Preamble
In accordance with Law 13.709/2018 (Brazilian General Data Protection Law (LGPD)), the GDPR (European General Data Protection Regulation), as well as the Swiss Federal Data Protection Act (“Swiss DPA”), we are strongly committed and always attentive to the security and protection of personal data collected when conducting business or when visiting our website, always respecting the confidentiality and privacy of all those who have entrusted Waelzholz with their personal data, as well as all legal provisions and this Privacy Policy.
Last updated: April 2024
Table of contents
- Controller
- Contact information of the data protection officer
- Overview of processing operations
- Legal bases for processing
- Security precautions
- Transmission of personal data
- International data transfers
- Erasure of data
- Use of cookies
- Business operations
- Provision of online services and web hosting
- Contact and inquiry management
- Newsletter and electronic communications
- Commercial communication by email, postal mail, fax, or telephone
- Web analysis, monitoring, and optimization
- Online marketing
- Profiles on Social Networks (Social Media)
- Plugins and embedded functions and content
- Job application process
- Changes and updates to the privacy policy
- Rights of data subjects according to the GDPR
- Rights of data subjects according to the LGPD
- Rights of data subjects according to the Swiss DPA
- Terminology and definitions
1. Controller
C.D. Wälzholz GmbH & Co. KG
Feldmühlenstr. 55
58093 Hagen
Email address:
info@waelzholz.com
2. Contact information of the data protection officer
dataprotection@waelzholz.com
3. Overview of processing operations
The following table summarizes the types of data processed, the purposes for which they are processed, and the concerned data subjects.
Categories of processed data
- User data
- Payment data
- Contact data
- Content data
- Contract data
- Usage data
- Metadata/communication data
Categories of data subjects
- Prospective customers
- Communication partners
- Users
- Business and contractual partners
Purposes of processing
- Provision of contractual services and customer support
- Contact requests and communication
- Direct marketing
- Web analytics
- Office and organizational procedures
- Conversion tracking
- Managing and responding to inquiries
- Feedback
- Marketing
- Profiles with user-related information
- Provision of our online services and usability
- Information technology infrastructure
4. Legal bases for processing
Below you will find an overview of the legal bases defined in the GDPR as well as the LGPD, on the basis of which we process personal data. If, in addition, more specific legal bases are relevant in individual cases, we will inform you of these in this Privacy Policy.
- Consent (Article 6(1)(a) of the GDPR and Article 7(I) of the LGPD) – The data subject has granted consent to the processing of their personal data for one or more specific purposes
- Performance of a contract and precontractual inquiries (Article 6(1)(b) of the GDPR and Article 7(V) of the LGPD) – Performance of a contract to which the data subject is party or to take steps at the request of the data subject prior to entering into a contract
- Compliance with a legal obligation (Article 6(1)(c) of the GDPR and Article 7(II) LGPD) – Processing is necessary for compliance with a legal obligation to which the controller is subject
- Legitimate interests (Article 6(1)(f) of the GDPR and Article 7(IX) of the LGPD) – Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data.
If you are located in Switzerland, we process your data based on the Federal Data Protection Act (abbreviated as “Swiss DPA,” effective from September 1, 2023). This also applies if our processing of your data otherwise affects you in Switzerland and you are affected by the processing. The Swiss DPA does not generally stipulate that a legal basis for processing of personal data must be stated (unlike, for example, the GDPR). We process personal data only when the processing is lawful, is conducted in good faith, and is proportionate (Article 6(1) and (2) of the Swiss DPA). Furthermore, we only collect personal data for a specific purpose that is recognizable to the person concerned and process it only in a manner that is compatible with these purposes (Article 6(3) of the Swiss DPA).
5. Security precautions
We take appropriate technical and organizational measures in accordance with the legal requirements, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing as well as the varying likelihood and severity of risks to the rights and freedoms of natural persons, in order to ensure a level of security commensurate with the risk.
The measures include, in particular, safeguarding the confidentiality, integrity, and availability of data by controlling physical and electronic access to the data as well as access to, entry, transmission, securing the availability of the data, and separation of the data. In addition, we have established procedures to ensure that data subjects’ rights are respected, that data is erased, and that we are prepared to respond to data threats rapidly. Furthermore, we already take the protection of personal data into account during the development or selection of hardware, software, and service providers, in accordance with the principles of privacy by design and privacy by default.
IP address masking: If IP addresses are processed by us or by the service providers and technologies we use and it is not necessary to process a complete IP, the IP address is shortened (also referred to as “IP masking”). In this process, the last two digits or the last part of the IP address after a period are removed or replaced by wildcards. IP address masking is intended to prevent the identification of a person by means of their IP address or to make such identification significantly more difficult.
SSL encryption (https): In order to protect your data transmitted via our online services in the best possible way, we use SSL encryption. You can recognize such encrypted connections by the prefix https:// in the address bar of your browser.
6. Transmission of personal data
In the context of our processing of personal data, we may transfer the data to other locations, companies, or individuals or disclose it to them. Recipients of this data may include, for example, service providers hired to carry out IT tasks or providers of services and content that are embedded in a website. In such a case, we observe and adhere to the legal requirements and, in particular, will enter into corresponding contracts or agreements with the recipients of your data which serve to ensure that your data is protected.
Data transmission within the group of companies: We may transfer personal data to other companies within our group of companies or otherwise grant them access to this data. Insofar as this disclosure is for administrative purposes, the disclosure of the data is based on our legitimate business and financial interests or otherwise, if it is necessary to fulfill our contractual obligations or if the data subjects have granted their consent or we have a legal right to do so.
7. International data transfers
If we process data concerning data subjects within the scope of the GDPR in a third country within the meaning of the GDPR and within the scope of the LGPD in a foreign country within the meaning of the LGPD, or if such processing takes place in the context of the use of third-party services or the disclosure or transfer of data to other persons, entities, or companies, this will only take place in accordance with the legal requirements (Articles 44 – 49 of the GDPR, or 33 – 36 of the LGPD).
Subject to express consent or contractually or legally required transfer, we process or allow the data to be processed only in third countries or foreign countries with a recognized level of data protection, contractual obligation through standard contractual clauses, or if applicable certifications or binding internal data protection regulations exist.
Within the context of what is known as the EU – US "Data Privacy Framework" (DPF), the EU Commission has also recognized the level of data protection as secure for certain companies from the USA within the framework of an adequacy decision. The list of certified companies as well as additional information about the DPF can be found on the website of the US Department of Commerce at https://www.dataprivacyframework.gov/. Information in German and other languages can be found on the website of the EU Commission: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/eu-us-data-transfers_en. We will inform you which of our service providers are certified under the Data Privacy Framework as part of our data protection notices.
8. Erasure of data
The data processed by us will be erased in accordance with the statutory provisions as soon as consent to its processing is withdrawn or other permissions no longer apply (e.g., if the purpose of processing this data no longer applies or it is no longer required for the original purpose).
If the data is not deleted because it is required for other and legally permissible purposes, its processing is limited to these purposes. This means that the data will be restricted and not processed for other purposes. This applies, for example, to data that must be saved due to the requirements of commercial or tax law or in order to assert, exercise, or defend legal claims or to protect the rights of another natural or legal person.
In the context of our data protection notices, we may provide users with further information on the deletion and retention of data that is specific to the respective processing operation.
9. Use of cookies
Cookies are small text files or other data records that save information on users’ devices and read information from the devices. They are used, for example, to save the login status of a user account, the contents of a shopping cart in an online store, content accessed, or specific functions used. Cookies can also be used for various other purposes, e.g., for purposes of enhancing the functionality, security, and convenience of websites as well as creating analyses of visitor flows.
Information on consent: We use cookies in accordance with the statutory provisions. As such, we obtain prior consent from users except when it is not required by law. In particular, consent is not required if saving and reading information, including cookies, is strictly necessary in order to provide an online service explicitly requested by the subscriber or user. The ability to withdraw consent will be clearly communicated to the user and will contain information on how the respective cookie is used.
Information on legal bases under data protection law: The legal basis under data protection law on which we process users' personal data with the use of cookies depends on whether we ask users for consent. If users grant their consent, the legal basis for processing their data is their granted consent. Otherwise, the data processed with the help of cookies is processed on the basis of our legitimate interests (e.g., within the framework of providing our online services and improving their usability) or, if this is done in the context of the fulfillment of our contractual obligations, if the use of cookies is necessary to fulfill such contractual obligations. We outline our reasons for processing cookies in the course of this privacy policy or in the context of our consent and processing procedures.
Retention period: With respect to the retention period, we differentiate between the following types of cookies:
- Temporary cookies (also known as "session cookies"): Temporary cookies are deleted, at the latest, after a user has left a website and closed their device (i.e., browser or mobile application).
- Permanent cookies: Permanent cookies remain saved even after the device has been closed. These cookies are used, for example, to save the user’s login or directly display preferred content when the user visits a website again. Likewise, user data collected with the help of cookies can be used to measure reach. Unless we provide users with explicit information about the type and storage duration of cookies (e.g., as part of obtaining consent), users should assume that cookies are permanent, and that the storage period can be up to two years.
General information on withdrawal of consent and objection (opt-out): Users can withdraw the consent they have granted at any time and also file an objection to processing in accordance with the legal requirements (further information related to withdrawing consent is provided later in this privacy policy). Users can also object via their browser settings.
Cookie settings/Opt-out:
You can change the cookie selection using the link to the cookie settings in the footer of our website and thus change or withdraw your consent.
Further information on processing methods, procedures, and services used:
- Processing cookie data on the basis of consent: We use a cookie management solution that allows users to view, manage, and withdraw their consent to the use of cookies or the procedures and providers specified in the cookie management solution. The declaration of consent is saved so that it does not have to be retrieved again and the consent can be proven in accordance with the legal obligation. Storage can take place on the server and/or in a cookie (known as an “opt-out cookie” or with the aid of comparable technologies) in order to be able to assign the consent to a user and/or their device. Subject to individual details of the providers of cookie management services, the following information applies: The duration of the storage of consent can be up to two years. In this case, a pseudonymous user identifier is created and saved together with the date/time of consent, information on the scope of the consent (e.g., which categories of cookies and/or service providers) as well as the browser, system, and device used.
- Cookiebot: cookie consent manager; Service provider: Cybot A/S, Havnegade 39, 1058 Copenhagen, Denmark; Website: https://www.cookiebot.com/en; Privacy policy: https://www.cookiebot.com/en/privacy-policy/; Further information: Saved data (on the server of the service provider): The IP address of the user in anonymous form (the last three digits are set to 0), date and time of consent, user agent of the user's browser, the URL from which consent was sent, an anonymous, random, and encrypted key value; the consent status of the user.
- Quantcast: cookie consent manager; Service provider: Quantcast Corp., 795 Folsom Street, San Francisco, CA, 94107, USA; Website: https://www.quantcast.com/gdpr/consent-management-solution/; Privacy policy: https://www.quantcast.com/privacy/.
10. Business operations
We process data from our contractual and business partners, e.g., customers and interested parties (collectively referred to as "contractual partners") within the context of contractual and comparable legal relationships as well as associated activities and communication with the contractual partners or prior to entering into a contract, e.g., to respond to inquiries.
We process this data in order to fulfill our contractual obligations. These include, in particular, the obligations to provide the contractually stipulated services, any update obligations, and remedies in the event of warranty and other service disruptions. In addition, we process this data to protect our rights and for the purpose of administrative tasks associated with these obligations and company organization. Furthermore, we process this data on the basis of our legitimate interests in proper and economical business management as well as security measures to protect our contractual partners and our business operations from misuse, endangerment of their data, secrets, information, and rights (e.g., for the involvement of telecommunications, transportation, and other auxiliary services as well as subcontractors, banks, tax and legal advisors, payment service providers, or tax authorities). Within the framework of applicable law, we only disclose contractual partners’ data to third parties to the extent that this is necessary for the aforementioned purposes or to fulfill legal obligations. Contractual partners will be informed about further forms of processing, e.g., for marketing purposes, within the scope of this privacy policy.
We inform our contractual partners of which data is necessary for the aforementioned purposes prior to or in the context of data collection, e.g., in online forms via highlighting (e.g. with special colors), and/or symbols (e.g., asterisks or the like), or personally.
We delete this data after statutory warranty and comparable obligations have expired, i.e., in general after 4 years have passed, unless the data is saved in a customer account or must be retained for legal archiving reasons (e.g., 10 years for tax purposes in normal cases). In the case of data disclosed to us by the contractual partner within the context of an order, we delete the data in accordance with the specifications of the order, in general after completing the order.
If we use third-party providers or platforms to provide our services, the terms and conditions and privacy policies of the respective third-party providers or platforms will apply within the relationship between users and said providers.
- Processed data types: User data (e.g., names, addresses); payment data (e.g., bank details, invoices, payment history); contact data (e.g., email addresses, telephone numbers); contract data (e.g., contract subject, duration, customer category)
- Data subjects: Prospective customers; business and contractual partners
- Purposes of processing: Fulfilling the terms of a contract and providing customer support; contact requests and communication; office and organizational procedures; managing and responding to inquiries
- Legal basis: Performance of a contract and precontractual inquiries (Article 6(1)(b) of the GDPR and Article 7(V) of the LGPD); compliance with a legal obligation (Article 6(1)(c) of the GDPR and Article 7(II) of the LGPD); legitimate interests (Article 6(1)(f) of the GDPR and Article 7(IX) of the LGPD)
11. Provision of online services and web hosting
In order to provide our online services securely and efficiently, we use the services of one or more web hosting providers from whose servers (or servers they manage) the online services can be accessed. For these purposes, we may use infrastructure and platform services, computing capacity, storage space, and database services, as well as security and technical maintenance services.
The data processed within the framework of the provision of such hosting services may include all information relating to the users of our online services that is collected during use and communication. This regularly includes the user’s IP address, which is necessary to be able to deliver the contents of online services to browsers, and all data entered into or from our websites.
- Processed data types: Content data (e.g., text input, photographs, videos); usage data (e.g., websites visited, interest in content, access times); metadata/communication data (e.g., device information, IP addresses)
- Data subjects: Users (e.g., website visitors, users of online services)
- Purposes of processing: Provision of our online services and usability; information technology infrastructure (operation and provision of information systems and technical devices, such as computers, servers, etc.)
- Legal basis: Legitimate interests (Article 6(1)(f) of the GDPR and Article 7(IX) of the LGPD)
Further information on processing methods, procedures, and services used:
- Collection of access data and log files: We and/or our web hosting provider collect data on the basis of each access to the server (known as server log files). Server log files may include the address and name of the web pages and files accessed, the date and time of access, the quantity of data transferred, notification of successful access, browser type and version, the user's operating system, referrer URL (the previously visited page), and, as a rule, IP addresses and the requesting provider. The server log files can be used for security purposes, e.g., to avoid overloading the servers (especially in the case of malicious attacks, known as DDoS attacks) and to ensure the stability and optimal load balancing of the servers; Retention period: Log file information is stored for a maximum period of 30 days and then deleted or anonymized. Data that needs to be retained for a longer period in order to serve as evidence is excluded from deletion until the respective incident has been resolved.
- Amazon Web Services (AWS): Services in the field of the provision of information technology infrastructure and related services (e.g., storage space and/or computing capacities); Service provider: Amazon Web Services, Inc., 410 Terry Avenue North, Seattle, WA, 98109, USA; Website: https://aws.amazon.com/en; Privacy policy: https://aws.amazon.com/en/privacy/?nc1=f_pr; Data processing agreement: https://d1.awsstatic.com/legal/aws-gdpr/AWS_GDPR_DPA.pdf; Basis for third-country transfer: EU – US Data Privacy Framework (DPF), Standard contractual clauses (https://aws.amazon.com/en/service-terms/).
- Hetzner: Services in the field of the provision of information technology infrastructure and related services (e.g., storage space and/or computing capacities); Service provider: Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany; Website: https://www.hetzner.com; Privacy policy: www.hetzner.com/legal/privacy-policy; Data processing agreement: https://docs.hetzner.com/de/general/general-terms-and-conditions/data-privacy-faq/.
12. Contact and inquiry management
When contacting us (e.g., via contact form, email, telephone, or via social media) as well as in the context of existing user and business relationships, we process information about the inquiring individuals to the extent necessary to respond to the contact requests and any requested measures.
The response to such contact inquiries as well as the management of contact and inquiry data in the context of contractual or precontractual relationships is carried out to fulfill our contractual obligations or to respond to contractual and precontractual inquiries and otherwise on the basis of our legitimate interest in responding to the inquiries and maintaining user or business relationships.
- Processed data types: User data (e.g., names, addresses); contact data (e.g. email, telephone numbers); content data (e.g. text input, photographs, videos)
- Data subjects: Communication partners (recipients of emails, letters, etc.)
- Purposes of processing: Contact requests and communication; provision of contractual services and customer support
- Legal basis: Performance of a contract and precontractual inquiries (Article 6(1)(b) of the GDPR and Article 7(V) of the LGPD); legitimate interests (Article 6(1)(f) of the GDPR and Article 7(IX) of the LGPD); compliance with a legal obligation (Article 6(1)(c) of the GDPR and Article 7(II) of the LGPD).
Further information on processing methods, procedures, and services used:
- Contact form: When users contact us via our contact form, email, or other communication channels, we process the data provided to us in this context to process the communicated request. For this purpose, we process personal data in the context of precontractual and contractual business relationships to the extent necessary for their fulfillment and otherwise on the basis of our legitimate interests as well as the interests of the communication partners in us responding to their concerns and our legal archiving requirements.
13. Newsletter and electronic communications
We send newsletters, emails, and other electronic communications (hereinafter referred to as "newsletters") only with the recipient’s consent or a legal right to do so. Insofar as the contents of the newsletter are specifically outlined within the framework of signing up for the newsletter, the users grant their consent to specifically receive such content. Otherwise, our newsletters contain information about our products/services and our company.
As a general rule, you only need to provide us with your email address in order to subscribe to our newsletter. We may, however, ask you to provide a name for the purpose of addressing you personally in the newsletter or to provide further information if this is required for the purposes of the newsletter.
Double opt-in procedure: We use what is known as the double opt-in method in the context of subscribing to our newsletter. This means that you will receive an email after subscribing asking you to confirm that you signed up to receive our newsletter. This confirmation is necessary so that no one can subscribe to our newsletter using other people’s email addresses.
Subscriptions to the newsletter are logged in order to be able to document the sign-up process according to the legal requirements. This includes saving the login and confirmation times as well as the IP address. Similarly, we also log changes to your data saved with the email service provider.
Deletion and restriction of processing: We may save unsubscribed email addresses for up to three years based on our legitimate interests before deleting them to provide evidence of prior consent. The processing of this data is limited to the purpose of a possible defense against legal claims. A user can request to be unsubscribed from the newsletter at any time, provided we confirm that they had previously granted their consent. In the case of an obligation to permanently observe an objection to processing, we reserve the right to save the email address on a blocklist solely for this purpose.
Information on legal bases: We send the newsletter to recipients on the basis of their granted consent, or, if consent is not required, on the basis of our legitimate interests in direct marketing. Insofar as we engage a service provider for the purpose of sending emails, this is done on the basis of our legitimate interests in the efficient and secure sending of said emails. The subscription process is recorded on the basis of our legitimate interests for the purpose of demonstrating that it has been conducted in accordance with the law.
Contents:
Information on the automotive, energy, and industrial applications sectors as well as on the Waelzholz Group and its products and services
- Processed data types: User data (e.g., names, addresses); contact data (e.g., email, telephone numbers); metadata/communication data (e.g., device information, IP addresses); usage data (e.g., websites visited, interest in content, access times)
- Data subjects: Communication partners (recipients of emails, letters, etc.)
- Purposes of processing: Direct marketing (e.g., by email or postal mail); web analytics (e.g., access statistics, recognition of returning visitors); conversion tracking (measuring the effectiveness of marketing activities); profiles with user-related information (creating user profiles)
- Legal basis: Consent (Article 6(1)(a) of the GDPR and Article 7(I) of the LGPD); legitimate interests (Article 6(1)(f) of the GDPR and Article 7(IX) of the LGPD)
- Opt-out: You can unsubscribe from our newsletter at any time, i.e., withdraw your consent or object to further receiving the newsletter. You will find a link to unsubscribe to the newsletter either at the end of each newsletter or you can otherwise use one of the contact options listed above, preferably email.
Further information on processing methods, procedures, and services used:
- Measurement of opening rates and click rates: The newsletters contain what is known as a "web beacon," i.e., a pixel-sized file that is accessed from our server when the newsletter is opened or, if we use an email service provider, from its server. Within the scope of this access, technical information such as information about the browser and your system, as well as your IP address and time of access are initially collected. This information is used for the technical improvement of our newsletter on the basis of technical data or target audiences and their reading behavior on the basis of their access points (which can be determined with the help of the IP address) or access times. This analysis also includes determining whether newsletters are opened, when they are opened, and which links are clicked. This information is linked to the individual newsletter recipients and saved in their profiles until the profiles are deleted. These analyses help us better understand our users’ reading habits and adapt our content to them or to send them different content according to the interests of our users. The measurement of opening rates and click rates as well as saving the measurement results in users’ profiles and their further processing are carried out on the basis of users’ consent. It is not possible for recipients to receive the newsletter yet separately object to the aforementioned processing of performance data – in this case the user must unsubscribe from the newsletter entirely. In this case, the saved profile information will be deleted.
- Brevo: Email sending and automation services; Service provider: Sendinblue GmbH, Köpenicker Str. 126, 10179 Berlin, Germany; Website: https://www.brevo.com/en/; Privacy policy: https://www.brevo.com/en/legal/privacypolicy/; Data processing agreement: Provided by the service provider.
14. Commercial communication by e-mail, postal mail, fax, or telephone
We process personal data for the purposes of promotional communications which may be carried out via various channels, such as email, telephone, postal mail, or fax, in accordance with the legal requirements.
The recipients have the right to withdraw their consent at any time or to object to such advertising communications at any time.
After withdrawal or objection, we will save the data required to prove the user previously granted us their consent to contact them or send them such communications for up to three years from the end of the year of withdrawal or objection on the basis of our legitimate interests. The processing of this data is limited to the purpose of a possible defense against legal claims. Based on our legitimate interest to permanently observe users’ withdrawal of consent or objection to processing, we further save the data necessary to avoid contacting them once again (e.g., depending on the communication channel, the email address, telephone number, name).
- Processed data types: User data (e.g., names, addresses); contact data (e.g., email address, telephone numbers)
- Data subjects: Communication partners (recipients of emails, letters, etc.)
- Purposes of processing: Direct marketing (e.g., by email or postal mail)
- Legal basis: Consent (Article 6(1)(a) of the GDPR and Article 7(I) of the LGPD); legitimate interests (Article 6(1)(f) of the GDPR and Article 7(IX) of the LGPD)
15. Web analysis, monitoring, and optimization
Web analysis is used to evaluate the visitor traffic on our website and may include the behavior, interests, or demographic information of users, such as age or gender, as pseudonymous values. With the help of web analysis, we can, for example, recognize at which time our online services or their functions or contents are most frequently used or accessed repeatedly, as well as which areas require optimization.
In addition to web analysis, we can also use testing procedures, e.g., to test and optimize different versions of our online services or their components.
Unless otherwise stated below, profiles, i.e., data aggregated for a usage process, can be created for these purposes and information can be stored in a browser or in a device and read from it. The information collected includes, in particular, websites visited and elements used there as well as technical information such as the browser used, the computer system used, and information on usage times. If users have agreed to the collection of their location data by us or by the providers of the services we use, we may also process location data.
The IP addresses of users are also saved. However, we use any existing IP masking procedure (i.e., pseudonymization by shortening the IP address) to protect the user. In general, within the framework of web analysis, A/B testing, and optimization, no user data (such as email addresses or names) is saved, but instead pseudonymized data. This means that we, as well as the providers of the software used, do not know the actual identity of the users, but only the information saved in their profiles for the purposes of the respective processes.
Information on legal basis: If we ask the users for their consent to the use of third-party providers, the legal basis of the processing is consent. Furthermore, processing can be a component of our contractual and precontractual activities, provided that the use of the third party was agreed upon within this context. Otherwise, user data will be processed on the basis of our legitimate interests (i.e., interest in the provision of efficient, economical, and recipient-friendly services). In this context, we would also like to refer you to the information on the use of cookies in this privacy policy.
- Processed data types: Usage data (e.g., websites visited, interest in content, access times); metadata/communication data (e.g., device information, IP addresses)
- Data subjects: Users (e.g., website visitors, users of online services)
- Purposes of processing: Web analytics (e.g., access statistics, recognition of returning visitors); profiles with user-related information (creating user profiles)
- Security measures: IP masking (pseudonymization of IP addresses)
- Legal Basis: Consent (Article 6(1)(a) of the GDPR and Article 7(I) of the LGPD); Legitimate interests (Article 6(1)(f) of the GDPR and Article 7(IX) of the LGPD).
Further information on processing methods, procedures, and services used:
- Matomo: Matomo is a software solution that is used for the purposes of web analysis and reach measurement. As part of our use of Matomo, cookies are generated and saved on the user's device. User data collected through the use of Matomo is processed only by us and is not shared with third parties. These cookies are saved for a maximum period of 13 months: https://matomo.org/faq/general/faq_146/; Retention period: The cookies have a maximum storage period of 13 months.
- Google Tag Manager: We utilise the Google Tag Manager, a tool by Google, to manage website tags via a central user interface. Tags are small code elements on our website that serve, among other things, to measure and analyse visitor activities. This technology assists us in improving our website and the services offered on it. The Google Tag Manager itself does not create user profiles, store cookies, or perform any independent analyses. It is solely used to integrate the tools and services we use for our website more simply and efficiently. However, when using the Google Tag Manager, users' IP addresses are transmitted to Google, which is technically necessary to execute the various services we utilise. It is important to note that this data processing only occurs when services are integrated through the Tag Manager that require it. For details on these services and how they process data, we refer you to the subsequent sections of this privacy policy; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal Basis: Consent (Article 6(1)(a) of the GDPR); Website: https://marketingplatform.google.com; Privacy Policy: https://policies.google.com/privacy; Data Processing Agreement: https://business.safety.google/adsprocessorterms; Basis for third-country transfers: Adequacy decision (Ireland).
16. Online marketing
We process personal data for the purposes of online marketing, which may include, in particular, the marketing of advertising space or displaying advertising and other content (collectively referred to as "content") based on the potential interests of users and the measurement of their effectiveness.
For these purposes, user profiles are created and saved in a file (known as a cookie) or similar procedure in which the user information relevant to the display of the aforementioned content is saved. This information may include, for example, content viewed, websites visited, online networks used, communication partners, and technical information such as the browser used, computer system used, and information on usage times and used functions. If users have consented to the collection of their location data, we may also process this data.
The IP addresses of users are also saved. However, we use available IP masking procedures (i.e., pseudonymization by shortening the IP address) to ensure that users’ personal data is protected via the use of a pseudonym. In general, within the framework of the online marketing process, we do not collect any data that can be used to identify a user personally, but instead pseudonymized data. This means that we, as well as the providers of online marketing procedures, do not know the actual identity of the users, but only the information saved in their profiles.
The information in the profiles is usually saved in cookies or similar procedures. These cookies can later, generally also on other websites that use the same online marketing technology, be accessed and analyzed for purposes of displaying content, as well as combined with other data and saved on the server of the online marketing technology provider.
In some exceptional cases, data that can be used to identify a user may be saved in the aforementioned profiles. This is the case, for example, if the users are members of a social network whose online marketing technology we use and the network links the profiles of the users to the aforementioned data. Please note that users may enter into additional agreements with the social network providers or other service providers, e.g., by granting consent as part of a registration process.
As a general rule, we only gain access to aggregated information about the performance of our advertisements. However, within the framework of what is known as conversion measurement, we can check which of our online marketing processes have led to what is known as a conversion, i.e., to the conclusion of a contract with us. This conversion measurement is used solely to analyze the performance of our marketing activities.
Unless otherwise stated, we kindly ask you to consider that the cookies used will be saved for a period of two years.
Information on legal basis: If we ask users for their consent (e.g., in the context of what is known as "cookie banner consent"), the legal basis for processing data for online marketing purposes is this consent. Otherwise, user data will be processed on the basis of our legitimate interests (i.e., interest in the analysis, optimization, and economical operation of our online services). In this context, we would also like to refer you to the information on the use of cookies in this Privacy Policy.
- Processed data types: Usage data (e.g., websites visited, interest in content, access times); metadata/communication data (e.g., device information, IP addresses)
- Data subjects: Users (e.g., website visitors, users of online services)
- Purposes of processing: Marketing; profiles with user-related information (creating user profiles)
- Security measures: IP masking (pseudonymization of IP addresses).
- Legal Basis: Consent (Article 6(1)(a) of the GDPR and Article 7(I) of the LGPD); Legitimate interests (Article 6(1)(f) of the GDPR and Article 7(IX) of the LGPD)
- Opt-out: We refer to the privacy policies of the respective service providers and the ability to object to data processing specified therein (i.e., opting out). If no explicit opt-out option has been specified, it is possible to deactivate cookies in the settings of your browser. However, this may restrict the functions of our online services. We therefore recommend the following additional opt-out options, which are offered collectively for each region: a) Europe: https://www.youronlinechoices.eu. b) Canada: https://www.youradchoices.ca/choices. c) USA: https://www.aboutads.info/choices. d) Cross-regional: https://optout.aboutads.info.
Further information on processing methods, procedures, and services used:
- LinkedIn: e.g., Insights tag/conversion tracking; Service provider: LinkedIn Corporation, 2029 Stierlin Court, Mountain View, CA, 94043, USA; Website: https://www.linkedin.com; Privacy policy: https://www.linkedin.com/legal/privacy-policy, cookie policy: https://www.linkedin.com/legal/cookie-policy; Basis for third-country transfer: Standard contractual clauses (https://legal.linkedin.com/dpa); Opt-out: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.
17. Profiles on Social Networks (Social Media)
We maintain online profiles on social networks and process user data in this context in order to communicate with the users active there or to provide information about our company.
We would like to point out that user data may be processed outside the European Union. This may entail risks for users, e.g., by making it more difficult to enforce users' rights.
In addition, user data is usually processed within social networks for market research and advertising purposes. For example, user profiles can be created on the basis of user behavior and the associated interests of users. The user profiles can then be used, for example, to display advertisements within and outside the networks which are presumed to correspond to the interests of the users. For these purposes, cookies are usually saved on the user's computer that contain information about the user's usage behavior and interests. Furthermore, data can be saved in the user profiles independently of the devices used by the users (especially if the users are members of the respective networks or will become members later on).
For a detailed description of the respective processing operations and the opt-out options, please refer to the respective privacy policies and information provided by the providers of the respective social networks.
We would also like to point out that, for requests for information and for exercising data subjects’ rights, the most effective course of action is to contact the social network providers directly. Only the providers have access to their users’ data and can directly take appropriate measures and provide information. If you still need help, however, please do not hesitate to contact us.
- Processed data types: Contact data (e.g., email, telephone numbers); content data (e.g., text input, photographs, videos); usage data (e.g., websites visited, interest in content, access times); metadata/communication data (e.g., device information, IP addresses)
- Data subjects: Users (e.g., website visitors, users of online services)
- Purposes of processing: Contact requests and communication; feedback (e.g., collecting feedback via online form); marketing
- Legal Basis: Legitimate interests (Article 6(1)(f) of the GDPR and Article 7(IX) of the LGPD)
Further information on processing methods, procedures, and services used:
- LinkedIn: Social network; Service provider: LinkedIn Corporation, 1000 W Maude Ave, Sunnyvale, CA, 94085, USA; Website: https://www.linkedin.com; Privacy policy: https://www.linkedin.com/legal/privacy-policy; Data processing agreement: https://legal.linkedin.com/dpa; Basis for third-country transfer: Standard contractual clauses (https://legal.linkedin.com/dpa); Opt-out: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.
18. Plugins and embedded functions and content
Our online services utilize functional and content elements that are obtained from the servers of their respective providers (hereinafter referred to as "third-party providers"). These may, for example, include graphics, videos, or city maps (hereinafter uniformly referred to as "content").
This integration always presupposes that the third-party providers of this content process the IP address of the user, since they could not transmit the content to the user’s browser without the user’s IP address. The IP address is therefore required for the purpose of displaying such content or functions. We strive to only use content from providers that use users’ IP addresses only for the purpose of transmitting the content. Third parties may also use what are known as pixel tags (i.e., invisible graphics also known as "web beacons") for statistical or marketing purposes. The "pixel tags" can be used to evaluate information such as visitor traffic on the pages of this website. The pseudonymous information may also be stored in cookies on the user's device and may include technical information about the browser and operating system, referring websites, visit times, and other information about the use of our website, as well as may be linked to such information from other sources.
Information on legal basis: If we ask users for their consent (e.g., in the context of a "cookie banner consent"), the legal basis for processing is this consent. Otherwise, user data will be processed on the basis of our legitimate interests (i.e., interest in the analysis, optimization, and economical operation of our online services). We refer you to the note on the use of cookies in this Privacy Policy.
- Processed data types: Usage data (e.g., websites visited, interest in content, access times); metadata/communication data (e.g., device information, IP addresses); user data (e.g., names, addresses); contact data (e.g., email addresses, telephone numbers); content data (e.g., text input, photographs, videos)
- Data subjects: Users (e.g., website visitors, users of online services)
- Purposes of processing: Provision of our online services and usability; provision of contractual services and customer support; web analytics (e.g., access statistics, recognition of returning visitors); information technology infrastructure (operation and provision of information systems and technical devices, such as computers, servers, etc.)
- Legal basis: Consent (Article 6(1)(a) of the GDPR and Article 7(I) of the LGPD); performance of a contract and precontractual inquiries (Article 6(1)(b) of the GDPR and Article 7(V) of the LGPD); Legitimate interests (Article 6(1)(f) of the GDPR and Article 7(IX) of the LGPD)
Further information on processing methods, procedures, and services used:
- Google Maps: We have integrated maps from the service "Google Maps" from the provider Google. The data processed in conjunction with this may include, in particular, users’ IP addresses and location data which are not collected without their consent (usually within the framework of the settings of their mobile devices); Service provider: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; Website: https://cloud.google.com/maps-platform; Privacy policy: https://policies.google.com/privacy; Opt-out: Opt-out plugin: https://tools.google.com/dlpage/gaoptout?hl=en, ad display settings: https://adssettings.google.com/authenticated.
- reCAPTCHA: We have integrated the "reCAPTCHA" function into our website to be able to recognize whether entries (e.g., in online forms) are from humans and not devices operating automatically (commonly referred to as "bots"). The data processed in conjunction with this system may include IP addresses; information on operating systems, devices, or browsers used; language settings; location; mouse movements; keystrokes; time spent on websites; previously visited websites; interactions with reCAPTCHA on other websites; possibly cookies; and results of manual recognition processes (e.g., answering questions asked or selecting objects in images). Data processing is carried out based on our legitimate interest to protect our online services from abusive automated crawling and spam; Service provider: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA, 94043, USA; Website: https://www.google.com/recaptcha/; Privacy policy: https://policies.google.com/privacy; Opt-out: Opt-out plugin: https://tools.google.com/dlpage/gaoptout?hl=en, ad display settings: https://adssettings.google.com/authenticated; Basis for third-country transfer: EU – US Data Privacy Framework (DPF).
- YouTube videos: Video content; Service provider: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA, 94043, USA; Website: https://www.youtube.com; Privacy policy: https://policies.google.com/privacy; Opt-out: Opt-out plugin: https://tools.google.com/dlpage/gaoptout?hl=en, ad display settings: https://adssettings.google.com/authenticated; Basis for third-country transfer: EU – US Data Privacy Framework (DPF).
- Search function and anonymous storage of search terms: We offer a search function within our website and process the entered data to provide the search results according to the entered parameters. We store the entered search terms for the purpose of improving our offer, but only anonymously as a term, i.e., without reference to personal data.
- Issuu: Online service for electronic publishing of content; Service provider: Issuu Inc., 131 Lytton Ave, Palo Alto, CA, 94301 USA; Website: https://issuu.com/; Privacy policy: https://issuu.com/legal/privacy.
19. Job application process
The application process requires applicants to provide us with the data necessary for their assessment and selection. The information required can be found in the job description or, in the case of online forms, in the information contained therein. Generally speaking, the information required includes personal information such as the applicant’s name, address, a way to contact them, and proof of the qualifications required for a particular position. We will be happy to provide you with additional information upon request.
In the event of a successful application, the data provided by the applicants may be further processed by us for the purposes of the employment relationship. Otherwise, if the application for a job offer is not successful, the applicant's data will be deleted. Applicants' data will also be deleted if an application is withdrawn, which applicants are entitled to do at any time. Subject to a justified objection by the applicant, the applicant’s data will be deleted at the latest after a period of six months so that we can answer any follow-up questions regarding the application and comply with our duty of proof under the regulations governing the equal treatment of applicants. Invoices for any reimbursed travel expenses are archived in accordance with applicable tax regulations.
- Processed data types: User data (e.g., names, addresses); contact data (e.g., email, telephone numbers); content data (e.g., text input, photographs, videos); job applicant details (e.g., personal data, postal address and contact addresses and the documents pertaining to the application and the information contained therein, such as cover letter, curriculum vitae, certificates, etc., as well as other information on the person or qualifications of applicants provided with regard to a specific job or voluntarily by applicants)
- Data subjects: Job applicants
- Purposes of processing: Job application process (establishment and possible later execution as well as possible later termination of the employment relationship)
- Legal basis: Performance of a contract and precontractual inquiries (Article 6(1)(b) of the GDPR and Article 7(V) of the LGPD); Legitimate interests (Article 6(1)(f) of the GDPR and Article 7(IX) of the LGPD)
20. Changes and updates to this privacy policy
We kindly ask you to regularly review the content of our Privacy Policy. We will update the privacy policy as changes in our data processing practices make this necessary. We will inform you as soon as the changes require your cooperation (e.g., consent) or other individual notification.
If we provide addresses and contact information of companies and organizations in this Privacy Policy, we ask you to note that addresses may change over time and to verify the information before contacting us.
21. Rights of data subjects according to the GDPR
As a data subject, you are entitled to various rights under the GDPR, which arise, in particular, from Articles 15 to 21 of the GDPR:
- Right to object: You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions. Where personal data are processed for direct marketing purposes, you have the right to object at any time to the processing of the personal data concerning you for the purpose of such marketing, which includes profiling to the extent that it is related to such direct marketing.
- Right to withdraw your consent: You have the right to withdraw consent you have granted at any time.
- Right of access: You have the right to request confirmation as to whether the data in question will be processed and to be informed of this data and to receive further information and a copy of the data in accordance with the provisions of the law.
- Right to rectification: You have the right, in accordance with the law, to request the completion of the data concerning you or the rectification of incorrect data concerning you.
- Right to erasure and right to restriction of processing: In accordance with the statutory provisions, you have the right to obtain the immediate erasure of data concerning you or, alternatively, the restriction of its processing.
- Right to data portability: You have the right to receive data concerning you which you have provided to us in a structured, commonly used, and machine-readable format in accordance with the legal requirements, or to request its transfer to another controller.
- Right to lodge a complaint with the supervisory authority: In accordance with the law and without prejudice to any other administrative or judicial remedy, you also have the right to lodge a complaint with a data protection supervisory authority, in particular a supervisory authority in the Member State where you habitually reside, the supervisory authority of your place of work, or the place of the alleged infringement, if you consider that the processing of personal data concerning you infringes the GDPR.
22. Rights of data subjects according to the LGPD
As a data subject, in relation to the processing of your personal data in accordance with the LGPD, you may, in particular, exercise the following rights against us or request the following:
- Confirmation of the existence of processing
- Access to the data
- The rectification of incomplete, inaccurate, or outdated data
- Anonymization, restriction of processing, or deletion of unnecessary or excessive data or data that has not been processed in accordance with the law
- Transfer of data to another service provider or product supplier, while maintaining commercial and industrial confidentiality
- Deletion of personal data processed with the consent of users
- Information about public and private entities with which we have shared data
- Information about the possibility to refuse consent and the consequences of such refusal
- Withdrawal of consent
- File a complaint with the competent supervisory authority
- Object to processing carried out on the basis of a legal authorization without consent if the legal provisions are not complied with
- Request review of decisions based solely on automated processing of personal data affecting the interests of users, including decisions intended to determine their personal and/or professional consumer/credit profile or aspects of their personality
23. Rights of data subjects according to the Swiss DPA
As the data subject, you have the following rights in accordance with the provisions of the Swiss DPA:
- Right to information: You have the right to request confirmation as to whether personal data concerning you is being processed, and to receive the information necessary for you to assert your rights under the Swiss DPA and to ensure transparent data processing
- Right to data release or transfer: You have the right to request the release of your personal data which you have provided to us in a commonly used electronic format, as well as its transfer to another controller, provided this does not require disproportionate effort
- Right to rectification: You have the right to request the rectification of inaccurate personal data concerning you
- Right to object, deletion, and destruction: You have the right to object to the processing of your data as well as to request that personal data concerning you be deleted or destroyed
24. Terminology and definitions
This section provides an overview of the terms used in this privacy policy. Many of the terms are drawn from the law. The legal definitions are binding. The following explanations, on the other hand, are intended, above all, for the purpose of comprehension. The terms are sorted alphabetically.
- Controller: "Controller" refers to the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data
- Conversion tracking: Conversion tracking is a method used to evaluate the effectiveness of marketing measures. For this purpose, a cookie is usually saved on the devices of the users within the websites on which the marketing measures take place and then accessed again on the target website (e.g., we can thus track whether our advertisements displayed on other websites were successful)
- Personal data: The term "personal data" refers to any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person
- Processing: The term "processing" covers a wide range and practically every form of handling data, be it collection, evaluation, storage, transmission, or erasure
- Profiles with user-related information: The processing of "profiles with user-related information," or "profiles" for short, includes any kind of automated processing of personal data that consists of using this personal data to analyze, evaluate, or predict certain personal aspects relating to a natural person (depending on the type of profiling, this may include different information concerning demographics, behavior and interests, such as interaction with websites and their content, etc.) (e.g., an interest in certain content or products, click behavior on a website, or location). Cookies and web beacons are often used for profiling purposes
- Web analytics: Web analytics serves the evaluation of visitor traffic of online services and can determine their behavior or interests in certain information, such as content of websites. With the help of web analytics, website owners, for example, can recognize at what time visitors visit their website and what content they are interested in. This allows them, for example, to optimize the content of the website to better meet the needs of their visitors. For purposes of web analytics, pseudonymous cookies and web beacons are frequently used in order to recognize returning visitors and thus obtain more precise analyses of the use of an online service