Privacy Policy
PREAMBLE
With the following privacy policy we would like to inform you which types of your personal data (hereinafter also abbreviated as “data”) we process for which purposes and in which scope. The privacy statement applies to all processing of personal data carried out by us, both in the context of providing our services and in particular on our websites, in mobile applications and within external online presences, such as our social media profiles (hereinafter collectively referred to as “online services”).
The terms used are not gender-specific.
Last Update: 29. June 2023
TABLE OF CONTENTS
- Preamble
- Controller
- International data transfers
- Erasure of data
- Rights of Data Subjects
- Use of Cookies
- Business services
- Use of online platforms for listing and sales purposes
- Providers and services used in the course of business
- Provision of online services and web hosting
- Contact and Inquiry Management
- Communication via Messenger
- Video Conferences, Online Meetings, Webinars and Screen-Sharing
- Job Application Process
- Cloud Services
- Commercial communication by E-Mail, Postal Mail, Fax or Telephone
- Web Analysis, Monitoring and Optimization
- Profiles in Social Networks (Social Media)
- Plugins and embedded functions and content
- Changes and Updates to the Privacy Policy
CONTROLLER
MyCargoGate AG
Grindelstrasse 11, CH-8303 Bassersdorf
Authorised Representatives: Michael Geraets
E-mail address: info@mycargogate.com
Legal Notice: Imprint MyCargoGate
INTERNATIONAL DATA TRANSFERS
If we process data in a third country (i.e. outside the European Union (EU), the European Economic Area (EEA)) or the processing takes place in the context of the use of third party services or disclosure or transfer of data to other persons, bodies or companies, this will only take place in accordance with the legal requirements.
Subject to express consent or transfer required by contract or law, we process or have processed the data only in third countries with a recognised level of data protection, on the basis of special guarantees, such as a contractual obligation through so-called standard protection clauses of the EU Commission or if certifications or binding internal data protection regulations justify the processing (Article 44 to 49 GDPR, information page of the EU Commission: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection_en).
Data Processing in Third Countries: If we process data in a third country (i.e. outside the European Union (EU), the European Economic Area (EEA)) or the processing takes place in the context of the use of third party services or disclosure or transfer of data to other persons, bodies or companies, this will only take place in accordance with the legal requirements.
Subject to express consent or transfer required by contract or law, we process or have processed the data only in third countries with a recognised level of data protection, on the basis of special guarantees, such as a contractual obligation through so-called standard protection clauses of the EU Commission or if certifications or binding internal data protection regulations justify the processing (Article 44 to 49 GDPR, information page of the EU Commission: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection_en).
Disclosure of Personal Data Abroad: In accordance with the Swiss Data Protection Act (DSG), we only disclose personal data abroad when an appropriate level of protection for the affected persons is ensured (Art. 15 Swiss DSG). If the Federal Council does not determine that there is an adequate level of protection, we implement alternative security measures. These measures may include international agreements, specific guarantees, data protection clauses in contracts, standard data protection clauses approved by the Federal Data Protection and Information Commissioner (FDPIC), or internal company data protection regulations previously recognised by the FDPIC or a competent data protection authority of another country.
Under Art. 16 of the Swiss DSG, exceptions can be made for the disclosure of data abroad if certain conditions are met, including the consent of the affected person, contract execution, public interest, protection of life or physical integrity, publicly made data or data from a legally provided register. Such disclosures always comply with the legal requirements.
ERASURE OF DATA
The data processed by us will be erased in accordance with the statutory provisions as soon as their processing is revoked or other permissions no longer apply (e.g. if the purpose of processing this data no longer applies or they are not required for the purpose). If the data is not deleted because they are required for other and legally permissible purposes, their processing is limited to these purposes. This means that the data will be restricted and not processed for other purposes. This applies, for example, to data that must be stored for commercial or tax reasons or for which storage is necessary to assert, exercise or defend legal claims or to protect the rights of another natural or legal person. In the context of our information on data processing, we may provide users with further information on the deletion and retention of data that is specific to the respective processing operation.
RIGHTS OF DATA SUBJECTS
Rights of the Data Subjects under the GDPR: As data subject, you are entitled to various rights under the GDPR, which arise in particular from Articles 15 to 21 of the GDPR:
- Right to Object: You have the right, on grounds arising from your particular situation, to object at any time to the processing of your personal data which is based on letter (e) or (f) of Article 6(1) GDPR, including profiling based on those provisions. Where personal data are processed for direct marketing purposes, you have the right to object at any time to the processing of the personal data concerning you for the purpose of such marketing, which includes profiling to the extent that it is related to such direct marketing.
- Right of withdrawal for consents: You have the right to revoke consents at any time.
- Right of access: You have the right to request confirmation as to whether the data in question will be processed and to be informed of this data and to receive further information and a copy of the data in accordance with the provisions of the law.
- Right to rectification: You have the right, in accordance with the law, to request the completion of the data concerning you or the rectification of the incorrect data concerning you.
- Right to Erasure and Right to Restriction of Processing: In accordance with the statutory provisions, you have the right to demand that the relevant data be erased immediately or, alternatively, to demand that the processing of the data be restricted in accordance with the statutory provisions.
- Right to data portability: You have the right to receive data concerning you which you have provided to us in a structured, common and machine-readable format in accordance with the legal requirements, or to request its transmission to another controller.
- Complaint to the supervisory authority: In accordance with the law and without prejudice to any other administrative or judicial remedy, you also have the right to lodge a complaint with a data protection supervisory authority, in particular a supervisory authority in the Member State where you habitually reside, the supervisory authority of your place of work or the place of the alleged infringement, if you consider that the processing of personal data concerning you infringes the GDPR.
RIGHTS OF THE DATA SUBJECTS UNDER THE SWISS DPA:
You have the following rights as an affected individual in accordance with the provisions of the Swiss DSG:
- Right to information: You have the right to request confirmation as to whether data concerning you is being processed and to receive the information necessary for you to assert your rights under this law and to ensure transparent data processing (Art. 25 to 27 Swiss DSG).
- Right to data disclosure or transfer: You have the right to request the disclosure of your personal data that you have provided to us in a commonly used electronic format (Art. 28 to 29 Swiss DSG).
- Right to file a complaint: You have the right to file a complaint to protect your personality rights (Art. 32 para. 2 to para. 4 Swiss DSG).
- Right to rectification: You have the right, in accordance with Art. 32 Swiss DSG, to request the rectification of inaccurate data concerning you. If it is not possible to determine the accuracy or inaccuracy of the data, you have the right to attach a statement of disagreement (Art. 32 para. 1 and 3 Swiss DSG).
- Right to prohibition of processing: You have the right to request a prohibition or restriction of the processing of the data (Art. 32 para. 2 lit a. Swiss DSG).
- Right to prohibition of disclosure to third parties: You have the right to request that a specific disclosure of data concerning you to third parties be prohibited (Art. 32 para. 2 lit b. Swiss DSG).
- Right to deletion, destruction: You have the right to request the immediate deletion and destruction of data concerning you, or alternatively (Art. 32 para. 2 lit c. Swiss DSG).
- Right to withdraw consent: You have the right to withdraw your consent with effect for the future.
BUSINESS SERVICES
We process data of our contractual and business partners, e.g. customers and interested parties (collectively referred to as “contractual partners”) within the context of contractual and comparable legal relationships as well as associated actions and communication with the contractual partners or pre-contractually, e.g. to answer inquiries.
We process this data in order to fulfill our contractual obligations. These include, in particular, the obligations to provide the agreed services, any update obligations and remedies in the event of warranty and other service disruptions. In addition, we process the data to protect our rights and for the purpose of administrative tasks associated with these obligations and company organization. Furthermore, we process the data on the basis of our legitimate interests in proper and economical business management as well as security measures to protect our contractual partners and our business operations from misuse, endangerment of their data, secrets, information and rights (e.g. for the involvement of telecommunications, transport and other auxiliary services as well as subcontractors, banks, tax and legal advisors, payment service providers or tax authorities). Within the framework of applicable law, we only disclose the data of contractual partners to third parties to the extent that this is necessary for the aforementioned purposes or to fulfill legal obligations. Contractual partners will be informed about further forms of processing, e.g. for marketing purposes, within the scope of this privacy policy.
Which data are necessary for the aforementioned purposes, we inform the contracting partners before or in the context of the data collection, e.g. in online forms by special marking (e.g. colors), and/or symbols (e.g. asterisks or the like), or personally.
We delete the data after expiry of statutory warranty and comparable obligations, i.e. in principle after expiry of 4 years, unless the data is stored in a customer account or must be kept for legal reasons of archiving. The statutory retention period for documents relevant under tax law as well as for commercial books, inventories, opening balance sheets, annual financial statements, the instructions required to understand these documents and other organizational documents and accounting records is ten years and for received commercial and business letters and reproductions of sent commercial and business letters six years. The period begins at the end of the calendar year in which the last entry was made in the book, the inventory, the opening balance sheet, the annual financial statements or the management report was prepared, the commercial or business letter was received or sent, or the accounting document was created, furthermore the record was made or the other documents were created.
If we use third-party providers or platforms to provide our services, the terms and conditions and privacy policies of the respective third-party providers or platforms shall apply in the relationship between the users and the providers.
- Processed data types: Inventory data (e.g. names, addresses); Payment Data (e.g. bank details, invoices, payment history); Contact data (e.g. e-mail, telephone numbers); Contract data (e.g. contract object, duration, customer category); Usage data (e.g. websites visited, interest in content, access times); Meta, communication and process data (e.g. IP addresses, time information, identification numbers, consent status).
- Data subjects: Customers; Prospective customers; Business and contractual partners.
- Purposes of Processing: Provision of contractual services and customer support; Security measures; Contact requests and communication; Office and organisational procedures; Managing and responding to inquiries.
- Legal Basis: Performance of a contract and prior requests (Article 6 (1) (b) GDPR); Compliance with a legal obligation (Article 6 (1) (c) GDPR); Legitimate Interests (Article 6 (1) (f) GDPR).
Further information on processing methods, procedures and services used:
- Customer Account: Customers can create an account within our online offer (e.g. customer or user account, “customer account” for short). If the registration of a customer account is required, customers will be informed of this as well as of the details required for registration. The customer accounts are not public and cannot be indexed by search engines. In the course of registration and subsequent registration and use of the customer account, we store the IP addresses of the contractual partners along with the access times, in order to be able to prove the registration and prevent any misuse of the customer account. If the customer account has been terminated, the customer account data will be deleted after the termination date, unless it is retained for purposes other than provision in the customer account or must be retained for legal reasons (e.g. internal storage of customer data, order transactions or invoices). It is the customers’ responsibility to back up their data when terminating the customer Account;
– Legal Basis: Performance of a contract and prior requests (Article 6 (1) (b) GDPR). - Online Shop and E-Commerce: We process the data of our customers in order to enable them to select, purchase or order the selected products, goods and related services, as well as their payment and delivery, or performance of other services. If necessary for the execution of an order, we use service providers, in particular postal, freight and shipping companies, in order to carry out the delivery or execution to our customers. For the processing of payment transactions we use the services of banks and payment service providers. The required details are identified as such in the course of the ordering or comparable purchasing process and include the details required for delivery, or other way of making the product available and invoicing as well as contact information in order to be able to hold any consultation;
– Legal Basis: Performance of a contract and prior requests (Article 6 (1) (b) GDPR).
USE OF ONLINE PLATFORMS FOR LISTING AND SALES PURPOSES
We offer our services on online platforms operated by other service providers. In addition to our privacy policy, the privacy policies of the respective platforms apply. This is particularly true with regard to the payment process and the methods used on the platforms for performance measuring and behaviour-related marketing.
- Processed data types: Inventory data (e.g. names, addresses); Payment Data (e.g. bank details, invoices, payment history); Contact data (e.g. e-mail, telephone numbers); Contract data (e.g. contract object, duration, customer category); Usage data (e.g. websites visited, interest in content, access times); Meta, communication and process data (e.g. IP addresses, time information, identification numbers, consent status).
- Data subjects: Customers.
- Purposes of Processing: Provision of contractual services and customer support; Marketing.
- Legal Basis: Performance of a contract and prior requests (Article 6 (1) (b) GDPR).
PROVIDERS AND SERVICES USED IN THE COURSE OF BUSINESS
As part of our business activities, we use additional services, platforms, interfaces or plug-ins from third-party providers (in short, “services”) in compliance with legal requirements. Their use is based on our interests in the proper, legal and economic management of our business operations and internal organization.
- Processed data types: Inventory data (e.g. names, addresses); Payment Data (e.g. bank details, invoices, payment history); Contact data (e.g. e-mail, telephone numbers); Content data (e.g. text input, photographs, videos); Contract data (e.g. contract object, duration, customer category).
- Data subjects: Customers; Prospective customers; Users (e.g. website visitors, users of online services); Business and contractual partners; Employees (e.g. Employees, job applicants).
- Purposes of Processing: Provision of contractual services and customer support; Office and organisational procedures.
- Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR).
Further information on processing methods, procedures and services used:
- DATEV: Software for accounting, communication with tax advisors as well as authorities and including document storage; – Service provider: DATEV eG, Paumgartnerstr. 6 – 14, 90429 Nürnberg, Germany
– Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR)
– Website: https://www.datev.de/web/de/mydatev/online-anwendungen/
– Privacy Policy: https://www.datev.de/web/de/m/ueber-datev/datenschutz/
– Data Processing Agreement: Provided by the service provider - Abacus: Software for Accounting;
– Service Provider: Abacus Research AG, Abacus-Platz 19300 Wittenbach – St. Gallen, Switzerland;
– Website: https://www.abacus.ch/
– Privacy Policy: https://www.abacus.ch/datenschutz - Scope: Freight forwarding software;
– Service Provider: Riege Software International GmbH, Otto-Hahn-Str. 4 40670 Meerbusch, Germany
– Website: https://www.riege.com
– Privacy Policy: https://www.riege.com/de/datenschutz/ - JTL: ERP-Warehouse-Software;
– Service Provider: JTL-Software-GmbH, Rheinstr. 7 41836 Hückelhoven
– Website: https://www.jtl-software.de
– Privacy Policy: https://www.jtl-software.de/datenschutz - MCG-APP: E-Commerce software and software for Custom-/Duty-Payments;
– Service Provider: MyCargoGate AG, Grindelstrasse 11, 8303 Bassersdorf, Switzerland
– Website: https://mycargogate.com
– Privacy Policy: https://mycargogate.com/privacy - MOG-APP: Communication Service;
– Service Provider: MyCargoGate AG, Grindelstrasse 11, 8303 Bassersdorf, Switzerland
– Website: https://myordergate.com
– Privacy Policy: https://myordergate.com/privacy
PROVISION OF ONLINE SERVICES AND WEB HOSTING
We process user data in order to be able to provide them with our online services. For this purpose, we process the IP address of the user, which is necessary to transmit the content and functions of our online services to the user’s browser or terminal device.
- Processed data types: Usage data (e.g. websites visited, interest in content, access times); Meta, communication and process data (e.g. IP addresses, time information, identification numbers, consent status).
- Data subjects: Users (e.g. website visitors, users of online services).
- Purposes of Processing: Provision of our online services and usability; Information technology infrastructure (Operation and provision of information systems and technical devices, such as computers, servers, etc.).); Security measures.
- Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR).
Further information on processing methods, procedures and services used:
- Provision of online offer on rented hosting space: For the provision of our online services, we use storage space, computing capacity and software that we rent or otherwise obtain from a corresponding server provider (also referred to as a “web hoster”).
– Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR). - Collection of Access Data and Log Files: The access to our online services is logged in the form of so-called “server log files”. Server log files may include the address and name of the web pages and files accessed, the date and time of access, data volumes transferred, notification of successful access, browser type and version, the user’s operating system, referrer URL (the previously visited page) and, as a general rule, IP addresses and the requesting provider.The server log files can be used for security purposes, e.g. to avoid overloading the servers (especially in the case of abusive attacks, so-called DDoS attacks) and to ensure the stability and optimal load balancing of the servers.
– Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR).
– Retention period: Log file information is stored for a maximum period of 30 days and then deleted or anonymized. Data, the further storage of which is necessary for evidence purposes, are excluded from deletion until the respective incident has been finally clarified. - Service Provider:
CONTACT AND INQUIRY MANAGEMENT
When contacting us (e.g. via mail, contact form, e-mail, telephone or via social media) as well as in the context of existing user and business relationships, the information of the inquiring persons is processed to the extent necessary to respond to the contact requests and any requested measures.
- Processed data types: Contact data (e.g. e-mail, telephone numbers); Content data (e.g. text input, photographs, videos); Usage data (e.g. websites visited, interest in content, access times); Meta, communication and process data (e.g. IP addresses, time information, identification numbers, consent status).
- Data subjects: Communication partner (Recipients of e-mails, letters, etc.).
- Purposes of Processing: Contact requests and communication; Managing and responding to inquiries; Feedback (e.g. collecting feedback via online form); Provision of our online services and usability.
- Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR); Performance of a contract and prior requests (Article 6 (1) (b) GDPR).
Further information on processing methods, procedures and services used:
Zendesk: Management of contact requests and communication.
– Service provider: Zendesk, Inc., 989 Market Street #300, San Francisco, CA 94102, USA.
– Legal Basis: Performance of a contract and prior requests (Article 6 (1) (b) GDPR), Legitimate Interests (Article 6 (1) (f) GDPR).
– Website: https://www.zendesk.com
– Privacy Policy: https://www.zendesk.com/company/customers-partners/privacy-policy/
– Standard Contractual Clauses (Safeguarding the level of data protection when processing data in third countries): Binding Corporate Rules as a Basis for U.S.
– Data Transfers: https://www.zendesk.de/company/privacy-and-data-protection/#data-processing-agreement
COMMUNICATION VIA MESSENGER
We use messenger services for communication purposes and therefore ask you to observe the following information regarding the functionality of the messenger services, encryption, use of the metadata of the communication and your objection options.
You can also contact us by alternative means, e.g. telephone or e-mail. Please use the contact options provided to you or use the contact options provided within our online services.
In the case of encryption of content (i.e. the content of your message and attachments), we point out that the communication content (i.e. the content of the message and attachments) is encrypted end-to-end. This means that the content of the messages is not visible, not even by the messenger service providers themselves. You should always use a current version of the messenger service with activated encryption, so that the encryption of the message contents is guaranteed.
However, we would like to point out to our communication partners that although messenger service providers do not see the content, they can find out that and when communication partners communicate with us and process technical information on the communication partner’s device used and, depending on the settings of their device, also location information (so-called metadata).
Information on Legal basis: If we ask communication partners for permission before communicating with them via messenger services, the legal basis of our processing of their data is their consent. Otherwise, if we do not request consent and you contact us, for example, voluntarily, we use messenger services in our dealings with our contractual partners and as part of the contract initiation process as a contractual measure and in the case of other interested parties and communication partners on the basis of our legitimate interests in fast and efficient communication and meeting the needs of our communication partners for communication via messenger services. We would also like to point out that we do not transmit the contact data provided to us to the messenger service providers for the first time without your consent.
Withdrawal, objection and deletion: You can withdraw your consent or object to communication with us via messenger services at any time. In the case of communication via messenger services, we delete the messages in accordance with our general data retention policy (i.e. as described above after the end of contractual relationships, archiving requirements, etc.) and otherwise as soon as we can assume that we have answered any information provided by the communication partners, if no reference to a previous conversation is to be expected and there are no legal obligations to store the messages to prevent their deletion.
Reservation of reference to other means of communication: Finally, we would like to point out that we reserve the right, for reasons of your safety, not to answer inquiries about messenger services. This is the case if, for example, internal contractual matters require special secrecy or if an answer via the messenger services does not meet the formal requirements. In such cases we refer you to more appropriate communication channels.
- Processed data types: Contact data (e.g. e-mail, telephone numbers); Usage data (e.g. websites visited, interest in content, access times); Meta, communication and process data (e.g. IP addresses, time information, identification numbers, consent status).
- Data subjects: Communication partner (Recipients of e-mails, letters, etc.).
- Purposes of Processing: Contact requests and communication; Direct marketing (e.g. by e-mail or postal).
- Legal Basis: Consent (Article 6 (1) (a) GDPR); Legitimate Interests (Article 6 (1) (f) GDPR).
Further information on processing methods, procedures and services used:
WhatsApp: WhatsApp Messenger with end-to-end encryption
– Service provider: WhatsApp Ireland Limited, 4 Grand Canal Quay, Dublin 2, D02 KH28, Ireland.
– Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR)
– Website: https://www.whatsapp.com/
– Privacy Policy: https://www.whatsapp.com/legal
VIDEO CONFERENCES, ONLINE MEETINGS, WEBINARS AND SCREEN-SHARING
We use platforms and applications of other providers (hereinafter referred to as “Conference Platforms”) for the purpose of conducting video and audio conferences, webinars and other types of video and audio meetings (hereinafter collectively referred to as “Conference”). When using the Conference Platforms and their services, we comply with the legal requirements.
Data processed by Conference Platforms: In the course of participation in a Conference, the Data of the participants listed below are processed. The scope of the processing depends, on the one hand, on which data is requested in the context of a specific Conference (e.g., provision of access data or clear names) and which optional information is provided by the participants. In addition to processing for the purpose of conducting the conference, participants’ Data may also be processed by the Conference Platforms for security purposes or service optimization. The processed Date includes personal information (first name, last name), contact information (e-mail address, telephone number), access data (access codes or passwords), profile pictures, information on professional position/function, the IP address of the internet access, information on the participants’ end devices, their operating system, the browser and its technical and linguistic settings, information on the content-related communication processes, i.e. entries in chats and audio and video data, as well as the use of other available functions (e.g. surveys). The content of communications is encrypted to the extent technically provided by the conference providers. If participants are registered as users with the Conference Platforms, then further data may be processed in accordance with the agreement with the respective Conference Provider.
Logging and recording: If text entries, participation results (e.g. from surveys) as well as video or audio recordings are recorded, this will be transparently communicated to the participants in advance and they will be asked – if necessary – for their consent.
Data protection measures of the participants: Please refer to the data privacy information of the Conference Platforms for details on the processing of your data and select the optimum security and data privacy settings for you within the framework of the settings of the conference platforms. Furthermore, please ensure data and privacy protection in the background of your recording for the duration of a Conference (e.g., by notifying roommates, locking doors, and using the background masking function, if technically possible). Links to the conference rooms as well as access data, should not be passed on to unauthorized third parties.
Notes on legal bases: Insofar as, in addition to the Conference Platforms, we also process users’ data and ask users for their consent to use contents from the Conferences or certain functions (e.g. consent to a recording of Conferences), the legal basis of the processing is this consent. Furthermore, our processing may be necessary for the fulfillment of our contractual obligations (e.g. in participant lists, in the case of reprocessing of Conference results, etc.). Otherwise, user data is processed on the basis of our legitimate interests in efficient and secure communication with our communication partners.
- Processed data types: Inventory data (e.g. names, addresses); Contact data (e.g. e-mail, telephone numbers); Content data (e.g. text input, photographs, videos); Usage data (e.g. websites visited, interest in content, access times); Meta, communication and process data (e.g. IP addresses, time information, identification numbers, consent status).
- Data subjects: Communication partner (Recipients of e-mails, letters, etc.); Users (e.g. website visitors, users of online services); Persons depicted.
- Purposes of Processing: Provision of contractual services and customer support; Contact requests and communication; Office and organisational procedures.
- Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR).
Further information on processing methods, procedures and services used:
- Microsoft Teams: Conference and communication software.
– Service provider: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland.
– Parent company: Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399 USA.
– Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR).
– Website: https://www.microsoft.com/de-de/microsoft-365
– Privacy Policy: https://privacy.microsoft.com/de-de/privacystatement
– Security information: https://www.microsoft.com/de-de/trustcenter
– Standard Contractual Clauses (Safeguarding the level of data protection when processing data in third countries): https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA
JOB APPLICATION PROCESS
The application process requires applicants to provide us with the data necessary for their assessment and selection. The information required can be found in the job description or, in the case of online forms, in the information contained therein.
In principle, the required information includes personal information such as name, address, a contact option and proof of the qualifications required for a particular employment. Upon request, we will be happy to provide you with additional information.
If made available, applicants can submit their applications via an online form. The data will be transmitted to us encrypted according to the state of the art. Applicants can also send us their applications by e-mail. Please note, however, that e-mails on the Internet are generally not sent in encrypted form. As a rule, e-mails are encrypted during transport, but not on the servers from which they are sent and received. We can therefore accept no responsibility for the transmission path of the application between the sender and the reception on our server. For the purposes of searching for applicants, submitting applications and selecting applicants, we may make use of the applicant management and recruitment software, platforms and services of third-party providers in compliance with legal requirements. Applicants are welcome to contact us about how to submit their application or send it to us by regular mail.
Processing of special categories of data: To the extent that special categories of personal data (Article 9(1) GDPR, e.g., health data, such as disability status or ethnic origin) are requested from applicants during the application process, their processing is carried out so that the controller or the data subject can exercise rights arising from employment law and the law of social security and social protection, in the case of protection of vital interests of the applicants or other persons, or for purposes of preventive or occupational medicine, for the assessment of the employee’s work ability, for medical diagnosis, for the provision or treatment in the health or social sector, or for the management of systems and services in the health or social sector (Article 9 (2) (b) (c) (h) GDPR).
Ereasure of data: In the event of a successful application, the data provided by the applicants may be further processed by us for the purposes of the employment relationship. Otherwise, if the application for a job offer is not successful, the applicant’s data will be deleted. Applicants’ data will also be deleted if an application is withdrawn, to which applicants are entitled at any time. Subject to a justified revocation by the applicant, the deletion will take place at the latest after the expiry of a period of six months, so that we can answer any follow-up questions regarding the application and comply with our duty of proof under the regulations on equal treatment of applicants. Invoices for any reimbursement of travel expenses are archived in accordance with tax regulations.
Admission to a talent pool – Admission to an talent pool, if offered, is based on consent. Applicants are informed that their consent to be included in the talent pool is voluntary, has no influence on the current application process and that they can revoke their consent at any time for the future.
- Processed data types: Inventory data (e.g. names, addresses); Contact data (e.g. e-mail, telephone numbers); Content data (e.g. text input, photographs, videos); Job applicant details (e.g. Personal data, postal and contact addresses and the documents pertaining to the application and the information contained therein, such as cover letter, curriculum vitae, certificates, etc., as well as other information on the person or qualifications of applicants provided with regard to a specific job or voluntarily by applicants).
- Data subjects: Job applicants.
- Purposes of Processing: Job Application Process (Establishment and possible later execution as well as possible later termination of the employment relationship).
- Legal Basis: Job application process as a pre-contractual or contractual relationship (Article 6 (1) (b) GDPR); Legitimate Interests (Article 6 (1) (f) GDPR).
Further information on processing methods, procedures and services used:
- LinkedIn Recruiter: Job search and application related services within the LinkedIn platform.
– Service provider: LinkedIn Ireland Unlimited Company, Wilton Plaza Wilton Place, Dublin 2, Ireland.
– Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR)
– Website: https://www.linkedin.com
– Terms & Conditions: https://legal.linkedin.com/dpa
– Privacy Policy: https://www.linkedin.com/legal/privacy-policy
– Data Processing Agreement: https://legal.linkedin.com/dpa - Indeed: Recruitment-related services (search for employees, communication, application process, contract negotiations).
– Service provider: Indeed Ireland Operations Limited, 124 St. Stephen’s Green, Dublin 2, Ireland.
– Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR)
– Website: https://de.indeed.com/
– Privacy Policy: https://www.indeed.com/legal?hl=en#privacypolicy
CLOUD SERVICES
We use Internet-accessible software services (so-called “cloud services”, also referred to as “Software as a Service”) provided on the servers of its providers for the storage and management of content (e.g. document storage and management, exchange of documents, content and information with certain recipients or publication of content and information).
Within this framework, personal data may be processed and stored on the provider’s servers insofar as this data is part of communication processes with us or is otherwise processed by us in accordance with this privacy policy. This data may include in particular master data and contact data of data subjects, data on processes, contracts, other proceedings and their contents. Cloud service providers also process usage data and metadata that they use for security and service optimization purposes.
If we use cloud services to provide documents and content to other users or publicly accessible websites, forms, etc., providers may store cookies on users’ devices for web analysis or to remember user settings (e.g. in the case of media control).
- Processed data types: Inventory data (e.g. names, addresses); Contact data (e.g. e-mail, telephone numbers); Content data (e.g. text input, photographs, videos).
- Usage data (e.g. websites visited, interest in content, access times); Meta, communication and process data (e.g. IP addresses, time information, identification numbers, consent status).
- Data subjects: Customers; Employees (e.g. Employees, job applicants); Prospective customers; Communication partner (Recipients of e-mails, letters, etc.); Users (e.g. website visitors, users of online services); Business and contractual partners.
- Purposes of Processing: Office and organisational procedures; Information technology infrastructure (Operation and provision of information systems and technical devices, such as computers, servers, etc.).
- Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR).
Further information on processing methods, procedures and services used:
- Microsoft Cloud Services: Cloud storage, cloud infrastructure services and cloud-based application software.
- Service provider: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland, parent company: Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399 USA.
- Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR).
- Website: https://microsoft.com
- Privacy Policy: https://privacy.microsoft.com/de-de/privacystatement, Security information: https://www.microsoft.com/de-de/trustcenter
- Data Processing Agreement: https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA
- Standard Contractual Clauses (Safeguarding the level of data protection when processing data in third countries): https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA
- Amazon Web Services (AWS): Services in the field of the provision of information technology infrastructure and related services (e.g. storage space and/or computing capacities).
- Service provider: Amazon Web Services EMEA SARL, 38 avenue John F. Kennedy, 1855, Luxembourg.
- Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR).
- Website: https://aws.amazon.com/
- Privacy Policy: https://aws.amazon.com/privacy/
- Data Processing Agreement: https://aws.amazon.com/compliance/gdpr-center/
- Standard Contractual Clauses (Safeguarding the level of data protection when processing data in third countries): Inclusion in the Data Processing Agreement.
COMMERCIAL COMMUNICATION BY E-MAIL, POSTAL MAIL, FAX OR TELEPHONE
We process personal data for the purposes of promotional communication, which may be carried out via various channels, such as e-mail, telephone, post or fax, in accordance with the legal requirements.
The recipients have the right to withdraw their consent at any time or to object to the advertising communication at any time.
After revocation or objection, we store the data required to prove the past authorization to contact or send up to three years from the end of the year of revocation or objection on the basis of our legitimate interests. The processing of this data is limited to the purpose of a possible defense against claims. Based on the legitimate interest to permanently observe the revocation, respectively objection of the users, we further store the data necessary to avoid a renewed contact (e.g. depending on the communication channel, the e-mail address, telephone number, name).
- Processed data types: Inventory data (e.g. names, addresses).
- Contact data (e.g. e-mail, telephone numbers).
- Data subjects: Communication partner (Recipients of e-mails, letters, etc.).
- Purposes of Processing: Direct marketing (e.g. by e-mail or postal)
- Legal Basis: Consent (Article 6 (1) (a) GDPR); Legitimate Interests (Article 6 (1) (f) GDPR).
WEB ANALYSIS, MONITORING AND OPTIMIZATION
Web analysis is used to evaluate the visitor traffic on our website and may include the behaviour, interests or demographic information of users, such as age or gender, as pseudonymous values. With the help of web analysis we can e.g. recognize, at which time our online services or their functions or contents are most frequently used or requested for repeatedly, as well as which areas require optimization.
In addition to web analysis, we can also use test procedures, e.g. to test and optimize different versions of our online services or their components.
Unless otherwise stated below, profiles, i.e. data aggregated for a usage process, can be created for these purposes and information can be stored in a browser or in a terminal device and read from it. The information collected includes, in particular, websites visited and elements used there as well as technical information such as the browser used, the computer system used and information on usage times. If users have agreed to the collection of their location data from us or from the providers of the services we use, location data may also be processed.
Unless otherwise stated below, profiles, that is data summarized for a usage process or user, may be created for these purposes and stored in a browser or terminal device (so-called “cookies”) or similar processes may be used for the same purpose. The information collected includes, in particular, websites visited and elements used there as well as technical information such as the browser used, the computer system used and information on usage times. If users have consented to the collection of their location data or profiles to us or to the providers of the services we use, these may also be processed, depending on the provider.
The IP addresses of the users are also stored. However, we use any existing IP masking procedure (i.e. pseudonymisation by shortening the IP address) to protect the user. In general, within the framework of web analysis, A/B testing and optimisation, no user data (such as e-mail addresses or names) is stored, but pseudonyms. This means that we, as well as the providers of the software used, do not know the actual identity of the users, but only the information stored in their profiles for the purposes of the respective processes.
- Processed data types: Usage data (e.g. websites visited, interest in content, access times); Meta, communication and process data (e.g. IP addresses, time information, identification numbers, consent status).
- Data subjects: Users (e.g. website visitors, users of online services).
- Purposes of Processing: Web Analytics (e.g. access statistics, recognition of returning visitors); Profiles with user-related information (Creating user profiles); Provision of our online services and usability.
- Security measures: IP Masking (Pseudonymization of the IP address).
- Legal Basis: Consent (Article 6 (1) (a) GDPR); Legitimate Interests (Article 6 (1) (f) GDPR).
Further information on processing methods, procedures and services used:
- Google Analytics 4: We use Google Analytics to perform measurement and analysis of the use of our online services by users based on a pseudonymous user identification number. This identification number does not contain any unique data, such as names or email addresses. It is used to assign analysis information to an end device in order to recognize which content users have accessed within one or various usage processes, which search terms they have used, have accessed again or have interacted with our online services. Likewise, the time of use and its duration are stored, as well as the sources of users referring to our online services and technical aspects of their end devices and browsers. In the process, pseudonymous profiles of users are created with information from the use of various devices, and cookies may be used. In Google Analytics, higher level geographic location data is processed by collecting the following metadata based on IP search: “city” (and the derived latitude and longitude of the city), “continent”, “country”, “region”, “subcontinent” (and the ID-based equivalents). To ensure the protection of user data in the EU, Google receives and processes all user data via domains and servers within the EU. The IP address of users is not logged and is shortened by the last two digits by default. The shortening of the IP address takes place on EU servers for EU users. In addition, all sensitive data collected from users in the EU is deleted before it is collected via EU domains and servers.– Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
– Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR)
– Website: https://marketingplatform.google.com/intl/en/about/analytics/
– Privacy Policy: https://policies.google.com/privacy
– Data Processing Agreement: https://business.safety.google/adsprocessorterms/
– Standard Contractual Clauses (Safeguarding the level of data protection when processing data in third countries): https://business.safety.google/adsprocessorterms
– Opt-Out: Opt-Out-Plugin: https://tools.google.com/dlpage/gaoptout?hl=en, Settings for the Display of Advertisements: https://adssettings.google.com/authenticated
Further Information: https://privacy.google.com/businesses/adsservices (Types of processing and data processed).
- Google Tag Manager: Google Tag Manager is a solution with which we can manage so-called website tags via an interface and thus integrate other services into our online services (please refer to further details in this privacy policy). With the Tag Manager itself (which implements the tags), for example, no user profiles are created or cookies are stored. Google only receives the IP address of the user, which is necessary to run the Google Tag Manager.
– Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
– Legal Basis: Consent (Article 6 (1) (a) GDPR)
– Website: https://marketingplatform.google.com
– Privacy Policy: https://policies.google.com/privacy
– Data Processing Agreement: https://business.safety.google/adsprocessorterms
– Standard Contractual Clauses (Safeguarding the level of data protection when processing data in third countries): https://business.safety.google/adsprocessorterms
PLUGINS AND EMBEDDED FUNCTIONS AND CONTENT
Within our online services, we integrate functional and content elements that are obtained from the servers of their respective providers (hereinafter referred to as “third-party providers”). These may, for example, be graphics, videos or city maps (hereinafter uniformly referred to as “Content”).
The integration always presupposes that the third-party providers of this content process the IP address of the user, since they could not send the content to their browser without the IP address. The IP address is therefore required for the presentation of these contents or functions. We strive to use only those contents, whose respective offerers use the IP address only for the distribution of the contents. Third parties may also use so-called pixel tags (invisible graphics, also known as “web beacons”) for statistical or marketing purposes. The “pixel tags” can be used to evaluate information such as visitor traffic on the pages of this website. The pseudonymous information may also be stored in cookies on the user’s device and may include technical information about the browser and operating system, referring websites, visit times and other information about the use of our website, as well as may be linked to such information from other sources.
- Processed data types: Usage data (e.g. websites visited, interest in content, access times). Meta, communication and process data (e.g. IP addresses, time information, identification numbers, consent status); Inventory data (e.g. names, addresses); Contact data (e.g. e-mail, telephone numbers); Content data (e.g. text input, photographs, videos); Location data (Information on the geographical position of a device or person).
– Data subjects: Users (e.g. website visitors, users of online services).
– Purposes of Processing: Provision of our online services and usability
– Provision of contractual services and customer support.
– Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR).
Further information on processing methods, procedures and services used:
- Google Fonts (Provision on own server): Provision of font files for the purpose of a user-friendly presentation of our online services; Service provider: The Google Fonts are hosted on our server, no data is transmitted to Google; Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR).
- Google Maps: We integrate the maps of the service “Google Maps” from the provider Google. The data processed may include, in particular, IP addresses and location data of users; Service provider: Google Cloud EMEA Limited, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland; Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR); Website: https://mapsplatform.google.com/; Privacy Policy: https://policies.google.com/privacy.
- reCAPTCHA: We integrate the “reCAPTCHA” function to be able to recognise whether entries (e.g. in online forms) are made by humans and not by automatically operating machines (so-called “bots”). The data processed may include IP addresses, information on operating systems, devices or browsers used, language settings, location, mouse movements, keystrokes, time spent on websites, previously visited websites, interactions with ReCaptcha on other websites, possibly cookies and results of manual recognition processes (e.g. answering questions asked or selecting objects in images). The data processing is based on our legitimate interest to protect our online services from abusive automated crawling and spam.
– Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
– Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR).
– Website: https://www.google.com/recaptcha/
– Privacy Policy: https://policies.google.com/privacy
– Opt-Out: Opt-Out-Plugin: https://tools.google.com/dlpage/gaoptout?hl=en
– Settings for the Display of Advertisements: https://adssettings.google.com/authenticated. - YouTube videos: Video contents; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
– Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR)
– Website: https://www.youtube.com
– Privacy Policy: https://policies.google.com/privacy
– Opt-Out: Opt-Out-Plugin: https://tools.google.com/dlpage/gaoptout?hl=en
– Settings for the Display of Advertisements: https://adssettings.google.com/authenticated - YouTube-Videos: Video content; YouTube videos are integrated via a special domain (recognizable by the component “youtube-nocookie”) in the so-called ” enhanced data protection mode”, whereby no cookies on user activities are collected in order to personalise the video playback. Nevertheless, information on the user’s interaction with the video (e.g. remembering the last playback point) may be stored.
– Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
– Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR).
– Website: https://www.youtube.com
– Privacy Policy: https://policies.google.com/privacy
CHANGES AND UPDATES TO THE PRIVACY POLICY
We kindly ask you to inform yourself regularly about the contents of our data protection declaration. We will adjust the privacy policy as changes in our data processing practices make this necessary. We will inform you as soon as the changes require your cooperation (e.g. consent) or other individual notification.
If we provide addresses and contact information of companies and organizations in this privacy policy, we ask you to note that addresses may change over time and to verify the information before contacting us.
Stay In Touch