Data protection declaration
This data protection declaration explains the type, scope, and purpose of the processing of personal data (hereinafter referred to as “data”) in our online offer and the associated websites, functions, contents, and external online presences, e.g., our social media profile (hereinafter referred to collectively as “online offer”). With regard to the terminology used, e.g., “processing” or “controller”, we refer to the definitions in Art. 4 of the General Data Protection Regulation (GDPR).
Brandenburger GmbH & Co. KG
Dipl.-Ing. Peter Schwab
Data protection officer
Types of processed data:
– Inventory data (e.g., names, addresses).
– Contact data (e.g., e-mail, telephone numbers).
– Content data (e.g. text entries, photographs, videos).
– Usage data (e.g., websites visited, interest in contents, access times).
– Meta-/Communication data (e.g. device information, IP addresses).
Categories of affected persons
Visitors and users of the online offer (hereinafter referred to collectively as “user”).
Purpose of processing
– Provision of the online offer, its functions and contents.
– Answering of contact queries and communication with users.
– Security measures.
– Reach measurement/Marketing.
“Personal data” means any information relating to an identified or identifiable natural person (hereinafter referred to as “affected person”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. cookie) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Processing” means any operation or set of operations which is performed on personal data, whether or not by automated means. The term is wide-ranging and includes practically all handling of data.
“Pseudonymization” means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific person without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
“Profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
“Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Relevant legal basis
Pursuant to Art. 13 of the GDPR we are informing you of the legal basis of our data processing. Insofar as the legal basis is not specified in the data protection declaration, the following shall apply: The legal basis for obtaining consent is Art. 6 para. 1 lit. a and Art. 7 of the GDPR. The legal basis for processing for the purposes of performing our services and carrying out contractual measures, as well as responding to queries is Art. 6 para. 1 lit. b of the GDPR. The legal basis for processing in order to comply with our legal obligations is Art. 6 para. 1 lit. c of the GDPR, and the legal basis for processing for the purposes of our legitimate interests is Art. 6 para. 1 lit. f of the GDPR. In the case that processing is necessary in order to protect the vital interests of an affected person or of another natural person, Art. 6 para. 1 lit. d of the GDPR shall apply.
We shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, pursuant to Art. 32 of the GDPR, while taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
These measures shall include, in particular, the ensuring of confidentiality, integrity and availability of data by checking the physical access to the data, as well as the sharing, input, transfer, the securing of availability of such data, and its separation. Furthermore, we have also established procedures that guarantee the rights of affected persons, the deletion of data, and reaction to the endangering of data. In addition, we already consider the protection of personal data when developing or selecting the hardware, software, as well as procedures according to the principle of data protection through technology design and data protection-friendly pre-settings (Art. 25 of the GDPR).
Collaboration with order processors and third parties
Insofar as we, in the course of our processing, disclose data to other persons and companies (order processors or third parties), transfer this data to them, or provide access to this data in other ways, this shall only occur on the basis of legal authorization (e.g. when it is necessary to transfer data to a third party, such as a payment service provider, for the purposes of fulfilling a contract, as per Art. 6 para. 1 lit. b of the GDPR), or where you have given consent, or a legal obligation necessitates this, or on the basis of our legitimate interests (e.g., when using agents, web hosts, etc.).
Insofar as we engage third parties to process data on the basis of an order processing contract, this shall occur on the basis of Art. 28 of the GDPR.
Transfers to third countries
Insofar as we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)), or where this occurs as part of the availing of the services of third parties or the disclosure or transmission of data to third parties, this shall only take place when it serves to fulfil our (pre-) contractual obligations, or where your consent has been received, or on the basis of legal obligations or our legitimate interests. Subject to legal or contractual permission, we shall process or allow data to be processed in a third country only when the special prerequisites as per Art. 44 ff. of the GDPR apply. This means that such processing shall occur, for example, on the basis of special guarantees, such as the official recognition of a data protection level that corresponds to that of the EU (e.g., the “Privacy Shield” for the USA), or when officially recognised special contractual obligations are met (“Standard contractual clauses”).
Rights of affected persons
You shall have the right to obtain confirmation as to whether or not personal data concerning you is being processed, and information on this data, as well as further information and a copy of the data pursuant to Art. 15 of the GDPR.
Pursuant to Art. 16 of the GDPR, you shall have the right to obtain from us the completion of your incomplete personal data, or the rectification of inaccurate personal data.
Pursuant to Art. 17 of the GDPR, you shall have the right to obtain from us the deletion of your personal data without undue delay, or alternatively, pursuant to Art. 18 of the GDPR, the right to obtain from us a restriction of processing of the data.
You shall have the right to receive your personal data, which you have provided to us pursuant to Art. 20 of the GDPR, or to have the data transmitted to another controller.
Furthermore, you shall have the right, pursuant to Art. 77 of the GDPR, to submit a complaint to the competent supervisory authority.
Right of withdrawal of consent
You shall have the right to withdraw your consent with effect for the future pursuant to Art. 7 para. 3 of the GDPR.
Right to object
You shall have the right to object at any time to the future processing of your personal data pursuant to Art. 21 of the GDPR. In particular, this objection can pertain to processing for the purposes of direct marketing.
Cookies and the right to object to direct marketing
Cookies are small files that are saved on the user’s computer. Various information can be saved inside the cookies. A cookie is primarily used to save information regarding a user (or the device on which the cookie is saved) during or after a visit to an online offer. Cookies that are deleted after the user leaves an online offer and closes their browser are called temporary cookies (or “session cookies” or “transient cookies”). The contents of a shopping cart in an online shop, for example, or a login status, can be saved in such a cookie. “Permanent” or “persistent” cookies are cookies that remain saved after the browser is closed. In this way, for example, the login status can be saved when the user returns several days later. In addition, a user’s interests may be saved in such a cookie, and then used for reach measurement or marketing purposes. “Third-party cookies” are cookies that are offered by different providers to the processor that operates the online offer (otherwise, one speaks of “first-party cookies”).
We may use temporary and permanent cookies, and shall explain this use as part of our data protection declaration.
If the user does not wish that cookies are saved on their computer, they are asked to disable the corresponding option in the system settings of their browser. Saved cookies can be deleted in the browser’s system settings. The exclusion of cookies can lead to restrictions in the functioning of this online offer.
The US website http://www.aboutads.info/choices/ and the EU website http://www.youronlinechoices.com/ explain how to object generally to a large number of services using cookies for the purposes of online marketing, especially tracking. You can also prevent cookies from being saved by turning them off in the browser settings. Please note that not all functions of this online offer may then be available.
Erasure of data
The data we process shall be erased or restricted in their processing pursuant to Art. 17 and 18 of the GDPR. Unless expressly specified within this data protection declaration, data that we have saved are erased, as soon as they are no longer required for their purposes, and no legal retention obligations exist preventing their erasure. Insofar as the data are not erased because they are required for other legally permissible purposes, their processing shall be limited. This means that the data shall be blocked and cannot be used for other purposes. This shall apply, for example, to data that must be stored for commercial or tax-related reasons.
According to legal requirements in Germany, storage shall take place in particular for 10 years pursuant to Section 147 para. 1 of the General Fiscal Law, Section 257, para. 1 no. 1 and 4, para. 4 of the German Commercial Code (books, recordings, status reports, accounting records, account books, documents relevant for taxation, etc.), and 6 years pursuant to Section 257 para. 1 no. 2 and 3, para. 4 of the German Commercial Code (commercial letters).
According to legal requirements in Austria, storage shall take place in particular for 7 years pursuant to Section 132 para. 1 of the Federal Fiscal Code (accounting documents, receipts/invoices, accounts, records, business papers, statements of revenue and expenditure, etc.), for 22 years in connection with premises, and for 10 years in the case of documents covering services that are provided electronically, telecommunications, radio and television services, that are provided to non-entrepreneurs in EU member states, and for which use is made of the Mini-One-Stop-Shop (MOSS).
Business analyses and market research
In order to operate our business efficiently, and to be able to recognise market tendencies and wishes of contractual partners and users, we analyse the data at our disposal concerning business processes, contracts, queries, etc. In doing so, we process inventory data, communication data, contract data, payment data, usage data, metadata, on the basis of Art. 6 para. 1 lit. f. of the GDPR, whereby the affected persons include contractual partners, interested parties, customers, visitors, and users of our online offer.
The purposes of such analyses are business assessments, marketing, and market research. During this process, we are able to take into account the profiles of registered users with details, for example, of the services they have availed of. The analyses help us to improve user-friendliness and to optimise our offer and increase business efficiency. The analyses are only used by us and not disclosed externally, insofar as anonymous analyses with summarised values are not involved.
Insofar as these analyses or profiles are related to persons, should the user terminate the contract they are erased or anonymized. Otherwise they are erased two years after conclusion of the contract. Apart from that, the overall business analyses and general tendency determinations are created anonymously where possible.
Data protection information in the application process
We shall only process the applicant’s data for the purpose of, and in the course of, the application process in compliance with legal requirements. Processing an applicant’s data shall take place to fulfil our (pre-)contractual obligations in the course of the application process within the sense of Art. 6 para. 1 lit. b. of the GDPR, and Art. 6 para. 1 lit. f. of the GDPR insofar as the data processing is required for us, for example, in the context of legal proceedings (in Germany, Section 26 of the German Federal Data Protection Act shall also apply).
A requirement of the application process is also that applicants shall disclose to us applicant data. The necessary applicant data are indicated on an online form insofar as this is provided; otherwise, the data are specified in the job description and are comprised principally of the personal details, postal and contact addresses, and the documents necessary for the application, such as cover letter, c.v., and references. Applicants may also supply us with additional information voluntarily.
By submitting the application to us, the applicants agree that their data will be processed for the purposes of the application process in the form and extent that is set out in this data protection declaration.
Insofar as special categories of personal data are voluntarily disclosed within the meaning of Art. 9 para. 1 of the GDPR, their processing shall additionally take place pursuant to Art. 9 para. 2 lit. b of the GDPR (e.g. health data, for example, serious disabilities, or ethnic origin). Insofar as special categories of personal data within the meaning of Art. 9 para. 1 of the GDPR are requested from applicants during the application process, their processing additionally takes place according to Art. 9 para. 2 lit. a of the GDPR (e.g. health data, when this is required for professional activity).
Insofar as this is provided, applicants can send their applications using an online form on our website. The data shall be transferred to us encrypted according to the state of the art.
Applicants may also send their applications per e-mail. However, in this case, please note that e-mails are generally not encrypted when sent and the applicant will have to provide their own encryption. For this reason we cannot accept responsibility for the transmission route of the application between sending and receipt on our server, and we therefore recommend using an online form or the postal service: applicants continue to have the option of sending us the application by post instead of using the online form or e-mail.
In the case of a successful application, the data made available by applicants may be further processed by us for the purposes of the employment relationship. Otherwise the applicant’s data shall be erased insofar as the job application is unsuccessful. The data of the applicant shall also be erased if an application is withdrawn. The applicant is entitled to do this at any time.
Erasure shall occur, subject to a justified withdrawal by the applicant, after a period of six months, so that we are able to answer any follow-up questions on the application, and fulfil our obligations to produce proof with regard to the Sex Discrimination Act. Invoices for travel cost reimbursements are archived according to taxation law requirements.
When making contact with us (e.g., per contact form, e-mail, telephone, or social media), the details of the user shall be processed in order to execute and process the contact request pursuant to Art. 6 para. 1 lit. b) of the GDPR. The details of the user can be saved in a Customer Relationship Management System (“CRM System”) or a similar request management system.
We shall erase the queries insofar as they are no longer required, and check the necessity in this regard every two years. The legal archiving obligations shall also apply.
With the following information, we shall inform you on the contents of our newsletter, on the registration, sending, and statistical evaluation processes, and on your rights of objection. By subscribing to our newsletter, you declare that you consent to receive the newsletter and agree to the described processes.
Content of the newsletter: We shall only send newsletters, e-mails, and further electronic messages with marketing information (hereinafter referred to as “Newsletter”) with the consent of the recipient or with legal permission. Insofar as a newsletter’s contents are paraphrased concretely in the context of a registration process, this shall be decisive for the user’s consent. Apart from that, our newsletters contain information on our services and about us.
Double opt-in and logging: Registration for our newsletter takes place in a double opt-in process. This means that after registration you receive an e-mail requesting you to confirm your registration. This confirmation is necessary so that nobody can register with e-mail addresses belonging to others. Registration for the newsletter is logged so that the registration process can be proven to have taken place according to legal requirements. This includes the saving of the registration and confirmation time, as well as the IP address. The changes to your data at the sending provider are also logged.
Registration data: In order to register for the newsletter, it is sufficient to enter your e-mail address. You can also optionally enter a name with which you will be addressed personally in the newsletter.
Sending the newsletter and the associated measuring of success occurs based on the recipient’s consent pursuant to Art. 6 para. 1 lit. a, Art. 7 of the GDPR in conjunction with Sec. 7 para. 2 No. 3 of the Act Against Unfair Competition, or where consent is not required, based on our legitimate interests in direct marketing pursuant to Art. 6 para. 1 lit. f. of the GDPR in conjunction with Sec. 7 para. 3 of the Act Against Unfair Competition.
Logging the registration process shall take place on the basis of our legitimate interests pursuant to Art. 6 para. 1 lit. f of the GDPR. Our interest is focused on the use of a user-friendly and secure newsletter system, which serves our business interests and meets the user’s expectations, and furthermore allows us proof of consent.
Termination/Withdrawal – You can terminate your newsletter subscription at any time, i.e., withdraw your consent. At the bottom of every newsletter, you will find a link with which you can unsubscribe. We can save the received e-mail addresses for up to three years on the basis of our legitimate interests before we erase them, in order to be able to prove the previous granting of consent. The purpose of processing this data shall be limited to a possible defence against claims. An individual application for erasure is possible at any time insofar as the previous existence of consent exists at the same time.
Online presence in the social media
We maintain an online presence in social networks and platforms in order to communicate with customers, interested parties, and users who are active there, and to inform them about our services. When the respective networks and platforms are opened, the business terms and conditions and the data processing guidelines of the respective provider shall apply.
Unless otherwise specified in the context of our data protection declaration, we shall process the data of users insofar as they communicate with us in the social networks and platforms, e.g., by posting contributions on our online presence or by sending us messages.
Integration of services and third-party contents
In our online offer, we shall use content and service offers of third-party providers on the basis of our legitimate interests (i.e. interest in the analysis, optimisation, and economic operation of our online offer within the meaning of Art. 6 para. 1 lit. f of the GDPR), in order to integrate their contents and services, e.g. videos or fonts (hereinafter referred to as “contents”).
This always requires that the third-party provider of these contents uses the IP address of the user, because without the IP address, the contents cannot be sent to their browser. The IP address is thus required for the display of such contents. We shall endeavour only to use contents where the respective provider only uses the IP address for their delivery. Third-party providers may also use pixel tags (invisible graphics, also called “Web Beacons”) for statistical or marketing purposes. Through the pixel tags, information such as visitor traffic on the pages of this website can be evaluated. The pseudonymized information can also be saved in cookies on the user’s device, and contain technical information on the browser and operating system, linking websites, visit times, and other information on the use of our online offer, and be connected with such information from other sources.
We may integrate videos of the platform “Vimeo” from the provider Vimeo Inc., Attention: Legal Department, 555 West 18th Street New York, New York 10011, USA. Data protection declaration: https://vimeo.com/privacy. We would like to point out that Vimeo can use Google Analytics and refer you to the data protection declaration (https://www.google.com/policies/privacy) and opt-out options for Google Analytics (http://tools.google.com/dlpage/gaoptout?hl=de) or the Google settings for the use of data for marketing purposes (https://adssettings.google.com/).
We may integrate videos of the platform “YouTube” from the provider Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Data protection declaration: https://www.google.com/policies/privacy/, Opt-out: https://adssettings.google.com/authenticated.
Use of Facebook social plugins
We shall use social plugins (“plugins”) of the social network facebook.com, which is operated by Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2 (“Facebook”), on the basis of our legitimate interests (i.e. interest in the analysis, optimisation, and economic operation of our online offer within the meaning of Art. 6 para. 1 lit. f. of the GDPR). The plugins can display interaction elements or contents (e.g. videos, graphics, or text contributions), and are recognised by one of the Facebook logos (white “f” on a blue tile, the word “Like”, or a “Thumbs up” sign), or with the additional text “Facebook Social Plugin”. The list and the appearance of the Facebook social plugins may be viewed here: https://developers.facebook.com/docs/plugins/.
Facebook is certified under the Privacy Shield agreement and in this way provides a guarantee of compliance with European data protection law (https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active).
When a user opens a function of this online offer that contains such a plugin, their device establishes a direct connection to the Facebook servers. The content of the plugin is transmitted directly by Facebook to the user’s device and from here integrated into the online offer. User profiles for the user can be generated from the processed data in this way. We thus have no influence on the scope of data that Facebook gathers using this plugin and are therefore informing the user about our state of knowledge.
By integrating the plugins, Facebook receives the information that a user has called up the corresponding page of the online offer. If the user is logged in with Facebook, Facebook can assign the visit to the user’s Facebook account. If users interact with the plugins, for example, by pressing the Like button or making a comment, the corresponding information is transmitted directly from their device to Facebook, and saved there. If a user is not a member of Facebook, it is still possible for Facebook to find out and store their IP address. According to Facebook, only an anonymized IP address is saved in Germany.
The reason for and scope of the data acquisition and information about the way in which the data is processed and used by Facebook, as well as the user’s rights in this respect and settings options for protecting the user’s privacy, can be found in Facebook’s data protection policy: https://www.facebook.com/about/privacy/.
If a user is a Facebook member and does not wish that Facebook collects their data via this online offer and links this to their member data stored by Facebook, then they must log out from Facebook before using our online offer and delete the cookies. Additional settings and objections on the use of data for marketing purposes are possible in the Facebook profile settings: https://www.facebook.com/settings?tab=ads or via the American website http://www.aboutads.info/choices/ or the EU website http://www.youronlinechoices.com/. The settings are taken on, independent of the platform. This means they are taken on for all devices, such as desktop computers or mobile devices.
Functions and contents of the service Twitter, offered by Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA, may be integrated into our online offer. This may include contents, such as images, videos, or texts and buttons, with which the user can share contents of this online offer on Twitter.
Insofar as the users are members of the Twitter platform, Twitter can assign the opening of the above-mentioned contents and functions to the profiles of the users there. Twitter is certified under the Privacy Shield agreement and in this way provides a guarantee of compliance with European data protection law (https://www.privacyshield.gov/participant?id=a2zt0000000TORzAAO&status=Active). Data protection declaration: https://twitter.com/de/privacy, Opt-out: https://twitter.com/personalization.
Functions and contents of the service, Instagram, may be integrated in our online offer by Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA. This may include, for example, contents like images, videos, or text and buttons, with which the users can share contents of this online offer on Instagram. Insofar as the users are members of the Instagram platform, Instagram can assign opening of the above-mentioned contents and functions to the profiles of the users there. Data protection declaration by Instagram: http://instagram.com/about/legal/privacy/.
Functions and contents of the service, Xing, offered by XING AG, Dammtorstraße 29-32, 20354 Hamburg, Germany, may be integrated in this online offer. This may include, for example, contents like images, videos, or text and buttons, with which the users can share contents of this online offer on Xing. Insofar as the users are members of the Xing platform, Xing can assign the opening of the above-mentioned contents and functions to the profiles of the users there. Data protection declaration by Xing: https://www.xing.com/app/share?op=data_protection.
Functions and contents of the service, LinkedIn, offered by LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland, may be integrated in our online offer. This may include, for example, contents like images, videos, or text and buttons, with which the users can share contents of this online offer on LinkedIn. Insofar as the users are members of the LinkedIn platform, LinkedIn can assign the opening of the above-mentioned contents and functions to the profiles of the users there. Data protection declaration by LinkedIn: https://www.linkedin.com/legal/privacy-policy. LinkedIn is certified under the Privacy Shield agreement and in this way provides a guarantee of compliance with European data protection law (https://www.privacyshield.gov/participant?id=a2zt0000000L0UZAA0&status=Active). Data protection declaration: https://www.linkedin.com/legal/privacy-policy, Opt-out: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.