Data privacy
With the following data privacy statement, we would like to briefly inform you about the types of your personal data (hereinafter also referred to as ‘data’) that we process, for what purposes and to what extent. The data privacy statement applies to all processing of personal data carried out by us, both in the context of the provision of our services and, in particular, on our websites, in mobile applications and within external online presences such as our social media profiles (hereinafter collectively referred to as ‘online services’).
Overview of contents
- Responsible
- Relevant legal bases
- Safety measures
- Transfer and disclosure of personal data
- Data processing in third countries
- Deletion of data
- Provision of the online content and web hosting
- Commercial and business services
- Newsletter and electronic notifications
- Video conferencing, online meetings, webinars and screen sharing
- Web analysis, monitoring and optimisation
- Presence in social networks
- Plug-ins and embedded functions and content
- Planning, organisation and auxiliary tools
- Application procedure
- Rights of the data subject
- Amendment and update of the data privacy statement
- Cookie declaration
1. Responsible
VEACT GmbH
St.-Martin-Strasse 106
D-81669 Munich, Germany
Managing Director: Philipp Posselt
Telephone: +49 (0)89 4161 5810
Email: info@veact.net
Imprint: https://veact.com/en/imprint/
Contact of data protection officer:
By post: Data protection officer
c/o VEACT GmbH
St.-Martin-Strasse 106
81669 Munich, Germany
Email: datenschutz@veact.net
2. Relevant legal bases
In the following, we outline the legal basis of the General Data Protection Regulation (GDPR) on the basis of which we process personal data. Please note that in addition to the provisions of the GDPR, national data protection regulations may apply in your or our country of residence and domicile. Should more specific legal bases be relevant in individual cases, we will inform you of these in the data privacy statement.
National data protection regulations in Germany: In addition to the data protection regulations of the General Data Protection Regulation, national regulations on data protection apply in Germany. This includes, in particular, the Act on Protection against Misuse of Personal Data in Data Processing (Federal Data Protection Act – BDSG). In particular, the BDSG contains special provisions on the right to information, the right to erasure, the right to object, the processing of special categories of personal data, the processing for other purposes and the transmission as well as automated decision-making in individual cases, including profiling. Furthermore, it regulates data processing for purposes of the employment relationship (section 26 BDSG), in particular with regard to the establishment, implementation or termination of employment relationships as well as the consent of employees. Furthermore, the data protection laws of the individual federal states may apply.
National data protection regulations in Austria: In addition to the data protection regulations of the General Data Protection Regulation, national regulations on data protection apply in Austria. This includes in particular the Federal Act on the Protection of Individuals with regard to the Processing of Personal Data (Data Protection Act – DSG). In particular, the DSG contains special provisions on the right to information, the right to rectification or erasure, the processing of special categories of personal data, the processing for other purposes and the transmission as well as automated decision-making in individual cases.
3. Safety measures
We take appropriate technical and organisational measures to ensure a level of protection appropriate to the risk according to the statutory provisions, taking into account the state of the art, the implementation costs and the nature, scope, circumstances and purposes of the processing as well as the different probabilities of occurrence and the extent of the threat to the rights and freedoms of natural persons.
The measures include, in particular, ensuring the confidentiality, integrity, and availability of data by controlling physical and electronic access to the data as well as the access to, entry into, disclosure of, assurance of the availability of and segregation of the data. Furthermore, we have established procedures to ensure the exercise of data subject rights, the deletion of data and responses to data compromise. Furthermore, we already take the protection of personal data into account during the development or selection of hardware, software and procedures according to the principle of data protection through technology design as well as data protection-friendly default settings.
Truncation of the IP address: If it is possible for us to do so or if it is not necessary to store the IP address, we will truncate your IP address or have it truncated. If the IP address is truncated (also known as IP masking), the last octet (i.e. the last two numbers of an IP address) is deleted (in this context, the IP address is an identifier individually assigned to an internet connection by the online access provider). The truncation of the IP address is intended to prevent or make it significantly more difficult to identify a person by their IP address.
SSL encryption (https): In order to protect data transmitted via our online services, we use SSL encryption. You can recognise such encrypted connections by the prefix https:// in the address line of your browser.
4. Transfer and disclosure of personal data
When we process personal data, the data may be transferred to or disclosed to other bodies, companies, legally independent organisational units, or persons. The recipients of this data may include, payment institutions in the context of payment transactions, service providers commissioned with IT tasks or providers of services and content that are integrated into a website. In such cases, we observe the legal requirements and, in particular, conclude corresponding contracts or agreements that serve to protect your data with the recipients of your data.
Data transfer within the organisation: We may transfer or provide access to personal data to other entities within our organisation. Insofar as this disclosure is for administrative purposes, the disclosure of the data is based on our legitimate corporate and business interests or takes place insofar as it is necessary for the fulfilment of our contract-related obligations or if the consent of the data subjects or a legal permission exists.
5. Data processing in third countries
If we process data in a third country (i.e. outside the European Union (EU), the European Economic Area (EEA)) or the processing takes place in the context of the use of third-party services or the disclosure or transfer of data to other persons, bodies or companies, this will be done only in accordance with the legal requirements.
Subject to express consent, contractual or legally required transfer, we process or have data processed only in third countries with a recognised level of data protection, contractual obligation through standard contractual clauses of the EU Commission (SCC) if certifications or binding internal data protection regulations are available (Article 44 to 49 GDPR, information page of the EU Commission https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection_de).
6. Deletion of data
The data processed by us will be deleted according to the statutory provisions as soon as the consent granted for processing is revoked or other permissions cease to apply (e.g. if the purpose of processing this data has ceased to apply or it is not necessary for the purpose).
Unless the data are deleted because they are required for other and legally permissible purposes, the processing of these will be limited to these purposes. In other words, the data will be blocked and not processed for other purposes. This applies, for example, to data that must be retained for reasons of commercial or tax law or whose storage is necessary for the assertion, exercise or defence of legal claims or for the protection of the rights of another natural or legal person.
Further information on the deletion of personal data can also be found in the individual data privacy statements of this data privacy statement.
7. Provision of online content and web hosting
In order to be able to provide our online offer securely and efficiently, we use the services of one or more web hosting providers from whose servers (or servers managed by them) the online services can be accessed. For these purposes, we may use infrastructure and platform services, computing capacity, storage space and database services as well as security services and technical maintenance services.
The data processed as part of the provision of the hosting service may include all information relating to the users of our online service that arises in the course of use and communication. This regularly includes the IP address, which is necessary to be able to deliver the contents of online offers to browsers, and all entries made within our online services or from websites.
Email sending and hosting: The web hosting services we use also include the sending, receiving and storing of emails. For these purposes, the addresses of the recipients and senders as well as further information regarding the sending of emails (e.g. the providers involved) and the contents of the respective emails are processed. The aforementioned data may also be processed for spam detection purposes. Please note that emails on the Internet are generally not sent in encrypted form. As a rule, emails are encrypted in transit, but (unless an end-to-end encryption method is used) not on the servers from which they are sent and received. We can therefore not assume any responsibility for the transmission path of the emails between the sender and the reception on our server.
Collection of access data and log files: We ourselves (or our web hosting provider) collect data on every access to the server (server log files). The server log files may include the address and name of the web pages and files accessed, the date and time of access, the volume of data transferred, notification of successful access, browser type and version, the user’s operating system, referrer URL (the previously visited page) and, as a rule, IP addresses and the requesting provider.
The server log files can be used for security purposes (e.g. to avoid overloading the servers, especially in the case of abusive attacks or DDoS attacks) and to ensure the utilisation of the servers and their stability.
- Types of data processed: Content data (e.g. entries in online forms), usage data (e.g. websites visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses).
- Persons concerned: Users (e.g. website visitors, users of online services).
- Legal basis: Legitimate interests (Article 6, paragraph 1, sentence 1 lit. f GDPR).
Cloud services
We use software services accessible via the Internet and running on the servers of their providers (cloud services or ‘software as a service’)
In use, personal data may be processed and stored on the providers’ servers to the extent that it forms part of communications with us or is otherwise processed by us as set out in this data privacy statement. This data may include, in particular, the master data and contact data of users as well as data on transactions, contracts and other processes and their contents.
- Types of data processed: Content data (e.g. entries in online forms), usage data (e.g. websites visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses).
- Persons concerned: Users (e.g. website visitors, users of online services).
- Legal basis: Legitimate interests (Article 6, paragraph 1, sentence 1 lit. f GDPR).
Services used and service providers
- Microsoft Office365: Document storage and management, calendar management, sending of email, spreadsheets and presentations, sharing documents, content and information with specific recipients or publishing web pages, forms or other content and information
Service provider: Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399 USA; Website: https://www.microsoft.com/de-de/, https://www.microsoft.com/de-de/microsoft-365/microsoft-teams/group-chat-software; Privacy policy https://privacy.microsoft.com/de-de/privacystatement; - Amazon Web Services (AWS): Hosting and data centre (Frankfurt am Main). (ISO 27001, 27017 and 27018 as well as PCI DSS Level 1 certification.
Service provider: Amazon Web Services, Inc., P.O. Box 81226, Seattle, WA 98108-1226, USA. Privacy policy: https://aws.amazon.com/de/compliance/gdpr-center/, https://aws.amazon.com/de/privacy/
8. Commercial and business services
We process data of our contractual and business partners (e.g. customers and interested parties; hereinafter referred to as ‘contractual partners’) within the scope of contractual and comparable legal relationships as well as related measures and within the scope of communication with the contractual partners (or pre-contractual), for example, to answer enquiries.
We process this data to fulfil our contractual obligations, to safeguard our rights and for the purposes of the administrative tasks associated with this information as well as for business organisation. Within the framework of applicable law, we disclose the data of the contractual partners to third parties only to the extent that this is necessary for the aforementioned purposes or for the fulfilment of legal obligations or with the consent of the persons concerned (e.g. to participating telecommunications, transport and other auxiliary services as well as subcontractors, banks, tax and legal advisors, payment service providers or tax authorities). The contractual partners will be informed about further forms of processing (e.g. for marketing purposes) within the scope of this data privacy statement.
We inform the contractual partners which data are required for the aforementioned purposes before or in the course of data collection – for example, in online forms, by means of special labelling (e.g. colours) or symbols (e.g. asterisks or similar) or in person.
We delete the data after the expiry of statutory warranty and comparable obligations (i.e. generally after four years) unless the data is stored in a customer account. In this case, it is stored for as long as it must be retained for legal archiving reasons (e.g. ten years as part of the tax retention period). We delete data disclosed to us by the contractual partner within the scope of an order in accordance with the specifications of the order (in principle, after the end of the order).
Insofar as we use third-party providers or platforms to provide our services, the terms and conditions and data privacy statements of the respective third-party providers or platforms apply in the relationship between the users and the providers.
Project and development services: We process the data of our customers and clients (hereinafter uniformly referred to as ‘customers’) to enable them to select, purchase or commission the services or works and related activities as well as to pay for them and make them available or perform them.
The required information is identified as such in the context of the order, purchase order or comparable contract conclusion and includes the information required for the provision of services and invoicing as well as contact information in order to be able to hold any consultations. Insofar as we have access to the information of end customers, employees or others, we process this according to the legal and contractual requirements.
More information on commercial services: We process the data of our customers and clients (hereinafter uniformly referred to as ‘customers’) to enable them to select, purchase or commission the services or works and related activities as well as to pay for them and make them available or perform them.
The required information is identified as such in the context of the order, purchase order or comparable contract conclusion and includes the information required for the provision of services and invoicing as well as contact information in order to be able to hold any consultations.
- Types of data processed: User data (e.g. names, addresses), payment data (e.g. bank details, invoices, payment history), contact data (e.g. email, telephone numbers) and contract data (e.g. subject matter of contract, term, customer category).
- Persons concerned: Interested parties, business and contractual partners.
- Purpose of the processing: Provision of contractual services and customer service, contact requests and communication, office and organisational procedures, administration, and response to enquiries.
- Legal basis: Contract fulfilment and pre-contractual inquiries (Article 6, paragraph 1, sentence 1, lit. b GDPR), contractual performance and pre-contractual enquiries (Article 6, paragraph 1, sentence 1, lit. c GDPR), legitimate interests (Article 6, paragraph. 1, sentence 1 lit. f GDPR).
9. Newsletter and electronic notifications
We send newsletters, emails and other electronic notifications (hereinafter ‘newsletter’) only with the consent of the recipients or a legal permission. Insofar as the contents of the newsletter are specifically described in the course of registration, they are decisive for the consent of the user. In addition, our newsletters contain information about our services and us.
To subscribe to our newsletters, it is generally sufficient to enter your email address. However, we may ask you to provide a name (for the purpose of personal address in the newsletter) or other details if these are necessary for the purposes of the newsletter.
Double opt-in procedure: Registration for our newsletter is always carried out in a ‘double opt-in process’. This means that after registration, you will receive an email asking you to confirm your registration. This confirmation is necessary so that no one can register with the email addresses of other people. Subscriptions to the newsletter are logged in order to be able to prove the subscription process according to the legal requirements. This includes the storage of the login and confirmation time as well as the IP address. Likewise, changes to your data stored with the shipping service provider are logged.
Erasure and restriction of processing: We may store unsubscribed email addresses for up to three years based on our legitimate interests before deleting them in order to prove consent was previously given. The processing of this data is limited to the purpose of a possible defence against claims. An individual deletion request is possible at any time provided that the former existence of consent is confirmed at the same time. In the case of obligations to permanently observe objections, we reserve the right to store the email address in a block list for this purpose alone.
The logging of the registration process takes place on the basis of our legitimate interests for the purposes of proving its proper course. If we commission a service provider to send emails, this is done on the basis of our legitimate interests in an efficient and secure sending system.
Notes on legal bases: The newsletter is sent on the basis of the consent of the recipient or, if consent is not required, on the basis of our legitimate interests in direct marketing if and insofar as this is permitted by law (e.g. in the case of existing customer advertising). Insofar as we commission a service provider to send emails, this is done on the basis of our legitimate interests. The registration process is recorded on the basis of our legitimate interests to demonstrate that it has been carried out in according to the law.
Contents: Information about us, our services, promotions and offers.
- Types of data processed: User data (e.g. names, addresses), contact data (e.g. email), meta/communication data (e.g. device information, IP addresses), usage data (e.g. websites visited, interest in content, access times).
- Persons concerned:
- Purpose of the processing: Direct marketing (e.g. by email or post), reach measurement (e.g. access statistics, recognition of returning visitors), tracking (e.g. interest/behaviour-related profiling, use of cookies), profiling (creation of user profiles).
- Legal basis: Consent (Article 6, paragraph 1, sentence 1, lit. a. GDPR) legitimate interests (Article 6, paragraph 1, sentence 1 lit f. GDPR).
- Possibility of objection (opt-out): You can revoke your consent for the future at any time or object to further receipt. You will find a link to cancel the newsletter at the end of each newsletter, or you can contact us via the contact options given here, preferably by email.
Services used and service providers:
Mailgun: Email marketing platform; service provider: Mailgun Technologies, Inc, San Antonio HQ, 112 E Pecan St. #1135, San Antonio, TX 78205, USA; Website: https://www.mailgun.com Privacy Policy: https://www.mailgun.com/privacy-policy/
Video conferencing, online meetings, webinars and screen sharing
We use platforms and applications of other providers (hereinafter referred to as ‘third-party providers’) for the purpose of conducting video and audio conferences, online events and other types of video and audio meetings. When selecting third-party providers and their services, we observe the legal requirements.
In this context, data of the communication participants are processed and stored on the servers of the third-party providers insofar as these are part of communication processes with us. This data may include, in particular, registration and contact details, visual and vocal contributions as well as entries in chats and shared screen contents.
Where users are referred to the third-party providers or their software or platforms in the course of communication, business or other relationships with us, the third-party providers may process usage data and metadata for security, service optimisation or marketing purposes. We therefore ask you to observe the data privacy statements of the respective third-party providers.
Notes on legal bases: Where we ask users to consent to the use of third-party providers or certain features (e.g. consent to a recording of conversations), the legal basis of the processing is consent. Furthermore, their use may be a component of our (pre-)contractual services provided that the use of the third-party providers has been agreed within this framework. Otherwise, user data is processed on the basis of our legitimate interests in efficient and secure communication with our communication partners. In this context, we would also like to refer you to the information on the use of cookies in this data privacy statement.
- Types of data processed: User data (e.g. names, addresses), contact data (e.g. email, telephone numbers), content data (e.g. entries in online forms), usage data (e.g. websites visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses).
Persons concerned: Communication partners, users (e.g. website visitors, users of online services).
Purpose of the processing: Provide contractual services and customer service, contact requests and communications, office and organisational procedures. - Legal basis: Consent (Article 6, paragraph 1, sentence 1, lit. a GDPR), contractual performance and pre-contractual enquiries (Article 6, paragraph 1, sentence 1, lit. b GDPR), legitimate interests (Article 6, paragraph. 1, sentence 1 lit. f GDPR).
Services used and service providers:
- Teams: Messenger and conference software; service provider: Microsoft Corporation, One Microsoft Way, Redmond, WA
98052-6399
USA;
Website: https://www.microsoft.com/de-de/, https://www.microsoft.com/de-de/microsoft-365/microsoft-teams/group-chat-software; Privacy policy https://privacy.microsoft.com/de-de/privacystatement; - TeamViewer: If necessary, we use ‘TeamViewer’ to support requests. This is done only after a telephone request in a specific support case.
Service provider: TeamViewer Germany GmbH, Bahnhofsplatz 2, 73033 Göppingen, Germany; Privacy policy: https://www.teamviewer.com/de/datenschutzerklaerung/ - Calendly: Appointment scheduling software;
Provider: Calendly LLC, BB&T Tower 271 17th St NW, Atlanta, GA 30363, USA
Information on data protection
11. Web analysis, monitoring and optimisation
Web analytics (also referred to as ‘reach measurement’) is used to evaluate the flow of visitors to our online offering and may include behaviour, interests or demographic information about visitors (e.g. age or gender) as pseudonymous values. With the help of reach analysis, we can, for example, recognise at what time our online offer or its functions or content are most frequently used or encourage repeated use. Likewise, we can understand which areas need optimisation.
In addition to web analysis, we may also use testing procedures (e.g. to test and optimise different versions of our online services or components thereof).
For these purposes, user profiles may be created and stored in a file (‘cookie’), or similar procedures with the same purpose may be used. This information may include content viewed, websites visited and elements used there as well as technical information such as the browser used, the computer system used and information on usage times. If users have consented to the collection of their location data, this may also be processed depending on the provider.
The IP addresses of the users are also stored. However, we use an IP masking procedure (i.e. pseudonymisation by truncation of the IP address) in order to protect users. In general, the data stored in the context of web analysis, A/B testing and optimisation are not clear user data (e.g. email addresses or names) but rather pseudonyms. This means that we as well as the providers of the software used do not know the actual identity of the users but rather only the information stored in their profiles for the purpose of the respective procedures.
Notes on legal bases: Insofar as we ask users to consent to the use of third-party providers, the legal basis for processing data is consent. Otherwise, user data is processed on the basis of our legitimate interests (i.e. interest in efficient, economical and recipient-friendly services). In this context, we would also like to refer you to the information on the use of cookies in this data privacy statement.
Persons concerned: Nutzer (z.B. Webseitenbesucher, Nutzer von Onlinediensten).
Users (e.g. website visitors, users of online services).
Purpose of the processing: Reach measurement (e.g. access statistics, recognition of returning visitors), tracking (e.g. interest/behaviour-related profiling, use of cookies), conversion measurement (measurement of the effectiveness of marketing measures), profiling (creation of user profiles).
Security measures: IP masking (pseudonymisation of the IP address).
Legal basis: Consent (Article 6, paragraph 1, sentence 1, lit. a. GDPR) legitimate interests (Article 6, paragraph 1, sentence 1 lit f. GDPR).
Services used and service providers:
- Hotjar: In order to better understand the needs of our users and optimize the offer and experience on this website we use Hotjar. The provider is Hotjar Ltd, Dragonara Business Centre, 5th Floor, Dragonara Road, Paceville St Julian’s STJ 3141 Malta. Using Hotjar’s technology, we get a better understanding of our users’ experiences (e.g. how much time users spend on which pages, which links they click, what they like and dislike, etc.) and this helps us to tailor our offering to our users’ feedback. Hotjar works with cookies and other technologies to collect data about our users’ behavior and about their devices, in particular, device IP address (collected and stored only in anonymized form during your website use), screen size, device type (unique device identifiers), information about the browser used, location (country only), language preferred to view our website. Hotjar stores this information on our behalf in a pseudonymized user profile. Hotjar is contractually prohibited from selling the data collected on our behalf. For more information about the scope of processing by Hotjar, please see Hotjar’s help page; website: https://help.hotjar.com/hc/en-us/categories/115001323967-About-Hotjar.
- Google Analytics: This website uses Google Analytics, a web analytics service provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043 USA (hereinafter: “Google”). Google Analytics uses “cookies”, which are text files placed on your computer, to help the website analyse how users use the site. The information generated by the cookie about your use of this website is usually transmitted to a Google server in the USA and stored there. However, due to the activation of IP anonymisation on these websites, your IP address will be truncated beforehand by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. On behalf of the operator of this website, Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity and providing other services relating to website activity and internet usage to the website operator. The IP address transmitted by your browser as part of Google Analytics will not be merged with other Google data. The purpose of the data processing is to evaluate the use of the website and to compile reports on activities on the website. Further associated services are then to be provided on the basis of the use of the website and the internet. The processing of data for the purpose of website tracking is based on the user’s consent (Art. 6 Abs. 1 lit. a DSGVO). Google acts as the recipient of the data in the role of order processor. We have concluded the corresponding order processing agreement with Google for this purpose. As a third country transfer cannot be excluded, the standard data protection clauses have also been concluded.
- LinkedIn Insight Tag: This website uses the conversion tool “LinkedIn Insight Tag” from LinkedIn Ireland Unlimited Company. This tool creates a cookie in your web browser which enables the collection of the following data, among others: IP address, device and browser properties and page events (e.g. page views). This data is encrypted, anonymised within seven days and the anonymised data is deleted within 90 days. LinkedIn does not share personal data with VEACT, but provides anonymised reports on website audience and display performance. In addition, LinkedIn offers the possibility of retargeting via the Insight Tag. VEACT can use this data to display targeted advertising outside its website without identifying you as a website visitor. Further information on data protection at LinkedIn can be found in the LinkedIn data protection information.
- Google Tag Manager: This website uses the “Google Tag Manager” service of Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland (“Google”) on the basis of our legitimate interests (i.e. interest in the analysis, optimization and economic operation of our online offer within the meaning of Art. 6 para. 1 lit. f. DSGVO). Google Tag Manager is a service with which we can manage so-called website tags via an interface in order to integrate Google Analytics, for example. The Tag Manager itself does not process any personal data of the users. Usage guidelines: http://www.google.com/intl/de/tagmanager/use-policy.html
- Usercentrics: This website uses the Usercentrics Consent Management System of Usercentrics GmbH, Sendlinger Str. 7, 80331 Munich, Germany, to manage and document user consent to the use of cookies and similar technologies. This processing is necessary to fulfill a legal obligation (Art. 7 para. 1 GDPR, Art. 6 para. 1 lit. c GDPR). The following data is processed: Date and time of access, browser information, device information, geographical location, cookie preferences and the URL of the page visited. The functionality of the website cannot be guaranteed without this processing. Usercentrics is the recipient of this data and acts as a processor. The data is processed in the EU and deleted after three years. Further information on objection and removal options can be found in Usercentrics’ privacy policy. Please also note our general information on deleting and deactivating cookies.
- Hubspot: This website uses Hubspot, a service of Hubspot Inc. This uses so-called ‘web beacons’ and also sets ‘cookies’, which are stored on your computer and enable us to analyse your use of the website and enable a live chat function. The data processing is based on your consent and, if applicable, our legitimate interest in accordance with Art. 6 para. 1 lit. a, f GDPR. Hubspot uses the information collected (e.g. IP address, geographical location, browser type, duration of the visit and pages viewed) to create reports about your visit and the Veact pages you have visited. If you generally do not want Hubspot to collect data, you can prevent the storage of cookies at any time by changing your browser settings accordingly. Further information on how Hubspot works can be found in Hubspot’s privacy policy.
12. Presence in social networks (social media)
- We maintain online presences within social networks and process user data in this context in order to communicate with users active there or to offer information about us.We would like to point out that user data may be processed outside the European Union. This can result in risks for users because, for example, it could make it more difficult to enforce users’ rights.
Furthermore, user data within social networks is usually processed for market research and advertising purposes. For example, usage profiles can be created based on the usage behaviour and resulting interests of the users. In turn, the usage profiles can be used, for example, to place advertisements (both within and outside the networks) that presumably correspond to the interests of the users. For these purposes, cookies are usually stored on the users’ computers; the usage behaviour and interests of the users are stored in these cookies. Furthermore, data may also be stored in the usage profiles irrespective of the devices used by the users (especially if the users are members of the respective platforms and are logged in to them).
For a detailed presentation of the respective forms of processing and the options to object (opt-out), we refer to the data privacy statements/privacy policies and information provided by the operators of the respective networks.
Also in the case of requests for information and the assertion of data subject rights, we point out that these can be asserted most effectively with the providers. Only the providers have access to the user data and can directly take appropriate measures and provide information. If you still need help, you can contact us.
- Types of data processed: User data (e.g. names, addresses), contact data (e.g. email, telephone numbers), content data (e.g. entries in online forms), usage data (e.g. websites visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses).
Persons concerned: Users (e.g. website visitors, users of online services).v - Purpose of the processing: Contact requests and communication, tracking (e.g. interest/behavioural profiling, use of cookies), remarketing, reach measurement (e.g. access statistics, recognition of returning visitors).
- Legal basis: Legitimate interests (Article 6, paragraph 1, sentence 1 lit f. GDPR).
- Types of data processed: User data (e.g. names, addresses), contact data (e.g. email, telephone numbers), content data (e.g. entries in online forms), usage data (e.g. websites visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses).
Services used and service providers:
Facebook: We are jointly responsible with Facebook Ireland Ltd. for the collection (but not the further processing) of data of visitors to our Facebook page (‘fan page’). This data includes information about the types of content users view or interact with or the actions they take (see under ‘Things you and others do and provide’ in the Facebook data policy: https://www.facebook.com/policy), as well as information about the devices used by users (e.g. IP addresses, operating system, browser type, language settings, cookie data; see under ‘Device information’ in the Facebook Data Policy Statement https://www.facebook.com/policy). As explained in the Facebook data policy under ‘How do we use this information?’, Facebook also collects and uses information to provide analytics services (‘Page insights’) to page operators in order to provide them with insights into how people interact with their pages and with the content associated with them. We have entered into a special agreement with Facebook (‘Page insights information’, https://www.facebook.com/legal/terms/page_controller_addendum), ); in particular, this regulates which security measures Facebook must observe and in which Facebook has agreed to fulfil the rights of data subjects (i.e. users can, for example, send information or deletion requests directly to Facebook). The rights of users (in particular to information, deletion, objection and complaint to the competent supervisory authority) are not restricted by the agreements with Facebook. Further information can be found in the ‘Information on page insights’ (https://www.facebook.com/legal/terms/information_about_page_insights_data).
LinkedIn: Social network; service provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland; Website: https://www.linkedin.com; Privacy policy: https://www.linkedin.com/legal/privacy-policy; Possibility of objection (opt-out): https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.
YouTube: Social network; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, Parent Company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; Privacy policy: https://policies.google.com/privacy; Possibility of objection (opt-out) https://adssettings.google.com/authenticated.
Xing: Social network; service provider: XING AG, Dammtorstrasse 29-32, 20354 Hamburg, Germany; Website: https://www.xing.de; Privacy Policy: https://privacy.xing.com/de/datenschutzerklaerung.
13. Plug-ins and embedded functions and content
We integrate functional and content elements into our online services; these are obtained from the servers of their respective providers (hereinafter referred to as ‘third-party providers’). This may include graphics, videos or social media buttons as well as posts (hereinafter uniformly referred to as ‘content’).
The integration always requires that the third-party providers of this content process the IP address of the user because without the IP address, they would not be able to send the content to their browser. The IP address is thus or functions necessary for providing this content or functions. We strive to use only content from providers that use IP address exclusively for the delivery of content. Third-party providers may also use pixel tags (invisible graphics, also known as ‘web beacons’) for statistical or marketing purposes. The ‘pixel tags’ can be used to evaluate information such as visitor traffic on the pages of this website. The pseudonymous information may also be stored in cookies on the user’s device and may contain, among other things, technical information about the browser and operating system, referring websites, and time of visit as well as other information about the use of our online offer as well as be linked to such information from other sources.
Notes on legal bases: Insofar as we ask users to consent to the use of third-party providers, the legal basis for processing data is consent. Otherwise, user data is processed on the basis of our legitimate interests (i.e. interest in efficient, economical and recipient-friendly services). In this context, we would also like to refer you to the information on the use of cookies in this data privacy statement.
- Types of data processed: Usage data (e.g. websites visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses).
- Persons concerned: Users (e.g. website visitors, users of online services).
- Purpose of the processing: Provision of our online services and user-friendliness, contractual performance and service.
- Legal basis: Legitimate interests (Article 6, paragraph 1, sentence 1 lit. f GDPR).
14. Planning, organisation and auxiliary tools
We use services, platforms and software from other providers (hereinafter referred to as ‘third-party providers’) for the purposes of organising, managing, planning and providing our services. When selecting third-party providers and their services, we observe the legal requirements.
In this context, personal data may be processed and stored on the servers of the third-party providers. This may involve various data, which we process in accordance with this data privacy statement. This data may include, in particular, the master data and contact data of users as well as data on transactions, contracts and other processes and their contents.
Where users are referred to the third-party providers or their software or platforms in the course of communication, business or other relationships with us, the third-party providers may process usage data and metadata for security, service optimisation or marketing purposes. We therefore ask you to observe the data privacy statements of the respective third-party providers.
Notes on legal bases: Insofar as we ask users to consent to the use of third-party providers, the legal basis for processing data is consent. Furthermore, their use may be a component of our (pre-)contractual services provided that the use of the third-party providers has been agreed within this framework. Otherwise, user data is processed on the basis of our legitimate interests (i.e. interest in efficient, economical and recipient-friendly services). In this context, we would also like to refer you to the information on the use of cookies in this data privacy statement.
- Types of data processed: User data (e.g. names, addresses), contact data (e.g. email, telephone numbers), content data (e.g. entries in online forms), usage data (e.g. websites visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses).
- Persons concerned: Communication partners, users (e.g. website visitors, users of online services).
- Legal basis: Consent (Article 6, paragraph 1, sentence 1, lit. a GDPR), contractual performance and pre-contractual enquiries (Article 6, paragraph 1, sentence 1, lit. b GDPR), legitimate interests (Article 6, paragraph. 1, sentence 1 lit. f GDPR).
15. Application procedure
The application process requires applicants to provide us with the data necessary for their assessment and selection. The information required can be found in the job description or, in the case of online forms, in the information provided there.
The required information basically includes personal information such as name, address, contact details and proof of the qualifications required for a position. Upon request, we will be happy to provide additional information on which details are required.
Where provided, applicants may submit their applications to us using an online form. The data is transmitted to us encrypted according to the state of the art.
- Types of data processed: Applicant data (e.g. personal details, postal and contact addresses, the documents belonging to the application and the information contained therein such as cover letter, curriculum vitae and certificates as well as other information provided with regard to a specific position or voluntarily by applicants regarding their person or qualifications).
- Persons concerned:
- Purpose of the processing: Application procedure (establishment and possible subsequent implementation as well as possible subsequent termination of the employment relationship.).
- Legal basis: Article 9, paragraph 1, sentence 1 lit. b GDPR (application procedure as a pre-contractual or contractual relationship) (insofar as special categories of personal data within the meaning of Article 9, paragraph 1 GDPR (e.g. health data such as severely disabled status or ethnic origin) are requested from applicants in the context of the application process so that the data controller or the data subject can exercise the rights accruing to them under employment law and social security and social protection law and fulfil their obligations in this regard, this data shall be processed according to Article 9, paragraph 2, lit. b. GDPR; in the case of the protection of vital interests of the applicants or other persons in accordance with Article 9, paragraph 2, lit. c. GDPR or for the purposes of preventive health care or occupational medicine, for the assessment of the employee’s ability to work, for medical diagnostics, care or treatment in the health or social sector or for the management of systems and services in the health or social sector in accordance with Article 9, paragraph 2, lit. h. GDPR). In the case of a communication of special categories of data based on voluntary consent, their processing is based on Article 9, paragraph 2, lit. a. GDPR).
16. Rights of the data subject
As a data subject, you are entitled and various rights under the GDPR; these arise in particular from Articles 15 through 18 and 21 GDPR:
- Right of objection: You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data relating to you that is carried out on the basis of Article 6, paragraph 1, lit. e or f GDPR; this also applies to profiling based on these provisions. If your personal data are processed for the purpose of direct advertising, you have the right to object at any time to the processing of your personal data for the purpose of such advertising; this also applies to profiling insofar as it is connected with such direct advertising.
- Right of withdrawal for consents: You have the right to revoke consent at any time.
- Right to information: You have the right to request confirmation as to whether data in question is being processed and to information about this data as well as further information and a copy of the data according to the legal requirements.
- Right to rectification: According to the legal requirements, you have the right to request that the data concerning you be completed or that incorrect data concerning you be corrected.
- Rights to erasure and restriction of processing: According to the statutory provisions, you have the right to demand that data relating to you be deleted immediately or to demand restriction of the processing of the data according to the statutory provisions.
- Right to data transferability: You have the right to receive data concerning you, which you have provided to us, in a structured, common and machine-readable format according to the statutory provisions or to request that it be transferred to another responsible party.
- Complaint to supervisory authority: According to the statutory provisions, you also have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, your place of work or the place of the alleged infringement if you believe that the processing of personal data relating to you infringes the GDPR.
The supervisory authority responsible for VEACT GmbH:
Bavarian State Office for Data Protection Supervision (BayLDA), Promenade 18, 91522 Ansbach, Germany.
17. Amendment and updating of the data privacy statement
We ask you to regularly inform yourself about the content of our data privacy statement. We adapt the data privacy statement as soon as changes in the data processing carried out by us make this necessary. We will inform you as soon as the changes require an act of cooperation on your part (e.g. consent) or other individual notification.
Where we provide addresses and contact details of companies and organisations in this data privacy statement, please note that the addresses may change over time, and please check the details before contacting us.
Last revised: 2 February 2021