Data protection information
Privacy policy
Below we would like to inform you about our privacy policy. Here you will find information about the collection and use of personal data when using our website. We comply with the data protection law applicable in Germany. You can access this declaration at any time on our website.
1 Contact person
The controller within the meaning of the General Data Protection Regulation (GDPR) is
Initiative Offene Gesellschaft e.V.
Kärntener Str. 20
10827 Berlin
freunde@offenegesellschaft.org
You can also address questions about data protection directly to our data protection officer: Attorney David Heimburger, dh@davidheimburger.de, 040 / 22863648
2 Note on gender-neutral language
We make every effort to use gender-neutral language. In some cases, we use only the masculine form of a term such as "user" rather than its feminine or gender-inclusive forms. Where we use only the masculine form, the term is nevertheless meant to include all genders.
3 Your rights in general
Here we summarize the general rights to which you are entitled under the GDPR with regard to your personal data processed by us. For an explanation of the legal terms, please refer to the applicable definitions in the GDPR (see Article 4). If anything remains unclear, please do not hesitate to ask us.
- You can revoke your consent to the processing or disclosure of your data at any time for the future (Article 7 (3) GDPR).
- If the legal basis for processing your data is a legitimate interest in accordance with Article 6(1)(f) GDPR, you may object to the data processing in accordance with Article 21 GDPR. If the data processing in question is direct marketing, you do not have to justify your objection in any way; in all other cases, you must provide reasons for your objection that arise from your particular situation.
- If we have stored incorrect information about you, you can request that we correct your data (Article 16 GDPR).
- You can request information from us about which of your data we process (Article 15 GDPR, Section 34 BDSG).
- You can request that we erase your data or restrict its processing, provided that your request does not conflict with any higher-ranking retention obligations (Article 17 or 18 GDPR, Section 35 BDSG).
- You can request that we provide you with the data that you have provided to us yourself in a machine-readable format for forwarding to third parties (Article 20 GDPR).
You may complain to a data protection supervisory authority, e.g. the Berlin Data Protection Commissioner, about data protection issues with us.
4 Data processing by us in general
Any form of processing of personal data requires a legal basis that allows us to do so. The legal basis is primarily determined by the purpose for which the data is processed. The lawfulness within a legal basis is regularly determined by the specific scope of the data processing and the measures we have taken to protect your data.
The legal basis for data processing arises from Article 6(1) GDPR and, for particularly sensitive data such as health data, from Article 9(2) GDPR. These two provisions name the preparation or fulfillment of contractual, legal or social obligations as the most important legal basis for data processing. In addition, many data processing operations are carried out in our legitimate interest, unless the interests of the data subjects prevail in the specific circumstances. If one of the aforementioned types of legal basis is relevant, processing does not require any further consent from you.
In addition, data processing may be carried out on the basis of your consent (Article 7 GDPR) or, for persons under the age of 16, when using information society services (e.g. websites, online games, social media platforms) by children or adolescents in conjunction with the consent of a parent or guardian (Article 8 GDPR).
We would like to expressly point out at this point that none of our online offers requiring consent are aimed at persons under the age of 16.
In some cases, our obligation to ask for your consent does not arise from the GDPR, or not solely from the GDPR, but from the Telecommunications Digital Services Data Protection Act (TDDDG) or the Unfair Competition Act (UWG). We have taken into account the obligations arising from these laws without expressly referring to them below.
If data is transferred to a country outside the European Economic Area (EEA), we ensure that data protection is guaranteed within the meaning of Articles 44 – 49 GDPR. Such a transfer outside the EEA is called a third country transfer in data protection law.
5 General information on cookies
Cookies are a specific form of text entry that is stored on your device by your browser when you visit a website. Different information can be stored in a cookie. Sometimes a cookie only stores a yes or no (“true” or “false”) or a country identifier such as “de” for German; sometimes a character string is stored that enables the browser to be uniquely identified when the website is called up again (a so-called cookie ID).
The right to set cookies is not determined solely by the GDPR, but primarily by Section 25 TDDDG. The standard distinguishes between cookies that are absolutely necessary (essential) for the operation of the online offer and those that are not. Essential cookies may also be set without consent, but non-essential cookies always require consent – even if this is not required under the GDPR (e.g. if there is a legitimate interest as a legal basis or the data is not personal).
Before we store non-essential cookies on your end device, we ask for your consent in accordance with the provisions of § 25 TDDDG.
The purpose of each cookie and the legal basis for its use under the GDPR can be found in the following description of the individual data processing.
There are various ways for you to prevent the acceptance of cookies on your device:
- The standard case with many online offers is that you decide which cookies you allow and which you do not allow via a consent manager when you access the offer. Since we operate our pages without cookies that require consent, we do not use a consent manager, as it is unnecessary for our offers.
- In principle, you can set your browser so that it never accepts cookies. By completely excluding cookies in this way, you will most likely lose functions that are based on cookies and that you would actually like to allow or that do not require consent.
- You can access websites in the private mode of your browser. Private mode also blocks the setting of cookies in your browser memory or automatically deletes all cookies at the end of the session.
- Some browsers or browser plug-ins offer you the option of making more differentiated default settings as to which cookies you want to accept by default and which you do not.
- A special case: Google offers a browser plug-in that prevents Google from setting the various cookies. You can find the corresponding plug-in here: https://tools.google.com/dlpage/gaoptout?hl=de
6 Specific data processing
6.1 Visiting our website
6.1.1 Provision of our Internet pages
Description: In order for a web server to make our website available to your browser, the server must collect technical data about the device you are using, your browser and your internet access. This is referred to as a log file or web log. This is the same data that you are required to leave behind on every website that you visit. The focus is on the IP address from which you access our pages. The web server sends the data you want to see to this Internet address.
Data categories: IP address from which our site was accessed; date and time of access; objects on our website that are accessed in the browser; type and version of Internet browser; type and version of operating system
Data recipient (third country transfer, if applicable): Our hosting service provider, which is bound to data protection by a data processing agreement. A transfer to a third country does not take place. In the event of attacks on our website, forwarding to forensic experts and investigating authorities commissioned by us. A transfer to a third country does not take place.
Purpose + legal basis: Provision of our website and investigations in the event of unlawful access to our website (e.g. a hacker attack). The legal basis is a legitimate interest, as it is not possible to operate a website without recording the weblog. In the specific case of an attack on our website, we have a legitimate interest in being able to provide investigators with evidence of how the attack took place.
Storage period: 7 days
6.1.2 Analysis of user behavior (Matomo)
Description: We use the web analysis service Matomo on our website. On our behalf, Matomo uses the information collected to create statistical reports on the activities on our website, the regional origin of visitors and key technical data on the devices used to visit our pages.
We have set Matomo so that IP addresses are only processed in abbreviated form in order to limit direct personal identification. IP anonymization means that the end of your IP address is replaced by zeros immediately after it is recorded.
We use Matomo without cookies. However, Matomo uses the technical parameters of your end device and your browser to create a so-called digital fingerprint of your device as a so-called hash value. The digital fingerprint enables us to trace usage paths within our website. The hash value is given an additional value (called a salt) by Matomo and then only stored for 24 hours. This combination of hash value with salt and short storage time means that we can only recognize your device within 24 hours. If you return later than 24 hours, this is a completely unknown and therefore new visit for us.
It is also not possible for us to recognize a specific person behind the hash value if you do not inform us in parallel exactly when and how you used our website.
We do not pass on the data from Matomo to third parties. In particular, we do not merge the data with data from advertising networks or use it in any other way for marketing purposes.
In addition to the activities on our website, we also use Matomo to document which internet links you access in our newsletters. Here, too, we do not recognize you as a specific person, but can only track which Internet links motivate our newsletter recipients to click on them and which further route you subsequently take via our website.
You can find more information about Matomo at https://matomo.org/matomo-cloud-privacy-policy/.
Data categories: IP address via which the device goes online until it is immediately anonymized; location or country linked to the IP address and Internet service provider for Internet access; date and time of access; objects on our website that are called up (clicked on) in the browser; type and version of the Internet browser; type and version of the operating system; Internet pages that were previously and next clicked on; digital fingerprint of the end device with additional random value (salt)
Data recipient (third country transfer, if applicable): InnoCraft Ltd, 7 Waterloo Quay PO625, 6140 Wellington, New Zealand. InnoCraft (the operator of Matomo Cloud) is obliged to comply with data protection regulations via a data processing agreement in accordance with Article 28 GDPR. The information collected by the cookies is transferred to servers in the EEA and stored there, so that technically no third country transfer takes place. Legally, the third country transfer to InnoCraft as a New Zealand company is secured by the EU adequacy decision for New Zealand.
Purpose + legal basis: The purpose of this usage analysis is to enable us to further improve our website on the basis of the analysis findings.
The legal basis is a legitimate interest, which arises from the fact that the personal reference of the collected data is greatly reduced by anonymizing the IP addresses and using the hash value with salt and short storage time and the data is not combined by us with other data collections.
Storage period: 24 hours (after which the salted hash value is no longer recognizable)
6.1.3 Bot protection mechanism (Google reCAPTCHA)
Description: When you register for our newsletter, we use Google’s reCAPTCHA service to check whether you are a human or a so-called bot. reCAPTCHA makes it possible to distinguish between human and automated, abusive entries. By using the reCAPTCHA service, data about you is transmitted to Google. Google places the cookies _GRECAPTCHA (expiry time: 6 months), AEC (expiry time: 6 months) and __Secure-ENID (expiry time: 1 year) in the memory of your browser and values for the keys r::a and r::f in the local memory of your browser.
Data processing by reCAPTCHA is carried out in accordance with Google’s data protection information: https://policies.google.com/privacy
We do not receive any data from Google about your usage behavior.
Data categories: IP address from which the page is accessed; date and time of access; type and version of Internet browser; type and version of operating system; Google IDs stored in cookies and local storage keys, but also mouse movements in the area of the reCAPTCHA checkbox
Data recipient (third country transfer, if applicable): Google LLC, contactable for us as a European organization via Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland. If Google transfers data to third countries, Google guarantees that it will handle the data in accordance with EU data protection standards by concluding standard data protection clauses. In addition, the company has certified itself according to the standards of the US-EU Privacy Shield, so that the data transfers are covered by the EU Commission’s adequacy decision on data transfers to the USA from July 2023.
Purpose + legal basis: Securing our newsletter registration against attacks by bots. The legal basis for the transfer of data is a legitimate interest, as there is a high level of interest in securing our infrastructure.
Storage period: Google is responsible for the storage period. It is not necessary for us to delete your data, as we do not collect any data from you through the use of reCAPTCHA.
6.1.4 Online fonts (Google Fonts)
Description: We use so-called web fonts to enable an individual design of our Internet pages. Your browser loads these fonts from the Internet to display our pages if the fonts have not yet been loaded into your browser’s memory from a previous visit to a page with this font.
In principle, fonts are available directly on our own server. In this respect, this does not constitute independent processing that goes beyond the processing of “providing our website”. In some cases, we access fonts from external servers, in our case when using the protection mechanisms via Google’s reCAPTCHA technology, which loads fonts from Google (Google Fonts).
To download the fonts from the Google font servers (gstatic.com), your IP address must be transmitted to Google, as it is not possible to transmit the data package otherwise. Google does not receive any further data from you in direct connection with the font download.
Data categories: IP address from which your device accesses the Internet, time
Data recipient (third country transfer, if applicable): Google LLC, contactable for us as a European organization via Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland. If Google transfers data to third countries, Google guarantees that it will handle the data in accordance with EU data protection standards by concluding standard data protection clauses. In addition, the company has certified itself according to the standards of the US-EU Privacy Shield, so that the data transfers are covered by the EU Commission’s adequacy decision on data transfers to the USA from July 2023.
Purpose + legal basis: Provision of Google Fonts as part of the reCAPTCHA security mechanisms. The legal basis is a legitimate interest, as only the IP address of your device is transmitted as part of the font download without further references to your use of the Internet.
Storage period: Google is responsible for the storage period. It is not possible for us to delete your data, as we do not collect any data from you through the use of Google Fonts.
6.2 Newsletter and contact management
6.2.1 Newsletter registration
Description: You can subscribe to our e-mail newsletter. All you have to do is enter an e-mail address.
If you register online for the newsletter, you will receive an e-mail to the address you have provided in which we ask you to confirm your registration. This is to prevent you from being subscribed to our newsletter by someone who does not or should not have access to this address. This two-stage procedure is called double opt-in for double consent.
By registering for our newsletter, you consent to us sending you e-mails on the topics described on the registration page in accordance with both data protection and competition law.
You can revoke your registration and thus your consent at any time for the future. This is possible via the corresponding link at the end of every newsletter we send out.
We record the use of our newsletter via so-called tracking pixels and campaign URLs for the internet links in the newsletter. The tracking pixel calls up our newsletter server when you open the email. Access to the internet links in the newsletter is recorded via the campaign assignment in our web analysis (Matomo).
The registration form on our site sets a session cookie (automatically deleted when you close the browser) with the name __cfruid.
Data categories: E-mail address, documentation of e-mail verification (double opt-in), time of your registration; usage data (opening the e-mail + clicking on Internet links)
Data recipient (third country transfer, if applicable): Our service provider for sending the newsletter, which is bound to data protection by a data processing agreement. There is no transfer to third countries.
Purpose + legal basis: Provision of an e-mail newsletter and optimization of our newsletter content. The legal basis is your consent.
Storage period: Your data will be deleted immediately after you withdraw your consent.
6.2.2 Contact database (CRM)
Description: We maintain your data in a contact database in the sense of Customer Relationship Management (CRM). In the CRM, we store your contact data and the history of your customer relationship with us. We also use the CRM to manage communication with you via newsletters.
Data categories: Contact data (name, e-mail address, telephone number, address), event participation, newsletter consent
Data recipient (third country transfer, if applicable): Our service provider for the operation of the CRM, which is bound to data protection by a data processing agreement. A transfer to a third country does not take place.
Purpose + legal basis: Use of a CRM system that enables us to provide holistic support for our contacts, from establishing contact to event management and newsletter distribution. The legal basis is a legitimate interest, as the use of the CRM increases the level of service and reduces costs.
Storage period: Until you withdraw your newsletter consent or object to the storage of your data.
6.3 Webshop
(…)
6.4 Events
(…)
6.5 Our social media profiles
6.5.1 Facebook and Instagram
Description: We operate company profiles (also known as fan pages) on Facebook and Instagram. Such a fan page enables us to present our organization on Facebook or Instagram, to get in touch with you on this social media platform and to draw attention to our services and offers via advertisements on these platforms.
Meta provides us with analysis data about the use of our fan page (called Page Insights). This gives us an impression of how successful our individual communication measures are.
Meta’s data protection information applies to the details of data processing at Meta: https://www.facebook.com/about/privacy
In accordance with a ruling of the European Court of Justice, the use of this analysis data is carried out under joint responsibility with Meta in accordance with Article 26 GDPR. Meta has accordingly provided a joint controllership agreement (https://www.facebook.com/legal/terms/page_controller_addendum). In the agreement, Meta has assumed sole responsibility for all data processing issues. If you wish to exercise your rights under the GDPR with regard to the data processed in Page Insights, you should contact Meta directly via your Meta account. However, in accordance with the legal rules on joint responsibility, you are also free to contact us with your request. We would then forward your request to Meta.
Data categories: Meta user name; comments, likes and page views within Facebook or Instagram and time of the action
Data recipient (third country transfer, if applicable): Meta Platforms Inc, contactable for us as a European organization via Meta Platforms Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. Meta guarantees that data is handled in accordance with EU data protection standards by concluding standard data protection clauses. In addition, the company has certified itself according to the standards of the US-EU Privacy Shield, so that the data transfers are covered by the EU Commission’s adequacy decision on data transfers to the USA from July 2023.
Purpose + legal basis: Analysis of usage behavior on our fan page or Instagram profile. The legal basis is the consent you have given as part of your Meta registration.
Storage period: Meta is responsible for the storage period.
6.5.2 LinkedIn
Description: We operate a company profile on LinkedIn. Such a LinkedIn profile enables us to present our organization on LinkedIn, to get in touch with you on this social media platform and to draw attention to our services and offers via advertisements on this platform.
LinkedIn provides us with analysis data about the use of our profile page. This gives us an impression of how successful our individual communication measures are.
For details on data processing at LinkedIn, please refer to LinkedIn’s data protection information: https://www.linkedin.com/legal/privacy-policy
Data categories: LinkedIn user name; comments, likes and page views within LinkedIn and time of action
Data recipient (third country transfer, if applicable): LinkedIn Corp, contactable for us as a European organization via LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland. LinkedIn guarantees that the data will be handled in accordance with EU data protection standards by concluding standard data protection clauses. In addition, the company has certified itself according to the standards of the US-EU Privacy Shield, so that the data transfers are covered by the EU Commission’s adequacy decision on data transfers to the USA from July 2023.
Purpose + legal basis: Analysis of usage behavior on our LinkedIn profile. The legal basis is the consent you have given as part of your LinkedIn registration.
Storage period: The storage period is the responsibility of LinkedIn.
6.6 Suppliers and service providers
6.6.1 Business relationship
Description: As a customer, we process personal data from our suppliers and service providers who are self-employed persons or partnerships, or our contact persons at such organizations, in order to be able to communicate with you about the processing of the order. In addition to substantive communication, your data is typically processed in the separately described processing operations of our “General Infrastructure” (see there).
Data categories: Contact, contract and invoice data
Data recipients (third country transfer, if applicable): Tax consultants, auditors, lawyers in their capacity as holders of professional secrecy.
Purpose + legal basis: Proper business management. The legal bases are contract fulfillment as well as legal obligations and legitimate interests.
Storage period: According to tax law, invoice data must be stored for 10 years; contract data must be stored for different periods depending on the type of contract. In the case of copyrights, such periods extend up to 70 years beyond the death of the author.
6.6.2 Mention in publications
Description: In publications published by us, we mention authors by name in accordance with the authors’ right to be named. The naming also extends to the accompanying marketing and public relations work. If authors represent an institution relevant to the publication, their affiliation to this institution is also mentioned. In some publications, the authors’ professional contact details are also published as a service to readers.
Data categories: Name, academic title; partly institution and professional contact details
Data recipient (third country transfer, if applicable): none
Purpose + legal basis: Identification of authorship. The legal basis for the name is fulfillment of the author contract. The legal basis for the contact details is a legitimate interest, as only professional contact details of relevant contacts are published here.
Storage period: After delivery of printed publications, subsequent deletion by us is not possible.
6.7 Appointments
6.7.1 Applications
Description: If you apply for a job with us, we will process your application documents until the end of the application process exclusively for the purpose of deciding on your recruitment. We restrict access to your documents to those persons whom we reasonably involve in the decision to hire you.
If you are hired, your application documents will become part of your personnel file. If you are not hired, we will either ask you for your consent to be included in our candidate pool or return or destroy your documents as soon as there is no longer any reason to expect an objection to our decision under anti-discrimination law.
Data categories: Name + contact details (e-mail, telephone, address), photo, profile URL in professional networks (e.g. Xing); information in the letter of application, CV, certificates and references, proof of training and professional qualifications, notes on job interviews (by telephone and in person), results from recruitment tests if applicable
Data recipient (third country transfer, if applicable): Microsoft as our service provider for hosting our email inboxes and file storage. Microsoft Ireland Operations Ltd, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18 D18 P521, Ireland; Microsoft is bound to data protection by a data processing agreement. Insofar as the EU subsidiary transfers data to the US parent company Microsoft Corp. or other Microsoft companies, Microsoft guarantees that the data will be handled in accordance with EU data protection standards by concluding standard data protection clauses. In addition, the company has certified itself according to the standards of the US-EU Privacy Shield, so that the data transfers are covered by the EU Commission’s adequacy decision on data transfers to the USA from July 2023.
Purpose + legal basis: Basis for decisions on staffing. The legal basis is the preparation of contract fulfillment (employment contract) and subsequently a legitimate interest in defending against objections to negative decisions.
Storage period: 6 months after completion of the original application process
6.7.2 Candidate pool
Description: If we are currently unable to offer you a suitable position, but would like to consider you again in the selection process for future vacancies, we ask for your consent to keep your application documents beyond the end of the current application process. If we are unable to get back to you for more than two years, we will ask for your consent to retain your documents again or return or delete them.
Data categories: Name + contact details (e-mail, telephone, address), photo, profile URL in professional networks (e.g. Xing); information in the letter of application, CV, certificates and references, proof of training and professional qualifications, notes on job interviews (by telephone and in person), results from recruitment tests if applicable
Data recipient (third country transfer, if applicable): Microsoft as our service provider for hosting our email inboxes and file storage. Microsoft Ireland Operations Ltd, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18 D18 P521, Ireland; Microsoft is bound to data protection by a data processing agreement. Insofar as the EU subsidiary transfers data to the US parent company Microsoft Corp. or other Microsoft companies, Microsoft guarantees that the data will be handled in accordance with EU data protection standards by concluding standard data protection clauses. In addition, the company has certified itself according to the standards of the US-EU Privacy Shield, so that the data transfers are covered by the EU Commission’s adequacy decision on data transfers to the USA from July 2023.
Purpose + legal basis: Basis for decision-making for future staffing. The legal basis is consent.
Storage period: 2 years since last contact or last consent
6.8 General infrastructure
6.8.1 E-mail inbox, contact directory, calendar
Description: For email, contact directory and calendar, we use Exchange accounts that collect these data groups in a bundle. E-mails that you send us or receive from us, your contact details and appointments with you are stored both on the servers of our hosting provider and as a local copy on the end devices that we have connected to our corresponding accounts.
Data categories: Name, contact details (e-mail, telephone, address, fax), your company, your company’s business area, your job title, your area of responsibility, place, time and circumstances of the contact and, if applicable, special information on your availability or the business topics addressed; time of sending or receiving an e-mail; content of the e-mail (texts, documents, images, other files); other typical metadata of an e-mail
Data recipient (third country transfer, if applicable): Microsoft Ireland Operations Ltd, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18 D18 P521, Ireland; Microsoft is bound to data protection by a data processing agreement. Insofar as the EU subsidiary transfers data to the US parent company Microsoft Corp. or other Microsoft companies, Microsoft guarantees that the data will be handled in accordance with EU data protection standards by concluding standard data protection clauses. In addition, the company has certified itself according to the standards of the US-EU Privacy Shield, so that the data transfers are covered by the EU Commission’s adequacy decision on data transfers to the USA from July 2023.
Purpose + legal basis: Use of synchronized e-mail inbox, calendar and contact directory. The legal basis is legitimate interest, as participation in modern business life would not be possible in a reasonably efficient manner without such a digital infrastructure.
Storage period: We store emails and entries for as long as is necessary to fulfill a purpose. Depending on the content of an e-mail, the business relationship with a contact or the background to an appointment, this can be for very different purposes; the retention periods are correspondingly varied.
For example: If your e-mail is used to prepare the conclusion of a contract, the obligation under the German Commercial Code (HGB) to retain business letters for six years applies.
6.8.2 Video conference (Teams)
Description: If you participate in a video conference with us to which we have (technically) invited you, we are responsible for data processing through this communication. We use Microsoft Teams for video conferences. If we invite you to a conference, we will send you a Teams URL relating to the specific conference together with the appointment.
You can join a Teams video conference via the Teams app for mobile devices or desktop/laptop or via your internet browser.
Participation as a guest is possible, so you do not need your own Microsoft user account. When you dial in to the conference, you will be asked to enter a participant name for the conference so that, for example, messages in the chat during the conference can be assigned to you personally. You can also use fantasy names here.
Teams asks for your permission to access your microphone and camera. You can grant each of these authorizations, but you do not have to if you want to follow a conference without active participation, for example.
In addition to audio and video, Teams offers you supplementary functions: an accompanying chat for exchanging information in text form, messages via icons, profile maintenance (profile picture, other contact details), artificial background image. Conferences can be recorded. If a conference is to be recorded, we will inform all participants in advance and only start the recording once all participants have given their consent to the recording. Audio recordings can be transcribed into a text file for us by Microsoft.
Unless a recording has been expressly agreed, the conference will not be stored by us in any way. Once the conference has ended, the content of an unrecorded conference can no longer be accessed. In this respect, this corresponds to telephone conversations that were not recorded.
It is technically possible for any participant to make screenshots or a recording of the conference in whole or in part using means outside of Teams. Such behavior without the corresponding agreement of all participants constitutes a breach of data protection by the acting person and, if it is not one of our employees, is beyond our responsibility. Secret recordings of the spoken word may constitute a criminal offense under § 201 StGB. We reserve the right to take legal action of any kind against persons who use their participation in a video conference for conduct that is contrary to data protection.
As far as data processing is concerned that is not directly related to the specific conference, the responsibility does not lie with us but directly with Microsoft. This applies, for example, to the download of the Teams app. By downloading the Teams app to your end device, you establish an independent legal relationship between yourself and Microsoft. In some cases, responsibility also lies with you or the organization that provides you with your personal Teams user account.
Transferring data between your end device and the Teams server requires Microsoft to learn the IP address with which you are online during the video conference. The servers also collect all types of data that are regularly generated when telemedia services are used.
Information on data protection at Microsoft can be found here: https://privacy.microsoft.com/de-de/privacystatement
Data categories: User name, participation times, video or audio signal, video or audio recording (only with consent), audio transcript (only after recording), actions in the chat, status of the request to speak, profile data (profile picture, contact data, background image), telephone number (when participating by telephone); other data categories such as IP address or e-mail address are processed by Microsoft under its own responsibility.
Data recipient (third country transfer, if applicable): Microsoft Ireland Operations Ltd, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18 D18 P521, Ireland; Microsoft is committed to data protection via an order processing agreement. Insofar as the EU subsidiary transfers data to the US parent company Microsoft Corp. or other Microsoft companies, Microsoft guarantees that the data will be handled in accordance with EU data protection standards by concluding standard data protection clauses. In addition, the company has certified itself according to the standards of the US-EU Privacy Shield, so that the data transfers are covered by the EU Commission’s adequacy decision on data transfers to the USA from July 2023.
Purpose + legal basis: Use of a video conference. Depending on the content of the conversation, the legal basis is preparation or fulfillment of a contract or a legitimate interest in exchanging information with you. Consent is the legal basis for recordings.
Storage duration: If no recording takes place, all data will be deleted at the end of the conference. If the conference was recorded, the recording is deleted as soon as the last purpose for which the recording was made has been achieved.
6.8.3 IT administration
Description: We use service providers for the administration, maintenance and care of our information technology. These service providers do not deal with the content of the personal data processed by us. However, when maintaining databases and other system units, personal data may be accessed by the service providers. All our service providers are expressly bound to confidentiality by corresponding contracts and in accordance with the sensitivity of the data to which they may have access.
Data categories: Any type of data
Data recipients (third country transfer, if applicable): IT service providers who are bound to data protection via an order processing contract or another form of confidentiality obligation. Data is not transferred to third countries.
Purpose + legal basis: Use of competent service providers for professional IT administration. The legal basis is a legitimate interest, as the service providers have been bound to data protection by adequate confidentiality obligations.
Storage period: No independent storage takes place.
6.8.4 File storage
Description: In addition to recording data in individual databases (described above), we store documents on our storage media. This typically includes Office documents (Word, Excel, PowerPoint), PDF files, images, films, layouts, other formats of text, spreadsheets and presentation files and ultimately any type of file whose use is appropriate in the context of our business processes.
Data protection issues relating to the content of the files depend on the relevant processing purposes. At the same time, the storage of files and the metadata regularly attached to them (primarily the creator signature) results in independent processing. Office documents contain personal metadata in particular if they are worked on together (collaboration) and the comment and note functions as well as the change mode are used for this purpose.
We use Microsoft 365 as a cloud solution for file storage (in Teams, SharePoint and OneDrive). Comprehensive information on the use of the data collected by Microsoft can be found in Microsoft’s data protection information (https://privacy.microsoft.com/de-de/privacystatement).
Data categories: Any type of data, but with a focus here on metadata: signature of the file creator, signatures of file editors (also in comments + notes); time of creation, editing or storage
Data recipient (third country transfer, if applicable): Microsoft Ireland Operations Ltd, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18 D18 P521, Ireland; Microsoft is committed to data protection via an order processing agreement. Insofar as the EU subsidiary transfers data to the US parent company Microsoft Corp. or other Microsoft companies, Microsoft guarantees that the data will be handled in accordance with EU data protection standards by concluding standard data protection clauses. In addition, the company has certified itself according to the standards of the US-EU Privacy Shield, so that the data transfers are covered by the EU Commission’s adequacy decision on data transfers to the USA from July 2023.
Purpose + legal basis: File storage in a high-performance data center and use of modern search functionalities. The legal basis is a legitimate interest, as the processing is carried out as part of order processing.
Storage duration: Depending on the storage time for the individual file
6.8.5 Prosecution
Description: In the event that we become involved in a legal dispute with you, we will pass on your personal data and the circumstances of the dispute to lawyers and, if necessary, to authorities or courts.
Data categories: Name, contact details, details of the subject matter of the dispute
Data recipients (third country transfer, if applicable): Lawyers, authorities, courts, bailiffs. All recipients are bound to confidentiality, either as state institutions or by professional secrecy. Data is not transferred to third countries.
Purpose + legal basis: Legal prosecution. The legal basis is the legitimate interest in seeking legal advice from lawyers and, if necessary, authorities or courts.
Storage period: The named recipients process your data according to their own specifications to the extent necessary to fulfill the respective task. We store the data relating to a legal dispute until the final conclusion of the dispute, including all relevant limitation and objection periods. If it is conceivable that a comparable dispute with you or other persons will be repeated, we will store at least the documents relevant to the proceedings – if necessary in anonymized form – for a correspondingly longer period.
6.8.6 Data protection management
Description: If you assert your data protection rights against us, we document the associated communication and processes in our data protection management application.
Data categories: Name, contact details, details of the data protection request
Data recipient (third country transfer if applicable): Our data protection officer, who is legally bound to confidentiality, is based in the EEA. Our service provider for the cloud application for data protection management, which is bound to data protection via an order processing contract, is based in the EEA. A third country transfer does not take place in this way.
Purpose + legal basis: Data protection management. The legal basis is the accountability obligation under the GDPR.
Storage period: We store the data relating to a legal dispute until the final conclusion of the dispute, including all relevant limitation and objection periods. If it is conceivable that a comparable dispute with you or other persons could be repeated, we will store at least the documents relevant to the proceedings – in anonymized form if necessary – for a correspondingly longer period.
Last update: July 2025