Privacy Policy

With the following privacy policy we would like to inform you which types of your personal data (hereinafter also abbreviated as “data”) we process for which purposes and in which scope. The privacy statement applies to all processing of personal data carried out by us, both in the context of providing our services and in particular on our websites, in mobile applications and within external online presences, such as our social media profiles (hereinafter collectively referred to as “online services”).
The terms used are not gender-specific.

Last Update: 12. November 2024

Preamble

With the following privacy policy, we provide details on the types of personal data processed, purposes, and scope. This policy applies to all processing activities related to our services, including websites, mobile applications, and external online presences such as social media profiles.


Controller

Alejandro Gavino
Linking Phi GmbH
Marokkanergasse 7
1030 Vienna, Austria
Authorised Representatives: Alejandro Gavino, Managing Partner
E-mail address: alejandrogavino@linkingphi.com
Phone: +43 676 3279768


Overview of Processing Operations

Categories of Processed Data

  • Inventory data
  • Employee data
  • Payment data
  • Location data
  • Contact data
  • Content data
  • Contract data
  • Usage data
  • Meta, communication, and process data
  • Social data
  • Job applicant details
  • Images and/or video recordings
  • Audio recordings
  • Event data (Facebook)
  • Log data
  • Performance and behavioural data
  • Working hours data
  • Salary data

Special Categories of Data

  • Health data
  • Religious or philosophical beliefs
  • Trade union membership

Categories of Data Subjects

  • Service recipients and clients
  • Employees
  • Prospective customers
  • Communication partners
  • Users
  • Job applicants
  • Members
  • Business and contractual partners
  • Persons depicted
  • Third parties
  • Whistleblowers
  • Customers

Purposes of Processing

  • Provision of contractual services and fulfillment of contractual obligations
  • Communication
  • Security measures
  • Direct marketing
  • Web analytics
  • Targeting
  • Office and organisational procedures
  • Remarketing
  • Conversion tracking
  • Affiliate tracking
  • Organisational and administrative procedures
  • Job application process
  • Feedback
  • Marketing
  • Profiles with user-related information
  • Provision of online services and usability
  • Assessment of creditworthiness
  • Establishment and execution of employment relationships
  • Information technology infrastructure
  • Whistleblower protection
  • Financial and payment management
  • Public relations
  • Sales promotion
  • Business processes and management procedures
  • Artificial Intelligence (AI)

GDPR Articles

  • Consent (Article 6 (1)(a)): Consent for specific purposes.
  • Performance of a contract (Article 6 (1)(b)): Necessary for fulfilling contractual obligations.
  • Compliance with legal obligation (Article 6 (1)(c)): Required for legal compliance.
  • Legitimate interests (Article 6 (1)(f)): Necessary for legitimate interests, provided fundamental rights of data subjects do not prevail.
  • Job application process (Article 6 (1)(b)): Pre-contractual or contractual relationships for job applications.

National Regulations in Austria

  • Data Protection Act (DSG): Special provisions on access, rectification, or cancellation.

Swiss DPA

Applicable for data protection aligned with GDPR terminology.


Security Precautions

  • Safeguarding confidentiality, integrity, and availability of data.
  • TLS/SSL Encryption: Ensuring secure online connections (HTTPS).

Transmission of Personal Data

  • Data Sharing: Within the group of companies or external service providers under legal agreements.
  • International Transfers: Based on GDPR adequacy decisions or other safeguards like standard contractual clauses.

International Data Transfers

  • Based on adequacy decisions (Article 45 GDPR).
  • Utilizing Data Privacy Framework (DPF) for certain U.S. companies.

General Information on Data Retention and Deletion

  • Data deleted when no longer needed or legal basis ceases.
  • Exceptions for tax or legal obligations.

Retention Deadlines (Austria)

  • 10 Years: Financial and organizational records.
  • 6 Years: Business documents and correspondence.
  • 3 Years: Warranty and compensation claims.

Rights of Data Subjects

Under GDPR (Articles 15–21)

  • Right to Object: Objection to processing based on Article 6(1)(e) or (f).
  • Right to Withdraw Consent
  • Right of Access
  • Right to Rectification
  • Right to Erasure
  • Right to Data Portability
  • Complaint to Supervisory Authority

Business Processes and Operations

Processed Data Types

  • Inventory data
  • Payment data
  • Contact data
  • Content data
  • Contract data
  • Usage data
  • Log data
  • Meta, communication, and process data

Purposes of Processing

  • Customer management
  • Communication
  • Marketing and sales promotion
  • Financial and payment management
  • Information technology infrastructure

Retention and Deletion

  • Based on legal requirements or purpose expiration.

Legal Basis: Performance of a contract (Article 6 (1)(b) GDPR), Legitimate interests (Article 6 (1)(f) GDPR).

Provision of Online Services and Web Hosting

We process user data to provide online services. This includes processing the IP address of the user, which is necessary for transmitting content and features of our online services to the user’s browser or device.

Processed Data Types

  • Usage data: Page views, duration of visit, click paths, intensity and frequency of use, types of devices and operating systems used, interactions with content and features.
  • Meta, communication, and process data: IP addresses, timestamps, identification numbers, involved parties.
  • Log data: Log files related to logins, data retrieval, or access times.
  • Content data: Textual or pictorial messages and contributions, as well as authorship details and time of creation.

Data Subjects

  • Users: Website visitors, users of online services.
  • Business and contractual partners.

Purposes of Processing

  • Provision of online services and usability.
  • Operation and provision of IT infrastructure (e.g., computers, servers, etc.).
  • Security measures.

Retention and Deletion

Data is deleted according to the information provided in the section “General Information on Data Retention and Deletion.”

Legal Basis: Legitimate Interests (Article 6 (1)(f) GDPR).

Further Information on Processing Methods, Procedures, and Services Used

Provision of Online Offer on Rented Hosting Space

For online services, we use rented storage space, computing capacity, and software from server providers (web hosters).
Legal Basis: Legitimate Interests (Article 6 (1)(f) GDPR).

Collection of Access Data and Log Files

Access to online services is logged via “server log files,” including details like accessed web pages, date and time of access, data volumes, browser type, operating system, referrer URL, IP addresses, and provider details. This data is used for security purposes, such as preventing server overload (e.g., DDoS attacks) and ensuring stability.
Retention Period: Log files are stored for up to 30 days, then deleted or anonymized. Data needed for evidence purposes is retained until resolved.
Legal Basis: Legitimate Interests (Article 6 (1)(f) GDPR).

E-mail Sending and Hosting

Our web hosting services include sending, receiving, and storing e-mails. This involves processing recipient/sender addresses, email contents, and SPAM detection. Please note that email transmissions are generally not fully encrypted unless end-to-end encryption is used.
Legal Basis: Legitimate Interests (Article 6 (1)(f) GDPR).

Content-Delivery-Network (CDN)

We use a Content Delivery Network (CDN) to deliver large media files (e.g., graphics, scripts) faster and more securely using regionally distributed servers.
Legal Basis: Legitimate Interests (Article 6 (1)(f) GDPR).

Amazon Web Services (AWS)

We use AWS for IT infrastructure services (e.g., storage and computing capacity).
Service Provider: Amazon Web Services EMEA SARL, 38 avenue John F. Kennedy, 1855, Luxembourg.
Legal Basis: Legitimate Interests (Article 6 (1)(f) GDPR).
Website: AWS
Privacy Policy: AWS Privacy Policy
Data Processing Agreement: AWS GDPR Center
Third-Country Transfers: Data Privacy Framework (DPF).

Amazon CloudFront

A CDN service by AWS for delivering large media files faster and more securely via regionally distributed servers.
Service Provider: Amazon Web Services EMEA SARL, 38 avenue John F. Kennedy, 1855, Luxembourg.
Legal Basis: Legitimate Interests (Article 6 (1)(f) GDPR).
Website: Amazon CloudFront
Privacy Policy: AWS Privacy Policy
Data Processing Agreement: AWS GDPR Center
Third-Country Transfers: Standard Contractual Clauses.


Use of Cookies

Cookies store and retrieve information on users’ devices for various purposes, such as functionality, security, convenience, and visitor traffic analysis. We use cookies in compliance with legal regulations and obtain users’ consent where necessary. If not required, we rely on legitimate interests.

Storage Duration

  • Temporary cookies (session cookies): Deleted after the user leaves the online service and closes their device.
  • Permanent cookies: Persist after the device is closed (e.g., saving login status). Unless specified, assume a storage duration of up to two years.

Withdrawal and Objection (Opt-Out)

Users can withdraw consent or object to processing via browser privacy settings or cookie settings on our website.

Processed Data Types

  • Meta, communication, and process data: IP addresses, timestamps, identification numbers, involved parties.
  • Usage data: Page views, duration of visit, click paths, intensity and frequency of use, types of devices and operating systems used, interactions with content and features.

Data Subjects

  • Users: Website visitors, users of online services.

Purposes of Processing

  • Provision of online services and usability.

Legal Basis: Legitimate Interests (Article 6 (1)(f) GDPR), Consent (Article 6 (1)(a) GDPR).

Further Information on Processing Methods, Procedures, and Services Used

We use a consent management solution to obtain and log users’ cookie preferences. This process enables users to manage or withdraw consent. Data retention for this purpose is up to two years.
Legal Basis: Consent (Article 6 (1)(a) GDPR).

Users can change cookie settings or revoke consent via the link in the footer of our website.

Blogs and Publication Media

We use blogs or comparable online communication and publication platforms (hereinafter “publication medium”). Readers’ data is processed only to the extent necessary for presenting the publication medium, facilitating communication between authors and readers, or for security purposes. Additional information on data processing is outlined in this privacy policy.

Processed Data Types

  • Inventory data: Full name, residential address, contact information, customer number, etc.
  • Contact data: Postal and email addresses or phone numbers.
  • Content data: Textual or pictorial messages and contributions, including authorship details and time of creation.
  • Usage data: Page views, duration of visit, click paths, intensity and frequency of use, types of devices and operating systems used, interactions with content and features.
  • Meta, communication, and process data: IP addresses, timestamps, identification numbers, involved parties.

Data Subjects

  • Users: Website visitors, users of online services.

Purposes of Processing

  • Feedback (e.g., collecting feedback via online forms).
  • Provision of online services and usability.
  • Security measures.
  • Organisational and administrative procedures.

Retention and Deletion

Data is deleted in accordance with the information provided in the section “General Information on Data Retention and Deletion.”

Legal Basis: Legitimate Interests (Article 6 (1)(f) GDPR).

Further Information on Processing Methods, Procedures, and Services Used

Comment Subscriptions

  • IP addresses of users may be stored based on legitimate interests for safety purposes, such as identifying the author of illegal content (e.g., insults, forbidden political propaganda) in comments or contributions.
  • User data may also be processed for SPAM detection.
  • IP addresses may be stored during surveys to prevent multiple votes.
  • Personal information provided through comments and contributions, including contact and website information, will be stored permanently until the user objects.
    Legal Basis: Legitimate Interests (Article 6 (1)(f) GDPR).

Contact and Inquiry Management

When contacting us (e.g., via mail, contact form, email, telephone, or social media) or in the context of existing user and business relationships, the information of inquiring persons is processed as necessary to respond to their requests and any requested measures.

Processed Data Types

  • Inventory data: Full name, residential address, contact information, customer number, etc.
  • Contact data: Postal and email addresses or phone numbers.
  • Content data: Textual or pictorial messages and contributions, including authorship details and time of creation.
  • Usage data: Page views, duration of visit, click paths, intensity and frequency of use, types of devices and operating systems used, interactions with content and features.
  • Meta, communication, and process data: IP addresses, timestamps, identification numbers, involved parties.

Data Subjects

  • Communication partners: Recipients of emails, letters, etc.

Purposes of Processing

  • Communication.
  • Organisational and administrative procedures.
  • Feedback (e.g., collecting feedback via online forms).
  • Provision of online services and usability.

Retention and Deletion

Data is deleted in accordance with the information provided in the section “General Information on Data Retention and Deletion.”

Legal Basis: Legitimate Interests (Article 6 (1)(f) GDPR), Performance of a contract and prior requests (Article 6 (1)(b) GDPR).

Further Information on Processing Methods, Procedures, and Services Used

Contact Form

  • Personal data transmitted through contact forms, email, or other communication methods is processed for responding to and handling inquiries.
  • This typically includes name, contact information, and any additional necessary information provided.
  • Data is used exclusively for the stated purpose of contact and communication.
    Legal Basis: Performance of a contract and prior requests (Article 6 (1)(b) GDPR), Legitimate Interests (Article 6 (1)(f) GDPR).

Communication via Messenger

We use messenger services for communication and request that you review the following details regarding their functionality, encryption, metadata usage, and your options to object.

Encryption

  • The content of your messages and attachments is encrypted end-to-end, ensuring that even messenger service providers cannot access the content.
  • Ensure you use the latest version of the messenger service with encryption enabled.

Metadata

While the content remains encrypted, messenger service providers may process metadata, such as:

  • When communication occurs.
  • Technical details about the device used.
  • Potentially, location information depending on device settings.

Alternative Communication

You can also contact us via telephone or email using the contact information provided on our platforms.

Legal Basis

  • Consent (Article 6 (1)(a) GDPR): When consent is requested before initiating communication.
  • Performance of a contract (Article 6 (1)(b) GDPR): For communication with contractual partners or during contract initiation.
  • Legitimate Interests (Article 6 (1)(f) GDPR): For efficient communication without prior consent.

Withdrawal, Objection, and Deletion

  • Consent can be withdrawn, and communication objections can be raised at any time.
  • Messages are deleted in accordance with our data retention policy after resolving inquiries or when no further reference to prior communication is expected.

Reservation for Alternative Communication Means

  • We may opt not to respond via messenger for reasons like confidentiality or formal requirements and recommend using alternative channels.

Processed Data Types

  • Contact data: Email addresses, phone numbers, etc.
  • Content data: Textual or pictorial messages, attachments, authorship details, timestamps.
  • Usage data: Page views, device details, interactions with content.
  • Meta, communication, and process data: IP addresses, timestamps, identification numbers, etc.

Data Subjects

  • Communication partners: Recipients of emails, messages, or other communications.

Purposes of Processing

  • Communication.
  • Direct marketing (e.g., via email or postal).

Retention and Deletion

Data is deleted as described in the section “General Information on Data Retention and Deletion.”

Further Information on Processing Methods, Procedures, and Services Used

Instagram

  • Service Provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland.
  • Legal Basis: Legitimate Interests (Article 6 (1)(f) GDPR).
  • Website: Instagram
  • Privacy Policy: Instagram Privacy Policy.

Facebook Messenger

  • Features: Text messages, voice and video calls, group chats, file sharing, location transmission, encryption.
  • Service Provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland.
  • Legal Basis: Legitimate Interests (Article 6 (1)(f) GDPR).
  • Website: Facebook
  • Privacy Policy: Facebook Privacy Policy
  • Data Processing Agreement: Facebook Data Processing Terms.
  • Third-Country Transfers: Data Privacy Framework (DPF).

Telegram

  • Features: Messaging, voice and video calls, group and channel creation, file sharing, secret chat encryption, multi-device sync.
  • Service Provider: European Data Protection Office (EDPO), Avenue Huart Hamoir 71, 1030 Brussels, Belgium.
  • Legal Basis: Legitimate Interests (Article 6 (1)(f) GDPR).
  • Website: Telegram
  • Privacy Policy: Telegram Privacy Policy.

WhatsApp

  • Features: Text messages, voice and video calls, media and document sharing, group chat, end-to-end encryption.
  • Service Provider: WhatsApp Ireland Limited, Merrion Road 4, D04 X2K5 Dublin, Ireland.
  • Legal Basis: Legitimate Interests (Article 6 (1)(f) GDPR).
  • Website: WhatsApp
  • Privacy Policy: WhatsApp Privacy Policy
  • Third-Country Transfers: Data Privacy Framework (DPF).

Chatbots and Chat Functions

We provide online chats and chatbot functions (together referred to as “Chat Services”) to facilitate communication. A chat is an online conversation with immediacy, while a chatbot is software designed to answer user questions or share information.

Data Collection and Use

  • Identification: If you use our Chat Services within an online platform, your identification number is stored on that platform.
  • Interaction Data: We may collect information about user interactions with our Chat Services, including timestamps.
  • Conversation Logs: The content of conversations is stored, including registration and consent processes for legal compliance.
  • Metadata: Platform providers may collect metadata, including technical device information and location data, for service optimization and security purposes.

Purpose of Data Use

We use the collected data to:

  • Address users personally.
  • Respond to inquiries.
  • Transmit requested content.
  • Improve Chat Services by teaching chatbots or identifying unanswered inquiries.

Legal Basis

  • Consent (Article 6 (1)(a) GDPR): When users grant explicit permission (e.g., for regular chatbot messages).
  • Performance of a contract (Article 6 (1)(b) GDPR): For contractual and pre-contractual communication.
  • Legitimate Interests (Article 6 (1)(f) GDPR): For optimization and efficient operation of Chat Services.

Withdrawal and Deletion

  • Consent can be withdrawn at any time, and objections to data processing can be raised.
  • Conversations are deleted as per the “General Information on Data Retention and Deletion” section.

Processed Data Types

  • Inventory data: Name, address, contact details, etc.
  • Contact data: Email addresses, phone numbers, etc.
  • Content data: Messages and contributions, including timestamps.
  • Usage data: Page views, device details, interactions.
  • Meta, communication, and process data: IP addresses, identifiers, timestamps, etc.

Data Subjects

  • Communication partners: Users interacting with Chat Services.

Further Information on Services Used

LiveChat

  • Service Provider: LiveChat Inc., One International Place, Suite 1400, Boston, MA 02110, USA.
  • Legal Basis: Legitimate Interests (Article 6 (1)(f) GDPR).
  • Website: LiveChat
  • Privacy Policy: LiveChat Privacy Policy.
  • Third-Country Transfers: Data Privacy Framework (DPF).

Push Notifications

We send push notifications to users with their consent. These messages are displayed on screens, devices, or browsers even when our online services are not actively in use.

  • Users must confirm their browser or device requests for push notifications. This process is documented and stored to verify consent.

Use Cases

  • Push messages may fulfill contractual obligations or provide technical and organizational updates.
  • Users can change notification preferences through device or browser settings.

Legal Basis

  • Consent (Article 6 (1)(a) GDPR): For user-approved notifications.
  • Legitimate Interests (Article 6 (1)(f) GDPR): For improving service usability and communication.

Retention and Deletion

Data is deleted as per the “General Information on Data Retention and Deletion” section or after termination of use.

Processed Data Types

  • Usage data: Page views, device details, interactions.
  • Meta, communication, and process data: IP addresses, timestamps, identifiers.
  • Location data: Geographic location of devices.

Data Subjects

  • Communication partners: Users receiving push notifications.

Further Information on Services Used

Location-Dependent Delivery

Push notifications may depend on users’ location data transmitted by their devices.
Legal Basis: Consent (Article 6 (1)(a) GDPR).

Analysis and Performance Measurement

  • Push notifications are evaluated for performance, including delivery, interaction, and usage habits.
  • This analysis helps improve push notifications and adapt them to user preferences.
  • Opt-Out: Users can unsubscribe from push notifications to stop analysis. Note: Analysis cannot be canceled separately from notifications.
    Legal Basis: Consent (Article 6 (1)(a) GDPR).

Artificial Intelligence (AI)

We use artificial intelligence (AI) systems for processing personal data in compliance with legal requirements, adhering to the principles of lawfulness, transparency, fairness, human oversight, purpose limitation, data minimization, integrity, and confidentiality. AI systems are designed to operate autonomously, producing outputs such as predictions, recommendations, or decisions that can influence various environments.

Compliance and Oversight

  • Legal Foundation: The processing of personal data is based on user consent or statutory permissions.
  • Transparency and Fairness: We ensure users are informed about the use of AI in processing their data.
  • Human Oversight: All AI-supported decisions are monitored to maintain fairness and accountability.
  • Technical and Organizational Measures: Robust safeguards are implemented to protect data integrity and confidentiality.
  • AI Providers: External AI providers are carefully selected, and their compliance with legal and ethical standards is regularly reviewed.

Processed Data Types

  • Content data: Textual or pictorial messages, authorship details, timestamps.
  • Usage data: Page views, device details, interactions, operating systems used.

Data Subjects

  • Users: Website visitors, users of online services.
  • Third Parties: Other entities involved in AI-related interactions.

Purposes of Processing

  • Artificial Intelligence (AI) applications.

Retention and Deletion

Data is deleted in accordance with the “General Information on Data Retention and Deletion” section.

Legal Basis: Legitimate Interests (Article 6 (1)(f) GDPR).

Further Information on AI Services Used

ChatGPT

  • Features: Natural language understanding and generation, information analysis, predictions.
  • Service Provider: OpenAI Ireland Ltd, 117-126 Sheriff Street Upper, D01 YC43 Dublin 1, Ireland.
  • Legal Basis: Legitimate Interests (Article 6 (1)(f) GDPR).
  • Website: ChatGPT
  • Privacy Policy: OpenAI Privacy Policy
  • Opt-Out: OpenAI Opt-Out Form.

DeepL

  • Features: Language translation, synonym suggestions, context-based text corrections.
  • Service Provider: DeepL SE, Maarweg 165, 50825 Köln, Germany.
  • Legal Basis: Legitimate Interests (Article 6 (1)(f) GDPR).
  • Website: DeepL
  • Privacy Policy: DeepL Privacy Policy.

Microsoft Copilot

  • Features: Text creation, data analysis, task automation, and integration with Microsoft Office applications.
  • Service Provider: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland.
  • Legal Basis: Legitimate Interests (Article 6 (1)(f) GDPR).
  • Website: Microsoft Copilot
  • Privacy Policy: Microsoft Privacy Statement
  • Data Processing Agreement: Microsoft DPA.
  • Third-Country Transfers: Data Privacy Framework (DPF).

OpenAI API

  • Features: Language and image models for text generation, language processing, and image analysis.
  • Service Provider: OpenAI Ireland Ltd, 117-126 Sheriff Street Upper, D01 YC43 Dublin 1, Ireland.
  • Legal Basis: Legitimate Interests (Article 6 (1)(f) GDPR).
  • Website: OpenAI API
  • Privacy Policy: OpenAI Privacy Policy
  • Data Processing Agreement: OpenAI DPA.
  • Third-Country Transfers: Data Privacy Framework (DPF).
  • Opt-Out: OpenAI Opt-Out Form.

Video Conferences, Online Meetings, Webinars, and Screen-Sharing

We use platforms and applications provided by third parties (“Conference Platforms”) for video and audio conferences, webinars, and other types of online meetings (“Conference”). All usage complies with legal requirements.

Data Processed by Conference Platforms

During Conferences, the following participant data may be processed:

  • Personal Information: First name, last name.
  • Contact Information: Email address, telephone number.
  • Access Data: Access codes or passwords.
  • Profile Information: Profile pictures, professional position/function.
  • Technical Information: IP address, end device details, operating system, browser, technical and linguistic settings.
  • Communication Content: Entries in chats, audio/video data, survey results, and use of additional functions.
  • Log Data: Login information, data retrieval, access times.

The scope of data processing depends on the specific Conference requirements and optional information provided by participants. Content communications are encrypted to the extent supported by the platform providers.

Logging and Recording

If any text entries, participation results (e.g., surveys), or video/audio recordings are made, participants are informed in advance and their consent is sought if necessary.

Data Protection Measures for Participants

  • Review the data privacy policies of the Conference Platforms.
  • Use available security and privacy settings on the platforms.
  • Ensure privacy during Conferences (e.g., notify others in your location, use background masking).
  • Do not share links or access data with unauthorized third parties.

Legal Basis

  • Consent (Article 6 (1)(a) GDPR): When explicit permission is requested for specific features like recording.
  • Performance of a Contract (Article 6 (1)(b) GDPR): For fulfilling contractual obligations, e.g., participant lists or reprocessing Conference results.
  • Legitimate Interests (Article 6 (1)(f) GDPR): For efficient and secure communication.

Retention and Deletion

Data is deleted in accordance with the “General Information on Data Retention and Deletion” section.

Processed Data Types

  • Inventory Data: Full name, residential address, contact details, etc.
  • Contact Data: Email addresses, phone numbers.
  • Content Data: Textual or pictorial messages, chat entries, timestamps.
  • Usage Data: Page views, duration of visits, device details, interactions.
  • Media: Images, video recordings, audio recordings.
  • Log Data: Login information, access times.

Data Subjects

  • Communication Partners: Recipients of emails, letters, etc.
  • Users: Website visitors, users of online services.
  • Persons Depicted: Participants in images or recordings.

Purposes of Processing

  • Provision of contractual services and fulfillment of obligations.
  • Communication.
  • Office and organizational procedures.

Further Information on Services Used

Microsoft Teams

  • Features: Audio/video conferencing, chat, file sharing, collaboration on documents, task management, screen sharing, optional recording.
  • Service Provider: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland.
  • Legal Basis: Legitimate Interests (Article 6 (1)(f) GDPR).
  • Website: Microsoft Teams
  • Privacy Policy: Microsoft Privacy Statement
  • Security Information: Microsoft Trust Center.
  • Third-Country Transfers: Data Privacy Framework (DPF).

Skype

  • Features: Messaging, audio/video conferencing.
  • Service Provider: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland.
  • Legal Basis: Legitimate Interests (Article 6 (1)(f) GDPR).
  • Website: Skype
  • Privacy Policy: Microsoft Privacy Statement
  • Security Information: Microsoft Trust Center.
  • Third-Country Transfers: Data Privacy Framework (DPF).

Zoom

  • Features: Video conferencing, online meetings, webinars, screen sharing, session recording, chat, calendar integration.
  • Service Provider: Zoom Video Communications, Inc., 55 Almaden Blvd., Suite 600, San Jose, CA 95113, USA.
  • Legal Basis: Legitimate Interests (Article 6 (1)(f) GDPR).
  • Website: Zoom
  • Privacy Policy: Zoom Privacy Policy
  • Data Processing Agreement: Zoom DPA.
  • Third-Country Transfers: Data Privacy Framework (DPF).

Audio Content

We utilize hosting services provided by third-party platforms for uploading, storing, and distributing audio content for listening and downloading.

Processed Data Types

  • Usage Data: Page views, duration of visits, click paths, device types, operating systems, interactions with content.
  • Meta, Communication, and Process Data: IP addresses, timestamps, identification numbers, involved parties.
  • Log Data: Login details, data retrieval, and access times.

Data Subjects

  • Users: Website visitors, users of online services.

Purposes of Processing

  • Web analytics (e.g., access statistics, recognition of returning visitors).
  • Conversion tracking (measuring the effectiveness of marketing activities).
  • User profiles (creating user-related profiles).
  • Provision of online services and usability.

Retention and Deletion

Data is deleted in accordance with the “General Information on Data Retention and Deletion” section.

Legal Basis: Legitimate Interests (Article 6 (1)(f) GDPR).

Further Information on Services Used

Spotify


Cloud Services

We use cloud-based software services (“cloud services” or “Software as a Service”) for document storage, management, and sharing.

Processed Data Types

  • Inventory Data: Full name, residential address, contact details, etc.
  • Contact Data: Email addresses, phone numbers.
  • Content Data: Textual or pictorial messages, document details.
  • Usage Data: Page views, device details, click paths, interactions with content.

Data Subjects

  • Prospective Customers: Individuals engaging with our services.
  • Communication Partners: Email recipients, letter correspondents, etc.
  • Business and Contractual Partners: Entities in professional or contractual relationships.

Purposes of Processing

  • Office and organizational procedures.
  • IT infrastructure operations and management.

Retention and Deletion

Data is deleted in accordance with the “General Information on Data Retention and Deletion” section.

Legal Basis

  • Legitimate Interests (Article 6 (1)(f) GDPR).

Further Information on Services Used

Microsoft Cloud Services

  • Features: Cloud storage, infrastructure services, and cloud-based application software.
  • Service Provider: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland.
  • Legal Basis: Legitimate Interests (Article 6 (1)(f) GDPR).
  • Website: Microsoft
  • Privacy Policy: Microsoft Privacy Statement
  • Security Information: Microsoft Trust Center
  • Data Processing Agreement: Microsoft DPA.
  • Third-Country Transfers: Data Privacy Framework (DPF).

Newsletter and Electronic Communications

We send newsletters and other electronic notifications exclusively with user consent or based on a legal basis.

Data Collection and Use

  • Registration: Email addresses are required; names may also be requested for personalized greetings.
  • Retention: Unsubscribed email addresses may be retained for up to three years based on legitimate interests to demonstrate prior consent. This data is limited to defending claims and preventing unauthorized contacts.

Contents of Newsletters

  • Information about our services, promotions, and offers.

Processed Data Types

  • Inventory Data: Full name, address, contact information.
  • Contact Data: Email addresses, postal addresses.
  • Meta, Communication, and Process Data: IP addresses, timestamps, identification numbers.
  • Usage Data: Device types, page views, interactions with content.

Data Subjects

  • Communication Partners: Recipients of newsletters and other notifications.

Purposes of Processing

  • Direct marketing (e.g., by email or post).

Retention and Deletion

Data is deleted in accordance with the “General Information on Data Retention and Deletion” section.

Legal Basis

  • Consent (Article 6 (1)(a) GDPR).

Opt-Out

  • Recipients can cancel newsletters at any time via the link provided in the email or by contacting us directly.

Further Information on Services Used

Measurement of Opening and Click Rates

  • Newsletters may include “web beacons” for tracking technical information (e.g., browser details, IP addresses) and user behavior (e.g., open times, link clicks).
  • This analysis is based on user consent and serves to improve newsletter content and delivery.
  • Opt-out from success measurement requires unsubscribing from the newsletter.
  • Legal Basis: Consent (Article 6 (1)(a) GDPR).

Commercial Communication by Email, Postal Mail, Fax, or Telephone

We process personal data for promotional communications via various channels in accordance with legal requirements.

Data Subjects

  • Communication Partners: Email recipients, telephone contacts, postal correspondents.

Purposes of Processing

  • Direct marketing.
  • Sales promotion.

Retention and Deletion

Data is retained as outlined in the “General Information on Data Retention and Deletion” section.

Legal Basis

  • Consent (Article 6 (1)(a) GDPR).
  • Legitimate Interests (Article 6 (1)(f) GDPR).

Withdrawal and Objection

  • Recipients can withdraw consent or object to communications at any time.
  • Data necessary for proving prior authorization may be retained for up to three years after withdrawal.
  • Contact details may be stored to prevent unauthorized future communications.

Web Analysis, Monitoring, and Optimization

Web analytics, also known as “reach measurement,” evaluates visitor interactions with our online services. It includes analyzing visitor behavior, interests, and demographic information such as age or gender to improve usability and optimize performance.

Processed Data Types

  • Usage Data: Page views, duration of visits, click paths, device types, operating systems, interactions.
  • Meta, Communication, and Process Data: IP addresses (pseudonymized via IP masking), timestamps, identifiers.

Data Subjects

  • Users: Visitors and users of online services.

Purposes of Processing

  • Web analytics (e.g., access statistics, recognition of returning visitors).
  • Creating user profiles for usability and optimization purposes.

Retention and Deletion

  • Data is deleted as outlined in the “General Information on Data Retention and Deletion” section.
  • Cookies may be stored for up to two years unless stated otherwise.

Security Measures

  • IP masking (pseudonymization by shortening the IP address).

Legal Basis

  • Consent (Article 6 (1)(a) GDPR): When consent is obtained for third-party services.
  • Legitimate Interests (Article 6 (1)(f) GDPR): For efficient and user-friendly services.

Further Information on Services Used

  • Purpose: To fulfill ePrivacy Directive requirements and process user data in compliance with data protection laws. Consent status is shared with Google to ensure dynamic adjustment of features and services.
  • Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
  • Legal Basis: Consent (Article 6 (1)(a) GDPR).
  • Website: Google Analytics Support
  • Privacy Policy: Google Privacy Policy.

Online Marketing

We process personal data for online marketing, including advertising space marketing, content display based on user interests, and measuring ad effectiveness.

Processed Data Types

  • Usage Data: Content viewed, websites visited, online networks used, device types, operating systems.
  • Meta, Communication, and Process Data: IP addresses (pseudonymized via IP masking), timestamps, identifiers.

Data Subjects

  • Users: Visitors and users of online services.

Purposes of Processing

  • Targeting and profiling based on interests and behavior.
  • Conversion tracking (measuring marketing effectiveness).
  • Remarketing and affiliate tracking.

Retention and Deletion

  • Data is deleted as outlined in the “General Information on Data Retention and Deletion” section.
  • Cookies may be stored for up to two years unless stated otherwise.

Security Measures

  • IP masking (pseudonymization by shortening the IP address).

Legal Basis

  • Consent (Article 6 (1)(a) GDPR).
  • Legitimate Interests (Article 6 (1)(f) GDPR).

Further Information on Services Used

Facebook Ads

  • Purpose: Placing ads on Facebook and analyzing ad performance.
  • Service Provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland.
  • Legal Basis: Consent (Article 6 (1)(a) GDPR).
  • Website: Facebook
  • Privacy Policy: Facebook Privacy Policy
  • Third-Country Transfers: Data Privacy Framework (DPF).
  • Additional Information: Data is processed jointly with Meta Platforms for behavioral advertising and audience building under a joint controllership agreement. Data transfers to Meta Platforms, Inc. in the USA are based on standard contractual clauses.

  • Purpose: Real-time ads based on presumed user interests and ad performance analysis.
  • Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
  • Legal Basis: Legitimate Interests (Article 6 (1)(f) GDPR).
  • Website: Google Marketing Platform
  • Privacy Policy: Google Privacy Policy
  • Third-Country Transfers: Data Privacy Framework (DPF).

  • Purpose: Placing ads and measuring conversion rates (e.g., contracts concluded following ad interactions).
  • Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
  • Legal Basis: Consent (Article 6 (1)(a) GDPR), Legitimate Interests (Article 6 (1)(f) GDPR).
  • Website: Google Ads
  • Privacy Policy: Google Privacy Policy
  • Third-Country Transfers: Data Privacy Framework (DPF).

  • Purpose: Adding users to pseudonymous remarketing lists to display relevant ads on other services.
  • Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
  • Legal Basis: Consent (Article 6 (1)(a) GDPR).
  • Website: Google Ads
  • Privacy Policy: Google Privacy Policy
  • Third-Country Transfers: Data Privacy Framework (DPF).

Opt-Out Options

Cookies can also be deactivated in browser settings, though this may limit online service functionality.

Customer Reviews and Ratings

We participate in review and rating systems to evaluate, optimize, and promote our services. User ratings are governed by the providers’ terms and privacy policies. Registration with the respective rating platform may be required.

Processed Data Types

  • Contract Data: Contract details, customer categories, order numbers.
  • Usage Data: Page views, click paths, device types, frequency of use.
  • Meta, Communication, and Process Data: IP addresses, timestamps, identifiers.

Data Subjects

  • Service Recipients and Clients: Individuals using our services.
  • Users: Website visitors and users of online services.

Purposes of Processing

  • Feedback collection (e.g., via online forms).
  • Marketing.

Legal Basis

  • Legitimate Interests (Article 6 (1)(f) GDPR).

Further Information on Services Used

Rating Widget

  • Functionality: Displays ratings as dynamic widgets within our online services.
  • Provider Access: Providers retrieve technical data (e.g., IP address) to display widgets and may use cookies to track user interactions.
  • Legal Basis: Legitimate Interests (Article 6 (1)(f) GDPR).

Google Customer Reviews

  • Functionality: Collects customer satisfaction ratings.
  • Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
  • Legal Basis: Legitimate Interests (Article 6 (1)(f) GDPR).
  • Website: Google
  • Privacy Policy: Google Privacy Policy
  • Third-Country Transfers: Data Privacy Framework (DPF).

kununu

  • Functionality: Review and rating platform.
  • Service Provider: XING AG, Dammtorstraße 29-32, 20354 Hamburg, Germany.
  • Legal Basis: Legitimate Interests (Article 6 (1)(f) GDPR).
  • Website: kununu
  • Privacy Policy: XING Privacy Policy.

Profiles in Social Networks (Social Media)

We maintain social media profiles to communicate with users and share information. User data may be processed outside the EU, which could affect user rights enforcement.

Processed Data Types

  • Contact Data: Email addresses, phone numbers.
  • Content Data: Posts, messages, comments, multimedia content.
  • Usage Data: Page views, interaction patterns, device information.
  • Inventory Data: Names, addresses, customer numbers.
  • Meta, Communication, and Process Data: IP addresses, timestamps, identifiers.

Data Subjects

  • Users: Social media platform visitors and members.

Purposes of Processing

  • Communication and public relations.
  • Feedback collection.
  • Usability and content provision.

Retention and Deletion

Data is deleted in accordance with the “General Information on Data Retention and Deletion” section.

Legal Basis

  • Legitimate Interests (Article 6 (1)(f) GDPR).

Further Information on Services Used

Instagram

  • Service Provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, Ireland.
  • Legal Basis: Legitimate Interests (Article 6 (1)(f) GDPR).
  • Website: Instagram
  • Privacy Policy: Instagram Privacy Policy.
  • Third-Country Transfers: Data Privacy Framework (DPF).

Facebook Pages and Groups

  • Functionality: Public and group profiles for communication and analytics.
  • Service Provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, Ireland.
  • Legal Basis: Legitimate Interests (Article 6 (1)(f) GDPR).
  • Website: Facebook
  • Privacy Policy: Facebook Privacy Policy.
  • Third-Country Transfers: Data Privacy Framework (DPF).

LinkedIn

  • Functionality: Public profiles for professional networking and analytics.
  • Service Provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland.
  • Legal Basis: Legitimate Interests (Article 6 (1)(f) GDPR).
  • Website: LinkedIn
  • Privacy Policy: LinkedIn Privacy Policy.
  • Third-Country Transfers: Data Privacy Framework (DPF).

Telegram Groups and Channels

  • Functionality: Interest groups and content-sharing channels.
  • Service Provider: European Data Protection Office (EDPO), Avenue Huart Hamoir 71, 1030 Brussels, Belgium.
  • Website: Telegram
  • Privacy Policy: Telegram Privacy Policy.

X (formerly Twitter)

  • Functionality: Social networking and content sharing.
  • Service Provider: Twitter International Company, One Cumberland Place, Dublin 2, Ireland.
  • Legal Basis: Legitimate Interests (Article 6 (1)(f) GDPR).
  • Website: X
  • Privacy Policy: X Privacy Policy.

Vimeo

  • Functionality: Video hosting and sharing.
  • Service Provider: Vimeo Inc., 555 West 18th Street, New York, NY, USA.
  • Legal Basis: Legitimate Interests (Article 6 (1)(f) GDPR).
  • Website: Vimeo
  • Privacy Policy: Vimeo Privacy Policy.

YouTube

  • Functionality: Video hosting and sharing.
  • Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
  • Legal Basis: Legitimate Interests (Article 6 (1)(f) GDPR).
  • Privacy Policy: YouTube Privacy Policy.
  • Third-Country Transfers: Data Privacy Framework (DPF).

Xing

  • Functionality: Professional networking platform.
  • Service Provider: New Work SE, Am Strandkai 1, 20457 Hamburg, Germany.
  • Legal Basis: Legitimate Interests (Article 6 (1)(f) GDPR).
  • Website: Xing
  • Privacy Policy: Xing Privacy Policy.

Plugins and Embedded Functions and Content

We integrate functional and content elements (e.g., graphics, videos, maps) from third-party providers within our online services. These elements may process user data, such as IP addresses, to enable content delivery and optimize usability.

Processed Data Types

  • Usage Data: Page views, duration of visits, click paths, device and operating system types.
  • Meta, Communication, and Process Data: IP addresses, timestamps, identification numbers.
  • Inventory Data: Names, addresses, contact information, customer numbers.
  • Contact Data: Email addresses, phone numbers.
  • Content Data: Textual or pictorial contributions, authorship, timestamps.
  • Location Data: Geographical position of devices or users.
  • Event Data (Facebook): Actions (e.g., visits, interactions) used for creating Custom Audiences.

Data Subjects

  • Users: Website visitors and users of online services.

Purposes of Processing

  • Provision of online services and usability.
  • Marketing.
  • Creating user-related profiles.
  • Fulfillment of contractual obligations.

Retention and Deletion

Data is deleted as per the “General Information on Data Retention and Deletion” section. Cookies may be stored for up to two years unless otherwise specified.

Legal Basis

  • Consent (Article 6 (1)(a) GDPR).
  • Legitimate Interests (Article 6 (1)(f) GDPR).

Further Information on Services Used

Facebook Plugins and Content

  • Purpose: Social plugins for sharing content; Event Data for targeted advertising.
  • Service Provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, Ireland.
  • Legal Basis: Consent (Article 6 (1)(a) GDPR).
  • Website: Facebook
  • Privacy Policy: Facebook Privacy Policy.
  • Third-Country Transfers: Data Privacy Framework (DPF).

Google Fonts

  • Purpose: Secure and efficient font provision for consistent display.
  • Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
  • Legal Basis: Legitimate Interests (Article 6 (1)(f) GDPR).
  • Website: Google Fonts
  • Privacy Policy: Google Privacy Policy.
  • Third-Country Transfers: Data Privacy Framework (DPF).

Google Maps

  • Purpose: Display of maps and location data.
  • Service Provider: Google Cloud EMEA Limited, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland.
  • Legal Basis: Consent (Article 6 (1)(a) GDPR).
  • Website: Google Maps
  • Privacy Policy: Google Privacy Policy.
  • Third-Country Transfers: Data Privacy Framework (DPF).

reCAPTCHA

  • Purpose: Protection against spam and automated attacks.
  • Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
  • Legal Basis: Legitimate Interests (Article 6 (1)(f) GDPR).
  • Website: reCAPTCHA
  • Privacy Policy: Google Privacy Policy.
  • Third-Country Transfers: Data Privacy Framework (DPF).

X Plugins and Content

  • Purpose: Sharing content and interacting with the X platform.
  • Service Provider: Twitter International Company, One Cumberland Place, Dublin 2, Ireland.
  • Legal Basis: Legitimate Interests (Article 6 (1)(f) GDPR).
  • Website: X
  • Privacy Policy: X Privacy Policy.

YouTube Videos

  • Purpose: Embedding video content.
  • Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
  • Legal Basis: Consent (Article 6 (1)(a) GDPR).
  • Website: YouTube
  • Privacy Policy: Google Privacy Policy.
  • Third-Country Transfers: Data Privacy Framework (DPF).

Vimeo Video Player

  • Purpose: Embedding video content.
  • Service Provider: Vimeo Inc., 555 West 18th Street, New York, NY, USA.
  • Legal Basis: Legitimate Interests (Article 6 (1)(f) GDPR).
  • Website: Vimeo
  • Privacy Policy: Vimeo Privacy Policy.
  • Third-Country Transfers: Standard Contractual Clauses.

Google Hosted Libraries

  • Purpose: Optimization of website loading times via JavaScript libraries.
  • Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
  • Legal Basis: Legitimate Interests (Article 6 (1)(f) GDPR).
  • Website: Google Hosted Libraries
  • Privacy Policy: Google Privacy Policy.

Management, Organization, and Utilities

We use services, platforms, and software from third-party providers for organizing, administering, planning, and delivering our services. Personal data may be processed and stored on third-party providers’ servers in compliance with legal requirements.

Processed Data Types

  • Content Data: Messages, contributions, authorship details.
  • Usage Data: Page views, click paths, duration of visits, devices, and interactions.
  • Meta, Communication, and Process Data: IP addresses, timestamps, and identification numbers.
  • Contact Data: Email addresses, phone numbers, and postal addresses.
  • Contract Data: Contract details like duration and category.
  • Inventory Data: Names, addresses, and contact information.

Data Subjects

  • Communication partners (email, letters, etc.).
  • Users of online services.
  • Business and contractual partners.
  • Employees, including job applicants and temporary workers.

Purposes of Processing

  • Contractual services and obligations.
  • Office and organizational procedures.
  • Web analytics and creating user profiles.
  • Feedback collection.

Retention and Deletion

Data is deleted as outlined in the “General Information on Data Retention and Deletion” section.

Legal Basis

  • Legitimate Interests (Article 6 (1)(f) GDPR).

Third-Party Services Used

Bitly

  • Purpose: URL shortening and link management.
  • Service Provider: Bitly, Inc., New York, USA.
  • Legal Basis: Legitimate Interests (Article 6 (1)(f) GDPR).
  • Privacy Policy: Bitly Privacy Policy.
  • Third-Country Transfers: Data Privacy Framework (DPF).

Calendly

  • Purpose: Online scheduling and calendar management.
  • Service Provider: Calendly LLC, Atlanta, USA.
  • Legal Basis: Legitimate Interests (Article 6 (1)(f) GDPR).
  • Privacy Policy: Calendly Privacy Policy.
  • Third-Country Transfers: Standard Contractual Clauses.

DocuSign

  • Purpose: Electronic document signature and tracking.
  • Service Provider: DocuSign, Inc., San Francisco, USA.
  • Legal Basis: Legitimate Interests (Article 6 (1)(f) GDPR).
  • Privacy Policy: DocuSign Privacy Policy.
  • Third-Country Transfers: Standard Contractual Clauses and Binding Corporate Rules.

Doodle

  • Purpose: Online scheduling and calendar management.
  • Service Provider: Doodle AG, Zürich, Switzerland.
  • Legal Basis: Legitimate Interests (Article 6 (1)(f) GDPR).
  • Privacy Policy: Doodle Privacy Policy.
  • Third-Country Transfers: Adequacy decision (Switzerland).

Mentimeter

  • Purpose: Real-time feedback and presentations.
  • Service Provider: Mentimeter AB, Stockholm, Sweden.
  • Legal Basis: Legitimate Interests (Article 6 (1)(f) GDPR).
  • Privacy Policy: Mentimeter Privacy Policy.

Processing of Data in Employment Relationships

The processing of employee data ensures the effective management of employment relationships, supporting various operational and administrative functions.

Processed Data Types

  • Employee Data: Contact details, job history, and personal records.
  • Payment Data: Bank details, payment history.
  • Contract Data: Employment agreements.
  • Usage Data: System interactions, click paths, and operating systems.
  • Special Categories: Health data, religious beliefs, union membership.

Data Subjects

  • Employees, including job applicants and contractors.

Purposes of Processing

  • Establishment and execution of employment relationships.
  • Payroll management and wage accounting.
  • Workplace safety and performance evaluations.

Legal Basis

  • Performance of a Contract (Article 6 (1)(b) GDPR).
  • Compliance with Legal Obligations (Article 6 (1)(c) GDPR).
  • Legitimate Interests (Article 6 (1)(f) GDPR).
  • Special Categories (Article 9 (2)(h) GDPR).

Examples of Processing Activities

  • Time Recording: Tracking hours worked for payroll and compliance.
  • Authorization Management: Managing system access rights.
  • Payroll Accounting: Calculating and disbursing salaries.
  • Employee Evaluations: Conducting appraisals and development planning.

Retention and Deletion

Data is retained in compliance with legal obligations (e.g., tax and labor laws). Examples:

  • Personnel Records: Up to three years post-employment (§195 BGB).
  • Tax-Relevant Documents: Six years (§147 AO).
  • Payrolls: Ten years (§257 HGB).

Transmission of Employee Data

Data is shared only when legally required or with consent, e.g.:

  • Internal Departments: HR, payroll, and management.
  • External Recipients: Tax authorities, social security agencies, and banks.

General Information on Third-Country Transfers

Transfers to third countries (outside the EU/EEA) occur only when necessary for the employment relationship, legally required, or with consent. Legal safeguards like the Data Privacy Framework (DPF) or Standard Contractual Clauses ensure data protection compliance.

Job Application Process

We process applicant data to evaluate their suitability for open positions and for the selection process.

Required Applicant Data

Applicants must provide the following data, as specified in the job description or online forms:

  • Personal Information: Name, address, and contact details.
  • Proof of Qualifications: Relevant documents like CVs, cover letters, certificates, and other supporting materials.

Applicants can submit applications securely via:

  • Online Forms: Encrypted to the latest security standards.
  • Email: Though convenient, email transmission is not inherently secure. Emails are generally encrypted in transit but may lack encryption on the sender’s and receiver’s servers.

Processing Special Categories of Data

In some cases, applicants may share or be required to provide special categories of personal data (e.g., health data or ethnic origin). This data is processed under:

  • Article 9(2)(b) GDPR: Rights under employment law or social security.
  • Article 9(2)(c) GDPR: Protection of vital interests.
  • Article 9(2)(h) GDPR: Occupational medicine or employee capability assessment.

Data Retention and Deletion

  • Successful Applications: Data may be retained for employment purposes.
  • Unsuccessful Applications: Data will be deleted no later than six months after application closure, unless a justified revocation by the applicant occurs earlier.
  • Travel Expense Reimbursements: Stored in accordance with tax regulations.

Talent Pool Admission

If offered, applicants may consent to be included in a talent pool for future opportunities. Consent is voluntary, does not influence the current process, and can be revoked at any time.

Processed Data Types

  • Inventory Data: Names, addresses, contact information.
  • Contact Data: Email, phone, and postal addresses.
  • Content Data: Messages, CVs, and certificates.
  • Job Applicant Details: All application documents, including voluntary information about the applicant.

Data Subjects

  • Job Applicants: Individuals applying for roles.

Purposes of Processing

  • To manage the job application process, including employment relationship initiation and termination.

Retention and Deletion

  • As specified under “General Information on Data Retention and Deletion.”

Legal Basis

  • Pre-Contractual or Contractual Relationships: Article 6(1)(b) GDPR.
  • Legitimate Interests: Article 6(1)(f) GDPR.

Third-Party Services

LinkedIn Recruiter

  • Purpose: Job search and application-related services.
  • Service Provider: LinkedIn Ireland Unlimited Company, Dublin, Ireland.
  • Legal Basis: Legitimate Interests (Article 6(1)(f) GDPR).
  • Privacy Policy: LinkedIn Privacy Policy.
  • Data Processing Agreement: LinkedIn DPA.
  • Third-Country Transfers: Data Privacy Framework (DPF).

Privacy Information for Whistleblowers

Purpose of Whistleblower Data Processing

We provide secure and confidential channels for individuals (whistleblowers) to report potential misconduct by our employees, service providers, or organization. Data processing supports:

  • Investigation and resolution of reports.
  • Legal compliance with whistleblower protection laws.
  • Ethical and lawful conduct.

Legal Basis

Germany:

  • Article 6(1)(c) GDPR: Compliance with the Whistleblower Protection Act (HinSchG).
  • Article 9(2)(g) GDPR & §22 BDSG: Processing special categories of data.
  • Article 6(1)(f) GDPR: Legitimate interests in legal and ethical operations.
  • Article 6(1)(a) GDPR: Consent for specific purposes.

Austria:

  • Article 6(1)(c) GDPR: Compliance with the Austrian Whistleblower Protection Act (HSchG).
  • Article 9(2)(g) GDPR: Processing special categories of data.
  • Article 6(1)(f) GDPR: Legitimate interests in lawful and ethical operations.
  • Article 6(1)(a) GDPR: Consent for specific purposes.

Processed Data Types

Data Provided by Whistleblowers:

  • Name, contact details, and location.
  • Information about witnesses or individuals involved.
  • Details of alleged misconduct.
  • Any additional relevant details.

Data Processed During Investigations:

  • Unique identification of reports.
  • Contact details of involved individuals.
  • Data concerning individuals indirectly affected.
  • Additional relevant data.

Special Categories of Data:

  • Health-related information.
  • Racial or ethnic origin.
  • Religious or philosophical beliefs.
  • Sexual orientation.

Anonymity and Security Measures

  • Anonymous Submissions: Whistleblowers can report anonymously via our online forms.
  • Incognito Mode: Recommended for added security. Access incognito mode using:
    • Windows: Press Ctrl + Shift + N.
    • Mac: Press Command + Shift + N.
    • Mobile: Enable private browsing via the tab menu.
  • IP Address Logging: IP addresses are logged for technical and administrative purposes and deleted within 30 days.

Confidentiality and Disclosure

  • Confidential Treatment: Whistleblowers’ identities are kept confidential unless legally required to disclose (e.g., malicious intent, legal obligations).
  • Disclosure to Third Parties: Data may be shared with:
    • Authorities (e.g., regulatory or tax agencies).
    • Legal advisors for investigations or proceedings.
    • Service providers managing reporting tools (under strict data protection agreements).

Data Retention and Deletion

  • Personal data is retained only as necessary for processing or legal compliance.
  • Data is deleted when no longer needed, ensuring compliance with proportionality and necessity.

Technical and Organizational Measures

  • Access to whistleblower reports is restricted to authorized personnel.
  • All employees involved are trained and bound by confidentiality.
  • Technical and organizational safeguards ensure data integrity and confidentiality.

Rights of Whistleblowers

  • Consent Revocation: Consent for data processing can be revoked at any time with future effect.
  • Anonymity: Whistleblowers can choose to remain anonymous.
  • Information Access: Right to know how data is processed and request deletions.

Supervisory Authority

Austria:
Austrian Data Protection Authority
Wickenburggasse 8-10
1080 Vienna, Austria


Definitions and Terminology

  • Personal Data: Information identifying a person (e.g., name, IP address).
  • Processing: Any operation involving personal data (e.g., storage, analysis).
  • Usage Data: Data on interactions with digital services (e.g., click paths, device types).
  • Special Categories of Data: Sensitive data (e.g., health, ethnicity).
  • Web Analytics: Evaluating visitor interactions for optimization.

For further definitions, refer to the “Terminology and Definitions” section.