal data will only be passed on within our company to persons who are involved in processing your application.
If the application is successful, the data submitted by you will be stored in our data processing systems on the basis of § 26 BDSG and Art. 6 para. 1 lit. b GDPR for the purpose of implementing the employment relationship.
Storage period of the data
If we are unable to make you a job offer, you reject a job offer or withdraw your application, we reserve the right to retain the data you have submitted on the basis of our legitimate interests (Art. 6 para. 1 lit. f GDPR) for up to 6 months from the end of the application process (rejection or withdrawal of the application). The data will then be deleted and the physical application documents destroyed. The retention serves in particular as evidence in the event of a legal dispute. If it is evident that the data will be required after the 6-month period has expired (e.g. due to an impending or pending legal dispute), the data will only be deleted when the purpose for further storage no longer applies.
Longer storage may also take place if you have given your consent (Art. 6 para. 1 lit. a GDPR) or if statutory retention obligations prevent deletion.
Inclusion in the applicant pool
If we do not make you a job offer, it may be possible to include you in our applicant pool. If you are accepted, all documents and details from your application will be transferred to the applicant pool in order to contact you in the event of suitable vacancies.
Inclusion in the applicant pool takes place exclusively on the basis of your express consent (Art. 6 para. 1 lit. a GDPR). Giving consent is voluntary and is not related to the current application process. The data subject can withdraw their consent at any time. In this case, the data will be irrevocably deleted from the applicant pool, provided there are no legal grounds for retention.
The data from the applicant pool will be irrevocably deleted no later than two years after consent has been given.
Changes and updates to the privacy policy
We ask you to inform yourself regularly about the content of our privacy policy. We will amend the privacy policy as soon as changes to the data processing carried out by us make this necessary. We will inform you as soon as the changes require your co-operation (e.g. consent) or other individual notification.
If we provide addresses and contact information of companies and organisations in this privacy policy, please note that the addresses may change over time and please check the information before contacting us.
Provision of online services and web hosting
As a data subject, you have various rights under the GDPR, which arise in particular from Art. 15 to 21 GDPR:
Right of objection:
If data processing is carried out on the basis of Art. 6 para. 1 lit. e or f GDPR, you have the right to object to the processing of your personal data at any time for reasons arising from your particular situation; this also applies to profiling based on these provisions. The respective legal basis on which processing is based can be found in this privacy policy. If you object, we will no longer process your personal data concerned unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or the processing serves the establishment, exercise or defence of legal claims (objection pursuant to Art. 21 (1) GDPR).
If your personal data are processed for the purpose of direct marketing, you have the right to object at any time to the processing of personal data concerning you for the purpose of such marketing; this also applies to profiling insofar as it is associated with such direct marketing. If you object, your personal data will subsequently no longer be used for the purpose of direct marketing (objection pursuant to Art. 21 para. 2 GDPR).
Right to withdraw consent: Many data processing operations are only possible with your express consent. You can revoke any consent you have already given at any time. The legality of the data processing carried out until the revocation remains unaffected by the revocation.
Right to information: You have the right to request confirmation as to whether the data in question is being processed and to receive information about this data as well as further information and a copy of the data in accordance with the legal requirements.
Right to rectification: You have the right to request the completion of data concerning you or the rectification of inaccurate data concerning you in accordance with the legal requirements.
Right to erasure and restriction of processing: In accordance with the legal requirements, you have the right to demand that data concerning you be erased immediately or, alternatively, to demand that the processing of the data be restricted in accordance with the legal requirements.
Right to data portability: You have the right to receive data concerning you that you have provided to us in a structured, commonly used and machine-readable format in accordance with the legal requirements or to request that it be transferred to another controller.
Complaint to the supervisory authority: In accordance with the statutory provisions and without prejudice to any other administrative or judicial remedy, you also have the right to lodge a complaint with a data protection supervisory authority, in particular a supervisory authority in the Member State in which you are habitually resident, the supervisory authority of your place of work or the place of the alleged infringement, if you consider that the processing of personal data relating to you infringes the GDPR.
The supervisory authority responsible for us:
The State Commissioner for Data Protection and Freedom of Information of the Free Hanseatic City of Bremen
Arndtstraße 1
27570 Bremerhaven
Germany