DatenschutzEN - coaching.kirinus.de

Data Privacy Statement

We’re glad that you’re interested in KIRINUS Coaching and that you’ve come to our homepage. Here we’ll be informing you of what personal data we’ll be collecting while you visit our website, and what it will be used for.

Responsible authority and contact
Within the framework of the Data Protection Act and particularly the EU General Data Protection Regulation (GDPR), the responsible party for your data is:

KIRINUS Coaching GmbH
Nymphenburgerstraße 148
80634 München
Represented by Managing Director Ludwig Klitzsch.

If you have questions regarding data protection, please write us an e-mail or directly contact the party responsible for our organisation’s data protection:

IITR Datenschutz GmbH
Marienplatz 2
80331 München
datenschutz@kirinus.de

Purpose of Data Processing through the Responsible and Third Parties
We will process your personal data only for the purposes outlined in this data privacy statement. The purpose of this processing is to ensure the availability of our services, the corresponding functions and content, response to contact requests and user communications, as well as implementing security measures and user reach measurements/marketing.

Your personal data will not be transmitted to third parties for purposes other than the ones outlined above. We only transmit your personal data to third parties if the processing is necessary for completing a contract or fulfilling a legal obligation, if you’ve given your explicit consent, or if the processing is necessary for conserving justified interests and there is furthermore no reason to assume that you have an overwhelming interest worth protecting in not having your data passed on.

In order to carry out our business model and recognise user wishes, we analyse the available data of business processes, contracts, inquiries, etc. We process inventory data, communications data, contract data, and metadata on the basis of Art. 6 Section 1 lit. f) GDPR.

The analyses are carried out for marketing purposes. We also use the analyses in order to increase user-friendliness and optimise our offers and operational efficiency. These analyses are for our purposes alone and will not be publicly shared, provided that they don’t consist of anonymous analyses with summarised values.

As long as these analyses or profiles are personalised, they will be deleted when the contract conditions with the user have concluded. Furthermore, the overall operational analyses and the general trend determinations will be generated anonymously, as far as it’s possible. “Affected” are those who visit and use our website.

Processed data can include:

  • Inventory data (such as names and addresses)
  • Contact data (such as e-mails, telephone numbers)
  • Content data (such as text entries, photographs, videos)
  • Usage data (such as visited websites, interest in specific content, access times)
  • Meta/communications data (such as equipment information, IP addresses)

Access Data

Due to our authorised interests (cf. Art. 6 Section 1 lit. f) GDPR) we collect data about access to our website and save them as “Server-Logfiles” on our website’s server. The following data is logged in this manner:

  • The visited website
  • The time of access
  • The quantity of sent data in bytes
  • The source/redirection from which you accessed the site
  • The browser used
  • The operating system used
  • The IP address used

The Server-Logfiles are saved for a maximum of 7 days and then deleted. The data is saved for security purposes, such as clarifying instances of misuse. If data has to be retained for evidential purposes, they are exempt from deletion until the incident has been fully resolved.

Transmission in Third Countries

Processing data in a third country — meaning beyond the European Union (EU) or the European Economic Area (EEA) — only occurs when it’s relevant for completing our contracted and precontractual duties, when you’ve consented, due to a legal obligation, or on the basis of our authorised interests. Processing occurs for example on the basis of certain guarantees, such as the officially recognised assessment of a data protection level in accordance with the EU (in the USA, for example, this would be the “EU-US Privacy Shield,” also known as the so-called “data protection shield” www.privacyshield.gov) or through the observance of officially recognised special contractual obligations (so-called “standard contract clauses”). The following service providers assist us with our offers and have headquarters in the USA or in other third countries (this is not a conclusive list; further indications can be found in the corresponding places in these data protection notices):

  • Google
  • Mailchimp
  • Facebook
  • NinjaForms

Business-related Processing

Other processes include contract data (such as contractual objects, duration, customer categories) from our users for the purpose of providing contractual services, customer service, marketing, advertising, and market research.

Healthcare related services

When we process healthcare-related data, it occurs in accordance with Art. 6 Section 1 lit. b) GDPR, in order to be able to provide you with our contractual or precontractual services. The data processed for this purpose, as well as the nature, scope, purpose, and necessity of their processing, are determined by the underlying contractual relationship. Among the processed data are fundamental inventory and master data of patients (such as name and surname) as well as contact data (such as e-mail addresses and telephone numbers).

Within the context of our contact form, our users are able to freely enter information regarding their health status. This occurs voluntarily as far as entering information that’s health-related is concerned. By sending off the form, the user consents to a further processing through KIRINUS Coaching. The legal basis for this is Art. 6 Section 1 lit. a., Art. 7, Art. 9 Section 2 lit. a. GDPR. The processing occurs exclusively for health care purposes on the basis of Art. 9 Section 2 lit. h. GDPR, § 22 Section 1 Nr. 1 b. GDPR.

As far as it’s relevant for contractual performance or for legal reasons, we publish or transmit the data of patients within the framework of communicating with medical specialists, to third parties relevant to fulfilling our contractual obligations or otherwise typically involved—such as therapists, clearing offices or similar service providers, insofar as this is required for performing our services according to Art. 6, Section 1 lit. b) GDPR, or insofar as it serves our interests or those of our patients who have authorised interest in efficient healthcare according to Art. 6, Section 1. lit. f) GDPR, or is required according to Art. 6 Section 1 lit. d) GDPR in order to protect the vital interests of patients or other natural persons, or within the context of consent according to Art. 6 Section 1 lit. a), Art. 7 GDPR.

Data is erased once the data is no longer necessary for fulfilling contractual or legal duties of care, as well as for the use of possible guaranteed or similar duties, or when the relevant party demands erasure. The necessity of the data’s storage is reevaluated every three years; all legal retention duties continue to hold.

Therapeutic services and coaching

We process our users’ data according to Art. 6 Section 1 lit. b) GDPR, in order to provide our contractual or precontractual services. The hereby processed data, the nature, scope, purposes, and necessity of their processing are determined by the underlying contractual relationship. The data being processed fundamentally consists of users’ master data (such as names, addresses, etc), as well as contact data (such as e-mail addresses, telephone numbers, etc), contract data (the services that were used, fees, etc) and payment data (such as banking connections).

Within the context of our online services, we do not ask for any other health-specific data from users.

We publish or transmit data within the context of communicating with specialists or to third parties relevant to fulfilling our contractual obligations, such as clearing offices, insofar as it’s necessary for our contractual obligations or for legal reasons. This only occurs as long as it’s relevant to the provision of our contractual services according to Art. 6 Section 1 lit. b) GDPR, legally prescribed according to Art. 6 Section 1 lit. c) GDPR, relevant to our interests or the authorised interests of subjects of an efficient and affordable healthcare (cf. Art. 6 Section 1 lit. f) GDPR), or it’s permitted within the framework of an authorisation according to Art. 6 Section 1 lit. a) in conjunction with Art. 7 GDPR.

Data is erased once the data is no longer necessary for fulfilling contractual or legal duties of care, as well as for the use of possible guaranteed or similar duties. The necessity of the data’s storage is reevaluated every three years; all legal retention duties continue to hold.

Rendering of contractual services

We process inventory data (such as names and addresses as well as users’ contact data), contract data (such as services used, the names of contacts, payment information, etc) for the purpose of fulfilling our contractual obligations and service renderings according to Art. 6 Section 1 lit. b) GDPR. The entries on the online forms marked as obligatory are necessary for the conclusion of the contract. Otherwise, they’ll be marked as voluntary entries.

Within the framework of the use of our online services, we save IP addresses and the time period of the respective user action. Storage takes place on the basis of our authorised interests and on those of users for the purposes of protecting against misuse and other unauthorised usages. A transfer of this data to third parties fundamentally doesn’t occur unless it’s necessary for pursuing our demands or there is a legal obligation according to Art. 6 Section 1 lit. c) GDPR.

We process usage data (such as the visited websites of our online catalogue, interest in our products) and content data (such as information entered into contact forms or in user profiles) for advertising purposes in a user profile, in order to show users product notices concurrent with their previously utilised services.

The data is erased once legal guarantees and similar duties have been completed, and the necessity of the data’s storage is reevaluated every three years; in the case of legal archiving obligations, erasure occurs after completion. Data in possible customer accounts remain until they’re deleted.

Data protection notices in application procedures

We process applicant data only for the purpose and within the framework of the application procedure in accordance with legal specifications. The processing of applicant data serves to fulfil our (pre-)contractual obligations within the framework of the application procedure according to Art. 6 Section 1 lit. b) and lit. f) GDPR, as long as the data processing is necessary for us within contexts such as legal procedures (in Germany § 26 BDSG also holds). The application procedure assumes that applicants share applicant data with us. The necessary applicant data fundamentally consists of personal data, contact addresses, and material necessary for the application, such as cover letters, CVs, and report cards. Applicants can also voluntarily add information. By sending the application to us, applicants agree to have their data processed for the purpose of the application procedure in accordance with the nature and scope established in this data privacy statement. Apart from being able to apply online at KIRINUS Coaching, applicants can also send their application via e-mail. In this case, we reiterate that e-mails fundamentally aren’t encrypted and that applicants will be solely responsible for encryption. We can, therefore, assume no responsibility for the path of transference of the application between the sender and the reception on our server, and therefore suggest using the online form or sending materials by post. There is also the option to send applications by post. The data made available by applicants can, in the case of a successful application, be used by us for the purpose of employment relationships. If the application is not successful, then the applicant’s data will be deleted after six (6) months, subject to an applicant’s entitled revocation. The data of the applicant will also be deleted if an application is withdrawn.

Newsletter

By subscribing to our newsletter you’re agreeing to receive it and to the described process. We send out newsletters, e-mails, and other electronic notifications with promotional information (subsequently known as “newsletter”) only with the consent of the receiver or with legal permission. Signing up to our newsletter occurs in a so-called double-opt-in process. After signing up you’ll receive an e-mail in which you’re asked to confirm your signup. This confirmation is necessary so that no one can sign up with an unknown e-mail address. The signups to the newsletter are logged in order to be able to confirm the sign-up process with legal demands. This includes saving signup and confirmation dates and IP addresses. Any changes made to data saved by the dispatch service providers will also be logged. In order to sign up for the newsletter, it’s sufficient to provide an e-mail address. Optionally, you can also add a name that will be used for your personal greeting on the newsletter. The sending of the newsletter and the measuring of success metrics associated with it will occur on the basis of the recipient’s consent according to Art. 6 Section 1 lit. a), Art. 7 GDPR in compliance with § 7 Section 2 Nr. 3 Unfair Competition Act or on the basis of legal permission according to § 7 Section 3 Unfair Competition Act.

The logging of the sign-up process occurs on the basis of our authorised interest according to Art. 6 Section 1 lit. f) GDPR. Our interest is guided by implementing a user-friendly and safe newsletter system that serves our business interests and also conforms with user expectations and allows us to prove consent. You can cancel the newsletter anytime, meaning you can withdraw your consent. A link to cancelling the newsletter can be found at the bottom of every newsletter. We can save the registered e-mail addresses up to three years on the basis of our authorised interest before we delete them, in order to prove a previously granted consent. The processing of this data will be limited to the purpose of a possible defence against claims. An individual request for cancellation is possible anytime as long as there is evidence of previous consent.

The newsletter is sent out via the distribution service “MailChimp,” a newsletter distribution platform of the US company Rocket Science Group, LLC, 675 Ponce De Leon Ave NE #5000, Atlanta, GA 30308, USA. The data protection regulations of the distribution service can be read here: https://mailchimp.com/legal/privacy/. The Rocket Science Group LLC d/b/a MailChimp is certified under the privacy-shield agreement and therefore offers a guarantee to uphold European data protection standards (https://www.privacyshield.gov/participant?id=a2zt0000000TO6hAAG&status=Active). The distribution service will be implemented on the basis of our authorised interests according to Art. 6 Section 1 lit. f) GDPR and an order management contract according to Art. 28 Section 3 S. 1 GDPR. MailChimp can use the data of recipients in pseudonymous form, meaning without assigning it to a specific user, in order to optimise or improve its own services, such as the technical optimisation of its distribution or the newsletter style or for statistical purposes. However, the distribution service does not use the data of our newsletter recipients in order to unilaterally contact them or pass on their data to third parties. The performance measurement of our newsletter occurs through a so-called “web-beacon,” meaning a pixel-sized file that is retrieved from its server after the newsletter is opened. Within the context of this retrieval, technical information, such as information about the browser and your system, is first collected, as is your IP address and the time of retrieval. This information is used in order to technically improve the service through technical data or through the target groups and their reading habits via their retrieval locations (which can be determined through IP addresses) or via retrieval times. Part of the statistical survey also is determining whether newsletters have been opened, when they’ve been opened, and what links have been clicked. This information can be assigned to individual newsletter recipients due to technical reasons, but it’s not our aim to watch individual users. The evaluation serves the purpose of giving us insight into our users’ reading habits and helping us tailor our content to them or send out different content depending on user interest.

Hosting

The hosting services used by us serve to perform the following: infrastructure and platform services, computing capacities, storage space and databank services, security services, and technical maintenance services that we utilise for the purpose of managing our online offers. Under our assignment, our hosting company All-Inkl.com (ALL-INKL.COM – Neue Medien Münnich, Hauptstraße 68, 02742 Friedersdorf) processes all inventory data, contact data, content data, contract data, usage data, meta- and communications data from users and visitors of our online offers on the basis of our authorised interests in an efficient and secure availability of this online offering according to Art. 6 Section 1 lit. f GDPR in compliance with Art. 28 GDPR. A corresponding data processing agreement has been concluded with All-Inkl.

Our frontend (which is what you see as a user) is created via WordPress (a brand of Automattic Inc. from the USA, which is also located in the EU, Aut O’Mattic A8C Ireland Ltd. Business Centre, No.1 Lower Mayor Street International Financial Services Centre Dublin 1, Ireland). Automattic Inc. is also responsible for some parts of data processing through Aut O’Mattic Ltd. Aut O’Mattic does not receive any of your user data. Automattic’s data privacy statement can be found here: https://automattic.com/privacy/

Session storage

In order to make our web presence as user-friendly as possible, we use so-called session storages for our online offers. These are Application Program Interfaces (APIs) whose characteristics allow us to save data on their servers during the duration of your visit on our homepage in order to analyse your user behaviour. It will recognise which page within our online presence you’re coming from, so that we can see what you’re interested in. After your session has ended this data is deleted. Session storage is necessary for running our homepage. The legal foundation for this is Art. 6 Section 1 lit. b) GDPR.

Cookies

Within the context of our website, we use cookies from third parties. “Cookies” are defined as small files that are saved on the computers of our users. Within cookies, different tasks can be saved. A cookie’s primary task is to save a user’s information (such as the device on which the cookie was saved) during or after a visit within the online offers. Temporary cookies such as “session cookies” or “transient cookies” are defined as cookies that are deleted after a user has left the online offers and closed the browser. Such a cookie will save information such as the content of a basket in an online shop or a login status. “Permanent” or “persistent” cookies are cookies that are saved even after the closing of a browser. A login status can, for example, be saved if the users return to it after various days. These cookies can also contain the interests of users, which are used for audience reach measurements or marketing purposes. “Third-party-cookies” are cookies that are offered by providers other than the responsible party managing the online offers (otherwise, when it’s just their cookies, they’re referred to as “First-party cookies”).

Cookiebot

In order to make the use of cookies on our site as transparent and comprehensible as possible, we use the tool from Cookiebot (Cybot A/S Havnegade 39, 1058 Copenhagen, Denmark). Cookiebot turns on a cookie banner on our site, on which users can see what cookies are used at KIRINUS Coaching and can make a preselection. We also explain which cookies need to be used in order to present our online offer to you (rubric “necessary/notwendig”). You can also give your consent to the use of cookies by clicking OK. By removing the checkmark on the displayed box you’re removing your consent and the corresponding cookies won’t be used. Please be aware that this choice can affect your online experience of KIRINUS Coaching. The legal foundation for the usage is the protection of our authorised interests according to Art. 6 Section 1 lit. f) GDPR.

Google Tag Manager

Google Tag Manager is a solution with which we can manage so-called website tags via an interface (and then incorporate Google Analytics and other Google marketing tools in our online offers). The tag manager itself (which implements the tags) doesn’t process personal user data. In terms of the processing of personal user data, the following notices regarding Google services are to be observed. User guidelines: https://www.google.com/intl/de/tagmanager/use-policy.html.

Google Analytics

We use Google Analytics, a web analysis service of Google LLC (“Google”), on the basis of our authorised interests (meaning interest in analysis, optimisation, and the economic management of our online offer in accordance with Art. 6 Section 1 lit. f. GDPR). Google uses cookies. The information generated by cookies regarding the use of the online offers is usually transferred to a Google server in the USA and saved there. Google is certified under the privacy shield agreement and therefore guarantees to uphold European data privacy laws (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active). Google will use this information on our behalf in order to evaluate the usage of our online offers by our users, in order to compile reports about the activities within our online offers, and in order to create further services associated with the usage of our online offers and Internet usage. We only use Google Analytics with an activated IP-anonymisation. This means that users’ IP addresses are shortened by Google within the member states of the European Union or in other contracted states in the agreement regarding the European Economic Area. The IP addresses transmitted by a user’s browser will not be collected with other data by Google. Users can prevent the saving of cookies through a corresponding feature in their browser software. Furthermore, users can prevent their cookie-generated and usage-specific data from being collected and disseminated by Google by clicking the following link and downloading and installing this browser plugin: http://tools.google.com/dlpage/gaoptout?hl=de. Further information on Google’s data usage as well as installation and refusal options can be found in Google’s data protection statement (https://policies.google.com/technologies/ads) as well as in the settings for the display of integrated advertisement through Google (https://adssettings.google.com/authenticated).
We use Google Analytics in order to only show advertisements from Google’s advertisement services and its partners to users who have shown interest in our online offers or who present certain characteristics (such as an interest in specific topics or products that are determined via visited websites).

Jitsi

This website uses Jitsi, which is an innovative open-source live-chat video conferencing software of the jitsi.org community. Jitsi uses “cookies,” text data that’s saved on your computer and allows you to have a conversation in the form of a live chat on the website. The collected data will not be used to personally identify website visitors and personal data will not be connected to the pseudonym carrier. The chat saves an identification key in the storage of your browser (window.localStorage). This is necessary so that you can access your past communication protocol at a later time, even after closing your browser. If you delete your browser cache, you will delete all saved settings corresponding to your chosen pseudonym, as well as the connection to the saved chat timeline. We cannot draw any conclusions about your identity based on the saved data. Your prior consent is needed in order to use the blogs/chats, which means you consent to these conditions.

Facebook-Pixel

Within our online offers we use the so-called “Facebook Pixel” of the social network Facebook with your explicit consent (Facebook Inc., 1 Hacker Way, Menlo Park, CA 94025, USA, or if you’re in the EU, Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland). Facebook is certified under the privacy shield agreement and therefore guarantees to uphold European data privacy laws (https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active).

Facebook Pixel allows Facebook to determine the users of our online offers as a target group for the display of advertisements (so-called “Facebook Ads”). We use Facebook Pixel in order to show the Facebook Ads activated by us to only those Facebook users who have shown interest in our online offers or exhibit certain characteristics (such as an interest in specific topics or products that are determined by the visited websites) that we’ve transmitted to Facebook (so-called “Custom Audiences”). With Facebook Pixel, we want to ensure that our Facebook ads correspond to a user’s potential interests and aren’t bothersome. This also lets us determine the effectiveness of Facebook ads for statistical and market research purposes by determining whether users are redirected to our website after clicking on a Facebook ad (so-called “conversion”). We also use Facebook Pixel in order to release ads on Instagram. The processing of data through Facebook occurs within the context of Facebook’s data usage guideline. General information on the display of Facebook ads can be found in Facebook’s data usage guideline: https://www.facebook.com/policy.php. Special information and details on Facebook Pixel and its functions can be found in Facebook’s Help page: https://www.facebook.com/business/help/651294705016616. You can object to Facebook Pixel’s collection and use of your data for displaying Facebook ads. In order to determine what kind of ads you should be shown on Facebook, you can call up the Facebook site and follow the instructions for installing user-based ads: https://www.facebook.com/settings?tab=ads. The installation is not platform-dependent, which means it’ll carry over to all devices, such as desktop computers or mobile devices.
You can object to the use of cookies, which serve for audience reach measurement and advertising purposes, through the deactivation site of the network promotional initiative (http://optout.networkadvertising.org/) and also through the American website (http://www.aboutads.info/choices) or the European website (http://www.youronlinechoices.com/uk/your-ad-choices/).

Due to the decision made by the European Court of Justice on 05.06.2018 (C 210/16), we inform all visitors of our Facebook fanpage that their personal data in accordance with GDPR is processed through Facebook here. As a site manager, we cannot currently deactivate this function. KIRINUS Coaching is aware of its mutual responsibility with Facebook. We hope to soon achieve a quick solution through Facebook.

Social Media

We maintain an online presence through social networks and platforms in order to communicate with our users and interested persons. Calling up a certain network or platform enforces the terms and conditions and the data processing guidelines of that particular operator. As long as it’s not otherwise stated within our data protection statement, we process the data of our users as long as they’re communicating with us within social networks and platforms through actions such as commenting on our online presence or sending us messages.

Incorporating the services and content of third parties

Within our online offers we utilise the content or services of third parties on the basis of our authorised interests (meaning interest in analysis, optimisation and the economic management of our online offers in accord with Art. 6 Section 1 lit. f) GDPR), in order to incorporate their content and services such as videos or font types (henceforth referred to as “content”). This always presupposes that the third-party providers of this content take note of the users’ IP addresses, since they cannot send content to their browser without their IP addresses. Therefore IP addresses are necessary for the display of content. We try to only display the kind of content in which third parties use IP addresses for the sole purpose of delivering content. Third parties can also use so-called Pixel Tags for statistical or marketing purposes. “Pixel-Tags” help sort through information such as visitor traffic on certain pages of a website. The pseudonymous information can also be saved in the cookies on a user’s device, and can include technical information about browsers, operating systems, referring websites, visiting times, and information regarding the use of our online offers, and can be connected with information from other sources.

Google Maps

We incorporate the maps of the service “Google Maps” (Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA). The processed data usually includes IP addresses and location data of users, which however cannot be collected without their consent (often obtained through the settings on their mobile devices). This data can be processed in the USA. Further information from Google regarding data protection can be found here: https://www.google.com/policies/privacy/, opt-out: https://adssettings.google.com/authenticated.

The use of social plugins from Facebook, Twitter, Google+, Instagram, and co. under the use of the Shariff-Solution

On our website we use social plugins (“plugins”) from social networks. In order to increase the safety of your data while visiting our website, plugins are not fully embedded but merely incorporated into the site through the use of an HTML link (a so-called “Shariff Solution” from c’t). “Shariff” was developed in order to ensure more privacy on the net and to replace the usual “share” buttons used by social networks. This incorporation ensures that no automatic connection is made with the servers of the providers of corresponding social networks whenever you call up one of our sites that has such plugins. If you click on one of the buttons, a new window in your browser will open and call up the site of the corresponding service provider, where you can then utilise the like or share button (sometimes after having put in your login data). The purpose and scope of this data collection and the further processing and use of data through providers on their sites as well as your rights and setting options on this subject and for the protection of your privacy can be found in the data protection notices of the providers:

Rights of affected individuals


If you have any questions or comments, you can always turn to our data protection representative under:
KIRINUS Coaching Privacy Policy.

You continue to have the right to demand a confirmation regarding whether specific data has been processed and to receive information regarding this data as well as other information and a copy of said data, in accordance to Art. 15 GDPR.

According to Art. 16 GDPR you have the right to demand the completion of data relevant to you or the correction of incorrect data relevant to you. According to Art. 17 GDPR, you have the right to demand that affected data be immediately deleted or alternatively, in accordance with Art. 18 GDPR you can demand a restriction of the processing of the data.

You have the right to demand that data relevant to you, which you have made available according to the guidelines of Art. 20 GDPR, be kept and that its transmission to other parties be promoted. You also have the right, according to Art. 77 GDPR, to submit a complaint with a supervisory authority of your choice.

Right of revocation: You have the right to revoke given consent according to Art. 7 Section 3 GDPR with future effect.

Right of objection: You can object at any time to the future processing of your personal data according to Art. 21 GDPR. The objection can particularly be raised against processing for the purpose of direct advertising.

Deleting data

We follow the guidelines of data avoidance and data minimisation. We therefore only save your personal data for as long as it’s necessary to achieve the purposes outlined here, or for as long as the various storage periods determined by lawmakers allow for. After the completion of the corresponding purpose or the completion of the time limit, the corresponding data will routinely and according to legal guidelines be blocked or deleted.

Standard legal bases

According to Art. 13 GDPR, we are publicising the legal basis of our data processing. Insofar as the legal bases aren’t determined in the data protection statement, the following applies: the legal basis for obtaining consent is Art. 6 Section 1 lit. a) and Art. 7 GDPR, the legal basis for processing in order to perform our services and carry out contractual measures as well as answer queries is Art. 6 Section 1 lit. b) GDPR, the legal basis for processing in order to carry out our legal obligations is Art. 6 Section 1 lit. c) GDPR, and the legal basis for processing in order to protect our authorised interests is Art. 6 Section 1 lit. f) GDPR. In the case that vital interests of affected individuals or of other persons make the processing of personal data necessary, Art. 6 Section 1 lit. d) GDPR provides the legal basis.

Security measures

We take adequate technical and organisational measures according to the guidelines of Art. 32 GDPR, taking into account the state of the art, implementation costs, and the nature, scope, circumstances, and purpose of data processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons, in order to guarantee a level of security adequate to the risk.

The measures include securing confidentiality, integrity, and access to data through the control of the physical access to data, as well as any sort of related access, entry, transmission, securing of availability and severance of it. Furthermore, we’ve also established a process which guarantees the observance of individuals’ rights, the deletion of data, and the reaction to data risks. We also already consider the protection of personal data during the development or selection of hardware and software, as well as in processes, in accordance with the principle of data protection by design and through data protection-friendly default settings (Art. 25 GDPR).

Cooperation with external processors and third parties

When the data processed by us is made available, transmitted, or otherwise made accessible to other persons and businesses (external processors or third parties), this solely occurs on the basis of legal permission (for example when data is transmitted to a third party such as a payment provider, according to Art. 6 Section 1 lit. b) GDPR, in order to fulfil a contractual obligation), if we’ve obtained your consent, if a legal obligation determines this, or if it’s part of the foundation of our authorised interests (such as the use of representatives, webhosters, etc.). Insofar as we’ve commissioned third parties with processing data on the basis of a so-called “order management process contract,” this occurs on the basis of Art. 28 GDPR.

Utilised terminology

“Personal data” is all information that refers to an identified or identifiable natural person (now known as “affected person”); a natural person is considered identifiable if they can either directly or indirectly be identified via allocation of an identifier such as a name, an identifying number, a location, or an online identifier (such as a cookie), or if they can be identified by one or various special characteristics that are an expression of that natural person’s physical, physiological, genetic, psychological, economic, cultural, or social identity.

“Processing” refers to every process, either assisted or unassisted by automated procedures, or to a series of processes in connection with personal data. The term can be widely applied and refers to basically every use of data.

“Pseudonymising” is the processing of personal data in a way that the personal data can’t be assigned to a specific person without additional information, insofar as this additional information has been stored separately and technical and organisational measures have been taken in order to ensure that the personal data cannot be assigned to an identified or identifiable natural person.

“Profiling” refers to any kind of automated distribution of personal data, which consists of ensuring that this personal data is used in order to evaluate personal aspects that relate to a natural person, especially when it comes to analysing or predicting aspects regarding work performance, economic situation, health, personal preferences, interests, reliability, behaviour, place of residence or moving destination of this natural person.

A “responsible party” refers to a natural person or legal entity, authority, institution, or other position which decides over the purpose and methods of processing personal data, either alone or together with others.

A “processor” is a natural person or legal entity, authority, institution, or other position who processes personal data on behalf of the responsible party.