Privacy statement

Preamble

With the following privacy policy, we would like to explain to you what types of your personal data (hereinafter also referred to as “data” for short) we process for what purposes and to what extent. The privacy policy applies to all processing of personal data carried out by us, both in the context of providing our services and in particular on our websites, in mobile applications and within external online presences, such as our social media profiles (hereinafter collectively referred to as “online offer”).


The terms used are not gender-specific.


Status: October 7, 2024


Table of contents

  • Preamble
  • Person responsible
  • Contact data protection officer
  • Overview of processing
  • Relevant legal bases
  • Transfer of personal data
  • International data transfers
  • Rights of data subjects
  • Provision of online services and web hosting
  • Use of cookies
  • Contact and request management
  • Web analysis, monitoring and optimization
  • Application process
  • Data protection information for whistleblowers
  • Presences on social networks (social media)

Person responsible

Hahn Bau GmbH & Co. KG
Hommelstraße 2
55743 Idar-Oberstein

Email address: kontakt@hahn-bau-gruppe.de

Contact data protection officer

We have appointed an external data protection officer for our company:
Our data protection officer Mr. Blazy, LL.M. (GDPC GbR) can be reached by telephone at +49 (0) 561 830 99 165, by post at the above address with the addition — data protection officer — and by e-mail at datenschutz@bauteam-hahn.de.

Relevant legal bases

Relevant legal bases under the GDPR: The following is an overview of the legal bases of the GDPR, on the basis of which we process personal data. Please note that, in addition to the provisions of the GDPR, national data protection requirements may apply in your or our country of residence or place of residence. Should more specific legal bases also apply in individual cases, we will inform you of these in the privacy policy.

  • Consent (Article 6 (1) (a) GDPR) - The data subject has given consent to the processing of personal data concerning him or her for a specific purpose or several specific purposes.
  • Contract performance and pre-contractual inquiries (Art. 6 (1) (b) GDPR) - Processing is necessary for the performance of a contract to which the data subject is a party or to carry out pre-contractual measures taken at the request of the data subject.
  • Legitimate interests (Art. 6 (1) (f) GDPR) - processing is necessary to protect the legitimate interests of the controller or of a third party, provided that the interests, fundamental rights and freedoms of the data subject, which require the protection of personal data, do not prevail.
  • Application process as a pre-contractual or contractual relationship (Art. 6 (1) (b) GDPR) - If, as part of the application process, special categories of personal data within the meaning of Article 9 (1) GDPR (e.g. health data, such as status of severely disabled persons or ethnic origin) are requested from applicants so that the person responsible or the data subject can exercise the rights conferred on him or her under employment law and social security and social protection law and fulfill his or her obligations in this regard, they are processed in accordance with Article 9 (2) lit. b. GDPR, in the case of the protection of vital interests of applicants or other persons in accordance with Art. 9 para. 2 lit. c. GDPR, or for health care or occupational medicine purposes, for the assessment of the employee's ability to work, for medical diagnostics, care or treatment in the health or social sector or for the administration of systems and services in the health or social sector in accordance with Art. 9 para. 2 lit. h. GDPR. In the case of communication of special categories of data based on voluntary consent, their processing is carried out on the basis of Article 9 (2) lit. a. GDPR.

National data protection regulations in Germany: In addition to the data protection regulations of the GDPR, national regulations on data protection apply in Germany. This includes in particular the Act on Protection against Misuse of Personal Data in Data Processing (Federal Data Protection Act — BDSG). In particular, the BDSG contains special rules on the right to information, the right to deletion, the right of objection, the processing of special categories of personal data, processing for other purposes and transmission and automated decision-making in individual cases, including profiling. In addition, state data protection laws of the individual federal states may apply.

Note on the validity of the GDPR and Swiss DSG: This data protection notice is intended both to provide information in accordance with the Swiss DSG and the General Data Protection Regulation (GDPR). For this reason, please note that the terms of the GDPR are used due to the wider geographical application and comprehensibility. In particular, instead of the terms “processing” of “personal data”, “overriding interest” and “particularly sensitive personal data” used in the Swiss DSG, the terms “processing” of “personal data” as well as “legitimate interest” and “special categories of data” are used. However, within the scope of the Swiss DSG, the legal meaning of the terms continues to be determined in accordance with the Swiss DSG.

Transfer of personal data

As part of our processing of personal data, it may be transferred to or disclosed to other bodies, companies, legally independent organizational units or persons. Recipients of this data may include, for example, service providers tasked with IT tasks or providers of services and content that are integrated into a website. In such cases, we comply with legal requirements and, in particular, conclude appropriate contracts or agreements with the recipients of your data that serve to protect your data.

Data transfer within the group of companies: We may transfer personal data to other companies within our group of companies or grant them access to it. This transfer of data is based on our legitimate entrepreneurial and business interests. This includes, for example, improving business processes, ensuring efficient and effective internal communication, making optimal use of our human and technological resources, and the ability to make well-founded business decisions. In certain cases, the transfer of data may also be necessary to fulfill our contract-related obligations, or it may be based on the consent of the person concerned or legal permission.

International data transfers

Data processing in third countries: If we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or if processing takes place as part of the use of third-party services or the disclosure or transfer of data to other persons, bodies or companies, this is only done in accordance with legal requirements. If the level of data protection in the third country has been recognized by means of an adequacy decision (Art. 45 GDPR), this serves as the basis for data transfer. Otherwise, data transfers only take place if the level of data protection is otherwise ensured, in particular by standard contractual clauses (Art. 46 para. 2 lit. c) GDPR), express consent or in the case of a contractually or legally required transfer (Art. 49 para. 1 GDPR). We also state the basis for third-country transfers for each individual provider from a third country, with adequacy decisions taking priority as the basis. Information on transfers to third countries and existing adequacy decisions can be found in the information offered by the EU Commission: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection_en?prefLang=de. As part of the so-called “Data Privacy Framework” (DPF), the EU Commission has also recognized the level of data protection as secure for certain companies from the USA as part of the adequacy decision of 10.07.2023. The list of certified companies and further information about the DPF can be found on the website of the US Department of Commerce at https://www.dataprivacyframework.gov/ (in English). As part of the data protection policy, we will inform you which of the service providers we use are certified under the Data Privacy Framework.

Rights of data subjects

Rights of data subjects under the GDPR: As a data subject, you are entitled to various rights under the GDPR, which arise in particular from Articles 15 to 21 GDPR:

  • Right of objection: For reasons arising from your particular situation, you have the right to object at any time to the processing of personal data concerning you, which is carried out on the basis of Article 6 (1) (e) or (f) GDPR; this also applies to profiling based on these provisions. If the personal data concerning you is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for the purpose of such marketing; this also applies to profiling, insofar as it is associated with such direct marketing.
  • Right of withdrawal in case of consent: You have the right to withdraw your consent at any time.
  • Right to information: You have the right to request confirmation as to whether the relevant data is being processed and to request information about this data as well as further information and a copy of the data in accordance with legal requirements.
  • Right to rectification: In accordance with legal requirements, you have the right to request the completion of the data concerning you or the correction of incorrect data concerning you.
  • Right to deletion and restriction of processing: In accordance with legal requirements, you have the right to request that data concerning you be deleted immediately or, alternatively, to request that the processing of the data be restricted in accordance with legal requirements.
  • Right to data portability: You have the right to receive data concerning you that you have provided to us in a structured, common and machine-readable format in accordance with legal requirements or to request that it be transmitted to another person responsible.
  • Complaint to supervisory authority: In accordance with legal requirements and without prejudice to any other administrative or judicial remedy, you also have the right to lodge a complaint with a data protection supervisory authority, in particular a supervisory authority in the Member State in which you habitually reside, the supervisory authority of your place of work or the place of the alleged infringement, if you believe that the processing of personal data relating to you is contrary to the GDPR.

Provision of online services and web hosting

We process user data in order to be able to provide them with our online services. For this purpose, we process the user's IP address, which is necessary to transfer the content and functions of our online services to the user's browser or device.

  • Types of data processed: Usage data (e.g. page views and length of stay, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); meta, communication and process data (e.g. IP addresses, time information, identification numbers, involved persons); log data (e.g. log files relating to logins or retrieval of data or access times). Content data (such as textual or pictorial messages and contributions and information relating to them, such as information on authorship or when they were created).
  • Affected persons: users (e.g. website visitors, users of online services). Business and contract partners.
  • Purposes of processing: Provision of our online offering and user-friendliness; information technology infrastructure (operation and provision of information systems and technical devices (computers, servers, etc.)); security measures; content delivery network (CDN). Office and organizational procedures.
  • Retention and deletion: Deletion in accordance with the “General Information on Data Storage and Deletion” section.
  • Legal bases: Legitimate interests (Art. 6 (1) (f) GDPR).

Further information on processing processes, procedures and services:

  • Provision of online services on rented storage space: To provide our online service, we use storage space, computing capacity and software, which we rent or otherwise obtain from an appropriate server provider (also known as a “web host”); Legal bases: Legitimate interests (Art. 6 (1) (f) GDPR).
  • Collection of access data and log files: Access to our online offering is logged in the form of so-called “server log files”. The server log files may include the address and name of the retrieved websites and files, date and time of retrieval, amount of data transferred, notification of successful retrieval, browser type and version, the user's operating system, referrer URL (the previously visited page) and, as a rule, IP addresses and the requesting provider. The server log files can be used, on the one hand, for security purposes, e.g. to avoid overloading the servers (especially in the case of abusive attacks, so-called DDoS attacks), and on the other hand to ensure the workload of the servers and their stability; Legal bases: Legitimate interests (Art. 6 (1) (f) GDPR). Deletion of data: Log file information is stored for a maximum of 30 days and then deleted or anonymized. Data whose further storage is necessary for evidentiary purposes is excluded from deletion until the respective incident has been finally clarified.
  • Webflow: creating, managing and hosting websites, online forms and other web elements; Service provider: Webflow, Inc., 398 11th St., Floor 2, 94103 San Francisco, United States; Legal bases: legitimate interests (Art. 6 (1) (f) GDPR); Site: https://webflow.com; Privacy statement: https://webflow.com/legal/eu-privacy-policy; Order processing contract: https://webflow.com/legal/dpa. Basis for transfers to third countries: Data Privacy Framework (DPF).
  • Cloudflare: content delivery network (CDN) - service that allows content from an online offering, in particular large media files, such as graphics or program scripts, to be delivered faster and more securely using regionally distributed servers connected via the Internet; Service provider: Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, United States; Legal bases: legitimate interests (Art. 6 (1) (f) GDPR); Site: https://www.cloudflare.com; Privacy statement: https://www.cloudflare.com/privacypolicy/; Order processing contract: https://www.cloudflare.com/cloudflare-customer-dpa/. Basis for transfers to third countries: Data Privacy Framework (DPF).
  • Amazon CloudFront: content delivery network (CDN) - service that allows content from an online offering, in particular large media files, such as graphics or program scripts, to be delivered faster and more securely using regionally distributed servers connected via the Internet; Service provider: Amazon Web Services EMEA SARL, 38 avenue John F. Kennedy, L-1855, Luxembourg; Legal bases: legitimate interests (Art. 6 (1) (f) GDPR); Site: https://aws.amazon.com/de/cloudfront/; Privacy statement: https://aws.amazon.com/privacy/; Order processing contract: https://aws.amazon.com/de/compliance/gdpr-center/. Basis for transfers to third countries: Standard Contractual Clauses (provided by service provider).
  • jsDelivr: Content Delivery Network (CDN), which helps deliver media and files quickly and efficiently, especially under heavy load; Service provider: Prospectone, Królewska 65A/1, 30-081, Krakow, Poland; Legal bases: legitimate interests (Art. 6 (1) (f) GDPR); Site: https://www.jsdelivr.com. Privacy statement: https://www.jsdelivr.com/terms/privacy-policy.

Use of cookies

The term “cookies” is understood to mean functions that store information on user devices and read from them. Cookies can also be used to address various concerns, such as the functionality, security and convenience of online offerings and to analyse visitor flows. We use cookies in accordance with legal requirements. If necessary, we obtain the consent of the users in advance. If consent is not required, we rely on our legitimate interests. This applies when the storage and reading of information is essential in order to be able to provide expressly requested content and functions. This includes, for example, saving settings and ensuring the functionality and security of our online offering. The consent can be withdrawn at any time. We provide clear information about their scope and which cookies are used.

Information on legal bases of data protection law: Whether we process personal data using cookies depends on consent. If consent has been given, it serves as a legal basis. Without consent, we rely on our legitimate interests, which are explained above in this section and in the context of the relevant services and procedures.

Storage period: With regard to storage time, the following types of cookies are differentiated:

  • Temporary cookies (also: session cookies): Temporary cookies are deleted at the latest after a user has left an online offer and closed their device (e.g. browser or mobile application).
  • Persistent cookies: Persistent cookies remain stored even after the end device is closed. For example, the login status can be saved and preferred content displayed directly when the user visits a website again. User data collected using cookies can also be used to measure reach. Unless we provide users with explicit information about the type and storage period of cookies (e.g. when obtaining consent), they should assume that the cookies are persistent and that the storage period can be up to two years.

General information on withdrawal and objection (opt-out): Users can withdraw their consent at any time and also declare an objection to processing in accordance with legal requirements, including using the privacy settings of their browser. To do this, you can access the cookie banner on any subpage via the fingerprint icon at the bottom of your screen.

  • Types of data processed: Meta, communication and process data (e.g. IP addresses, time information, identification numbers, persons involved).
  • Affected persons: users (e.g. website visitors, users of online services).
  • Legal bases: Legitimate interests (Art. 6 (1) (f) GDPR). Consent (Art. 6 (1) (a) GDPR).

Further information on processing processes, procedures and services:

  • Processing of cookie data based on consent: We use a consent management solution that obtains users' consent to the use of cookies or to the procedures and providers mentioned as part of the consent management solution. This procedure is used to obtain, log, manage and withdraw consent, in particular with regard to the use of cookies and comparable technologies, which are used to store, read and process information on users' devices. As part of this procedure, users' consent is obtained for the use of cookies and the associated processing of information, including the specific processing and providers mentioned in the consent management process. Users also have the option to manage and withdraw their consent. The declarations of consent are stored in order to avoid a new request and to be able to provide proof of consent in accordance with legal requirements. The data is stored on the server side and/or in a cookie (so-called opt-in cookie) or using comparable technologies in order to be able to assign consent to a specific user or their device. If there is no specific information about the providers of consent management services, the following general information applies: The period of storage of consent is up to two years. This creates a pseudonymous user identifier, which is stored together with the time of consent, information on the scope of consent (e.g. relevant categories of cookies and/or service providers) and information about the browser, the system and the device used; Legal bases: Consent (Art. 6 (1) (a) GDPR).
  • Usercentrics: consent management: procedures for obtaining, logging, managing and withdrawing consent, in particular for the use of cookies and similar technologies to store, read and process information on users' terminal devices; Service provider: Usercentrics GmbH, Sendlinger Strasse 7, 80331 Munich, Germany; Site: https://usercentrics.com/de/. Privacy statement: https://usercentrics.com/de/datenschutzerklaerung/.

Contact and request management

When contacting us (e.g. by post, contact form, e-mail, telephone or via social media) and within the framework of existing user and business relationships, the information provided by the inquiring persons is processed insofar as this is necessary to answer the contact requests and any requested measures.

  • Types of data processed: Inventory data (e.g. full name, home address, contact information, customer number, etc.); contact data (e.g. postal and e-mail addresses or telephone numbers); content data (e.g. textual or visual messages and contributions and information relating to them, such as information on authorship or time of creation); usage data (e.g. page views and length of stay, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and features). Meta, communication and process data (e.g. IP addresses, time information, identification numbers, persons involved).
  • Affected persons: communication partners.
  • Purposes of processing: Communication; organizational and administrative procedures; feedback (e.g. collecting feedback via online form). Provision of our online offering and user-friendliness.
  • Retention and deletion: Deletion in accordance with the “General Information on Data Storage and Deletion” section.
  • Legal bases: Legitimate interests (Art. 6 (1) (f) GDPR). Contract performance and pre-contractual inquiries (Art. 6 (1) (b) GDPR).

Further information on processing processes, procedures and services:

  • Contact form: When you contact us via our contact form, by e-mail or other means of communication, we process the personal data provided to us to answer and process the respective request. This usually includes information such as name, contact information and, if applicable, other information that is provided to us and is necessary for appropriate processing. We use this data exclusively for the stated purpose of contacting and communicating; Legal bases: Contract performance and pre-contractual inquiries (Art. 6 para. 1 p. 1 lit. b) GDPR), legitimate interests (Art. 6 para. 1 p. 1 lit. f) GDPR).

Web analysis, monitoring and optimization

Web analysis (also known as “reach measurement”) is used to evaluate the flow of visitors to our online offering and may include behavior, interests or demographic information about visitors, such as age or gender, as pseudonymous values. With the help of reach analysis, we can, for example, identify at what time our online offering or its functions or content are used most frequently or invite repeat use. It is also possible for us to understand which areas require optimization.

In addition to web analysis, we can also use test methods, for example to test and optimize different versions of our online offering or its components.

Unless otherwise stated below, profiles, i.e. data summarized for a usage process, can be created for these purposes, and information can be stored in a browser or on a terminal device and then read out. The information collected includes in particular websites visited and elements used there as well as technical information, such as the browser used, the computer system used and information on usage times. If users have agreed to the collection of their location data with us or with the providers of the services we use, it is also possible to process location data.

In addition, the IP addresses of users are stored. However, we use an IP masking process (i.e. pseudonymization by shortening the IP address) to protect users. In general, as part of web analysis, A/B testing and optimization, no plain-text user data (such as email addresses or names) is stored, only pseudonyms. This means that neither we nor the providers of the software used know the actual identity of the users, but only the information stored in their profiles for the purpose of the respective processes.

Information on legal bases: If we ask users for their consent to use third-party providers, the legal basis for data processing is consent. Otherwise, user data is processed on the basis of our legitimate interests (i.e. interest in efficient, economic and recipient-friendly services). In this context, we would also like to draw your attention to the information on the use of cookies in this privacy policy.

  • Types of data processed: Usage data (such as page views and time spent, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and features). Meta, communication and process data (e.g. IP addresses, time information, identification numbers, persons involved).
  • Affected persons: users (e.g. website visitors, users of online services).
  • Purposes of processing: Reach measurement (e.g. access statistics, recognition of returning visitors); profiles with user-related information (creation of user profiles). Provision of our online offering and user-friendliness.
  • Retention and deletion: Deletion in accordance with the “General Information on Data Storage and Deletion” section. Storage of cookies of up to 2 years (Unless otherwise stated, cookies and similar storage methods can be stored on users' devices for a period of two years).
  • Security measures: IP masking (pseudonymization of the IP address).
  • Legal bases: Consent (Art. 6 (1) (a) GDPR). Legitimate interests (Art. 6 (1) (f) GDPR).

Further information on processing processes, procedures and services:

  • Google Analytics: We use Google Analytics to measure and analyze the use of our online offering based on a pseudonymous user identification number. This identification number does not contain any unique data, such as names or email addresses. It is used to assign analysis information to a device in order to identify which content users have accessed during one or more usage processes, which search terms they have used, which content they have accessed again or how they have interacted with our online offering. The time of use and its duration are also stored, as well as the sources of users who refer to our online offering and technical aspects of their devices and browsers.
    Pseudonymous profiles of users are created with information from the use of various devices, and cookies can be used. Google Analytics does not log or store individual IP addresses for EU users. However, Analytics provides rough geographic location data by deriving the following metadata from IP addresses: city (and the city's derived latitude and longitude), continent, country, region, subcontinent (and ID-based counterparts). In EU data traffic, the IP address data is used exclusively for this derivation of geolocation data before it is immediately deleted. It is not logged, is not accessible and is not used for further purposes. When Google Analytics collects measurement data, all IP queries are performed on EU-based servers before traffic is forwarded to Analytics servers for processing; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal bases: consent (Article 6 (1) (a) GDPR); Site: https://marketingplatform.google.com/intl/de/about/analytics/; Security measures: IP masking (pseudonymization of the IP address); Privacy statement: https://policies.google.com/privacy; Order processing contract: https://business.safety.google/adsprocessorterms/; Basis for transfers to third countries: Data Privacy Framework (DPF); Objection option (opt-out): Opt-out plugin: https://tools.google.com/dlpage/gaoptout?hl=de, settings for displaying advertisements: https://myadcenter.google.com/personalizationoff. More information: https://business.safety.google/adsservices/ (Types of processing and data processed).
  • Google as recipient of consent: The consent given by users as part of a consent dialogue (also known as “cookie opt-in/consent”, “cookie banner”, etc.) serves several purposes. On the one hand, it serves us to fulfill our obligation to obtain consent to store and read information on and from the user's device (in accordance with ePrivacy guidelines). On the other hand, it covers the processing of users' personal data in accordance with data protection requirements. In addition, this consent also applies to Google, as the company is required under the Digital Markets Act to obtain consent for personalized services. We therefore share the status of consents given by users with Google. Our consent management software lets Google know whether or not consents have been given. The aim is to ensure that the consents given or not given by users are taken into account when using Google Analytics and when integrating functions and external services. For example, user consents and their revocation as part of Google Analytics and other Google services in our online offering can be adjusted dynamically and depending on user selection; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal bases: consent (Article 6 (1) (a) GDPR); Site: https://support.google.com/analytics/answer/9976101?hl=de. Privacy statement: https://policies.google.com/privacy.
  • No collection of detailed location and device data (Google Analytics function): No detailed location and device data is collected (more information: https://support.google.com/analytics/answer/12017362).

Application process

The application process requires that applicants provide us with the data necessary for their assessment and selection. What information is required is derived from the job description or, in the case of online forms, from the information provided there.

In principle, the required information includes personal information, such as the name, address, a contact option and evidence of the qualifications required for a position. On request, we are also happy to inform you which information is required.

If provided, applicants can send us their applications using an online form. The data is transmitted to us in encrypted form in accordance with the state of the art. Applicants can also send us their applications via email. However, please note that emails on the Internet are generally not sent in encrypted form. As a rule, emails are encrypted during transport, but not on the servers from which they are sent and received. We can therefore assume no responsibility for the transmission path of the application between the sender and receipt on our server.

For purposes of searching for applicants, submitting applications and selecting applicants, we may use applicant management or recruitment software and platforms and services from third-party providers in compliance with legal requirements.

Applicants are welcome to contact us about how to submit their application or send us the application by post.

Processing of special categories of data: If, as part of the application process, special categories of personal data (Article 9 (1) GDPR, e.g. health data, such as status of severely disabled persons or ethnic origin) are requested from or provided by applicants, they are processed so that the person responsible or the data subject can exercise the rights arising from employment law and social security and social protection law and fulfill his or her obligations in this regard, in the event of protection of vital interests of applicants or other persons or for health care or occupational medicine purposes, for the assessment of the employee's ability to work, for medical diagnostics, for care or treatment in the health or social sector, or for the administration of systems and services in the health or social sector.

Deletion of data: In the event of a successful application, the data provided by applicants may be further processed by us for the purposes of the employment relationship. Otherwise, if the application for a job offer is not successful, the applicants' data will be deleted. Applicants' data will also be deleted if an application is withdrawn, which applicants are entitled to do at any time. Subject to justified withdrawal by applicants, the deletion will take place no later than after the expiry of a period of six months so that we can answer any follow-up questions about the application and comply with our obligations to provide evidence under the rules on equal treatment of applicants. Invoices for any reimbursement of travel expenses are archived in accordance with tax requirements.

Inclusion in a pool of applicants: Admission to a pool of applicants, if offered, is based on consent. Applicants are informed that their consent to join the talent pool is voluntary, has no influence on the ongoing application process and that they can withdraw their consent at any time in the future.

  • Types of data processed: Inventory data (e.g. names, addresses); contact data (e.g. e-mail, telephone numbers); content data (e.g. entries in online forms); applicant data (e.g. personal details, postal and contact addresses, the documents associated with the application and the information contained therein, such as a cover letter, curriculum vitae, certificates and other information provided voluntarily by applicants about their person or qualification in relation to a specific position or qualifications).
  • Affected persons: Applicants.
  • Purposes of processing: Application process (establishment and possible subsequent implementation as well as possible subsequent termination of the employment relationship).
  • Legal bases: Application process as a pre-contractual or contractual relationship (Art. 6 (1) (b) GDPR).

Data protection information for whistleblowers

In this section, you will find information about how we handle data from individuals who provide information (whistleblowers) and from affected and involved parties as part of our whistleblower process. Our goal is to provide an easy and secure way to report potential misconduct by us, our employees or service providers, in particular for acts that violate laws or ethical guidelines. We also ensure appropriate processing and handling of the information.

Types of data processed:

As part of the receipt and processing of reports and in the subsequent whistleblower procedure, we may collect various data. These include in particular the data provided by a whistleblower, such as:

  • the name, contact details and whereabouts of the person giving the report,
  • names and data on potential witnesses or persons affected by the report,
  • names and data of the persons against whom the notice is directed,
  • data about the alleged misconduct,
  • other relevant details, if provided by the whistleblower.

For the purposes of the investigation and further proceedings, we also process the following personal data:

  • unique identification of the message,
  • contact details of the reporting person, if provided,
  • personal data of persons named in the notice, if provided,
  • personal data of persons who are indirectly affected by the factual review, if applicable,
  • personal data of persons from other participating companies (e.g. as part of legal advice), if relevant,
  • other data that is related to the facts.

Special categories of personal data:

We may collect special types of personal data as part of our activities, in particular when provided by a whistleblower. This includes:

  • health-related data relating to an individual,
  • data on the racial or ethnic origin of people,
  • information about a person's religious or philosophical beliefs,
  • information about a person's sexual orientation.

This data is only processed if it is relevant to the processing of the respective report and has been expressly provided by the whistleblower.

Using our online forms: Please note that it is possible to submit information anonymously. To ensure the security of your data when using our online forms, we recommend that you access them in the so-called 'incognito mode' of your browser. This is how you can open an incognito window: a) On a Windows PC: Open your browser and press Ctrl+Shift+N; b) On a Mac: Open your browser and press Command+Shift+N; c) On mobile devices: Switch to private mode via the tab menu.

When you visit our website in normal mode, your browser automatically sends certain information to our server, such as browser type and version, the date and time of your access. This also includes the IP address of your device. This data is temporarily stored in a log file and automatically deleted after 30 days at the latest.

The processing of the IP address is used for technical and administrative purposes of establishing a connection to our website. It ensures the security, stability and functionality of the whistleblower form and is an important part of our measures to ensure confidential reporting.

The processing of logged data is based on Article 6 (1) sentence 1 lit. f) GDPR. Our legitimate interest lies in the need for security and the need to ensure the technical requirements for a smooth and trouble-free submission of information.

Providing names: You have the option to submit information anonymously. However, unless prohibited by national legislation, we recommend that you provide your name and contact details. This enables us to respond to the report more effectively and, if necessary, to contact you directly.

If you provide your name and contact details, your identity will be kept strictly confidential. Exceptions to this confidentiality only exist if we are required by law to disclose your identity. This may be necessary to protect or defend our rights or the rights of our employees, customers, suppliers or business partners. Another exception is when it is found that the allegations were made with malicious intent.

Provision of data to third parties: Data related to the information provided will only be passed on by us to third parties under certain circumstances. This happens either a) when you have given us your express consent to do so, or b) when there is a legal obligation to share the data. Potential third parties include public authorities, government, regulatory, or tax authorities if the transfer is necessary to comply with a legal or regulatory obligation. We may also hire lawyers and other specialist advisors within the scope of legal requirements. They are entitled to investigate suspected misconduct and take necessary action following an investigation, such as initiating disciplinary or legal proceedings. In addition, carefully selected and monitored service providers may receive data from us for these purposes (such as operators of a web-based reporting system). However, as part of order data processing, these service providers are contractually obliged to comply with the applicable data protection regulations.

Data Retention and Deletion: Personal data is only processed for as long as is necessary to fulfill the processing purposes described above. If this data is no longer necessary for the stated purposes, it will be deleted. However, in certain situations, the data may be kept longer to comply with legal requirements, as long as this is necessary and proportionate. In such cases, the data will be deleted as soon as it is no longer required for these purposes.

Technical and organizational measures: We have implemented the necessary contractual, technical and organizational measures to ensure the security of all data we process. This data is processed exclusively for the specified purposes. The incoming information is processed by authorized persons, who receive access to the respective information and carry out the subsequent review of the facts. Our employees are specially trained to properly carry out the factual checks and are committed to maintaining the strictest confidentiality.

  • Types of data processed: Inventory data (e.g. names, addresses); employee data (e.g. master data of employees, personnel files, applications); contact data (e.g. e-mail, telephone numbers); content data (e.g. entries in online forms); usage data (e.g. websites visited, interest in content, access times).
  • Affected persons: Employees (e.g. employees, applicants, former employees); third parties; whistleblowers.
  • Purposes of processing: Whistleblower protection.
  • Legal bases: Consent (Art. 6 para. 1 p. 1 lit. a) GDPR); legal obligation (Art. 6 para. 1 p. 1 lit. c) GDPR); legitimate interests (Art. 6 (1) (f) GDPR).

Presences on social networks (social media)

We maintain online presences within social networks and process user data within this framework in order to communicate with users active there or to offer information about us.

We would like to point out that user data may be processed outside the European Union. This can result in risks for users because, for example, it could make it more difficult to enforce user rights.

Furthermore, user data within social networks is usually processed for market research and advertising purposes. For example, user profiles can be created based on user behavior and the resulting interests of users. The latter may in turn be used, for example, to place advertisements within and outside the networks that presumably match the interests of users. Therefore, cookies are usually stored on users' computers, in which the usage behavior and interests of the users are stored. In addition, data can also be stored in the user profiles regardless of the devices used by the users (in particular if they are members of the respective platforms and logged in there).

For a detailed description of the respective forms of processing and the options for objection (opt-out), we refer to the data protection declarations and information provided by the operators of the respective networks.

In the case of requests for information and the assertion of data subject rights, we would also like to point out that these can be asserted most effectively with the providers. Only the latter have access to user data and can directly take appropriate measures and provide information. Should you still need help, you can contact us.

  • Types of data processed: Contact data (e.g. e-mail, telephone numbers); content data (e.g. entries in online forms); usage data (e.g. websites visited, interest in content, access times); meta, communication and procedural data (e.g. IP addresses, time information, identification numbers, consent status).
  • Affected persons: Users (e.g. website visitors, users of online services).
  • Purposes of processing: Contact requests and communication; feedback (e.g. collecting feedback via online form); marketing.
  • Legal bases: Legitimate interests (Art. 6 (1) (f) GDPR).

Further information on processing operations, procedures and services:

  • Instagram: social network; Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal bases: legitimate interests (Art. 6 (1) (f) GDPR); Site: https://www.instagram.com; Privacy statement: https://instagram.com/about/legal/privacy. Basis for transfers to third countries: Data Privacy Framework (DPF).
  • Facebook pages: profiles within the social network Facebook; Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal bases: legitimate interests (Art. 6 (1) (f) GDPR); Site: https://www.facebook.com; Privacy statement: https://www.facebook.com/about/privacy; Basis for transfers to third countries: Data Privacy Framework (DPF); More information: Together with Meta Platforms Ireland Limited, we are responsible for collecting (but not further processing) data from visitors to our Facebook page (so-called “fan page”). This data includes information about the types of content that users view or interact with, or the actions they take (see “Things done and provided by you and others” in the Facebook Data Policy: https://www.facebook.com/policy), as well as information about the devices used by users (e.g. IP addresses, operating system, browser type, language settings, cookie data; see “Device Information” in the Facebook Data Policy: https://www.facebook.com/policy). As explained in the Facebook Data Policy under “How do we use this information?”, Facebook also collects and uses information to provide analytics services, so-called “page insights,” for page operators so that they obtain insights into how people interact with their pages and with the content associated with them. We have signed a special agreement with Facebook (“Page Insights Information,” https://www.facebook.com/legal/terms/page_controller_addendum), which regulates in particular which security measures Facebook must comply with and in which Facebook has agreed to fulfill the rights of data subjects (i.e. users can, for example, send information or deletion requests directly to Facebook). Users' rights (in particular to information, deletion, objection and complaint to the competent supervisory authority) are not restricted by the agreements with Facebook.
Further information can be found in the “Information about page insights” (https://www.facebook.com/legal/terms/information_about_page_insights_data). The joint responsibility is limited to the collection by and transfer of data to Meta Platforms Ireland Limited, a company based in the EU. The further processing of the data is the sole responsibility of Meta Platforms Ireland Limited, in particular with regard to the transfer of data to the parent company Meta Platforms, Inc. in the USA.
  • LinkedIn: Social network - Together with LinkedIn Ireland Unlimited Company, we are responsible for collecting (but not further processing) data from visitors, which are used to create the “page insights” (statistics) of our LinkedIn profiles. This data includes information about the types of content that users view or interact with and the actions they take. Details about the devices used are also collected, such as IP addresses, operating system, browser type, language settings and cookie data, as well as information from user profiles, such as job function, country, industry, hierarchical level, company size and employment status. Data protection information on the processing of user data by LinkedIn can be found in LinkedIn's privacy policy: https://www.linkedin.com/legal/privacy-policy
    We have signed a special agreement with LinkedIn Ireland (“Page Insights Joint Controller Addendum”, https://legal.linkedin.com/pages-joint-controller-addendum), which in particular regulates which security measures LinkedIn must comply with and in which LinkedIn has agreed to fulfill the rights of those affected (i.e. users can direct requests for information or deletion directly to LinkedIn, for example). The rights of users (in particular the right to information, deletion, objection and complaint to the competent supervisory authority) are not restricted by the agreements with LinkedIn. The joint responsibility is limited to the collection and transfer of data to LinkedIn Ireland Unlimited Company, a company based in the EU. LinkedIn Ireland Unlimited Company is solely responsible for further processing of the data, in particular as regards the transmission of the data to the parent company LinkedIn Corporation in the USA; Service provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland; Legal bases: legitimate interests (Art. 6 (1) (f) GDPR); Site: https://www.linkedin.com; Privacy statement: https://www.linkedin.com/legal/privacy-policy; Basis for transfers to third countries: Data Privacy Framework (DPF). Objection option (opt-out): https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.