Privacy policy

Basic information

Affected parties

This privacy policy is aimed at all persons who visit this website. All personal designations refer to all genders and the associated language forms, in particular diverse, female, male. Each personal designation is to be understood with the addition "(m/f/d)".

Person responsible

The controller for the processing described here is: Der Mittelstand. BVMW e.V., Potsdamer Straße 7 10785 Berlin, T: 030 5332060, E: info@bvmw.de, represented by the Chairman of the Federal Executive Board, former Senator Christoph Ahlhaus. The data protection officer can be contacted as follows: dsb@dsgvo-nord.de, https://dsgvo-nord.de.

Rights

(1) Data subjects have the following rights with regard to the personal data stored about them: the right of access, the right to rectification of inaccurate data, the right to erasure of data for which there is no longer a reason for storage, the right to restriction of processing and the right to data portability. They also have the right to lodge a complaint with the supervisory authority responsible for the controller.

(2) Insofar as the processing is based on the consent of the data subjects, the data subjects may withdraw their consent at any time and with effect for the future, for example by sending an informal message to one of the above-mentioned contact channels (controller).

(3) Insofar as the processing is based on the fulfillment of a legitimate interest, i.e. on Article 6 paragraph 1 sentence 1 lit. f GDPR, the data subjects may object to the processing at any time; for example, by sending an informal message to one of the above-mentioned contact channels (controller). If the objection is justified, processing will be terminated. If the legitimate interest lies in direct marketing, the objection is always justified.

Transmission to countries outside the European Union

(1) If personal data is transferred to bodies outside the European Union, the controller must provide additional safeguards in accordance with Article 44 et seq. GDPR.

(2) If the controller refers to a so-called adequacy decision in the following data protection declaration, this means that the receiving body is located in a country, territory or specific sector for which the EU Commission has decided that it offers an adequate level of data protection. The guarantee then follows from Article 45 GDPR.

(3) If the controller refers to the so-called EU standard contractual clauses in the following data protection declaration, this means that the receiving body has contractually undertaken to respect the EU data protection principles and this on the basis of the so-called EU standard contractual clauses, the guarantee then follows from Article 45 GDPR.

(4) If the controller refers to so-called binding, internal data protection regulations in the following privacy policy, this means that the competent supervisory authority has approved the transfer. The guarantee then follows from Article 47 GDPR.

(5) If the controller refers in the following privacy policy to the fact that the data subjects have expressly consented to the transfer to a country outside the European Union, this means that they nevertheless consent to the transfer in full knowledge of all associated risks. The guarantee then follows from Article 49(1)(a) GDPR. In this context, we would like to point out the following risks: In the USA, the Republic of India and the Russian Federation, no data protection law comparable to the GDPR has been codified. The state authorities there have approved intensive access to data, whereby the principle of proportionality regulated in the EU is not applied. Furthermore, there is no effective legal protection for EU citizens in these countries.

(6) The above information is only provided as a precaution. They only apply if and insofar as reference is made to them in the following data protection declaration.

Further information

(1) Automated decision-making, including profiling, does not take place.

(2) There is only a legal obligation for processing if reference is made below to Article 6 (1) sentence 1 lit. c GDPR.

Processing operations in connection with contracts

Purpose and legal basis

Unless otherwise stated in this section ("Processing operations in connection with contracts"), the purpose of all processing operations described in this section is the establishment, performance and/or termination of contracts. With

a. Contracts that are not employment contracts, Article 6 (1) sentence 1 lit. b GDPR is the legal basis.

b. Employment contracts is then Article 88 GDPR in conjunction with. § Section 26 (1) BDSG2018 is the legal basis.

Storage duration

(1) Personal data whose processing is described in this section shall be processed for as long as it is required for the establishment, performance and/or termination of the contracts. A longer storage period, which is independent of the achievement of the purpose described in sentence 1, may result from paragraphs 2 to 5.

(2) The personal data will be stored for three years, whereby this period begins on December 31 of the calendar year in which the data was collected. Notwithstanding the above information (processing operations in connection with contracts / purpose and legal basis), this processing serves the legitimate interest of the controller to defend itself against claims arising from the contractual relationship within the regular limitation period. Exceptionally, Article 6 (1) sentence 1 lit. f GDPR is therefore the legal basis.

(3) Personal data contained in received commercial or business letters and other documents that are relevant for taxation purposes will be stored for six years in deviation from the above information (processing operations in connection with contracts / purpose and legal basis), whereby the retention period generally begins at the end of the calendar year in which the relevant document was created. This processing serves the fulfillment of tax and commercial law obligations according to § 147 AO and § 257 HGB. Exceptionally, Article 6 (1) sentence 1 lit. c GDPR is therefore the legal basis.

(4) Personal data resulting from books and records, inventories, annual financial statements, individual financial statements, consolidated financial statements, management reports and group management reports, opening balance sheets, accounting vouchers, customs-related documents, trading books as well as work instructions and other organizational documents necessary for their understanding shall be retained for ten years, in deviation from the above (processing operations in connection with contracts / purpose and legal basis), whereby the retention period generally begins at the end of the calendar year in which the relevant document was created.The retention period generally begins at the end of the calendar year in which the relevant document was created. This processing serves the fulfillment of tax and commercial law obligations according to § 147 AO and § 257 HGB. Exceptionally, Article 6 (1) sentence 1 lit. c GDPR is therefore the legal basis.

(5) Personal data resulting from an application that does not lead to an employment relationship will be stored for six months after receipt of the rejection by the data subject, in deviation from the above information (processing operations in connection with contracts / purpose and legal basis). This storage serves the legitimate interest of the controller to defend itself against the accusation of a violation of the AGG, whereby the interest usually ceases to exist after six months, because then an assertion within the period specified in Section 15 (4) AGG is generally no longer to be expected. Exceptionally, Article 6 (1) sentence 1 lit. f GDPR is therefore the legal basis.

Form.

In brief: The controller provides one or more forms on this website.

Processing in detail: Communication takes place between the data subject and the controller via the form tool, whereby the data subject's entries are documented and transmitted to the controller.

Data that is processed: Data on the content, manner and scope of the entries in the respective form.

Third-party provider: The form tool "Salesforce" is used, which is offered by Salesforce, Inc. (USA), which is offered in Germany by Salesforce.com Germany GmbH (Germany - EU). The provider was commissioned in accordance with Article 28 GDPR. The fact that this provider is based outside the European Union does not prevent it from being commissioned. This is because the transfer is based on binding, internal data protection regulations (Article 47 GDPR).

Payment.

In a nutshell: Data subjects can make payments on this website. The invoice and, if applicable, account data are processed and transmitted to us as payment status.

Processing in detail: The data subjects visit the website and make declarations (e.g. by activating checkboxes, shopping cart decisions) that are aimed at concluding a chargeable contract. In this respect, the controller provides the option of online payment. For this purpose, you will be directed to a payment provider who accepts the payment order, executes it and sends confirmation to the controller that the payment has been completed.

Data that is processed: Content of the declaration of intent, payment status.

Third-party provider: The payment service "Stripe" of the provider Stripe Payments Europe, Ltd (Ireland - EU) is used, which was commissioned in accordance with Article 28 GDPR. Stripe Payments Europe, Ltd. is a subsidiary of Stripe, Inc. based in the USA. Stripe Payments Europe, Ltd. is subject to European data protection law. More information on the type and manner of processing by this third-party provider is described here: https://stripe.com/de/payments In particular, the following data is processed by the controller: Information,

  1. that the data subjects use this service and,
  2. that the parties concerned pay, in what amount and at what time,
  3. personal data and account information required to complete the transaction; and
  4. personal data required by the controller to clarify conflicts and to check for and prevent fraud. The controller receives the information on 2., 3. and 4. from the provider.

Third-party provider: The payment service "Doo" from doo GmbH (Germany - EU) is used. More information on the type and manner of processing by this third-party provider is described here: ... https://doo.net/de/knowhow/2021/01/27/zahlungsmanagement-ueber-doo-bei-kostenpflichtigen-events/.

Appointment booking.

In a nutshell: Data subjects can use this website to make appointments with the controller here, whereby the controller receives, stores and uses all the data required to make the appointment.

Processing in detail: If the data subjects wish to arrange a meeting appointment with the local controller, they can view available appointments via an appointment booking portal that is integrated on this website and simply select one. The local controller then receives a message from the appointment booking portal.

Data that is processed: all data that is collected when an appointment is made (usually name, e-mail address, appointment).

Third-party provider: The appointment booking tool "Calendly" from Calendly (USA), which was commissioned in accordance with Article 28 GDPR, is used. More information on the type and manner of processing by this third-party provider is described here: https://calendly.com/de/features. The fact that this third-party provider is based outside the EU does not prevent it from being used. This is because the processing of personal data only takes place if the data subjects consent to the associated data transfer to the USA (see Article 49(1)(a) GDPR). In this respect, the above-mentioned risk information (basic information / transfer to countries outside the European Union) is relevant.

Third-party provider: The appointment booking tool "Microsoft Bookings" from Microsoft Corporation (USA), which was commissioned in accordance with Article 28 GDPR, is used. Further details on the type and manner of processing by this third-party provider are described here: https://www.microsoft.com/de-de/microsoft-365/business/scheduling-and-booking-app. The fact that this third-party provider is based outside the EU does not prevent it from being used. This is because the provider has undertaken to comply with the EU standard contractual clauses.

Webinars.

In a nutshell: Data subjects can register for and participate in a webinar on this website. All data required for registration, delivery and follow-up of the webinar will be processed.

Processing in detail: Data subjects can register for a webinar on this website or otherwise communicate with the controller here via a video conferencing tool, whereby all data required for the registration (if necessary, making an appointment), implementation and follow-up of the associated video conference will be processed. It is important to note that image and sound data is processed during web goods and/or video conferences, which may allow conclusions to be drawn about particularly sensitive data, such as the health of people who wear glasses or their religious beliefs if the data subjects wear religious symbols. Article 9(1) GDPR does not preclude this either, as this transmission only takes place if the data subjects activate the camera and/or microphone and thus consent to the processing in accordance with Article 9(2) GDPR.

Data that is processed: All data required for registration, delivery and follow-up of the webinar, including image and audio data where applicable.

Third-party provider: The webinar tool "Webex" from Cisco Systems, Inc., (USA) is used, which was commissioned in accordance with Article 28 GDPR. Further details on the type and manner of processing by this third-party provider are described here: https://www.webex.com/de/video-conferencing.html. The fact that this provider is based outside the European Union does not prevent it from being commissioned. This is because the processing of personal data only takes place if the data subjects consent to the associated data transfer to the USA (see Article 49(1)(a) GDPR). In this respect, the above-mentioned risk information (basic information / transfer to countries outside the European Union) is relevant.

Third-party provider: The webinar tool "Zoom" from Zoom Video Communications, Inc. (USA), which was commissioned in accordance with Article 28 GDPR, is used. More information on the type and manner of processing by this third-party provider is described here: https://zoom.us/webinar. The fact that this provider is based outside the European Union does not prevent it from being commissioned. This is because the processing of personal data only takes place if the data subjects consent to the associated data transfer to the USA (see Article 49(1)(a) GDPR). In this respect, the above-mentioned risk information (basic information / transfer to countries outside the European Union) is relevant.

Third-party provider: The webinar tool "Microsoft Teams" from Microsoft Corporation (USA), which was commissioned in accordance with Article 28 GDPR, is used. Further details on the type and manner of processing by this third-party provider are described here: https://www.microsoft.com/de-de/microsoft-teams/video-conferencing. The fact that this provider is based outside the European Union does not prevent it from being commissioned. This is because the processing of personal data only takes place if the data subjects consent to the associated data transfer to the USA (see Article 49(1)(a) GDPR). In this respect, the above-mentioned risk information (basic information / transfer to countries outside the European Union) is relevant.

Recruiting.

In brief: Data subjects can use this website to apply for employment with the controller, who collects and processes the data required for this purpose.

Processing in detail: Data subjects can apply for employment on this website via a recruiting area and/or another contact channel. The controller receives this data and processes it in order to prepare a pre-selection and, if applicable, a job interview and/or trial working day or to communicate it for other purposes relevant to the application. In doing so, the controller may

1. access an internal area and view the applicant data (including the application documents and the date of receipt of the application).

There is then the possibility that he

2. makes notes that are linked to the application data,

3. communicate internally about your application (if necessary with the relevant departments),

4. document the decision on the further processing of the application,

5. carry out and document the invitation to one or more job interviews,

6. carry out and document the invitation to one or more trial working days,

7. submit the employment contract document,

8. submit and document a rejection,

9. carry out onboarding measures,

10. store the data of the data subjects, subject to their consent, in an applicant pool.

Data that is processed: All data from the application and other communication content between the data subjects and the controller here.

Third-party provider: The recruiting tool "Connector" of jobEconomy GmbH (Germany - EU) is used, which was commissioned in accordance with Article 28 GDPR. More information on the type and manner of processing by this third-party provider is described here: https://www.connectoor.com/funktionen/.

Automated communication and interaction.

In a nutshell: The controller uses the communication and interaction data of the data subjects for automated communication and interaction with the data subjects.

Processing in detail: In the context of the establishment, performance and/or termination of contracts, the controller has automated parts of the communication with you. In doing so, it processes all communication data of the data subjects that trigger automatic responses by the controller, such as the delivery of a product or service. In this respect, it controls

1. the collection of your personal data when initiating the respective contract,

2. the communication required for the establishment, execution and/or termination of the contract (in particular by e-mail) with the data subjects and

3. the delivery of the products and/or services.

Data that is processed: (1) all contact and order data entered by you, (2) payment data, if applicable, (3) data on delivery and (4) data on the assertion of rights of the data subjects and the reaction of the controller here.

Third-party provider: The automation tool "Salesforce" is used, which is offered by Salesforce, Inc. (USA), which is offered in Germany by Salesforce.com Germany GmbH (Germany - EU). The provider was commissioned in accordance with Article 28 GDPR. The fact that this provider is based outside the European Union does not prevent it from being commissioned. This is because the transfer is based on binding, internal data protection regulations (Article 47 GDPR).

Processing operations with the consent of the data subjects

Purpose and legal basis.

Unless otherwise stated in this section ("Processing operations with the consent of the data subject"), the processing operations are based solely on the consent of the data subject. The respective purpose is stated in the individual description of the processing. With

a. For data subjects who are not employees of the controller, the legal basis is Article 6 (1) sentence 1 lit. a GDPR.

b. employees of the controller, the legal basis is then Article 88 GDPR i.V.m. § Section 26 (2) BDSG is the legal basis.

Storage period.

(1) Personal data whose processing is described in this section will be processed until the relevant consent has been withdrawn.

(2) By way of derogation from paragraph 1, the controller shall retain the data from which the consent was granted for three years, whereby this period shall begin on December 31 of the calendar year in which the consent is revoked. Notwithstanding the above information (processing operations with the consent of the data subject / purpose and legal basis), this processing serves to fulfill the legal obligation to be able to prove the granting of consent. Exceptionally, Article 6 (1) sentence 1 lit. c GDPR in conjunction with Article 7 (1) GDPR is the legal basis. Article 7(1) GDPR is the legal basis. This obligation ceases to apply three years after consent is withdrawn, at the latest when the limitation period expires.

Type of consent (cookie consent tool)

(1) Certain declarations of consent, in particular those obtained by the controller for the use of marketing and/or analysis cookies and the associated data processing, are obtained via a so-called cookie consent tool. All data (IP address, consent status) is stored. In deviation from the above information (processing operations with the consent of the data subject / purpose and legal basis), this processing serves to fulfill the legal obligation to be able to prove that consent has been given. Exceptionally, Article 6 (1) sentence 1 lit. c GDPR in conjunction with Article 7 (1) GDPR is the legal basis. Article 7(1) GDPR is the legal basis. This obligation ceases to apply three years after consent is withdrawn, at the latest when the limitation period expires.

(2) The cookie consent tool "CookieFirst" from Digital Data Solutions B.V. (Netherlands - EU) is used for this purpose. More information on the type and manner of processing by this third-party provider is described here: https://cookiefirst.com/cookie-consent-manager-features/

Analysis tools.

In a nutshell: The controller uses cookies to evaluate user behavior on and interaction with this website. He then evaluates this information in order to make this website even more targeted.

Processing in detail: So-called cookies are used to analyze the user behavior of data subjects on this website. These are text files that are stored on the data subject's computer and enable the use of the website to be analyzed. The information on user behavior is used to generate reports on activities and interactions. The controller uses this data to regularly improve the user experience on the website. He can also use the statistics obtained to improve his offer in order to direct the interest of the data subjects more specifically to products and services that are suitable for them.

Data that is processed: cookie-based data about interactions (e.g. sequence of interactions, length of stay).

Third-party provider: In connection with the analysis of user behavior, the analysis tool "Google Analytics" of Google Ireland Ltd. (Ireland - EU) is used, which was commissioned in accordance with Article 28 GDPR. More information on the type and manner of processing by this third-party provider is described here: https://support.google.com/analytics/answer/9306384?hl=de. Please note: The IP address will be shortened by the provider within member states of the European Union or in other contracting states of the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a server of the provider in the USA and shortened there. The IP address transmitted by the browser when using this tool is not merged with other data by the provider. The tool is also used for a cross-device analysis of visitor flows, which is carried out via a user ID. Data subjects can deactivate the cross-device analysis in their customer account under "My data", "Personal data". For information purposes, please note that this tool is used with the extension "_anonymizeIp()". This means that IP addresses are further processed in abbreviated form, which means that they cannot be linked to individuals. If the data collected about the data subjects is personally identifiable, it is immediately excluded and the personal data is deleted immediately. The fact that the data is transferred to the USA, possibly in cooperation with Google LLC (USA), does not prevent it from being processed. This is because personal data is only processed if the data subjects consent to the associated data transfer to the USA (see Article 49(1)(a) GDPR). In this respect, the above-mentioned risk information (basic information / transfer to countries outside the European Union) is relevant.

Third-party provider: In connection with the analysis of user behavior, the central control tool "Google Tag Manager" of Google Ireland Ltd. (Ireland - EU) is used, which was commissioned in accordance with Article 28 GDPR. More information on the type and manner of processing by this third-party provider is described here: https://marketingplatform.google.com/intl/de/about/tag-manager/. Please note: This tool allows the controller to integrate various codes and services on this website in an organized and simplified manner. This tool implements the tags or triggers the integrated tags. When a tag is triggered, the provider may also process personal data. It cannot be ruled out that the provider may also transmit the data to a server in a third country. However, the processing does not prevent the data from being transferred to the USA, possibly in cooperation with Google LLC (USA). This is because the processing of personal data only takes place if the data subjects consent to the associated data transfer to the USA (see Article 49(1)(a) GDPR). In this respect, the above-mentioned risk information (basic information / transfer to countries outside the European Union) is relevant.

Third-party provider: The analysis tool "Salesforce Tracking" is used, which is offered by Salesforce, Inc. (USA), which is offered in Germany by Salesforce.com Germany GmbH (Germany - EU). The provider was commissioned in accordance with Article 28 GDPR. The fact that this provider is based outside the European Union does not prevent it from being commissioned. This is because the transfer is based on binding, internal data protection regulations (Article 47 GDPR).

Social media and networks (including marketing tools).

In a nutshell: The controller uses social media and social networks for marketing and acquisition purposes, among other things. This provides him with detailed information about the visitors to the websites and about the interaction of the data subjects with the social media and networks and he uses these in a targeted manner for advertising purposes and to identify potential customers.

Processing in detail: The controller uses social media and social networks. It has no influence on the data collected and data processing operations, nor is it fully aware of the full scope of data collection, the purposes of processing, the storage periods and the circumstances of deletion of personal data. If the data subjects visit the company and product pages of the controller in the social media or advertisements (so-called ads), it is possible that the providers of the social media and networks store the data collected about them as user profiles and use these for the purposes of advertising, market research and/or demand-oriented design of their websites. The data subjects have the right to object to the creation of these user profiles, whereby they must contact the respective provider to exercise this right. Insofar as the controller here can influence the type and scope of the associated processing of personal data, its purpose is to present the controller, to analyze the usage behavior of the data subjects in relation to the interaction with the company and/or product page maintained there and to communicate with the data subjects via this social network (possibly for advertising purposes).

Responsibility: If and to the extent that the controller analyzes visitor interactions with its company page, both the controller and the respective provider of the social network or medium are jointly responsible in this respect under data protection law; this in accordance with Article 26 GDPR. In all other cases, the respective provider of the social network or medium is commissioned in accordance with Article 28 GDPR.

Data that is processed: Cookie- or pixel-based data on interactions with the website and the company and/or product pages of the controller, e-mail address, name and communication data, if applicable.

Supplementary information on the legal basis: In addition to the general information on the legal basis (processing operations with the consent of the data subjects / purposes and legal basis), the following should be noted: If the data subjects themselves maintain a profile on the respective social network or medium, the legal basis is also the consent within the meaning of Article 6 (1) sentence 1 lit. a GDPR, which they have given to the provider of the respective social network.

Third-party provider: The social network "Facebook" of Meta Platforms Ireland Limited (Ireland - EU) is used. However, it cannot be ruled out that data may be transferred to or integrated into the parent company, Meta Platforms Inc (USA). If the controller and the provider of the social network or medium presented here are jointly responsible, the agreement can be found here: https://www.facebook.com/legal/terms/page_controller_addendum. All information on the scope of application and distribution of responsibilities can be found there. In all other cases, the provider of the social network or medium was commissioned in accordance with Article 28 GDPR. More information on the type and manner of processing by this third-party provider is described here: https://www.facebook.com/business/gdpr. The use of this third-party provider is not precluded by the fact that data transfer to or integration of the parent company based in the USA cannot be ruled out. This is because the processing of personal data via this tool only takes place if the data subjects consent to the associated data transfer to the USA (see Article 49(1)(a) GDPR). This is done vis-à-vis the controller here, insofar as it controls the data processing. In this respect, the above-mentioned risk information (basic information / transfer to countries outside the European Union) is relevant. If the provider of the social network or medium presented here controls the processing (for example, if the data subjects visit the social network independently of an action on this website), there is already no transfer by the controller to the USA, so that the local controller does not have to provide any further guarantee within the meaning of Article 44 et seq. of the GDPR. In this case, there is at most a relationship between the local controller and the provider of the social network within the meaning of Article 26 GDPR.

The controller also maintains a company or product page with this provider, which is also linked on this website. If the data subjects click on this link (i.e. the link to the company or product page), they will be taken to the profile of the controller.

The controller uses the "Facebook pixel". This is an analysis tool with which the controller can measure the effectiveness of advertising. It is generally used to understand and track the actions of people on a website. The controller has implemented the pixel on this website by placing the pixel code in the header of the website. If the data subject then visits the website and performs an action (e.g. completes a purchase), the pixel is triggered and the action is reported. In this way, the controller learns when a data subject performs an action and can evaluate this. There is also the option of extended matching, which the controller also uses and whose use is also covered by the consent. The pixel also allows data subjects' data (e.g. first name, surname, email address, etc.) to be transmitted to the provider and enriched with existing tracking data. This makes it possible to collect data from data subjects who do not use this social medium or to record users who are not logged in to this social medium when they visit this website. As a result, the data subjects are tracked via this social medium. More information on the type and manner of processing by this third-party provider is described here: https://de-de.facebook.com/business/help/742478679120153?id=1205376682832142.

The controller uses "Facebook Ads". With the help of the advertising media of this tool (so-called Facebook Ads), the controller here can draw attention to its offers within the framework of the social network or medium presented here. It can determine how successful the individual advertising measures are in relation to the data of the advertising campaigns. In doing so, it pursues the interest of showing the data subjects advertising that is of interest to them, making this website more interesting for them and carrying out a fair calculation of advertising costs. These advertising materials are delivered by the provider presented here. If the data subjects access this website via an advertisement presented to them by this provider, the tool stores a cookie on the data subject's computer. These cookies are not intended to identify the data subjects personally. The unique cookie ID, number of ad impressions per placement (frequency), last impression (relevant for post-view conversions) and opt-out information (marking that the user no longer wishes to be addressed) are usually stored as analysis values for this cookie. Due to the tool used, the browser of the data subject automatically establishes a direct connection with the server of the provider presented here. The controller has no influence on the scope and further use of the data collected through the use of this tool. However, it does communicate its level of knowledge: By integrating the advertising material of this tool, the provider presented here receives the information that the data subjects have called up the corresponding part of this website or clicked on an advertisement of the person responsible. If the data subjects are registered with a service of this provider, the provider can assign the visit to your account. However, even if the data subjects are not registered with the provider presented here or have not logged in, it is possible for the provider to find out their IP address and store it. Data subjects can prevent participation in this tracking process in various ways: Either by setting your browser software accordingly; in particular, suppressing third-party cookies means that data subjects do not receive any ads from third-party providers. Or by deactivating cookies. More information on the type and manner of processing by this third-party provider is described here: https://de-de.facebook.com/business/ads.

Furthermore, the controller uses the so-called "Facebook Custom Audience". In doing so, it uploads the data (usually the email address) to the so-called "Facebook Custom Audience", of course only after consent has been granted. This allows the data controller to display interest-based advertisements ("ads") to the data subject when they visit the social network or medium provided by the provider. This is done as follows: It uploads the contact details (usually the e-mail address) to the provider presented here. The provider then checks whether the data subjects are registered with this contact data. If not, the contact details are not entered into the custom audience (a type of database that the controller maintains with this provider). If the answer is yes, they will be entered in the controller's Custom Audience. If the data subjects then visit the social network provided by this provider, the controller here has the opportunity to show the data subjects advertising that is of interest to them. More information on the type and manner of processing by this third-party provider is described here: https://de-de.facebook.com/business/help/341425252616329?id=2469097953376494.

Third-party provider: The social network "Instagram" of Meta Platforms Ireland Limited (Ireland - EU) is used. However, it cannot be ruled out that data may be transferred to or integrated into the parent company, Meta Platforms Inc (USA). If the controller and the provider of the social network or medium presented here are jointly responsible, the agreement can be found here: https://www.facebook.com/legal/terms/page_controller_addendum. All information on the scope of application and distribution of responsibilities can be found there. In all other cases, the provider of the social network or medium was commissioned in accordance with Article 28 GDPR. More information on the type and manner of processing by this third-party provider is described here: https://help.instagram.com/519522125107875. The use of this third-party provider is not precluded by the fact that data transfer to or integration of the parent company based in the USA cannot be ruled out. This is because the processing of personal data via this tool only takes place if the data subjects consent to the associated data transfer to the USA (see Article 49(1)(a) GDPR). This is done vis-à-vis the controller here, insofar as it controls the data processing. In this respect, the above-mentioned risk information (basic information / transfer to countries outside the European Union) is relevant. If the provider of the social network or medium presented here controls the processing (for example, if the data subjects visit the social network independently of an action on this website), there is already no transfer by the controller to the USA, so that the local controller does not have to provide any further guarantee within the meaning of Article 44 et seq. of the GDPR. In this case, there is at most a relationship between the local controller and the provider of the social network within the meaning of Article 26 GDPR.

The controller also maintains a company or product page with this provider, which is also linked on this website. If the data subjects click on this link (i.e. the link to the company or product page), they will be taken to the profile of the controller.

The controller uses "InstagramAds". With the help of the advertising media of this tool, the controller here can draw attention to its offers within the framework of the social network or medium presented here. It can determine how successful the individual advertising measures are in relation to the data of the advertising campaigns. In doing so, it pursues the interest of showing the data subjects advertising that is of interest to them, making this website more interesting for them and carrying out a fair calculation of advertising costs. These advertising materials are delivered by the provider presented here. If the data subjects access this website via an advertisement presented to them by this provider, the tool stores a cookie on the data subject's computer. These cookies are not intended to identify the data subjects personally. The unique cookie ID, number of ad impressions per placement (frequency), last impression (relevant for post-view conversions) and opt-out information (marking that the user no longer wishes to be addressed) are usually stored as analysis values for this cookie. Due to the tool used, the browser of the data subject automatically establishes a direct connection with the server of the provider presented here. The controller has no influence on the scope and further use of the data collected through the use of this tool. However, it does communicate its level of knowledge: By integrating the advertising material of this tool, the provider presented here receives the information that the data subjects have called up the corresponding part of this website or clicked on an advertisement of the person responsible. If the data subjects are registered with a service of this provider, the provider can assign the visit to your account. However, even if the data subjects are not registered with the provider presented here or have not logged in, it is possible for the provider to find out their IP address and store it. Data subjects can prevent participation in this tracking process in various ways: Either by setting your browser software accordingly; in particular, suppressing third-party cookies means that data subjects do not receive any ads from third-party providers. Or by deactivating cookies. More information on the type and manner of processing by this third-party provider is described here: https://business.instagram.com/advertising/.

Third-party provider: The social network "LinkedIn" of LinkedIn Ireland Unlimited Company (Ireland - EU) is used. However, it cannot be ruled out that data may be transferred to or integrated into the parent company, LinkedIn Corporation (USA). More information on the type and manner of processing by this third-party provider is described here: https://www.linkedin.com/legal/privacy-policy?trk=hb_ft_priv. The use of this third-party provider is not precluded by the fact that data transfer to or integration with the parent company based in the USA cannot be ruled out. This is because the processing of personal data via this tool only takes place if the data subjects consent to the associated data transfer to the USA (see Article 49(1)(a) GDPR). This is done vis-à-vis the controller here, insofar as it controls the data processing. In this respect, the above-mentioned risk information (basic information / transfer to countries outside the European Union) is relevant. If the provider of the social network or medium presented here controls the processing (for example, if the data subjects visit the social network independently of an action on this website), there is already no transfer by the controller to the USA, so that the local controller does not have to provide any further guarantee within the meaning of Article 44 et seq. of the GDPR. In this case, there is at most a relationship between the local controller and the provider of the social network within the meaning of Article 26 GDPR.

The controller also maintains a company or product page with this provider, which is also linked on this website. If the data subjects click on this link (i.e. the link to the company or product page), they will be taken to the profile of the controller.

The controller uses "LinkedInAds". With the help of the advertising media of this tool, the controller here can draw attention to its offers within the framework of this social network or medium presented here. It can determine how successful the individual advertising measures are in relation to the data of the advertising campaigns. In doing so, it pursues the interest of showing the data subjects advertising that is of interest to them, making this website more interesting for them and carrying out a fair calculation of advertising costs. These advertising materials are delivered by the provider presented here. If the data subjects access this website via an advertisement presented to them by this provider, the tool stores a cookie on the data subject's computer. These cookies are not intended to identify the data subjects personally. The unique cookie ID, number of ad impressions per placement (frequency), last impression (relevant for post-view conversions) and opt-out information (marking that the user no longer wishes to be addressed) are usually stored as analysis values for this cookie. Due to the tool used, the browser of the data subject automatically establishes a direct connection with the server of the provider presented here. The controller has no influence on the scope and further use of the data collected through the use of this tool. However, it does communicate its level of knowledge: By integrating the advertising material of this tool, the provider presented here receives the information that the data subjects have called up the corresponding part of this website or clicked on an advertisement of the person responsible. If the data subjects are registered with a service of this provider, the provider can assign the visit to your account. However, even if the data subjects are not registered with the provider presented here or have not logged in, it is possible for the provider to find out their IP address and store it. Data subjects can prevent participation in this tracking process in various ways: Either by setting your browser software accordingly; in particular, suppressing third-party cookies means that data subjects do not receive any ads from third-party providers. Or by deactivating cookies. More information on the type and manner of processing by this third-party provider is described here: https://business.linkedin.com/de-de/marketing-solutions/ads.

Third-party provider: The social network "Twitter" of Twitter International Company (Ireland - EU) is used. However, it cannot be ruled out that data may be transferred to or integrated into the parent company, Twitter, Inc (USA). More information on the type and manner of processing by this third-party provider is described here: https://twitter.com/de/privacy. The use of this third-party provider is not precluded by the fact that data transmission to or integration of the parent company based in the USA cannot be ruled out. This is because the processing of personal data via this tool only takes place if the data subjects consent to the associated data transfer to the USA (see Article 49(1)(a) GDPR). This is done vis-à-vis the controller here, insofar as it controls the data processing. In this respect, the above-mentioned risk information (basic information / transfer to countries outside the European Union) is relevant. If the provider of the social network or medium presented here controls the processing (for example, if the data subjects visit the social network independently of an action on this website), there is already no transfer by the controller to the USA, so that the local controller does not have to provide any further guarantee within the meaning of Article 44 et seq. of the GDPR. In this case, there is at most a relationship between the local controller and the provider of the social network within the meaning of Article 26 GDPR.

The controller also maintains a company or product page with this provider, which is also linked on this website. If the data subjects click on this link (i.e. the link to the company or product page), they will be taken to the profile of the controller.

The controller uses "Twitter Ads". With the help of the advertising media of this tool, the controller here can draw attention to its offers within the framework of this social network or medium presented here. It can determine how successful the individual advertising measures are in relation to the data of the advertising campaigns. In doing so, it pursues the interest of showing the data subjects advertising that is of interest to them, making this website more interesting for them and carrying out a fair calculation of advertising costs. These advertising materials are delivered by the provider presented here. If the data subjects access this website via an advertisement presented to them by this provider, the tool stores a cookie on the data subject's computer. These cookies are not intended to identify the data subjects personally. The unique cookie ID, number of ad impressions per placement (frequency), last impression (relevant for post-view conversions) and opt-out information (marking that the user no longer wishes to be addressed) are usually stored as analysis values for this cookie. Due to the tool used, the browser of the data subject automatically establishes a direct connection with the server of the provider presented here. The controller has no influence on the scope and further use of the data collected through the use of this tool. However, it does communicate its level of knowledge: By integrating the advertising material of this tool, the provider presented here receives the information that the data subjects have called up the corresponding part of this website or clicked on an advertisement of the person responsible. If the data subjects are registered with a service of this provider, the provider can assign the visit to your account. However, even if the data subjects are not registered with the provider presented here or have not logged in, it is possible for the provider to find out their IP address and store it. Data subjects can prevent participation in this tracking process in various ways: Either by setting your browser software accordingly; in particular, suppressing third-party cookies means that data subjects do not receive any ads from third-party providers. Or by deactivating cookies. More information on the type and manner of processing by this third-party provider is described here: https://ads.twitter.com/onboarding/18ce555439h/welcome.

Third-party provider: The social network "Google" and in particular the "Google Ads" tool of Google Ireland Ltd (Ireland - EU), which was commissioned in accordance with Article 28 GDPR, is used. However, it cannot be ruled out that data will be transferred to or integrated into the parent company, Google LLC (USA). More information on the type and manner of processing by this third-party provider is described here: https://ads.google.com/. The use of this third-party provider is not precluded by the fact that data transfer to or integration of the parent company based in the USA cannot be ruled out. This is because the processing of personal data only takes place if the data subjects consent to the associated data transfer to the USA (see Article 49(1)(a) GDPR). In this respect, the above-mentioned risk information (basic information / transfer to countries outside the European Union) is relevant.

The controller places advertisements (so-called ads), in particular in the search engine provided by the local provider. If the data subjects interact with the controller (e.g. visit this website), it is possible for the controller to mark the data subjects as suitable recipients of the ads with cookies after they have given their consent. If the data subjects then visit the social medium presented here, they will be recognized and the above-mentioned ads will be displayed to them. The purpose is to present the controller, to analyze the usage behavior in relation to the interaction with this website and to communicate with the data subjects via the social network or medium presented here (possibly advertising). These advertising materials are delivered by Google via so-called "ad servers". For this purpose, the controller uses so-called ad server cookies, through which certain parameters for measuring success, such as the display of ads or clicks by the data subjects, can be measured. If the data subject reaches this website via a Google ad, Google Ads stores a cookie on the data subject's computer. These cookies generally lose their validity after 30 days and are not intended to identify the data subject personally. The unique cookie ID, number of ad impressions per placement (frequency), last impression (relevant for post-view conversions) and opt-out information (marking that the user no longer wishes to be addressed) are usually stored as analysis values for this cookie. These cookies enable Google to recognize the internet browser of the data subject. If a user visits certain pages of this website and the cookie stored on their computer has not yet expired, Google and the controller can recognize that the data subject clicked on the ad and was redirected to this website. Due to the marketing tools used, the browser of the data subject automatically establishes a direct connection with the Google server.

The data subjects can prevent participation in this tracking process in various ways:

a) by setting their browser software accordingly (in particular, the suppression of third-party cookies means that they do not receive ads from third-party providers)

b) by deactivating cookies for conversion tracking by setting their browser to block cookies from the domain "www.googleadservices.com" (see https://www.google.de/settings/ads), whereby this setting is deleted when the data subject deletes the cookies.

Third-party provider: The social network "Google" and in particular the "Google Remarkting" tool of Google Ireland Ltd (Ireland - EU), which was commissioned in accordance with Article 28 GDPR, is used. However, it cannot be ruled out that data will be transferred to or integrated into the parent company, Google LLC (USA). More information on the type and manner of processing by this third-party provider is described here: https://support.google.com/google-ads/answer/2453998?hl=de.The use of this third-party provider is not precluded by the fact that data transfer to or integration of the parent company based in the USA cannot be ruled out. This is because the processing of personal data only takes place if the data subjects consent to the associated data transfer to the USA (see Article 49(1)(a) GDPR). In this respect, the above-mentioned risk information (basic information / transfer to countries outside the European Union) is relevant.

The controller places advertisements (so-called ads), in particular in the search engine provided by the local provider. If the data subjects interact with the controller (e.g. visit this website), it is possible for the controller to mark the data subjects as suitable recipients of the ads with cookies after they have given their consent. If the data subjects then visit the social medium presented here, they will be recognized and the above-mentioned ads will be displayed to them. The purpose is to present the controller, to analyze the usage behavior in relation to the interaction with this website and to communicate with the data subjects via the social network or medium presented here (possibly advertising). These advertising materials are delivered by Google via so-called "ad servers". For this purpose, the controller uses so-called ad server cookies, through which certain parameters for measuring success, such as the display of ads or clicks by the data subjects, can be measured. If the data subject reaches this website via a Google ad, Google Ads stores a cookie on the data subject's computer. These cookies generally lose their validity after 30 days and are not intended to identify the data subject personally. The unique cookie ID, number of ad impressions per placement (frequency), last impression (relevant for post-view conversions) and opt-out information (marking that the user no longer wishes to be addressed) are usually stored as analysis values for this cookie. These cookies enable Google to recognize the internet browser of the data subject. If a user visits certain pages of this website and the cookie stored on their computer has not yet expired, Google and the controller can recognize that the data subject clicked on the ad and was redirected to this website. Due to the marketing tools used, the browser of the data subject automatically establishes a direct connection with the Google server.

The data subjects can prevent participation in this tracking process in various ways:

a) by setting their browser software accordingly (in particular, the suppression of third-party cookies means that they do not receive ads from third-party providers)

b) by deactivating cookies for conversion tracking by setting their browser to block cookies from the domain "www.googleadservices.com" (see https://www.google.de/settings/ads), whereby this setting is deleted when the data subject deletes the cookies.

Third-party provider: The video playback tool "YouTube" from Google Ireland Ltd (Ireland - EU), which was commissioned in accordance with Article 28 GDPR, is used. However, it cannot be ruled out that data will be transferred to or integrated into the parent company, Google LLC (USA). The use of this third-party provider is not precluded by the fact that data transfer to or integration of the parent company based in the USA cannot be ruled out. This is because personal data is only processed if the data subjects consent to the associated data transfer to the USA (see Article 49(1)(a) GDPR). In this respect, the above-mentioned risk information (basic information / transfer to countries outside the European Union) is relevant.

Specifically, plugins from the YouTube video portal are integrated on this website. Each time a page that offers one or more YouTube video clips is accessed, a direct connection is established between the data subject's browser and a YouTube server. These videos are all integrated in "extended data protection mode". No data about the data subjects as users is transferred to the provider if the data subjects do not play the videos. Only when they play the videos will the data specified above be transmitted. The controller has no influence over this data transfer. If the data subjects use a Google account and do not wish to be associated with their profile on YouTube, they must log out before activating the button. The provider stores the data of the data subjects as usage profiles and uses them for the purposes of advertising, market research and/or the needs-based design of its website. Such an evaluation is carried out in particular (even for users who are not logged in) to provide needs-based advertising and to inform other users of the social network about the activities of the data subjects on the controller's website. Data subjects have the right to object to the creation of these user profiles, whereby they must contact the provider to exercise this right. Further information on the purpose and scope of data collection and its processing by the provider can be found in the privacy policy. There you will also find further information on your rights and setting options to protect your privacy: https://www.google.de/intl/de/policies/privacy.

The controller maintains a company page with this provider and has linked it on this website. If the data subject clicks on this link (i.e. the link to the company page), they will be taken to the channel of the controller.

Third-party provider: The video playback tool "Vimeo" from Vimeo, LLC (USA), which was commissioned in accordance with Article 28 GDPR, is used. The use of this third-party provider is not precluded by the fact that data transmission to the USA cannot be ruled out. This is because personal data is only processed if the data subjects consent to the associated data transfer to the USA (see Article 49(1)(a) GDPR). In this respect, the above-mentioned risk information (basic information / transfer to countries outside the European Union) is relevant.

Specifically, plugins from the video portal Vimeo are integrated on this website. Each time a page that offers one or more video clips is accessed, a direct connection is established between the data subject's browser and a YouTube server. These videos are all integrated in "extended data protection mode". No data about the data subjects as users is transferred to the provider if the data subjects do not play the videos. Only when they play the videos will the data specified above be transmitted. The controller has no influence on this data transfer. The data subjects have the right to object to the creation of these user profiles, whereby they must contact the provider to exercise this right. Further information on the purpose and scope of data collection and its processing by the provider can be found in the privacy policy. There you will also find further information on your rights and setting options to protect your privacy: https://vimeo.com/privacy

The controller maintains a company page with this provider and has linked it on this website. If the data subject clicks on this link (i.e. the link to the company page), they will be taken to the channel of the controller.

Useful information by e-mail.

In a nutshell: Data subjects have the option of ordering email content on this website. For this purpose, the necessary contact data is collected and used to deliver the content.

Processing and third-party providers in detail: The controller may process the data of data subjects in order to send them useful promotional information by email. This is a regular and irregular electronic newsletter. At the beginning, they provide the data controller with the data requested for registration. Once the double opt-in procedure has been carried out, the data controller uses this data to contact the data subjects for advertising purposes by means of these e-mails.

Data that is processed: The controller processes the data that the data subjects voluntarily provide to it for this purpose (usually e-mail and name) as well as the data that it needs to prove that consent has been granted (opt-in status data) and, if applicable, data for withdrawing consent.

Addition to the legal basis "consent": To obtain consent, the controller uses the so-called double opt-in procedure. This means that he sends the data subjects an email to the email address provided after they have registered, in which he asks them to confirm their consent. If they do not confirm their registration within [waiting time] days, their information will be blocked and automatically deleted after one month. In addition, the controller stores the IP addresses used and the times of registration and confirmation. The purpose of the procedure is to be able to prove your registration and, if necessary, to clarify any possible misuse of your personal data. The legal basis for this processing is Article 6 paragraph 1 sentence 1 lit. c GDPR. According to this provision, the controller here may process the data of the data subjects if this is necessary to fulfill a legal obligation to which it is subject. The legal obligation follows from Article 7(1) GDPR and Article 5(1) GDPR. According to these provisions, the controller here is legally obliged to document the obtaining of consent. This is only possible if he collects the data of the data subjects for verification purposes.

Third-party provider: The automation tool "Salesforce" is used, which is offered by Salesforce, Inc. (USA), which is offered in Germany by Salesforce.com Germany GmbH (Germany - EU). The provider was commissioned in accordance with Article 28 GDPR. The fact that this provider is based outside the European Union does not prevent it from being commissioned. This is because the transfer is based on binding, internal data protection regulations (Article 47 GDPR).

Turing test.

In a nutshell: For certain interactions with this website, it is necessary to check whether the data subjects are a machine/bot in order to prevent misuse. A Turing test tool is used on this website to check this.

Processing and third-party providers in detail: To prevent misuse, a Turing test tool is used on this website. The data subjects have to solve a short task, e.g. to reproduce numbers written in italics using keystrokes or to recognize images. This input is documented. The result is analyzed to determine whether it is human or machine input. Based on this information, a decision is made as to whether certain processing operations (e.g. registration) can be continued or not.

Data that is processed: Input data.

Third-party provider: The "Google reCaptcha" tool from Google Ireland Ltd (Ireland - EU), which was commissioned in accordance with Article 28 GDPR, is used. However, it cannot be ruled out that data will be transferred to or integrated into the parent company, Google LLC (USA). More information on the type and manner of processing by this third-party provider is described here: https://www.google.com/recaptcha/about/. The use of this third-party provider is not precluded by the fact that data transfer to or integration of the parent company based in the USA cannot be ruled out. This is because the processing of personal data only takes place if the data subjects consent to the associated data transfer to the USA (see Article 49(1)(a) GDPR). In this respect, the above-mentioned risk information (basic information / transfer to countries outside the European Union) is relevant.

Processing operations with legitimate interest

Purpose and legal basis

Unless otherwise stated in this section ("Processing operations with legitimate interest"), they are based solely on a legitimate interest of the controller or a third party. The respective purpose is stated in the individual description of the processing. In this case, Article 6(1) sentence 1(f) GDPR is the legal basis.

Storage duration

Personal data whose processing is described in this section will be processed until the legitimate interest no longer exists or the data subjects have objected with reasons, whichever is earlier.

Advertising to contractual partners.

In a nutshell: If the data subjects conclude a contract with the controller, whether it is a fee-based or free contract, the controller will provide the data subjects with useful information by email. The data subjects can object to this at any time, for example by sending an informal message to the controller.

Processing and third-party providers in detail: The controller processes the email address and name of the data subjects in order to send them useful information by email at regular or irregular intervals. It also stores the information that a contractual relationship exists or existed between them and the controller in order to be able to prove the legitimate interest. The legitimate interest here follows from the fact that a contractual relationship exists between the data subjects and the controller, in the context of which the advertising approach by email is part of the usual expectations of the data subjects. This is supported by recital 47 sentence 7.

Data that is processed: (1) e-mail address, (2) name and (3) the status data for the contractual relationship.

Special note on the right to object: Data subjects can object to the use of their data for this purpose at any time, for example by sending an informal message to the controller (data subjects can find the contact channels at the beginning of this statement and in the legal notice). In particular, data subjects can object without incurring any costs other than the transmission costs according to the basic rates.

Informational use of the website.

In a nutshell: If the data subjects merely visit this website without interacting with it, the data controller processes their data insofar as this is technically necessary to display the website.

Processing in detail: If the data subjects use this website purely for information purposes, i.e. if they do not register as users or otherwise transmit information, the controller collects some data from the data subjects, insofar as technically necessary for the presentation of the website.

Data that is processed: IP address, date and time of the request, time zone difference to Greenwich Mean Time (GMT), content of the request (specific page), access status/HTTP status code, amount of data transferred in each case, website from which the request originates, browser, operating system and its interface, language and version of the browser software.

Rights management and, if necessary, external legal advice.

In a nutshell: If the data subjects assert rights against the controller here (e.g. requests for information), the controller processes the associated communication data in order to deal with this in the interests of the data subjects and, if necessary, to be able to defend itself against claims under civil law and accusations under fine and criminal law.

Processing in detail: If the data subjects assert claims of any kind against the controller, the data will be processed as follows:

1. the controller receives the request and stores all associated data.

2. the controller uses this data to examine the request. If necessary, it will seek external legal advice.

3. if the request is justified, it will use the data to comply with the request. Otherwise, it will use the data to inform the data subjects.

4. the controller shall retain the data resulting from the processing referred to in points 1 to 3 for three years, starting on December 31 of the calendar year in which step 3 took place.

The legitimate interest in points 1 to 3 arises from the interest of the data subjects in having the claims processed and from the interest of the controller in avoiding claims and sanctions. The legitimate interest in section 4 arises from the controller's need to be able to defend itself against civil law claims and accusations under fine and criminal law at a later date. This interest in storage under point 4 ends with the expiry of the limitation period pursuant to Sections 193, 195 BGB.

Data that is processed: Name, contact details and communication content.

Supplement to the legal basis: The processing under points 1 to 3 is also justified by Article 6 (1) sentence 1 lit. C GDPR, as the controller is obliged to examine the concerns of the data subjects.

Our partners

The partners of Mittelstand BVMW are selected companies that, together with us, have committed themselves to the further development of SMEs.

Disclaimer: This text is a translation from the German original text. In case of doubt, the German text shall prevail.