Transfer of personal data

As part of our processing of personal data, it may be transmitted to or disclosed to other bodies, companies, legally independent organizational units, or persons. The recipients of this data can include B. include service providers commissioned with IT tasks or providers of services and content that are integrated into a website. In such cases, we observe the legal requirements and conclude appropriate contracts or agreements with the recipients of your data that serve to protect your data.

International data transfers

Data processing in third countries: If we process data in a third country (i.e. outside the European Union (EU), the European Economic Area (EEA)) or the processing in the context of using third-party services or disclosing or transferring data to other persons, positions, or companies, this only takes place in accordance with the legal requirements. If the level of data protection in the third country has been recognized by means of an adequacy decision (Art. 45 GDPR), this serves as the basis for the data transfer. Furthermore, data transfers only take place if the level of data protection is otherwise secured, through standard contractual clauses (Art. 46 Para. 2 lit. c) GDPR), express consent or in the case of contractually or legally required transfer (Art. 49 Para. 1 GDPR). We will also inform you about the basics of third-country transfers for the individual providers from the third country, with the adequacy decisions taking precedence as the basic principles. Information on third country transfers and existing adequacy decisions can be found in the EU Commission’s information offering: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection_en?prefLang=de.

EU-US Trans-Atlantic Data Privacy Framework: As part of the so-called “Data Privacy Framework” (DPF), the EU Commission has also increased the level of data protection for certain companies from the USA as part of the adequacy decision of Recognized as safe on July 10, 2023. The list of certified companies and further information about the DPF can be found on the US Department of Commerce website at https://www.dataprivacyframework.gov/ (in English). As part of the data protection information, we will inform you which service providers we use are certified under the Data Privacy Framework.

Disclosure of personal data abroad: In accordance with the Swiss Data Protection Act, we only disclose personal data abroad if adequate protection of the persons concerned is guaranteed (Art. 16 Swiss Data Protection Act). If the Federal Council has not determined adequate protection (list: https://www.bj.admin.ch/bj/de/home/staat/datenschutz/internationales/anwissen-staats.html), we take alternative security measures. These may include international contracts, specific guarantees, data protection clauses in contracts, standard data protection clauses approved by the Federal Data Protection and Information Commissioner (FDPIC), or internal company data protection regulations previously recognized by the FDPIC or a competent data protection authority of another country.

According to Article 16 of the Swiss Data Protection Act, exceptions for the disclosure of data abroad can be permitted if certain conditions are met, including the consent of the data subject, execution of the contract, public interest, protection of life or physical integrity, data made public or data from a data subject register provided for by law. These announcements are always made in accordance with legal requirements.

General information on data storage and deletion

We delete personal data that we process in accordance with legal regulations as soon as the underlying consent is revoked or there are no further legal bases for the processing. This applies to cases in which the original purpose of processing no longer applies, or the data is no longer needed. Exceptions to this rule exist if legal obligations or special interests require longer storage or archiving of the data.

Data that must be stored for commercial or tax reasons or whose storage is necessary for legal prosecution or to protect the rights of other natural or legal persons must be archived accordingly.

Our data protection notice contains additional information on the retention and deletion of data that applies specifically to certain processing processes.

If there is multiple information about the retention period or deletion period for a date, the longest period always applies.

If a deadline does not explicitly begin on a specific date and is at least one year, it starts automatically at the end of the calendar year in which the event triggering the deadline occurred. In the case of ongoing contractual relationships in which data is stored, the event triggering the deadline is the time when the termination or other termination of the legal relationship comes into effect.

We process data that is no longer stored for the originally intended purpose but due to legal requirements or other reasons only for the reasons that justify its retention.

Further information on processing processes, procedures, and services:

• Retention and deletion of data: The following general deadlines apply for retention and archiving under German law:

o 10 years – retention period for books and records, annual financial statements, inventories, management reports, opening balance sheets as well as the work instructions and other organizational documents, accounting documents and invoices required for their understanding (Section 147 Paragraph 3 in conjunction with Paragraph 1 No. 1, 4 and 4a AO, Section 14b Paragraph 1 UStG, Section 257 Paragraph 1 No. 1 and 4, Paragraph 4 HGB).

o 6 years – Other business documents: commercial or business letters received, copies of the commercial or business letters sent, other documents insofar as they are important for taxation, e.g. B. hourly wage slips, company accounting sheets, calculation documents, price labels, but also payroll documents, provided they are not already accounting documents and cash register slips (§ 147 para. 3 in conjunction with para. 1 no. 2, 3, 5 AO, § 257 para. 1 No. 2 and 3, Paragraph 4 HGB).

o 3 years – Data necessary to address potential warranty and damages claims or similar contractual claims and rights, as well as to deal with related inquiries, based on previous business experience and common industry practices, will be retained for the duration of the regular statutory limitation period of three years stored (§§ 195, 199 BGB).

• Retention and deletion of data: The following general deadlines apply to retention and archiving under Swiss law:

o 10 years – retention period for books and records, annual financial statements, inventories, management reports, opening balance sheets, accounting documents and invoices as well as all necessary work instructions and other organizational documents (Article 958f of the Swiss Code of Obligations (OR)).

o 10 years – Data necessary to consider potential claims for damages or similar contractual claims and rights, as well as to process related inquiries, based on previous business experience and standard industry practices, will be stored for the period of the statutory limitation period of ten years, es unless a shorter period of five years is relevant, which is relevant in certain cases (Articles 127, 130 OR). At the end of five years, claims for rent, lease, and capital interest as well as other periodic services, from the delivery of food, for meals and for landlord debts, as well as from craft work, small sales of goods, medical supplies, professional work by lawyers, legal agents, procurators, expire and notaries and from the employment relationship of employees (Art. 128 OR).

 Rights of data subjects

Rights of the data subjects under the GDPR: As a data subject, you are entitled to various rights under the GDPR, which arise in particular from Articles 15 to 21 of the GDPR:

• Right to object: You have the right, for reasons arising from your particular situation to object at any time to the processing of personal data concerning you, which is carried out on the basis of Article 6 (1) (e) or (f) of the GDPR; This also applies to profiling based on these provisions. If your personal data is processed for the purpose of direct advertising, you have the right to object at any time to the processing of your personal data for the purpose of such advertising; This also applies to profiling insofar as it is connected to such direct advertising.
• Right to revoke consent: You have the right to revoke your consent at any time.
• Right to information: You have the right to request confirmation as to whether the data in question is being processed and to request information about this data as well as further information and a copy of the data in accordance with legal requirements.
• Right to rectification: In accordance with legal requirements, you have the right to request that the data concerning you be completed or that incorrect data concerning you be corrected.
• Right to deletion and restriction of processing: In accordance with the legal requirements, you have the right to demand that data concerning you be deleted immediately or, alternatively, to request a restriction of the processing of the data in accordance with the legal requirements.
• Right to data portability: You have the right to receive data concerning you that you have provided to us in a structured, common, and machine-readable format in accordance with legal requirements or to request that it be transmitted to another person responsible.
• Complaint to a supervisory authority: In accordance with the legal requirements and without prejudice to any other administrative or judicial remedy, you also have the right to lodge a complaint with a data protection supervisory authority, in particular a supervisory authority in the Member State in which you usually reside, the supervisory authority of your place of work or the place of alleged data protection violation, to lodge a complaint if you believe that the processing of your personal data violates the GDPR.

Rights of the data subjects according to the Swiss Data Protection Act:

As a data subject, you are entitled to the following rights in accordance with the provisions of the Swiss Data Protection Act:

• Right to information: You have the right to request confirmation as to whether personal data concerning you is being processed and to receive the information necessary to enable you to exercise your rights under this law and to ensure transparent data processing.
• Right to data release or transfer: You have the right to request that the personal data you have provided to us be released in a common electronic format.
• Right to rectification: You have the right to request that incorrect personal data concerning you be corrected.
• Right to objection, deletion, and destruction: You have the right to object to the processing of your data and to request that the personal data relating to you be deleted or destroyed.

Business Benefits

We process data from our contractual and business partners, e.g. B. Customers and interested parties (collectively referred to as “contractual partners”), within the framework of contractual and comparable legal relationships as well as associated measures and regarding communication with the contractual partners (or pre-contractual), for example to answer inquiries.

We use this data to fulfill our contractual obligations. This includes the obligations to provide the agreed services, any update obligations, and remedies in the event of warranty and other service disruptions. In addition, we use the data to protect our rights and for the purposes of the administrative tasks associated with these obligations and the company organization. In addition, we process the data based on our legitimate interests in proper and business management as well as security measures to protect our contractual partners and our business operations from misuse and jeopardy of their data, secrets, information, and rights (e.g. the involvement of telecommunications companies, transport, and other auxiliary services as well as subcontractors, banks, tax and legal advisors, payment service providers or tax authorities). Within the scope of applicable law, we only pass on the data of contractual partners to third parties to the extent that this is necessary for the aforementioned purposes or to fulfill legal obligations. The contractual partners will be informed about other forms of processing, such as for marketing purposes, as part of this data protection declaration.

We inform the contractual partners which data is required for the aforementioned purposes before or as part of data collection, e.g. B. in online forms, through special markings (e.g. colors) or symbols (e.g. asterisks, etc.), or in person.

We delete the data after the expiry of statutory warranty and comparable obligations, i.e. A. generally after four years, unless the data is stored in a customer account, e.g. B. if they must be kept for legal archiving reasons (e.g. for tax purposes, usually ten years).

We delete data that was disclosed to us by the contractual partner as part of an order in accordance with the specifications and generally after the end of the order.

• Types of data processed: inventory data (e.g. full name, home address, contact information, customer number, etc.); Payment data (e.g. bank details, invoices, payment history); Contact details (e.g. postal and email addresses or telephone numbers). Contract data (e.g. subject matter of the contract, term, customer category).
• Persons affected: service recipients and clients; Interested persons. Business and contractual partners.
• Purposes of processing: provision of contractual services and fulfillment of contractual obligations; Communication; office and organizational procedures; Organizational and administrative procedures. Business processes and business procedures.
• Legal basis: fulfillment of contract and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR); Legal obligation (Art. 6 para. 1 sentence 1 lit. c) GDPR). Legitimate interests (Art. 6 Para. 1 Sentence 1 Letter f) GDPR).

 Further information on processing processes, procedures, and services:

• Coaching: We process the data of our clients as well as interested parties and other clients or contractual partners (collectively referred to as “clients”) to be able to provide our services to them. The procedures that are part of the scope and purposes of

Coaching include: contact and communication with clients, needs analysis to determine suitable coaching measures, planning and implementation of coaching sessions, documentation of coaching progress, recording and administration client-specific information and data, scheduling and organization, provision of coaching materials and resources, billing and payment management, follow-up and follow-up of coaching sessions, quality assurance and feedback processes.

The data processed, the type, scope, purpose, and necessity of their processing are determined by the underlying contractual and client relationship.

If it is necessary for the fulfillment of our contract, to protect vital interests or by law, or if the client has given their consent, we disclose or transmit the client’s data to third parties or agents, such as: B. Authorities, billing offices and in the areas of IT, office or comparable services; Legal basis: fulfillment of contract and pre-contractual inquiries (Art. 6 Para. 1 Sentence 1 Letter b) GDPR).

Business processes and procedures

Personal data of service recipients and clients – including customers, clients or, in special cases, clients, patients or business partners as well as other third parties – are processed within the framework of contractual and comparable legal relationships and pre-contractual measures such as the initiation of business relationships. This data processing supports and facilitates business processes in areas such as customer management, sales, payment transactions, accounting, and project management.

The data collected is used to fulfill contractual obligations and to design operational processes efficiently. This includes processing business transactions, managing customer relationships, optimizing sales strategies, and ensuring internal billing and financial processes. In addition, the data supports the protection of the rights of the person responsible and promotes administrative tasks and the organization of the company.

Personal data may be passed on to third parties if this is necessary to fulfill the stated purposes or legal obligations. After statutory retention periods have expired or if the purpose of processing no longer applies, the data will be deleted. This also includes data that must be stored for a longer period due to tax and legal documentation requirements.

• Types of data processed: inventory data (e.g. full name, home address, contact information, customer number, etc.); Payment data (e.g. bank details, invoices, payment history); Contact information (e.g. postal and email addresses or telephone numbers); Content data (e.g. textual or visual messages and posts as well as the information relating to them, such as information on authorship or time of creation); Contract data (e.g. subject matter of the contract, term, customer category); Protocol data (e.g. log files regarding logins or the retrieval of data or access times.); Usage data (e.g. page views and length of stay, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); Creditworthiness data (e.g. credit score obtained, estimated probability of default, risk classification based on this, historical payment behavior). Meta, communication and procedural data (e.g. IP addresses, times, identification numbers, people involved).
• Persons affected: service recipients and clients; Interested persons; communication partner; business and contractual partners; Third person; Users (e.g. website visitors, users of online services). Employees (e.g. employees, applicants, temporary workers and other employees).
• Purposes of processing: provision of contractual services and fulfillment of contractual obligations; office and organizational procedures; business processes and business procedures; Communication; Marketing; sales promotion; Public relation; Assessment of creditworthiness and creditworthiness. Financial and payment management.
• Legal basis: fulfillment of contract and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR); Legitimate interests (Art. 6 Para. 1 Sentence 1 Letter f) GDPR). Legal obligation (Art. 6 para. 1 sentence 1 lit. c) GDPR).

Further information on processing processes, procedures, and services:

• Contact management and contact maintenance: procedures required in the context of organizing, maintaining and securing contact information (e.g. establishing and maintaining a central contact database, regularly updating contact information, monitoring data integrity, implementing data protection measures, ensuring access controls, Conducting backups and restores of contact data, training employees in the effective use of contact management software, regularly reviewing communication history and adjusting contact strategies); Legal basis: Contract fulfillment and pre-contractual inquiries (Art. 6 Para. 1 S. 1 lit. b) GDPR), legitimate interests (Art. 6 Para. 1 S. 1 lit. f) GDPR).
• General payment transactions: procedures required for carrying out payment transactions, monitoring bank accounts and controlling payment flows (e.g. creating and checking transfers, processing direct debits, checking account statements, monitoring incoming and outgoing payments, Chargeback management, account reconciliation, cash management); Legal basis: Contract fulfillment and pre-contractual inquiries (Art. 6 Para. 1 S. 1 lit. b) GDPR), legitimate interests (Art. 6 Para. 1 S. 1 lit. f) GDPR).
• Accounting, accounts payable, accounts receivable: procedures that are necessary for recording, processing, and controlling business transactions in the area of accounts payable and accounts receivable (e.g. issuing and checking incoming and outgoing invoices, monitoring and managing open items, carrying out payment transactions, handling dunning, account reconciliation in the context of receivables and payables, accounts payable and accounts receivable accounting); Legal basis: Contract fulfillment and pre-contractual inquiries (Art. 6 Para. 1 S. 1 lit. b) GDPR), Legal obligation (Art. 6 Para. 1 S. 1 lit. c) GDPR), Legitimate interests (Art. 6 Para. 1 p. 1 lit. f) GDPR).
• Financial accounting and taxes: Procedures that are necessary for the recording, management and control of financially relevant business transactions as well as for the calculation, reporting and payment of taxes (e.g. account assignment and posting of business transactions, preparation of quarterly and annual financial statements, execution of the payment transactions, processing of dunning, account reconciliation, tax advice, preparation and submission of tax returns, processing of taxes); Legal basis: Contract fulfillment and pre-contractual inquiries (Art. 6 Para. 1 S. 1 lit. b) GDPR), Legal obligation (Art. 6 Para. 1 S. 1 lit. c) GDPR), Legitimate interests (Art. 6 Para. 1 p. 1 lit. f) GDPR).
• Marketing, advertising and promotion: procedures required in the context of marketing, advertising and promotion (e.g. market analysis and target group identification, development of marketing strategies, planning and implementation of advertising campaigns, design and production of advertising materials, online marketing including SEO and social media campaigns, event marketing and trade fair participation, customer loyalty programs, sales promotion measures, performance measurement and optimization of marketing activities, budget management and cost control); Legal basis: Legitimate interests (Art. 6 Para. 1 S. 1 lit. f) GDPR).
• Public relations: procedures required as part of public relations work (e.g. development and implementation of communication strategies, planning and implementation of PR campaigns, creation and distribution of press releases, maintenance of media contacts, monitoring and analysis of media response, Organization of press conferences and public events, crisis communication, creation of content for social media and company websites, management of corporate branding); Legal basis: Legitimate interests (Art. 6 Para. 1 S. 1 lit. f) GDPR).

Provision of the online offering and web hosting

We process users’ data to be able to provide them with our online services. For this purpose, we process the user’s IP address, which is necessary to transmit the content and functions of our online services to the user’s browser or device.

• Types of data processed: Usage data (e.g. page views and time spent, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); Meta, communication, and procedural data (e.g. IP addresses, times, identification numbers, people involved); Protocol data (e.g. log files regarding logins or the retrieval of data or access times). Content data (e.g. textual or visual messages and posts as well as the information relating to them, such as information on authorship or time of creation).
• Data subjects: Users (e.g. website visitors, users of online services).
• Purposes of processing: Provision of our online offering and user-friendliness; Information technology infrastructure (operation and provision of information systems and technical devices (computers, servers, etc.).). Safety measures.
• Legal basis: Legitimate interests (Art. 6 Para. 1 Sentence 1 Letter f) GDPR).

Further information on processing processes, procedures, and services:

• Provision of online offerings on rented storage space: To provide our online offerings, we use storage space, computing capacity, and software that we rent or otherwise obtain from a corresponding server provider (also called a “web host”); Legal basis: Legitimate interests (Art. 6 Para. 1 S. 1 lit. f) GDPR).
• Collection of access data and log files: Access to our online offering is logged in the form of so-called “server log files”. The server log files include the address and name of the websites and files accessed, date and time of access, amount of data transferred, notification of successful retrieval, browser type and version, the user’s operating system, referrer URL (the previously visited page) and, as a rule, IP addresses and the requesting provider. The server log files can be used for security purposes, e.g. B. to avoid overloading the servers (especially in the case of abusive attacks, so-called DDoS attacks), and on the other hand to ensure the utilization of the servers and their stability; Legal basis: Legitimate interests (Art. 6 Para. 1 S. 1 lit. f) GDPR). Deletion of data: Log file information is stored for a maximum of 30 days and then deleted or anonymized. Data whose further storage is necessary for evidentiary purposes is excluded from deletion until the respective incident has been finally clarified.
• Email sending and hosting: The web hosting services we use also include sending, receiving, and storing emails. For these purposes, the addresses of the recipients and senders as well as other information regarding the sending of emails (e.g. the providers involved) and the content of the respective emails are processed. The data may also be processed for SPAM detection purposes. We ask you to note that emails on the Internet are generally not sent encrypted. As a rule, emails are encrypted during transport, but (unless a so-called end-to-end encryption method is used) not on the servers from which they are sent and received. We can therefore assume no responsibility for the transmission path of emails between the sender and receipt on our server; Legal basis: Legitimate interests (Art. 6 Para. 1 S. 1 lit. f) GDPR).
• ALL-INCL: Services in the field of providing information technology infrastructure and related services (e.g. storage space and/or computing capacities); Service provider: ALL-INKL.COM – Neue Medien Münnich, owner: René Münnich, Hauptstraße 68, 02742 Friedersdorf, Germany; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://all-inkl.com/; Data protection declaration: https://all-inkl.com/datenschutzinformation/; Data processing agreement: Provided by the service provider. Basis for third country transfers: Switzerland – adequacy decision (Germany).

Use of cookies

Cookies are small text files or other storage notes that store and read information from end devices. For example, to save the log-in status in a user account, the contents of a shopping cart in an e-shop, the content accessed, or the functions used in an online offer. Cookies can also be used for various purposes, such as the functionality, security and convenience of online offerings and the creation of analyzes of visitor flows.

Information on consent: We use cookies in accordance with legal regulations. We therefore obtain prior consent from users unless it is not required by law. In particular, permission is not necessary if the storage and reading of the information, including cookies, is necessary to provide users with a telemedia service they have expressly requested (i.e. our online offering). The revocable consent will be clearly communicated to you and contains information on the respective cookie use.

Notes on data protection legal bases: The data protection basis on which we process users’ personal data using cookies depends on whether we ask them for consent. If users accept, the legal basis for the use of their data is their declared consent. Otherwise, the data used using cookies will be processed based on our legitimate interests (e.g. in the commercial operation of our online offering and improving its usability) or, if this is within the scope of fulfilling our contractual obligations, if the use of cookies is necessary is to fulfill our contractual obligations. We will explain the purposes for which we use cookies during this data protection declaration or as part of our consent and processing processes.

Storage period: Regarding the storage period, a distinction is made between the following types of cookies:

• Temporary cookies (also: session or session cookies): Temporary cookies are deleted at the latest after a user has left an online offer and closed their device (e.g. browser or mobile application).
• Permanent cookies: Permanent cookies remain stored even after the device is closed.

For example, the log-in status can be saved and preferred content can be displayed directly when the user visits a website again. The user data collected using cookies can also be used to measure reach. Unless we provide users with explicit information about the type and storage period of cookies (e.g. when obtaining consent), they should assume that they are permanent, and that the storage period can be up to two years.

General information on revocation and objection (opt-out): Users can revoke the consent they have given at any time and can also declare an objection to the processing in accordance with the legal requirements, including using the privacy settings of their browser.

• Types of data processed: meta, communication and procedural data (e.g. IP addresses, times, identification numbers, people involved).
• Data subjects: Users (e.g. website visitors, users of online services).
• Legal basis: Legitimate interests (Art. 6 Para. 1 Sentence 1 Letter f) GDPR).

Communication via messenger

We use messengers for communication purposes and therefore ask that you please note the following information on the functionality of messengers, encryption, the use of communication metadata and your options for objection.

You can also contact us via alternative means, e.g. B. via telephone or email. Please use the contact options provided to you or the contact options provided within our online offering.

In the case of end-to-end encryption of content (i.e., the content of your message and attachments), we point out that the communication content (i.e., the content of the message and attached images) is encrypted from end to end. This means that the content of the messages cannot be viewed, not even by the messenger providers themselves. You should always use a current version of the messenger with encryption activated to ensure that the message content is encrypted.

However, we also point out to our communication partners that although the messenger providers cannot view the content, they can find out that and when communication partners communicate with us as well as technical information about the device used by the communication partner and, depending on the settings of their device, location information (so-called metadata) are processed.

Notes on legal bases: If we ask communication partners for permission before communicating with them via Messenger, the legal basis for our processing of their data is their consent. Furthermore, if we do not ask for your consent and you do so, for example. For example, if you contact us on your own initiative, we use Messenger in relation to our contractual partners and as part of the contract initiation as a contractual measure and in the case of other interested parties and communication partners based on our legitimate interests in fast and efficient communication and fulfillment of our needs Communication partner for communication via messenger. We would also like to point out that we will not transmit the contact details provided to us to Messenger for the first time without your consent.

Revocation, objection, and deletion: You can revoke your consent at any time and object to communication with us via Messenger at any time. In the case of communication via Messenger, we delete the messages in accordance with our general deletion guidelines (i.e., as described above, after the end of contractual relationships, in the context of archiving requirements, etc.) and otherwise, as soon as we can assume that any information from the communication partner will be answered if no reference to a previous conversation is to be expected and the deletion does not conflict with any legal retention requirements.

Reservation of reference to other communication channels: To ensure your security, we ask for your understanding that for certain reasons we may not be able to answer inquiries via Messenger. This applies to situations in which contract details must be treated particularly confidentially or in which an answer via messenger does not meet the formal requirements. In these cases, we recommend that you use more suitable communication channels.

• Types of data processed: contact details (e.g. postal and email addresses or telephone numbers); Content data (e.g. textual or visual messages and posts as well as the information relating to them, such as information on authorship or time of creation); Usage data (e.g. page views and length of stay, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions). Meta, communication, and procedural data (e.g. IP addresses, times, identification numbers, people involved).
• Affected people: communication partners.
• Purposes of processing: communication. Direct marketing (e.g. via email or post).
• Legal basis: consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); Fulfillment of the contract and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR). Legitimate interests (Art. 6 Para. 1 Sentence 1 Letter f) GDPR). 

Further information on processing processes, procedures, and services:

• Instagram: sending messages via the social network Instagram; Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.instagram.com; Data protection declaration: https://instagram.com/about/legal/privacy. Basis for third country transfers: Switzerland – adequacy decision (Ireland).
• Facebook Messenger: Facebook Messenger with end-to-end encryption (Facebook Messenger’s end-to-end encryption requires activation unless it is activated by default); Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.facebook.com; Data protection declaration: https://www.facebook.com/about/privacy; Order processing contract: https://www.facebook.com/legal/terms/dataprocessing. Basis for third country transfers: EU/EEA – Data Privacy Framework (DPF), Switzerland – Adequacy Decision (Ireland).
• WhatsApp: WhatsApp Messenger with end-to-end encryption; Service provider: WhatsApp Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.whatsapp.com/; Data protection declaration: https://www.whatsapp.com/legal. Basis for third country transfers: EU/EEA – Data Privacy Framework (DPF), Switzerland – Adequacy Decision (Ireland).

Video conferences, online meetings, webinars, and screen sharing

We use platforms and applications from other providers (hereinafter referred to as “conference platforms”) for the purpose of conducting video and audio conferences, webinars and other types of video and audio meetings (hereinafter collectively referred to as “conference”). When selecting conference platforms and their services, we observe the legal requirements.

Data processed by conference platforms: As part of participation in a conference, the conference platforms process the following personal data of participants. The scope of processing depends on the one hand, on what data is required as part of a specific conference (e.g. providing access data or real names) and what optional information is provided by the participants. In addition to processing to carry out the conference, the participants’ data can also be processed by the conference platforms for security purposes or service optimization. The data processed includes personal data (first name, last name), contact information (email address, telephone number), access data (access codes or passwords), profile pictures, information about professional status/function, the IP address of the Internet access, information about the participants’ end devices, their operating system, the browser and its technical and linguistic settings, information about the content of communication processes, d. H. Entries in chats as well as audio and video data, as well as the use of other available functions (e.g. surveys). The content of communications is encrypted to the extent technically provided by the conference provider. If the participants are registered as users on the conference platforms, then further data can be processed in accordance with the agreement with the respective conference provider.

Logging and recordings: If text entries, participation results (e.g. from surveys) as well as video or audio recordings are logged, this will be transparently communicated to the participants in advance, and they will be asked – if necessary – for consent.

Participants’ data protection measures: Please note the details of the processing of your data by the conference platforms in their data protection information and select the security and data protection settings that are optimal for you within the framework of the conference platforms’ settings. Please also ensure data and privacy protection in the background of your recording for the duration of a video conference (e.g. by informing roommates, locking doors, and using, where technically possible, the function to obscure the background). Links to the conference rooms and access data may not be passed on to unauthorized third parties.

Notes on legal bases: If, in addition to the conference platforms, we also process users’ data and ask the users for their consent to the use of the conference platforms or certain functions (e.g. consent to a recording of conferences), the legal basis for the processing is this consent. Furthermore, our processing may be necessary to fulfill our contractual obligations (e.g. in participant lists, in the case of processing the results of discussions, etc.). Furthermore, user data is processed based on our legitimate interests in efficient and secure communication with our communication partners.

• Types of data processed: inventory data (e.g. full name, home address, contact information, customer number, etc.); Contact information (e.g. postal and email addresses or telephone numbers); Content data (e.g. textual or visual messages and posts as well as the information relating to them, such as information on authorship or time of creation); Usage data (e.g. page views and length of stay, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); Image and/or video recordings (e.g. photographs or video recordings of a person); Sound recordings. Protocol data (e.g. log files regarding logins or the retrieval of data or access times).
• Affected people: communication partners; Users (e.g. website visitors, users of online services). People depicted.
• Purposes of processing: provision of contractual services and fulfillment of contractual obligations; Communication. Office and organizational procedures.
• Legal basis: Legitimate interests (Art. 6 Para. 1 Sentence 1 Letter f) GDPR).

Further information on processing processes, procedures, and services:

• Microsoft Teams: conferencing and communication software; Service Provider: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.microsoft.com/de-de/microsoft-365; Data protection declaration: https://privacy.microsoft.com/de-de/privacystatement, security information: https://www.microsoft.com/de-de/trustcenter. Basis for third country transfers: EU/EEA – Data Privacy Framework (DPF), Switzerland – Adequacy Decision (Ireland).
• Zoom: conferencing and communication software; Service provider: Zoom Video Communications, Inc., 55 Almaden Blvd., Suite 600, San Jose, CA 95113, USA; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://zoom.us; Data protection declaration: https://explore.zoom.us/docs/de-de/privacy-and-legal.html; Order processing agreement: https://zoom.us/docs/de-de/privacy-and-legal.html (referred to as Global DPA). Basis for third country transfers: EU/EEA – Data Privacy Framework (DPF), Switzerland – Standard Contractual Clauses (https://zoom.us/docs/de-de/privacy-and-legal.html (referred to as Global DPA)).

Cloud services

We use software services accessible via the Internet and running on their providers’ servers (so-called “cloud services”, also referred to as “software as a service”) for the storage and management of content (e.g. document storage and management, exchange of documents, content and information with specific recipients or publication of content and information).

Within this framework, personal data can be processed and stored on the providers’ servers, if they are part of communication processes with us or are otherwise processed by us as set out in this data protection declaration. This data may include user master data and contact details, data on processes, contracts, other processes and their content. The cloud service providers also process usage data and metadata, which they use for security purposes and service optimization.

If we use the cloud services to provide forms or other documents and content to other users or publicly accessible websites, the providers may set cookies on the users’ devices for the purposes of web analysis or to remember the user’s settings (e.g. in the case of Media control) to remember and save.

• Types of data processed: inventory data (e.g. full name, home address, contact information, customer number, etc.); Contact information (e.g. postal and email addresses or telephone numbers); Content data (e.g. textual or visual messages and posts as well as the information relating to them, such as information on authorship or time of creation). Usage data (e.g. page views and length of stay, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions).
• Affected persons: interested parties; Communication partner. Business and contractual partners.
• Purposes of processing: office and organizational procedures. Information technology infrastructure (operation and provision of information systems and technical devices (computers, servers, etc.).).
• Legal basis: Legitimate interests (Art. 6 Para. 1 Sentence 1 Letter f) GDPR).

Further information on processing processes, procedures, and services:

• Apple iCloud: cloud storage service; Service provider: Apple Inc., Infinite Loop, Cupertino, CA 95014, USA; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.apple.com/de/. Data protection declaration: https://www.apple.com/legal/privacy/de-ww/.
• Google Cloud Storage: cloud storage, cloud infrastructure services and cloud-based application software; Service provider: Google Cloud EMEA Limited, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://cloud.google.com/; Privacy Policy: https://policies.google.com/privacy; Order processing agreement: https://cloud.google.com/terms/data-processing-addendum; Basis for third country transfers: EU/EEA – Data Privacy Framework (DPF), Switzerland – Adequacy Decision (Ireland). Further information: https://cloud.google.com/privacy.

Advertising communication via email, post, fax, or telephone