1. general information

We take the protection of your personal data very seriously and treat your personal data confidentially and in accordance with the statutory national and European regulations as well as the requirements and recommendations of the Schleswig-Holstein state data protection authority responsible for us.

We reserve the right to implement published recommendations of other data protection authorities if, in our opinion, this can better ensure the protection of your personal data. The same applies to publications in literature and case law.

Please note, however, that the transmission of data is generally not secure. We cannot technically rule out the possibility of third parties accessing your data.

For the sole purpose of better readability, gender-specific spelling has been omitted. All personal designations in this "Data Protection Notice" (e.g. customer, controller, data subject, data protection officer) are therefore to be understood as gender-neutral.

(1) Applications

This privacy policy applies to all processing of personal data carried out by us or by third parties on our behalf, in particular

• for our online presence (websites, etc.);
• for our social media presences (e.g. LinkedIn, YouTube);
• for communication with you (e.g. messenger services such as WhatsApp or email)
• for data services that we make available to you (e.g. storage space or downloads).

On the one hand, this information relates to the processing of personal data on or through our website. On the other hand, you will receive information about the processing of your personal data in other internal and external processes of our company (e.g. when playing videos).

If necessary, you will receive additional information on further processing in an appropriate manner. For example, if we use your personal data to register your visit to us on site, you will also be informed on site.

(2) Contact details of the controller

The controller responsible for the processing of data on our website within the meaning of the General Data Protection Regulation (GDPR), other data protection laws applicable in the Member States of the European Union and other provisions of a data protection nature is

CS INSTRUMENTS GmbH & Co. KG
Zindelsteiner Str. 15
78052 VS-Tannheim
Germany

You can contact us at any time if you have questions about this privacy policy or wish to assert rights. You can also find the contact details in the legal notice.

(3) Contact details of the data protection officer

You - and any other data subject - can contact our data protection officer directly, verbally, in writing or by email at any time with any questions or suggestions regarding data protection

Bernd Jensen
CS INSTRUMENTS GmbH & Co. KG
Gewerbehof 14
D-24955 Harrislee
Harrislee, Germany
Phone +49 461 80 71 50 - 288
Fax +49 461 80 71 50 - 15
www.cs-instruments.com
E-mail b.jensen@cs-instruments.com

contact us.

2 Definitions

This privacy policy and these data protection notices use, among other things, the terms defined in the European General Data Protection Regulation (GDPR), OJ L 119 of May 4, 2016, p. 1-88 (in the version applicable at the time this data protection notice was prepared) and the German Federal Data Protection Act (BDSG) in the version of June 30, 2017; (BGBl. I p. 2097), last amended by Art. 12 G of November 20, 2019; (BGBl. I p. 1626, 1633).

Insofar as additional terms arise from other laws that are used in this privacy policy or the terms serve the understanding of this privacy policy, we have also explained these in the following text.

(1) Personal data

Personal data is any information relating to an identified or identifiable natural person (hereinafter "data subject"). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (cf. Art. 4 No. 1 GDPR).

Personal data are, for example, the name, address, account or telephone number, but also the IP address or ID number.

(2) Data subject

A data subject is any identified or identifiable natural person whose personal data is processed by the controller (cf. Art. 4 No. 1 GDPR).

A data subject is, for example, the user of the website or the customer, client, patient, etc. of a company.

(3) Processing

Processing is any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (cf. Art. 4 no. 2 GDPR).

Processing therefore occurs when we collect, disclose, store or erase personal data.

(4) Restriction of processing

Restriction of processing is the marking of stored personal data with the aim of restricting its future processing (cf. Art. 4 No. 3 GDPR).

For example, if you contact us and inform us that your data is incorrect, we will restrict the processing of your data in order to check the accuracy of the data (cf. Art. 18 para. 1 lit. b GDPR).

(5) Profiling

Profiling is any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements (cf. Art. 4 No. 4 GDPR).

Profiling would be, for example, the assessment of your economic situation based on your purchasing behavior.

(6) Pseudonymization

Pseudonymization is the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person (cf. Art. 4 No. 5 GDPR).

Pseudonymization is given, for example, if the personal data is replaced by a customer number, for example. Without knowing which customer number has been assigned to which customer, it is not possible to assign the data to a specific person (customer).

(7) Anonymization

Anonymization is the complete and irreversible removal of the personal reference of the data.

If, for example, all customer contact data is overwritten with random numbers and there is no record of which number was assigned to which customer, the data can no longer be assigned to a person.

Anonymized data is not subject to the rules of the GDPR and the BDSG due to the lack of personal reference (cf. Recital 26 GDPR).

(8) "Controller" or "controller responsible for the processing"

The controller or data controller is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law (cf. Art. 4 No. 7 GDPR).

The controller for the processing of data when using the website is the provider of this website (see (1) Contact details of the controller)

(9) Data processor

A processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller (cf. Art. 4 No. 8 GDPR).

For example, we use a so-called hoster as a processor, i.e. a company that stores our website on its own servers. If, for example, you enter your personal data (e.g. name, email address, etc.) via a contact form, this data is stored by the hoster on its server. The hoster only processes the data in the way that we have contractually agreed with it. It therefore processes the data "on our behalf" and is therefore a "processor".

(10) Recipient

A recipient is a natural or legal person, public authority, agency or other body to whom personal data is disclosed, whether or not it is a third party. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients (see Art. 4 No. 9 GDPR).

Recipients of this privacy policy are, for example, you.

(11) Third party

A third party is a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data.

A third party is, for example, an authority that accesses data on the basis of a legal authorization (cf. Art. 4 No. 10 GDPR).

(12) Consent

Consent is any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her (see Art. 4 No. 11, Art. 7 GDPR).

For example, you give us your consent when you place your order - you then consent to us processing the data you have provided so that we can process your order.

(13) Portable devices

By the term "mobile devices" we mean all Internet-enabled devices that are not stationary, but Portable, i.e. mobile. These can be smartphones, tablets, etc., for example.

(14) Website

By "website" (also: web presence, internet presence, web presence etc.) we mean the presence of a provider that can be reached under an individual web address. A website can be displayed with browsers. It is comparable to a "house" at a specific address (domain) and usually has several web pages (i.e. "rooms"). In addition to the web application (homepage), other services such as e-mail, storage space, etc. can be used.

(15) IP address

The IP address is the unique address (e.g. 216.58.190.0) of the computer or end device you are using, similar to a postal address. According to a decision of the European Court of Justice (judgment of 19.10.2016, ref.: C-582/14), IP addresses are personal data (see also recital 30 GDPR). It follows that the GDPR and the BDSG also apply to IP addresses.

The IP address is used to deliver data to your computer. You can find out the IP address of your computer in the network using the "ipconfig" command or research it online (e.g. at www.heise.de/netze/tools/meine-ip-adresse/) Your IP address is transmitted to the provider.

(16) Java, JavaScript

Java is a platform-independent programming language developed in 1995 by the US company Sun Microsystems Inc, Santa Clara, USA (now part of Oracle Corporation, Austin, USA), whose language specification is constantly being further developed. Today, Java is not only used by web browsers, but also in cars, hi-fi systems and other electronic devices.

JavaScript (JS for short) is a scripting language that was developed in 1995 by Brendan Eich for dynamic HTML in web browsers. JS extends the possibilities of HTML. JavaScript was developed independently of Java and differs in many ways.

(17) Cookies

Cookies are small data packages (small text files consisting of numbers and letters) that are used to store certain information locally on your end device for a certain period of time.

This can be used, for example, to recognize the user's computer when the page is called up again or to save the contents of a form or shopping basket. Tracking services use cookies to store collected information.

Some cookies are automatically deleted when you close your web browser (so-called transient cookies). These include session cookies in particular. These cookies store a so-called session ID, which can be used to assign various requests from your web browser to the current session. This makes it possible to recognize your device when you return to our website. Session cookies are deleted as soon as you log out or close the web browser.

In some cases, cookies are only deleted after a specified period of time (so-called persistent cookies). The storage period varies depending on the cookie.

Technically necessary cookies are required to display the website. These include, for example, shopping cart cookies, login cookies or cookies for language selection.

If you do not agree to the storage of cookies, you can deactivate the storage of cookies in the settings of your web browser. You can delete existing cookies in the settings of your web browser.

You can find help on the settings in the respective help menu of your browser under the following links:

• Internet Explorer: http://windows.microsoft.com/de-DE/windows-vista/Block-or-allow-cookies
• Firefox: https://support.mozilla.org/de/kb/cookies-erlauben-und-ablehnen
• Chrome: http://support.google.com/chrome/bin/answer.py?hl=de&hlrm=en&answer=95647
• Safari: https://support.apple.com/de-de/guide/safari/sfri11471/mac
• Opera: https://help.opera.com/en/latest/web-preferences/#cookies

You can also object to the collection and forwarding of personal data or prevent the processing of this data by deactivating (""blocking"") the execution of Java Script in your browser. You can also install script blockers that prevent the execution of codes. You can find script blockers here, for example:

• addons.mozilla.org/en/firefox/addon/noscript/
• noscript.net
• www.ghostery.com
• chrome.google.com/webstore/detail/umatrix/ogfcmafjalglgifnmanfmnieipoejdcf

Further information on cookies can be found, for example, at Bundesverband Digitale Wirtschaft (BVDW) e. V., Berliner Allee 57, 40212 Düsseldorf, www.bvdw.org. BVDW e. V. provides additional information on the website meine-cookies.org.

We use a separate tool to obtain and document any necessary consent to the processing of cookies. We will provide you with the necessary information for each cookie so that you can decide whether you consent to the use of the tool.

(18) Cookie Consent Tool

Cookie consent tools ("consent") manage the consents you have given for the use of certain technically unnecessary tools.

Before using tools that require cookies, you will be informed about the cookies you want in a pop-up window. You can then decide whether and with which cookies you agree or not.

Your decision will then be stored for a period of up to twelve months. Personal data, such as your IP address - as well as a pseudonymous user ID, the time of consent and the selection, etc.) are used. This data is stored either in a cookie on your end device or on the server we use.

You can adjust or revoke your consent at any time.

The use of the cookie consent tool is based on our legitimate interest in operating the website in an efficient and legally compliant manner. Without its use, it is not possible for us to request the necessary consent and document the user's decision. We require the documentation in accordance with Art. 5 para. 2 GDPR in order to be able to prove that we operate the website in accordance with the applicable law. Further information can be found in the explanations of the cookie consent tool used.

(19) Web beacons

Web beacons are not graphics in HTML emails or on websites. The image is usually only 1 × 1 pixel in size, often transparent or designed in the color of the background and therefore invisible or barely visible.

When the document is loaded, the web beacon is loaded from a server and the download is registered there. This can then be used to determine whether the document has been loaded, e.g. whether the e-mail has been opened.

You can prevent the use of web beacons if, for example, you open the email offline, do not open the email as an HTML email or block external graphics with your email program.

You can also use tools that recognize and block web beacons, e.g.

• Privoxy - www.privoxy.org
• Proxomitron - https://www.proxomitron.info/

Further information can be found in the explanations of the "web beacons" used.

(20) Third countries/third countries, transfer of data to third countries

The term "third countries" refers to all countries that do not belong to the European Union (i.e. Belgium, Bulgaria, Romania, Czech Republic, Denmark, Germany, Estonia, Greece, Spain, France, Ireland, Italy, Cyprus, Latvia, Lithuania, Luxembourg, Hungary, Malta, Netherlands, Austria, Poland, Portugal, Slovenia, Slovakia, Finland and Sweden, as of 12/2022) or the European Economic Area (member states of the EU as well as Iceland, Liechtenstein and Norway, as of 12/2022).

According to the strict legal requirements (see Art. 44 ff. GDPR), data transfers to third countries/third countries are only lawful if

• either the European Commission has determined in accordance with Art. 45 para. 3 GDPR that an adequate level of data protection exists in the third country (decisions are available for Andorra, Argentina, Canada (only commercial organizations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay, Japan and the United Kingdom),
• or if the data recipient provides appropriate safeguards to protect the personal data and the data subjects have enforceable and effective legal remedies (Art. 46 (1) GDPR).

According to Art. 46 (2) GDPR, such appropriate safeguards include the use of the Commission's standard data protection clauses (Art. 46 (2) lit. c, Art. 93 (2) GDPR). These standard data protection clauses or standard contractual clauses (SCCs) are templates provided by the EU Commission. You can find these clauses here: eur-lex.europa.eu/eli/dec_impl/2021/914/oj.

The clauses used ensure that personal data is also processed in the third country concerned at a level of data protection that corresponds to the European level.

Data transfer is also permitted if the data subject has consented to the transfer in accordance with Art. 49 para. 1 lit. a GDPR or if the transfer is necessary for the conclusion or performance of a contract concluded by the controller with another natural or legal person in the interest of the data subject (Art. 49 para. 1 lit. c GDPR) or if another exception to Art. 49 GDPR applies.

If we work with providers that are either based in a third country or process data in a third country (e.g. in the USA), we ensure compliance with the legal requirements and check this regularly. We also only work with providers who have concluded the necessary contracts with us.

Should we need or wish to deviate from this in exceptional cases, we will inform you accordingly and seek your consent.

3 Rights of the data subject

The applicable data protection law grants you comprehensive data subject rights (information and intervention rights) vis-à-vis the controller with regard to the processing of your personal data, about which we inform you below:

(1) Right to information in accordance with Art. 15 GDPR

You can request confirmation from the controller as to whether personal data concerning you is being processed by the controller ("right to confirmation"). Furthermore, you have a right to information about

• the purposes of the processing
• the categories of personal data being processed
• the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations
• where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period
• the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing
• the existence of the right to lodge a complaint with a supervisory authority
• if the personal data are not collected from the data subject: All available information about the origin of the data
• the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and envisaged consequences of such processing for the data subject

Furthermore, you have a right to information as to whether personal data has been transferred to a third country or to an international organization. If this is the case, you also have the right to obtain information about the appropriate safeguards in the context of the transfer.

If you would like to exercise this right to information, you can contact us at any time.

(2) Right to rectification pursuant to Art. 16 GDPR

You have the right to immediate correction of incorrect data concerning you and/or the completion of your incomplete data stored by us; the correction or completion must take place immediately.

(3) Right to erasure pursuant to Art. 17 GDPR

You have the right to demand that the personal data concerning you be deleted immediately if one of the following reasons applies and insofar as the processing is not necessary:

• The personal data have been collected or otherwise processed for such purposes for which they are no longer necessary.
• The data subject withdraws consent on which the processing is based according to point (a) of Article 6(1) of the GDPR, or point (a) of Article 9(2) of the GDPR, and where there is no other legal ground for the processing.
• The data subject objects to the processing pursuant to Art. 21 (1) GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Art. 21 (2) GDPR.
• The personal data have been processed unlawfully.
• The personal data must be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.
• The personal data have been collected in relation to the offer of information society services referred to in Article 8(1) GDPR.

If one of the aforementioned reasons applies, and a data subject wishes to request the erasure of personal data stored by us, he or she may contact us at any time.

If the personal data has been made public and our company is obliged to delete the personal data in accordance with Art. 17 para. 1 GDPR, we shall take appropriate measures, including technical measures, taking into account the available technology and the implementation costs, to inform other data controllers who process the published personal data, that the data subject has requested the deletion of all links to this personal data or of copies or replications of this personal data from these other data controllers, insofar as the processing is not necessary.

(4) Right to restriction of processing pursuant to Art. 18 GDPR

You have the right to demand the restriction of the processing of your personal data as long as the accuracy of your data, which you dispute, is being verified, if you refuse to delete your data due to inadmissible data processing and instead demand the restriction of the processing of your data, if you need your data to assert, exercise or defend legal claims after we no longer need this data after the purpose has been achieved or if you have lodged an objection for reasons of your particular situation, as long as it is not yet clear whether our legitimate reasons prevail;

If the processing of personal data concerning you has been restricted, this data - apart from its storage - may only be processed with your consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State. If the restriction of processing has been restricted, you will be informed by the controller before the restriction is lifted.

(5) Right to information pursuant to Art. 19 GDPR

If you have exercised your right to rectification, erasure or restriction of processing, the controller is obliged to communicate any rectification or erasure of personal data or restriction of processing to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. You also have the right to be informed about these recipients.

(6) Right to data portability pursuant to Art. 20 GDPR

You have the right to receive the personal data you have provided to us in a structured, commonly used and machine-readable format or to request that it be transmitted to another controller, insofar as this is technically feasible.

(7) Right of revocation pursuant to Art. 7 para. 3 GDPR

You have the right to object at any time to the processing of personal data concerning you which is carried out on the basis of Art. 6 para. 1 lit. e or f GDPR; this also applies to profiling based on these provisions.

You also have the right to withdraw your declaration of consent under data protection law at any time with effect for the future. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

In the event of an objection, we will no longer process the personal data unless we can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims.

If we process personal data for direct marketing purposes, you have the right to object at any time to the processing of your personal data for the purpose of such advertising. This also applies to profiling insofar as it is associated with such direct advertising. If you object to direct marketing, we will no longer process your personal data for these purposes.

You also have the right to object, on grounds relating to your particular situation, to processing of personal data concerning you for scientific or historical research purposes or statistical purposes pursuant to Article 89(1) of the GDPR, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

You can contact us directly to exercise your right to object. You are also free to exercise your right to object in the context of the use of information society services, notwithstanding Directive 2002/58/EC, by means of automated procedures using technical specifications.

(8) Right to lodge a complaint pursuant to Art. 77 GDPR

Without prejudice to any other administrative or judicial remedy or appeal, you have the right to lodge a complaint with a supervisory authority. You may contact the supervisory authority of your place of residence, your place of work or the place of the alleged infringement if you believe that the processing of personal data concerning you is in breach of data protection regulations.

4 Processing of personal data

(1) Legal bases of the processing

The legal basis for processing based on your consent is Art. 6 para. 1 lit. a GDPR.

If the processing of personal data is necessary for the performance of a contract to which you are a party (e.g. a purchase or consulting contract), the processing is based on Art. 6 para. 1 lit. b GDPR. The same applies to such processing operations that are necessary to carry out pre-contractual measures, for example in cases of inquiries about our products or services.

If our company is subject to a legal obligation that requires the processing of personal data, such as for the fulfillment of tax obligations, the processing is based on Art. 6 para. 1 lit. c GDPR.

In rare cases, the processing of personal data may be necessary to protect the vital interests of the data subject or another natural person. This would be the case, for example, if you were injured during a visit to our company and we then had to pass on your name to a doctor, hospital or other third party. The processing would then be based on Art. 6 para. 1 lit. d GDPR.

The processing may also be based on a so-called legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR. Processing operations that are not covered by any of the aforementioned legal bases are based on this legal basis if the processing is necessary to safeguard a legitimate interest of our company (e.g. intention to make a profit, presentation of the company, etc.) or of a third party, provided that the interests, fundamental rights and freedoms of the data subject do not prevail.

The European legislator is of the opinion that a legitimate interest can be assumed if the data subject is a customer of the controller (Recital 47 Sentence 2 GDPR). The background to this is that a customer must reasonably assume that the data is being processed in the interests of the company if they have a (contractual) relationship with the company.

The same applies to the processing of personal data for the prevention of fraud, etc. (cf. EC 47 sentence 6) and for direct marketing purposes (cf. EC 47 sentence 7).

(2) Storage period

In principle, we only store personal data for as long as is necessary ("storage period"). After the period has expired, the data is automatically deleted.

The necessity of storage also depends on legally prescribed retention periods. These can be, for example, tax regulations or provisions of commercial law. Retention periods may also result from contractual regulations (e.g. information on the contractual partner).

Sometimes it may be necessary for a contract to be concluded for a data subject to provide us with personal data that must subsequently be processed by us. For example, the data subject is obliged to provide us with personal data if our company concludes a contract with them. Failure to provide the personal data would mean that the contract with the data subject could not be concluded.

5 Data processing when visiting our website

(1) Automated collection

Each time you visit our website, our system automatically collects data and information that your browser transmits to our server (so-called "server log files"). The following technically required data is collected

• Date and time at the time of access
• Amount of data sent in bytes
• Source/reference from which other website you came to our website
• Meta and communication data (information about the system used, operating system, browser used, IP addresses, etc.).

The legal basis for the processing is Art. 6 para. 1 lit. f GDPR due to our legitimate interest in improving the stability and maintaining the functionality of our website.

The data is not passed on or used in any other way. Temporary storage of the IP address by the system is necessary to enable delivery of our website to your computer ("client"). For this purpose, the user's IP address must remain stored for the duration of the session.

We reserve the right to check the server log files retrospectively if there are concrete indications of unlawful use. The data will be deleted as soon as it is no longer required to achieve the purpose for which it was collected. In the case of the collection of data for the provision of the website, this is the case when the respective session has ended.

If the data is stored in log files, this is the case after seven days at the latest. Longer storage is possible. In this case, the IP addresses of the users are deleted or anonymized so that it is no longer possible to identify the accessing client. The collection of data for the provision of the website and the storage of data in log files is absolutely necessary for the operation of the website. There is therefore no possibility of objection. If you do not agree to the processing of this data, you therefore only have the option of not using and visiting our website at all.

If you still wish to place an order, please contact us using the contact details provided in the legal notice so that we can find a solution together.

(2) External hosting

Our website is technically hosted and stored by an external service provider ("hoster"). The personal data collected on this website is therefore stored directly on the hoster's servers and not on servers that we maintain directly.

The hoster is used for the purpose of fulfilling the contract with our potential and existing customers (Art. 6 para. 1 lit. b GDPR) and in our interest in the secure, fast and efficient provision of our online offer and the presentation of our company and our services by a professional provider (so-called "legitimate interest" within the meaning of Art. 6 para. 1 lit. f GDPR).

When weighing our interests against your interests, in particular your right to informational self-determination, we have come to the conclusion that our interests prevail; the interference with your rights is minimal. You are also free to use our service and disclose data.

Our hoster processes your data only to the extent necessary to fulfill its contractual obligations. We have concluded a contract with the hoster for the processing of personal data on our behalf (so-called "order processing contract") and thus comply with the strict requirements of the General Data Protection Regulation, the Federal Data Protection Act and other laws (e.g. Telemedia Act, Telecommunications Act, Telecommunications Telemedia Data Protection Act). Data is only processed by the hoster on our instructions and within the framework of the applicable laws.

We work together with the hoster domainfactory GmbH, Oskar-Messter-Str. 33, 85737 Ismaning, Germany.

(3) Cookie Consent Tool

(see above definitions)

We use a Typo3-based cookie consent tool on our website. Further information can be found on the manufacturer's website or under point 6 of this privacy policy.

(4) TLS encryption

For security reasons and to protect the transmission of confidential content that you send to us as the site operator, our website uses TLS encryption.

TLS (Transport Layer Security) is an encryption technology that enables secure access to the internet. TLS has so-called end-to-end encryption, i.e. the information is encrypted before being sent by the sender (e.g. a client) and only decrypted at the recipient (e.g. a web server). This is made possible by asymmetric encryption of the information and the exchange of a common symmetric session key between the communication partners. Only the communication partners can decrypt the information, as the encryption technologies also check the authenticity of the communication partners and they must first acquire the corresponding certificates from a special certification authority.

Data that you transmit via this website cannot be read by third parties thanks to SSL encryption. You can recognize the encryption of our website by the fact that you access it with "https://". You can also recognize the use of the technology by a small lock symbol in your browser."

The certificate we use was issued by the certification authority Let's Encrypt (LE), 548 Market St, PMB 77519, San Francisco, CA 94104-5401, USA.

The certification authority may process your IP address. Information on data protection and data processing can be found on the website of the certification authority letsencrypt.org/privacy/

6. website modular system

We use a content management system (CMS) from the TYPO3 Association, Gewerbestr. 10, 4450 Sissach, Switzerland, to design our website.

With the help of the CMS, we can use many functions for our website and our web store without any programming effort.

CMS process technical data such as operating system, browser, language and keyboard settings as well as personal data (e.g. IP address).

The legal basis for the processing of personal data is our legitimate interest in making our website efficient and effective (Art. 6 para. 1 lit. f GDPR). When weighing our interests against your interests, in particular your right to informational self-determination, we have come to the conclusion that our interests prevail; the interference with your rights is minimal. You are also free to use our website and disclose data. If the CMS uses cookies, you also have the option of objecting to their use.

Further information on data protection can be found on the website and in the privacy policy of the provider typo3.org.

7 Functions of the website

(1) Collection of general data and information

Our website collects a range of general data and information each time you or an automated system accesses the website. This general data and information is stored in the server log files. The following can be recorded

• Browser types and versions used,
• the operating system used by the accessing system
• the website from which an accessing system reaches our website (so-called referrer URL)
• the sub-websites which are accessed via an accessing system on our website
• the date and time of access to the website
• an internet protocol address (IP address),
• the internet service provider of the accessing system and
• other similar data and information used for security purposes in the event of attacks on our information technology systems.

This data is not merged with other data sources. The data is anonymized.

The basis for data processing is Art. 6 para. 1 lit. b GDPR, which permits the processing of data for the fulfillment of a contract or pre-contractual measures. If you do not conclude a contract with us or no pre-contractual measures are necessary, we process the data on the basis of Art. 6 para. 1 lit. f GDPR (so-called "legitimate interest").

We do not use the above-mentioned information to draw conclusions about the data subject, but to

• deliver the content of our website correctly
• optimize the content of our website and the advertising for it
• to ensure the long-term functionality of our information technology systems and the technology of our website, and
• to provide law enforcement authorities with the information necessary for criminal prosecution in the event of a cyber attack.

This anonymously collected data and information is therefore evaluated by us both statistically and with the aim of increasing data protection and data security in our company in order to ensure an optimal level of protection for the personal data processed by us.

The anonymous data of the server log files are stored separately from all personal data provided by you. It is therefore not possible to draw any conclusions about you. For example, we cannot determine which browser type you are using. We only have data on which browser types were used by visitors in a certain period of time.

If, for example, a visitor logs into the customer area incorrectly several times, we store the IP address - which is a personal date - in order to detect (hacker) attacks on our system and ward them off in good time.

(2) Contact form, contact options

Due to legal regulations, the website contains information that enables quick electronic contact with our company and direct communication with us, which also includes a general address for so-called electronic mail (e-mail address).

If a data subject contacts the controller by email or via a contact form, the personal data transmitted by the data subject is automatically stored. Such personal data transmitted on a voluntary basis by a data subject to the controller are stored for the purposes of processing or contacting the data subject. This personal data is not passed on to third parties.

If you contact us by e-mail, telephone or fax, we will store and process your request, including all resulting personal data (name, request) for the purpose of processing your request. We will not pass on this data without your consent.

This data is processed on the basis of Art. 6 para. 1 lit. b GDPR if your request is related to the fulfillment of a contract or is necessary for the implementation of pre-contractual measures. In all other cases, the processing is based on our legitimate interest in the effective processing of the inquiries addressed to us (Art. 6 para. 1 lit. f GDPR) or on your consent (Art. 6 para. 1 lit. a GDPR) if this has been requested.

The data you send to us via contact requests will be stored by us until you ask us to delete it, revoke your consent to storage or the purpose for data storage no longer applies (e.g. after your request has been processed). Mandatory statutory provisions - in particular statutory retention periods - remain unaffected.

(3) Newsletter and email marketing

If you would like to receive the newsletter offered on this website, we require an e-mail address from you in order to send you the newsletter. The e-mail address is used by us to check whether you are the owner of the e-mail address provided and whether you agree to receive the newsletter (so-called "double opt-in procedure"). This means that we send you an e-mail after your registration and you confirm the lawfulness of the use of the data. No other data will be processed, or only with your consent. We use this data exclusively for sending our newsletter and do not pass this data on to third parties.

The processing of the data entered in the newsletter registration form is based on your consent (Art. 6 para. 1 lit. a GDPR). You can revoke your consent to the storage of the data, the e-mail address and its use for sending the newsletter at any time, for example via the "Unsubscribe" link in the newsletter. We will then not send you any further newsletters in future.

The data you provide us with for the purpose of subscribing to the newsletter will be stored by us until you unsubscribe from the newsletter or the newsletter service provider and deleted from the newsletter distribution list after you unsubscribe from the newsletter or after the purpose no longer applies. We reserve the right to delete or block e-mail addresses from our newsletter distribution list at our own discretion within the scope of our legitimate interest in accordance with Art. 6 para. 1 lit. f GDPR.

After you unsubscribe from the newsletter distribution list, your e-mail address may be stored by us or the newsletter service provider in a blacklist to prevent future mailings. The data from the blacklist will only be used for this purpose and will not be merged with other data.

This serves both your interest and our interest in complying with the legal requirements when sending newsletters (legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR). Storage in the blacklist is not limited in time. You can object to the storage if your interests outweigh our legitimate interest.

(4) Video

We use the platform of the provider Google Ireland Limited or Google Germany GmbH, ABC-Straße 19, 20354 Hamburg, Germany, for the integration and provision of videos.

Further information on the processing of your data and your rights can be found on the provider's website https://www.youtube.com/, in particular in the information on data protection https://policies.google.com/privacy.

We only embed videos with a "no-cookie" script. This is a code for embedding, including the corresponding URL, which allows website operators to integrate videos on their websites without tracking cookies. The code must be generated and inserted for each embedded video.

The use of YouTube Nocookie prevents the transfer of personal data to third parties (such as advertising services).

However, we cannot rule out the possibility that other cookies may continue to collect data and forward it to third parties, e.g. to Google servers.

The legal basis for processing is our legitimate interest (cf. Art. 6 para. 1 sentence 1 lit. f GDPR) in the effective and efficient provision of videos to present our company and our products. Where possible and appropriate, we only use the videos if you have given your express prior consent (cf. Art. 6 para. 1 sentence 1 lit. a GDPR). If this is not possible because, for example, a video is used to display our website - e.g. in the header of a page - we ensure that no other personal data is processed apart from your IP address, which is necessary for the delivery of the video. The contracts required under data protection law have been concluded by us; compliance with data protection regulations by the provider is regularly checked by us - usually annually by a data protection auditor commissioned by us.

Your data may also be processed in the USA; please note our information on this (No. 5 (21) above "Third countries/third countries, transfer of data to third countries").

(5) Appointment scheduler, appointment booking

You can book a suitable appointment for a meeting etc. via our website. We use the Microsoft Bookings tool from the provider Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA, for online appointment scheduling. The processing takes place

The processing is based on our legitimate interest (Art. 6 para. 1 lit. f GDPR); we have a legitimate interest in making appointment scheduling efficient. Further information on data protection can be found on the website https://privacy.microsoft.com/de-de/privacystatement We have concluded the contracts required under the GDPR (order processing contract).

If and insofar as you contact us to arrange an appointment as part of an existing or intended consulting contract, data processing is carried out on the basis of Art. 6 para. 1 sentence 1 lit. b GDPR (contract fulfillment and initiation),

If and to the extent that you communicate personal data that is not required for the mere establishment of contact, you provide this data voluntarily and expressly agree to the transfer - otherwise you prefer to omit the data.

In any case, make sure that you use as little personal data as possible - i.e. generally only the data that is required for us to contact you (surname, first name, e-mail address, telephone number). If possible, describe your request only roughly so that no personal data is communicated unnecessarily.

(6) Leak reporter registration

Registered users have access to various information via the website www.leak-reporter.com, e.g. learning programs, downloads such as software updates and products. They can also save or delete "Leak Reporter" data in a database. If additional products and authorizations are required for this, you can contact us at any time using the contact form.

If videos are integrated via YouTube for the presentation of information or to support learning, please also note the data protection information on YouTube here in the privacy policy.

To register with leak-reporter.com, the required contact details (email, company, etc.) that you provide during the registration process are processed to set up and secure the registration. The processing is carried out on the basis of Art. 6 para. 1 sentence 1 lit. b and f (contract initiation, fulfillment, legitimate interest). The data will be deleted in compliance with the statutory retention periods.

Other personal data, e.g. the users, companies, roles and authorizations you have created, will be processed, in particular stored, as you have specified. Changes and solutions can be changed at any time within the scope of a valid access.

8. tools

(1) Google Fonts

We use Google Fonts from the US company Google LLC, 1600 Amphittheatre Parkway, Mountain View, 94043 California, United States of America (USA) on our website. Google Ireland Limited, Gordon House, Barrow Street Dublin 4, Ireland, which is represented in Germany by Google Germany GmbH, ABC-Straße 19, 20354 Hamburg (phone +49 (0) 40 8081 79 000, e-mail support-deutschland@google.com), is responsible for the European area and is also authorized to accept service.

Google Fonts is a directory of around 800 fonts that are made available free of charge. The fonts are optimized for the web and for use on Portable devices.

When you visit our website, the required fonts are loaded via a Google server via the domains fonts.googleapis.com and fonts.gstatic.com if they are not already available on the device you are using.

By loading the fonts via Google's server or Content Delivery Network (CDN), we do not have to load the fonts on our server and thus save data volume. As a result, our website is displayed faster and we can also optimize the quality of the display of our website.

We also avoid errors occurring due to the use of different browsers, operating systems and Portable devices by visitors to our website and, for example, texts or web pages being visually distorted or not being displayed correctly.

To ensure that the fonts are displayed optimally in your browser, your IP address is transmitted to Google. In addition to the IP address, Google also recognizes which website you are visiting - i.e. for which website the fonts are requested. The Google request also includes information about the language used, the version and type of browser used and the screen resolution.

According to Google, it does not store any cookies in your browser or on your end device and stores the fonts separately from other Google services.

According to its own information, Google stores the requests for one day, fonts are stored for one year.

If you wish to delete or have the data deleted prematurely, you must contact Google support(https://support.google.com/?hl=de&tid=331623705112).

The legal basis for the processing of your personal data (in particular the IP address) is Art. 6 para. 1 lit. f GDPR (so-called legitimate interest). We have an interest in displaying our website optimally and quickly and reducing (chargeable) data volumes on our server.

If Google wants to store data on your end device (e.g. cookies), we ask for your consent before storing it. We use a consent tool for this purpose. Further information on this can be found in this privacy policy.

Further information from Google on the scope of the data collected and its use can also be found at policies.google.com/privacy/.

(2) Google Analytics

This website uses functions of the web analysis service Google Analytics. The provider is Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland.

Google Analytics enables us to analyze the behavior of website visitors. The website operator receives various usage data, such as page views, length of visit, operating systems used and origin of the user. This data may be summarized by Google in a profile that is assigned to the respective user or their end device.

Google Analytics uses technologies that enable the recognition of the user for the purpose of analyzing user behavior (e.g. cookies or device fingerprinting). The information collected by Google about the use of this website is generally transmitted to a Google server in the USA and stored there.

The use of this analysis tool is based on Art. 6 para. 1 lit. f GDPR. The website operator has a legitimate interest in the analysis of user behavior in order to optimize both its website and its advertising. If a corresponding consent has been requested (e.g. consent to the storage of cookies), the processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a GDPR; the consent can be revoked at any time.

Data transfer to the USA is based on the standard contractual clauses of the EU Commission. Details can be found here: privacy.google.com/businesses/controllerterms/mccs/.

We have activated the IP anonymization function on this website. This means that your IP address will be truncated by Google within member states of the European Union or in other signatory states to the Agreement on the European Economic Area before being transmitted to the USA. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. Google will use this information on behalf of the operator of this website for the purpose of evaluating your use of the website, compiling reports on website activity and providing other services relating to website activity and internet usage to the website operator. The IP address transmitted by your browser as part of Google Analytics will not be merged with other Google data.

You can prevent the collection and processing of your data by Google by downloading and installing the browser plug-in available at the following link: tools.google.com/dlpage/gaoptout. You can find more information on how Google Analytics handles user data in Google's privacy policy: support.google.com/analytics/answer/6004245.

We have concluded an order processing contract with Google and fully implement the strict requirements of the German data protection authorities when using Google Analytics. However, we would like to point out that we have no actual influence on data processing by Google. Nor can we prevent US government authorities from accessing data without our or your knowledge or consent. Nor can we guarantee that you will be able to effectively defend yourself against government measures in the USA with legal assistance.

Data stored by Google at user and event level that is linked to cookies, user IDs or advertising IDs (e.g. DoubleClick cookies, Android advertising ID) is anonymized or deleted after 14 months. You can find details on this under the following link: support.google.com/analytics/answer/7667196

This website also uses the "demographic characteristics" function of Google Analytics. This allows reports to be generated that contain statements about the age, gender and interests of site visitors. This data comes from interest-based advertising from Google and visitor data from third-party providers. This data cannot be assigned to a specific person. You can deactivate this function at any time via the ad settings in your Google account or generally prohibit the collection of your data by Google Analytics as described in the section "Objection to data collection".

(3) Google Tag Manager

We use the Google Tag Manager of the provider Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

Google Tag Manager is a tool that enables us to integrate tracking or statistical tools and other technologies on our website. According to the provider, Google Tag Manager itself does not create any user profiles, does not store any cookies and does not carry out any independent analyses. It is only used to manage and display the tools integrated via it.

The legal basis for processing is our legitimate interest in the effective and efficient integration and management of the tools used (Art. 6 para. 1 lit. f GDPR). If consent has been given via the Consent Management Tool (see section 7.2), the processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a GDPR and Section 25 para. 1 TTDSG, insofar as the consent allows the storage of cookies or access to information in the user's end device Consent can be revoked at any time with effect for the future. Further information can be found in section 5.7 and in the notes of the Consent Management Tool.

(4) Facebook Pixel

This website uses Facebook's visitor action pixel to measure conversions. The provider of this service is Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland. However, according to Facebook, the data collected is also transferred to the USA and other third countries.

This allows the behavior of site visitors to be tracked after they have been redirected to the provider's website by clicking on a Facebook ad. This allows the effectiveness of Facebook ads to be evaluated for statistical and market research purposes and future advertising measures to be optimized.

The data collected is anonymous to us as the operator of this website; we cannot draw any conclusions about the identity of the users. However, the data is stored and processed by Facebook so that a connection to the respective user profile is possible and Facebook can use the data for its own advertising purposes in accordance with the Facebook Data Usage Policy. This allows Facebook to place advertisements on Facebook pages and outside of Facebook. This use of the data cannot be influenced by us as the site operator.

The use of this service is based on your consent in accordance with Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TTDSG. Consent can be revoked at any time.

Data transfer to the USA is based on the standard contractual clauses of the EU Commission. Details can be found here: https://www.facebook.com/legal/EU_data_transfer_addendum and https://de-de.facebook.com/help/566994660333381.

Insofar as personal data is collected on our website with the help of the tool described here and forwarded to Facebook, we and Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland are jointly responsible for this data processing (Art. 26 GDPR). The joint responsibility is limited exclusively to the collection of the data and its transfer to Facebook. The processing carried out by Facebook after forwarding is not part of the joint responsibility. The obligations incumbent on us jointly have been set out in an agreement on joint processing. The text of the agreement can be found at: https://www.facebook.com/legal/controller_addendum. According to this agreement, we are responsible for providing the data protection information when using the Facebook tool and for the secure implementation of the tool on our website in accordance with data protection law. Facebook is responsible for the data security of Facebook products. You can assert data subject rights (e.g. requests for information) regarding the data processed by Facebook directly with Facebook. If you assert your data subject rights with us, we are obliged to forward them to Facebook.

You can find further information on protecting your privacy in Facebook's data protection information: https://de-de.facebook.com/about/privacy/.

You can also deactivate the remarketing function "Custom Audiences" in the settings for advertisements at https://www.facebook.com/ads/preferences/?entry_product=ad_settings_screen. To do this, you must be logged in to Facebook.

If you do not have a Facebook account, you can deactivate usage-based advertising from Facebook on the website of the European Interactive Digital Advertising Alliance: http://www.youronlinechoices.com/de/praferenzmanagement/.

(5) Facebook Conversion API

We have integrated Facebook Conversion API on this website. The provider of this service is Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland. However, according to Facebook, the data collected is also transferred to the USA and other third countries.

Facebook Conversion API enables us to record the website visitor's interactions with our website and pass them on to Facebook in order to improve advertising performance on Facebook.

In particular, the time of the call, the website called up, your IP address and your user agent and, if applicable, other specific data (e.g. products purchased, value of the shopping cart and currency) are recorded. You can find a complete overview of the data that can be collected here: https://developers.facebook.com/docs/marketing-api/conversions-api/parameters.

The use of this service is based on your consent in accordance with Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TTDSG. Consent can be revoked at any time.

If personal data is collected on our website with the help of the tool described here and forwarded to Facebook, we and Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland are jointly responsible for this data processing (Art. 26 GDPR). The joint responsibility is limited exclusively to the collection of the data and its transfer to Facebook. The processing carried out by Facebook after forwarding is not part of the joint responsibility. The obligations incumbent on us jointly have been set out in an agreement on joint processing. The text of the agreement can be found at: https://www.facebook.com/legal/controller_addendum. According to this agreement, we are responsible for providing the data protection information when using the Facebook tool and for the secure implementation of the tool on our website in accordance with data protection law. Facebook is responsible for the data security of Facebook products. You can assert data subject rights (e.g. requests for information) regarding the data processed by Facebook directly with Facebook. If you assert your data subject rights with us, we are obliged to forward them to Facebook.

The data transfer to the USA is based on the standard contractual clauses of the EU Commission. Details can be found here: https://www.facebook.com/legal/EU_data_transfer_addendum and https://de-de.facebook.com/help/566994660333381.

You can find further information on protecting your privacy in Facebook's privacy policy: https://de-de.facebook.com/about/privacy/.

(6) Leadinfo

We use the lead generation service of Leadinfo B.V., Rotterdam, Netherlands. This recognizes visits from companies to our website based on IP addresses and shows us publicly available information, such as company names or addresses. In addition, Leadinfo sets two first-party cookies to evaluate user behavior on our website and processes domains from form entries (e.g. "leadinfo.com") in order to correlate IP addresses with companies and improve services. Further information can be found at www.leadinfo.com. On this page: www.leadinfo.com/en/opt-out you have an opt-out option. If you opt out, your data will no longer be collected by Leadinfo.

Order processing

We have concluded a data processing agreement (DPA) with the above-mentioned provider. This is a contract required by data protection law, which ensures that the provider only processes the personal data of our website visitors in accordance with our instructions and in compliance with the GDPR.

9. social media

(1) General information

Social media channels are platforms (website or apps) through which logged-in or registered users can provide content and share it with the general public or in groups to which only certain users have access and can also network with other users.

We use social media channels to present and optimize our business services, for advertising and marketing purposes and to maintain contact with our visitors, interested parties, applicants, partners and suppliers.

When you use our social media channel, personal data that you provide (e.g. title, gender, name, email addresses, contact details, etc.) and other personal data (e.g. data on usage behavior, IP address) is processed, i.e. collected, stored, evaluated, deleted, etc. If you share media, e.g. publish photos, texts or videos, these are generally stored by the provider. The processing is carried out by the provider of the social media channel.

The data is analyzed by the provider for the purpose of developing marketing and advertising strategies for the provider itself or for other companies and to draw conclusions about your interests, needs and purchasing behavior.

Cookies are usually stored on your Portable device for this purpose.

We therefore also provide you with information on cookies and your rights in this privacy policy; the information and notices (e.g. on the right to object) naturally apply.

We recommend that you also carefully read the provider's data protection notices and declarations. There you will also find the necessary information on what data is processed, how long data is stored and what rights you have vis-à-vis the provider. Only use the social media channel if you have read and understood the data protection information.

We ourselves have no significant influence on the processing of data by the respective provider. In particular, we do not know whether and how the data is processed, especially whether data is passed on to affiliated or third-party companies, but must rely on the information provided by the provider. We also cannot ensure that the data is not processed in third countries outside the EU for which an adequate level of protection for your data is not or cannot be guaranteed. Providers generally refuse to carry out checks or audits, including on site if necessary.

You should therefore inform yourself about other possible risks if you make your data available to third parties or the public (all users of a social media channel).

Often you can no longer delete data completely if you want to - e.g.

• because another user has stored the data in such a way (e.g. on their local storage medium) that you cannot access it or
• because you have no knowledge of the user, the storage and the storage location.

You should therefore handle your data and the data of other people (especially children) responsibly. If you yourself have a profile with a social media channel provider, the personal data generated through the use of our social media channel may also be linked to your profile by the provider.

Depending on the social media channel or provider, the personal data may also be used by other users of the channel and may also be processed for their own purposes. With some providers, you can decide for yourself which personal data can be seen by third parties in the settings provided for this purpose. Find out how you can protect your personal data.

We assume that you are aware that your personal data is always at risk when using the Internet. We therefore strongly recommend that you take care of your personal data yourself.

You should also only disclose personal data of third parties with their prior consent (e.g. in the case of images or texts).

(2) Contract with the provider to protect your personal data

In its judgment of 29.07.2019 (case number C-40/17 - Fashion ID - published in the ECJ's digital collection curia.europa.eu/juris/liste.jsf), the European Court of Justice ruled that in certain cases the operator of the social media platform is jointly responsible with the website operator within the meaning of Art. 26 GDPR.

Where this is the case, we have concluded a corresponding agreement with the provider. We process the personal data in compliance with the agreement. If the provider makes the contract text publicly accessible, we have linked it for you below. You can then also use the contract text to check whether you accept data processing. If you do not agree, please do not use the channel.

(3) Legal basis of the processing

If you have consented to the processing of your data, this consent is also the legal basis for data processing (Art. 6 para. 1 lit. a, Art. 4 no. 11, Art. 7 GDPR) when using the social media channel. In addition, your data is also processed on the basis of our legitimate interest (Art. 6 para. 1 lit. f GDPR) in fast and good communication with you or others. We have designed our website and the integration of social media channels in such a way that you are informed in good time (e.g. when you click on a button) that data will be transferred to the provider.

We only use social media channels in such a way that your data is only transferred to the provider once you have given your consent.

(4) Possible data processing in third countries

We cannot rule out the possibility that personal data may also be processed in third countries, in particular the USA. Please also note our information on data processing in third countries (see above).

(5) Channels used

In the following summary you will find further information on the channels we use:

i. xing

• Provider: Xing SE, Dammtorstraße 30, 20354 Hamburg, Germany
• Information on data processing and data protection:https://privacy.xing.com/de/datenschutzerklaerung

ii. LinkedIn

• Provider: LinkedIn Corporation, 2029 Stierlin Court, Mountain View, California, CA 94043, USA
• Information on the standard contractual clauses:https://de.linkedin.com/legal/l/dpa,www.linkedin.com/legal/l/eu-sccs
• Information on data processing and data protection:https://www.linkedin.com/legal/privacy-policy

10. applications, recruitment

We offer you the opportunity to apply to us by

• e-mail
• Application form on our website
• Contact via social media
• by post
• personal visit
• by telephone

to apply. You can find the contact details in this privacy policy (above) and in the legal notice of this website.

If you apply to us, we will only process your associated personal data (e.g. surname, first name, communication data, application documents, etc.) insofar as this is necessary for the decision on the establishment of an employment relationship. The legal basis for this is § 26 para. 1 sentence 1 BDSG, Art. 6 para. 1 lit. b GDPR.

If the application is successful, your data will be processed by us on the basis of Section 26 para. 1 BDSG and Art. 6 para. 1 lit. b GDPR for the purpose of implementing the employment relationship.

If we are unable to make you a contractual offer, you reject the offer or withdraw your application, we will retain the data you have submitted on the basis of our legitimate interests (Art. 6 para. 1 lit. f GDPR) for up to 6 months from the end of the application process (rejection or withdrawal of the application). The data will then be deleted and the physical application documents destroyed.

The retention serves in particular as evidence in the event of a legal dispute. If it is evident that the data will still be required after the deadline (e.g. due to an impending or existing legal dispute), the data will only be deleted when the purpose for further storage no longer applies and if there are no legal or officially ordered storage obligations to prevent deletion.

11. minors

Our services are not aimed at children under the age of 13. We do not knowingly collect data from children under the age of 13. If you are under the age limit, do not use the Services and do not provide us with your personal information. If you are a parent of a child under the age limit and you become aware that your child has provided us with personal data, please contact our data protection officer (see above for contact details) or us immediately.

12. copyright to the privacy policy

The data protection declaration was created by the data protection officer and lawyer Michael F. Ochsenfeld, Hildesheim, Germany www.ochsenfeld.com.

If you are of the opinion that the data protection declaration is incorrect, in particular incomplete, please contact us so that we can remedy the situation immediately.